cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Firefox & Chrome URL analysis : not working #2329

Open LetMeR00t opened 6 years ago

LetMeR00t commented 6 years ago

Thanks for creating an issue! But first: did you read our community guidelines? https://cuckoo.sh/docs/introduction/community.html

My issue is: Adding or using other browser than IE
My Cuckoo version and operating system are: 2.0.6.1
This can be reproduced by:

Just start an analysis to test the URL in Firefox. For Firefox, nothing happened on the VM even if the command is successfully sent. For Chrome, I copied ff.py and adapted it to Google Chrome, but in this case the package is not recognized after a new compilation (using "python setup.py sdist develop").

The log, error, files etc can be found at:

I don't really have any log file for that except for Google Chrome: [screenshot, 2018-06-16 15-21-28]

Do we need to use a specific version of Firefox for what we are doing ?... I don't think so because when you put the command in the VM, it works...

FYI, my VM is a Windows 7 and I'm using Firefox & Chrome with quite recent versions

Thanks for your return

twesterhever commented 6 years ago

I would be interested in analysing URLs with a browser different than IE.

jbremer commented 6 years ago

@LetMeR00t did you also update $CWD/analyzer/...?

LetMeR00t commented 6 years ago

You're right @jbremer, however why is my CWD not updated when I compile the code from the source? It's the same thing for my configuration files that haven't been updated since the 2.0.6 upgrade...

LetMeR00t commented 6 years ago

Well it's not so easy :) I have a pop-up with "Invalid monitor mode" that showed up ... I will try to make it work.

LetMeR00t commented 6 years ago

@jbremer, is it possible that my error is coming from this line? https://github.com/cuckoosandbox/monitor/blob/cec6f77488df41f2f724b5c9270de1bc53afe959/src/config.c#L72-L74 [screenshot: 0001]

RicoVZ commented 6 years ago

Hi LetMeR00t,

When exactly are you getting this error? What analysis package are you using when this happens?

LetMeR00t commented 6 years ago

Hi @RicoVZ, I get this error at the start of my VM (actually you are seeing a screenshot of the VM). Apparently, Google Chrome doesn't start, or well, just for showing this message ... (as you can see on the taskbar, it's Google Chrome). Concerning Firefox, I don't have any error or opened browser when I'm running the analysis.

For Firefox, I'm using the already existing package. For Google Chrome, I'm using a "chrome.py" package which is the copy of the "ff.py" with the Google Chrome path in it.

RicoVZ commented 6 years ago

@LetMeR00t Thanks :smile: Can you share the copied chrome.py package with us?

LetMeR00t commented 6 years ago

Hi @RicoVZ, here is the code: [screenshot, 2018-06-19 18-53-41]

# Copyright (C) 2014 Optiv, Inc. (brad.spengler@optiv.com)
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.

from lib.common.abstracts import Package

class Chrome(Package):
    """Chrome analysis package."""
    PATHS = [
        ("ProgramFiles", "Google", "Chrome", "Application", "chrome.exe"),
    ]

    def start(self, url):
        chrome = self.get_path("Google Chrome")
        # pass the URL instead of a filename in this case
        return self.execute(chrome, "--new-window \"%s\"" % url, url)

RicoVZ commented 6 years ago

@LetMeR00t

Thanks for posting it. :smile: The error is caused by how the arguments are provided to self.execute.

The function signature of .execute is:

def execute(self, path, args, mode=None, maximize=False, env=None,
            source=None, trigger=None):
    """Starts an executable for analysis.
    @param path: executable path
    @param args: executable arguments
    @param mode: monitor mode - which functions to instrument
    @param maximize: whether the GUI should start maximized
    @param env: additional environment variables
    @param source: parent process of our process
    @param trigger: trigger to indicate analysis start
    @return: process pid
    """

At the moment, your arguments are being passed to self.execute like this: self.execute("<path to Chrome>", "--new-window \"http://example.com\"", "http://example.com"). That is 3 arguments, so the third is being put into the place for the mode argument.

All arguments to the executable you are starting should be passed as a list, like in subprocess.Popen

You should use:

return self.execute(chrome, ["--new-window", url])
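
The mistake described above can be caught before a package is deployed. The following is an added example, not part of the original comment or of Cuckoo itself: a small static check that parses an analysis package and reports `self.execute(...)` calls whose `args` is a string or whose extra positional values land in `mode` and later parameters. The parameter order is taken from the signature quoted above; the function names and the trimmed sample package are assumptions made for illustration.

```python
import ast

# Parameter order of Package.execute as quoted in the thread (after self).
EXECUTE_PARAMS = ["path", "args", "mode", "maximize", "env", "source", "trigger"]

# Constructed sample: a trimmed version of the chrome.py package from the thread.
TEMPLATE = r'''
class Chrome(Package):
    def start(self, url):
        chrome = self.get_path("Google Chrome")
        return self.execute(CALL_ARGS)
'''
BUGGY = TEMPLATE.replace("CALL_ARGS", r'chrome, "--new-window \"%s\"" % url, url')
FIXED = TEMPLATE.replace("CALL_ARGS", 'chrome, ["--new-window", url]')


def _is_string_expr(node):
    """True when the expression is certainly a string rather than a list."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.JoinedStr):  # f-string
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return _is_string_expr(node.left)  # "..." % x  or  "..." + x
    return False


def check_execute_calls(source):
    """Return (line, message) findings for every self.execute(...) call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        is_self_execute = (
            isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "execute"
            and isinstance(node.func.value, ast.Name)
            and node.func.value.id == "self"
        )
        if not is_self_execute:
            continue
        # args (second positional) should be a list of separate arguments.
        if len(node.args) >= 2 and _is_string_expr(node.args[1]):
            findings.append((node.lineno, "args is a string; pass a list"))
        # Anything after path and args is bound by position to mode, maximize, ...
        for index, extra in enumerate(node.args[2:], start=2):
            name = EXECUTE_PARAMS[index] if index < len(EXECUTE_PARAMS) else "<too many>"
            findings.append((extra.lineno, "positional value is bound to '%s'" % name))
    return findings


if __name__ == "__main__":
    for label, src in (("buggy", BUGGY), ("fixed", FIXED)):
        print(label, check_execute_calls(src))
```

A variable passed as `args` is not flagged, because its type cannot be decided from the syntax tree alone.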

LetMeR00t commented 6 years ago

Hi @RicoVZ , Nice catch, however Google Chrome is not working ... No GUI is started and no traffic is generated.

analysis.log

2018-06-26 20:40:27,078 [analyzer] DEBUG: Started auxiliary module Reboot
2018-06-26 20:40:27,171 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-06-26 20:40:27,171 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-06-26 20:40:27,171 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2018-06-26 20:40:27,280 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe' with arguments ['--new-window', 'https://www.airfrance.fr'] and pid 2856
2018-06-26 20:40:27,625 [analyzer] DEBUG: Loaded monitor into process with pid 2856
2018-06-26 20:40:27,750 [analyzer] INFO: Injected into process with pid 2364 and name u'chrome.exe'
2018-06-26 20:40:27,937 [analyzer] DEBUG: Loaded monitor into process with pid 2364
2018-06-26 20:40:28,062 [analyzer] INFO: Added new file to list with pid 2364 and path \Device\NamedPipe\crashpad_2856_KJWWHOGVCTIFVTHN
2018-06-26 20:40:28,092 [analyzer] INFO: Added new file to list with pid 2856 and path C:\Users\Sandbox\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
2018-06-26 20:40:29,983 [analyzer] INFO: Injected into process with pid 3068 and name u'chrome.exe'
2018-06-26 20:40:30,140 [analyzer] DEBUG: Loaded monitor into process with pid 3068
2018-06-26 20:40:49,584 [analyzer] INFO: Injected into process with pid 3392 and name u'chrome.exe'
2018-06-26 20:40:56,239 [lib.api.process] INFO: Memory dump of process with pid 2856 completed
2018-06-26 20:40:56,861 [lib.api.process] INFO: Memory dump of process with pid 2856 completed
2018-06-26 20:40:57,505 [lib.api.process] INFO: Memory dump of process with pid 2856 completed
2018-06-26 20:40:58,150 [lib.api.process] INFO: Memory dump of process with pid 2856 completed
2018-06-26 20:40:59,398 [lib.api.process] INFO: Memory dump of process with pid 2856 completed
2018-06-26 20:41:00,125 [lib.api.process] INFO: Memory dump of process with pid 2856 completed
2018-06-26 20:41:00,812 [lib.api.process] INFO: Memory dump of process with pid 2856 completed
2018-06-26 20:41:01,164 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-06-26 20:41:01,164 [analyzer] WARNING: File at path u'\\device\\namedpipe\\crashpad_2856_kjwwhogvctifvthn' does not exist, skip.
2018-06-26 20:41:01,164 [analyzer] INFO: Analysis completed.

cuckoo.log

2018-06-26 20:40:26,556 [cuckoo.core.scheduler] INFO: Task #2: acquired machine Windows (label=Windows)
2018-06-26 20:40:26,556 [cuckoo.auxiliary.mitm] DEBUG: TLS Master keys will be dropped in this file: /opt/cuckoo/storage/analyses/2/tlsmaster.mitm
2018-06-26 20:40:26,581 [cuckoo.auxiliary.mitm] INFO: Started mitm interception with PID 9532 (ip=192.168.56.1, port=8080).
2018-06-26 20:40:26,581 [cuckoo.core.plugins] DEBUG: Started auxiliary module: MITM
2018-06-26 20:40:26,628 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 9533 (interface=vboxnet0, host=192.168.56.101)
2018-06-26 20:40:26,628 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2018-06-26 20:40:26,983 [cuckoo.machinery.virtualbox] DEBUG: Starting vm Windows
2018-06-26 20:40:27,155 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine Windows to clean
2018-06-26 20:40:35,163 [cuckoo.core.guest] INFO: Starting analysis on guest (id=Windows, ip=192.168.56.101)
2018-06-26 20:40:36,217 [cuckoo.core.guest] DEBUG: Windows: not ready yet
2018-06-26 20:40:37,224 [cuckoo.core.guest] DEBUG: Windows: not ready yet
2018-06-26 20:40:38,229 [cuckoo.core.guest] DEBUG: Windows: not ready yet
2018-06-26 20:40:38,235 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.8 (id=Windows, ip=192.168.56.101)
2018-06-26 20:40:39,109 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=Windows, ip=192.168.56.101, monitor=latest, size=3854279)
2018-06-26 20:40:39,479 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:39,796 [cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized.
2018-06-26 20:40:40,483 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:41,490 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:42,293 [cuckoo.core.resultserver] DEBUG: New process (pid=2856, ppid=172, name=chrome.exe)
2018-06-26 20:40:42,497 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:42,658 [cuckoo.core.resultserver] DEBUG: New process (pid=2364, ppid=2856, name=chrome.exe)
2018-06-26 20:40:43,501 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:44,488 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0001.jpg
2018-06-26 20:40:44,492 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 75699
2018-06-26 20:40:44,505 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:44,870 [cuckoo.core.resultserver] DEBUG: New process (pid=3068, ppid=2856, name=chrome.exe)
2018-06-26 20:40:45,510 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:46,516 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:47,520 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:48,524 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:49,528 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:50,532 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:51,536 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:52,541 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:53,316 [cuckoo.core.resultserver] DEBUG: File upload request for files/1d97c69aea85d3b0_CrashpadMetrics.pma
2018-06-26 20:40:53,320 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 1048576
2018-06-26 20:40:53,480 [cuckoo.core.resultserver] DEBUG: File upload request for files/49f573f57ba97415_BrowserMetrics-5B250415-988.pma
2018-06-26 20:40:53,501 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 8388608
2018-06-26 20:40:53,546 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:53,974 [cuckoo.core.resultserver] DEBUG: File upload request for files/945e8a6c72ea933e_BrowserMetrics-5B330BE0-B28.pma
2018-06-26 20:40:53,992 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 8388608
2018-06-26 20:40:54,550 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:55,555 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:56,559 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:57,567 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:58,572 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:40:59,577 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:41:00,581 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:41:01,585 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:41:02,590 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:41:03,594 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:41:04,599 [cuckoo.core.guest] DEBUG: Windows: analysis still processing

I added the concerning files

files.zip

I also tried with Firefox and it's the same, not working...

analysis.log

2018-06-26 20:46:54,000 [analyzer] DEBUG: Starting analyzer from: C:\tmpype8_u
2018-06-26 20:46:54,000 [analyzer] DEBUG: Pipe server name: \??\PIPE\gnhZctqbuiEQFZirZSQkBWeKl
2018-06-26 20:46:54,000 [analyzer] DEBUG: Log pipe server name: \??\PIPE\HRlMUUfwBPwPByiHaVQBYFmIDlSbI
2018-06-26 20:46:54,467 [analyzer] DEBUG: Started auxiliary module DbgView
2018-06-26 20:46:54,687 [analyzer] DEBUG: Started auxiliary module Disguise
2018-06-26 20:46:54,890 [analyzer] DEBUG: Loaded monitor into process with pid 504
2018-06-26 20:46:54,890 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-06-26 20:46:54,890 [analyzer] DEBUG: Started auxiliary module Human
2018-06-26 20:46:56,078 [modules.auxiliary.installcert] INFO: Successfully installed PFX certificate.
2018-06-26 20:46:56,078 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-06-26 20:46:56,078 [analyzer] DEBUG: Started auxiliary module Reboot
2018-06-26 20:46:56,187 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-06-26 20:46:56,187 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-06-26 20:46:56,187 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2018-06-26 20:46:56,296 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files\\Mozilla Firefox\\firefox.exe' with arguments ['https://www.airfrance.fr'] and pid 2932
2018-06-26 20:46:57,046 [analyzer] DEBUG: Loaded monitor into process with pid 2932
2018-06-26 20:47:29,322 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-06-26 20:47:29,322 [analyzer] INFO: Analysis completed.

cuckoo.log

2018-06-26 20:46:54,634 [cuckoo.core.scheduler] INFO: Task #3: acquired machine Windows (label=Windows)
2018-06-26 20:46:54,634 [cuckoo.auxiliary.mitm] DEBUG: TLS Master keys will be dropped in this file: /opt/cuckoo/storage/analyses/3/tlsmaster.mitm
2018-06-26 20:46:54,638 [cuckoo.auxiliary.mitm] INFO: Started mitm interception with PID 10106 (ip=192.168.56.1, port=8080).
2018-06-26 20:46:54,638 [cuckoo.core.plugins] DEBUG: Started auxiliary module: MITM
2018-06-26 20:46:54,656 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 10107 (interface=vboxnet0, host=192.168.56.101)
2018-06-26 20:46:54,657 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2018-06-26 20:46:54,966 [cuckoo.machinery.virtualbox] DEBUG: Starting vm Windows
2018-06-26 20:46:56,046 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine Windows to clean
2018-06-26 20:47:03,451 [cuckoo.core.guest] INFO: Starting analysis on guest (id=Windows, ip=192.168.56.101)
2018-06-26 20:47:04,453 [cuckoo.core.guest] DEBUG: Windows: not ready yet
2018-06-26 20:47:05,460 [cuckoo.core.guest] DEBUG: Windows: not ready yet
2018-06-26 20:47:06,463 [cuckoo.core.guest] DEBUG: Windows: not ready yet
2018-06-26 20:47:06,477 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.8 (id=Windows, ip=192.168.56.101)
2018-06-26 20:47:06,748 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=Windows, ip=192.168.56.101, monitor=latest, size=3854279)
2018-06-26 20:47:07,089 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:07,402 [cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized.
2018-06-26 20:47:08,094 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:09,097 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:10,108 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:10,356 [cuckoo.core.resultserver] DEBUG: New process (pid=2932, ppid=2500, name=firefox.exe)
2018-06-26 20:47:11,118 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:11,371 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0001.jpg
2018-06-26 20:47:11,391 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 75701
2018-06-26 20:47:12,125 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:13,136 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:14,141 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:15,145 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:16,149 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:17,153 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:18,158 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:19,163 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:20,168 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:21,173 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:22,179 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:23,184 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:24,188 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:25,192 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:26,196 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:27,200 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:28,204 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:29,210 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:30,215 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:31,220 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:32,224 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:33,229 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:34,233 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:35,237 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:36,242 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:37,248 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:38,252 [cuckoo.core.guest] DEBUG: Windows: analysis still processing
2018-06-26 20:47:38,829 [cuckoo.core.resultserver] DEBUG: File upload request for files/fd4c9fda9cd3f9ae_cookies.sqlite-shm
2018-06-26 20:47:38,835 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 32768
2018-06-26 20:47:39,171 [cuckoo.core.resultserver] DEBUG: File upload request for files/e3b0c44298fc1c14_cookies.sqlite-wal
2018-06-26 20:47:39,256 [cuckoo.core.guest] INFO: Windows: analysis completed successfully
2018-06-26 20:47:39,332 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: MITM
2018-06-26 20:47:39,365 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer

files.zip

My opinion is that new versions of Firefox and Google Chrome can't work with this Cuckoo, am I wrong? Which version of Google Chrome / Firefox are you using on your side?

Thanks for your help.

LetMeR00t commented 6 years ago

Here is the information about my Google Chrome and Firefox versions in the guest:

[screenshots, 2018-06-26 20-51-46 and 2018-06-26 20-51-56]

AndyCorreas commented 5 years ago

Could somebody work with Firefox and Cuckoo Sandbox?

1earch commented 5 years ago

After a deeper analysis, it seems that a Firefox analysis can be run disabling the option "Enable injection" ("Enable behavioral analysis").

When this option is enabled, the firefox process is launched (in a sleeping state) under the guest environment (Win7 in my case), but the process seems to not be woken up by inject-x64.exe. I think this option enables Cuckoo's analyzer.py to perform a DLL injection using `inject-x{64,86}.exe`. This injection lets the analyzer be aware of all system calls. My conclusion is that the injected DLL isn't compatible with Firefox.

@jbremer @RicoVZ Does this help you understand the source of the problem?
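
When troubleshooting injection problems like the ones discussed in this thread, it helps to read the per-process state out of analysis.log instead of scanning it by eye. The following is an added example, not part of the original comments or of Cuckoo: it lists which stages were logged for each pid and which pids have no "Loaded monitor" line. The sample lines are copied from the Chrome analysis.log excerpt posted earlier in the thread; the function names are assumptions, and treating a missing "Loaded monitor" line as an unconfirmed injection is an assumption about what the messages mean.

```python
import re

# Lines copied from the Chrome analysis.log excerpt posted earlier in this thread.
SAMPLE_LOG = r"""
2018-06-26 20:40:27,280 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe' with arguments ['--new-window', 'https://www.airfrance.fr'] and pid 2856
2018-06-26 20:40:27,625 [analyzer] DEBUG: Loaded monitor into process with pid 2856
2018-06-26 20:40:27,750 [analyzer] INFO: Injected into process with pid 2364 and name u'chrome.exe'
2018-06-26 20:40:27,937 [analyzer] DEBUG: Loaded monitor into process with pid 2364
2018-06-26 20:40:29,983 [analyzer] INFO: Injected into process with pid 3068 and name u'chrome.exe'
2018-06-26 20:40:30,140 [analyzer] DEBUG: Loaded monitor into process with pid 3068
2018-06-26 20:40:49,584 [analyzer] INFO: Injected into process with pid 3392 and name u'chrome.exe'
2018-06-26 20:41:01,164 [analyzer] INFO: Analysis timeout hit, terminating analysis.
"""

# One pattern per stage; each captures the pid the message refers to.
STAGES = [
    ("executed", re.compile(r"Successfully executed process from path .* and pid (\d+)")),
    ("injected", re.compile(r"Injected into process with pid (\d+)")),
    ("monitor_loaded", re.compile(r"Loaded monitor into process with pid (\d+)")),
]


def injection_state(log_text):
    """Return ({pid: [stages in log order]}, timeout_hit) for an analysis.log."""
    state, timed_out = {}, False
    for line in log_text.splitlines():
        if "Analysis timeout hit" in line:
            timed_out = True
        for stage, pattern in STAGES:
            match = pattern.search(line)
            if match:
                state.setdefault(int(match.group(1)), []).append(stage)
    return state, timed_out


def pids_without_monitor(log_text):
    """Pids that were executed or injected but never logged 'Loaded monitor'."""
    state, _ = injection_state(log_text)
    return sorted(pid for pid, stages in state.items()
                  if "monitor_loaded" not in stages)


if __name__ == "__main__":
    stages, timeout = injection_state(SAMPLE_LOG)
    for pid in sorted(stages):
        print(pid, " -> ".join(stages[pid]))
    print("timeout hit:", timeout)
    print("no monitor confirmation:", pids_without_monitor(SAMPLE_LOG))
```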

Khadu commented 5 years ago

Hi @jbremer I'm running win10. When I disable Behavior Analysis from the web interface, IE opens and browses through the URL, but on running from the terminal IE does not open up. So the problem is behavior analysis is not turned off when I run from the terminal; I couldn't find any option to disable it anywhere in the code. Can you please guide me to disable behavior analysis?

Khadu commented 5 years ago

I was able to disable behavior analysis from the terminal by implementing the following options.

cuckoo submit --package ie --options procmemdup=yes,route=none,free=yes --url example.com

doomedraven commented 5 years ago

the newest version of chrome/ff won't work with it, so go for older versions

ag-michael commented 4 years ago

@jbremer Any update on this? Windows 10 behavioral analysis has been broken for a long time. The DLL injection does not appear to work.

doomedraven commented 4 years ago

Windows 10 never was supported