├── .gitignore
├── README.md
├── community.pyproj
├── community.sln
└── modules
├── machinemanagers
└── .gitignore
├── processing
└── .gitignore
├── reporting
└── .gitignore
└── signatures
├── andromeda_apis.py
├── antianalysis_detectfile.py
├── antianalysis_detectreg.py
├── antiav_avast_libs.py
├── antiav_bitdefender_libs.py
├── antiav_detectfile.py
├── antiav_detectreg.py
├── antiav_servicestop.py
├── antiav_srp.py
├── antidbg_devices.py
├── antidbg_windows.py
├── antiemu_wine.py
├── antiemu_wine_func.py
├── antisandbox_cuckoo.py
├── antisandbox_joe_anubis_files.py
├── antisandbox_mouse_hook.py
├── antisandbox_productid.py
├── antisandbox_sboxie_libs.py
├── antisandbox_sboxie_mutex.py
├── antisandbox_sboxie_objects.py
├── antisandbox_sleep.py
├── antisandbox_sunbelt_files.py
├── antisandbox_sunbelt_libs.py
├── antisandbox_suspend.py
├── antisandbox_unhook.py
├── antivirus_virustotal.py
├── antivm_dirobjects.py
├── antivm_generic_bios.py
├── antivm_generic_cpu.py
├── antivm_generic_disk.py
├── antivm_generic_disk_setupapi.py
├── antivm_generic_diskreg.py
├── antivm_generic_scsi.py
├── antivm_generic_services.py
├── antivm_generic_system.py
├── antivm_vbox_acpi.py
├── antivm_vbox_devices.py
├── antivm_vbox_files.py
├── antivm_vbox_keys.py
├── antivm_vbox_libs.py
├── antivm_vbox_provname.py
├── antivm_vbox_window.py
├── antivm_vmware_devices.py
├── antivm_vmware_events.py
├── antivm_vmware_files.py
├── antivm_vmware_keys.py
├── antivm_vmware_libs.py
├── antivm_vmware_mutexes.py
├── antivm_vpc_files.py
├── antivm_vpc_keys.py
├── antivm_vpc_mutex.py
├── bad_certs.py
├── bad_ssl_certs.py
├── banker_cridex.py
├── banker_geodo.py
├── banker_prinimalka.py
├── banker_spyeye_mutex.py
├── banker_zeus_mutex.py
├── banker_zeus_p2p.py
├── banker_zeus_url.py
├── betabot_apis.py
├── bitcoin_opencl.py
├── bootkit.py
├── bot_athenahttp.py
├── bot_dirtjumper.py
├── bot_drive.py
├── bot_drive2.py
├── bot_madness.py
├── bot_russkill.py
├── browser_addon.py
├── browser_bho.py
├── browser_proxy.py
├── browser_scanbox.py
├── browser_security.py
├── browser_startpage.py
├── bypass_firewall.py
├── carberp_mutex.py
├── chimera_apis.py
├── clickfraud_cookies.py
├── clickfraud_volume.py
├── copies_self.py
├── creates_largekey.py
├── creates_nullvalue.py
├── critical_process.py
├── cryptowall_apis.py
├── darkcomet_regkeys.py
├── dead_link.py
├── debugs_self.py
├── deepfreeze_mutex.py
├── deletes_self.py
├── deletes_shadowcopies.py
├── dep_bypass.py
├── dep_disable.py
├── disables_browserwarn.py
├── disables_spdy.py
├── disables_sysrestore.py
├── disables_uac.py
├── disables_wer.py
├── disables_wfp.py
├── disables_windowsupdate.py
├── downloader_cabby.py
├── dridex_apis.py
├── driver_load.py
├── dropper.py
├── dyre_apis.py
├── ek_angler.py
├── ek_gondad.py
├── ek_heapsray.py
├── ek_javaapplet.py
├── ek_neutrino.py
├── ek_nuclear.py
├── ek_rig.py
├── ek_silverlight.py
├── ek_virtualcheck.py
├── encrypted_ioc.py
├── exec_crash.py
├── generic_phish.py
├── hawkeye_apis.py
├── infostealer_bitcoin.py
├── infostealer_browser.py
├── infostealer_ftp.py
├── infostealer_im.py
├── infostealer_keylog.py
├── infostealer_mail.py
├── injection_createremotethread.py
├── injection_explorer.py
├── injection_needextension.py
├── injection_runpe.py
├── injection_rwx.py
├── internet_dropper.py
├── js_phish.py
├── kazybot_apis.py
├── kibex_apis.py
├── kraken_mutex.py
├── locker_regedit.py
├── locker_taskmgr.py
├── martians_ie.py
├── mimics_agent.py
├── mimics_filename.py
├── mimics_filetime.py
├── mimics_icon.py
├── modifies_certs.py
├── modifies_hostsfile.py
├── modifies_seccenter.py
├── modifies_uac_notify.py
├── multiple_ua.py
├── network_anomaly.py
├── network_bind.py
├── network_cnc_http.py
├── network_dga.py
├── network_http.py
├── network_icmp.py
├── network_irc.py
├── network_smtp.py
├── network_tor.py
├── network_tor_service.py
├── network_torgateway.py
├── office_dl_write_exe.py
├── office_macro.py
├── office_security.py
├── office_suspicious.py
├── origin_langid.py
├── origin_resource_langid.py
├── packer_armadillo_mutex.py
├── packer_armadillo_regkey.py
├── packer_entropy.py
├── packer_themida.py
├── packer_upx.py
├── packer_vmprotect.py
├── pdf_annot_urls.py
├── pdf_eof.py
├── pdf_page.py
├── persistence_ads.py
├── persistence_autorun.py
├── persistence_service.py
├── polymorphic.py
├── pony_apis.py
├── powershell_command.py
├── prevents_safeboot.py
├── process_interest.py
├── process_needed.py
├── procmem_yara.py
├── ransomware_fileextensions.py
├── ransomware_files.py
├── ransomware_recyclebin.py
├── rat_beebus_mutex.py
├── rat_fynloski_mutex.py
├── rat_pcclient.py
├── rat_plugx_mutex.py
├── rat_poisonivy.py
├── rat_spynet.py
├── rat_xtreme_mutex.py
├── reads_self.py
├── recon_beacon.py
├── recon_checkip.py
├── recon_fingerprint.py
├── recon_programs.py
├── recon_systeminfo.py
├── removes_zoneid_ads.py
├── secure_login_phish.py
├── setsautoconfigurl.py
├── shifu_apis.py
├── sniffer_winpcap.py
├── spoofs_procname.py
├── spreading_autoruninf.py
├── stack_pivot.py
├── static_authenticode.py
├── static_java.py
├── static_pe_anomaly.py
├── static_rat_config.py
├── static_versioninfo_anomaly.py
├── stealth_childproc.py
├── stealth_file.py
├── stealth_hiddenreg.py
├── stealth_hidenotifications.py
├── stealth_network.py
├── stealth_timelimit.py
├── stealth_webhistory.py
├── stealth_window.py
├── suricata_alert.py
├── targeted_flame.py
├── tinba_apis.py
├── trojan_fleercivet_mutex.py
├── upatre_apis.py
├── vawtrak_apis.py
├── vawtrak_dll_apis.py
├── virus.py
├── volatility_sig.py
├── webmail_phish.py
└── whois_create.py
/.gitignore:
--------------------------------------------------------------------------------
1 | community.v12.suo
2 | UpgradeLog.htm
3 |
4 | # Ignore Python byte code
5 | *.pyc
6 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | This repository contains over 220 [Cuckoo Sandbox](http://www.cuckoosandbox.org) signature modules from the community, including
2 | those heavily modified for correctness, removal of false positives,
3 | and more detailed information. It also includes over 75 new signature modules provided under the GPL.
4 |
5 | Please note that many of these signature modules make use of extensive
6 | improvements to both Cuckoo and cuckoomon and are noted accordingly as requiring
7 | Cuckoo version "1.2".
8 |
9 | Since I will no longer have access to this account, I have created a fork of each of the repos at https://github.com/spender-sandbox/ which you may
10 | submit pull requests to that I will respond to quickly.
11 |
--------------------------------------------------------------------------------
/community.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2013
4 | VisualStudioVersion = 12.0.30501.0
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{888888A0-9F3D-457C-B088-3A5042F75D52}") = "community", "community.pyproj", "{5ADFFAE4-AD3E-4F6C-8519-7FB05B81B89C}"
7 | EndProject
8 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{42C278AF-03F0-4DA1-8A31-AE7C7666BE9F}"
9 | ProjectSection(SolutionItems) = preProject
10 | README.md = README.md
11 | EndProjectSection
12 | EndProject
13 | Global
14 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
15 | Debug|Any CPU = Debug|Any CPU
16 | Release|Any CPU = Release|Any CPU
17 | EndGlobalSection
18 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
19 | {5ADFFAE4-AD3E-4F6C-8519-7FB05B81B89C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
20 | {5ADFFAE4-AD3E-4F6C-8519-7FB05B81B89C}.Debug|Any CPU.Build.0 = Debug|Any CPU
21 | {5ADFFAE4-AD3E-4F6C-8519-7FB05B81B89C}.Release|Any CPU.ActiveCfg = Release|Any CPU
22 | {5ADFFAE4-AD3E-4F6C-8519-7FB05B81B89C}.Release|Any CPU.Build.0 = Release|Any CPU
23 | EndGlobalSection
24 | GlobalSection(SolutionProperties) = preSolution
25 | HideSolutionNode = FALSE
26 | EndGlobalSection
27 | EndGlobal
28 |
--------------------------------------------------------------------------------
/modules/machinemanagers/.gitignore:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/brad-sp/community-modified/6a13d5df9fd91d8e42384f0b921ff72d3bceb84d/modules/machinemanagers/.gitignore
--------------------------------------------------------------------------------
/modules/processing/.gitignore:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/brad-sp/community-modified/6a13d5df9fd91d8e42384f0b921ff72d3bceb84d/modules/processing/.gitignore
--------------------------------------------------------------------------------
/modules/reporting/.gitignore:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/brad-sp/community-modified/6a13d5df9fd91d8e42384f0b921ff72d3bceb84d/modules/reporting/.gitignore
--------------------------------------------------------------------------------
/modules/signatures/andromeda_apis.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class Andromeda_APIs(Signature):
19 | name = "andromeda_behavior"
20 | description = "Exhibits behavior characteristic of Andromeda/Gamarue malware"
21 | weight = 3
22 | severity = 3
23 | categories = ["trojan"]
24 | families = ["andromeda","gamarue"]
25 | authors = ["Optiv"]
26 | minimum = "1.3"
27 | evented = True
28 |
29 | def __init__(self, *args, **kwargs):
30 | Signature.__init__(self, *args, **kwargs)
31 | self.sysvolserial = self.get_environ_entry(self.get_initial_process(), "SystemVolumeSerialNumber")
32 | if self.sysvolserial:
33 | self.sysvolserial = int(self.sysvolserial.replace("-",""), 16)
34 |
35 | filter_apinames = set(["NtOpenEvent"])
36 |
37 | def on_call(self, call, process):
38 | eventname = self.get_argument(call, "EventName")
39 | try:
40 | eventname_int = int(eventname)
41 | if self.sysvolserial and eventname_int == self.sysvolserial ^ 0x696e6a63: # 'injc'
42 | return True
43 | except:
44 | pass
45 |
--------------------------------------------------------------------------------
/modules/signatures/antianalysis_detectfile.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 KillerInstinct
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class AntiAnalysisDetectFile(Signature):
8 | name = "antianalysis_detectfile"
9 | description = "Attempts to identify installed analysis tools by a known file location"
10 | severity = 3
11 | categories = ["anti-analysis"]
12 | authors = ["KillerInstinct"]
13 | minimum = "1.2"
14 |
15 | def run(self):
16 | file_indicators = [
17 | "^[A-Za-z]:\\\\analysis",
18 | "^[A-Za-z]:\\\\iDEFENSE",
19 | "^[A-Za-z]:\\\\popupkiller.exe$",
20 | "^[A-Za-z]:\\\\tools\\\\execute.exe$",
21 | "^[A-Za-z]:\\\\Program\\ Files(\\ \(x86\))?\\\\Fiddler",
22 | "^[A-Za-z]:\\\\ComboFix",
23 | ]
24 | ret = False
25 | for indicator in file_indicators:
26 | file_match = self.check_file(pattern=indicator, regex=True, all=True)
27 | if file_match:
28 | for match in file_match:
29 | self.data.append({"file" : match })
30 | ret = True
31 | return ret
32 |
--------------------------------------------------------------------------------
/modules/signatures/antianalysis_detectreg.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class AntiAnalysisDetectReg(Signature):
8 | name = "antianalysis_detectreg"
9 | description = "Attempts to identify installed analysis tools by registry key"
10 | severity = 3
11 | categories = ["anti-analysis"]
12 | authors = ["Optiv"]
13 | minimum = "1.2"
14 |
15 | def run(self):
16 | reg_indicators = [
17 | ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\App\\ Paths\\\\Wireshark\.exe$",
18 | ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\Wireshark$",
19 | ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\App\\ Paths\\\\Fiddler\.exe$",
20 | ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\App\\ Paths\\\\Fiddler2\.exe$",
21 | ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\Fiddler2$",
22 | ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Fiddler2$",
23 | ".*\\\\Software\\\\(Wow6432Node\\\\)?Classes\\\\SOFTWARE\\\\IEInspectorSoft.*",
24 | ".*\\\\Software\\\\(Wow6432Node\\\\)?Classes\\\\IEHTTPAnalyzer\.HTTPAnalyzerAddon$",
25 | ".*\\\\Software\\\\(Wow6432Node\\\\)?Classes\\\\IEHTTPAnalyzerStd\.HTTPAnalyzerStandAlone$",
26 | ".*\\\\Software\\\\(Wow6432Node\\\\)?Classes\\\\Charles\.AMF\.Document$",
27 | ".*\\\\Software\\\\(Wow6432Node\\\\)?XK72\\ Ltd\\ folder$",
28 | ]
29 | found = False
30 | for indicator in reg_indicators:
31 | reg_match = self.check_key(pattern=indicator, regex=True, all=True)
32 | if reg_match:
33 | for match in reg_match:
34 | self.data.append({"key" : match })
35 | found = True
36 | return found
37 |
--------------------------------------------------------------------------------
/modules/signatures/antiav_avast_libs.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class AvastDetectLibs(Signature):
19 | name = "antiav_avast_libs"
20 | description = "Detects Avast Antivirus through the presence of a library"
21 | severity = 3
22 | categories = ["anti-av"]
23 | authors = ["Optiv"]
24 | minimum = "1.2"
25 | evented = True
26 |
27 | filter_apinames = set(["LdrLoadDll", "LdrGetDllHandle"])
28 |
29 | def on_call(self, call, process):
30 | dllname = self.get_argument(call, "FileName")
31 | if "snxhk" in dllname.lower():
32 | return True
33 |
--------------------------------------------------------------------------------
/modules/signatures/antiav_bitdefender_libs.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class BitdefenderDetectLibs(Signature):
19 | name = "antiav_bitdefender_libs"
20 | description = "Detects Bitdefender Antivirus through the presence of a library"
21 | severity = 3
22 | categories = ["anti-av"]
23 | authors = ["Optiv"]
24 | minimum = "1.2"
25 | evented = True
26 |
27 | filter_apinames = set(["LdrLoadDll", "LdrGetDllHandle"])
28 |
29 | def on_call(self, call, process):
30 | dllname = self.get_argument(call, "FileName")
31 | if "avcuf32" in dllname.lower():
32 | return True
33 |
--------------------------------------------------------------------------------
/modules/signatures/antiav_servicestop.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | try:
6 | import re2 as re
7 | except ImportError:
8 | import re
9 |
10 | from lib.cuckoo.common.abstracts import Signature
11 |
12 | class AntiAVServiceStop(Signature):
13 | name = "antiav_servicestop"
14 | description = "Attempts to stop active services"
15 | severity = 3
16 | categories = ["anti-av"]
17 | authors = ["Optiv"]
18 | minimum = "1.2"
19 | evented = True
20 |
21 | def __init__(self, *args, **kwargs):
22 | Signature.__init__(self, *args, **kwargs)
23 | self.handles = dict()
24 | self.lastprocess = 0
25 | self.stoppedservices = []
26 |
27 | filter_apinames = set(["OpenServiceW", "OpenServiceA", "ControlService"])
28 |
29 | def on_call(self, call, process):
30 | if process is not self.lastprocess:
31 | self.handles = dict()
32 | self.lastprocess = process
33 |
34 | if (call["api"] == "OpenServiceA" or call["api"] == "OpenServiceW") and call["status"]:
35 | handle = int(call["return"], 16)
36 | self.handles[handle] = self.get_argument(call, "ServiceName")
37 | elif call["api"] == "ControlService":
38 | handle = int(self.get_argument(call, "ServiceHandle"), 16)
39 | code = int(self.get_argument(call, "ControlCode"), 10)
40 | if code == 1 and handle in self.handles and self.handles[handle] not in self.stoppedservices:
41 | self.stoppedservices.append(self.handles[handle])
42 |
43 | def on_complete(self):
44 | ret = False
45 | if self.stoppedservices:
46 | ret = True
47 | for service in self.stoppedservices:
48 | self.data.append({"servicename" : service })
49 | return ret
50 |
--------------------------------------------------------------------------------
/modules/signatures/antiav_srp.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class AntiAVSRP(Signature):
8 | name = "antiav_srp"
9 | description = "Modifies Software Restriction Policies likely to cripple AV"
10 | severity = 3
11 | categories = ["anti-av"]
12 | authors = ["Optiv"]
13 | minimum = "1.2"
14 |
15 | def run(self):
16 | match_key = self.check_write_key(".*\\\\Policies\\\\Microsoft\\\\Windows\\\\Safer\\\\\CodeIdentifiers\\\\0\\\\Paths\\\\.*", regex=True, all=True)
17 | if match_key:
18 | for match in match_key:
19 | self.data.append({"key" : match})
20 | return True
21 | return False
22 |
--------------------------------------------------------------------------------
/modules/signatures/antidbg_devices.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012 Claudio "nex" Guarnieri (@botherder)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class AntiDBGDevices(Signature):
19 | name = "antidbg_devices"
20 | description = "Checks for the presence of known devices from debuggers and forensic tools"
21 | severity = 3
22 | categories = ["anti-debug"]
23 | authors = ["nex"]
24 | minimum = "0.5"
25 |
26 | def run(self):
27 | indicators = [
28 | ".*SICE$",
29 | ".*SIWVID$",
30 | ".*SIWDEBUG$",
31 | ".*NTICE$",
32 | ".*REGVXG$",
33 | ".*FILEVXG$",
34 | ".*REGSYS$",
35 | ".*FILEM$",
36 | ".*TRW$",
37 | ".*ICEXT$"
38 | ]
39 |
40 | for indicator in indicators:
41 | if self.check_file(pattern=indicator, regex=True):
42 | return True
43 |
44 | return False
45 |
--------------------------------------------------------------------------------
/modules/signatures/antiemu_wine.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012 Claudio "nex" Guarnieri (@botherder)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class WineDetectReg(Signature):
19 | name = "antiemu_wine_reg"
20 | description = "Detects the presence of Wine emulator via registry key"
21 | severity = 3
22 | categories = ["anti-emulation"]
23 | authors = ["nex"]
24 | minimum = "0.5"
25 |
26 | def run(self):
27 | return self.check_key(pattern="HKEY_CURRENT_USER\\Software\\Wine")
28 |
--------------------------------------------------------------------------------
/modules/signatures/antiemu_wine_func.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class WineDetectFunc(Signature):
19 | name = "antiemu_wine_func"
20 | description = "Detects the presence of Wine emulator via function name"
21 | severity = 3
22 | categories = ["anti-emulation"]
23 | authors = ["Optiv"]
24 | minimum = "1.0"
25 | evented = True
26 |
27 | filter_apinames = set(["LdrGetProcedureAddress"])
28 |
29 | def on_call(self, call, process):
30 | funcname = self.get_argument(call, "FunctionName")
31 | if not call["status"] and funcname == "wine_get_unix_file_name":
32 | return True
--------------------------------------------------------------------------------
/modules/signatures/antisandbox_cuckoo.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class AntiCuckoo(Signature):
19 | name = "antisandbox_cuckoo"
20 | description = "Employs AntiCuckoo detection techniques"
21 | severity = 3
22 | weight = 3
23 | categories = ["anti-sandbox"]
24 | authors = ["Optiv"]
25 | minimum = "1.3"
26 | evented = True
27 |
28 | filter_categories = set(["__notification__"])
29 |
30 | def __init__(self, *args, **kwargs):
31 | Signature.__init__(self, *args, **kwargs)
32 |
33 | def on_call(self, call, process):
34 | subcategory = self.check_argument_call(call,
35 | api="__anomaly__",
36 | name="Subcategory",
37 | pattern="anticuckoo")
38 | if subcategory:
39 | return True
40 |
--------------------------------------------------------------------------------
/modules/signatures/antisandbox_joe_anubis_files.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Kevin Ross
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class SandboxJoeAnubisDetectFiles(Signature):
19 | name = "antisandbox_joe_anubis_files"
20 | description = "Detects Joe or Anubis Sandboxes through the presence of a file"
21 | severity = 3
22 | categories = ["anti-sandbox"]
23 | authors = ["Kevin Ross"]
24 | minimum = "0.5"
25 |
26 | def run(self):
27 | indicators = [
28 | "C\:\\\\sample\.exe$",
29 | "C\:\\\\InsideTm\\\\.*",
30 | ]
31 |
32 | for indicator in indicators:
33 | if self.check_file(pattern=indicator, regex=True):
34 | return True
35 |
36 | return False
37 |
--------------------------------------------------------------------------------
/modules/signatures/antisandbox_mouse_hook.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012 Claudio "nex" Guarnieri (@botherder)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class HookMouse(Signature):
19 | name = "antisandbox_mouse_hook"
20 | description = "Installs an hook procedure to monitor for mouse events"
21 | severity = 3
22 | categories = ["hooking", "anti-sandbox"]
23 | authors = ["nex"]
24 | minimum = "1.0"
25 | evented = True
26 |
27 | filter_apinames = set(["SetWindowsHookExA", "SetWindowsHookExW"])
28 |
29 |
30 | def on_call(self, call, process):
31 | if int(self.get_argument(call, "HookIdentifier")) in [7, 14]:
32 | if int(self.get_argument(call, "ThreadId")) == 0:
33 | return True
34 |
--------------------------------------------------------------------------------
/modules/signatures/antisandbox_productid.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2013,2015 Claudio "nex" Guarnieri (@botherder), Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class GetProductID(Signature):
19 | name = "antisandbox_productid"
20 | description = "Retrieves Windows ProductID, probably to fingerprint the sandbox"
21 | severity = 3
22 | categories = ["anti-sandbox"]
23 | authors = ["nex", "Optiv"]
24 | minimum = "1.2"
25 |
26 | def run(self):
27 | indicators = [
28 | ".*\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\ProductId$",
29 | ".*\\\\Microsoft\\\\Internet\\ Explorer\\\\Registration\\\\ProductId$",
30 | ]
31 | for indicator in indicators:
32 | if self.check_read_key(pattern=indicator, regex=True):
33 | return True
34 | return False
--------------------------------------------------------------------------------
/modules/signatures/antisandbox_sboxie_libs.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014-2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class SandboxieDetectLibs(Signature):
19 | name = "antisandbox_sboxie_libs"
20 | description = "Detects Sandboxie through the presence of a library"
21 | severity = 3
22 | categories = ["anti-sandbox"]
23 | authors = ["Optiv"]
24 | minimum = "1.2"
25 | evented = True
26 |
27 | filter_apinames = set(["LdrLoadDll", "LdrGetDllHandle"])
28 |
29 | def on_call(self, call, process):
30 | dllname = self.get_argument(call, "FileName")
31 | if "sbiedll" in dllname.lower():
32 | return True
33 |
--------------------------------------------------------------------------------
/modules/signatures/antisandbox_sboxie_mutex.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 KillerInstinct
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class AntisandboxSboxieMutex(Signature):
19 | name = "antisandbox_sboxie_mutex"
20 | description = "Detects Sandboxie using a known mutex"
21 | severity = 3
22 | categories = ["antisandbox"]
23 | authors = ["KillerInstinct"]
24 | minimum = "1.2"
25 |
26 | def run(self):
27 | indicators = [
28 | "Sandboxie_SingleInstanceMutex_Control",
29 | ]
30 |
31 | for indicator in indicators:
32 | if self.check_mutex(pattern=indicator, regex=True):
33 | return True
34 |
35 | return False
36 |
--------------------------------------------------------------------------------
/modules/signatures/antisandbox_sboxie_objects.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 KillerInstinct
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class AntiSandboxSboxieObjects(Signature):
19 | name = "antisandbox_sboxie_objects"
20 | description = "The sample enumerated a known Sandboxie device object."
21 | severity = 3
22 | categories = ["antisandbox"]
23 | authors = ["KillerInstinct"]
24 | minimum = "1.0"
25 | evented = True
26 |
27 | def __init__(self, *args, **kwargs):
28 | Signature.__init__(self, *args, **kwargs)
29 |
30 | filter_apinames = set(["NtOpenDirectoryObject"])
31 |
32 | def on_call(self, call, process):
33 | objectattr = self.get_argument(call, "ObjectAttributes")
34 | if len(objectattr) >= 10:
35 | if objectattr[2:10] == r"\Sandbox":
36 | return True
37 |
--------------------------------------------------------------------------------
/modules/signatures/antisandbox_sunbelt_files.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Kevin Ross
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class SunbeltDetectFiles(Signature):
19 | name = "antisandbox_sunbelt_files"
20 | description = "Detects Sunbelt Sandbox through the presence of a file"
21 | severity = 3
22 | categories = ["anti-sandbox"]
23 | authors = ["Kevin Ross"]
24 | minimum = "0.5"
25 |
26 | def run(self):
27 | indicators = [
28 | ".*\\\\SandboxStarter\.exe$",
29 | "C\:\\\\analysis\\\\.*",
30 | ]
31 |
32 | for indicator in indicators:
33 | if self.check_file(pattern=indicator, regex=True):
34 | return True
35 |
36 | return False
37 |
--------------------------------------------------------------------------------
/modules/signatures/antisandbox_sunbelt_libs.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class SunbeltDetectLibs(Signature):
19 | name = "antisandbox_sunbelt_libs"
20 | description = "Detects SunBelt Sandbox through the presence of a library"
21 | severity = 3
22 | categories = ["anti-sandbox"]
23 | authors = ["Optiv"]
24 | minimum = "1.2"
25 | evented = True
26 |
27 | filter_apinames = set(["LdrLoadDll", "LdrGetDllHandle"])
28 |
29 | def on_call(self, call, process):
30 | indicators = [
31 | "api_log",
32 | "dir_watch"
33 | ]
34 | dllname = self.get_argument(call, "FileName").lower()
35 |
36 | for indicator in indicators:
37 | if indicator in dllname:
38 | return True
39 |
--------------------------------------------------------------------------------
/modules/signatures/antisandbox_suspend.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class AntiSandboxSuspend(Signature):
19 | name = "antisandbox_suspend"
20 | description = "Tries to suspend Cuckoo threads to prevent logging of malicious activity"
21 | severity = 3
22 | confidence = 80
23 | categories = ["anti-sandbox"]
24 | authors = ["Optiv"]
25 | minimum = "1.3"
26 | evented = True
27 |
28 | filter_apinames = set(["NtSuspendThread"])
29 |
30 | def __init__(self, *args, **kwargs):
31 | Signature.__init__(self, *args, **kwargs)
32 |
33 | def on_call(self, call, process):
34 | alert = self.get_argument(call, "Alert")
35 | if alert:
36 | return True
37 |
--------------------------------------------------------------------------------
/modules/signatures/antivm_generic_bios.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2013,2015 Claudio "nex" Guarnieri (@botherder), Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class AntiVMBios(Signature):
19 | name = "antivm_generic_bios"
20 | description = "Checks the version of Bios, possibly for anti-virtualization"
21 | severity = 3
22 | categories = ["anti-vm"]
23 | authors = ["nex", "Optiv"]
24 | minimum = "1.2"
25 |
26 | def run(self):
27 | if self.check_read_key(pattern=".*\\\\HARDWARE\\\\DESCRIPTION\\\\System\\\\(SystemBiosVersion|VideoBiosVersion)$", regex=True):
28 | return True
29 | return False
--------------------------------------------------------------------------------
/modules/signatures/antivm_generic_cpu.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class AntiVMCPU(Signature):
19 | name = "antivm_generic_cpu"
20 | description = "Checks the CPU name from registry, possibly for anti-virtualization"
21 | severity = 3
22 | categories = ["anti-vm"]
23 | authors = ["Optiv"]
24 | minimum = "1.2"
25 |
26 | def run(self):
27 | if self.check_read_key(pattern=r'.*\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\[^\\]+\\ProcessorNameString$', regex=True):
28 | return True
29 | return False
--------------------------------------------------------------------------------
/modules/signatures/antivm_generic_disk_setupapi.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class SetupAPIDiskInformation(Signature):
19 | name = "antivm_generic_disk_setupapi"
20 | description = "Queries information on disks for anti-virtualization via Device Information APIs"
21 | severity = 3
22 | categories = ["anti-vm"]
23 | authors = ["Optiv"]
24 | minimum = "1.3"
25 | evented = True
26 |
27 | def __init__(self, *args, **kwargs):
28 | Signature.__init__(self, *args, **kwargs)
29 |
30 | filter_apinames = set(["SetupDiGetClassDevsA","SetupDiGetClassDevsW"])
31 |
32 | def on_call(self, call, process):
33 | known = self.get_argument(call, "Known")
34 | if known and known in ("DiskDrive", "CDROM"):
35 | return True
36 |
--------------------------------------------------------------------------------
/modules/signatures/antivm_generic_diskreg.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012,2015 Claudio "nex" Guarnieri (@botherder), Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class AntiVMDiskReg(Signature):
19 | name = "antivm_generic_diskreg"
20 | description = "Checks the presence of disk drives in the registry, possibly for anti-virtualization"
21 | severity = 3
22 | confidence = 50
23 | categories = ["anti-vm"]
24 | authors = ["nex"]
25 | minimum = "0.5"
26 |
27 | def run(self):
28 | indicators = [
29 | ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\IDE$",
30 | ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Services\\\\Disk\\\\Enum\\\\.*",
31 | ]
32 | for indicator in indicators:
33 | if self.check_key(pattern=indicator, regex=True):
34 | return True
35 | return False
36 |
--------------------------------------------------------------------------------
/modules/signatures/antivm_generic_system.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class AntiVMSystem(Signature):
19 | name = "antivm_generic_system"
20 | description = "Checks the system manufacturer, likely for anti-virtualization"
21 | severity = 3
22 | categories = ["anti-vm"]
23 | authors = ["Optiv"]
24 | minimum = "1.2"
25 |
26 | def run(self):
27 | if self.check_read_key(pattern= ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Control\\\\SystemInformation\\\\SystemManufacturer$", regex=True):
28 | return True
29 |
30 | return False
--------------------------------------------------------------------------------
/modules/signatures/antivm_vbox_acpi.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012 Claudio "nex" Guarnieri (@botherder), Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class VBoxDetectACPI(Signature):
19 | name = "antivm_vbox_acpi"
20 | description = "Detects VirtualBox using ACPI tricks"
21 | severity = 3
22 | categories = ["anti-vm"]
23 | authors = ["nex", "Optiv"]
24 | minimum = "1.2"
25 |
26 | def run(self):
27 | if self.check_key(pattern=".*\\\\HARDWARE\\\\ACPI\\\\(DSDT|FADT|RSDT)\\\\VBOX__$", regex=True):
28 | return True
29 |
30 | return False
31 |
--------------------------------------------------------------------------------
/modules/signatures/antivm_vbox_devices.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012 Claudio "nex" Guarnieri (@botherder)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class VBoxDetectDevices(Signature):
19 | name = "antivm_vbox_devices"
20 | description = "Detects VirtualBox through the presence of a device"
21 | severity = 3
22 | categories = ["anti-vm"]
23 | authors = ["nex"]
24 | minimum = "1.2"
25 |
26 | def run(self):
27 | indicators = [
28 | ".*\\VBoxGuest$",
29 | ".*\\VBoxMouse$",
30 | ".*\\VBoxVideo$",
31 | ".*\\VBoxMiniRdrDN$",
32 | ".*\\VBoxTrayIPC$",
33 | ]
34 |
35 | for indicator in indicators:
36 | if self.check_file(pattern=indicator):
37 | return True
38 |
39 | return False
40 |
--------------------------------------------------------------------------------
/modules/signatures/antivm_vbox_keys.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012 Claudio "nex" Guarnieri (@botherder)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class VBoxDetectKeys(Signature):
19 | name = "antivm_vbox_keys"
20 | description = "Detects VirtualBox through the presence of a registry key"
21 | severity = 3
22 | categories = ["anti-vm"]
23 | authors = ["nex"]
24 | minimum = "0.5"
25 |
26 | def run(self):
27 | return self.check_key(pattern=".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Oracle\\\\VirtualBox\\ Guest\\ Additions$",
28 | regex=True)
29 |
--------------------------------------------------------------------------------
/modules/signatures/antivm_vbox_libs.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012 Claudio "nex" Guarnieri (@botherder)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class VBoxDetectLibs(Signature):
19 | name = "antivm_vbox_libs"
20 | description = "Detects VirtualBox through the presence of a library"
21 | severity = 3
22 | categories = ["anti-vm"]
23 | authors = ["nex"]
24 | minimum = "1.3"
25 | evented = True
26 |
27 | filter_apinames = set(["LdrLoadDll"])
28 |
29 | def on_call(self, call, process):
30 | indicators = [
31 | "VBoxDisp.dll",
32 | "VBoxHook.dll",
33 | "VBoxMRXNP.dll",
34 | "VBoxOGL.dll",
35 | "VBoxOGLarrayspu.dll",
36 | "VBoxOGLcrutil.dll",
37 | "VBoxOGLerrorspu.dll",
38 | "VBoxOGLfeedbackspu.dll",
39 | "VBoxOGLpackspu.dll",
40 | "VBoxOGLpassthroughspu.dll"
41 | ]
42 |
43 | for indicator in indicators:
44 | if self.check_argument_call(call,
45 | pattern=indicator,
46 | name="FileName",
47 | ignorecase=True):
48 | return True
49 |
--------------------------------------------------------------------------------
/modules/signatures/antivm_vbox_provname.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class VBoxDetectProvname(Signature):
19 | name = "antivm_vbox_provname"
20 | description = "Detects VirtualBox using WNetGetProviderName trick"
21 | severity = 3
22 | categories = ["anti-vm"]
23 | authors = ["Optiv"]
24 | minimum = "1.3"
25 | evented = True
26 |
27 | def __init__(self, *args, **kwargs):
28 | Signature.__init__(self, *args, **kwargs)
29 |
30 | filter_apinames = set(["WNetGetProviderNameW"])
31 |
32 | def on_call(self, call, process):
33 | nettype = int(self.get_argument(call, "NetType"))
34 | if nettype == 0x250000:
35 | return True
--------------------------------------------------------------------------------
/modules/signatures/antivm_vbox_window.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012 Claudio "nex" Guarnieri (@botherder)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class VBoxDetectWindow(Signature):
19 | name = "antivm_vbox_window"
20 | description = "Detects VirtualBox through the presence of a window"
21 | severity = 3
22 | categories = ["anti-vm"]
23 | authors = ["nex"]
24 | minimum = "1.3"
25 | evented = True
26 |
27 | filter_categories = set(["windows"])
28 |
29 | def on_call(self, call, process):
30 | indicators = [
31 | "VBoxTrayToolWndClass",
32 | "VBoxTrayToolWnd"
33 | ]
34 |
35 | for indicator in indicators:
36 | if self.check_argument_call(call, pattern=indicator, ignorecase=True):
37 | self.data.append({"window" : indicator})
38 | return True
39 |
--------------------------------------------------------------------------------
/modules/signatures/antivm_vmware_devices.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class VMwareDetectDevices(Signature):
19 | name = "antivm_vmware_devices"
20 | description = "Detects VMware through the presence of a device"
21 | severity = 3
22 | categories = ["anti-vm"]
23 | authors = ["Optiv"]
24 | minimum = "1.2"
25 |
26 | def run(self):
27 | indicators = [
28 | "\\??\\vmci",
29 | "\\??\\HGFS"
30 | ]
31 |
32 | for indicator in indicators:
33 | if self.check_file(pattern=indicator):
34 | return True
35 |
36 | return False
37 |
--------------------------------------------------------------------------------
/modules/signatures/antivm_vmware_events.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 KillerInstinct
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class VMwareDetectEvent(Signature):
19 | name = "antivm_vmware_events"
20 | description = "Detects VMware through Opening/Creating VMware specific events"
21 | severity = 3
22 | categories = ["anti-vm"]
23 | authors = ["KillerInstinct"]
24 | minimum = "1.2"
25 | evented = True
26 |
27 | def __init__(self, *args, **kwargs):
28 | Signature.__init__(self, *args, **kwargs)
29 | self.matches = list()
30 |
31 | filter_apinames = set(["NtCreateEvent", "NtOpenEvent"])
32 |
33 | def on_call(self, call, process):
34 | vmware_events = [
35 | "VMwareToolsDumpStateEvent_vmusr",
36 | "VMwareToolsQuitEvent_vmusr",
37 | "VMwareToolsDumpStateEvent_vmsvc",
38 | "VMwareToolsQuitEvent_vmsvc",
39 | "VMToolsWindowEvent",
40 | "VMToolsHookQueueEvent",
41 | ]
42 |
43 | event = self.get_argument(call, "EventName")
44 | for check in vmware_events:
45 | if check in event:
46 | self.matches.append(event)
47 |
48 | def on_complete(self):
49 | ret = False
50 | if self.matches:
51 | ret = True
52 | for item in self.matches:
53 | self.data.append({"Event": item})
54 |
55 | return ret
56 |
--------------------------------------------------------------------------------
/modules/signatures/antivm_vmware_files.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class VMwareDetectFiles(Signature):
19 | name = "antivm_vmware_files"
20 | description = "Detects VMware through the presence of a file"
21 | severity = 3
22 | categories = ["anti-vm"]
23 | authors = ["Optiv"]
24 | minimum = "1.2"
25 |
26 | def run(self):
27 | indicators = [
28 | ".*\\\\drivers\\\\vmmouse\.sys$",
29 | ".*\\\\drivers\\\\vmhgfs\.sys$",
30 | ".*\\\\VMware\\ Tools\\\\TPAutoConnSvc.exe$",
31 | ".*\\\\VMware\\ Tools\\\\TPAutoConnSvc.exe.dll$",
32 | ]
33 |
34 | for indicator in indicators:
35 | if self.check_file(pattern=indicator, regex=True):
36 | return True
37 |
38 | return False
39 |
--------------------------------------------------------------------------------
/modules/signatures/antivm_vmware_keys.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class VMwareDetectKeys(Signature):
19 | name = "antivm_vmware_keys"
20 | description = "Detects VMware through the presence of a registry key"
21 | severity = 3
22 | categories = ["anti-vm"]
23 | authors = ["Optiv"]
24 | minimum = "1.2"
25 |
26 | def run(self):
27 | return self.check_key(pattern=".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?VMWare,\\ Inc\..*",
28 | regex=True)
29 |
--------------------------------------------------------------------------------
/modules/signatures/antivm_vmware_libs.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class VMwareDetectLibs(Signature):
19 | name = "antivm_vmware_libs"
20 | description = "Detects VMware through the presence of a library"
21 | severity = 3
22 | categories = ["anti-vm"]
23 | authors = ["Optiv"]
24 | minimum = "1.3"
25 | evented = True
26 |
27 | filter_apinames = set(["LdrLoadDll"])
28 |
29 | def on_call(self, call, process):
30 | indicators = [
31 | "vmGuestLib.dll",
32 | ]
33 |
34 | for indicator in indicators:
35 | if self.check_argument_call(call,
36 | pattern=indicator,
37 | name="FileName",
38 | ignorecase=True):
39 | return True
40 |
--------------------------------------------------------------------------------
/modules/signatures/antivm_vmware_mutexes.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 KillerInstinct
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class VMwareDetectMutexes(Signature):
19 | name = "antivm_vmware_mutexes"
20 | description = "Attempts to detect VMware using known mutexes"
21 | severity = 3
22 | categories = ["antivm"]
23 | authors = ["KillerInstinct"]
24 | minimum = "0.5"
25 |
26 | def run(self):
27 | ret = False
28 | indicators = [
29 | ".*VMwareGuestDnDDataMutex$",
30 | ".*VMwareGuestCopyPasteMutex$",
31 | ".*VMToolsHookQueueLock$",
32 | ".*HGFSMUTEX.*",
33 | ]
34 |
35 | for indicator in indicators:
36 | match = self.check_mutex(pattern=indicator, regex=True)
37 | if match:
38 | self.data.append({"mutex": match})
39 | ret = True
40 |
41 | return ret
42 |
--------------------------------------------------------------------------------
/modules/signatures/antivm_vpc_files.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class VPCDetectFiles(Signature):
19 | name = "antivm_vpc_files"
20 | description = "Detects Virtual PC through the presence of a file"
21 | severity = 3
22 | categories = ["anti-vm"]
23 | authors = ["Optiv"]
24 | minimum = "1.2"
25 |
26 | def run(self):
27 | indicators = [
28 | ".*\\\\drivers\\\\vpc-s3\.sys$",
29 | ".*\\\\drivers\\\\vpcubus\.sys$",
30 | ]
31 |
32 | for indicator in indicators:
33 | if self.check_file(pattern=indicator, regex=True):
34 | return True
35 |
36 | return False
37 |
--------------------------------------------------------------------------------
/modules/signatures/antivm_vpc_keys.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class VPCDetectKeys(Signature):
19 | name = "antivm_vpc_keys"
20 | description = "Detects Virtual PC through the presence of a registry key"
21 | severity = 3
22 | categories = ["anti-vm"]
23 | authors = ["Optiv"]
24 | minimum = "1.2"
25 |
26 | def run(self):
27 | return self.check_key(pattern=".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Services\\\\vpc-s3$", regex=True)
28 |
--------------------------------------------------------------------------------
/modules/signatures/antivm_vpc_mutex.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 KillerInstinct
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class VPCDetectMutex(Signature):
19 | name = "antivm_vpc_mutex"
20 | description = "Detects Virtual PC using a known mutex"
21 | severity = 3
22 | categories = ["anti-vm"]
23 | authors = ["KillerInstinct"]
24 | minimum = "1.2"
25 |
26 | def run(self):
27 | indicators = [
28 | "MicrosoftVirtualPC7UserServiceMakeSureWe'reTheOnlyOneMutex"
29 | ]
30 |
31 | for indicator in indicators:
32 | if self.check_mutex(pattern=indicator, regex=True):
33 | return True
34 |
35 | return False
36 |
--------------------------------------------------------------------------------
/modules/signatures/banker_prinimalka.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2013 Claudio "nex" Guarnieri (@botherder)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class Prinimalka(Signature):
19 | name = "banker_prinimalka"
20 | description = "Detected Prinimalka banking trojan"
21 | severity = 3
22 | categories = ["banker"]
23 | families = ["prinimalka"]
24 | authors = ["nex"]
25 | minimum = "1.0"
26 | evented = True
27 |
28 | filter_apinames = set(["RegSetValueExA","RegSetValueExW"])
29 |
30 | def on_call(self, call, process):
31 | if self.get_argument(call, "ValueName").endswith("_opt_server1"):
32 | server = self.get_argument(call, "Buffer").rstrip("\\x00")
33 | self.description += " (C&C: {0})".format(server)
34 | return True
35 |
--------------------------------------------------------------------------------
/modules/signatures/banker_spyeye_mutex.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012 Claudio "nex" Guarnieri (@botherder)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class SpyEyeMutexes(Signature):
19 | name = "banker_spyeye_mutexes"
20 | description = "Creates known SpyEye mutexes"
21 | severity = 3
22 | categories = ["banker"]
23 | families = ["spyeye"]
24 | authors = ["nex"]
25 | minimum = "0.5"
26 |
27 | def run(self):
28 | indicators = [
29 | "zXeRY3a_PtW.*",
30 | "SPYNET",
31 | "__CLEANSWEEP__",
32 | "__CLEANSWEEP_UNINSTALL__",
33 | "__CLEANSWEEP_RELOADCFG__"
34 | ]
35 |
36 | for indicator in indicators:
37 | if self.check_mutex(pattern=indicator, regex=True):
38 | return True
39 |
40 | return False
41 |
--------------------------------------------------------------------------------
/modules/signatures/banker_zeus_url.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 Robby Zeitfuchs (@robbyFux)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class ZeusURL(Signature):
19 | name = "banker_zeus_url"
20 | description = "Contacts C&C server HTTP check-in (Banking Trojan)"
21 | severity = 3
22 | categories = ["banker"]
23 | authors = ["Robby Zeitfuchs"]
24 | minimum = "0.5"
25 | references = ["https://zeustracker.abuse.ch/blocklist.php?download=compromised"]
26 |
27 | def run(self):
28 | indicators = [
29 | ".*\/config\.bin",
30 | ".*\/gate\.php",
31 | ".*\/cfg\.bin",
32 | ]
33 |
34 | for indicator in indicators:
35 | match = self.check_url(pattern=indicator, regex=True)
36 | if match:
37 | self.data.append({"url": match})
38 | return True
39 |
40 | return False
41 |
--------------------------------------------------------------------------------
/modules/signatures/bitcoin_opencl.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2013 Claudio "nex" Guarnieri (@botherder)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class BitcoinOpenCL(Signature):
19 | name = "bitcoin_opencl"
20 | description = "Installs OpenCL library, probably to mine Bitcoins"
21 | severity = 2
22 | categories = ["bitcoin"]
23 | authors = ["nex"]
24 | minimum = "0.5"
25 |
26 | def run(self):
27 | if self.check_file(pattern=".*OpenCL\.dll$", regex=True):
28 | return True
29 |
30 | return False
31 |
--------------------------------------------------------------------------------
/modules/signatures/bot_athenahttp.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 jjones
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | try:
17 | import re2 as re
18 | except ImportError:
19 | import re
20 |
21 | from lib.cuckoo.common.abstracts import Signature
22 |
23 | class AthenaHttp(Signature):
24 | name = "bot_athenahttp"
25 | description = "Recognized to be an Athena HTTP bot"
26 | severity = 3
27 | categories = ["bot", "ddos"]
28 | families = ["athenahttp"]
29 | authors = ["jjones", "nex"]
30 | minimum = "0.5"
31 |
32 | def run(self):
33 | indicators = [
34 | "UPDATE__",
35 | "MAIN_.*",
36 | "BACKUP_.*"
37 | ]
38 |
39 | count = 0
40 | for indicator in indicators:
41 | if self.check_mutex(pattern=indicator, regex=True):
42 | count += 1
43 |
44 | if count == len(indicators):
45 | return True
46 |
47 | athena_http_re = re.compile("a=(%[A-Fa-f0-9]{2})+&b=[-A-Za-z0-9+/]+(%3[dD])*&c=(%[A-Fa-f0-9]{2})+")
48 |
49 | if "network" in self.results:
50 | httpitems = self.results["network"].get("http")
51 | if not httpitems:
52 | return False
53 | for http in httpitems:
54 | if http["method"] == "POST" and athena_http_re.search(http["body"]):
55 | self.data.append({"url" : http["uri"], "data" : http["body"]})
56 | return True
57 |
58 | return False
59 |
--------------------------------------------------------------------------------
/modules/signatures/bot_dirtjumper.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012-2014 Claudio "nex" Guarnieri (@botherder)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class DirtJumper(Signature):
19 | name = "bot_dirtjumper"
20 | description = "Recognized to be a DirtJumper bot"
21 | severity = 3
22 | categories = ["bot", "ddos"]
23 | families = ["dirtjumper"]
24 | authors = ["nex","jjones"]
25 | minimum = "0.5"
26 |
27 | def run(self):
28 | if "network" in self.results:
29 | httpitems = self.results["network"].get("http")
30 | if not httpitems:
31 | return False
32 | for http in httpitems:
33 | if http["method"] == "POST" and http["body"].startswith("k=") and http.get("user-agent", "") == "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)":
34 | self.data.append({"url" : http["uri"], "data" : http["body"]})
35 | return True
36 |
37 | return False
38 |
--------------------------------------------------------------------------------
/modules/signatures/bot_drive.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 jjones
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | try:
17 | import re2 as re
18 | except ImportError:
19 | import re
20 |
21 | from lib.cuckoo.common.abstracts import Signature
22 |
23 | class Drive(Signature):
24 | name = "bot_drive"
25 | description = "Recognized to be a Drive bot"
26 | severity = 3
27 | categories = ["bot", "ddos"]
28 | families = ["drive"]
29 | authors = ["jjones", "nex"]
30 | minimum = "0.5"
31 |
32 | def run(self):
33 | drive_ua_re = re.compile("Mozilla/5.0 \(Windows NT [56].1; (WOW64; )?rv:(9|1[0-7]).0\) Gecko/20100101 Firefox/(9|1[0-7]).0|Mozilla/4.0 \(compatible; MSIE 8.0; Windows NT [56].1; (WOW64; )?Trident/4.0; SLCC2; .NET CLR 2.0.[0-9]{6}; .NET CLR 3.5.[0-9]{6}; .NET CLR 3.0.[0-9]{6}|Opera/9.80 \(Windows NT [56].1; (WOW64; )?U; Edition [a-zA-Z]+ Local; ru\) Presto/2.10.289 Version/([5-9]|1[0-2]).0[0-9]")
34 |
35 | if "network" in self.results:
36 | httpitems = self.results["network"].get("http")
37 | if not httpitems:
38 | return False
39 | for http in httpitems:
40 | if http["method"] == "POST" and http["body"].startswith("k=") and drive_ua_re.search(http.get("user-agent", "")):
41 | self.data.append({"url" : http["uri"], "data" : http["body"]})
42 | return True
43 |
44 | return False
45 |
--------------------------------------------------------------------------------
/modules/signatures/bot_madness.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 thedude13
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | try:
17 | import re2 as re
18 | except ImportError:
19 | import re
20 |
21 | from lib.cuckoo.common.abstracts import Signature
22 |
23 | class Madness(Signature):
24 | name = "bot_madness"
25 | description = "Recognized to be an Madness bot"
26 | severity = 3
27 | categories = ["bot", "ddos"]
28 | families = ["madness"]
29 | authors = ["thedude13", "nex"]
30 | minimum = "0.5"
31 |
32 | def run(self):
33 | madness_re = re.compile("\?uid\x3d[0-9]{8}&ver\x3d[0-9].[0-9]{2}&mk\x3d[0-9a-f]{6}&os\x3d[A-Za-z0-9]+&rs\x3d[a-z]+&c\x3d[0-1]&rq\x3d[0-1]")
34 |
35 | if "network" in self.results:
36 | httpitems = self.results["network"].get("http")
37 | if not httpitems:
38 | return False
39 | for http in httpitems:
40 | if http["method"] == "GET" and madness_re.search(http["uri"]):
41 | self.data.append({"url" : http["uri"], "data" : http["uri"]})
42 | return True
43 |
44 | return False
45 |
--------------------------------------------------------------------------------
/modules/signatures/bot_russkill.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012 JoseMi Holguin (@j0sm1)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class Ruskill(Signature):
19 | name = "bot_russkill"
20 | description = "Creates known Ruskill mutexes"
21 | severity = 3
22 | alert = True
23 | categories = ["bot", "ddos"]
24 | authors = ["JoseMi Holguin", "nex"]
25 |
26 | def run(self):
27 | return self.check_mutex(pattern="FvLQ49IlzIyLjj6m")
28 |
--------------------------------------------------------------------------------
/modules/signatures/browser_bho.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Kevin Ross
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class BrowserHelperObject(Signature):
19 | name = "browser_helper_object"
20 | description = "Attempts to create or modify a Browser Helper Object"
21 | severity = 3
22 | categories = ["browser"]
23 | authors = ["Kevin Ross"]
24 | minimum = "1.2"
25 |
26 | def run(self):
27 | if self.check_write_key(pattern=".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Browser\\ Helper\\ Objects\\\\.*", regex=True):
28 | return True
29 |
30 | return False
31 |
--------------------------------------------------------------------------------
/modules/signatures/browser_scanbox.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Will Metcalf william.metcalf@gmail.com
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class BrowserScanbox(Signature):
19 | name = "browser_scanbox"
20 | description = "Scanbox Activity in Browser"
21 | weight = 3
22 | severity = 3
23 | categories = ["exploit"]
24 | authors = ["Will Metcalf"]
25 | minimum = "1.3"
26 | evented = True
27 |
28 | def __init__(self, *args, **kwargs):
29 | Signature.__init__(self, *args, **kwargs)
30 |
31 | filter_categories = set(["browser"])
32 | # backward compat
33 | filter_apinames = set(["JsEval", "COleScript_Compile", "COleScript_ParseScriptText"])
34 |
35 | def on_call(self, call, process):
36 | if call["api"] == "JsEval":
37 | buf = self.get_argument(call, "Javascript")
38 | else:
39 | buf = self.get_argument(call, "Script")
40 | if 'softwarelist.push(' in buf.lower() and 'indexof("-2147023083")' in buf.lower():
41 | return True
42 | elif 'var logger' in buf.lower() and 'document.onkeypress = keypress;' in buf.lower() and 'setinterval(sendchar,' in buf.lower():
43 | return True
44 |
--------------------------------------------------------------------------------
/modules/signatures/browser_startpage.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Kevin Ross
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class browser_startpage(Signature):
19 | name = "browser_startpage"
20 | description = "Attempts to modify Internet Explorer's start page"
21 | severity = 2
22 | categories = ["browser", "adware"]
23 | authors = ["Kevin Ross"]
24 | minimum = "1.2"
25 |
26 | def run(self):
27 | if self.check_write_key(pattern=".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Internet\\ Explorer\\\\Main\\\\Start\\ Page$", regex=True):
28 | return True
29 |
30 | return False
31 |
--------------------------------------------------------------------------------
/modules/signatures/bypass_firewall.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012 Anderson Tamborim (@y2h4ck)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | # Based on information from http://antivirus.about.com/od/windowsbasics/tp/autostartkeys.htm
17 |
18 | from lib.cuckoo.common.abstracts import Signature
19 |
20 | class BypassFirewall(Signature):
21 | name = "bypass_firewall"
22 | description = "Operates on local firewall's policies and settings"
23 | severity = 3
24 | categories = ["bypass"]
25 | authors = ["Anderson Tamborim", "nex"]
26 | minimum = "0.5"
27 |
28 | def run(self):
29 | return self.check_key(pattern=".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\.*",
30 | regex=True)
31 |
--------------------------------------------------------------------------------
/modules/signatures/carberp_mutex.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 KillerInstinct
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class CarberpMutexes(Signature):
19 | name = "carberp_mutex"
20 | description = "Attempts to create a known Carberp/Rovnix mutex."
21 | weight = 3
22 | severity = 3
23 | categories = ["banker", "trojan", "rootkit"]
24 | families = ["carberp"]
25 | authors = ["KillerInstinct"]
26 | minimum = "0.5"
27 |
28 | def run(self):
29 | if self.check_mutex(pattern="^(Global\\\\)?(UAC|INS|BD)NTFS\d+$", regex=True):
30 | return True
31 |
32 | return False
33 |
--------------------------------------------------------------------------------
/modules/signatures/clickfraud_cookies.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class ClickfraudCookies(Signature):
8 | name = "clickfraud_cookies"
9 | description = "Overrides system cookie policy, indicative of click fraud"
10 | severity = 3
11 | categories = ["clickfraud"]
12 | authors = ["Optiv"]
13 | minimum = "1.2"
14 | evented = True
15 |
16 | def __init__(self, *args, **kwargs):
17 | Signature.__init__(self, *args, **kwargs)
18 |
19 | filter_apinames = set(["InternetSetOptionA"])
20 |
21 | def on_call(self, call, process):
22 | handle = int(self.get_argument(call, "InternetHandle"), 16)
23 | option = int(self.get_argument(call, "Option"), 16)
24 | # INTERNET_OPTION_SUPPRESS_BEHAVIOR
25 | if option == 81:
26 | val = 0
27 | try:
28 | val = int(self.get_argument(call, "Buffer"), 16)
29 | except:
30 | pass
31 | # INTERNET_SUPPRESS_COOKIE_POLICY
32 | if not handle and val == 1:
33 | return True
34 |
--------------------------------------------------------------------------------
/modules/signatures/clickfraud_volume.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class ClickfraudVolume(Signature):
8 | name = "clickfraud_volume"
9 | description = "Attempts to disable browser navigation sounds, indicative of click fraud"
10 | severity = 3
11 | categories = ["clickfraud"]
12 | authors = ["Optiv"]
13 | minimum = "1.3"
14 | evented = True
15 |
16 | def __init__(self, *args, **kwargs):
17 | Signature.__init__(self, *args, **kwargs)
18 |
19 | filter_apinames = set(["CoInternetSetFeatureEnabled"])
20 |
21 | def on_call(self, call, process):
22 | entry = int(self.get_argument(call, "FeatureEntry"), 10)
23 | buf = self.get_argument(call, "Enabled")
24 | if buf:
25 | enable = int(buf, 10)
26 | else:
27 | enable = None
28 |
29 | # FEATURE_DISABLE_NAVIGATION_SOUNDS
30 | if entry == 21 and enable:
31 | return True
32 |
--------------------------------------------------------------------------------
/modules/signatures/copies_self.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014-2015 Optiv Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class CopiesSelf(Signature):
19 | name = "copies_self"
20 | description = "Creates a copy of itself"
21 | severity = 3
22 | categories = ["persistence"]
23 | authors = ["Optiv"]
24 | minimum = "1.2"
25 |
26 | def run(self):
27 | if self.results["target"]["category"] != "file":
28 | return False
29 | if "PE32" not in self.results["target"]["file"]["type"] and "MS-DOS executable" not in self.results["target"]["file"]["type"]:
30 | return False
31 | created_copy = False
32 | # get the path of the initial monitored executable
33 | initialpath = None
34 | initialproc = self.get_initial_process()
35 | if initialproc:
36 | initialpath = initialproc["module_path"].lower()
37 | target_sha1 = self.results["target"]["file"]["sha1"]
38 |
39 | for drop in self.results["dropped"]:
40 | if drop["sha1"] == target_sha1:
41 | for path in drop["guest_paths"]:
42 | if initialpath and initialpath != path.lower():
43 | self.data.append({"copy" : path})
44 | created_copy = True
45 | return created_copy
46 | return created_copy
47 |
--------------------------------------------------------------------------------
/modules/signatures/creates_largekey.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class CreatesLargeKey(Signature):
19 | name = "creates_largekey"
20 | description = "Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config"
21 | severity = 3
22 | confidence = 80
23 | categories = ["stealth"]
24 | authors = ["Optiv"]
25 | minimum = "1.3"
26 | evented = True
27 |
28 | def __init__(self, *args, **kwargs):
29 | Signature.__init__(self, *args, **kwargs)
30 | self.saw_large = False
31 | self.regkeyvals = set()
32 | filter_apinames = set(["NtSetValueKey", "RegSetValueExA", "RegSetValueExW"])
33 |
34 | def on_call(self, call, process):
35 | vallen = self.get_argument(call, "BufferLength")
36 | if vallen:
37 | length = int(vallen)
38 | if length > 16 * 1024:
39 | self.regkeyvals.add(self.get_argument(call, "FullName"))
40 | self.saw_large = True
41 |
42 | def on_complete(self):
43 | if self.saw_large:
44 | for keyval in self.regkeyvals:
45 | self.data.append({"regkeyval" : keyval})
46 | return self.saw_large
--------------------------------------------------------------------------------
/modules/signatures/creates_nullvalue.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 Optiv Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class CreatesNullValue(Signature):
19 | name = "creates_nullvalue"
20 | description = "Creates a registry key or value with NUL characters to avoid detection with regedit"
21 | severity = 3
22 | categories = ["stealth"]
23 | authors = ["Optiv"]
24 | minimum = "1.2"
25 | evented = True
26 |
27 | def __init__(self, *args, **kwargs):
28 | Signature.__init__(self, *args, **kwargs)
29 | self.saw_null = False
30 | self.regkeyvals = set()
31 | filter_apinames = set(["NtSetValueKey", "NtCreateKey"])
32 |
33 | def on_call(self, call, process):
34 | if call["api"] == "NtCreateKey":
35 | keyname = self.get_argument(call, "ObjectAttributes")
36 | if "\\x00" in keyname:
37 | self.regkeyvals.add(keyname)
38 | self.saw_null = True
39 | else:
40 | valuename = self.get_argument(call, "ValueName")
41 | if "\\x00" in valuename:
42 | self.regkeyvals.add(self.get_argument(call, "FullName"))
43 | self.saw_null = True
44 |
45 | def on_complete(self):
46 | if self.saw_null:
47 | for keyval in self.regkeyvals:
48 | self.data.append({"keyval" : keyval})
49 | return self.saw_null
--------------------------------------------------------------------------------
/modules/signatures/critical_process.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class CriticalProcess(Signature):
19 | name = "critical_process"
20 | description = "A process was set to shut the system down when terminated"
21 | severity = 3
22 | categories = ["generic"]
23 | authors = ["Optiv"]
24 | minimum = "1.3"
25 | evented = True
26 |
27 | def __init__(self, *args, **kwargs):
28 | Signature.__init__(self, *args, **kwargs)
29 |
30 | filter_apinames = set(["NtSetInformationProcess"])
31 |
32 | def on_call(self, call, process):
33 | infoclass = int(self.get_argument(call, "ProcessInformationClass"))
34 | value = int(self.get_argument(call, "Value"))
35 |
36 | # ProcessBreakOnTermination
37 | if infoclass == 29 and value == 1:
38 | self.data.append({"process" : process["process_name"] + ":" + str(process["process_id"])})
39 |
40 | def on_complete(self):
41 | if self.data:
42 | return True
43 | return False
--------------------------------------------------------------------------------
/modules/signatures/darkcomet_regkeys.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 KillerInstinct
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class DarkCometRegkeys(Signature):
19 | name = "darkcomet_regkeys"
20 | description = "Interacts with known DarkComet registry keys"
21 | severity = 3
22 | categories = ["rat"]
23 | families = ["darkcomet"]
24 | authors = ["KillerInstinct"]
25 | minimum = "0.5"
26 |
27 | def run(self):
28 | dc_keys = False
29 | indicators = [
30 | ".*\\\\Software\\\\DC3_FEXEC$",
31 | ".*\\\\Software\\\\DC3_FEXEC\\\\.*",
32 | ".*\\\\Software\\\\DC2_USERS$",
33 | ]
34 | for indicator in indicators:
35 | match = self.check_key(pattern=indicator, regex=True)
36 | if match:
37 | self.data.append({"Key": match})
38 | dc_keys = True
39 |
40 | return dc_keys
41 |
--------------------------------------------------------------------------------
/modules/signatures/dead_link.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class DeadLink(Signature):
8 | name = "dead_link"
9 | description = "Attempts to execute a binary from a dead or sinkholed URL"
10 | severity = 3
11 | weight = 2
12 | categories = ["generic"]
13 | authors = ["Optiv"]
14 | minimum = "1.2"
15 | evented = True
16 |
17 | def __init__(self, *args, **kwargs):
18 | Signature.__init__(self, *args, **kwargs)
19 | self.appnames = []
20 |
21 | filter_apinames = set(["CreateProcessInternalW"])
22 |
23 | def on_call(self, call, process):
24 | appname = self.get_argument(call, "ApplicationName").lower()
25 | if appname not in self.appnames:
26 | self.appnames.append(appname)
27 |
28 | def on_complete(self):
29 | if "dropped" in self.results:
30 | deadnames = []
31 | for dropped in self.results["dropped"]:
32 | if "HTML document" not in dropped["type"]:
33 | continue
34 | lowerpaths = map(str.lower, dropped["guest_paths"])
35 | for appname in self.appnames:
36 | if appname in lowerpaths:
37 | deadnames.append(appname)
38 | break
39 | if deadnames:
40 | for deadname in deadnames:
41 | self.data.append({"dead_binary" : deadname})
42 | return True
43 |
44 | return False
--------------------------------------------------------------------------------
/modules/signatures/debugs_self.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 Optiv Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class DebugsSelf(Signature):
19 | name = "debugs_self"
20 | description = "Debugs itself to thwart analysis"
21 | severity = 3
22 | categories = ["stealth"]
23 | authors = ["Optiv"]
24 | minimum = "1.2"
25 | evented = True
26 |
27 | def __init__(self, *args, **kwargs):
28 | Signature.__init__(self, *args, **kwargs)
29 |
30 | filter_apinames = set(["CreateProcessInternalW"])
31 |
32 | def on_call(self, call, process):
33 | createflags = int(self.get_argument(call, "CreationFlags"), 16)
34 | applicationname = self.get_argument(call, "ApplicationName").lower()
35 | pid = self.get_argument(call, "ProcessId")
36 | if createflags & 1:
37 | for proc in results["behavior"]["processes"]:
38 | if proc["process_id"] == pid and proc["module_path"].lower() == process["module_path"].lower():
39 | # DEBUG_PROCESS on a copy of ourselves
40 | return True
41 |
--------------------------------------------------------------------------------
/modules/signatures/deepfreeze_mutex.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 KillerInstinct
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class DeepFreezeMutex(Signature):
19 | name = "deepfreeze_mutex"
20 | description = "Checks for a known DeepFreeze Frozen State Mutex"
21 | severity = 3
22 | categories = ["anti-sandbox"]
23 | authors = ["KillerInstinct"]
24 | minimum = "0.5"
25 |
26 | def run(self):
27 | if self.check_mutex(pattern="Frz_State", regex=True):
28 | return True
29 |
30 | return False
31 |
--------------------------------------------------------------------------------
/modules/signatures/deletes_shadowcopies.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class DeletesShadowCopies(Signature):
8 | name = "deletes_shadow_copies"
9 | description = "Attempts to delete volume shadow copies"
10 | severity = 3
11 | categories = ["ransomware"]
12 | authors = ["Optiv"]
13 | minimum = "1.2"
14 | evented = True
15 |
16 | def __init__(self, *args, **kwargs):
17 | Signature.__init__(self, *args, **kwargs)
18 |
19 | filter_apinames = set(["CreateProcessInternalW","ShellExecuteExW"])
20 |
21 | def on_call(self, call, process):
22 | if call["api"] == "CreateProcessInternalW":
23 | cmdline = self.get_argument(call, "CommandLine").lower()
24 | if "vssadmin" in cmdline and "delete" in cmdline and "shadows" in cmdline:
25 | return True
26 | elif call["api"] == "ShellExecuteExW":
27 | filepath = self.get_argument(call, "FilePath").lower()
28 | params = self.get_argument(call, "Parameters").lower()
29 | if "vssadmin" in filepath and "delete" in params and "shadows" in params:
30 | return True
31 |
--------------------------------------------------------------------------------
/modules/signatures/dep_disable.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class DEPDisable(Signature):
19 | name = "dep_disable"
20 | description = "A process disabled DEP at runtime"
21 | severity = 3
22 | categories = ["exploit"]
23 | authors = ["Optiv"]
24 | minimum = "1.3"
25 | evented = True
26 |
27 | def __init__(self, *args, **kwargs):
28 | Signature.__init__(self, *args, **kwargs)
29 |
30 | filter_apinames = set(["NtSetInformationProcess"])
31 |
32 | def on_call(self, call, process):
33 | infoclass = int(self.get_argument(call, "ProcessInformationClass"))
34 | value = int(self.get_argument(call, "Value"))
35 |
36 | # ProcessDEPPolicy
37 | if infoclass == 34 and value == 0:
38 | self.data.append({"process" : process["process_name"] + ":" + str(process["process_id"])})
39 |
40 | def on_complete(self):
41 | if self.data:
42 | return True
43 | return False
--------------------------------------------------------------------------------
/modules/signatures/disables_browserwarn.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com), Kevin Ross
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class DisablesBrowserWarn(Signature):
8 | name = "disables_browser_warn"
9 | description = "Attempts to disable browser security warnings"
10 | severity = 3
11 | categories = ["generic", "banker", "clickfraud"]
12 | authors = ["Optiv", "Kevin Ross"]
13 | minimum = "1.2"
14 |
15 | def run(self):
16 | indicators = [
17 | ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\WarnOnBadCertRecving$",
18 | ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\WarnOnBadCertSending$",
19 | ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\WarnOnHTTPSToHTTPRedirect$",
20 | ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\WarnOnZoneCrossing$",
21 | ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\WarnOnPostRedirect$",
22 | ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\IEHardenNoWarn$",
23 | ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Internet\\ Explorer\\\\Main\\\\NoProtectedModeBanner$",
24 | ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Internet\\ Explorer\\\\Main\\\\IE9RunOncePerInstallCompleted$",
25 | ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Internet\\ Explorer\\\\Main\\\\IE9TourShown$",
26 | ]
27 | found_match = False
28 | for indicator in indicators:
29 | key_match = self.check_write_key(pattern=indicator, regex=True)
30 | if key_match:
31 | self.data.append({"key" : key_match})
32 | found_match = True
33 | return found_match
34 |
--------------------------------------------------------------------------------
/modules/signatures/disables_spdy.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class DisablesSPDY(Signature):
8 | name = "disables_spdy"
9 | description = "Attempts to disable SPDY support in Firefox to improve web infostealing capability"
10 | severity = 3
11 | weight = 2
12 | categories = ["generic"]
13 | authors = ["Optiv"]
14 | minimum = "1.2"
15 | evented = True
16 |
17 | def __init__(self, *args, **kwargs):
18 | Signature.__init__(self, *args, **kwargs)
19 |
20 | filter_apinames = set(["NtWriteFile"])
21 |
22 | def on_call(self, call, process):
23 | buf = self.get_argument(call, "Buffer")
24 | if "network.http.spdy.enabled" in buf and "false" in buf:
25 | return True
26 |
--------------------------------------------------------------------------------
/modules/signatures/disables_sysrestore.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Kevin Ross
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class DisablesSystemRestore(Signature):
8 | name = "disables_system_restore"
9 | description = "Attempts to disable System Restore"
10 | severity = 3
11 | categories = ["ransomware"]
12 | authors = ["Kevin Ross"]
13 | minimum = "1.2"
14 |
15 | def run(self):
16 | keys = [
17 | ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\SystemRestore\\\\DisableSR$",
18 | ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Policies\\\\Microsoft\\\\Windows\\ NT\\\\SystemRestore\\\\DisableSR$",
19 | ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Policies\\\\Microsoft\\\\Windows\\ NT\\\\SystemRestore\\\\DisableConfig$"
20 | ]
21 | for check in keys:
22 | if self.check_write_key(pattern=check, regex=True):
23 | return True
24 |
25 | return False
26 |
27 |
--------------------------------------------------------------------------------
/modules/signatures/disables_uac.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class DisablesUAC(Signature):
8 | name = "disables_uac"
9 | description = "Attempts to disable UAC"
10 | severity = 3
11 | categories = ["generic"]
12 | authors = ["Optiv"]
13 | minimum = "1.2"
14 |
15 | def run(self):
16 | if self.check_write_key(pattern=".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA$", regex=True):
17 | return True
18 | return False
19 |
--------------------------------------------------------------------------------
/modules/signatures/disables_wer.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Kevin Ross
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class DisablesWER(Signature):
8 | name = "disables_wer"
9 | description = "Attempts to disable Windows Error Reporting"
10 | severity = 3
11 | categories = ["stealth"]
12 | authors = ["Kevin Ross"]
13 | minimum = "1.2"
14 |
15 | def run(self):
16 | if self.check_write_key(pattern=".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\Windows\\ Error\\ Reporting\\\\Disabled$", regex=True):
17 | return True
18 |
19 | return False
20 |
--------------------------------------------------------------------------------
/modules/signatures/disables_wfp.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class DisablesWFP(Signature):
8 | name = "disables_wfp"
9 | description = "Attempts to disable Windows File Protection"
10 | severity = 3
11 | categories = ["generic"]
12 | authors = ["Optiv"]
13 | minimum = "1.2"
14 | evented = True
15 |
16 | def __init__(self, *args, **kwargs):
17 | Signature.__init__(self, *args, **kwargs)
18 | self.saw_disable = False
19 | self.nextopen = None
20 |
21 | filter_apinames = set(["NtWriteFile", "CopyFileA", "CopyFileW", "CopyFileExW"])
22 |
23 | def on_call(self, call, process):
24 | if call["api"] == "NtWriteFile":
25 | filename = self.get_argument(call, "HandleName")
26 | filenamelower = filename.lower()
27 | if not self.saw_disable:
28 | if filenamelower.endswith("pipe\\sfcapi"):
29 | self.saw_disable = True
30 | elif not self.nextopen and ("\\syswow64\\" in filenamelower or "\\system32\\" in filenamelower):
31 | self.nextopen = filename
32 | elif call["api"].startswith("CopyFile") and self.saw_disable and not self.nextopen:
33 | filename = self.get_argument(call, "NewFileName")
34 | filenamelower = filename.lower()
35 | if "\\syswow64\\" in filenamelower or "\\system32\\" in filenamelower:
36 | self.nextopen = filename
37 |
38 | def on_complete(self):
39 | if self.saw_disable and self.nextopen:
40 | self.data.append({"Likely to allow modification of" : self.nextopen })
41 | return self.saw_disable
42 |
--------------------------------------------------------------------------------
/modules/signatures/disables_windowsupdate.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class DisablesWindowsUpdate(Signature):
8 | name = "disables_windowsupdate"
9 | description = "Attempts to disable Windows Auto Updates"
10 | severity = 3
11 | categories = ["generic"]
12 | authors = ["Optiv"]
13 | minimum = "1.2"
14 |
15 | def run(self):
16 | if self.check_write_key(pattern=".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\(AU\\\\NoAutoUpdate|Auto\\ Update\\\\AUOptions)$", regex=True):
17 | return True
18 | return False
19 |
--------------------------------------------------------------------------------
/modules/signatures/driver_load.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class DriverLoad(Signature):
19 | name = "driver_load"
20 | description = "Loads a driver"
21 | severity = 2
22 | categories = ["stealth"]
23 | authors = ["Optiv"]
24 | minimum = "1.2"
25 | evented = True
26 |
27 | def __init__(self, *args, **kwargs):
28 | Signature.__init__(self, *args, **kwargs)
29 | self.found_driverload = False
30 |
31 | filter_apinames = set(["NtLoadDriver"])
32 |
33 | def on_call(self, call, process):
34 | drivername = self.get_argument(call, "DriverServiceName")
35 | self.data.append({"driver service name" : drivername })
36 | self.found_driverload = True
37 |
38 | def on_complete(self):
39 | return self.found_driverload
40 |
--------------------------------------------------------------------------------
/modules/signatures/dropper.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 Optiv Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class Dropper(Signature):
19 | name = "dropper"
20 | description = "Drops a binary and executes it"
21 | severity = 2
22 | confidence = 50
23 | categories = ["dropper"]
24 | authors = ["Optiv"]
25 | minimum = "1.2"
26 |
27 | def run(self):
28 | is_dropper = False
29 | mainprocesspath = ""
30 | processpaths = set()
31 | processes = None
32 | if "behavior" in self.results and "processes" in self.results["behavior"]:
33 | processes = self.results["behavior"]["processes"]
34 | if processes and len(processes):
35 | mainprocesspath = processes[0]["module_path"].lower()
36 | for process in processes[1:]:
37 | processpath = process["module_path"].lower()
38 | if processpath != mainprocesspath:
39 | processpaths.add(processpath)
40 | for processpath in processpaths:
41 | for drop in self.results["dropped"]:
42 | for path in drop["guest_paths"]:
43 | if path.lower() == processpath:
44 | self.data.append({"binary" : path})
45 | is_dropper = True
46 | return is_dropper
--------------------------------------------------------------------------------
/modules/signatures/ek_angler.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class Angler_JS(Signature):
19 | name = "angler_js"
20 | description = "Executes obfuscated JavaScript indicative of Angler Exploit Kit"
21 | weight = 3
22 | severity = 3
23 | categories = ["exploit_kit"]
24 | families = ["angler"]
25 | authors = ["Optiv"]
26 | minimum = "1.3"
27 | evented = True
28 |
29 | def __init__(self, *args, **kwargs):
30 | Signature.__init__(self, *args, **kwargs)
31 |
32 | filter_categories = set(["browser"])
33 | # backward compat
34 | filter_apinames = set(["JsEval", "COleScript_Compile", "COleScript_ParseScriptText"])
35 |
36 | def on_call(self, call, process):
37 | if call["api"] == "JsEval":
38 | buf = self.get_argument(call, "Javascript")
39 | else:
40 | buf = self.get_argument(call, "Script")
41 |
42 | if "/malware.dontneedcoffee.com/.test()" in buf:
43 | return True
44 |
--------------------------------------------------------------------------------
/modules/signatures/ek_gondad.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class Gondad_JS(Signature):
19 | name = "gondad_js"
20 | description = "Executes obfuscated JavaScript indicative of Gondad Exploit Kit"
21 | weight = 3
22 | severity = 3
23 | categories = ["exploit_kit"]
24 | families = ["gondad"]
25 | authors = ["Optiv"]
26 | minimum = "1.3"
27 | evented = True
28 |
29 | def __init__(self, *args, **kwargs):
30 | Signature.__init__(self, *args, **kwargs)
31 |
32 | filter_categories = set(["browser"])
33 | filter_apinames = set(["CDocument_write"])
34 |
35 | def on_call(self, call, process):
36 | buf = self.get_argument(call, "Buffer")
37 | if buf.count("gondad") > 4:
38 | return True
39 |
--------------------------------------------------------------------------------
/modules/signatures/ek_javaapplet.py:
--------------------------------------------------------------------------------
1 | try:
2 | import re2 as re
3 | except ImportError:
4 | import re
5 |
6 | from lib.cuckoo.common.abstracts import Signature
7 |
8 | class Java_JS(Signature):
9 | name = "java_js"
10 | description = "Executes obfuscated JavaScript containing a Java appplet indicative of an exploit attempt"
11 | weight = 3
12 | severity = 3
13 | categories = ["exploit_kit", "java"]
14 | authors = ["Kevin Ross"]
15 | minimum = "1.3"
16 | evented = True
17 |
18 | def __init__(self, *args, **kwargs):
19 | Signature.__init__(self, *args, **kwargs)
20 |
21 | filter_categories = set(["browser"])
22 | # backward compat
23 | filter_apinames = set(["JsEval", "COleScript_Compile", "COleScript_ParseScriptText"])
24 |
25 | def on_call(self, call, process):
26 | if call["api"] == "JsEval":
27 | buf = self.get_argument(call, "Javascript")
28 | else:
29 | buf = self.get_argument(call, "Script")
30 |
31 | if re.search("\.
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class Nuclear_JS(Signature):
19 | name = "nuclear_js"
20 | description = "Executes obfuscated JavaScript indicative of Nuclear Exploit Kit"
21 | weight = 3
22 | severity = 3
23 | categories = ["exploit_kit"]
24 | families = ["nuclear"]
25 | authors = ["Will Metcalf"]
26 | minimum = "1.3"
27 | evented = True
28 |
29 | def __init__(self, *args, **kwargs):
30 | Signature.__init__(self, *args, **kwargs)
31 |
32 | filter_categories = set(["browser"])
33 | # backward compat
34 | filter_apinames = set(["JsEval", "COleScript_Compile", "COleScript_ParseScriptText"])
35 |
36 | def on_call(self, call, process):
37 | if call["api"] == "JsEval":
38 | buf = self.get_argument(call, "Javascript")
39 | else:
40 | buf = self.get_argument(call, "Script")
41 |
42 | if "window.runer = true;" in buf and "function flash_run(fu," in buf:
43 | return True
44 |
--------------------------------------------------------------------------------
/modules/signatures/ek_rig.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Will Metcalf william.metcalf@gmail.com
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class RIG_JS(Signature):
19 | name = "rig_js"
20 | description = "Executes obfuscated JavaScript indicative of RIG Exploit Kit"
21 | weight = 3
22 | severity = 3
23 | categories = ["exploit_kit"]
24 | families = ["RIG"]
25 | authors = ["Will Metcalf"]
26 | minimum = "1.3"
27 | evented = True
28 |
29 | def __init__(self, *args, **kwargs):
30 | Signature.__init__(self, *args, **kwargs)
31 |
32 | filter_categories = set(["browser"])
33 | # backward compat
34 | filter_apinames = set(["JsEval", "COleScript_Compile", "COleScript_ParseScriptText"])
35 |
36 | def on_call(self, call, process):
37 | if call["api"] == "JsEval":
38 | buf = self.get_argument(call, "Javascript")
39 | else:
40 | buf = self.get_argument(call, "Script")
41 |
42 | str1=["Y2hydygyMTc2K","NocncoMjE3Ni","jaHJ3KDIxNzYp"]
43 | str2=["Y2hydygzMjc2Ny","NocncoMzI3Njcp","jaHJ3KDMyNzY3K"]
44 | str3=["Y2hydygwMS","NocncoMDEp","jaHJ3KDAxK"]
45 | str4=["Y2hydygwMC","NocncoMDAp","jaHJ3KDAwK"]
46 |
47 | if "VBscript" in buf and "String.fromCharCode" in buf and "window.execScript" in buf and any(e in buf for e in str1) and any(e in buf for e in str2) and any(e in buf for e in str3) and any(e in buf for e in str4):
48 | return True
--------------------------------------------------------------------------------
/modules/signatures/ek_silverlight.py:
--------------------------------------------------------------------------------
1 | try:
2 | import re2 as re
3 | except ImportError:
4 | import re
5 |
6 | from lib.cuckoo.common.abstracts import Signature
7 |
8 | class Silverlight_JS(Signature):
9 | name = "silverlight_js"
10 | description = "Executes obfuscated JavaScript containing a Silverlight object indicative of an exploit attempt"
11 | weight = 3
12 | severity = 3
13 | categories = ["exploit_kit", "silverlight"]
14 | authors = ["Kevin Ross"]
15 | minimum = "1.3"
16 | evented = True
17 |
18 | def __init__(self, *args, **kwargs):
19 | Signature.__init__(self, *args, **kwargs)
20 |
21 | filter_categories = set(["browser"])
22 | # backward compat
23 | filter_apinames = set(["JsEval", "COleScript_Compile", "COleScript_ParseScriptText"])
24 |
25 | def on_call(self, call, process):
26 | if call["api"] == "JsEval":
27 | buf = self.get_argument(call, "Javascript")
28 | else:
29 | buf = self.get_argument(call, "Script")
30 |
31 | if re.search("application\/x\-silverlight.*?\.*", buf, re.IGNORECASE|re.DOTALL):
32 | return True
33 |
--------------------------------------------------------------------------------
/modules/signatures/exec_crash.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012 Claudio "nex" Guarnieri (@botherder)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class Crash(Signature):
19 | name = "exec_crash"
20 | description = "At least one process apparently crashed during execution"
21 | severity = 1
22 | categories = ["execution", "crash"]
23 | authors = ["nex"]
24 | minimum = "1.0"
25 | evented = True
26 |
27 | filter_apinames = set(["LdrLoadDll"])
28 |
29 | def on_call(self, call, process):
30 | if self.check_argument_call(
31 | call,
32 | pattern=".*faultrep\.dll$",
33 | name="FileName",
34 | api="LdrLoadDll",
35 | regex=True):
36 | return True
37 |
--------------------------------------------------------------------------------
/modules/signatures/infostealer_keylog.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 | from lib.cuckoo.common.abstracts import Signature
5 |
6 | class KeyLogger(Signature):
7 | name = "infostealer_keylog"
8 | description = "Sniffs keystrokes"
9 | severity = 3
10 | categories = ["infostealer"]
11 | authors = ["Optiv"]
12 | minimum = "1.2"
13 | evented = True
14 |
15 | filter_apinames = set(["SetWindowsHookExA","SetWindowsHookExW","GetAsyncKeyState"])
16 |
17 | def on_call(self, call, process):
18 | if call["api"] == "GetAsyncKeyState":
19 | # avoid an IE false positive
20 | keycode = int(self.get_argument(call, "KeyCode"), 10)
21 | # whitelist a-z, 0-9
22 | if (keycode >= 0x30 and keycode <= 0x39) or (keycode >= 0x4a and keycode <= 0x5a):
23 | return True
24 | else:
25 | id = int(self.get_argument(call, "HookIdentifier"), 10)
26 | thread = int(self.get_argument(call, "ThreadId"), 10)
27 |
28 | # global WH_KEYBOARD or WH_KEYBOARD_LL hook
29 | if thread == 0 and (id == 2 or id == 13):
30 | return True
31 |
--------------------------------------------------------------------------------
/modules/signatures/injection_needextension.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class InjectionExtension(Signature):
8 | name = "injection_needextension"
9 | description = "Attempted to execute a copy of itself but requires an .exe extension to work"
10 | severity = 3
11 | categories = ["injection"]
12 | authors = ["Optiv"]
13 | minimum = "1.0"
14 | evented = True
15 |
16 | def __init__(self, *args, **kwargs):
17 | Signature.__init__(self, *args, **kwargs)
18 |
19 | filter_apinames = set(["CreateProcessInternalW"])
20 |
21 | def on_call(self, call, process):
22 | if call["status"] == False:
23 | procname = process["process_name"].lower()
24 | if procname.endswith(".exe") == False:
25 | procname += ".exe"
26 | apiarg1 = self.get_argument(call, "ApplicationName")
27 | apiarg2 = self.get_argument(call, "CommandLine")
28 | if apiarg1.endswith(procname) or apiarg2.endswith(procname):
29 | return True
--------------------------------------------------------------------------------
/modules/signatures/injection_rwx.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class InjectionRWX(Signature):
8 | name = "injection_rwx"
9 | description = "Creates RWX memory"
10 | severity = 2
11 | confidence = 50
12 | categories = ["injection"]
13 | authors = ["Optiv"]
14 | minimum = "1.2"
15 | evented = True
16 |
17 | def __init__(self, *args, **kwargs):
18 | Signature.__init__(self, *args, **kwargs)
19 | self.dont_check = False
20 |
21 | if self.results["info"]["package"] not in ["exe", "rar", "zip", "dll", "regsvr"]:
22 | self.dont_check = True
23 |
24 | filter_apinames = set(["NtAllocateVirtualMemory","NtProtectVirtualMemory","VirtualProtectEx"])
25 | filter_analysistypes = set(["file"])
26 |
27 | def on_call(self, call, process):
28 | if self.dont_check:
29 | return False
30 |
31 | if call["api"] == "NtAllocateVirtualMemory" or call["api"] == "VirtualProtectEx":
32 | protection = self.get_argument(call, "Protection")
33 | # PAGE_EXECUTE_READWRITE
34 | if protection == "0x00000040":
35 | return True
36 | elif call["api"] == "NtProtectVirtualMemory":
37 | protection = self.get_argument(call, "NewAccessProtection")
38 | # PAGE_EXECUTE_READWRITE
39 | if protection == "0x00000040":
40 | return True
41 |
--------------------------------------------------------------------------------
/modules/signatures/kraken_mutex.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Will Metcalf william.metcalf@gmail.com
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class KrakenMutexes(Signature):
19 | name = "bot_kraken_mutexes"
20 | description = "Creates known Kraken mutexes"
21 | severity = 3
22 | categories = ["bot"]
23 | families = ["kraken"]
24 | authors = ["wmetcalf"]
25 | minimum = "0.5"
26 |
27 | def run(self):
28 | indicators = [
29 | "yourhavebecracked",
30 | ]
31 |
32 | for indicator in indicators:
33 | if self.check_mutex(pattern=indicator, regex=False):
34 | return True
35 |
36 | return False
37 |
--------------------------------------------------------------------------------
/modules/signatures/locker_regedit.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012,2015 Thomas "stacks" Birn (@stacksth), Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class DisableRegedit(Signature):
19 | name = "locker_regedit"
20 | description = "Disables Windows' Registry Editor"
21 | severity = 3
22 | categories = ["locker"]
23 | authors = ["Thomas Birn", "nex", "Optiv"]
24 | minimum = "1.2"
25 |
26 | def run(self):
27 | if self.check_write_key(pattern=".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools$", regex=True):
28 | return True
29 |
30 | return False
--------------------------------------------------------------------------------
/modules/signatures/locker_taskmgr.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012, 2015 Thomas "stacks" Birn (@stacksth), Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class DisableTaskMgr(Signature):
19 | name = "locker_taskmgr"
20 | description = "Disables Windows' Task Manager"
21 | severity = 3
22 | categories = ["locker"]
23 | authors = ["Thomas Birn", "nex"]
24 | minimum = "1.2"
25 |
26 | def run(self):
27 | if self.check_write_key(pattern=".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskMgr$", regex=True):
28 | return True
29 |
30 | return False
--------------------------------------------------------------------------------
/modules/signatures/mimics_agent.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class MimicsAgent(Signature):
8 | name = "mimics_agent"
9 | description = "Mimics the system's user agent string for its own requests"
10 | severity = 2
11 | categories = ["stealth"]
12 | authors = ["Optiv"]
13 | minimum = "1.2"
14 | evented = True
15 |
16 | def __init__(self, *args, **kwargs):
17 | Signature.__init__(self, *args, **kwargs)
18 | self.useragent = None
19 |
20 | filter_apinames = set(["ObtainUserAgentString","InternetOpenA","InternetOpenW"])
21 |
22 | def on_call(self, call, process):
23 | if call["api"] == "ObtainUserAgentString":
24 | self.useragent = self.get_argument(call, "UserAgent")
25 | elif call["api"] == "InternetOpenA" or call["api"] == "InternetOpenW":
26 | agent = self.get_argument(call, "Agent")
27 | if self.useragent and self.useragent == agent:
28 | return True
29 |
--------------------------------------------------------------------------------
/modules/signatures/mimics_filename.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 KillerInstinct
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | try:
6 | import re2 as re
7 | except:
8 | import re
9 |
10 | from lib.cuckoo.common.abstracts import Signature
11 |
12 | class MimicsExtension(Signature):
13 | name = "mimics_extension"
14 | description = ("Attempts to mimic the file extension of a {1} by having "
15 | "'{0}' in the file name.")
16 | severity = 2
17 | categories = ["stealth"]
18 | authors = ["KillerInstinct"]
19 | minimum = "0.5"
20 |
21 | def run(self):
22 | # There are more, but these are the only ones I've observed
23 | execs = [
24 | "exe",
25 | "scr",
26 | ]
27 | exts = {
28 | "doc": "Word 97-2003 document",
29 | "docx": "Word 2007+ document",
30 | "xls": "Excel 97-2003 spreadsheet",
31 | "xlsx": "Excel 2007+ spreadsheet",
32 | "ppt": "PowerPoint 97-2003 file",
33 | "pptx": "PowerPoint 2007+ file",
34 | "jpeg": "JPEG image",
35 | "jpg": "JPG image",
36 | "png": "PNG image",
37 | "gif": "GIF image",
38 | "pdf": "PDF document",
39 | "xml": "XML document",
40 | }
41 | pat = ".*[ _\-\.](?P{0})\.(?:{1})".format(
42 | "|".join(exts.keys()), "|".join(execs))
43 | if self.results["target"]["category"] == "file":
44 | check = re.match(pat, self.results["target"]["file"]["name"])
45 | if check:
46 | ext = check.group("FakeExtension")
47 | self.description = self.description.format(ext,
48 | exts[ext.lower()])
49 | return True
50 |
51 | return False
52 |
--------------------------------------------------------------------------------
/modules/signatures/mimics_icon.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class MimicsIcon(Signature):
8 | name = "mimics_icon"
9 | description = "Mimics icon used for popular non-executable file format"
10 | severity = 3
11 | categories = ["stealth"]
12 | authors = ["Optiv"]
13 | minimum = "1.3"
14 |
15 | def run(self):
16 | # Alphanumerica hash list by category
17 | badhashes = [
18 | # outlook 2013? icon
19 | "94c2270400f0e96be89d6d909c8e2485",
20 | # Office 365 Application Logo
21 | "4e623298caf36bc642543408fee2fd10",
22 | # Word 2007+ Application Logo
23 | "bad3afc82412906dc308db9d96f95e88",
24 | # Word 2007+
25 | "ec7e6f5458456dddb2d826bf1b8b03a2",
26 | # PDF icon
27 | "059dcdf32e800b5f2fe2aea2d5f045d8",
28 | "2c45339aea71418c49248aa88ffb2378",
29 | "6890c8a40c2eb5ff973159eca0428d6e",
30 | "6b0de9fbca602a637b0580b879904d61",
31 | "9334967a316ffffd255aaf9224a7da5e",
32 | "b686a61a6fbd20073faf430128597795",
33 | "d05e789cb57b150c4315acd350fce088",
34 | "db2d2c31f0c651217a0ef11aaf8c7796",
35 | "e52d1e9d64fd9535bf10f6da1091df9d",
36 | "f25d6693364cba910762c7e1d5149c21",
37 | # Fake PDF icon
38 | "f042192565667b350a5056af6ce01d5c",
39 | ]
40 |
41 | if "static" in self.results and "pe" in self.results["static"] and "icon_fuzzy" in self.results["static"]["pe"]:
42 | if self.results["static"]["pe"]["icon_fuzzy"] in badhashes:
43 | return True
44 | return False
45 |
--------------------------------------------------------------------------------
/modules/signatures/modifies_certs.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Kevin Ross
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class ModifiesCerts(Signature):
8 | name = "modifies_certs"
9 | description = "Attempts to create or modify system certificates"
10 | severity = 3
11 | categories = ["browser"]
12 | authors = ["Kevin Ross"]
13 | minimum = "1.2"
14 |
15 | filter_analysistypes = set(["file"])
16 |
17 | def run(self):
18 | if self.check_write_key(pattern=".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\SystemCertificates\\\\.*\\\\Certificates\\\\.*", regex=True):
19 | return True
20 |
21 | return False
22 |
--------------------------------------------------------------------------------
/modules/signatures/modifies_hostsfile.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 KillerInstinct
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class Modifies_HostFile(Signature):
19 | name = "modifies_hostfile"
20 | description = "The sample wrote data to the system hosts file."
21 | severity = 3
22 | categories = ["misc"]
23 | authors = ["KillerInstinct"]
24 | minimum = "1.2"
25 |
26 | def run(self):
27 | ret = False
28 | match = self.check_write_file(pattern=".*\\\\Windows\\\\(System32|SysWow64)\\\\drivers\\\\etc\\\\hosts$", regex=True)
29 | if match:
30 | ret = True
31 | hfile = match.lower()
32 | data = ""
33 | if "dropped" in self.results:
34 | for dfile in self.results["dropped"]:
35 | if hfile in map(str.lower, dfile["guest_paths"]):
36 | with open(dfile["path"], "r") as rfile:
37 | data = rfile.read()
38 | break
39 | if data:
40 | for line in data.split("\r\n"):
41 | if not line.startswith("#") and len(line) > 4:
42 | self.data.append({"added": line})
43 |
44 | return ret
45 |
--------------------------------------------------------------------------------
/modules/signatures/modifies_seccenter.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Kevin Ross, Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class ModifySecurityCenterWarnings(Signature):
8 | name = "modify_security_center_warnings"
9 | description = "Attempts to modify or disable Security Center warnings"
10 | severity = 3
11 | categories = ["stealth"]
12 | authors = ["Kevin Ross", "Optiv"]
13 | minimum = "1.2"
14 |
15 | def run(self):
16 | indicators = [
17 | ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Security\\ Center\\\\.*",
18 | ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\explorer\\\\ShellServiceObjects\\\\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}$",
19 | ]
20 | for indicator in indicators:
21 | if self.check_write_key(pattern=indicator, regex=True):
22 | return True
23 |
24 | return False
25 |
--------------------------------------------------------------------------------
/modules/signatures/modifies_uac_notify.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Kevin Ross
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class ModifiesUACNotify(Signature):
8 | name = "modify_uac_prompt"
9 | description = "Attempts to modify UAC prompt behavior"
10 | severity = 3
11 | categories = ["stealth"]
12 | authors = ["Kevin Ross"]
13 | minimum = "1.2"
14 |
15 | def run(self):
16 | reg_indicators = [
17 | ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin$",
18 | ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorUser$",
19 | ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop$",
20 | ]
21 |
22 | for indicator in reg_indicators:
23 | if self.check_write_key(pattern=indicator, regex=True):
24 | return True
25 |
26 | return False
--------------------------------------------------------------------------------
/modules/signatures/network_icmp.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2013 David Maciejak
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class NetworkICMP(Signature):
19 | name = "network_icmp"
20 | description = "Generates some ICMP traffic"
21 | severity = 3
22 | categories = ["icmp"]
23 | authors = ["David Maciejak"]
24 | minimum = "1.0"
25 |
26 | def run(self):
27 | if "network" in self.results:
28 | if "icmp" in self.results["network"]:
29 | for icmp in self.results["network"]["icmp"]:
30 | # ignore dest unreachable
31 | if icmp["type"] != 3:
32 | return True
33 |
34 | return False
35 |
--------------------------------------------------------------------------------
/modules/signatures/network_irc.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2013 Claudio "nex" Guarnieri (@botherder)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class NetworkIRC(Signature):
19 | name = "network_irc"
20 | description = "Connects to an IRC server, possibly part of a botnet"
21 | severity = 3
22 | categories = ["irc"]
23 | authors = ["nex"]
24 | minimum = "0.6"
25 |
26 | def run(self):
27 | if "network" in self.results:
28 | if "irc" in self.results["network"]:
29 | if len(self.results["network"]["irc"]) > 0:
30 | return True
31 |
32 | return False
33 |
--------------------------------------------------------------------------------
/modules/signatures/network_smtp.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2013 Claudio "nex" Guarnieri (@botherder)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class NetworkSMTP(Signature):
19 | name = "network_smtp"
20 | description = "Makes SMTP requests, possibly sending spam"
21 | severity = 3
22 | categories = ["smtp", "spam"]
23 | authors = ["nex"]
24 | minimum = "0.5"
25 |
26 | def run(self):
27 | if "network" in self.results:
28 | if "smtp" in self.results["network"]:
29 | if len(self.results["network"]["smtp"]) > 0:
30 | return True
31 |
32 | return False
33 |
--------------------------------------------------------------------------------
/modules/signatures/network_tor.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012 Claudio "nex" Guarnieri (@botherder)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class Tor(Signature):
19 | name = "network_tor"
20 | description = "Installs Tor on the infected machine"
21 | severity = 3
22 | categories = ["network", "anonimity", "tor"]
23 | authors = ["nex"]
24 | minimum = "1.3"
25 | evented = True
26 |
27 | filter_apinames = set(["CreateServiceA", "CreateServiceW"])
28 |
29 | def on_call(self, call, process):
30 | if self.check_argument_call(call,
31 | pattern="Tor Win32 Service",
32 | ignorecase=True):
33 | return True
34 |
35 | def on_complete(self):
36 | indicators = [
37 | ".*\\\\tor\\\\cached-certs$",
38 | ".*\\\\tor\\\\cached-consensus$",
39 | ".*\\\\tor\\\\cached-descriptors$",
40 | ".*\\\\tor\\\\geoip$",
41 | ".*\\\\tor\\\\lock$",
42 | ".*\\\\tor\\\\state$",
43 | ".*\\\\tor\\\\torrc$"
44 | ]
45 |
46 | for indicator in indicators:
47 | if self.check_file(pattern=indicator, regex=True):
48 | return True
49 |
--------------------------------------------------------------------------------
/modules/signatures/network_tor_service.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012 Claudio "nex" Guarnieri (@botherder)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class TorHiddenService(Signature):
19 | name = "network_tor_service"
20 | description = "Creates a Tor Hidden Service on the machine"
21 | severity = 3
22 | categories = ["network", "anonimity", "tor"]
23 | authors = ["nex"]
24 | minimum = "0.5"
25 |
26 | def run(self):
27 | indicators = [
28 | ".*\\\\tor\\\\hidden_service\\\\private_key$",
29 | ".*\\\\tor\\\\hidden_service\\\\hostname$"
30 | ]
31 |
32 | for indicator in indicators:
33 | if self.check_file(pattern=indicator, regex=True):
34 | return True
35 |
36 | return False
37 |
--------------------------------------------------------------------------------
/modules/signatures/office_security.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Kevin Ross
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class OfficeSecurity(Signature):
19 | name = "office_security"
20 | description = "Attempts to modify Microsoft Office security settings"
21 | severity = 3
22 | categories = ["office"]
23 | authors = ["Kevin Ross"]
24 | minimum = "1.2"
25 |
26 | def run(self):
27 | office_pkgs = ["ppt","doc","xls","eml"]
28 | if any(e in self.results["info"]["package"] for e in office_pkgs):
29 | return False
30 |
31 | reg_indicators = [
32 | ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Office\\\\.*\\\\Security\\\\.*",
33 | ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Policies\\\\Microsoft\\\\Office\\\\.*\\\\Security\\\\.*",
34 | ]
35 |
36 | for indicator in reg_indicators:
37 | if self.check_write_key(pattern=indicator, regex=True):
38 | return True
39 |
40 | return False
41 |
--------------------------------------------------------------------------------
/modules/signatures/packer_armadillo_mutex.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 KillerInstinct
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class ArmadilloMutex(Signature):
19 | name = "packer_armadillo_mutex"
20 | description = "Detected Armadillo packer using a known mutex"
21 | severity = 3
22 | categories = ["packer"]
23 | authors = ["KillerInstinct"]
24 | minimum = "0.5"
25 |
26 | def run(self):
27 | indicators = [
28 | ".*:SIMULATEEXPIRED"
29 | ]
30 |
31 | ret = False
32 | for indicator in indicators:
33 | match = self.check_mutex(pattern=indicator, regex=True)
34 | if match:
35 | self.data.append({"mutex": match})
36 | ret = True
37 |
38 | return ret
39 |
--------------------------------------------------------------------------------
/modules/signatures/packer_armadillo_regkey.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 KillerInstinct
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class ArmadilloRegKey(Signature):
19 | name = "packer_armadillo_regkey"
20 | description = "Detected Armadillo packer using a known registry key"
21 | severity = 3
22 | categories = ["packer"]
23 | authors = ["KillerInstinct"]
24 | minimum = "0.5"
25 |
26 | def run(self):
27 | indicators = [
28 | ".*\\\\The\\ Silicon\\ Realms\\ Toolworks\\\\Armadillo$"
29 | ]
30 |
31 | for indicator in indicators:
32 | match = self.check_key(pattern=indicator, regex=True)
33 | if match:
34 | return True
35 |
36 | return False
37 |
--------------------------------------------------------------------------------
/modules/signatures/packer_upx.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012,2015 Michael Boman (@mboman), Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class UPXCompressed(Signature):
19 | name = "packer_upx"
20 | description = "The executable is compressed using UPX"
21 | severity = 2
22 | categories = ["packer"]
23 | authors = ["Michael Boman", "nex", "Optiv"]
24 | minimum = "1.3"
25 |
26 | def run(self):
27 | if "static" in self.results and "pe" in self.results["static"]:
28 | if "sections" in self.results["static"]["pe"]:
29 | for section in self.results["static"]["pe"]["sections"]:
30 | if section["name"].startswith("UPX"):
31 | descmsg = "name: {0}, entropy: {1}, characteristics: {2}, raw_size: {3}, virtual_size: {4}".format(section["name"],
32 | section["entropy"], section["characteristics"], section["size_of_data"], section["virtual_size"])
33 | self.data.append({"section" : descmsg})
34 | return True
35 |
36 | return False
37 |
--------------------------------------------------------------------------------
/modules/signatures/packer_vmprotect.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 Jeremy Hedges
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class VMPPacked(Signature):
19 | name = "packer_vmprotect"
20 | description = "The executable is likely packed with VMProtect"
21 | severity = 2
22 | categories = ["packer"]
23 | authors = ["Jeremy Hedges"]
24 | minimum = "1.3"
25 |
26 | def run(self):
27 | if "static" in self.results and "pe" in self.results["static"]:
28 | if "sections" in self.results["static"]["pe"]:
29 | for section in self.results["static"]["pe"]["sections"]:
30 | if section["name"].lower().startswith(".vmp"):
31 | self.data.append({"section" : section})
32 | return True
33 |
34 | return False
--------------------------------------------------------------------------------
/modules/signatures/pdf_annot_urls.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class PDF_Annot_URLs(Signature):
19 | name = "pdf_annot_urls"
20 | description = "The PDF contains a Link Annotation to a compressed archive or executable file"
21 | severity = 3
22 | categories = ["pdf"]
23 | authors = ["Optiv"]
24 | minimum = "1.3"
25 |
26 | filter_analysistypes = set(["file"])
27 |
28 | def run(self):
29 | found_URLs = False
30 | if "static" in self.results and "pdf" in self.results["static"]:
31 | if "PDF" in self.results["target"]["file"]["type"]:
32 | if "Annot_URLs" in self.results["static"]["pdf"]:
33 | for entry in self.results["static"]["pdf"]["Annot_URLs"]:
34 | entrylower = entry.lower()
35 | if entrylower.endswith((".zip", ".exe", ".msi", ".bat", ".scr", ".rar")):
36 | self.data.append({"URL":entry})
37 | found_URLs = True
38 | return found_URLs
39 |
--------------------------------------------------------------------------------
/modules/signatures/pdf_eof.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012-2014 Cuckoo Foundation.
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class PDF_EOF(Signature):
19 | name = "pdf_eof"
20 | description = "The PDF has data after the last %% EOF marker."
21 | severity = 3
22 | categories = ["pdf"]
23 | authors = ["KillerInstinct"]
24 | minimum = "1.3"
25 |
26 | filter_analysistypes = set(["file"])
27 |
28 | def run(self):
29 | if "static" in self.results and "pdf" in self.results["static"]:
30 | if "PDF" in self.results["target"]["file"]["type"]:
31 | if "Data After EOF" in self.results["static"]["pdf"]["Info"]:
32 | if self.results["static"]["pdf"]["Info"]["Data After EOF"] != "0":
33 | return True
34 |
35 | return False
36 |
--------------------------------------------------------------------------------
/modules/signatures/pdf_page.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012-2014 Cuckoo Foundation.
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class PDF_Page(Signature):
19 | name = "pdf_page"
20 | description = "The PDF has one page. Many malicious PDFs only have one page."
21 | severity = 2
22 | categories = ["pdf"]
23 | authors = ["KillerInstinct"]
24 | minimum = "1.3"
25 |
26 | filter_analysistypes = set(["file"])
27 |
28 | def run(self):
29 | if "static" in self.results and "pdf" in self.results["static"]:
30 | if "PDF" in self.results["target"]["file"]["type"]:
31 | if "Keywords" in self.results["static"]["pdf"]:
32 | if "/Page" in self.results["static"]["pdf"]["Keywords"]:
33 | if self.results["static"]["pdf"]["Keywords"]["/Page"] == 1:
34 | return True
35 |
36 | return False
37 |
--------------------------------------------------------------------------------
/modules/signatures/persistence_ads.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012,2015 Claudio "nex" Guarnieri (@botherder), Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | try:
17 | import re2 as re
18 | except ImportError:
19 | import re
20 |
21 | from lib.cuckoo.common.abstracts import Signature
22 |
23 | class ADS(Signature):
24 | name = "persistence_ads"
25 | description = "Attempts to interact with an Alternate Data Stream (ADS)"
26 | severity = 3
27 | categories = ["persistence", "ads"]
28 | authors = ["nex", "Optiv"]
29 | minimum = "0.5"
30 |
31 | def run(self):
32 | result = False
33 | for file_path in self.results["behavior"]["summary"]["files"]:
34 | if len(file_path) <= 3:
35 | continue
36 |
37 | if ":" in file_path.split("\\")[-1]:
38 | if not file_path.lower().startswith("c:\\dosdevices\\") and not file_path[-1] == ":":
39 | # we have a different signature to deal with removal of Zone.Identifier
40 | if not file_path.startswith("\\??\\http://") and not file_path.endswith(":Zone.Identifier") and not re.match(r'^[A-Z]?:\\Users\\[^\\]+\\Favorites\\Links\\Suggested Sites\.url:favicon$', file_path, re.IGNORECASE):
41 | self.data.append({"file" : file_path})
42 | result = True
43 |
44 | return result
45 |
--------------------------------------------------------------------------------
/modules/signatures/persistence_service.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free Software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class PersistenceService(Signature):
19 | name = "persistence_service"
20 | description = "Created a service that was not started"
21 | severity = 3
22 | categories = ["persistence"]
23 | authors = ["Optiv"]
24 | minimum = "1.2"
25 |
26 | def run(self):
27 | found = False
28 | created_services = set(self.results["behavior"]["summary"]["created_services"])
29 | started_services = set(self.results["behavior"]["summary"]["started_services"])
30 | missing = created_services.difference(started_services)
31 | if missing:
32 | for service in missing:
33 | self.data.append({"service" : service })
34 | found = True
35 | return found
--------------------------------------------------------------------------------
/modules/signatures/prevents_safeboot.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class PreventsSafeboot(Signature):
8 | name = "prevents_safeboot"
9 | description = "Attempts to block SafeBoot use by removing registry keys"
10 | severity = 3
11 | categories = ["generic"]
12 | authors = ["Optiv"]
13 | minimum = "1.2"
14 |
15 | def run(self):
16 | if self.check_delete_key(pattern=".*\\\\System\\\\(CurrentControlSet|ControlSet001)\\\\Control\\\\SafeBoot\\\\.*", regex=True):
17 | return True
18 | return False
19 |
--------------------------------------------------------------------------------
/modules/signatures/process_interest.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class ProcessInterest(Signature):
19 | name = "process_interest"
20 | description = "Expresses interest in specific running processes"
21 | severity = 2
22 | categories = ["generic"]
23 | authors = ["Optiv"]
24 | minimum = "1.2"
25 | evented = True
26 |
27 | def __init__(self, *args, **kwargs):
28 | Signature.__init__(self, *args, **kwargs)
29 | self.searches = 0
30 | self.lastprocessname = ""
31 | self.interested_processes = set()
32 |
33 | filter_apinames = set(["Process32NextW", "Process32FirstW"])
34 |
35 | def on_call(self, call, process):
36 | if call["api"] == "Process32NextW":
37 | if not call["status"]:
38 | self.lastprocessname = ""
39 | else:
40 | self.lastprocessname = self.get_argument(call, "ProcessName")
41 | else:
42 | # is Process32FirstW
43 | if self.lastprocessname:
44 | self.interested_processes.add(self.lastprocessname)
45 |
46 |
47 | def on_complete(self):
48 | if self.lastprocessname:
49 | self.interested_processes.add(self.lastprocessname)
50 | if len(self.interested_processes):
51 | for proc in self.interested_processes:
52 | self.data.append({"process" : proc})
53 | return True
54 | return False
55 |
--------------------------------------------------------------------------------
/modules/signatures/process_needed.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class ProcessNeeded(Signature):
19 | name = "process_needed"
20 | description = "Repeatedly searches for a not-found process, may want to run with startbrowser=1 option"
21 | severity = 2
22 | categories = ["generic"]
23 | authors = ["Optiv"]
24 | minimum = "1.2"
25 | evented = True
26 |
27 | def __init__(self, *args, **kwargs):
28 | Signature.__init__(self, *args, **kwargs)
29 | self.searches = 0
30 | self.did_openprocess = 0
31 |
32 | filter_apinames = set(["Process32NextW", "NtOpenProcess"])
33 |
34 | def on_call(self, call, process):
35 | if call["api"] == "Process32NextW":
36 | if not call["status"]:
37 | if self.did_openprocess:
38 | self.did_openprocess = 0
39 | else:
40 | self.searches += 1
41 | else:
42 | # is NtOpenProcess
43 | self.did_openprocess = 1
44 |
45 | def on_complete(self):
46 | if self.searches > 5:
47 | return True
48 | return False
49 |
--------------------------------------------------------------------------------
/modules/signatures/ransomware_fileextensions.py:
--------------------------------------------------------------------------------
1 | from lib.cuckoo.common.abstracts import Signature
2 |
3 | class RansomwareExtensions(Signature):
4 | name = "ransomware_extensions"
5 | description = "Appends known ransomware file extensions to files that have been encrypted"
6 | severity = 3
7 | categories = ["ransomware"]
8 | authors = ["Kevin Ross"]
9 | minimum = "1.2"
10 |
11 | def run(self):
12 | indicators = [
13 | ".*\.aaa$",
14 | ".*\.abc$",
15 | ".*\.ccc$",
16 | ".*\.ecc$",
17 | ".*\.exx$",
18 | ".*\.ezz$",
19 | ]
20 |
21 | for indicator in indicators:
22 | results = self.check_write_file(pattern=indicator, regex=True, all=True)
23 | if results and len(results) > 15:
24 | return True
25 |
26 | return False
27 |
--------------------------------------------------------------------------------
/modules/signatures/ransomware_recyclebin.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class RansomwareRecyclebin(Signature):
8 | name = "ransomware_recyclebin"
9 | description = "Empties the Recycle Bin, indicative of ransomware"
10 | severity = 3
11 | categories = ["ransomware"]
12 | authors = ["Optiv"]
13 | minimum = "1.2"
14 |
15 | def run(self):
16 | if self.check_delete_file(pattern="C:\\\\RECYCLER\\\\.*", regex=True):
17 | return True
18 | return False
--------------------------------------------------------------------------------
/modules/signatures/rat_beebus_mutex.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012 @threatlead
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class BeebusMutexes(Signature):
19 | name = "rat_beebus_mutexes"
20 | description = "Creates known Beebus mutexes"
21 | severity = 3
22 | categories = ["rat"]
23 | families = ["beebus"]
24 | authors = ["threatlead", "nex"]
25 | minimum = "0.5"
26 | references = [
27 | "http://www.fireeye.com/blog/technical/malware-research/2013/04/the-mutter-backdoor-operation-beebus-with-new-targets.html",
28 | "https://malwr.com/analysis/MjhmNmJhZjdjOWM4NDExZDkzOWMyMDQ2YzUzN2QwZDI/"
29 | ]
30 |
31 | def run(self):
32 | indicators = [
33 | ".*mqe45tex13fw14op0",
34 | ".*654234576804d",
35 | ]
36 |
37 | for indicator in indicators:
38 | if self.check_mutex(pattern=indicator, regex=True):
39 | return True
40 |
41 | return False
42 |
--------------------------------------------------------------------------------
/modules/signatures/rat_fynloski_mutex.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 @threatlead
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class FynloskiMutexes(Signature):
19 | name = "rat_fynloski_mutexes"
20 | description = "Creates known Fynloski/DarkComet mutexes"
21 | severity = 3
22 | categories = ["rat"]
23 | families = ["darkcomet", "fynloski"]
24 | authors = ["threatlead"]
25 | references = ["https://malwr.com/analysis/ODVlOWEyNDU3NzBhNDE3OWJkZjE0ZjIxNTdiMzU1YmM/"]
26 | minimum = "0.5"
27 |
28 | def run(self):
29 | indicators = [
30 | "DC_MUTEX-.*"
31 | ]
32 |
33 | for indicator in indicators:
34 | if self.check_mutex(pattern=indicator, regex=True):
35 | return True
36 |
37 | return False
38 |
--------------------------------------------------------------------------------
/modules/signatures/rat_pcclient.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 @threatlead
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class PcClientMutexes(Signature):
19 | name = "rat_pcclient"
20 | description = "Creates known PcClient mutex and/or file changes."
21 | severity = 3
22 | categories = ["rat"]
23 | families = ["pcclient", "nex"]
24 | authors = ["threatlead"]
25 | references = ["https://malwr.com/analysis/MDIxN2NhMjg4MTg2NDY4MWIyNTE0Zjk5MTY1OGU4YzE/"]
26 | minimum = "0.5"
27 |
28 | def run(self):
29 | indicators = [
30 | "BKLANG.*",
31 | "VSLANG.*",
32 | ]
33 |
34 | for indicator in indicators:
35 | if self.check_mutex(pattern=indicator, regex=True):
36 | return True
37 |
38 | indicators = [
39 | ".*\\\\syslog.dat",
40 | ".*\\\\.*_lang.ini",
41 | ".*\\\\[0-9]+_lang.dll",
42 | ".*\\\\[0-9]+_res.tmp",
43 | ]
44 |
45 | for indicator in indicators:
46 | if self.check_file(pattern=indicator, regex=True):
47 | return True
48 |
49 | return False
50 |
--------------------------------------------------------------------------------
/modules/signatures/rat_plugx_mutex.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 @threatlead
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class PlugxMutexes(Signature):
19 | name = "rat_plugx_mutexes"
20 | description = "Creates known PlugX mutexes"
21 | severity = 3
22 | categories = ["rat"]
23 | families = ["plugx"]
24 | authors = ["threatlead", "nex"]
25 | references = ["https://malwr.com/analysis/YTZjYmUwMzNlNzkwNGU5YmIxNDQwYTcyYjFkYWI0NWE/"]
26 | minimum = "0.5"
27 |
28 | def run(self):
29 | indicators = [
30 | "DoInstPrepare",
31 | ]
32 |
33 | for indicator in indicators:
34 | if self.check_mutex(pattern=indicator):
35 | return True
36 |
37 | return False
38 |
--------------------------------------------------------------------------------
/modules/signatures/rat_poisonivy.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class PoisonIvyMutexes(Signature):
8 | name = "rat_poisonivy_mutexes"
9 | description = "Creates known Poison Ivy mutexes"
10 | severity = 3
11 | categories = ["rat"]
12 | authors = ["Optiv"]
13 | references = ["http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf"]
14 | minimum = "1.2"
15 |
16 | def run(self):
17 | indicators = [
18 | ")!VoqA.I4",
19 | "K^DJA^#FE",
20 | "KEIVH^#$S",
21 | "%1Sjfhtd8",
22 | "2SF#@R@#!"
23 | ]
24 |
25 | for indicator in indicators:
26 | if self.check_mutex(pattern=indicator):
27 | return True
28 |
29 | return False
30 |
--------------------------------------------------------------------------------
/modules/signatures/rat_xtreme_mutex.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 @threatlead
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class XtremeMutexes(Signature):
19 | name = "rat_xtreme_mutexes"
20 | description = "Creates known XtremeRAT mutexes"
21 | severity = 3
22 | categories = ["rat"]
23 | families = ["xtremerat"]
24 | authors = ["threatlead", "nex"]
25 | references = [
26 | "https://malwr.com/analysis/ZWM4YjI2MzI1MmQ2NDBkMjkwNzI3NzhjNWM5Y2FhY2U/",
27 | "https://malwr.com/analysis/MWY5YTAwZWI1NDc3NDJmMTgyNDA4ODc0NTk0MWIzNjM/"
28 | ]
29 | minimum = "0.5"
30 |
31 | def run(self):
32 | indicators = [
33 | "XTREMEUPDATE",
34 | "\(\(Mutex\)\).*"
35 | ]
36 |
37 | for indicator in indicators:
38 | if self.check_mutex(pattern=indicator, regex=True):
39 | return True
40 |
41 | return False
42 |
--------------------------------------------------------------------------------
/modules/signatures/recon_fingerprint.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012,2015 Claudio "nex" Guarnieri (@botherder), Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class Fingerprint(Signature):
19 | name = "recon_fingerprint"
20 | description = "Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)"
21 | severity = 3
22 | categories = ["recon"]
23 | authors = ["nex", "Optiv"]
24 | minimum = "1.2"
25 |
26 | def run(self):
27 | matches = 0
28 |
29 | indicators = [
30 | ".*\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\DigitalProductId$",
31 | ".*\\\\Microsoft\\\\Cryptography\\\\MachineGuid$",
32 | ".*\\\\HARDWARE\\\\DESCRIPTION\\\\System\\\\SystemBIOSDate$",
33 | ]
34 |
35 | for indicator in indicators:
36 | if self.check_read_key(pattern=indicator, regex=True):
37 | matches += 1
38 |
39 | if matches >= 2:
40 | return True
41 |
42 | return False
43 |
--------------------------------------------------------------------------------
/modules/signatures/recon_programs.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class InstalledApps(Signature):
8 | name = "recon_programs"
9 | description = "Collects information about installed applications"
10 | severity = 3
11 | confidence = 20
12 | categories = ["recon"]
13 | authors = ["Optiv"]
14 | minimum = "1.2"
15 |
16 | def run(self):
17 | office_pkgs = ["ppt","doc","xls","eml","pdf"]
18 | if any(e in self.results["info"]["package"] for e in office_pkgs):
19 | return False
20 |
21 | if self.check_read_key(pattern= ".*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall.*", regex=True):
22 | return True
23 |
24 | return False
--------------------------------------------------------------------------------
/modules/signatures/recon_systeminfo.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012 Claudio "nex" Guarnieri (@botherder)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class SystemInfo(Signature):
19 | name = "recon_systeminfo"
20 | description = "Collects information on the system (ipconfig, netstat, systeminfo)"
21 | severity = 3
22 | categories = ["recon"]
23 | authors = ["nex"]
24 | minimum = "1.0"
25 | evented = True
26 |
27 | filter_categories = set(["process"])
28 |
29 | def on_call(self, call, process):
30 | return self.check_argument_call(
31 | call, pattern="(^cmd\.exe).*[(systeminfo)|(ipconfig)|(netstat)]",
32 | name="CommandLine",
33 | category="process",
34 | regex=True
35 | )
36 |
--------------------------------------------------------------------------------
/modules/signatures/removes_zoneid_ads.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class RemovesZoneIdADS(Signature):
8 | name = "removes_zoneid_ads"
9 | description = "Attempts to remove evidence of file being downloaded from the Internet"
10 | severity = 3
11 | categories = ["generic"]
12 | authors = ["Optiv"]
13 | minimum = "1.0"
14 | evented = True
15 |
16 | def __init__(self, *args, **kwargs):
17 | Signature.__init__(self, *args, **kwargs)
18 |
19 | filter_apinames = set(["DeleteFileA","DeleteFileW"])
20 |
21 | def on_call(self, call, process):
22 | if call["api"].startswith("DeleteFile") and self.get_argument(call, "FileName").endswith(":Zone.Identifier"):
23 | self.data.append({"file" : self.get_argument(call, "FileName") })
24 | return True
25 |
26 | return None
27 |
--------------------------------------------------------------------------------
/modules/signatures/sniffer_winpcap.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012 Thomas "stacks" Birn (@stacksth)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class InstallsWinpcap(Signature):
19 | name = "sniffer_winpcap"
20 | description = "Installs WinPCAP"
21 | severity = 3
22 | categories = ["sniffer"]
23 | authors = ["Thomas Birn", "nex"]
24 | minimum = "0.5"
25 |
26 | def run(self):
27 | indicators = [
28 | ".*\\\\packet\.dll$",
29 | ".*\\\\npf\.sys$",
30 | ".*\\\\wpcap\.dll$"
31 | ]
32 |
33 | for indicator in indicators:
34 | file_path = self.check_file(pattern=indicator, regex=True)
35 | if file_path:
36 | self.data.append({"file" : file_path})
37 | return True
38 |
39 | return False
40 |
--------------------------------------------------------------------------------
/modules/signatures/spreading_autoruninf.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012 Thomas "stacks" Birn (@stacksth)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class CreatesAutorunInf(Signature):
19 | name = "spreading_autoruninf"
20 | description = "Creates an autorun.inf file"
21 | severity = 2
22 | categories = ["spreading"]
23 | authors = ["Thomas Birn", "nex"]
24 | minimum = "0.5"
25 |
26 | def run(self):
27 | return self.check_file(pattern=".*\\\\autorun\.inf$", regex=True)
28 |
--------------------------------------------------------------------------------
/modules/signatures/static_authenticode.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class Authenticode(Signature):
8 | name = "static_authenticode"
9 | description = "Presents an Authenticode digital signature"
10 | severity = 1
11 | weight = -1
12 | confidence = 30
13 | categories = ["static"]
14 | authors = ["Optiv"]
15 | minimum = "1.3"
16 |
17 | def run(self):
18 | found_sig = False
19 |
20 | if "static" in self.results and "pe" in self.results["static"]:
21 | if "digital_signers" in self.results["static"]["pe"] and self.results["static"]["pe"]["digital_signers"]:
22 | for sign in self.results["static"]["pe"]["digital_signers"]:
23 | self.data.append(sign)
24 | found_sig = True
25 |
26 | return found_sig
27 |
--------------------------------------------------------------------------------
/modules/signatures/static_rat_config.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class RATConfig(Signature):
8 | name = "static_rat_config"
9 | description = "Contains extracted RAT config"
10 | severity = 3
11 | weight = 3
12 | categories = ["static"]
13 | authors = ["Optiv"]
14 | minimum = "1.3"
15 |
16 | def run(self):
17 | if "static" in self.results and "rat" in self.results["static"] and "name" in self.results["static"]["rat"] and len(self.results["static"]["rat"]["name"]):
18 | self.description = "Contains RAT configuration for " + self.results["static"]["rat"]["name"] + " (see Static Analysis tab)"
19 | self.families = [ self.results["static"]["rat"]["name"] ]
20 | return True
21 |
22 | return False
23 |
--------------------------------------------------------------------------------
/modules/signatures/static_versioninfo_anomaly.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class VersionInfoAnomaly(Signature):
8 | name = "static_versioninfo_anomaly"
9 | description = "Unusual version info supplied for binary"
10 | severity = 3
11 | categories = ["static"]
12 | authors = ["Optiv"]
13 | minimum = "1.3"
14 |
15 | def run(self):
16 | found_sig = False
17 |
18 | if not "static" in self.results or not "pe" in self.results["static"] or not "versioninfo" in self.results["static"]["pe"]:
19 | return False
20 |
21 | msincopyright = None
22 | msincompanyname = None
23 | mstransposed = False
24 |
25 | # Microsoft Corporation sorted
26 | mscorpsorted = " CMacfiinoooooprrrstt"
27 |
28 | for info in self.results["static"]["pe"]["versioninfo"]:
29 | if info["name"] == "LegalCopyright":
30 | if "microsoft" in info["value"].lower():
31 | msincopyright = True
32 | else:
33 | msincopyright = False
34 | elif info["name"] == "CompanyName":
35 | if ''.join(sorted(info["value"])) == mscorpsorted and info["value"] != "Microsoft Corporation":
36 | mstransposed = True
37 |
38 | if "microsoft" in info["value"].lower():
39 | msincompanyname = True
40 | else:
41 | msincompanyname = False
42 |
43 | if msincopyright == True and msincompanyname == False:
44 | self.data.append({"anomaly" : "Microsoft mentioned in LegalCopyright, but not in CompanyName field"})
45 | found_sig = True
46 | if mstransposed == True:
47 | self.data.append({"anomaly" : "CompanyName is a transposed form of \"Microsoft Corporation\"."})
48 | self.families = ["Bedep"]
49 | found_sig = True
50 |
51 | return found_sig
52 |
--------------------------------------------------------------------------------
/modules/signatures/stealth_childproc.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2014 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class StealthChildProc(Signature):
8 | name = "stealth_childproc"
9 | description = "Forces a created process to be the child of an unrelated process"
10 | severity = 3
11 | categories = ["stealth"]
12 | authors = ["Optiv"]
13 | minimum = "1.2"
14 | evented = True
15 |
16 | def __init__(self, *args, **kwargs):
17 | Signature.__init__(self, *args, **kwargs)
18 |
19 | filter_apinames = set(["NtCreateProcess","NtCreateProcessEx","RtlCreateUserProcess","CreateProcessInternalW"])
20 |
21 | def on_call(self, call, process):
22 | parenthandle = self.get_argument(call, "ParentHandle")
23 | if parenthandle and parenthandle != "0xffffffff":
24 | return True
25 |
--------------------------------------------------------------------------------
/modules/signatures/stealth_hiddenreg.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class StealthHiddenReg(Signature):
8 | name = "stealth_hiddenreg"
9 | description = "Attempts to modify Explorer settings to prevent hidden files from being displayed"
10 | severity = 3
11 | categories = ["stealth"]
12 | authors = ["Optiv"]
13 | minimum = "1.2"
14 |
15 | def run(self):
16 | reg_indicators = [
17 | ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden$",
18 | ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden$",
19 | ]
20 |
21 | for indicator in reg_indicators:
22 | reg_match = self.check_write_key(pattern=indicator, regex=True, all=True)
23 | if reg_match:
24 | return True
25 | return False
26 |
--------------------------------------------------------------------------------
/modules/signatures/stealth_hidenotifications.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Kevin Ross
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class StealthHideNotifications(Signature):
8 | name = "stealth_hide_notifications"
9 | description = "Attempts to modify user notification settings"
10 | severity = 3
11 | categories = ["stealth"]
12 | authors = ["Kevin Ross"]
13 | minimum = "1.2"
14 |
15 | def run(self):
16 | reg_indicators = [
17 | ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAHealth$",
18 | ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Advanced\\\\TaskbarNoNotification$",
19 | ]
20 |
21 | for indicator in reg_indicators:
22 | reg_match = self.check_write_key(pattern=indicator, regex=True, all=True)
23 | if reg_match:
24 | return True
25 | return False
26 |
--------------------------------------------------------------------------------
/modules/signatures/stealth_network.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class StealthNetwork(Signature):
8 | name = "stealth_network"
9 | description = "Network activity detected but not expressed in API logs"
10 | severity = 3
11 | categories = ["stealth"]
12 | authors = ["Optiv"]
13 | minimum = "1.2"
14 | evented = True
15 |
16 | def __init__(self, *args, **kwargs):
17 | Signature.__init__(self, *args, **kwargs)
18 | self.foundnetwork = False
19 | filter_categories = set(["network"])
20 |
21 | def on_call(self, call, process):
22 | self.foundnetwork = True
23 |
24 | def on_complete(self):
25 | initialproc = self.get_initial_process()
26 | if "network" in self.results:
27 | if ((("hosts" in self.results["network"]) and len(self.results["network"]["hosts"]) > 0) or
28 | (("domains" in self.results["network"]) and len(self.results["network"]["domains"]) > 0)) and initialproc and not self.foundnetwork:
29 | return True
30 | return False
31 |
--------------------------------------------------------------------------------
/modules/signatures/stealth_timelimit.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class StealthTimeout(Signature):
8 | name = "stealth_timeout"
9 | description = "Likely date expiration check, exits too soon after checking local time"
10 | severity = 3
11 | weight = 3
12 | confidence = 80
13 | categories = ["stealth"]
14 | authors = ["Optiv"]
15 | minimum = "1.3"
16 | evented = True
17 |
18 | def __init__(self, *args, **kwargs):
19 | Signature.__init__(self, *args, **kwargs)
20 | self.lastprocess = 0
21 | self.systimeidx = 0
22 | self.exitidx = 0
23 | self.curidx = 0
24 |
25 | def on_call(self, call, process):
26 | if process is not self.lastprocess:
27 | self.lastprocess = process
28 | self.systimeidx = 0
29 | self.exitidx = 0
30 | self.curidx = 0
31 |
32 | self.curidx += 1
33 |
34 | if call["api"] == "GetSystemTimeAsFileTime" or call["api"] == "GetSystemTime" or call["api"] == "GetLocalTime" or call["api"] == "NtQuerySystemTime":
35 | self.systimeidx = self.curidx
36 | elif call["api"] == "NtTerminateProcess":
37 | handle = self.get_argument(call, "ProcessHandle")
38 | if handle == "0xffffffff" or handle == "0x00000000":
39 | self.exitidx = self.curidx
40 | if self.systimeidx and self.exitidx and self.systimeidx > (self.exitidx - 10):
41 | if process["module_path"].lower() != "c:\\windows\\system32\\attrib.exe":
42 | self.data.append({"process" : process["process_name"] + ", PID " + str(process["process_id"])})
43 | return True
44 |
45 | return None
46 |
47 |
--------------------------------------------------------------------------------
/modules/signatures/stealth_webhistory.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
3 | # See the file 'docs/LICENSE' for copying permission.
4 |
5 | from lib.cuckoo.common.abstracts import Signature
6 |
7 | class StealthWebHistory(Signature):
8 | name = "stealth_webhistory"
9 | description = "Clears web history"
10 | severity = 3
11 | categories = ["stealth"]
12 | authors = ["Optiv"]
13 | minimum = "1.2"
14 |
15 | def run(self):
16 | file_indicators = [
17 | ".*\\\\History\\\\History\.IE5\\\\.*",
18 | ".*\\\\Temporary\\\\ Internet\\ Files\\\\Content\.IE5\\\\.*",
19 | ]
20 | if self.results["target"]["category"] == "file":
21 | file_indicators.append(".*\\\\Cookies\\\\.*")
22 | found_cleaner = False
23 | for indicator in file_indicators:
24 | file_match = self.check_delete_file(pattern=indicator, regex=True, all=True)
25 | if file_match and len(file_match) > 10:
26 | for match in file_match:
27 | self.data.append({"file" : match })
28 | found_cleaner = True
29 | return found_cleaner
30 |
--------------------------------------------------------------------------------
/modules/signatures/suricata_alert.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class SuricataAlert(Signature):
19 | name = "suricata_alert"
20 | description = "Created network traffic indicative of malicious activity"
21 | severity = 3
22 | confidence = 80
23 | weight = 3
24 | categories = ["network"]
25 | authors = ["Optiv"]
26 | minimum = "1.2"
27 |
28 | def run(self):
29 | sigset = set()
30 | whitelist = [
31 | "Application Crash Report Sent to Microsoft",
32 | "Outdated Windows Flash Version IE",
33 | "JAVA - ClassID",
34 | ]
35 | if "suricata" in self.results:
36 | if "alerts" in self.results["suricata"]:
37 | for alert in self.results["suricata"]["alerts"]:
38 | if "signature" in alert:
39 | addsig = True
40 | for item in whitelist:
41 | if item in alert["signature"]:
42 | addsig = False
43 | break
44 | if addsig:
45 | sigset.add(alert["signature"])
46 | for sig in sigset:
47 | self.data.append({"signature" : sig})
48 | self.weight += 1
49 | if len(sigset):
50 | return True
51 | return False
52 |
--------------------------------------------------------------------------------
/modules/signatures/targeted_flame.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2012 Claudio "nex" Guarnieri (@botherder)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class Flame(Signature):
19 | name = "targeted_flame"
20 | description = "Shows some indicators associated with the Flame malware"
21 | severity = 3
22 | references = ["http://www.crysys.hu/skywiper/skywiper.pdf",
23 | "http://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers",
24 | "http://www.certcc.ir/index.php?name=news&file=article&sid=1894"]
25 | categories = ["targeted"]
26 | families = ["flame", "skywiper"]
27 | authors = ["nex"]
28 | minimum = "0.5"
29 |
30 | def run(self):
31 | indicators = [
32 | "__fajb.*",
33 | "DVAAccessGuard.*",
34 | ".*mssecuritymgr.*"
35 | ]
36 |
37 | for indicator in indicators:
38 | if self.check_mutex(pattern=indicator, regex=True):
39 | return True
40 |
41 | indicators = [
42 | ".*\\\\Microsoft Shared\\\\MSSecurityMgr\\\\.*",
43 | ".*\\\\Ef_trace\.log$"
44 | ]
45 |
46 | for indicator in indicators:
47 | if self.check_file(pattern=indicator, regex=True):
48 | return True
49 |
50 | return False
51 |
--------------------------------------------------------------------------------
/modules/signatures/trojan_fleercivet_mutex.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 Optiv, Inc. (brad.spengler@optiv.com)
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class FleerCivetMutexes(Signature):
19 | name = "fleercivet_mutex"
20 | description = "Creates known FleerCivet mutexes"
21 | severity = 3
22 | weight = 5
23 | categories = ["trojan"]
24 | families = ["fleercivet"]
25 | authors = ["Optiv"]
26 | minimum = "0.5"
27 |
28 | def run(self):
29 | indicators = [
30 | "_HSJ909NJJNJ90203_"
31 | ]
32 |
33 | for indicator in indicators:
34 | if self.check_mutex(pattern=indicator):
35 | return True
36 |
37 | return False
38 |
--------------------------------------------------------------------------------
/modules/signatures/webmail_phish.py:
--------------------------------------------------------------------------------
1 | # Copyright (C) 2015 KillerInstinct
2 | #
3 | # This program is free software: you can redistribute it and/or modify
4 | # it under the terms of the GNU General Public License as published by
5 | # the Free Software Foundation, either version 3 of the License, or
6 | # (at your option) any later version.
7 | #
8 | # This program is distributed in the hope that it will be useful,
9 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 | # GNU General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see .
15 |
16 | from lib.cuckoo.common.abstracts import Signature
17 |
18 | class Webmail_Phish(Signature):
19 | name = "webmail_phish"
20 | description = "Network activity contains known webmail credential phishing indicators."
21 | severity = 3
22 | categories = ["network"]
23 | authors = ["KillerInstinct"]
24 | minimum = "1.0"
25 | evented = True
26 |
27 | def __init__(self, *args, **kwargs):
28 | Signature.__init__(self, *args, **kwargs)
29 | # Lower case for now, may tighten later
30 | self.indicators = [
31 | "validateformyahoo()",
32 | "validateformhotmail()",
33 | "validateformgmail()",
34 | "validateformaol()",
35 | "validateformother()",
36 | ]
37 | self.hits = set()
38 |
39 | # Observed with IE8
40 | filter_apinames = set(["InternetReadFile"])
41 |
42 | def on_call(self, call, process):
43 | data = self.get_argument(call, "Buffer")
44 | if data:
45 | for indicator in self.indicators:
46 | if indicator in data.lower():
47 | self.hits.add(indicator)
48 |
49 | def on_complete(self):
50 | ret = False
51 | if self.hits:
52 | ret = True
53 | for item in self.hits:
54 | self.weight += 1
55 |
56 | return ret
57 |
--------------------------------------------------------------------------------