cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

CuckooError: The package "modules.packages.reboot" start function encountered an unhandled exception: #1415

Open likekabin opened 7 years ago

likekabin commented 7 years ago

Hi, I'm now running the latest Cuckoo and using Cuckoo Agent 0.7 (downloaded from https://github.com/jbremer/agent) on Ubuntu 14.04. Currently I have 4 machines, in this order: WindowsXP (32 bits), Windows7 (32 bits), Windows10 (64 bits), Server2008 (64 bits). My problem is that when I submit samples for any machine such as Windows7, Windows10 or Server2008, and the analysis process completes successfully (without any issue), I open the analysis result page and press the "Reboot analysis" button; Cuckoo then automatically opens Windows XP for the reanalysis, not Windows7, Windows10 or Server2008. I hope you can help me solve this. Thank you.

Here is my Cuckoo reboot analysis log. Don't worry about "Memory dump not found", because I turned off memory dump.

2017-04-14 13:10:16,485 [lib.cuckoo.core.scheduler] INFO: File already exists at "/home/demo/Desktop/cuckoo/storage/binaries/4ee9151a184cc03fdc9928d322e31de5b5372fb3b5b60c3abbc618beeb2d7954"
2017-04-14 13:10:16,542 [lib.cuckoo.core.scheduler] INFO: Task #234: acquired machine WindowsXP (label=WindowsXP)
2017-04-14 13:10:16,560 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 17107 (interface=vboxnet0, host=192.168.56.111, pcap=/home/demo/Desktop/cuckoo/storage/analyses/234/dump.pcap)
2017-04-14 13:10:19,820 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=WindowsXP, ip=192.168.56.111)
2017-04-14 13:10:24,913 [lib.cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.7 (id=WindowsXP, ip=192.168.56.111)
2017-04-14 13:10:27,929 [modules.auxiliary.reboot] INFO: Preparing task #234 for a reboot analysis..
2017-04-14 13:10:31,169 [lib.cuckoo.core.guest] INFO: WindowsXP: analysis caught an exception
Traceback (most recent call last):
  File "C:\tmp9_vxxc\analyzer.py", line 778, in <module>
    success = analyzer.run()
  File "C:\tmp9_vxxc\analyzer.py", line 631, in run
    "exception: %s" % (package_name, e)
CuckooError: The package "modules.packages.reboot" start function encountered an unhandled exception: access() argument 1 must be encoded string without null bytes, not unicode

2017-04-14 13:10:39,042 [modules.processing.memory] ERROR: Memory dump not found: to run volatility you have to enable memory_dump
2017-04-14 13:10:39,483 [modules.processing.network] ERROR: Unable to open /home/demo/Desktop/cuckoo/storage/analyses/234/dump_sorted.pcap

And here is the Analyzer log:

2017-04-14 13:10:16,000 [analyzer] DEBUG: Starting analyzer from: C:\tmp9_vxxc
2017-04-14 13:10:16,009 [analyzer] DEBUG: Pipe server name: \\.\PIPE\eLQomBhXscavcbiXEJo
2017-04-14 13:10:16,019 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\FKIBQrpcTyFSEVChAzIq
2017-04-14 13:10:16,911 [analyzer] DEBUG: Started auxiliary module Disguise
2017-04-14 13:10:17,371 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2017-04-14 13:10:17,391 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2017-04-14 13:10:17,461 [analyzer] DEBUG: Loaded monitor into process with pid 688
2017-04-14 13:10:17,482 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2017-04-14 13:10:17,492 [analyzer] DEBUG: Started auxiliary module Human
2017-04-14 13:10:17,492 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2017-04-14 13:10:17,502 [analyzer] DEBUG: Started auxiliary module Reboot
2017-04-14 13:10:18,183 [analyzer] DEBUG: Started auxiliary module RecentFiles
2017-04-14 13:10:18,183 [analyzer] DEBUG: Started auxiliary module Screenshots

jbremer commented 7 years ago

What's the filename of your sample? Seems it might be slightly malformed or something.

likekabin commented 7 years ago

My file name is already uploaded to VirusTotal; it has a function that performs some actions after a system restart. But I don't know why it has an issue? I also tried different samples on other machines but got the same result: every "reboot analysis" opens Windows XP :( How can I fix it?

jbremer commented 7 years ago

I'll have to give it a spin later. If in the meantime you find a fix, let us know.

likekabin commented 7 years ago

Thank you jbremer,

But until now I can't perform a reboot analysis with Cuckoo. I submit a sample for the Windows7 machine, and when the analysis has completed, I browse the result and click reboot analysis; Cuckoo opens Windows XP instead of opening Windows7 again. Please help me solve this :(