cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Unable to detect either the new or old agent in the Guest VM #1533

Open Telkas-j opened 7 years ago

Telkas-j commented 7 years ago

Hi,

I've recently tried to update to cuckoo 2.0 from 1.3 for android analysis (2.0 installed on a fresh system). I have downloaded the android sdk and configured the emulator as described in the cuckoo droid documentation. The problem I'm having is to do with the guest agent: currently I have installed the java_agent.apk from the cuckoo droid repository to the emulator. This, however, is not working; when I try to pass an apk for analysis I get the following two error messages:

We were unable to detect either the Old or New Agent in the Guest VM, are you sure you have set it up correctly? Please go through the documentation once more and otherwise inform the Cuckoo Developers of your issue.

Once that error occurs the AVD shuts down and the following subsequent error is generated:

Error processing task #58: it appears that the Virtual Machine hasn't been able to contact back to the Cuckoo Host. There could be a few reasons for this, please refer to our documentation on the matter: https://cuckoo.sh/docs/faq/index.html#troubleshooting-vm-network-configuration

I'm assuming that these two are caused by the same problem, which revolves around the guest agent not working. Below is the full cuckoo log for an attempted apk analysis.

2017-05-11 13:52:21,665 [cuckoo.core.scheduler] INFO: Task #58: acquired machine cuckoo1 (label=cuckoo1)
2017-05-11 13:52:21,752 [cuckoo.common.objects] DEBUG: Picked package com.google.progress and the first activity com.google.progress.BackGroundActivity.
2017-05-11 13:52:21,853 [cuckoo.machinery.avd] DEBUG: Starting vm cuckoo1
2017-05-11 13:52:21,853 [cuckoo.machinery.avd] DEBUG: Duplicate Reference Machine 'aosx2'.
2017-05-11 13:52:21,853 [cuckoo.machinery.avd] DEBUG: Deleting old emulator config file '/home/james/.android/avd/cuckoo1.ini'
2017-05-11 13:52:21,853 [cuckoo.machinery.avd] DEBUG: Deleting old emulator FS '/home/james/.android/avd/cuckoo1.avd/'
2017-05-11 13:52:21,882 [cuckoo.machinery.avd] DEBUG: Copy AVD reference config file '/home/james/.android/avd/aosx2.ini' in '/home/james/.android/avd/cuckoo1.ini'...
2017-05-11 13:52:21,883 [cuckoo.machinery.avd] DEBUG: Duplicate the AVD internal content from '/home/james/.android/avd/aosx2.avd/' in '/home/james/.android/avd/cuckoo1.avd/'...
2017-05-11 13:52:21,964 [cuckoo.machinery.avd] DEBUG: Replacing 'aosx2' with 'cuckoo1' in '/home/james/.android/avd/cuckoo1.ini'
2017-05-11 13:52:21,964 [cuckoo.machinery.avd] DEBUG: Replacing 'aosx2' with 'cuckoo1' in '/home/james/.android/avd/cuckoo1.avd/hardware-qemu.ini'
2017-05-11 13:52:31,970 [cuckoo.machinery.avd] DEBUG: Restarting ADB server...
2017-05-11 13:52:31,976 [cuckoo.machinery.avd] DEBUG: ADB server has been killed.
2017-05-11 13:52:32,003 [cuckoo.machinery.avd] DEBUG: ADB server has been restarted.
2017-05-11 13:52:32,004 [cuckoo.machinery.avd] DEBUG: Waiting for device emulator-5554 to be ready.
2017-05-11 13:52:35,011 [cuckoo.machinery.avd] DEBUG: Waiting for the emulator to be ready
2017-05-11 13:52:35,011 [cuckoo.machinery.avd] DEBUG: - (dev.bootcomplete)
2017-05-11 13:52:40,259 [cuckoo.machinery.avd] DEBUG: - (sys_bootcomplete)
2017-05-11 13:52:40,301 [cuckoo.machinery.avd] DEBUG: - (init.svc.bootanim)
2017-05-11 13:52:45,343 [cuckoo.machinery.avd] DEBUG: Emulator emulator-5554 is ready !
2017-05-11 13:52:55,590 [cuckoo.core.guest] INFO: Starting analysis on guest (id=cuckoo1, ip=127.0.0.1)
2017-05-11 13:52:55,602 [cuckoo.core.guest] CRITICAL: We were unable to detect either the Old or New Agent in the Guest VM, are you sure you have set it up correctly? Please go through the documentation once more and otherwise inform the Cuckoo Developers of your issue.
2017-05-11 13:52:55,816 [cuckoo.machinery.avd] DEBUG: Stopping vm cuckoo1
2017-05-11 13:52:55,819 [cuckoo.machinery.avd] INFO: Stopping AVD listening on port 5554
2017-05-11 13:52:57,182 [cuckoo.core.scheduler] DEBUG: Released database task #58
2017-05-11 13:52:57,223 [cuckoo.core.plugins] DEBUG: Executed processing module "AnalysisInfo" on analysis at "/home/james/.cuckoo/storage/analyses/58"
2017-05-11 13:52:57,223 [cuckoo.processing.behavior] WARNING: Analysis results folder does not exist at path '/home/james/.cuckoo/storage/analyses/58/logs'.
2017-05-11 13:52:57,224 [cuckoo.core.plugins] DEBUG: Executed processing module "BehaviorAnalysis" on analysis at "/home/james/.cuckoo/storage/analyses/58"
2017-05-11 13:52:57,224 [cuckoo.core.plugins] DEBUG: Executed processing module "Dropped" on analysis at "/home/james/.cuckoo/storage/analyses/58"
2017-05-11 13:52:57,224 [cuckoo.core.plugins] DEBUG: Executed processing module "DroppedBuffer" on analysis at "/home/james/.cuckoo/storage/analyses/58"
2017-05-11 13:52:57,225 [cuckoo.core.plugins] DEBUG: Executed processing module "MetaInfo" on analysis at "/home/james/.cuckoo/storage/analyses/58"
2017-05-11 13:52:57,225 [cuckoo.core.plugins] DEBUG: Executed processing module "ProcessMemory" on analysis at "/home/james/.cuckoo/storage/analyses/58"
2017-05-11 13:52:57,225 [cuckoo.core.plugins] DEBUG: Executed processing module "Procmon" on analysis at "/home/james/.cuckoo/storage/analyses/58"
2017-05-11 13:52:57,225 [cuckoo.core.plugins] DEBUG: Executed processing module "Screenshots" on analysis at "/home/james/.cuckoo/storage/analyses/58"
2017-05-11 13:52:57,226 [cuckoo.core.plugins] DEBUG: Executed processing module "Static" on analysis at "/home/james/.cuckoo/storage/analyses/58"
2017-05-11 13:52:57,260 [cuckoo.core.plugins] DEBUG: Executed processing module "Strings" on analysis at "/home/james/.cuckoo/storage/analyses/58"
2017-05-11 13:52:57,275 [cuckoo.core.plugins] DEBUG: Executed processing module "TargetInfo" on analysis at "/home/james/.cuckoo/storage/analyses/58"
2017-05-11 13:52:57,287 [cuckoo.core.plugins] DEBUG: Executed processing module "NetworkAnalysis" on analysis at "/home/james/.cuckoo/storage/analyses/58"
2017-05-11 13:52:57,287 [cuckoo.core.plugins] DEBUG: Executed processing module "TLSMasterSecrets" on analysis at "/home/james/.cuckoo/storage/analyses/58"
2017-05-11 13:52:57,287 [cuckoo.processing.debug] ERROR: Error processing task #58: it appears that the Virtual Machine hasn't been able to contact back to the Cuckoo Host. There could be a few reasons for this, please refer to our documentation on the matter: https://cuckoo.sh/docs/faq/index.html#troubleshooting-vm-network-configuration
2017-05-11 13:52:57,389 [cuckoo.core.plugins] DEBUG: Executed processing module "Debug" on analysis at "/home/james/.cuckoo/storage/analyses/58"
2017-05-11 13:52:57,390 [cuckoo.core.plugins] DEBUG: Running 0 signatures
2017-05-11 13:52:57,397 [cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump"
2017-05-11 13:52:57,460 [cuckoo.core.plugins] DEBUG: Executed reporting module "SingleFile"

Not really sure what to do in regards to configuring the agent. I've read the recommended documentation, which suggests a new agent approach with 2.0, but I'm unsure about the installation process for android emulators. As I said, I am using the old cuckoo droid java_agent.apk, which may be causing these issues, and the new agent may be the solution, but I'm really unsure of the installation procedure on an android emulator.

Apologies if this isn't the right format for the issue tracker, I've tried to access the community site for the past few days but keep getting a 502 bad gateway error (https://community.cuckoosandbox.org/).

Thanks, Jamie.

edit: also please find attached below a compressed version of one of the analysis reports; not sure if it's useful, but thought I would include it anyway. analysis_example.tar.gz
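The host-side check the post above is failing on, as an added example (not code from the Cuckoo project or from the poster): a small probe that reports whether a guest address answers as the new agent, as the legacy agent, as something else, or not at all. It assumes the Cuckoo 2.0 agent answers GET / with JSON carrying "message": "Cuckoo Agent!" and a "version" key, that the legacy agent is an XML-RPC server exposing get_status(), and the default agent port 8000; fake_guest() starts constructed in-process listeners so the script runs offline.

```python
"""Probe a Cuckoo guest for the new (HTTP/JSON) or legacy (XML-RPC) agent.

Added example, not Cuckoo's own guest-manager code. Assumptions: the 2.0
agent answers GET / with JSON {"message": "Cuckoo Agent!", "version": ...},
the legacy agent is an XML-RPC server exposing get_status(), and both listen
on port 8000. The listeners built by fake_guest() are constructed stand-ins.
"""
import json
import socket
import threading
import xmlrpc.client
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import ProxyHandler, build_opener
from xmlrpc.server import SimpleXMLRPCServer

NEW_AGENT_BANNER = "Cuckoo Agent!"
AGENT_PORT = 8000                      # assumed default agent port
_opener = build_opener(ProxyHandler({}))   # never route loopback via a proxy


def probe_agent(host, port=AGENT_PORT, timeout=3.0):
    """Classify what answers at host:port: "new", "old", "unknown" or "closed".

    Checks run in the order a host would: TCP reachability first (a closed
    port points at port forwarding or guest networking, not at the agent
    APK), then the new JSON protocol, then the legacy XML-RPC call.
    """
    try:
        socket.create_connection((host, port), timeout).close()
    except OSError:
        return "closed"
    url = "http://%s:%d/" % (host, port)
    try:
        with _opener.open(url, timeout=timeout) as resp:
            body = json.loads(resp.read().decode("utf-8", "replace"))
        if isinstance(body, dict) and body.get("message") == NEW_AGENT_BANNER \
                and "version" in body:
            return "new"
    except Exception:        # non-200, non-JSON, or connection dropped
        pass
    try:
        xmlrpc.client.ServerProxy(url).get_status()
        return "old"
    except Exception:        # port open, but neither agent protocol answered
        return "unknown"


class _Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):      # keep the demo's output clean
        pass

    def _reply(self, status, ctype, body):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class _NewAgent(_Quiet):
    def do_GET(self):
        payload = {"message": NEW_AGENT_BANNER, "version": "0.8"}
        self._reply(200, "application/json", json.dumps(payload).encode())


class _NotAnAgent(_Quiet):
    """Some other service on the port: answers HTML, not the agent JSON."""
    def do_GET(self):
        self._reply(200, "text/html", b"<html><body>not an agent</body></html>")


def fake_guest(kind):
    """Return (host, port) of a constructed listener: new, old, other, closed."""
    if kind == "closed":
        s = socket.socket()
        s.bind(("127.0.0.1", 0))
        addr = s.getsockname()
        s.close()                       # port released: nothing listening there
        return addr
    if kind == "old":
        srv = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)
        srv.register_function(lambda: 1, "get_status")
    else:
        handler = _NewAgent if kind == "new" else _NotAnAgent
        srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address


if __name__ == "__main__":
    for kind in ("new", "old", "other", "closed"):
        host, port = fake_guest(kind)
        print("%-7s listener at %s:%d -> %s" % (kind, host, port, probe_agent(host, port)))
    # Against a real setup: probe_agent("127.0.0.1") while the AVD is up, since
    # 127.0.0.1 is the address the log above shows Cuckoo using for the guest.
```

Run it against the address Cuckoo actually uses (the log shows ip=127.0.0.1 for the AVD) while the emulator is up: "closed" means the forwarding or emulator network is the problem rather than the agent APK, "unknown" means the port is open but whatever answers there speaks neither agent protocol.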

Telkas-j commented 7 years ago

Hey, just an update. I'm still working on this issue; however, at the minute I've moved on to a bit more of a pressing problem, which is that the user interface seems to view .apk files as zips, so it attempts to expand them, preventing file analysis. This seems to be a UI issue, as passing the apk to cuckoo from the terminal identifies it as a Jar file. If anyone gets any ideas or makes progress setting up the agent for android analysis, however, please let me know.

Thanks, Jamie.

doomedraven commented 7 years ago

It's because an .apk is a zip, as is a docx; extend the check in package identification.
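The check doomedraven refers to, as an added example (not Cuckoo's own package-identification code): an APK, a docx and a jar are all zip containers, so the PK magic alone cannot tell them apart, but the archive's entry names can. The package names returned ("apk", "doc", "xls", "ppt", "jar", "zip") are assumed here, and the sample archives are constructed in memory so the script runs offline.

```python
"""Tell an APK, an OOXML document or a jar apart from a plain zip.

Added example, not Cuckoo's own code. Package names are assumed; the entry
names keyed on (AndroidManifest.xml, classes.dex, [Content_Types].xml,
word/document.xml, xl/workbook.xml, ppt/presentation.xml, META-INF/MANIFEST.MF)
are the containers' real layouts. Sample archives are constructed below.
"""
import io
import zipfile

# Local-file-header, empty-archive and spanned-archive signatures.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def identify_container(data):
    """Return an analysis package name for a file's raw bytes.

    Order matters: the most specific layouts are tested first, so an APK
    (which also carries META-INF/MANIFEST.MF) is never reported as a jar,
    and only a zip with none of the known layouts falls through to "zip".
    """
    if not data.startswith(ZIP_MAGICS):
        return "not-zip"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "bad-zip"            # PK magic but no readable central directory
    has_dex = any(n.startswith("classes") and n.endswith(".dex") for n in names)
    if "AndroidManifest.xml" in names and has_dex:
        return "apk"
    if "[Content_Types].xml" in names:
        if "word/document.xml" in names:
            return "doc"
        if "xl/workbook.xml" in names:
            return "xls"
        if "ppt/presentation.xml" in names:
            return "ppt"
    if "META-INF/MANIFEST.MF" in names and any(n.endswith(".class") for n in names):
        return "jar"
    return "zip"


def build_zip(entries):
    """Constructed sample: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples; the payloads are placeholders, only the layout matters.
SAMPLES = {
    "apk": build_zip({
        "AndroidManifest.xml": b"\x03\x00\x08\x00",   # binary XML header
        "classes.dex": b"dex\n035\x00",
        "classes2.dex": b"dex\n035\x00",
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    }),
    "doc": build_zip({"[Content_Types].xml": b"<Types/>",
                      "word/document.xml": b"<w:document/>"}),
    "xls": build_zip({"[Content_Types].xml": b"<Types/>",
                      "xl/workbook.xml": b"<workbook/>"}),
    "jar": build_zip({"META-INF/MANIFEST.MF": b"Main-Class: a.B\n",
                      "a/B.class": b"\xca\xfe\xba\xbe"}),
    "zip": build_zip({"readme.txt": b"just a zip"}),
}


if __name__ == "__main__":
    for expected, blob in SAMPLES.items():
        print("%-4s -> %s" % (expected, identify_container(blob)))
    print("exe  -> %s" % identify_container(b"MZ\x90\x00" + b"\x00" * 60))
```

The same idea extends to any zip-based format the sandbox wants to route to a dedicated package: look inside the container for the entries that define the format instead of trusting the magic bytes or the file extension.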