cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Critical Timeout after installing Cuckoo 2.0.1. No issues with Cuckoo 2.0-rc2 #1430

Closed ghost closed 7 years ago

ghost commented 7 years ago

Hey everyone,

I created a fresh install and used the python package for 2.0.1. I recreated the box using the setting from my working instance of cuckoo 2.0-rc2.

Unfortunately, I'm now hitting a dreaded Critical Timeout and "does not contain any behavior log files" error in the new install. A couple of things that I've tried so far: dropped iptables on the host, checked guest to host communication from within the guest VM (successfully telneted from guest to host), monitored via GUI the guest VM. The guest VMs do not have firewall activated and are XP guests (no UAC).

I know this error is usually from virtual networking problems, but I'm not sure what else to check. Maybe trying the older agent?

From what it seems to me, the uploaded file never gets executed on the guest. I took a wireshark capture and will try to see if anything is being sent back over the wire. Any other suggestions would be appreciated.

Old cuckoo install: Host OS CentOS 7, guest VMs Windows XP SP3, installed modules: yara, ssdeep, volatility. Successfully captures screenshots and reports back on activity

New cuckoo install: Host OS RHEL7, guest VMs Windows XP SP3, installed modules: yara, ssdeep, volatility. Does not capture screenshots (Pillow installed), does not report back on behavior, reaches critical timeout.

SajjadPourali commented 7 years ago

I have the same problem but on macOS. Here are my configuration and log files: output of cuckoo -d => https://pastebin.com/Vp7Dkaj5 cuckoo.conf => https://pastebin.com/csthpuyi virtualbox.conf => https://pastebin.com/PLhbc5WL

(attached: VM screenshot of the guest, and two screenshots of the macOS host)

Firewalls are disabled and ports are open.

ghost commented 7 years ago

Just wanted to post an update. I'm getting an "isbit32.exe" error inside of the guest. Closing the box allows some of the processing to continue, but nothing seems to get launched. I'm still hitting a critical timeout though. I will try and follow instructions that others have used to solve this issue.

With that all being said, I created a separate box using CentOS and the cuckoo 2.0.1. This install has no issues. I'm baffled by why one works and the other doesn't. However, I will work on trying to solve my initial install issues for a few days, then close out the ticket if I can't figure it out.

jbremer commented 7 years ago

Sounds odd. @yeejay so you have one box where 2.0-rc2 works and 2.0.1 does not and one box where 2.0.1 works? If you figure out what's the difference between those boxes, do let me know.. :-P Both running the same OS in the Guest etc? @SajjadPourali logs are mostly looking fine and Cuckoo seems to be able to connect to the VM, however, the VM doesn't seem to be able to connect back. Try connecting to 192.168.56.1:2042 from within the Guest (e.g., using Python with socket.create_connection(("192.168.56.1", 2042))), does that work?
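The guest-to-host check jbremer suggests, written out as an added example (not code from this thread or from the Cuckoo project). It assumes the result server address from the comment, 192.168.56.1:2042, and distinguishes the failure modes a plain `create_connection` call hides: a refused connection means the host answered but nothing is listening, while a timeout means packets are being dropped on the way (firewall, wrong interface, routing). The dummy listener is a stand-in so the check can be exercised on a single machine without Cuckoo running.

```python
import errno
import socket

# Result server address as given in the thread (host-only interface, port 2042).
RESULTSERVER_IP = "192.168.56.1"
RESULTSERVER_PORT = 2042


def check_resultserver(host=RESULTSERVER_IP, port=RESULTSERVER_PORT, timeout=3.0):
    """Attempt a TCP connect to the result server and report the outcome.

    Returns a dict so the failure mode is visible to the caller:
      'refused'     -> host reachable, nothing listening on that port
                       (result server not running, or wrong port/IP in cuckoo.conf)
      'timeout'     -> no answer at all; packets are being dropped (firewall,
                       wrong host-only interface, routing)
      'unreachable' -> kernel has no route to the host
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return {"reachable": True, "error": None}
    except socket.timeout:
        return {"reachable": False, "error": "timeout"}
    except ConnectionRefusedError:
        return {"reachable": False, "error": "refused"}
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return {"reachable": False, "error": "unreachable"}
        return {"reachable": False, "error": exc.strerror or str(exc)}


def start_dummy_listener(host="127.0.0.1"):
    """Open a throwaway TCP listener on an ephemeral port.

    Stands in for the result server so the check above can be tested
    locally. Returns (listening_socket, port); close the socket when done.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Run this inside the guest VM to test the path back to the host.
    outcome = check_resultserver()
    print("%s:%d -> %s" % (RESULTSERVER_IP, RESULTSERVER_PORT, outcome))
```

Running it inside the guest and seeing `refused` points at the Cuckoo side (result server not bound to that interface or port), whereas `timeout` points at the network path between guest and host.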

SajjadPourali commented 7 years ago

@jbremer: thank you for your response. I've done it; the socket is listening on the result server and it is reachable from the guest.

(attached: screenshot)

ghost commented 7 years ago

@jbremer is there much difference in how the agent communicates between the different versions? They look coded differently.

I will try a couple of different things and get back to you. That being said, I do have a working cuckoo version and will try to find the diff between the two.

jbremer commented 7 years ago

@yeejay Yes, they're quite different. Both use HTTP, but the old agent is based on xmlrpc and the new agent is more of a REST API. Thanks for your efforts - hope to find out what's up!

jbremer commented 7 years ago

@yeejay @SajjadPourali Thanks for the feedback - it is indeed correct that Windows XP analysis was broken. In the meantime we've put out a new alpha release which fixes these issues (as well as introducing migration code for the CWD, because the files that have to be updated for this fix include those in $CWD/analyzer/windows/). Assuming you haven't made any out of the ordinary changes in your CWD, you'll be able to install the latest version of Cuckoo and Cuckoo will automatically upgrade your CWD to the latest version the next time you run it. If an automatic upgrade isn't possible, Cuckoo will inform you on steps forward. You may upgrade with pip install cuckoo==2.0.3a2 for now, until we release a stable release. Please let me know if these instructions are enough to upgrade your version of Cuckoo & if they resolve your Windows XP analyses. Thanks again! If you have any additional questions, do not hesitate to let us know :-)

jbremer commented 7 years ago

Didn't get any feedback, so assuming all went well - closing issue! Thanks :-)