
Feature request: Display original filename on cuckoo web interface #81

Closed
Clevero opened this issue May 2, 2019 · 4 comments

Comments

@Clevero (Contributor) commented May 2, 2019

Expected Behavior

Original filenames are displayed in cuckoo web instead of their checksum

Current Behavior

Cuckoo web displays some long checksums

Possible Solution

Display the real file name on cuckoo web

Context (Environment)

That sometimes makes debugging hard when you want to find a specific analysis.

@Thorsten-Sick commented

cuckoo Sandbox should get the file with the original filename. The reason is: Malware could check at start of execution what the own file name/folder is and abort before doing anything malicious. This would also solve the issue with the displayed name :-)

@Jack28 (Member) commented May 5, 2019

Allow me to give some background for the decision to use SHA256.file_extension.
Amavis places the extracted email attachments in the file system named p001,p002..p00n. For some or most AV scanners the filename doesn't matter, it's the files content that is scanned. Also it makes sense to not allow the attacker to place a file with a given name in the file system. Especially because the filename of the attachment is only a header of the attachment section (e.g. Content-Disposition: attachment; filename=file.pdf) and can be set to any desired value.

To address the original question I want to reference the database layout. The connection between analysis report in Cuckoo and mail is normally made via cuckoo_job_id and job_hash. Vice versa it is possible to look for hashes in the database.

For Cuckoo to display the declared filename it would require a lot of checks and to put
sample.meta_info_name_declared somewhere here:

files = {"file": (filename, open(path, 'rb'))}

It would be interesting to learn your routine and how the original filename in Cuckoo would ease your life.

Alternatively the declared/original filename could be passed to Cuckoo via the custom parameter:
https://cuckoo.sh/docs/usage/submit.html?highlight=api#api

@Thorsten-Sick commented

...there is this joke about the AV that flagged all files with the name *.vir as malicious. Had a good detection. Do not know if the rumours are true...

For static detection the file name should not matter. For dynamic detection where the file is executed everything should look as "normal" as possible. No idea if the filename is top priority or something else....

I created a new issue for the analysis. This Issue here is for the display of the file name.
#82

@michaelweiser (Contributor) commented

Using the idea for getting the original name into Cuckoo without actually giving it that name in the local filesystem using the REST API sketched out in #82, the name displayed in the Web UI should be fixed as a side-effect. Re-reading @Jack28's comment above I think we mean the same and already looked at the same piece of code for the solution.

I'd vote to leave it at that and not try to implement any hacks for the (deprecated) embed mode as well.
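The two points made in this thread (Jack28's explanation of why the sample is stored as SHA256.file_extension rather than under the attacker-controlled Content-Disposition filename, and michaelweiser's fix of passing the declared name to Cuckoo only through the REST API's multipart filename field) can be shown in one piece of code. The following is an added illustration written for this page, not PeekabooAV's or Cuckoo's own code: the mail message, the `sanitize_declared`, `storage_name` and `build_submission` helpers and the `job_hash=...` custom value are all constructed for the example.

```python
import email
import hashlib
import os
import re
from email import policy

# Constructed sample mail (not from the issue). The attachment's filename is
# nothing but header text chosen by the sender, here a path-traversal attempt
# with a double extension.
RAW_MAIL = b"""From: sender@example.invalid
To: recipient@example.invalid
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="../../tmp/invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Only a short alphanumeric extension is allowed to influence the on-disk name
# (Cuckoo picks its analysis package from the extension).
SAFE_EXT = re.compile(r"^[A-Za-z0-9]{1,10}$")


def extract_attachments(raw):
    """Return (declared_filename, content_bytes) for every attachment in a raw mail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(part.get_filename(), part.get_payload(decode=True))
            for part in msg.iter_attachments()]


def sanitize_declared(name, fallback="sample"):
    """Reduce an untrusted declared filename to one printable path component.

    The result is used only for display (the multipart filename field sent to
    Cuckoo), never as a path on the local filesystem."""
    if not name:
        return fallback
    name = re.split(r"[\\/]", name)[-1]            # drop any directory part
    name = "".join(ch for ch in name if ch.isprintable())  # drop control chars
    name = name.strip(" .")                        # no "." / ".." / trailing dots
    return name[:255] or fallback


def storage_name(content, declared):
    """On-disk name in the style Jack28 describes: SHA256 of the content plus a
    validated extension taken from the declared name, or the bare hash."""
    digest = hashlib.sha256(content).hexdigest()
    ext = os.path.splitext(sanitize_declared(declared))[1].lstrip(".")
    return f"{digest}.{ext.lower()}" if SAFE_EXT.match(ext) else digest


def build_submission(content, declared, job_hash):
    """Build the arguments for a Cuckoo /tasks/create/file POST.

    The sample is sent from memory; its sanitized declared name only goes into
    the multipart filename tuple (what the Cuckoo web UI shows), and the mail
    correlation value travels in the 'custom' field. The 'job_hash=' layout of
    that field is an assumption made for this example."""
    files = {"file": (sanitize_declared(declared), content)}
    data = {"custom": f"job_hash={job_hash}"}
    return files, data


if __name__ == "__main__":
    for declared, content in extract_attachments(RAW_MAIL):
        print("declared  :", declared)
        print("on disk   :", storage_name(content, declared))
        files, data = build_submission(content, declared, "deadbeef")
        print("sent as   :", files["file"][0], data)
        # requests.post(f"{cuckoo_url}/tasks/create/file", files=files, data=data)
```

Running it shows the attacker's `../../tmp/invoice.pdf.exe` reduced to `invoice.pdf.exe` for display, while the file would be stored locally under its SHA256 with `.exe` appended; nothing derived from the header ever becomes a directory component.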

@michaelweiser michaelweiser self-assigned this May 7, 2019
@michaelweiser michaelweiser added this to the 2.0 milestone May 7, 2019
michaelweiser added a commit to michaelweiser/PeekabooAV that referenced this issue May 7, 2019
When using the REST API, submit the sample with its original filename if
available via the new name_declared (meta info) property.

Closes scVENUS#81 and scVENUS#82 when using api mode. No plans to add this to embed
mode as well since it's deprecated anyway.
michaelweiser added a commit to michaelweiser/PeekabooAV that referenced this issue May 8, 2019
When using the REST API, submit the sample with its original filename if
available via the new name_declared (meta info) property.

Closes scVENUS#81 and scVENUS#82 when using api mode. No plans to add this to embed
mode as well since it's deprecated anyway.

4 participants