cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Unable to analyze jar file. #1560

Open francisfsjiang opened 7 years ago

francisfsjiang commented 7 years ago

Hi. I am trying to use cuckoo to analyze a jar file, using java 8. So I started by testing a simple example. But the jvm crashed. I tried to run the jar from the cmd, it worked. So I guess there may be a bug in the monitor. When I switch the java version to java 7, it kept creating new threads until out of memory instead of crashing.

By the way, I tried to use Office 2016 and 2013 in the guest machine, both of them crashed after the analyzer invoked inject-x64.exe with the -resume-thread option. But Office 2007 works well. The same thing happens to Adobe Reader: Adobe Reader 12 will crash but Adobe Reader 9 works well.

I am using the current master branch version, 1661e3c.

Here is the exported analysis. Guest machine's OS is Windows7 SP1 64-bit build 7601.

java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)

java8_analysis.zip

And the jvm's log. hs_err_pid2700.log.txt

Sample source Test.jar.zip Test.java.txt

Here is java7's exported analysis. Guest machine's OS is Windows7 SP1 64-bit build 7601.

java version "1.7.0_80"
Java(TM) SE Runtime Environment (build 1.7.0_80-b15)
Java HotSpot(TM) 64-Bit Server VM (build 24.80-b11, mixed mode)

java7_analysis.zip

Test sample is the same as java8

francisfsjiang commented 7 years ago

I fixed this problem by using 32bit jre 8. Office 2016 32bit is working too. This point should be documented.

jbremer commented 7 years ago

Thanks for the extensive feedback @neveralso! It's our intention to support all of these platforms naturally, but this is a work in progress (we hope to release some major improvements in this regard in the near future). In the meanwhile, if you're able to share VMs with crashing software (privately - you can email me at jbr@cuckoo.sh) that'd be great, that way we can ensure that it will work in a next release and remain working afterwards! Thanks again! :-) I agree that a list of known supported software would be great as well. I'll see if we can compile such a list in the future.

Nwinternights commented 7 years ago

I confirm that with jre8 it works, while with older versions the analysis fails. @jbremer can you consider adding it as a package in vmcloak? Regards

Clevero commented 6 years ago

Can confirm that Java 8 32 Bit is working under Windows 7.