cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

The guest can't change status and hasn't been able to contact the host #2260

Open socengsoc opened 6 years ago

socengsoc commented 6 years ago

Thanks for creating an issue! But first: did you read our community guidelines? https://cuckoo.sh/docs/introduction/community.html

My issue is:

I submitted the .exe malware sample; the guest then tried to change the status but it failed, then the waiting time finished and the analysis also failed. I have googled the error and I found the issues with IDs #572 and #2247.

I followed the solutions from the previous issues. I checked the resultserver IP and it's the same in the machinery file and the cuckoo file. Everything seems OK; I have made sure the firewall and the antivirus are disabled. The cuckoo host IP: 192.168.56.1; the guest (Win7) IP: 192.168.56.101; the network adapter mode is host-only; the host and guest can communicate with each other (ping).

My Cuckoo version and operating system are:

cuckoo version: 2.5; the host: Ubuntu; the guest: Windows 7 64 bit

This can be reproduced by:
The log, error, files etc can be found at:

(screenshots attached: new, new2)

doomedraven commented 6 years ago

Stupid question: as I see status "saved", in which state did you take the snapshot?

socengsoc commented 6 years ago

@doomedraven As far as I know, after submitting the malware the status of the guest changes from powered off to running, and that did not happen. Also, why did the error occur? What does the error mean? Has the analysis completed?

doomedraven commented 6 years ago

So the snapshot is in the running state, correct? Can you start a malware analysis and, from the host, execute curl 192.168.56.101:8000 and post the result?

socengsoc commented 6 years ago

I have started the analysis and then executed curl 192.168.56.101:8000; the result is "no route to host". (screenshot: curl)

Then I telneted the host from the guest (telnet 192.168.56.1 on port 23); the connection failed. (screenshot: telnet)

The host and guest can ping each other. The network adapter is in host-only mode; there is no need to add any route between the host and guest.

The firewall and the antivirus are disabled. I also ran the Win CMD as admin and telneted again: the same issue.

doomedraven commented 6 years ago

Forget about ping, ping is useless here. As the curl fails, cuckoo can't connect to the agent and this is why you have this problem; you need to investigate your network configuration/iptables/ufw/etc.

socengsoc commented 6 years ago

I didn't add any rule to iptables or modify the network config. I followed the documentation for the installation.

doomedraven commented 6 years ago

Your OS could, but you can see that your host has a problem reaching the guest over the network, so without access to your host it is hard to say what is wrong. For example, do you use a static route or do you use a router?

Also, the host is Ubuntu, but which version? >17.0x are known to add their own iptables rules.

socengsoc commented 6 years ago

@doomedraven @jbremer @RicoVZ

I know that the connection issue is outside cuckoo's scope, but I have done my best; if anyone can help me I appreciate the effort. I have printed the routing table on the Linux Ubuntu 16.4; the route to the guest exists. (screenshot: route2)

I have also printed the routing table on the guest; the route to the host exists as well. (screenshot: route1)

With curl 192.168.56.101:8080 the connection is refused, while telnet 192.168.56.101 is working fine. (screenshot: telnetlinux) The success of the analysis depends on the ability of the host to contact the guest.

doomedraven commented 6 years ago

Because there is nothing on 8080; the agent is on 8000.

RicoVZ commented 6 years ago

Hi socengsoc,

Could you try the following steps in this order:

  1. Submit a file using the command line tool, using the following command and parameters: cuckoo submit somefile --timeout 300 --enforce-timeout.
  2. Start cuckoo: cuckoo --debug.
  3. When the logging says it is starting your machine, try curl http://machine_ip:8000 a few times.

This causes an HTTP request to be sent to the Cuckoo agent (which should be running in your vm on TCP/8000 when you take the snapshot). The request should be sent when the vm is running, otherwise no route to it can be found.

From the telnet it looks like network traffic can reach the vm at least. The check I am suggesting (in the order I stated) is to verify if the agent is actually running and responding.

Besides this, please post a full cuckoo.log on a site like https://pastebin.com/, and post the link here. Please do not post the log output in a comment, as the Github markup will make it almost unreadable.
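The check above (curl against the agent on TCP/8000 while the VM is up) can be scripted so the failure mode is named instead of eyeballed: "no route to host" (the VM is not up or not on the host-only network), "connection refused" (the VM answers but nothing listens on that port, as with the 8080 attempt later in this thread), a timeout (packets dropped, typically by a firewall), or a real agent reply. The script below is an added example written for this page, not Cuckoo's own code or a tool RicoVZ posted. It assumes the Cuckoo 2.x agent answers GET / with JSON containing the string "Cuckoo Agent!" (assumption, not verified against the page), and the fake agent it starts for the self-test is a constructed stand-in, not the real agent.

```python
"""Classify why a Cuckoo host cannot reach the guest agent (added example, not Cuckoo code)."""
import errno
import http.server
import json
import socket
import threading
import urllib.error
import urllib.request

AGENT_PORT = 8000              # Cuckoo agent port, as stated in the thread
GUEST_IP = "192.168.56.101"    # guest IP from the issue report


def probe_agent(host, port=AGENT_PORT, timeout=3.0):
    """Return (status, detail) for host:port.

    status is one of: no_route, refused, timeout, agent_ok, other_service,
    http_error, error. Each maps to a different place to look for the fault."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        sock.close()
    except socket.timeout:
        return ("timeout", "no SYN/ACK within %.1fs: VM not up yet, or packets "
                           "dropped by a host/guest firewall" % timeout)
    except OSError as exc:
        if exc.errno == errno.EHOSTUNREACH:
            return ("no_route", "EHOSTUNREACH: no route/ARP reply; VM is off or "
                                "not attached to the host-only network")
        if exc.errno == errno.ECONNREFUSED:
            return ("refused", "TCP RST: the VM answers but nothing listens on "
                               "port %d (agent not started, or wrong port)" % port)
        return ("error", "%s: %s" % (type(exc).__name__, exc))

    # TCP works, so check that the listener speaks HTTP the way the agent does.
    # Proxies are disabled so an http_proxy in the environment cannot mask the real path.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open("http://%s:%d/" % (host, port), timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return ("http_error", "HTTP %d from %s:%d" % (exc.code, host, port))
    except (urllib.error.URLError, OSError) as exc:
        return ("error", "HTTP request failed: %s" % exc)
    # Assumption: the Cuckoo 2.x agent greets GET / with JSON containing "Cuckoo Agent!".
    if "Cuckoo Agent" in body:
        return ("agent_ok", body.strip())
    return ("other_service", body[:200])


class _FakeAgentHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the agent's GET / reply, used only for the self-test."""

    def do_GET(self):
        body = json.dumps({"message": "Cuckoo Agent!", "version": "constructed"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the self-test quiet
        pass


def start_fake_agent():
    """Serve the fake agent on 127.0.0.1 and an ephemeral port; returns (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _FakeAgentHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def stop_fake_agent(srv):
    srv.shutdown()
    srv.server_close()


def closed_port():
    """Bind and release a loopback port so a connect to it is refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Run this on the Cuckoo host while the analysis VM is being started.
    status, detail = probe_agent(GUEST_IP)
    print("%s:%d -> %s: %s" % (GUEST_IP, AGENT_PORT, status, detail))
```

Run it from the host a few times while `cuckoo --debug` reports that it is starting the machine: `no_route` or `timeout` points at the VM/network layer (snapshot state, host-only adapter, iptables/ufw), `refused` means the VM is reachable but the agent was not running when the snapshot was taken or a wrong port is being probed, and `agent_ok` means the path is fine and the problem lies elsewhere in Cuckoo.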

socengsoc commented 6 years ago

@RicoVZ Thanks for the reply and sorry for the delay. The URL for the cuckoo log is: https://pastebin.com/dmVFHs0Y

I have done the previous steps and the error is now not shown; I don't know how or why. I have got a new warning/error message, as in the following snapshot.

(screenshot attached: newerror)

RicoVZ commented 6 years ago

@socengsoc Thanks for posting the logs. :smile:

An analysis package seems to crash. Can you post the analysis.log file for this analysis? You can find it in $CWD/storage/analyses/13/analysis.log. It looks like you submitted an exe file with the ie package.

What happens when you do not provide an analysis package?

socengsoc commented 6 years ago

the URL for analysis log is

https://pastebin.com/UYuYDK47

socengsoc commented 6 years ago

@RicoVZ I have set the analysis package type with the following line

cuckoo submit --package exe /tmp/0.exe --timeout 300 --enforce-timeout

//////////////////////////////////////////////////
2018-05-12 11:06:57,105 [analyzer] DEBUG: Starting analyzer from: C:\tmpj7vgwc
2018-05-12 11:06:57,121 [analyzer] DEBUG: Pipe server name: \??\PIPE\EAjUWTCEGrJaJIjORClFDv
2018-05-12 11:06:57,121 [analyzer] DEBUG: Log pipe server name: \??\PIPE\TYZniBGVscUnFEVpHZCHmdVsfydAMP
2018-05-12 11:06:57,323 [analyzer] DEBUG: Started auxiliary module DbgView
2018-05-12 11:06:57,651 [analyzer] DEBUG: Started auxiliary module Disguise
2018-05-12 11:06:57,808 [modules.auxiliary.dumptls] WARNING: You're not running the Cuckoo Agent as Administrator. Doing so will improve your analysis results!
2018-05-12 11:06:57,808 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-05-12 11:06:57,808 [analyzer] DEBUG: Started auxiliary module Human
2018-05-12 11:06:57,808 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-05-12 11:06:57,808 [analyzer] DEBUG: Started auxiliary module Reboot
2018-05-12 11:06:58,151 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-05-12 11:06:58,151 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-05-12 11:06:58,151 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2018-05-12 11:06:58,167 [modules.auxiliary.screenshots] INFO: Python Image Library (either PIL or Pillow) is not installed, screenshots are disabled.