Analysis results folder does not contain any behavior log files.

[MattHalleran]

Hello, I am having issues getting log files from my analysis tasks. It doesn't seem to matter what type of file I use there is never any logged behaviour though I can see on my virtual machine that there is plenty of activity taking place.

Here is my cuckoo.log output:

2017-04-09 00:50:07,751 [lib.cuckoo.core.scheduler] INFO: Task #7: acquired machine win7 (label=win7) 2017-04-09 00:50:07,756 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 17666 (interface=vboxnet0, host=192.168.56.102, pcap=/home/matt/cuckoo/storage/analyses/7/dump.pcap) 2017-04-09 00:50:11,608 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7, ip=192.168.56.102) 2017-04-09 00:52:23,465 [lib.cuckoo.core.guest] INFO: win7: analysis completed successfully 2017-04-09 00:52:23,589 [lib.cuckoo.core.plugins] WARNING: Unable to stop auxiliary module: Potential error while running tcpdump, did not expect the following standard error output: 'dropped privs to root'. 2017-04-09 00:52:25,061 [modules.processing.behavior] WARNING: Analysis results folder does not contain any behavior log files. 2017-04-09 00:52:25,072 [lib.cuckoo.common.objects] WARNING: Unable to import yara (please compile from sources) 2017-04-09 00:52:26,039 [lib.cuckoo.core.scheduler] INFO: Task #7: reports generation completed (path=/home/matt/cuckoo/storage/analyses/7) 2017-04-09 00:52:26,109 [lib.cuckoo.core.scheduler] INFO: Task #7: analysis procedure completed

and here is my analysis log from the task:

2017-04-04 19:18:43,042 [analyzer] DEBUG: Starting analyzer from: C:\dqedemm 2017-04-04 19:18:43,042 [analyzer] DEBUG: Pipe server name: \.\PIPE\mdSHqbmrAyhYzaWVPLrHk 2017-04-04 19:18:43,042 [analyzer] DEBUG: Log pipe server name: \.\PIPE\BfhZHZOdLkEufzyhNkvZVml 2017-04-04 19:18:43,042 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically. 2017-04-04 19:18:43,042 [analyzer] INFO: Automatically selected analysis package "generic" 2017-04-04 19:18:43,667 [analyzer] DEBUG: Started auxiliary module Disguise 2017-04-04 19:18:47,434 [analyzer] WARNING: Cannot execute auxiliary module DumpTLSMasterSecrets: Error returned by is32bit: Command '['bin\is32bit.exe', '-n', 'lsass.exe']' returned non-zero exit status 1 2017-04-04 19:18:47,464 [analyzer] DEBUG: Started auxiliary module Human 2017-04-04 19:18:47,464 [analyzer] DEBUG: Started auxiliary module InstallCertificate 2017-04-04 19:18:47,464 [analyzer] DEBUG: Started auxiliary module Reboot 2017-04-04 19:18:47,542 [analyzer] DEBUG: Started auxiliary module RecentFiles 2017-04-04 19:18:47,542 [analyzer] DEBUG: Started auxiliary module Screenshots 2017-04-04 19:18:47,542 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled 2017-04-04 19:18:47,714 [lib.api.process] INFO: Successfully executed process from path 'C:\Windows\System32\cmd.exe' with arguments ['/c', 'start', '/wait', '"gfXSDQeTrHBCOVHh"', u'C:\Users\root\AppData\Local\Temp\Virus.DOS.3Y.853'] and pid 760 2017-04-04 19:18:48,605 [modules.auxiliary.human] INFO: Found button "OK", clicking it 2017-04-04 19:18:50,792 [modules.auxiliary.human] INFO: Found button "OK", clicking it 2017-04-04 19:18:52,855 [modules.auxiliary.human] INFO: Found button "OK", clicking it 2017-04-04 19:20:46,730 [analyzer] INFO: Analysis timeout hit, terminating analysis. 2017-04-04 19:20:46,730 [analyzer] INFO: Analysis completed.

If anyone could help me that would be very much appreciated, I need these log files to progress with my project unfortunately haha.

I am running a Windows7 Ultimate Edition 64-Bit VM on VirtualBox with a Ubuntu 16.04 host.

[jbremer]

Did you disable UAC & run the Agent as Administrator?

[MattHalleran]

Thanks for the reply, I will try that out I've also turned off my firewall services in Ubuntu as someone had a similar problem.

[SparkyNZL]

@jbremer I also get this from time to time. ill see if i can find a peice of malwarz which is causing this. and send over your way.

[jbremer]

Let me know @SparkyNZL!

[MattHalleran]

I have turned off UAC and am now running agent.py from a run as administrator command prompt and it runs more smoothly now i.e. the cmd.exe is run without issue and the malware in the logs actually tries to open adobe reader. However, the virtual machine and analysis stops as adobe reader is being loaded and I am still not receiving any log files.

Here is the analysis log from trying with the same malware after turning off UAC:

2017-04-09 22:30:37,000 [analyzer] DEBUG: Starting analyzer from: C:\eyzlfq 2017-04-09 22:30:37,015 [analyzer] DEBUG: Pipe server name: \.\PIPE\GptptuDcLKaXidNnPcvUAGlaJnV 2017-04-09 22:30:37,015 [analyzer] DEBUG: Log pipe server name: \.\PIPE\pVVVaCFQVrzvRVcVpHjZfIRzlLCvI 2017-04-09 22:30:37,015 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically. 2017-04-09 22:30:37,015 [analyzer] INFO: Automatically selected analysis package "generic" 2017-04-09 22:30:37,530 [analyzer] DEBUG: Started auxiliary module Disguise 2017-04-09 22:30:37,905 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets 2017-04-09 22:30:37,905 [analyzer] DEBUG: Started auxiliary module Human 2017-04-09 22:30:37,905 [analyzer] DEBUG: Started auxiliary module InstallCertificate 2017-04-09 22:30:37,905 [analyzer] DEBUG: Started auxiliary module Reboot 2017-04-09 22:30:37,953 [analyzer] DEBUG: Started auxiliary module RecentFiles 2017-04-09 22:30:37,953 [analyzer] DEBUG: Started auxiliary module Screenshots 2017-04-09 22:30:37,953 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled 2017-04-09 22:30:38,171 [lib.api.process] INFO: Successfully executed process from path 'C:\Windows\System32\cmd.exe' with arguments ['/c', 'start', '/wait', '"dNOSleyUYcPg"', u'C:\Users\root\AppData\Local\Temp\Virus.DOS.3Y.853'] and pid 3180 2017-04-09 22:30:40,256 [modules.auxiliary.human] INFO: Found button "&Select a program from a list of installed programs", clicking it 2017-04-09 22:30:41,375 [modules.auxiliary.human] INFO: Found button "OK", clicking it 2017-04-09 22:30:45,980 [modules.auxiliary.human] INFO: Found button "&Always use the selected program to open this kind of file", clicking it 2017-04-09 22:30:47,081 [modules.auxiliary.human] INFO: Found button "OK", clicking it 2017-04-09 22:30:49,125 [analyzer] INFO: Process with pid 3180 has terminated 2017-04-09 22:30:49,125 [analyzer] INFO: Process list is empty, terminating analysis. 2017-04-09 22:30:50,286 [analyzer] INFO: Analysis completed.

I've looked at tutorials and demos of the sandbox being used and something odd is happening to me as well as no matter what type of sample from any source I will always see random Microsoft office documents being dumped on the desktop of my Virtual Machine. Again I would really appreciate any suggestions and thank you in advance.

[doomedraven]

quick question, why do you use generic package?

[doomedraven]

if that pdf try to specify pdf package when upload, to see if behavior change

[MattHalleran]

I just left to to automatic I think, I'll try changing that. Thanks.

[MattHalleran]

I have now tried running some Virus.Win executables with the package exe and the free option set to no. I am still getting them same issue with the behaviour logs unfortunately.

Just to check as well is this the correct syntax for changing the package options? sudo python submit.py --package exe --options free=no /path/to/file

Thanks again.

[jbremer]

Based on the strings I'd say you're running some installer, please check that all the screens are "clicked through". Hint: check the screenshots. There's no such thing as free=no, as-is you should remove that field altogether.

[MattHalleran]

Oh thanks for the heads up on the options. I don't currently have screenshots enabled as tesseract installation is giving me problems but I have made sure to click through any prompts the malware will give me and ran it again just to check. Unfortunately I am receiving nothing in my behavioural logs regardless of the type of malware. The only information I get out of the web application is UDP traffic, strings and what anti-virus signatures it picks up, no sign of behavioural and no static analysis either.

I'm not too sure what is going wrong, I can't be getting this unlucky since I've tried about 20 different samples some from different collections/sources. Since I'm getting UDP traffic and anti-virus results back I guess it isn't a problem with my results server configuration. Also again I haven't seen examples where certain microsoft office file types are being dumped during the analysis which is quite odd.

Sorry for being such a pain and thanks in advance for any advice.

[MattHalleran]

Hi guys I have moved to a Windows XP SP3 32-bit guest environment and am having much more success with the sandbox. I am getting slight errors when using exe packages but I am getting useful behaviour logs it seems and the analysis is completing. Thanks for all your help and I think I have resolved my issue.

One last thing I wanted to ask is the installation of YARA important if I am pretty much only interested in behavioural analysis logs? It was giving me trouble and wanted to know if it was worth fixing. Thanks again.

[doomedraven]

if you want behavior only and don't care about miss some signatures of yara then it is ok

[jbremer]

I'd like to improve logging / detection for this, so keeping the issue open for the time being.

[basant-kumar]

hi, I have the same problem as I also not getting any behavior analysis though it is showing very less score (less than 1) for very critical malware who has the score of around 9. I using Ubuntu 16.04 as host and Windows XP as a guest on VirtualBox. I have turn off firewall, updates etc. guest is able to ping host and vice-versa. here is the log

2017-11-26 17:56:39,863 [cuckoo.core.scheduler] INFO: Task #23: acquired machine windowsxp (label=windowsxp) 2017-11-26 17:56:39,879 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 4128 (interface=vboxnet0, host=192.168.56.10) 2017-11-26 17:56:39,880 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer 2017-11-26 17:56:40,051 [cuckoo.machinery.virtualbox] DEBUG: Starting vm windowsxp 2017-11-26 17:56:40,237 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine windowsxp to snapshot1 2017-11-26 17:56:43,675 [cuckoo.core.guest] INFO: Starting analysis on guest (id=windowsxp, ip=192.168.56.10) 2017-11-26 17:56:44,700 [cuckoo.core.guest] DEBUG: windowsxp: not ready yet 2017-11-26 17:56:45,705 [cuckoo.core.guest] DEBUG: windowsxp: not ready yet 2017-11-26 17:56:46,714 [cuckoo.core.guest] DEBUG: windowsxp: not ready yet 2017-11-26 17:56:47,722 [cuckoo.core.guest] DEBUG: windowsxp: not ready yet 2017-11-26 17:56:48,727 [cuckoo.core.guest] DEBUG: windowsxp: not ready yet 2017-11-26 17:56:48,743 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.7 (id=windowsxp, ip=192.168.56.10) 2017-11-26 17:56:48,953 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=windowsxp, ip=192.168.56.10, monitor=latest, size=3842483) 2017-11-26 17:56:51,178 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:56:51,266 [cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized. 2017-11-26 17:56:52,188 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:56:53,200 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:56:54,209 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:56:55,218 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:56:56,227 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:56:57,234 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:56:58,243 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:56:59,251 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:00,259 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:01,266 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:02,278 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:03,286 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:04,299 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:05,309 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:06,317 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:07,329 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:08,341 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:09,349 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:10,362 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:11,370 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:12,381 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:13,389 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:14,399 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:15,411 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:16,421 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:17,430 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:18,441 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:19,457 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:20,471 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:21,479 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:22,486 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:23,496 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:24,507 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:25,515 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:26,522 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:27,529 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:28,539 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:29,546 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:30,554 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:31,565 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:32,573 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:33,583 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:34,596 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:35,606 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:36,615 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:37,627 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:38,636 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:39,651 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:40,660 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:41,667 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:42,674 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:43,682 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:44,689 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:45,698 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:46,707 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:47,719 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:48,727 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:49,735 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:50,743 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:51,749 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:52,759 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:53,766 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:54,776 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:55,787 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:56,794 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:57,802 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:58,816 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:57:59,828 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:00,843 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:01,852 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:02,860 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:03,870 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:04,880 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:05,890 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:06,900 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:07,910 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:08,920 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:09,931 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:10,940 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:11,949 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:12,960 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:13,973 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:14,984 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:15,996 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:17,006 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:18,019 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:19,026 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:20,035 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:21,042 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:22,049 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:23,058 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:24,067 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:25,075 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:26,084 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:27,096 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:28,106 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:29,112 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:30,125 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:31,168 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:32,180 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:33,191 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:34,198 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:35,217 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:36,229 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:37,241 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:38,250 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:39,266 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:40,293 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:41,301 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:42,340 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:43,349 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:44,359 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:45,369 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:46,378 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:47,388 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:48,400 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:49,409 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:50,421 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:51,431 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:52,438 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:53,447 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:54,456 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:55,465 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:56,476 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:57,488 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:58,501 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:58:59,514 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:00,525 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:01,536 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:02,548 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:03,559 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:04,570 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:05,579 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:06,586 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:07,595 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:08,603 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:09,610 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:10,620 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:11,629 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:12,643 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:13,651 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:14,659 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:15,666 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:16,683 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:17,689 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:18,698 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:19,714 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:20,721 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:21,735 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:22,745 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:23,756 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:24,768 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:25,778 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:26,786 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:27,798 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:28,811 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:29,819 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:30,828 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:31,840 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:32,850 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:33,860 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:34,872 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:35,880 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:36,890 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:37,902 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:38,912 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:39,924 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:40,934 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:41,943 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:42,956 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:43,966 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:44,975 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:45,988 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:47,001 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:48,011 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:49,028 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:50,034 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:51,042 [cuckoo.core.guest] DEBUG: windowsxp: analysis still processing 2017-11-26 17:59:52,043 [cuckoo.core.guest] INFO: windowsxp: end of analysis reached! 2017-11-26 17:59:52,183 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer 2017-11-26 17:59:52,183 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm windowsxp 2017-11-26 17:59:55,662 [cuckoo.core.scheduler] DEBUG: Released database task #23 2017-11-26 17:59:55,725 [cuckoo.core.plugins] DEBUG: Executed processing module "AnalysisInfo" for task #23 2017-11-26 17:59:55,725 [cuckoo.processing.behavior] WARNING: Analysis results folder does not contain any behavior log files. 2017-11-26 17:59:55,725 [cuckoo.core.plugins] DEBUG: Executed processing module "BehaviorAnalysis" for task #23 2017-11-26 17:59:55,726 [cuckoo.core.plugins] DEBUG: Executed processing module "Dropped" for task #23 2017-11-26 17:59:55,726 [cuckoo.core.plugins] DEBUG: Executed processing module "DroppedBuffer" for task #23 2017-11-26 17:59:55,726 [cuckoo.core.plugins] DEBUG: Executed processing module "Extracted" for task #23 2017-11-26 17:59:55,727 [cuckoo.core.plugins] DEBUG: Executed processing module "MetaInfo" for task #23 2017-11-26 17:59:55,727 [cuckoo.core.plugins] DEBUG: Executed processing module "ProcessMemory" for task #23 2017-11-26 17:59:55,727 [cuckoo.core.plugins] DEBUG: Executed processing module "Procmon" for task #23 2017-11-26 17:59:55,727 [cuckoo.core.plugins] DEBUG: Executed processing module "Screenshots" for task #23 2017-11-26 17:59:56,386 [cuckoo.core.plugins] DEBUG: Executed processing module "Static" for task #23 2017-11-26 17:59:56,430 [cuckoo.core.plugins] DEBUG: Executed processing module "Strings" for task #23 2017-11-26 17:59:56,457 [cuckoo.core.plugins] DEBUG: Executed processing module "TargetInfo" for task #23 2017-11-26 17:59:56,460 [cuckoo.core.plugins] DEBUG: Executed processing module "NetworkAnalysis" for task #23 2017-11-26 17:59:56,460 [cuckoo.core.plugins] DEBUG: Executed processing module "TLSMasterSecrets" for task #23 2017-11-26 17:59:56,479 [cuckoo.core.plugins] DEBUG: Executed processing module "Debug" for task #23 2017-11-26 17:59:56,481 [cuckoo.core.plugins] DEBUG: Running 472 signatures 2017-11-26 17:59:56,636 [cuckoo.core.plugins] DEBUG: Analysis matched signature: packer_entropy 2017-11-26 17:59:56,637 [cuckoo.core.plugins] DEBUG: Analysis matched signature: pe_features 2017-11-26 17:59:56,637 [cuckoo.core.plugins] DEBUG: Analysis matched signature: peid_packer 2017-11-26 17:59:56,642 [cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump"

Here is summary and signature log screenshots

I have tried for many different malware from different sources but not getting behavior log for any of them. Can anybody help me what wrong here because I need the behaviorial analysis report for my project.

[reox]

I have the same problem here on a fresh installation:

WARNING: Analysis results folder does not contain any behavior log files.

The Guest is a Windows 7, disabled Firewall, disabled updates, disabled UAC and agent.py runs as Administrator. Is there something else I should check? The documentation does not even tell you about UAC and the Administrator account btw.

edit: I also checked that the tmp folder is read/writable (See https://github.com/cuckoosandbox/cuckoo/issues/1577#issuecomment-302795050). I do not suspect that something is wrong with the python libs, as this is a fresh virtualenv...

editedit: okay found it. It was the same reason as in #2091 you should mark this big fat in the documentaion ;)

[divyakamalmaddi]

@basant-kumar - How did u resolve it? I do have the same errors

[peytyfaithy]

I am experiencing the same issue. How to resolved this?

[damaugusto]

cuckoo.processing.behavior] WARNING: Analysis results folder does not contain any behavior log files Hi. install cuckoo but when i run the scan the report doesn't work. Error 404 File. I update Firefox but it doesn't work. I explore the reporting.conf but can't find any errors. [single file]

Enable creation of report.html and / or report.pdf?

enabled = yes

Enable creation of report.html?

html = yes

Enable creation of report.pdf?

pdf = no The config of windows 7 victim. The UAC off. Firewall off, windows defender off. I need yuour help i dont found de error pls your help.

[synv-09]

@reox Please clarify your fixes

[reox]

IIRC the fix was to not use python x86-64 if you analyze x86-32 binaries

[synv-09]

@reox You mean I have to reinstall python for win 7

[reox]

@Synv-09 I do not even know anymore if that was the fix... but it turned out you could analyze 32bit binaries only with a 32bit python back then. So I had to reinstall python because I installed 64bit python accidentally. If you already have 32bit python for 32bit binaries, you probably have another issue...

[synv-09]

@reox I reinstalled 32 bit python and it is no longer appearing thank you