cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Android Agent problem #1228

Open alizohrevand opened 7 years ago

alizohrevand commented 7 years ago

Hi, I submitted my APK to Cuckoo, but the Android emulator is killed immediately; there are two errors:

  1. Network interface not defined, network capture aborted
  2. We were unable to detect either the Old or New Agent in the Guest VM, are you sure you have set it up correctly? Please go through the documentation once more and otherwise inform the Cuckoo Developers of your issue.

The cuckoo log is:

```
2016-12-31 04:00:44,936 [lib.cuckoo.core.scheduler] INFO: Task #2: acquired machine android4.1.2 (label=android4.1.2)
2016-12-31 04:00:44,939 [modules.auxiliary.sniffer] ERROR: Network interface not defined, network capture aborted
2016-12-31 04:01:35,656 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=android4.1.2, ip=127.0.0.1)
2016-12-31 04:01:35,766 [lib.cuckoo.core.guest] CRITICAL: We were unable to detect either the Old or New Agent in the Guest VM, are you sure you have set it up correctly? Please go through the documentation once more and otherwise inform the Cuckoo Developers of your issue.
2016-12-31 04:01:35,780 [modules.machinery.avd] INFO: Stopping AVD listening on port 5554
2016-12-31 04:01:36,918 [modules.processing.behavior] WARNING: Analysis results folder does not exist at path '/home/android-admin/cuckoo/storage/analyses/2/logs'.
2016-12-31 04:01:37,101 [lib.cuckoo.common.objects] WARNING: Unable to import yara (please compile from sources)
2016-12-31 04:01:38,929 [lib.cuckoo.core.scheduler] INFO: Task #2: reports generation completed (path=/home/android-admin/cuckoo/storage/analyses/2)
2016-12-31 04:01:38,948 [lib.cuckoo.core.scheduler] INFO: Task #2: analysis procedure completed
```

My avd.conf:

```
[avd]
# Specify whether we're running the Android emulator in headless mode (no GUI)
# or with GUI - for an interactive session.
mode = GUI

# Path to the local installation of the android emulator.
emulator_path = /home/android-admin/Android/Sdk/tools/emulator

# Path to the local installation of the adb (android debug bridge) utility.
adb_path = /home/android-admin/Android/Sdk/platform-tools/adb

# Path where the emulator files are located.
avd_path = /home/android-admin/.android/avd

# Name of the reference machine that is used to duplicate.
reference_machine = android4.1

# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine.
machines = android4.1.2

[android4.1.2]
label = android4.1.2

# Specify the operating system platform used by current machine.
platform = android

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail. It's always 127.0.0.1 because the android emulator
# runs on the loopback network interface.
ip = 127.0.0.1

# Specify the port for the emulator as your adb sees it.
emulator_port = 5554

# (Optional) Specify the IP of the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the IP address for the Result Server as your machine sees it. If you don't specify an
# address here, the machine will use the default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in cuckoo.conf.
# Example:
resultserver_ip = 10.0.2.2

# (Optional) Specify the port for the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the port for the Result Server as your machine sees it. If you don't specify a port
# here, the machine will use the default value from cuckoo.conf.
# Example:
resultserver_port = 2042
```

My cuckoo.conf is:

```
[avd]
# Specify whether we're running the Android emulator in headless mode (no GUI)
# or with GUI - for an interactive session.
mode = GUI

# Path to the local installation of the android emulator.
emulator_path = /home/android-admin/Android/Sdk/tools/emulator

# Path to the local installation of the adb (android debug bridge) utility.
adb_path = /home/android-admin/Android/Sdk/platform-tools/adb

# Path where the emulator files are located.
avd_path = /home/android-admin/.android/avd

# Name of the reference machine that is used to duplicate.
reference_machine = android4.1

# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine.
machines = android4.1.2

[android4.1.2]
label = android4.1.2

# Specify the operating system platform used by current machine.
platform = android

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail. It's always 127.0.0.1 because the android emulator
# runs on the loopback network interface.
ip = 127.0.0.1

# Specify the port for the emulator as your adb sees it.
emulator_port = 5554

# (Optional) Specify the IP of the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the IP address for the Result Server as your machine sees it. If you don't specify an
# address here, the machine will use the default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in cuckoo.conf.
# Example:
resultserver_ip = 10.0.2.2

# (Optional) Specify the port for the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the port for the Result Server as your machine sees it. If you don't specify a port
# here, the machine will use the default value from cuckoo.conf.
# Example:
resultserver_port = 2042
```
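The two failures above (the sniffer aborting and the guest agent never being detected) are easier to triage when the log is split back into entries and the machinery config is cross-checked against cuckoo.conf. The following is an added helper written for this thread, not code from the Cuckoo project: it splits a Cuckoo log whether it is pasted on one line or one entry per line, extracts the ERROR/CRITICAL entries, and checks avd.conf against cuckoo.conf for the rule avd.conf's own comments state (a result server bound to 0.0.0.0 requires every machine to set `resultserver_ip`). The sample log and config strings are constructed from the values posted in this issue; the check names and the minimal cuckoo.conf are assumptions of this example.

```python
"""Added triage helper (not part of Cuckoo): split a Cuckoo log into entries,
list the failures, and cross-check avd.conf against cuckoo.conf."""
import configparser
import re

# Entry shape as seen in the issue: "<timestamp> [<module>] <LEVEL>: <message>"
TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}"
ENTRY_RE = re.compile(rf"^(?P<ts>{TS}) \[(?P<module>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$", re.S)
SPLIT_RE = re.compile(rf"\s*(?={TS} \[)")  # cut just before each timestamp


def parse_log(text):
    """Return entry dicts; works for newline-separated or run-together logs."""
    entries = []
    for chunk in SPLIT_RE.split(text):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = ENTRY_RE.match(chunk)
        if m:
            entries.append(m.groupdict())
    return entries


def failures(entries, levels=("ERROR", "CRITICAL")):
    """Only the entries that explain why the task produced no results."""
    return [e for e in entries if e["level"] in levels]


def check_configs(avd_text, cuckoo_text):
    """Return human-readable findings; an empty list means the two files agree."""
    avd = configparser.ConfigParser(interpolation=None)
    avd.read_string(avd_text)
    cuckoo = configparser.ConfigParser(interpolation=None)
    cuckoo.read_string(cuckoo_text)
    findings = []
    if cuckoo.get("cuckoo", "machinery", fallback="") != "avd":
        findings.append("cuckoo.conf: machinery is not 'avd', so avd.conf is never used")
    rs_ip = cuckoo.get("resultserver", "ip", fallback="")
    rs_port = cuckoo.get("resultserver", "port", fallback="")
    machines = [m.strip() for m in avd.get("avd", "machines", fallback="").split(",") if m.strip()]
    if not machines:
        findings.append("avd.conf: no machines listed in [avd]")
    for name in machines:
        if not avd.has_section(name):
            findings.append(f"avd.conf: machine '{name}' listed but has no [{name}] section")
            continue
        sec = avd[name]
        # avd.conf's comment: the emulator is always reached on loopback.
        if sec.get("platform") == "android" and sec.get("ip") != "127.0.0.1":
            findings.append(f"avd.conf: [{name}] ip should be 127.0.0.1 for the emulator (got {sec.get('ip')})")
        # cuckoo.conf's NOTE: a 0.0.0.0 bind needs a per-machine resultserver_ip.
        if rs_ip == "0.0.0.0" and not sec.get("resultserver_ip"):
            findings.append(f"avd.conf: [{name}] must set resultserver_ip because cuckoo.conf binds the result server to 0.0.0.0")
        if sec.get("resultserver_port", rs_port) != rs_port:
            findings.append(f"avd.conf: [{name}] resultserver_port {sec['resultserver_port']} differs from cuckoo.conf port {rs_port}; only valid with NAT/PAT")
    return findings


# Constructed samples, taken from the values posted in the issue.
SAMPLE_LOG = (
    "2016-12-31 04:00:44,936 [lib.cuckoo.core.scheduler] INFO: Task #2: acquired machine android4.1.2 (label=android4.1.2) "
    "2016-12-31 04:00:44,939 [modules.auxiliary.sniffer] ERROR: Network interface not defined, network capture aborted "
    "2016-12-31 04:01:35,656 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=android4.1.2, ip=127.0.0.1) "
    "2016-12-31 04:01:35,766 [lib.cuckoo.core.guest] CRITICAL: We were unable to detect either the Old or New Agent in the Guest VM, are you sure you have set it up correctly? "
    "2016-12-31 04:01:35,780 [modules.machinery.avd] INFO: Stopping AVD listening on port 5554 "
    "2016-12-31 04:01:36,918 [modules.processing.behavior] WARNING: Analysis results folder does not exist at path '/home/android-admin/cuckoo/storage/analyses/2/logs'. "
    "2016-12-31 04:01:37,101 [lib.cuckoo.common.objects] WARNING: Unable to import yara (please compile from sources) "
    "2016-12-31 04:01:38,929 [lib.cuckoo.core.scheduler] INFO: Task #2: reports generation completed (path=/home/android-admin/cuckoo/storage/analyses/2) "
    "2016-12-31 04:01:38,948 [lib.cuckoo.core.scheduler] INFO: Task #2: analysis procedure completed"
)
SAMPLE_AVD_CONF = """[avd]
mode = GUI
emulator_path = /home/android-admin/Android/Sdk/tools/emulator
adb_path = /home/android-admin/Android/Sdk/platform-tools/adb
avd_path = /home/android-admin/.android/avd
reference_machine = android4.1
machines = android4.1.2

[android4.1.2]
label = android4.1.2
platform = android
ip = 127.0.0.1
emulator_port = 5554
resultserver_ip = 10.0.2.2
resultserver_port = 2042
"""
# Same file with resultserver_ip dropped: the mismatch the NOTE warns about.
SAMPLE_AVD_CONF_NO_RS = SAMPLE_AVD_CONF.replace("resultserver_ip = 10.0.2.2\n", "")
SAMPLE_CUCKOO_CONF = "[cuckoo]\nmachinery = avd\n\n[resultserver]\nip = 0.0.0.0\nport = 2042\n"

if __name__ == "__main__":
    for e in failures(parse_log(SAMPLE_LOG)):
        print(f"{e['ts']} {e['level']} {e['module']}: {e['msg']}")
    for f in check_configs(SAMPLE_AVD_CONF_NO_RS, SAMPLE_CUCKOO_CONF):
        print("finding:", f)
```

Run it as-is to see the two failure entries from the posted log and the single finding produced when `resultserver_ip` is missing; with the configuration exactly as posted, `check_configs` returns no findings, which is consistent with the thread's conclusion that the problem is the guest image rather than these two files.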
doomedraven commented 7 years ago

When posting code, please use the markdown code escape (```your code goes here```); that will render it as `your code`.

doomedraven commented 7 years ago

A bit better, let's see what is wrong.

The cuckoo log is:

```
2016-12-31 04:00:44,936 [lib.cuckoo.core.scheduler] INFO: Task #2: acquired machine android4.1.2 (label=android4.1.2)
2016-12-31 04:00:44,939 [modules.auxiliary.sniffer] ERROR: Network interface not defined, network capture aborted
2016-12-31 04:01:35,656 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=android4.1.2, ip=127.0.0.1)
2016-12-31 04:01:35,766 [lib.cuckoo.core.guest] CRITICAL: We were unable to detect either the Old or New Agent in the Guest VM, are you sure you have set it up correctly? Please go through the documentation once more and otherwise inform the Cuckoo Developers of your issue.
2016-12-31 04:01:35,780 [modules.machinery.avd] INFO: Stopping AVD listening on port 5554
2016-12-31 04:01:36,918 [modules.processing.behavior] WARNING: Analysis results folder does not exist at path '/home/android-admin/cuckoo/storage/analyses/2/logs'.
2016-12-31 04:01:37,101 [lib.cuckoo.common.objects] WARNING: Unable to import yara (please compile from sources)
2016-12-31 04:01:38,929 [lib.cuckoo.core.scheduler] INFO: Task #2: reports generation completed (path=/home/android-admin/cuckoo/storage/analyses/2)
2016-12-31 04:01:38,948 [lib.cuckoo.core.scheduler] INFO: Task #2: analysis procedure completed
```

My avd.conf is:

```
[avd]
# Specify whether we're running the Android emulator in headless mode (no GUI)
# or with GUI - for an interactive session.
mode = GUI

# Path to the local installation of the android emulator.
emulator_path = /home/android-admin/Android/Sdk/tools/emulator

# Path to the local installation of the adb (android debug bridge) utility.
adb_path = /home/android-admin/Android/Sdk/platform-tools/adb

# Path where the emulator files are located.
avd_path = /home/android-admin/.android/avd

# Name of the reference machine that is used to duplicate.
reference_machine = android4.1

# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine.
machines = android4.1.2

[android4.1.2]
label = android4.1.2

# Specify the operating system platform used by current machine.
platform = android

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail. It's always 127.0.0.1 because the android emulator
# runs on the loopback network interface.
ip = 127.0.0.1

# Specify the port for the emulator as your adb sees it.
emulator_port = 5554

# (Optional) Specify the IP of the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the IP address for the Result Server as your machine sees it. If you don't specify an
# address here, the machine will use the default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in cuckoo.conf.
# Example:
resultserver_ip = 10.0.2.2

# (Optional) Specify the port for the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the port for the Result Server as your machine sees it. If you don't specify a port
# here, the machine will use the default value from cuckoo.conf.
# Example:
resultserver_port = 2042
```

My cuckoo.conf is:

```
[cuckoo]
# Enable or disable startup version check. When enabled, Cuckoo will connect
# to a remote location to verify whether the running version is the latest
# one available.
version_check = on

# If turned on, Cuckoo will delete the original file after its analysis
# has been completed.
delete_original = off

# If turned on, Cuckoo will delete the copy of the original file in the
# local binaries repository after the analysis has finished. (On *nix this
# will also invalidate the file called "binary" in each analysis directory,
# as this is a symlink.)
delete_bin_copy = off

# Specify the name of the machinery module to use, this module will
# define the interaction between Cuckoo and your virtualization software
# of choice.
machinery = avd

# Enable creation of memory dump of the analysis machine before shutting
# down. Even if turned off, this functionality can also be enabled at
# submission. Currently available for: VirtualBox and libvirt modules (KVM).
memory_dump = off

# When the timeout of an analysis is hit, the VM is just killed by default.
# For some long-running setups it might be interesting to terminate the
# monitored processes before killing the VM so that connections are closed.
terminate_processes = off

# Enable automatically re-schedule of "broken" tasks each startup.
# Each task found in status "processing" is re-queued for analysis.
reschedule = off

# Enable processing of results within the main cuckoo process.
# This is the default behavior but can be switched off for setups that
# require high stability and process the results in a separate task.
process_results = on

# Limit the amount of analysis jobs a Cuckoo process goes through.
# This can be used together with a watchdog to mitigate risk of memory leaks.
max_analysis_count = 0

# Limit the number of concurrently executing analysis machines.
# This may be useful on systems with limited resources.
# Set to 0 to disable any limits.
max_machines_count = 0

# Limit the amount of VMs that are allowed to start in parallel. Generally
# speaking starting the VMs is one of the more CPU intensive parts of the
# actual analysis. This option tries to avoid maxing out the CPU completely.
max_vmstartup_count = 10

# Minimum amount of free space (in MB) available before starting a new task.
# This tries to avoid failing an analysis because the reports can't be written
# due out-of-diskspace errors. Setting this value to 0 disables the check.
# (Note: this feature is currently not supported under Windows.)
freespace = 64

# Temporary directory containing the files uploaded through Cuckoo interfaces
# (api.py and Django web interface).
tmppath = /tmp

# Path to the unix socket for running root commands.
rooter = /tmp/cuckoo-rooter

[routing]
# Default network routing mode; "none", "internet", or "vpn_name".
# In none mode we don't do any special routing - the VM doesn't have any
# network access (this has been the default actually for quite a while).
# In internet mode by default all the VMs will be routed through the network
# interface configured below (the "dirty line").
# And in VPN mode by default the VMs will be routed through the VPN identified
# by the given name of the VPN (as per vpn.conf).
# Note that just like enabling VPN configuration setting this option to
# anything other than "none" requires one to run utils/rooter.py as root next
# to the Cuckoo instance (as it's required for setting up the routing).
route = none

# Network interface that allows a VM to connect to the entire internet, the
# "dirty line" so to say. Note that, just like with the VPNs, this will allow
# malicious traffic through your network. So think twice before enabling it.
# (For example, to route all VMs through eth0 by default: "internet = eth0").
internet = none

# Routing table name/id for "dirty line" interface. If "dirty line" is
# also default gateway in the system you can leave "main" value. Otherwise add
# new routing table by adding " " line to /etc/iproute2/rt_tables
# (e.g., "200 eth0"). ID and name must be unique across the system (refer to
# /etc/iproute2/rt_tables for existing names and IDs).
rt_table = main

# To route traffic through multiple network interfaces Cuckoo uses
# Policy Routing with separate routing table for each output interface
# (VPN or "dirty line"). If this option is enabled Cuckoo on start will try
# to automatically initialise routing tables by copying routing entries from
# main routing table to the new routing tables. Depending on your network/vpn
# configuration this might not be sufficient. In such case you would need to
# initialise routing tables manually. Note that enabling this option won't
# affect main routing table.
auto_rt = yes

[resultserver]
# The Result Server is used to receive in real time the behavioral logs
# produced by the analyzer.
# Specify the IP address of the host. The analysis machines should be able
# to contact the host through such address, so make sure it's valid.
# NOTE: if you set resultserver IP to 0.0.0.0 you have to set the option
# resultserver_ip for all your virtual machines in machinery configuration.
ip = 0.0.0.0

# Specify a port number to bind the result server on.
port = 2042

# Force the port chosen above, don't try another one (we can select another
# port dynamically if we can not bind this one, but that is not an option
# in some setups)
force_port = no

# Maximum size of uploaded files from VM (screenshots, dropped files, log)
# The value is expressed in bytes, by default 10Mb.
upload_max_size = 10485760

[processing]
# Set the maximum size of analyses generated files to process. This is used
# to avoid the processing of big files which may take a lot of processing
# time. The value is expressed in bytes, by default 100Mb.
analysis_size_limit = 104857600

# Enable or disable DNS lookups.
resolve_dns = on

# Enable PCAP sorting, needed for the connection content view in the web interface.
sort_pcap = on

[database]
# Specify the database connection string.
# NOTE: If you are using a custom database (different from sqlite), you have to
# use utf-8 encoding when issuing the SQL database creation statement.
# Examples, see documentation for more:
# sqlite:///foo.db
# postgresql://foo:bar@localhost:5432/mydatabase
# mysql://foo:bar@localhost/mydatabase
# If empty, default is a SQLite in db/cuckoo.db.
connection =

# Database connection timeout in seconds.
# If empty, default is set to 60 seconds.
timeout =

[timeouts]
# Set the default analysis timeout expressed in seconds. This value will be
# used to define after how many seconds the analysis will terminate unless
# otherwise specified at submission.
default = 120

# Set the critical timeout expressed in (relative!) seconds. It will be added
# to the default timeout above and after this timeout is hit
# Cuckoo will consider the analysis failed and it will shutdown the machine
# no matter what. When this happens the analysis results will most likely
# be lost.
critical = 60

# Maximum time to wait for virtual machine status change. For example when
# shutting down a vm. Default is 60 seconds.
vm_state = 60
```

alizohrevand commented 7 years ago

Any help for my problem?

doomedraven commented 7 years ago

I just started on this, as I just finished creating the documentation for the Linux guest setup. To set up the Android analyzer, which documentation did you follow? Cuckoo-droid?

alizohrevand commented 7 years ago

No. The original doc, in here.

alizohrevand commented 7 years ago

Is there any new doc for the Android analyzer setup?

doomedraven commented 7 years ago

The existing one: http://cuckoo-droid.readthedocs.io/en/latest/installation/

alizohrevand commented 7 years ago

I did not understand! In the Cuckoo Sandbox official doc there is no link or reference to Cuckoo-droid. Can't Cuckoo Sandbox do Android analysis alone? If so, what is the use of avd.conf? Cuckoo-droid uses VirtualBox and an Ubuntu guest VM for running the Android emulator.

doomedraven commented 7 years ago

It's because you did not use the search on issues before posting: https://github.com/cuckoosandbox/cuckoo/issues/1054

alizohrevand commented 7 years ago

There is no new information in that issue for me, and I have read it before. I have read Cuckoo-droid. I do not want to use Cuckoo-droid. Cuckoo-droid uses VirtualBox and an Ubuntu guest VM for running the Android emulator; it requires good hardware and will be so slow.... Can't Cuckoo Sandbox support Android analysis alone? I set up Cuckoo Sandbox and my Android emulator is killed immediately; I have posted my log.

doomedraven commented 7 years ago

lol, that dislike. You have all the answers in that post: Cuckoo-droid was integrated into Cuckoo, but not the documentation part.

liranfar commented 7 years ago

@alizohrevand which Ubuntu version is installed on the guest machines? I solved this problem when I installed the guest on Ubuntu 12.04 as recommended in the documentation. (The emulator crashing problem was on Ubuntu 16.04.)

lovina37 commented 7 years ago

@liranfar

Can you once tell me how to get Cuckoo-droid working? Every time I get into a new problem. Which Ubuntu version, which setup did you use? Android on Linux or any other? And did you do any firewall settings? Also, about the host-only network, how did you get it set up?

liranfar commented 7 years ago

On host: Ubuntu 16.04. On guest: Ubuntu 12.04, Android on a Linux machine (using the emulator). I did not set up any firewall settings. For the host-only network I disabled DHCP on the guest; the default gateway is the vboxnet0 address (usually 192.168.56.1).