Posts

Let "auto choose analysis package" properly work on Windows 10 64-bit

As I said before (http://xywcloud.blogspot.com/2018/04/behavior-based-signature-changelog.html), these days I'm working hard on creating custom signatures for Cuckoo Sandbox.
During the process of deploying Cuckoo Sandbox, I encountered lots of problems and fixed most of them.
Today I got the "auto choose analysis package" feature working properly on my computer. The most important problem was installing python-magic on Windows 10 64-bit, because python-magic does not support 64-bit Windows.
Here is the final solution to get this function working properly :-)

Cuckoo Version: 2.0.5
OS: Windows 10 Professional 64-bit (16299)

1. Patch file: .cuckoo/analyzer/windows/analyzer.py
   Line 543: add a check for the "None" string (the package option arrives from the host as text, so an unset package can show up as the literal "None"), so the condition becomes:
   if not self.config.package or self.config.package == "None":

2. https://github.com/julian-r/file-windows
   Download the DLL & MGC files, rename the DLL to "magic1.dll" and drop it in the System32 directory, then overwrite the same MGC file in [pytho…
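To show why the check in step 1 matters, here is an added example (hypothetical, not Cuckoo's own analyzer code) of a simplified package chooser: without the extra comparison, a package option received as the text "None" is treated as a real package name and the type-based "auto choose" fallback never runs. The header-based detect_type function is an assumed stand-in for python-magic so the example runs without libmagic.

```python
from typing import Optional

# Minimal stand-in for python-magic: map leading file bytes to a
# libmagic-style description (assumed mapping, deliberately small).
def detect_type(data: bytes) -> str:
    if data.startswith(b"MZ"):
        return "PE32 executable (GUI) Intel 80386, for MS Windows"
    if data.startswith(b"%PDF"):
        return "PDF document"
    if data.startswith(b"PK\x03\x04"):
        return "Zip archive data"
    return "data"

# Map a type description to an analysis package name (assumed names).
def package_from_type(description: str) -> str:
    if "PE32" in description and "DLL" in description:
        return "dll"
    if "PE32" in description:
        return "exe"
    if "PDF" in description:
        return "pdf"
    if "Zip" in description:
        return "zip"
    return "generic"

def choose_package(configured: Optional[str], sample: bytes, patched: bool = True) -> str:
    """Return the package to run for `sample`.

    `configured` is the package option as received from the host: it may be
    None, an empty string, a real package name, or the literal text "None"
    (what an unset option looks like once it has been serialised as text).
    """
    if patched:
        unset = not configured or configured == "None"   # the added check
    else:
        unset = not configured                            # original behaviour
    if unset:
        return package_from_type(detect_type(sample))    # "auto choose" path
    return configured

if __name__ == "__main__":
    sample = b"MZ" + b"\x00" * 62   # constructed stand-in for a PE header
    print(choose_package("None", sample, patched=False))  # None  (bogus package name)
    print(choose_package("None", sample))                 # exe
```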

Behavior-based Signature Changelog

About a week ago, I started to deploy Cuckoo Sandbox on my old laptop (I would like to use it as cloud analysis for X-Sec Antivirus in the future), and I finished the deployment on 31st Mar. 2018.

After an overview of the Cuckoo Community signatures, I found that they can't meet my needs, so it's time to create extra signatures to enhance malware detection.

Due to the lack of official documentation, creating a signature usually costs me 3~4 hours, but it doesn't matter; the time will drop once I'm proficient at it.

Here is the signature changelog.

+ -> add
↑ -> improve/bugfix
- -> remove
× -> try to add signature but failed/unnecessary to add signature

Already Covered Malware Families:

Backdoor(Generic Detection)
Injector(Generic Detection)
Nitol
DotnetCrypter
DelfCrypter
Tinba
NsisInject
Ransomware(Generic Detection)
Adware.Downloader
Hancitor
Panda(Banker)
Betabot
Trickbot
InfoStealer(Generic Detection)
Neshta
Expiro
Nakuru
Sality
Bladabindi(Disfa)
Imm…