Open LetMeR00t opened 6 years ago
I would be interested in analysing URLs with a browser different than IE.
@LetMeR00t did you also update $CWD/analyzer/... ?
You're right @jbremer, however why is my CWD not updated when I compile the code from source? It's the same for my configuration files, which haven't been updated since the 2.0.6 upgrade...
Well, it's not so easy :) A pop-up with "Invalid monitor mode" showed up ... I will try to make it work.
@jbremer, is it possible that my error is coming from these lines? https://github.com/cuckoosandbox/monitor/blob/cec6f77488df41f2f724b5c9270de1bc53afe959/src/config.c#L72-L74
Hi LetMeR00t,
When exactly are you getting this error? What analysis package are you using when this happens?
Hi @RicoVZ, I get this error at the start of my VM (actually you are seeing a screenshot of the VM). Apparently Google Chrome doesn't start, or only starts to show this message ... (as you can see on the taskbar, it's Google Chrome). Concerning Firefox, I don't get any error and no browser opens when I'm running the analysis.
For Firefox, I'm using the already existing package. For Google Chrome, I'm using a "chrome.py" package which is a copy of "ff.py" with the Google Chrome path in it.
@LetMeR00t Thanks :smile: Can you share the copied chrome.py package with us?
Hi @RicoVZ, here is the code:
```python
# Copyright (C) 2014 Optiv, Inc. (brad.spengler@optiv.com)
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.

from lib.common.abstracts import Package

class Chrome(Package):
    """Chrome analysis package."""
    PATHS = [
        ("ProgramFiles", "Google", "Chrome", "Application", "chrome.exe"),
    ]

    def start(self, url):
        chrome = self.get_path("Google Chrome")
        # pass the URL instead of a filename in this case
        return self.execute(chrome, "--new-window \"%s\"" % url, url)
```
@LetMeR00t Thanks for posting it. :smile:
The error is caused by how the arguments are provided to self.execute.
The function signature of .execute is:
```python
def execute(self, path, args, mode=None, maximize=False, env=None,
            source=None, trigger=None):
    """Starts an executable for analysis.
    @param path: executable path
    @param args: executable arguments
    @param mode: monitor mode - which functions to instrument
    @param maximize: whether the GUI should start maximized
    @param env: additional environment variables
    @param source: parent process of our process
    @param trigger: trigger to indicate analysis start
    @return: process pid
    """
```
At the moment, your arguments are passed to self.execute like this:

```python
self.execute("<path to Chrome>", '--new-window "http://example.com"', "http://example.com")
```

3 arguments. So the third is being put into the place of the mode argument.
All arguments to the executable you are starting should be passed as a list, like in subprocess.Popen. You should use:

```python
return self.execute(chrome, ["--new-window", url])
```
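To make the positional mix-up concrete, here is an added stand-in for Package (example code written for this page, not Cuckoo's own lib.common.abstracts). It keeps the execute() signature, rejects an unknown mode the way the guest's "Invalid monitor mode" check does, and builds the Windows command line with subprocess.list2cmdline instead of spawning anything, so it runs on any host. The mode names, the chrome.exe default and the second, hostile URL are assumptions made for the example.

```python
import os
import subprocess

# Monitor modes accepted by this stand-in. The names are an assumption made
# for the example; Cuckoo's real monitor validates its mode in src/config.c.
VALID_MODES = (None, "exe", "dll", "service")


class InvalidMonitorMode(ValueError):
    """Stands in for the "Invalid monitor mode" pop-up seen in the guest."""


class MiniPackage(object):
    """Illustrative stand-in for Cuckoo's lib.common.abstracts.Package.

    Only get_path() and execute() are modelled, and execute() returns the
    Windows command line it would run instead of spawning a process.
    """

    PATHS = []

    def get_path(self, application):
        # Each PATHS entry is (env var or directory, component, ..., exe); the
        # first element is expanded as an environment variable when it is set.
        for entry in self.PATHS:
            base = os.environ.get(entry[0], entry[0])
            candidate = os.path.join(base, *entry[1:])
            if os.path.exists(candidate):
                return candidate
        raise IOError("Unable to find a path for %s" % application)

    def execute(self, path, args, mode=None, maximize=False, env=None,
                source=None, trigger=None):
        # Same positional layout as the real signature: whatever is passed as
        # the third positional argument becomes `mode`.
        if mode not in VALID_MODES:
            raise InvalidMonitorMode("Invalid monitor mode: %r" % (mode,))
        if not isinstance(args, (list, tuple)):
            raise TypeError("args must be a list, not %s" % type(args).__name__)
        # list2cmdline applies the MS C runtime quoting rules, so each element
        # reaches the child process as exactly one argv entry.
        return subprocess.list2cmdline([path] + list(args))


class ChromeAsPosted(MiniPackage):
    """The posted chrome.py call: a pre-quoted string, plus the URL as mode."""
    PATHS = [("ProgramFiles", "Google", "Chrome", "Application", "chrome.exe")]

    # `chrome` is a parameter so the example does not need Chrome installed;
    # the real package resolves it with self.get_path().
    def start(self, url, chrome="chrome.exe"):
        return self.execute(chrome, "--new-window \"%s\"" % url, url)


class ChromeFixed(MiniPackage):
    """The corrected call: arguments as a list, `mode` left at its default."""
    PATHS = ChromeAsPosted.PATHS

    def start(self, url, chrome="chrome.exe"):
        return self.execute(chrome, ["--new-window", url])


def naive_cmdline(chrome, url):
    """The command line that string-formatting builds: a quote inside the URL
    is not escaped, so it closes the argument early."""
    return "%s --new-window \"%s\"" % (chrome, url)


def posted_package_fails(url):
    """True when the posted package trips the monitor-mode check for `url`."""
    try:
        ChromeAsPosted().start(url)
    except InvalidMonitorMode:
        return True
    return False


if __name__ == "__main__":
    url = "https://www.airfrance.fr"
    print("posted package rejected:", posted_package_fails(url))
    print("fixed command line:", ChromeFixed().start(url))
    hostile = 'http://example.com/?q=" --disable-web-security'
    print("naive:", naive_cmdline("chrome.exe", hostile))
    print("list :", ChromeFixed().start(hostile))
```

Besides landing the URL in `mode`, the string form is a command-line injection waiting to happen: a submitted URL containing a `"` closes the quoted argument and everything after it becomes extra switches for the browser under analysis, whereas list2cmdline escapes the quote so the whole URL stays one argument.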
Hi @RicoVZ, nice catch, however Google Chrome is still not working ... No GUI is started and no traffic is generated.
analysis.log
2018-06-26 20:40:27,078 [analyzer] DEBUG: Started auxiliary module Reboot
2018-06-26 20:40:27,171 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-06-26 20:40:27,171 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-06-26 20:40:27,171 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2018-06-26 20:40:27,280 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe' with arguments ['--new-window', 'https://www.airfrance.fr'] and pid 2856
2018-06-26 20:40:27,625 [analyzer] DEBUG: Loaded monitor into process with pid 2856
2018-06-26 20:40:27,750 [analyzer] INFO: Injected into process with pid 2364 and name u'chrome.exe'
2018-06-26 20:40:27,937 [analyzer] DEBUG: Loaded monitor into process with pid 2364
2018-06-26 20:40:28,062 [analyzer] INFO: Added new file to list with pid 2364 and path \Device\NamedPipe\crashpad_2856_KJWWHOGVCTIFVTHN
2018-06-26 20:40:28,092 [analyzer] INFO: Added new file to list with pid 2856 and path C:\Users\Sandbox\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
2018-06-26 20:40:29,983 [analyzer] INFO: Injected into process with pid 3068 and name u'chrome.exe'
2018-06-26 20:40:30,140 [analyzer] DEBUG: Loaded monitor into process with pid 3068
2018-06-26 20:40:49,584 [analyzer] INFO: Injected into process with pid 3392 and name u'chrome.exe'
2018-06-26 20:40:56,239 [lib.api.process] INFO: Memory dump of process with pid 2856 completed
2018-06-26 20:40:56,861 [lib.api.process] INFO: Memory dump of process with pid 2856 completed
2018-06-26 20:40:57,505 [lib.api.process] INFO: Memory dump of process with pid 2856 completed
2018-06-26 20:40:58,150 [lib.api.process] INFO: Memory dump of process with pid 2856 completed
2018-06-26 20:40:59,398 [lib.api.process] INFO: Memory dump of process with pid 2856 completed
2018-06-26 20:41:00,125 [lib.api.process] INFO: Memory dump of process with pid 2856 completed
2018-06-26 20:41:00,812 [lib.api.process] INFO: Memory dump of process with pid 2856 completed
2018-06-26 20:41:01,164 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-06-26 20:41:01,164 [analyzer] WARNING: File at path u'\\device\\namedpipe\\crashpad_2856_kjwwhogvctifvthn' does not exist, skip.
2018-06-26 20:41:01,164 [analyzer] INFO: Analysis completed.
cuckoo.log
2018-06-26 20:40:26,556 [cuckoo.core.scheduler] INFO: Task #2: acquired machine Windows (label=Windows)
2018-06-26 20:40:26,556 [cuckoo.auxiliary.mitm] DEBUG: TLS Master keys will be dropped in this file: /opt/cuckoo/storage/analyses/2/tlsmaster.mitm
2018-06-26 20:40:26,581 [cuckoo.auxiliary.mitm] INFO: Started mitm interception with PID 9532 (ip=192.168.56.1, port=8080).
2018-06-26 20:40:26,581 [cuckoo.core.plugins] DEBUG: Started auxiliary module: MITM
2018-06-26 20:40:26,628 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 9533 (interface=vboxnet0, host=192.168.56.101)
2018-06-26 20:40:26,628 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2018-06-26 20:40:26,983 [cuckoo.machinery.virtualbox] DEBUG: Starting vm Windows
2018-06-26 20:40:27,155 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine Windows to clean
2018-06-26 20:40:35,163 [cuckoo.core.guest] INFO: Starting analysis on guest (id=Windows, ip=192.168.56.101)
2018-06-26 20:40:36,217 [cuckoo.core.guest] DEBUG: Windows: not ready yet
2018-06-26 20:40:37,224 [cuckoo.core.guest] DEBUG: Windows: not ready yet
2018-06-26 20:40:38,229 [cuckoo.core.guest] DEBUG: Windows: not ready yet
2018-06-26 20:40:38,235 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.8 (id=Windows, ip=192.168.56.101)
2018-06-26 20:40:39,109 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=Windows, ip=192.168.56.101, monitor=latest, size=3854279)
2018-06-26 20:40:39,479 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:39,796 [cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized.
2018-06-26 20:40:40,483 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:41,490 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:42,293 [cuckoo.core.resultserver] DEBUG: New process (pid=2856, ppid=172, name=chrome.exe)
2018-06-26 20:40:42,497 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:42,658 [cuckoo.core.resultserver] DEBUG: New process (pid=2364, ppid=2856, name=chrome.exe)
2018-06-26 20:40:43,501 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:44,488 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0001.jpg
2018-06-26 20:40:44,492 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 75699
2018-06-26 20:40:44,505 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:44,870 [cuckoo.core.resultserver] DEBUG: New process (pid=3068, ppid=2856, name=chrome.exe)
2018-06-26 20:40:45,510 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:46,516 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:47,520 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:48,524 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:49,528 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:50,532 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:51,536 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:52,541 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:53,316 [cuckoo.core.resultserver] DEBUG: File upload request for files/1d97c69aea85d3b0_CrashpadMetrics.pma
2018-06-26 20:40:53,320 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 1048576
2018-06-26 20:40:53,480 [cuckoo.core.resultserver] DEBUG: File upload request for files/49f573f57ba97415_BrowserMetrics-5B250415-988.pma
2018-06-26 20:40:53,501 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 8388608
2018-06-26 20:40:53,546 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:53,974 [cuckoo.core.resultserver] DEBUG: File upload request for files/945e8a6c72ea933e_BrowserMetrics-5B330BE0-B28.pma
2018-06-26 20:40:53,992 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 8388608
2018-06-26 20:40:54,550 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:55,555 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:56,559 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:57,567 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:58,572 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:59,577 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:41:00,581 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:41:01,585 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:41:02,590 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:41:03,594 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:41:04,599 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
I added the files concerned.
I also tried with Firefox and it's the same: not working...
analysis.log
2018-06-26 20:46:54,000 [analyzer] DEBUG: Starting analyzer from: C:\tmpype8_u
2018-06-26 20:46:54,000 [analyzer] DEBUG: Pipe server name: \??\PIPE\gnhZctqbuiEQFZirZSQkBWeKl
2018-06-26 20:46:54,000 [analyzer] DEBUG: Log pipe server name: \??\PIPE\HRlMUUfwBPwPByiHaVQBYFmIDlSbI
2018-06-26 20:46:54,467 [analyzer] DEBUG: Started auxiliary module DbgView
2018-06-26 20:46:54,687 [analyzer] DEBUG: Started auxiliary module Disguise
2018-06-26 20:46:54,890 [analyzer] DEBUG: Loaded monitor into process with pid 504
2018-06-26 20:46:54,890 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-06-26 20:46:54,890 [analyzer] DEBUG: Started auxiliary module Human
2018-06-26 20:46:56,078 [modules.auxiliary.installcert] INFO: Successfully installed PFX certificate.
2018-06-26 20:46:56,078 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-06-26 20:46:56,078 [analyzer] DEBUG: Started auxiliary module Reboot
2018-06-26 20:46:56,187 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-06-26 20:46:56,187 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-06-26 20:46:56,187 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2018-06-26 20:46:56,296 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files\\Mozilla Firefox\\firefox.exe' with arguments ['https://www.airfrance.fr'] and pid 2932
2018-06-26 20:46:57,046 [analyzer] DEBUG: Loaded monitor into process with pid 2932
2018-06-26 20:47:29,322 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-06-26 20:47:29,322 [analyzer] INFO: Analysis completed.
cuckoo.log
2018-06-26 20:46:54,634 [cuckoo.core.scheduler] INFO: Task #3: acquired machine Windows (label=Windows)
2018-06-26 20:46:54,634 [cuckoo.auxiliary.mitm] DEBUG: TLS Master keys will be dropped in this file: /opt/cuckoo/storage/analyses/3/tlsmaster.mitm
2018-06-26 20:46:54,638 [cuckoo.auxiliary.mitm] INFO: Started mitm interception with PID 10106 (ip=192.168.56.1, port=8080).
2018-06-26 20:46:54,638 [cuckoo.core.plugins] DEBUG: Started auxiliary module: MITM
2018-06-26 20:46:54,656 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 10107 (interface=vboxnet0, host=192.168.56.101)
2018-06-26 20:46:54,657 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2018-06-26 20:46:54,966 [cuckoo.machinery.virtualbox] DEBUG: Starting vm Windows
2018-06-26 20:46:56,046 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine Windows to clean
2018-06-26 20:47:03,451 [cuckoo.core.guest] INFO: Starting analysis on guest (id=Windows, ip=192.168.56.101)
2018-06-26 20:47:04,453 [cuckoo.core.guest] DEBUG: Windows: not ready yet
2018-06-26 20:47:05,460 [cuckoo.core.guest] DEBUG: Windows: not ready yet
2018-06-26 20:47:06,463 [cuckoo.core.guest] DEBUG: Windows: not ready yet
2018-06-26 20:47:06,477 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.8 (id=Windows, ip=192.168.56.101)
2018-06-26 20:47:06,748 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=Windows, ip=192.168.56.101, monitor=latest, size=3854279)
2018-06-26 20:47:07,089 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:07,402 [cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized.
2018-06-26 20:47:08,094 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:09,097 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:10,108 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:10,356 [cuckoo.core.resultserver] DEBUG: New process (pid=2932, ppid=2500, name=firefox.exe)
2018-06-26 20:47:11,118 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:11,371 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0001.jpg
2018-06-26 20:47:11,391 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 75701
2018-06-26 20:47:12,125 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:13,136 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:14,141 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:15,145 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:16,149 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:17,153 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:18,158 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:19,163 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:20,168 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:21,173 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:22,179 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:23,184 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:24,188 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:25,192 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:26,196 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:27,200 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:28,204 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:29,210 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:30,215 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:31,220 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:32,224 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:33,229 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:34,233 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:35,237 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:36,242 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:37,248 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:38,252 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:38,829 [cuckoo.core.resultserver] DEBUG: File upload request for files/fd4c9fda9cd3f9ae_cookies.sqlite-shm
2018-06-26 20:47:38,835 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 32768
2018-06-26 20:47:39,171 [cuckoo.core.resultserver] DEBUG: File upload request for files/e3b0c44298fc1c14_cookies.sqlite-wal
2018-06-26 20:47:39,256 [cuckoo.core.guest] INFO: Windows: analysis completed successfully
2018-06-26 20:47:39,332 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: MITM
2018-06-26 20:47:39,365 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
My opinion is that new versions of Firefox and Google Chrome can't work with this Cuckoo, am I wrong? Which versions of Google Chrome / Firefox are you using on your side?
Thanks for your help.
Here is the information about my Google Chrome and Firefox versions in the guest:
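The two analysis.log excerpts above tell different stories once the per-pid events are lined up, which is tedious by eye. The parser below is an added example (written for this page, not part of Cuckoo) that reduces an analysis.log to which process was started, which pids got the monitor, which child processes were injected and whether memory dumps happened. The sample lines are copied from the logs posted above and trimmed to the process events; the parser only recognises the four message formats seen in those logs.

```python
import ast
import re

# Constructed sample: process-related lines copied from the two
# analysis.log excerpts posted in this thread (Chrome run, then Firefox run).
CHROME_LOG = r"""
2018-06-26 20:40:27,280 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe' with arguments ['--new-window', 'https://www.airfrance.fr'] and pid 2856
2018-06-26 20:40:27,625 [analyzer] DEBUG: Loaded monitor into process with pid 2856
2018-06-26 20:40:27,750 [analyzer] INFO: Injected into process with pid 2364 and name u'chrome.exe'
2018-06-26 20:40:27,937 [analyzer] DEBUG: Loaded monitor into process with pid 2364
2018-06-26 20:40:29,983 [analyzer] INFO: Injected into process with pid 3068 and name u'chrome.exe'
2018-06-26 20:40:30,140 [analyzer] DEBUG: Loaded monitor into process with pid 3068
2018-06-26 20:40:49,584 [analyzer] INFO: Injected into process with pid 3392 and name u'chrome.exe'
2018-06-26 20:40:56,239 [lib.api.process] INFO: Memory dump of process with pid 2856 completed
2018-06-26 20:41:01,164 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-06-26 20:41:01,164 [analyzer] INFO: Analysis completed.
"""

FIREFOX_LOG = r"""
2018-06-26 20:46:56,296 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files\\Mozilla Firefox\\firefox.exe' with arguments ['https://www.airfrance.fr'] and pid 2932
2018-06-26 20:46:57,046 [analyzer] DEBUG: Loaded monitor into process with pid 2932
2018-06-26 20:47:29,322 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-06-26 20:47:29,322 [analyzer] INFO: Analysis completed.
"""

# "<date> <time> [<source>] <LEVEL>: <message>", as written by the analyzer
_LINE = re.compile(r"^\S+ \S+ \[(?P<src>[^\]]+)\] (?P<level>\w+): (?P<msg>.*)$")
_EXEC = re.compile(r"Successfully executed process from path (?P<path>'[^']*') "
                   r"with arguments (?P<args>\[.*\]) and pid (?P<pid>\d+)$")
_LOADED = re.compile(r"Loaded monitor into process with pid (?P<pid>\d+)$")
_INJECTED = re.compile(r"Injected into process with pid (?P<pid>\d+) and name u?'(?P<name>[^']*)'$")
_DUMPED = re.compile(r"Memory dump of process with pid (?P<pid>\d+) completed$")


def parse_analysis_log(text):
    """Collect the per-pid monitor events from Cuckoo 2.x analysis.log lines."""
    s = {"root_pid": None, "root_path": None, "args": None,
         "monitor_loaded": set(), "injected": {}, "dumped": set(),
         "timeout": False}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        e = _EXEC.search(msg)
        if e:
            s["root_pid"] = int(e.group("pid"))
            # path and args are logged as Python reprs; literal_eval turns them
            # back into a str and a list without evaluating anything else
            s["root_path"] = ast.literal_eval(e.group("path"))
            s["args"] = ast.literal_eval(e.group("args"))
            continue
        l = _LOADED.search(msg)
        if l:
            s["monitor_loaded"].add(int(l.group("pid")))
            continue
        i = _INJECTED.search(msg)
        if i:
            s["injected"][int(i.group("pid"))] = i.group("name")
            continue
        d = _DUMPED.search(msg)
        if d:
            s["dumped"].add(int(d.group("pid")))
            continue
        if "Analysis timeout hit" in msg:
            s["timeout"] = True
    return s


def diagnose(s):
    """Reduce the parsed events to the questions behind 'nothing happened'."""
    root = s["root_pid"]
    children_injected = set(s["injected"]) - {root}
    children_monitored = s["monitor_loaded"] - {root}
    return {
        "started": root is not None,
        "monitor_in_root": root in s["monitor_loaded"],
        "children_injected": len(children_injected),
        "children_monitored": len(children_monitored),
        # injected but never reported a loaded monitor: worth a closer look
        "injected_but_not_loaded": sorted(children_injected - s["monitor_loaded"]),
        "memory_dumped": bool(s["dumped"]),
        "ran_to_timeout": s["timeout"],
    }


if __name__ == "__main__":
    for name, log in (("chrome", CHROME_LOG), ("firefox", FIREFOX_LOG)):
        print(name, diagnose(parse_analysis_log(log)))
```

Against the Chrome excerpt it reports three injected children, one of which (3392) never logs a loaded monitor, plus memory dumps at timeout; against the Firefox excerpt the monitor loads into 2932 and nothing else is logged for the whole run, which is what a process that never gets going looks like. Pointing it at the full analysis.log of a task (storage/analyses/<id>/analysis.log) gives the same summary without scrolling.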
Is anybody able to work with Firefox and Cuckoo Sandbox?
After a deeper analysis, it seems that a Firefox analysis can be run by disabling the option "Enable injection" ("Enable behavioral analysis").
When this option is enabled, the firefox process is launched (in a sleeping state) under the guest environment (Win7 in my case), but the process doesn't seem to be woken up by inject-x64.exe. I think this option makes Cuckoo's analyzer.py perform a DLL injection using `inject-x{64,86}.exe`. This injection lets the analyzer be aware of all system calls. My conclusion is that the injected DLL isn't compatible with Firefox.
@jbremer @RicoVZ Does this help you understanding the source of the problem?
Hi @jbremer, I'm running Win10. When I disable Behavioral Analysis from the web interface, IE opens and browses to the URL, but when running from the terminal IE does not open. So the problem is that behavioral analysis is not turned off when I run from the terminal; I couldn't find any option to disable it anywhere in the code. Can you please guide me on disabling behavioral analysis?
I was able to disable behavioral analysis from the terminal with the following options:

```
cuckoo submit --package ie --options procmemdup=yes,route=none,free=yes --url example.com
```
The newest versions of Chrome/FF won't work with it, so go for older versions.
@jbremer Any update on this? Windows 10 behavioral analysis has been broken for a long time; the DLL injection does not appear to work.
Windows 10 never was supported.
Thanks for creating an issue! But first: did you read our community guidelines? https://cuckoo.sh/docs/introduction/community.html
My issue is: Adding or using a browser other than IE
My Cuckoo version and operating system are: 2.0.6.1
This can be reproduced by:
Just start an analysis to test the URL in Firefox. For Firefox, nothing happens on the VM even though the command is successfully sent. For Chrome, I copied ff.py and adapted it to Google Chrome, but in this case the package is not recognized after a new compilation (using "python setup.py sdist develop").
The log, error, files etc can be found at:
I don't really have any log file for that, except for Google Chrome:
Do we need to use a specific version of Firefox for what we are doing?... I don't think so, because when you type the command in the VM, it works...
FYI, my VM is Windows 7 and I'm using Firefox & Chrome with quite recent versions.
Thanks for your reply.