jbremer
commented
6 years ago This is a .NET sample. We had a bug in there before. Please upgrade to the latest Cuckoo (currently 2.0.5, by running pip install -U cuckoo) and try again. Thanks.
Open gugronnier opened 6 years ago
jbremer
commented
6 years ago This is a .NET sample. We had a bug in there before. Please upgrade to the latest Cuckoo (currently 2.0.5, by running pip install -U cuckoo) and try again. Thanks.
gugronnier
commented
6 years ago I already use Cuckoo 2.0.5 (github version). i will try it again Monday 12th February, but i don't thinks the problem is resolve.
rev3nant
commented
6 years ago Having same and/or similar issue as gugronnier, although my Windows 7 64-Bit isn't as robust with all the bells and whistles it does have the agent.py as full admin. Running Cuckoo 2.0.5 however on macOS High Sierra 10.13.3. Cuckoo fires up no issues, 'cuckoo web runserver' no issues (mongoDB installed and started), web gui fires up no issues. SWIG is installed, however, m2crypto==0.24.0 will not (macOS?). I noticed sufficient Ubuntu documentation, just wasn't a lot of macOS stuff to reference. I'm still on a learning curve since I'm still new to security just need pointed in the right direction. Thanks.
Submit sample to analyze, then I get the following:
2018-02-09 15:08:42,811 [cuckoo.core.scheduler] INFO: Task #3: acquired machine cuckoo1 (label=cuckoo1)
2018-02-09 15:08:42,817 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 30851 (interface=vboxnet0, host=192.168.56.101)
2018-02-09 15:08:42,818 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2018-02-09 15:08:42,915 [cuckoo.machinery.virtualbox] DEBUG: Starting vm cuckoo1
2018-02-09 15:08:43,038 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine cuckoo1 to its current snapshot
2018-02-09 15:08:46,948 [cuckoo.core.guest] INFO: Starting analysis on guest (id=cuckoo1, ip=192.168.56.101)
2018-02-09 15:08:47,955 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2018-02-09 15:08:48,964 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2018-02-09 15:08:49,971 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2018-02-09 15:08:50,185 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.8 (id=cuckoo1, ip=192.168.56.101)
2018-02-09 15:08:50,203 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=cuckoo1, ip=192.168.56.101, monitor=latest, size=1765585)
2018-02-09 15:08:50,420 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2018-02-09 15:08:50,556 [cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized.
2018-02-09 15:08:51,424 [cuckoo.core.guest] WARNING: cuckoo1: analysis caught an exception
Traceback (most recent call last):
File "C:/tmp53iwul/analyzer.py", line 798, in
2018-02-09 15:08:51,434 [cuckoo.core.plugins] ERROR: Unable to stop auxiliary module: Sniffer
Traceback (most recent call last):
File "/Users/userID/venv_cuckoo4/lib/python2.7/site-packages/cuckoo/core/plugins.py", line 162, in stop
module.stop()
File "/Users/userID/venv_cuckoo4/lib/python2.7/site-packages/cuckoo/auxiliary/sniffer.py", line 154, in stop
(out, err, faq("permission-denied-for-tcpdump"))
CuckooOperationalError: Error running tcpdump to sniff the network traffic during the analysis; stdout = '' and stderr = "tcpdump: vboxnet0: You don't have permission to capture on that device\n((cannot open BPF device) /dev/bpf0: Permission denied)\n". Did you enable the extra capabilities to allow running tcpdump as non-root user and disable AppArmor properly (the latter only applies to Ubuntu-based distributions with AppArmor, see also https://cuckoo.sh/docs/faq/index.html#permission-denied-for-tcpdump)?
2018-02-09 15:08:51,438 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm cuckoo1
2018-02-09 15:08:54,032 [cuckoo.core.scheduler] DEBUG: Released database task #3
2018-02-09 15:08:54,060 [cuckoo.core.plugins] DEBUG: Executed processing module "AnalysisInfo" for task #3
2018-02-09 15:08:54,061 [cuckoo.core.plugins] DEBUG: Executed processing module "BehaviorAnalysis" for task #3
2018-02-09 15:08:54,061 [cuckoo.core.plugins] DEBUG: Executed processing module "Dropped" for task #3
2018-02-09 15:08:54,061 [cuckoo.core.plugins] DEBUG: Executed processing module "DroppedBuffer" for task #3
2018-02-09 15:08:54,062 [cuckoo.core.plugins] DEBUG: Executed processing module "MetaInfo" for task #3
2018-02-09 15:08:54,063 [cuckoo.core.plugins] DEBUG: Executed processing module "ProcessMemory" for task #3
2018-02-09 15:08:54,063 [cuckoo.core.plugins] DEBUG: Executed processing module "Procmon" for task #3
2018-02-09 15:08:54,064 [cuckoo.core.plugins] DEBUG: Executed processing module "Screenshots" for task #3
2018-02-09 15:08:54,470 [cuckoo.processing.static] CRITICAL: You do not have the m2crypto library installed preventing certificate extraction. Please read the Cuckoo documentation on installing m2crypto (you need SWIG installed and then pip install m2crypto==0.24.0)!
2018-02-09 15:08:54,505 [cuckoo.core.plugins] DEBUG: Executed processing module "Static" for task #3
2018-02-09 15:08:54,637 [cuckoo.core.plugins] DEBUG: Executed processing module "Strings" for task #3
2018-02-09 15:08:54,773 [cuckoo.core.plugins] DEBUG: Executed processing module "TargetInfo" for task #3
2018-02-09 15:08:54,774 [cuckoo.processing.network] WARNING: The PCAP file does not exist at path "/Users/userID/.cuckoo/storage/analyses/3/dump.pcap".
2018-02-09 15:08:54,774 [cuckoo.core.plugins] DEBUG: Executed processing module "NetworkAnalysis" for task #3
2018-02-09 15:08:54,775 [cuckoo.core.plugins] DEBUG: Executed processing module "Extracted" for task #3
2018-02-09 15:08:54,775 [cuckoo.core.plugins] DEBUG: Executed processing module "TLSMasterSecrets" for task #3
2018-02-09 15:08:54,777 [cuckoo.core.plugins] DEBUG: Executed processing module "Debug" for task #3
2018-02-09 15:08:54,778 [cuckoo.core.plugins] DEBUG: Running 0 signatures
2018-02-09 15:08:54,787 [cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump"
rev3nant
commented
6 years ago You can close this on my end. Blew away 'cwd' and 'venv' and rebuilt it making sure any pip installs took place within the venv. Also did sudo chmod o+r /dev/bpf* and re-ran cuckoo. all set
rev3nant
commented
6 years ago Or, maybe I'm an idiot who doesn't know what he's talking about and that's perfectly okay as well ^_^
Still relatively new to all this but mainly saying that because it seemed to work okay and now it's doing the same thing again.
Sample: WannaCry <<== Pulled it down from theZoo MD5 | 84c82835a5d21bbcf75a61706d8ab549 SHA1 | 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467 SHA256 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Host: MacBook PRO 10.13.3 High Sierra Guest: Windows 7 x64 with basically same configuration as @gugronnier above (mine is using a valid Windows license MAK key) using VBox v. 5.2.6 (fwiw 5.2.12 is available just haven't upgraded it yet) Cuckoo Sandbox 2.0.5 with all community addons as well
2018-05-23 09:03:51,594 [cuckoo.core.scheduler] INFO: Task #17: acquired machine cuckoo1 (label=cuckoo1)
2018-05-23 09:03:51,600 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 21058 (interface=vboxnet0, host=192.168.56.101)
2018-05-23 09:03:51,601 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2018-05-23 09:03:51,617 [cuckoo.machinery.virtualbox] DEBUG: Starting vm cuckoo1
2018-05-23 09:03:51,929 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine cuckoo1 to its current snapshot
2018-05-23 09:03:57,420 [cuckoo.core.guest] INFO: Starting analysis on guest (id=cuckoo1, ip=192.168.56.101)
2018-05-23 09:03:58,428 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2018-05-23 09:03:59,435 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2018-05-23 09:04:00,447 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2018-05-23 09:04:01,165 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.8 (id=cuckoo1, ip=192.168.56.101)
2018-05-23 09:04:01,188 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=cuckoo1, ip=192.168.56.101, monitor=latest, size=3814549)
2018-05-23 09:04:01,538 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing
2018-05-23 09:04:01,678 [cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized.
2018-05-23 09:04:02,541 [cuckoo.core.guest] WARNING: cuckoo1: analysis caught an exception
Traceback (most recent call last):
File "C:/tmpuxomd/analyzer.py", line 798, in
2018-05-23 09:04:02,548 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer 2018-05-23 09:04:02,548 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm cuckoo1 2018-05-23 09:04:05,341 [cuckoo.core.scheduler] DEBUG: Released database task #17 2018-05-23 09:04:05,374 [cuckoo.core.plugins] DEBUG: Executed processing module "AnalysisInfo" for task #17 2018-05-23 09:04:05,376 [cuckoo.core.plugins] DEBUG: Executed processing module "BehaviorAnalysis" for task #17 2018-05-23 09:04:05,377 [cuckoo.core.plugins] DEBUG: Executed processing module "Dropped" for task #17 2018-05-23 09:04:05,377 [cuckoo.core.plugins] DEBUG: Executed processing module "DroppedBuffer" for task #17 2018-05-23 09:04:05,378 [cuckoo.core.plugins] DEBUG: Executed processing module "MetaInfo" for task #17 2018-05-23 09:04:05,378 [cuckoo.core.plugins] DEBUG: Executed processing module "ProcessMemory" for task #17 2018-05-23 09:04:05,379 [cuckoo.core.plugins] DEBUG: Executed processing module "Procmon" for task #17 2018-05-23 09:04:05,379 [cuckoo.core.plugins] DEBUG: Executed processing module "Screenshots" for task #17 2018-05-23 09:04:06,565 [cuckoo.core.plugins] DEBUG: Executed processing module "Static" for task #17 2018-05-23 09:04:06,565 [cuckoo.core.plugins] DEBUG: Executed processing module "Strings" for task #17 2018-05-23 09:04:07,037 [cuckoo.core.plugins] DEBUG: Executed processing module "TargetInfo" for task #17 2018-05-23 09:04:07,041 [cuckoo.core.plugins] DEBUG: Executed processing module "NetworkAnalysis" for task #17 2018-05-23 09:04:07,042 [cuckoo.core.plugins] DEBUG: Executed processing module "Extracted" for task #17 2018-05-23 09:04:07,042 [cuckoo.core.plugins] DEBUG: Executed processing module "TLSMasterSecrets" for task #17 2018-05-23 09:04:07,045 [cuckoo.core.plugins] DEBUG: Executed processing module "Debug" for task #17 2018-05-23 09:04:07,047 [cuckoo.core.plugins] DEBUG: Running 539 signatures 2018-05-23 09:04:07,180 [cuckoo.core.plugins] ERROR: Failed to run 'on_complete' of the url_file signature Traceback (most recent call last): File "/Users/obfuscate/venv_cuckoo10/lib/python2.7/site-packages/cuckoo/core/plugins.py", line 413, in call_signature if not signature.matched and handler(*args, **kwargs): File "/Users/obfuscate/.cuckoo/signatures/windows/url_file.py", line 21, in on_complete if "Internet shortcut" not in self.file.get("type", ""): AttributeError: 'URLFile' object has no attribute 'file' 2018-05-23 09:04:07,209 [cuckoo.core.plugins] DEBUG: Analysis matched signature: packer_entropy 2018-05-23 09:04:07,210 [cuckoo.core.plugins] DEBUG: Analysis matched signature: peid_packer 2018-05-23 09:04:07,210 [cuckoo.core.plugins] DEBUG: Analysis matched signature: pe_unknown_resource_name 2018-05-23 09:04:07,216 [cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump"
Any help or comments greatly appreciated!
I have the same error than https://github.com/cuckoosandbox/cuckoo/issues/1672 and than https://github.com/cuckoosandbox/cuckoo/issues/1918 for a keylogger sample (md5 : 0cdaa9794ce629a66f3f1e26eb7f412e)
My VM is Windows 7 Pro x64 (6.1.7601 SP1 Build 7601) cuckoosandbox version 2.0.5 with all community addons
My VM config:
execution:
log of the problem: `2018-02-02 16:57:35,468 [cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized. 2018-02-02 16:57:39,723 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0001.jpg 2018-02-02 16:57:39,735 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 32805 2018-02-02 16:57:39,912 [cuckoo.core.guest] DEBUG: cuckoo1: analysis still processing 2018-02-02 16:57:45,821 [cuckoo.core.guest] WARNING: cuckoo1: analysis caught an exception Traceback (most recent call last): File "C:/tmpv6gtas/analyzer.py", line 798, in
success = analyzer.run()
File "C:/tmpv6gtas/analyzer.py", line 650, in run
pids = self.package.start(self.target)
File "C:\tmpv6gtas\modules\packages\exe.py", line 23, in start
return self.execute(path, args=shlex.split(args))
File "C:\tmpv6gtas\lib\common\abstracts.py", line 166, in execute
"Unable to execute the initial process, analysis aborted."
CuckooPackageError: Unable to execute the initial process, analysis aborted.
2018-02-02 16:57:45,999 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer 2018-02-02 16:57:46,000 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm Cuckoo_W7x64`