cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Behavioral analysis feature breaks Office #2200

Open doria90 opened 6 years ago

doria90 commented 6 years ago

Hi All, I've been playing with the latest Cuckoo (2.0.5) and have noticed a persistent issue with running Office when behavioral analysis is turned on: it simply doesn't work. When using a Windows 10 analysis machine, this is what you get: [image]. And when using a Windows 7 machine it simply crashes.

Analysis machines have UAC disabled and use the Administrator account. Here's the analyzer log:

2018-03-27 14:34:58,003 [analyzer] DEBUG: Starting analyzer from: C:\tmpabdmci
2018-03-27 14:34:58,006 [analyzer] DEBUG: Pipe server name: \??\PIPE\lMTWnDKJMnRusgpO
2018-03-27 14:34:58,006 [analyzer] DEBUG: Log pipe server name: \??\PIPE\YiAaaQmawxXZwirlXLuYGVlpW
2018-03-27 14:34:58,138 [analyzer] DEBUG: Started auxiliary module DbgView
2018-03-27 14:34:58,515 [analyzer] DEBUG: Started auxiliary module Disguise
2018-03-27 14:34:58,716 [analyzer] DEBUG: Loaded monitor into process with pid 664
2018-03-27 14:34:58,716 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-03-27 14:34:58,716 [analyzer] DEBUG: Started auxiliary module Human
2018-03-27 14:34:58,716 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-03-27 14:34:58,716 [analyzer] DEBUG: Started auxiliary module Reboot
2018-03-27 14:34:58,762 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-03-27 14:34:58,762 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-03-27 14:34:58,762 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2018-03-27 14:34:58,871 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\WINWORD.EXE' with arguments [u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\asd.docx'] and pid 8168
2018-03-27 14:34:59,278 [analyzer] DEBUG: Loaded monitor into process with pid 8168
2018-03-27 14:34:59,809 [analyzer] DEBUG: Received request to inject pid=8168, but we are already injected there.
2018-03-27 14:34:59,839 [analyzer] INFO: Added new file to list with pid 8168 and path \Device\NamedPipe\wkssvc
2018-03-27 14:35:00,342 [analyzer] INFO: Added new file to list with pid 8168 and path C:\Users\Administrator\AppData\Local\Microsoft\TokenBroker\Cache\74a0ad00a184813f0b8867eb2f8dfef7227a18a4.tbres
2018-03-27 14:35:04,851 [analyzer] INFO: Added new file to list with pid 8168 and path C:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\winword.exe.db.session-journal
2018-03-27 14:35:04,868 [analyzer] INFO: Added new file to list with pid 8168 and path C:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\winword.exe.db.session
2018-03-27 14:35:04,898 [analyzer] INFO: Added new file to list with pid 8168 and path C:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
2018-03-27 14:35:28,211 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-03-27 14:35:28,243 [analyzer] WARNING: File at path u'\\device\\namedpipe\\wkssvc' does not exist, skip.
2018-03-27 14:35:28,243 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\microsoft\\office\\otele\\winword.exe.db.session-journal' does not exist, skip.
2018-03-27 14:35:28,243 [analyzer] INFO: Analysis completed.

I think it has something to do with the monitor and its injections, but I'm not sure. Looking forward to this discussion; let me know if there's anything else I can provide.

Amit
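As an added example (not Cuckoo's own code and not from any participant in this thread), the following Python script parses analyzer log lines in the layout quoted above and pulls out what a reviewer checks first when the monitor appears to break a sample: whether the monitor was loaded into the sample pid, whether that pid received a second injection request, whether the run was cut short by the timeout, and which touched paths were already gone when files were collected. The embedded log is a constructed sample built from entries in the post; the regexes and the `diagnose` findings are this example's own and are not analyzer semantics documented by the project.

```python
"""Triage helper for a Cuckoo analyzer log (added example, not project code)."""
import re
from datetime import datetime

# Constructed sample: log entries quoted in the report, one per line.
SAMPLE_LOG = r"""
2018-03-27 14:34:58,716 [analyzer] DEBUG: Loaded monitor into process with pid 664
2018-03-27 14:34:58,871 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\WINWORD.EXE' with arguments [u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\asd.docx'] and pid 8168
2018-03-27 14:34:59,278 [analyzer] DEBUG: Loaded monitor into process with pid 8168
2018-03-27 14:34:59,809 [analyzer] DEBUG: Received request to inject pid=8168, but we are already injected there.
2018-03-27 14:34:59,839 [analyzer] INFO: Added new file to list with pid 8168 and path \Device\NamedPipe\wkssvc
2018-03-27 14:35:04,851 [analyzer] INFO: Added new file to list with pid 8168 and path C:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\winword.exe.db.session-journal
2018-03-27 14:35:28,211 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-03-27 14:35:28,243 [analyzer] WARNING: File at path u'\\device\\namedpipe\\wkssvc' does not exist, skip.
2018-03-27 14:35:28,243 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\microsoft\\office\\otele\\winword.exe.db.session-journal' does not exist, skip.
2018-03-27 14:35:28,243 [analyzer] INFO: Analysis completed.
"""

# "<date> <time>,<ms> [<source>] <LEVEL>: <message>": the layout every line above follows.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<src>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$"
)
# Message patterns written against the wording seen in the log (this example's own, an assumption
# about the log format rather than a documented contract).
STARTED_RE = re.compile(r"Successfully executed process from path '(?P<path>.+?)' with arguments .* and pid (?P<pid>\d+)$")
LOADED_RE = re.compile(r"Loaded monitor into process with pid (?P<pid>\d+)$")
REINJECT_RE = re.compile(r"Received request to inject pid=(?P<pid>\d+), but we are already injected there\.")
FILE_RE = re.compile(r"Added new file to list with pid (?P<pid>\d+) and path (?P<path>.+)$")
MISSING_RE = re.compile(r"File at path u'(?P<path>.+)' does not exist, skip\.")
TIMEOUT_RE = re.compile(r"Analysis timeout hit")


def norm(path):
    """Fold the log's escaped backslashes and case so touched and missing paths compare equal."""
    return path.replace("\\\\", "\\").lower()


def parse_log(text):
    """Return one dict per well-formed entry (timestamp parsed); other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S,%f")
            entries.append(d)
    return entries


def summarize(text):
    """Collect the facts about the sample process that matter when injection is suspected."""
    entries = parse_log(text)
    s = {
        "sample_pid": None, "sample_path": None,
        "injected_pids": [], "reinjected_pids": [],
        "files_touched": [], "files_missing_at_end": [],
        "ended_by_timeout": False, "duration_seconds": None,
    }
    for e in entries:
        msg = e["msg"]
        m = STARTED_RE.search(msg)
        if m:
            s["sample_pid"], s["sample_path"] = int(m.group("pid")), norm(m.group("path"))
            continue
        m = LOADED_RE.search(msg)
        if m:
            s["injected_pids"].append(int(m.group("pid")))
            continue
        m = REINJECT_RE.search(msg)
        if m:
            s["reinjected_pids"].append(int(m.group("pid")))
            continue
        m = FILE_RE.search(msg)
        if m:
            s["files_touched"].append((int(m.group("pid")), norm(m.group("path"))))
            continue
        m = MISSING_RE.search(msg)
        if m:
            s["files_missing_at_end"].append(norm(m.group("path")))
            continue
        if TIMEOUT_RE.search(msg):
            s["ended_by_timeout"] = True
    # Derived facts: was the sample itself monitored, and how long did the run last?
    s["sample_injected"] = s["sample_pid"] in s["injected_pids"]
    if entries:
        s["duration_seconds"] = (entries[-1]["ts"] - entries[0]["ts"]).total_seconds()
    return s


def diagnose(s):
    """Findings a reviewer would report from a summary, as short strings."""
    notes = []
    if s["sample_pid"] is None:
        return ["sample process was never started"]
    if not s["sample_injected"]:
        notes.append(f"monitor was never loaded into sample pid {s['sample_pid']}")
    if s["sample_pid"] in s["reinjected_pids"]:
        notes.append(f"pid {s['sample_pid']} got a second injection request after the monitor was already loaded")
    if s["ended_by_timeout"]:
        notes.append(f"analysis was cut off by the timeout {s['duration_seconds']:.1f}s after the first entry")
    if s["files_missing_at_end"]:
        notes.append(f"{len(s['files_missing_at_end'])} touched path(s) were gone when files were collected")
    return notes


if __name__ == "__main__":
    for note in diagnose(summarize(SAMPLE_LOG)):
        print("-", note)
```

Run it against a real analyzer.log by reading the file into `summarize` instead of `SAMPLE_LOG`; the point of the `norm` step is that the analyzer logs touched paths with single backslashes but the "does not exist" warnings with doubled, lower-cased ones, so a naive comparison would report every file as unmatched.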

doria90 commented 6 years ago

Plus, where can one disable this "Behavioral analysis" in advance? I tried looking into the configuration files and manually disabling it in the submission.js file under cuckoo\web\static\js\cuckoo without any luck: I tried setting it to false in the default_analysis_options and many others, but none of them worked in the JS file.

doomedraven commented 6 years ago

no injection on webgui/submission, something like that

doria90 commented 6 years ago

@doomedraven I couldn't find it, could you be more specific?

doomedraven commented 6 years ago

[screenshot: 2018-03-27 15:59:44]

doria90 commented 6 years ago

Oh, now I get you. I'm aware of this one; I'm trying to have it disabled all the time so I won't have to manually disable it for each analysis.

doomedraven commented 6 years ago

edit the webgui source code and done

RicoVZ commented 6 years ago

Hi doria90,

If other default options are desired, these can be changed in this web controller: https://github.com/cuckoosandbox/cuckoo/blob/master/cuckoo/web/controllers/submission/api.py#L39

In your case, you would set enable-injection to False.

doria90 commented 6 years ago

Hi Ricardo, I've actually played with these settings quite a lot but couldn't get them to change in practice. Were you able to get that done?

ag-michael commented 5 years ago

Any updates on this? This is still broken.

ag-michael commented 5 years ago

I've tried to duplicate what the process.py script does for this step: https://i.imgur.com/X7fdplC.png I've only gotten this far. As you can see in the screenshot, the Excel process is left suspended, which mimics what happens when running an analysis on Windows 10 machines with behavior analysis turned on.

I've also tried with the latest zer0m0n drivers with no luck.