cert-ee / cuckoo3

Cuckoo3 is a Python 3 open source automated malware analysis system.
https://cuckoo-hatch.cert.ee
European Union Public License 1.2

System hangs during post analysis #33

Closed Rayal closed 1 year ago

Rayal commented 1 year ago

Used the guide at https://reversingfun.com/posts/cuckoo-3-installation-guide/

When submitting an exe for analysis, the system spins up as many VMs as configured and runs the exe for the allotted time. Screenshots are made as expected and the pcap files are all uploaded to the analyses folder in cuckoocwd.

But post analysis just stops. The webpage shows "Task(s) pending" forever and the logs don't show why it doesn't do anything.

Below is the output of cuckoo --verbose.

2023-04-21 13:10:13 DEBUG [cuckoo.node.resultserver]: Screenshot upload ended. newfile=26924.jpg size=48.3KiB task_id=20230421-DIZ1RT_1
2023-04-21 13:10:25 DEBUG [cuckoo.node.taskrunner]: Task run timeout reached. timeout=30 task_id=20230421-DIZ1RT_1
2023-04-21 13:10:25 DEBUG [cuckoo.node.taskrunner]: Requesting machine stop. machine=win10vm_4 task_id=20230421-DIZ1RT_1
2023-04-21 13:10:25 DEBUG [cuckoo.node.machinery]: Machine action request. machine=win10vm_4 action=<function stop at 0x7f2139b62dc0>
2023-04-21 13:10:25 DEBUG [cuckoo.node.machinery]: Starting work. machine=win10vm_4 action=<function stop at 0x7f2139b62dc0>
2023-04-21 13:10:26 DEBUG [cuckoo.common.netcapture]: Stopping tcpdump process. pid=2891
2023-04-21 13:10:26 DEBUG [cuckoo.common.netcapture]: Reading tcpdump process stderr. Process has not exited yet. Waiting for it to exit. pid=2891 timeout=60
2023-04-21 13:10:26 DEBUG [cuckoo.node.machinery]: Updating machine state. machine=win10vm_4 newstate=poweroff
2023-04-21 13:10:27 DEBUG [cuckoo.node.taskrunner]: Asking resultserver to unmap IP-task. ip=192.168.30.23 task_id=20230421-DIZ1RT_1
2023-04-21 13:10:27 DEBUG [cuckoo.node.taskrunner]: Sending task done state to state controller. task_id=20230421-DIZ1RT_1
2023-04-21 13:10:27 INFO  [cuckoo.node.taskrunner]: Task completed. task_id=20230421-DIZ1RT_1
2023-04-21 13:10:27 DEBUG [cuckoo.node.resultserver]: File upload ended. newfile='logs/threemon.pb' size=72.4KiB task_id=20230421-DIZ1RT_1
2023-04-21 13:10:27 DEBUG [cuckoo.control]: Queueing task for post analysis processing. task_id=20230421-DIZ1RT_1
2023-04-21 13:10:27 DEBUG [cuckoo.scheduler]: No new tasks(s)
2023-04-21 13:11:27 DEBUG [cuckoo.scheduler]: No new tasks(s)
2023-04-21 13:12:27 DEBUG [cuckoo.scheduler]: No new tasks(s)
2023-04-21 13:13:27 DEBUG [cuckoo.scheduler]: No new tasks(s)
2023-04-21 13:14:27 DEBUG [cuckoo.scheduler]: No new tasks(s)
2023-04-21 13:15:27 DEBUG [cuckoo.scheduler]: No new tasks(s)
2023-04-21 13:16:27 DEBUG [cuckoo.scheduler]: No new tasks(s)
2023-04-21 13:17:27 DEBUG [cuckoo.scheduler]: No new tasks(s)
2023-04-21 13:18:27 DEBUG [cuckoo.scheduler]: No new tasks(s)
2023-04-21 13:19:27 DEBUG [cuckoo.scheduler]: No new tasks(s)
2023-04-21 13:20:27 DEBUG [cuckoo.scheduler]: No new tasks(s)
2023-04-21 13:21:27 DEBUG [cuckoo.scheduler]: No new tasks(s)
2023-04-21 13:22:27 DEBUG [cuckoo.scheduler]: No new tasks(s)

Rayal commented 1 year ago

It took a week of debugging and messing around with the codebase. Here's what I learned:

First, Python version 3.8 IS A MUST! I got it to work on 3.8.10. Second, if using vmcloak, as suggested in this tutorial (https://reversingfun.com/posts/cuckoo-3-installation-guide/), then you will have to force vmcloak to use a newer version of pefile. I set it to pefile<2023.0.0. This is in the vmcloak/setup.py file.

Finally, and most important, DO NOT use the new hyperscan. Hyperscan 0.4.0 and 0.3.2 both DO NOT WORK. Using these versions the postprocessing worker fails, because of a socket communication issue I did not have the patience to debug. I used hyperscan 0.1.5 and it all worked perfectly. This can be set in processing/setup.py to hyperscan==0.1.5.

To the maintainers of this repository: please put together a better oversight system, to ensure that the dependency upgrades that you have been doing the past year actually work and do not break anything, as is the case with hyperscan.
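
The comment above amounts to three version pins (CPython 3.8, pefile<2023.0.0, hyperscan==0.1.5) that are only discovered after the post-processing worker silently stalls. The script below is an added pre-flight check, not code from the issue or from the cuckoo3 project: it reads the installed versions through importlib.metadata and compares them against those pins. The PINS table, the small version parser and the function names are this example's own; run it from inside the cuckoo3 virtualenv.

```python
"""Pre-flight check of a Cuckoo3 environment against the version pins
reported in cert-ee/cuckoo3 issue #33: CPython 3.8, hyperscan==0.1.5,
pefile<2023.0.0. Example code; the pin table and parser are ours, not
cuckoo3's own dependency handling."""
import sys
from importlib import metadata
from typing import Dict, List, Optional, Tuple

# Constraints copied from the comment above (assumed, not read from cuckoo3's
# setup files). Each entry: (distribution name, operator, version).
PINS = [
    ("hyperscan", "==", "0.1.5"),
    ("pefile", "<", "2023.0.0"),
]
WANTED_PYTHON = (3, 8)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2023.0.0' or '0.1.5' into a tuple of ints for comparison.
    Only the leading digits of each dotted segment are used, so a
    pre-release suffix such as 'rc1' is ignored rather than rejected."""
    parts = []
    for seg in text.split("."):
        digits = ""
        for ch in seg:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    # Right-pad with zeros so that 0.1.5 and 0.1.5.0 compare equal.
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def satisfies(installed: str, op: str, wanted: str) -> bool:
    """True if `installed` meets the constraint `op wanted`."""
    a, b = _pad(parse_version(installed), parse_version(wanted))
    ops = {
        "==": a == b,
        "<": a < b,
        "<=": a <= b,
        ">": a > b,
        ">=": a >= b,
    }
    if op not in ops:
        raise ValueError(f"unsupported operator {op!r}")
    return ops[op]


def check(python_version: Tuple[int, int],
          installed: Dict[str, Optional[str]]) -> List[str]:
    """Return human-readable problems; an empty list means every pin holds.
    `installed` maps distribution name -> version string, or None if absent."""
    problems = []
    if tuple(python_version[:2]) != WANTED_PYTHON:
        problems.append(
            f"python {python_version[0]}.{python_version[1]} found, "
            f"{WANTED_PYTHON[0]}.{WANTED_PYTHON[1]} required")
    for name, op, wanted in PINS:
        have = installed.get(name)
        if have is None:
            problems.append(f"{name} not installed, expected {op}{wanted}")
        elif not satisfies(have, op, wanted):
            problems.append(f"{name} {have} installed, expected {op}{wanted}")
    return problems


def installed_versions(names) -> Dict[str, Optional[str]]:
    """Look up installed distribution versions in the current interpreter."""
    out = {}
    for name in names:
        try:
            out[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            out[name] = None
    return out


if __name__ == "__main__":
    found = installed_versions([pin[0] for pin in PINS])
    issues = check(sys.version_info[:2], found)
    for line in issues:
        print("FAIL:", line)
    if not issues:
        print("OK: environment matches the pins reported in issue #33")
    sys.exit(1 if issues else 0)
```

Running this before the first submission turns the "Task(s) pending forever" symptom into an explicit failure line per mismatched pin; the check deliberately covers only what the thread reports, so extend PINS if you pin further packages in processing/setup.py.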

OzzyKampha commented 1 year ago

It worked for me as well 👍