Cuckoo: PDF Embedded EXE

Created on 21 May 2018  路  4Comments  路  Source: cuckoosandbox/cuckoo

My issue is:

i m using adobe_pdf_embedded_exe module in metasploit in order to embed a backdoor connection in a pdf file my cuckoo can't detect nothing with a score of 3.8 :( i need some tips to harden my cuckoo and a better score calculation

My Cuckoo version and operating system are:

cuckoo version : 2.0.5
os : ubuntu 16.04

All 4 comments

go for documentation how to write signatures

Hi rayenmessaoudi,

Thanks for posting this issue.

The score is not a definite malicious/not malicious answer, and should (currently) be seen as information that should be viewed together with what signatures were triggered. More high severity signatures(red in web interface) means that actions were performed that are likely to be malicious.

There can be many reasons if there was a low amount of triggered signatures. It might be that the embedded executable was not executed, for example.

Could you please post the PDF with embedded executable you have created? :smile: I am curious what signatures are triggered on my own Cuckoo setups.

Hi,
@RicoVZ u have right the problem is the exe was not executed :p
i solved the problem but the score is 4.6.
i developed a module to extract files from mails then submit it to cuckoo for analysis and alerting via mail i asked how i can ameliorate the score calculation because the alert is based on defined threshold example if the score = 5 then send the alert ? so any advices ?

Ah, nice use of Cuckoo. :smile:

Instead of editing the score calculation, I would suggest using three types of information to decide if you want to trigger an alert:

  • The score itself
    By this I mean the threshold as you use it now
  • The severity of the triggered signatures
    You could also trigger an alert if for example, there is more than one, or at least one
    signature of severity level 3. These signatures tend to be only for actions that might be malicious,
    especially if combined with other triggered signatures.

https://github.com/cuckoosandbox/community/search?q=severity+%3D+3&unscoped_q=severity+%3D+3

Of course, this depends very much on the context of the files you are submitting. For example: a known benign torrent client will likely trigger some level 3 signatures. But this is because it is software that does a lot of things. But you would likely not expect mail attachments to perform the same actions.

  • Signature names
    There are likely some signatures for which you always want to trigger an alert.

Examples:
https://github.com/cuckoosandbox/community/blob/master/modules/signatures/windows/ransomware_files.py#L20

https://github.com/cuckoosandbox/community/blob/master/modules/signatures/windows/ransomware_fileextensions.py#L19

Was this page helpful?
0 / 5 - 0 ratings

Related issues

duramen picture duramen  路  4Comments

myhsu picture myhsu  路  5Comments

rodkinal picture rodkinal  路  6Comments

ishaansharma picture ishaansharma  路  3Comments

shafaqat1 picture shafaqat1  路  6Comments