Open nrrpinto opened 2 years ago
I'm facing the same issue for some files, for an unknown reason, where analyzers are processing a different file hash than the original one. Did you get any idea or solution for that?
I'm having the exact same issue. Any news on how to solve it or from where it comes?
Request Type
Bug
Work Environment
Problem Description
I was developing an analyzer for CAPEv2, and I was getting two different hashes from the same file, between direct execution of the analyzer and the upload/execution through the Cortex or TheHive GUIs. After some digging I realized that when I use the Cortex GUI or go through TheHive, the file uploads just 256000 bytes, and not the total 834560 bytes. I found this by tracking the temporary files created in the /tmp folder. Here is a screenshot:
No matter which analyzer I select, the result is that that file uploads just those 250KB.
I tried other files bigger than 250KB, and I did not observe the same issue. I even tried the same file zipped, and everything worked fine. That file has some characteristic that results in an incorrect upload.
I've attached the file avaddon.exe.zip with the password: infected. The extension was changed to avoid unintentional execution, but please be careful with the file, it is ransomware.
I would like to understand why this file does not upload correctly to predict other files in the future and avoid wrong analysis.
Steps to Reproduce
Complementary information
Thanks
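An added example, not part of the original issue and not Cortex or TheHive code: a Python check that compares the copy an analyzer actually received (for instance a temporary file under /tmp) with the submitted original, and separates truncation (an exact prefix, like the 256000 of 834560 bytes reported above) from other corruption. The helper names `sha256_file`, `compare_upload` and `demo`, the file names, and the sample bytes are all constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024

def sha256_file(path, limit=None):
    """SHA-256 of a file, or of only its first `limit` bytes."""
    h = hashlib.sha256()
    remaining = limit
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            block = f.read(CHUNK if remaining is None else min(CHUNK, remaining))
            if not block:
                break
            h.update(block)
            if remaining is not None:
                remaining -= len(block)
    return h.hexdigest()

def compare_upload(original, received):
    """Classify how the received copy relates to the submitted original."""
    o_size, r_size = os.path.getsize(original), os.path.getsize(received)
    o_hash, r_hash = sha256_file(original), sha256_file(received)
    if o_hash == r_hash:
        verdict = "identical"
    elif r_size < o_size and sha256_file(original, r_size) == r_hash:
        verdict = "truncated"  # received copy is an exact prefix of the original
    else:
        verdict = "different"  # content changed, not merely cut short
    return {"verdict": verdict,
            "original_size": o_size, "received_size": r_size,
            "original_sha256": o_hash, "received_sha256": r_hash}

def demo(cut=256000):
    """Constructed data using the sizes from the issue: 834560 bytes, cut to `cut`."""
    data = os.urandom(834560)
    with tempfile.TemporaryDirectory() as d:
        orig = os.path.join(d, "submitted.bin")   # hypothetical file names
        recv = os.path.join(d, "received.bin")
        with open(orig, "wb") as f:
            f.write(data)
        with open(recv, "wb") as f:
            f.write(data[:cut])
        return compare_upload(orig, recv)

if __name__ == "__main__":
    print(demo())
```

Logging the size and SHA-256 of the input at the start of an analyzer run gives the same comparison against the hash recorded at submission time.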