Introduction

At Hatching we are continuously improving the behavioral analysis capabilities used for dynamic analysis of malware. Today marks our first public release of onemon, our successor of zer0m0n that is compatible with Cuckoo Sandbox.

It should be noted that this release focuses solely on real-time process memory scanning using Yara and subsequent process memory dumping if a match has been found. It is therefore not a (complete) replacement for the behavioral analysis capabilities present today in Cuckoo Monitor.

Furthermore, the work behind this release has been performed in collaboration with CERT.PL and is co-financed by the Connecting Europe Facility of the European Union, action no: 2016-PL-IA-0127.

What, why, and how?

To most malware researchers, the capability of performing memory dumps is a crucial step for additional manual research. Some like to run entire VM memory dumps through Volatility or Rekall while others use the “dumped” binary (i.e., the payload binary as opposed to the packer that executes it) to analyze the actual threat. Even just running strings(1) on memory dumps may often give interesting results.

While we generally believe this is a good thing to do, we are not big on the generation of entire Virtual Machine state snapshots that in practice often take one to four gigabytes of storage (depending on how much RAM was assigned to the VM). Therefore Cuckoo Monitor and now onemon implement process memory dumping; these process memory dumps often take less than 50-100 MB of storage, making it much less heavy on the I/O side as well as HDD size required.

In onemon we have slightly optimized and generally improved the process memory dumping strategy though. Instead of somewhat randomly, often at the start of a new process and a few times during execution, performing a process memory dump (as is the case in Cuckoo Monitor) we have opted for only dumping process memory if there’s a match against a configured Yara rule in the first place. It should be mentioned that Cuckoo Monitor was also (primarily) developed by yours truly, but that all newly developed techniques in onemon are the conclusion of years of knowledge on the subject of malware sandboxing.

During an analysis, this release of onemon will scan processes against the defined Yara rules at the following moments in time:

• Upon creation of a new process.
• Upon injection of an image through NtMapViewOfSection (Process Hollowing).
• Upon resuming of a thread through NtResumeThread (Process Hollowing).
• Once every second for each monitored process.
• Upon termination of a process.

In the future, specific system calls may lead to Yara scans. E.g., in the past various socket operations have been known to lead to good scanning opportunities for process memory.

How to use it?

Using our onemon Windows kernel driver is as simple as applying the following three steps to your Cuckoo environment:

• Fetch the latest Cuckoo Community by running cuckoo community. This will make sure your Cuckoo environment contains onemon.
• Place a number of Yara rules that may be applied to process memory scanning in $CWD/yara/dumpmem/, i.e., simplified rules for specific malware families for which you’d like memory dumps. Ideally these Yara rules are somewhat simplified for performance and don’t include things like “($mz at 0)”.
• Submit an analysis with the analysis=kernel option set. Through the command-line this may look as follows: cuckoo submit -o analysis=kernel sample.exe.
• Ensure that your Virtual Machine has Patch Guard disabled & allows loading of unsigned Windows kernel drivers. In order to do so, one may either boot Windows in “test” or “debug” mode or use a tool like UPGDSED to patch the VM.

Note that, for backwards compatibility reasons in Cuckoo, the driver is called zer0m0n-x64.sys in the Cuckoo Community repository. This allows Cuckoo to use it as-is with existing Cuckoo 2.0.6 and later installations.

After a successful analysis has been performed, one should be able to find one or more memory dumps related to that specific malware family and analysis. It is then possible to perform automated post analysis processing using roach, an easy-to-use and modular library that exposes a fair bit of functionality often used by malware samples. Roach is installed with Cuckoo by default and attempts to abstract away numerous routines normally exposed by various 3rd party libraries.

License

This version of our Windows kernel driver has been released to Cuckoo Sandbox under a perpetual license, i.e., it may be used for both research as well as commercial usage by anyone who deems that to be relevant.

While the development of onemon was originally inspired by zer0m0n, we have completely overhauled the kernel driver. The codebase of onemon is fully owned by Hatching, as it shares no code with zer0m0n. However, we do want to thank Conix Security for their open source contribution of zer0m0n towards Cuckoo Sandbox. Additionally, a number of other software licenses are in use by onemon - a copy of the license headers may be found here.