cuckoo_0.3.2 Guest monitoring

Cuckoo copies the submitted sample into the Guest through the VirtualBox shared-folder feature and launches it there. As of now it can load dll, exe, doc, pdf and php samples, and it can open a URL in Firefox or IE. Once the process is started inside the Guest, Cuckoo injects a DLL into the target process and hooks a few APIs. Cuckoo did not release the source code of this DLL, but if you run the strings utility on it you can recover the list of APIs it hooks. Cuckoo also provides an option to load your own custom DLL instead.

List of APIs hooked by cmonitor.dll:
    FindWindowW
    CreateMutexW
    OpenMutexW
    OpenSCManagerW
    CreateServiceA
    CreateServiceW
    OpenServiceW
    StartServiceW
    IsDebuggerPresent
    ControlService
    DeleteService
    RegOpenKeyW
    RegCreateKeyW
    RegDeleteKeyW
    RegEnumKeyExW
    RegEnumValueW
    RegSetValueExW
    RegQueryValueExW
    CreateProcessA
    CreateProcessW
    TerminateProcess
    ExitProcess
    ShellExecuteExW
    CreateThread
    CreateRemoteThread
    URLDownloadToFileW
    InternetOpenUrlW
    Sleep
    LoadLibraryA
    LoadLibraryW
    ExitWindowsEx
    VirtualAllocEx
    WriteProcessMemory
    ReadProcessMemory
    SetWindowsHookExA
    SetWindowsHookExW
    CreateFileW
    ReadFile
    WriteFile
    DeleteFileW
    MoveFileExW
    DeviceIoControl
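The post recovers the hook list above by running strings over the monitor DLL. The script below, added here as an illustration and not part of Cuckoo or of the original post, does the same thing in Python: it extracts printable-ASCII runs from a byte buffer the way strings does, intersects them with the hook list from this page, and reports which of the expected APIs are present and which are missing, so an analyst can check whether a custom monitor DLL covers the same set. The byte buffer SAMPLE_DLL_BYTES is a constructed stand-in; in real use you would read cmonitor.dll from disk as shown in the comment.

```python
import re

# Hook list as given on this page for cmonitor.dll (Cuckoo 0.3.2).
HOOKED_APIS = {
    "FindWindowW", "CreateMutexW", "OpenMutexW", "OpenSCManagerW",
    "CreateServiceA", "CreateServiceW", "OpenServiceW", "StartServiceW",
    "IsDebuggerPresent", "ControlService", "DeleteService", "RegOpenKeyW",
    "RegCreateKeyW", "RegDeleteKeyW", "RegEnumKeyExW", "RegEnumValueW",
    "RegSetValueExW", "RegQueryValueExW", "CreateProcessA", "CreateProcessW",
    "TerminateProcess", "ExitProcess", "ShellExecuteExW", "CreateThread",
    "CreateRemoteThread", "URLDownloadToFileW", "InternetOpenUrlW", "Sleep",
    "LoadLibraryA", "LoadLibraryW", "ExitWindowsEx", "VirtualAllocEx",
    "WriteProcessMemory", "ReadProcessMemory", "SetWindowsHookExA",
    "SetWindowsHookExW", "CreateFileW", "ReadFile", "WriteFile",
    "DeleteFileW", "MoveFileExW", "DeviceIoControl",
}

# Constructed sample buffer standing in for the bytes of a monitor DLL.
# Real use: data = open("cmonitor.dll", "rb").read()
SAMPLE_DLL_BYTES = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16   # PE header fragment (not a string)
    + b"CreateProcessW\x00"                        # hooked API name
    + b"\x01\x02\x03"                              # binary noise
    + b"WriteProcessMemory\x00"                    # hooked API name
    + b"ab\x00"                                    # too short to count as a string
    + b"RegSetValueExW\x00"                        # hooked API name
    + b"Sleep\x00"                                 # hooked API name
    + b"SomeUnrelatedSymbol\x00"                   # printable, but not in the hook list
)


def extract_strings(data, min_len=4):
    """Emulate the strings utility: return printable-ASCII runs of at least
    min_len bytes found anywhere in data."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def find_hooked_api_names(data, known=HOOKED_APIS):
    """Return, sorted, the names from the known hook list that appear as
    plain strings in data."""
    return sorted(set(extract_strings(data)) & set(known))


def coverage_report(data, known=HOOKED_APIS):
    """Compare the strings in a (possibly custom) monitor DLL against the
    expected hook list: which expected APIs are present and which are not."""
    found = set(find_hooked_api_names(data, known))
    return {
        "found": sorted(found),
        "missing": sorted(set(known) - found),
    }


if __name__ == "__main__":
    report = coverage_report(SAMPLE_DLL_BYTES)
    print("present:", ", ".join(report["found"]))
    print("missing: %d of %d expected APIs" % (len(report["missing"]), len(HOOKED_APIS)))
```

Matching on plain strings is only a first pass: a DLL that builds names at runtime or resolves hooks by ordinal will not show them this way, so treat an empty "found" list as "inconclusive" rather than "no hooks".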

This entry was posted in Malware.