cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Ransomware Encrypting Everything #1954

Open seantree opened 6 years ago

seantree commented 6 years ago

Hello Guys,

This sample (MD5 fa984640d51ed7ff6eb07658ab8b3a2c) is locking every file, and Cuckoo is not able to show the log due to encryption. Thanks & Regards, Seantree

nahaye commented 6 years ago

It is probably because the bson is too large.

leixyou commented 6 years ago

Maybe the ransomware encrypts sniffer.py or something else in the PYTHON-PATH of the guest machine. I tested some ransomware and got many errors.

RicoVZ commented 6 years ago

Hi seantree,

Thanks for posting an issue, and sorry for the very delayed reply.

I have checked out this sample, and it does not seem to encrypt any files. The behavior it does display is killing some processes and displaying a full screen message.

About the behavioral logs: these are sent out 'live' to the Cuckoo host, so encryption of files would not prevent this.

@leixyou What kind of problems are you running into? Could you post those in a new issue? :smile:

seantree commented 6 years ago

Hi @RicoVZ. The thing is, when we are analyzing the ransomware on Cuckoo Sandbox it's encrypting everything. Check other ransomware samples and you will also see that most of them lock and encrypt the Python and executable files, so Cuckoo is not able to fetch the right output because the files required by Cuckoo are locked. I have tested lots of ransomware samples and Cuckoo has failed to get the actual output that's required. Test it by increasing the time limit for the ransomware to at least 10-15 mins, and then check the output. Thanks & Regards, Seantree

RicoVZ commented 6 years ago

@seantree

Can you post some samples that show this behavior?

As @nahaye stated, analyzing for longer times will cause large bson logs (where all behavior is stored on the host). If these are too large (the limit is defined in cuckoo.conf), Cuckoo will skip them. This results in no behavior in the report, because the results from the bson log are missing.

To increase this limit, and cause Cuckoo to still process large bson logs, change analysis_size_limit in your cuckoo.conf to a larger number than it is at the moment.

Ransomware encrypting Cuckoo Python files is not a problem, and should not cause losing the results of an analysis. :smile:

If you believe this is not the case, please re-run your analysis and then post the $CWD/storage/<taskid>/cuckoo.log from this analysis. I can then examine it. Preferably, upload and share the entire task from the analysis folder.

seantree commented 6 years ago

Hi @RicoVZ

Thanks for the quick reply. Below are the hashes of ransomware that create one folder and drop one file. The file dropped by the ransomware is in use and, because of its locked state, Cuckoo is not able to fetch the details of the dropped files. Hashes:

068ae87b2b8035afaff8c4a90ffab20f 96afc9cdef3c623e0c5420e339c57283 01a84553575ee23276bad7e26958acab

Can you also suggest the most suitable size for analysis_size_limit (in case of longer analysis times)? Thanks & Regards, Seantree

RicoVZ commented 6 years ago

Thanks for sharing the hashes. I will look at them as soon as I can squeeze in some time for it.

About the analysis_size_limit: there really is not a suitable/perfect one. It all depends on how much storage you want to be used and how much time you want processing to take.

A higher analysis_size_limit means larger bsons will be processed, which means more time is used and larger reports are generated.

I would suggest that you see how large the average bson log your setup generates is, and adjust the limit according to that. You can see the logs at $CWD/storage/analyses/logs.
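As an added example (not part of this thread and not the Cuckoo project's own code), here is a small Python script that does the survey RicoVZ suggests: it walks the behavior logs under a Cuckoo working directory, lists which ones are larger than a given analysis_size_limit (and so would be skipped by processing), and proposes a limit with some headroom over the largest log observed. It assumes the logs live at storage/analyses/<taskid>/logs/*.bson and that the limit is compared per log file; the directory tree and file sizes it builds are constructed for the demonstration only.

```python
import os
import tempfile
from typing import Dict, List, Tuple

# Constructed sample layout, mimicking $CWD/storage/analyses/<taskid>/logs/*.bson.
# The sizes are made up for the demonstration; they are not real Cuckoo output.
SAMPLE_LOGS = {
    "1": [50_000, 120_000],
    "2": [3_500_000],
    "3": [900_000, 400_000],
}


def build_sample_tree(root: str) -> str:
    """Create a fake Cuckoo CWD under `root` holding .bson files of the sizes above."""
    for task, sizes in SAMPLE_LOGS.items():
        logs = os.path.join(root, "storage", "analyses", task, "logs")
        os.makedirs(logs, exist_ok=True)
        for index, size in enumerate(sizes):
            with open(os.path.join(logs, f"{index}.bson"), "wb") as fh:
                fh.write(b"\0" * size)
    return root


def bson_log_sizes(cwd: str) -> List[Tuple[str, str, int]]:
    """Return (task_id, filename, bytes) for every .bson under storage/analyses/*/logs."""
    base = os.path.join(cwd, "storage", "analyses")
    found = []
    for task in sorted(os.listdir(base)):
        logs = os.path.join(base, task, "logs")
        if not os.path.isdir(logs):
            continue
        for name in sorted(os.listdir(logs)):
            if name.endswith(".bson"):
                found.append((task, name, os.path.getsize(os.path.join(logs, name))))
    return found


def logs_over_limit(entries: List[Tuple[str, str, int]], limit: int) -> List[Tuple[str, str, int]]:
    """Logs that exceed the limit (assumption: Cuckoo applies it per behavior log file)."""
    return [entry for entry in entries if entry[2] > limit]


def suggest_limit(entries: List[Tuple[str, str, int]], headroom: float = 1.5) -> int:
    """Largest observed log times a headroom factor, rounded up to a whole MiB."""
    if not entries:
        return 0
    largest = max(entry[2] for entry in entries)
    mib = 1024 * 1024
    return -(-int(largest * headroom) // mib) * mib  # ceiling division to MiB


def report(cwd: str, limit: int) -> Dict[str, object]:
    """Summarise the log sizes under `cwd` against the given analysis_size_limit."""
    entries = bson_log_sizes(cwd)
    return {
        "count": len(entries),
        "largest": max((entry[2] for entry in entries), default=0),
        "skipped": [(task, name) for task, name, _ in logs_over_limit(entries, limit)],
        "suggested_limit": suggest_limit(entries),
    }


def run_demo(limit: int = 1_000_000) -> Dict[str, object]:
    """Build the constructed tree in a temporary directory and report on it."""
    with tempfile.TemporaryDirectory() as tmp:
        return report(build_sample_tree(tmp), limit)


if __name__ == "__main__":
    # Point report() at a real Cuckoo CWD and the current analysis_size_limit to survey real logs.
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With the constructed tree and a limit of 1,000,000 bytes, the 3.5 MB log of task 2 is the only one flagged, and the suggested limit is 6 MiB (the largest log, times 1.5, rounded up). On a real deployment, replace the demo call with report("/path/to/cuckoo/cwd", current_limit) and compare the suggestion against the storage and processing-time budget RicoVZ describes.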

githule commented 5 years ago

I had the problem with recent ransomware (I will try to find the hashes again) that encrypts more files than usual, including files in the agent or analyzer directory (that is my interpretation of the report).

I have an idea but don't really know how to implement it or whether it works:

Another way to get this would be to add an option to run the agent as an admin (to collect information as usual), to protect access to the Cuckoo agent and analyzer at the FS level via ACLs, and to drop the admin rights to a standard user for the sample execution.

I will try to get back some logs and reports to bring you some elements.