Add in Emotet/Geodo APIs Signature #252
base: master
Conversation
To cover this; I am seeing a lot of this at the moment. The sig can probably have more indicators added to it, but this is what I have been using for the moment to ID it quickly: https://blogs.forcepoint.com/security-labs/new-variant-geodoemotet-banking-malware-targets-uk
Here are a few MD5s if you want to check: 8d01c393b5663644f7c787ca03662cd7, fc9af61acfe42bf13c06213b3a42c235. I tested it on a variety of samples for campaigns going back to April 3rd 2017 until samples from yesterday.
@kevross33 will you keep on posting PRs (if yes, where)? Your sigs are essential for this project!!
Thank you for the kind words, but there are a lot of people who have contributed more to this project than me; I do what I am able to in order to collectively add to it.
Yes, for the SIGs I put in, I will post them here and am also trying to improve Cuckoo 2.0. I am continuing to improve my SIGs and also adding new ones where I can. Still, I feel detection of activity is generally covered, aside from specific families maybe. For instance, the ransomware file modification behaviour SIG still holds up to new samples when they encrypt.
It's really a pity that Brad wanted to give up on working on this repo, but I'm sure he has his reasons. By the way, thank you for your support; I'm hoping that cuckoo-modified won't die, because it's an awesome project and many guys worked hard on it.
Brad has done so much for Cuckoo in general. I understand why changes aren't as quick as they once were; now this is more a labour of love rather than work, as it is for many of us, and it is worth reading this: https://www.optiv.com/blog/improving-reliability-of-sandbox-results. While Cuckoo 2.0 is a massive improvement over Cuckoo, I still think for Windows malware nothing is as thorough as cuckoo-modified currently. The work Brad did on improving the monitoring, stabilising it, as well as a raft of new features and APIs, is amazing. When you compare main branch 1.1 - 1.3 versus cuckoo-modified at the time, the quality was apparent. I mean, Cuckoo had a lot of quality work done on it by many talented people, but Brad made it practical and reliable at the time to researchers needing a reliable dynamic analysis platform, and it is testament to the quality of the improvements that even years later it still reliably gets those important results. So we in the security community owe a massive thanks for all the work he has done and any time spent :-D
With this signature I have added in some improvements to match detection more precisely and also extract C2 information when it is trying to send the Cookie.
@kevross33 I agree with you 100%. I really thank Brad, because I came across deep malware analysis thanks to his great work in cuckoomod.
Yup, I still have pending PRs to backport.
Yeah, I am a bit surprised, but I understand about this. Thank you Brad, though, for your great work.
I still use cuckoo-modified extensively given its quality, but I think more will need to be done to get the improvements over to Cuckoo 2, as I think Cuckoo 2 will benefit greatly from them; there are devs there, and it would also ensure the features exist.
I have made an effort with SIG conversions, but it would be great if the improvements lived on in Cuckoo 2. That said, I will continue to support modified with SIGs; hopefully they can get pulled, but ideally it can be forked under the main Cuckoo project umbrella. I am not keen to see forks of it, though, and ideally it can be maintained by others or under another directly agreed fork until a time Cuckoo 2 offers the functionality. I tend to use both, but I really don't want to lose things in cuckoo-modified.
Kind regards,
Kevin
Totally agree, but till then at least it can be all in one place and not dead in PRs :)
Hi,
What is happening with cuckoo-modified? Does anyone have any ideas for making an "official" location we can all still contribute to without dividing it a load of times? Someone with enough knowledge to make sure problem PRs don't make it in until sorted, and who can handle pull requests, would be great just to keep it alive.
Feel free to push against https://github.com/doomedraven/community-modified & https://github.com/doomedraven/cuckoo-modified, as I still use it for some stuff; I will keep it up and running.
OK, great. I will do that if you are keeping those going for pull requests.
Thanks.
I will ;)
@kevross33 I saw your yara rule that searches for ransom messages in memory and it's very interesting.