cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

issue with android analysis #1054

Open p2rate opened 8 years ago

p2rate commented 8 years ago

Hi, I am trying to set up Cuckoo for Android malware analysis, but it seems like I don't get how it works. I have downloaded the Android SDK, made an AVD, rooted the AVD, ran create_guest_avd.sh (located in utils/android_emulator_creator in the cuckoo-droid archive), and to sum it up my guest emulator is ready to go. What should I do next from here? I reckoned that I should use the cuckoo.py in the Cuckoo Sandbox main distribution (https://github.com/cuckoosandbox/cuckoo). I properly set the conf files for Cuckoo and ran cuckoo.py, but when I use submit.py to start an analysis, cuckoo.py reports that the AVD I created to be used as the guest does not exist, and it actually removes the AVD I created.

here is the output:

2016-08-21 17:58:45,714 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE "HandHeldTracker.apk" (task #12, options "")
2016-08-21 17:58:46,291 [lib.cuckoo.core.scheduler] INFO: File already exists at "/home/ashk/Downloads/cuckoo/storage/binaries/8e4912f052f3fd52d06bb980273f0f49a8d48ee7f6d27e5512795145ef7c35e1"
2016-08-21 17:58:46,414 [lib.cuckoo.core.scheduler] INFO: Task #12: acquired machine koad (label=koad)
2016-08-21 17:58:48,220 [modules.machinery.avd] INFO: Stopping AVD listening on port 5554
2016-08-21 17:58:49,464 [lib.cuckoo.core.scheduler] ERROR: Failure in AnalysisManager.run
Traceback (most recent call last):
  File "/home/ashk/Downloads/cuckoo/lib/cuckoo/core/scheduler.py", line 447, in run
    self.launch_analysis()
  File "/home/ashk/Downloads/cuckoo/lib/cuckoo/core/scheduler.py", line 325, in launch_analysis
    machinery.start(self.machine.label, self.task)
  File "/home/ashk/Downloads/cuckoo/modules/machinery/avd.py", line 75, in start
    self.duplicate_reference_machine(label)
  File "/home/ashk/Downloads/cuckoo/modules/machinery/avd.py", line 117, in duplicate_reference_machine
    shutil.copyfile(avd_config_file, new_config_file)
  File "/usr/lib/python2.7/shutil.py", line 82, in copyfile
    with open(src, 'rb') as fsrc:
IOError: [Errno 2] No such file or directory: '/root/.android/avd/koad.ini'

By the way: I am using Google APIs (armeabi-v7a) for my AVD, not pure armeabi-v7a.

p2rate commented 8 years ago

Hey guys, I'm still coping with this problem. I have rooted the AVD, but whenever I close the AVD and run it again, applications cannot get root access. And this happens in spite of everything being in its place (the su binary is not deleted and has the same permissions as before). I read somewhere that something like this might happen and that I should push the binary file to the AVD and set the permissions again. That seems to work, but obviously Cuckoo does not do this.

Could it be the problem? Is there an option to make Cuckoo run the AVD from a snapshot?

SOMEONE PLEASE HELP ME!

kevross33 commented 8 years ago

Try running this version. It has instructions for integrating it with Cuckoo 2.0 or running it standalone, and it is the latest version (recently updated and released last month). Also, there are instructions and documentation here, and this is what the Android component of Cuckoo 2.0 is: cuckoo-droid.

https://github.com/idanr1986/cuckoo-droid

kevross33 commented 8 years ago

Also, I believe that using those documents you should be able to better understand how this setup works with the current cuckoo-droid in Cuckoo 2.0.

kevross33 commented 8 years ago

http://cuckoo-droid.readthedocs.io/en/latest/

p2rate commented 8 years ago

I found the problem:

In the avd.conf config file you should not give reference_machine and machines the same name. At the time of execution, Cuckoo will make a copy of reference_machine and name it whatever name you gave to machines. But every time you run an analysis it first looks for the copied AVD and removes it. If you give reference_machine and machines the same name, Cuckoo will mistakenly remove the reference_machine.

Add the following code to modules/machinery/avd.py at line 105:

# Refuse to start when the reference AVD and the analysis AVD share a name,
# since the stale-copy cleanup would otherwise delete the reference AVD.
if str(reference_machine) == str(label):
    raise CuckooCriticalError("reference_machine and machines name cannot be the same, check avd.conf")
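An added example (not Cuckoo's or cuckoo-droid's own code) that makes the failure mode above reproducible: a config check that flags any machine label equal to reference_machine, and a simplified stand-in for the copy step with the same guard in front of it. The [avd] section name and the .ini layout are assumptions; the two keys, the "koad" label and the copy-then-delete behaviour come from the thread.

```python
import configparser
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed avd.conf reproducing the thread's misconfiguration; the [avd]
# section name is assumed, the two keys are the ones named in the thread.
BAD_AVD_CONF = """
[avd]
machines = koad
reference_machine = koad
"""


def check_avd_conf(conf_text: str) -> List[str]:
    """Return machine labels equal to reference_machine (empty list = safe)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    reference = cfg.get("avd", "reference_machine").strip()
    machines = [m.strip() for m in cfg.get("avd", "machines").split(",")]
    return [m for m in machines if m and m == reference]


def duplicate_reference_machine(avd_path: Path, reference: str, label: str) -> Path:
    """Simplified stand-in for the copy step: drop the stale copy named `label`,
    then copy `<reference>.ini` to `<label>.ini`. With a shared name the delete
    would remove the reference itself and the read would fail with the
    'No such file' IOError from the traceback, so the guard runs first."""
    if reference == label:
        raise ValueError("reference_machine and machines name cannot be the same, check avd.conf")
    src, dst = avd_path / (reference + ".ini"), avd_path / (label + ".ini")
    if dst.exists():
        dst.unlink()  # stale copy left by the previous analysis
    dst.write_bytes(src.read_bytes())
    return dst


def run_demo() -> Dict[str, bool]:
    """Run two safe analyses, then one with a shared name, in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        avd = Path(d)
        (avd / "koad_ref.ini").write_text("path=/tmp/koad_ref.avd\n")  # constructed
        duplicate_reference_machine(avd, "koad_ref", "koad")
        duplicate_reference_machine(avd, "koad_ref", "koad")  # replaces the stale copy
        try:
            duplicate_reference_machine(avd, "koad", "koad")
            guarded = False
        except ValueError:
            guarded = True
        return {"copy_exists": (avd / "koad.ini").exists(),
                "reference_intact": (avd / "koad_ref.ini").exists(),
                "guarded": guarded}
```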

doomedraven commented 7 years ago

@jbremer @p2rate sound as solved no?

jbremer commented 7 years ago

Should probably include the patch provided by @p2rate, so I'll keep this open until I find the time to do so (which might be a little while).