cuckoosandbox / community

Repository of modules and signatures contributed by the community

Cuckoo: No activity being reported for Behavioral analysis on Ubuntu host and CentOS 7 guest #407

Open assadabbas opened 6 years ago

assadabbas commented 6 years ago

Hi,

I want to execute ELFs on CentOS 7 and analyze the samples using Cuckoo Sandbox. I have installed Cuckoo 2.0.5 on an Ubuntu host with CentOS 7 as the guest. I followed all the instructions at https://github.com/cuckoosandbox/cuckoo/blob/master/docs/book/installation/guest/linux.rst . When I submit an ELF sample it gets executed on the client, but no activity is reported for dynamic analysis. The sample creates some files and then executes them. None of this activity is reported in the Behavioral analysis or dropped files sections. No error/warning appears in the logs. I installed all of the SystemTap dependencies for CentOS using yum. Any help would be appreciated.

doomedraven commented 6 years ago

logs?

assadabbas commented 6 years ago

Analyzer logs or Cuckoo logs? BTW, I have checked in /tmp/some_dir that all the directories like logs, files, drops, memory are empty. That possibly means stap is unable to monitor the system events.


doomedraven commented 6 years ago

all logs, it is in $CWD/storage/analyses/id/

assadabbas commented 6 years ago

Hi,

I have attached all the logs.


doomedraven commented 6 years ago

False

assadabbas commented 6 years ago

I cannot understand "False".


doomedraven commented 6 years ago

you didn't attach the log

assadabbas commented 6 years ago

Can't you find logs.zip?


doomedraven commented 6 years ago

Where do you see them?

assadabbas commented 6 years ago

I am attaching the logs.zip file again.


doomedraven commented 6 years ago

False, go to the thread and upload them manually, and please do that next time to save us time if you want to get help asap.

asadzaigum commented 6 years ago

I don't know why you are not able to find the logs attached to the email thread. Anyway, I am attaching the logs here now. logs.zip

doomedraven commented 6 years ago

The email you sent wasn't sent to me, it was sent to GitHub, and it cut the attachment off. stap.log contains behaviour, and there are no errors in the logs, so no idea. Which is your Cuckoo version?

assadabbas commented 6 years ago

2.0.5


doomedraven commented 6 years ago

latest is Cuckoo (2.0.5.3) - Automated Malware Analysis System

assadabbas commented 6 years ago

The issue is not with the Cuckoo version but with stap. I have manually executed the stap command to launch and monitor the sample, and no event is reported by stap while the sample is launched successfully.

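The symptom above (the sample runs, but stap reports nothing and the analyzer's log directories stay empty) is most often a guest-side SystemTap problem rather than a Cuckoo one. The following self-check is an added example, not Cuckoo's own code and not something posted in this thread. It follows the guest setup in docs/book/installation/guest/linux.rst and assumes its paths: kernel-devel under /lib/modules/$(uname -r)/build, kernel-debuginfo under /usr/lib/debug, the compiled probe module kept at /root/.cuckoo/stap_.ko (assumed location), and a strace-style stap.log line shape "<timestamp> <comm>@<addr> [<pid>] <syscall>(<args>) = <ret>" (an assumption; compare against a stap.log from a working guest). The throwaway `syscall.execve` probe is independent of Cuckoo's strace.stp: if it sees nothing, Cuckoo's stap.log will be empty too.

```shell
#!/bin/sh
# Added diagnostic for an empty stap.log on a Cuckoo Linux guest. Not Cuckoo
# code. Assumed paths: kernel-devel in /lib/modules/$(uname -r)/build,
# kernel-debuginfo in /usr/lib/debug, probe module at /root/.cuckoo/stap_.ko.
# Run on the CentOS 7 guest as root:  sh stap_selfcheck.sh run [path/to/stap.log]

# 1. Does the toolchain match the kernel that is actually running?
# SystemTap compiles probes against the running kernel; kernel-devel or
# kernel-debuginfo for a different version builds nothing useful.
stap_prereqs_ok() {
    kver=$(uname -r)
    command -v stap >/dev/null 2>&1 || { echo "stap not installed" >&2; return 1; }
    command -v staprun >/dev/null 2>&1 || { echo "staprun not installed" >&2; return 1; }
    if [ ! -d "/lib/modules/$kver/build" ]; then
        echo "no kernel-devel tree for running kernel $kver" >&2
        return 1
    fi
    if [ ! -e "/usr/lib/debug/lib/modules/$kver/vmlinux" ]; then
        echo "warning: no kernel-debuginfo for $kver; syscall tapsets may not resolve" >&2
    fi
    return 0
}

# 2. Does SystemTap see anything at all? A throwaway probe, independent of
# Cuckoo's strace.stp, prints the execve of the command stap launches.
# target() is the pid of the -c child, so only that process is reported.
stap_sees_execve() {
    cmd=${1:-/bin/true}
    stap -e 'probe syscall.execve { if (pid() == target()) printf("execve %s\n", filename) }' \
        -c "$cmd" 2>&1 | grep -q "^execve $cmd"
}

# 3. Did Cuckoo's own run record anything? One line per traced call is
# expected in stap.log. Assumed line shape (not taken from Cuckoo's parser):
#   "<timestamp> <comm>@<addr> [<pid>] <syscall>(<args>) = <ret>"
# A missing or empty file counts as 0, which is the symptom in this thread.
count_stap_events() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cE '\[[0-9]+\] [a-z_0-9]+\(.*\) = ' "$1" || true
}

# 4. Is the compiled probe module where the analyzer is assumed to look?
stap_module_present() {
    [ -f "${STAP_MODULE:-/root/.cuckoo/stap_.ko}" ]
}

stap_selfcheck() {
    log=${1:-}
    stap_prereqs_ok || return 1
    if stap_sees_execve /bin/true; then
        echo "ok: SystemTap traced execve of /bin/true"
    else
        echo "fail: stap ran but no execve was reported; probes are not firing" >&2
        return 2
    fi
    stap_module_present || echo "warning: stap_.ko not found at ${STAP_MODULE:-/root/.cuckoo/stap_.ko}" >&2
    if [ -n "$log" ]; then
        n=$(count_stap_events "$log")
        echo "stap.log at $log holds $n syscall lines"
        [ "$n" -gt 0 ] || return 3
    fi
    return 0
}

# Only run when invoked with "run", so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then
    stap_selfcheck "${2:-}"
fi
```

Read the exit code: 1 means the kernel-devel/debuginfo versions do not match `uname -r` (reinstall them for the running kernel or reboot into the kernel they were built for); 2 means stap compiled and ran but observed no syscalls, so the problem is in SystemTap itself and no Cuckoo setting will fix it; 3 means SystemTap works but the run being inspected still produced an empty stap.log, which points at the analyzer's invocation of the module rather than at the guest toolchain.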

doomedraven commented 6 years ago

If you look at the logs which you sent me, your stap.log has content.

doomedraven commented 6 years ago

you always can use https://linux.huntingmalware.com/ with all supported arches

assadabbas commented 6 years ago

Thanks for sharing the link. Can you explain which OSes are supported in your setup? I would like to submit an ELF to a CentOS 7 guest. Is that supported in your setup?


doomedraven commented 6 years ago

Nah, only Ubuntu. Maybe one day I will extend the list, but right now it works just fine with Ubuntu for all arches. Why do you need CentOS specifically?