cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

.hta file format analysis error #1682

Closed Rosle23 closed 6 years ago

Rosle23 commented 7 years ago

Hi,

Cuckoo 2.02, windows 7 VM any fix for this error while analyzing .hta malware (petya.hta)?

2017-06-28 15:31:00,827 [cuckoo.core.guest] WARNING: Guest_Win7 Clone2: analysis caught an exception
Traceback (most recent call last):
  File "C:\tmpz4g6zx\analyzer.py", line 784, in <module>
    success = analyzer.run()
  File "C:\tmpz4g6zx\analyzer.py", line 639, in run
    pids = self.package.start(self.target)
  File "C:\tmpz4g6zx\modules\packages\zip.py", line 82, in start
    zipinfos = self.get_infos(path)
  File "C:\tmpz4g6zx\modules\packages\zip.py", line 74, in get_infos
    with ZipFile(zip_path, "r") as archive:
  File "C:\Python27\lib\zipfile.py", line 770, in __init__
    self._RealGetContents()
  File "C:\Python27\lib\zipfile.py", line 832, in _RealGetContents
    fp.seek(self.start_dir, 0)
IOError: [Errno 22] Invalid argument

2017-06-28 15:31:00,921 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2017-06-28 15:31:02,141 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0001.jpg
2017-06-28 15:31:02,221 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 84990
2017-06-28 15:31:15,617 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label Guest_Win7 Clone2 to path /root/.cuckoo/storage/analyses/9/memory.dmp
2017-06-28 15:31:15,619 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm Guest_Win7 Clone2
2017-06-28 15:31:15,922 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0002.jpg
2017-06-28 15:31:16,097 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 92709

Thanks

jbremer commented 7 years ago

Saw a similar error recently. Can you please share some hashes?

Rosle23 commented 7 years ago

MD5: 0487382a4daf8eb9660f1c67e30f8b25
SHA1: 736752744122a0b5ee4b95ddad634dd225dc0f73
SHA256: ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6

https://www.virustotal.com/en/file/ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6/analysis/

FernandoDoming commented 7 years ago

Seems that the problem is not with Cuckoo itself, but rather with Sflock, as Sflock detects your sample (and potentially more) as a Zip (zip package). I have already created an issue in sflock for that matter.

https://github.com/jbremer/sflock/issues/21

In the meantime, you can manually select the ie package for your hta files, although we should be adding an hta analysis package (mshta.exe) soon-ish.
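The misclassification described in this comment (a text-based .hta file being routed to the zip package, after which `ZipFile()` fails while seeking to the central directory) comes down to how "is this a zip?" is decided. The following is an added illustration, not code from Cuckoo or Sflock and not the petya.hta sample: it builds a constructed HTA-style document whose last 22 bytes form a syntactically valid end-of-central-directory record, shows that Python's `zipfile.is_zipfile` (which only scans the tail of the file for that record) accepts it, and contrasts a stricter identification that requires a local file header at offset 0 plus a readable central directory before calling the file a zip. It runs on Python 3, where a bad central-directory offset raises `BadZipFile` instead of the `IOError` seen in the Python 2.7 traceback above; the function names and the HTA markers checked are this example's own choices.

```python
import io
import struct
import zipfile

# Constructed sample (not the sample from this issue): an HTA-style document,
# i.e. HTML with an <hta:application> tag and an inline script block.
_HTA_TEXT = (
    b"<html><head><title>constructed sample</title>\n"
    b'<hta:application id="app" applicationname="sample"/>\n'
    b'</head><body><script language="VBScript">\n'
    b"' placeholder script body for the example\n"
    b"</script></body></html>\n"
)


def _fake_eocd(size_cd, offset_cd):
    """A 22-byte end-of-central-directory record with no comment.

    Layout: signature, disk number, disk with CD, entries on disk,
    total entries, size of CD, offset of CD, comment length.
    """
    return struct.pack("<4s4HLLH", b"PK\x05\x06", 0, 0, 0, 0, size_cd, offset_cd, 0)


# The text document with a trailing EOCD whose central-directory size is
# larger than the file, so the computed start of the central directory is
# negative (the condition behind the seek failure in the traceback above).
SAMPLE = _HTA_TEXT + _fake_eocd(size_cd=0x7FFFFFFF, offset_cd=0)


def make_real_zip():
    """A genuine single-entry zip, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("a.txt", "hello")
    return buf.getvalue()


def naive_is_zip(data):
    """Tail-signature check: trusts any EOCD record found near the end."""
    return zipfile.is_zipfile(io.BytesIO(data))


def strict_is_zip(data):
    """Require a local file header at offset 0 and a central directory
    that actually parses and lists at least one entry."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return len(archive.infolist()) > 0
    except (zipfile.BadZipFile, OSError):
        return False


def looks_like_hta(data):
    """Content-based HTA heuristic on the first 4 KiB (example's own markers)."""
    head = data[:4096].lower()
    return b"<hta:application" in head or (b"<html" in head and b"<script" in head)


def identify(data):
    """Return the analysis package a file should be routed to: zip, hta, or unknown."""
    if strict_is_zip(data):
        return "zip"
    if looks_like_hta(data):
        return "hta"
    return "unknown"


if __name__ == "__main__":
    print("naive_is_zip(SAMPLE)  =", naive_is_zip(SAMPLE))   # True: misclassified
    print("strict_is_zip(SAMPLE) =", strict_is_zip(SAMPLE))  # False
    print("identify(SAMPLE)      =", identify(SAMPLE))       # hta
    print("identify(real zip)    =", identify(make_real_zip()))  # zip
```

The point for anyone writing a sandbox's file-type router is that a signature found at the end of a file is weak evidence on its own: checking the leading local-file-header magic and then parsing the central directory (and treating any parse error as "not a zip") keeps text formats such as HTA from being handed to an archive package that will crash on them.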

jbremer commented 7 years ago

An .hta package was added today!

jbremer commented 6 years ago

Closing issue for now. I believe that error above was fixed, in sflock at least anyway.