reox
commented
6 years ago I have the same issue here in a Windows 10 VM but not only for Office files. I get in the analysis.log also the following line:
2018-08-10 10:01:28,055 [modules.auxiliary.dumptls] WARNING: You're not running the Cuckoo Agent as Administrator. Doing so will improve your analysis results!but as far as I can tell, the agent is started as Administrator and UAC is turned off. The problem seems to be that the monitor app tries to write to C:\ https://github.com/cuckoosandbox/monitor/blob/e071e63a66e831163a40abc45109fdf71fee829e/src/config.c#L82 and this is probably prohibited by windows 10, even for the Administrator account? It might be possible that this is a feature of Windows 10 and you can only create folders on C:, as I read in some forums that other people have problems writing files to C: as administrator too.
doomedraven
R42E
Thanks for creating an issue! But first: did you read our community guidelines? https://cuckoo.sh/docs/introduction/community.html
My issue is:
Got an error on the VM i do analysis on saying "Error fetching configuration file! This is a serious error. If encountered, please notify the Cuckoo Developers as this error prevents analysis.
My Cuckoo version and operating system are:
Cuckoo Version: 2.0.6 Host: Ubuntu 16.04 VirtualBox VM's running windows 7
This can be reproduced by:
Running a word Doc that has macro's
The log, error, files etc can be found at:
2018-07-11 14:42:59,253 [cuckoo.core.guest] DEBUG: loki-3: analysis still processing [111/1833] 2018-07-11 14:42:59,751 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0035.jpg 2018-07-11 14:42:59,756 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 69885 2018-07-11 14:43:00,264 [cuckoo.core.guest] DEBUG: loki-3: analysis still processing 2018-07-11 14:43:00,836 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0036.jpg 2018-07-11 14:43:00,843 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 69782 2018-07-11 14:43:01,273 [cuckoo.core.guest] DEBUG: loki-3: analysis still processing 2018-07-11 14:43:02,284 [cuckoo.core.guest] DEBUG: loki-3: analysis still processing 2018-07-11 14:43:03,294 [cuckoo.core.guest] DEBUG: loki-3: analysis still processing 2018-07-11 14:43:04,303 [cuckoo.core.guest] DEBUG: loki-3: analysis still processing 2018-07-11 14:43:05,310 [cuckoo.core.guest] DEBUG: loki-3: analysis still processing 2018-07-11 14:43:06,319 [cuckoo.core.guest] DEBUG: loki-3: analysis still processing 2018-07-11 14:43:07,329 [cuckoo.core.guest] DEBUG: loki-3: analysis still processing 2018-07-11 14:43:07,847 [cuckoo.core.resultserver] DEBUG: File upload request for memory/3536-1.dmp 2018-07-11 14:43:08,159 [cuckoo.core.resultserver] WARNING: Uploaded file length larger than upload_m ax_size, stopping upload. 2018-07-11 14:43:08,159 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 134217743 2018-07-11 14:43:08,335 [cuckoo.core.guest] DEBUG: loki-3: analysis still processing 2018-07-11 14:43:08,395 [cuckoo.core.resultserver] DEBUG: File upload request for memory/944-2.dmp 2018-07-11 14:43:08,584 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 56022632 2018-07-11 14:43:08,652 [cuckoo.core.resultserver] DEBUG: File upload request for files/3c6e31d74ef90 382_oteledata_3536_2.etl 2018-07-11 14:43:08,654 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 65536 2018-07-11 14:43:08,656 [cuckoo.core.resultserver] DEBUG: File upload request for files/1bb30e4c66fae d39_37d958f0157c4e87d39a5e7fab3aeccc090773d7f9dbe1d85bcb60985361f32e 2018-07-11 14:43:08,657 [cuckoo.core.resultserver] DEBUG: File upload request for files/7d77ba04f4cf8 de0~$normal.dotm 2018-07-11 14:43:08,657 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 1831 2018-07-11 14:43:08,658 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 162 2018-07-11 14:43:08,660 [cuckoo.core.resultserver] DEBUG: File upload request for files/f34e667cdfc3d 3e2_37d958f0157c4e87d39a5e7fab3aeccc090773d7f9dbe1d85bcb60985361f32e 2018-07-11 14:43:08,660 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 502 2018-07-11 14:43:08,661 [cuckoo.core.resultserver] DEBUG: File upload request for files/4826c0d860af8 84d~wrs{92276764-48f5-4c66-ac16-c97ad128ce07}.tmp 2018-07-11 14:43:08,662 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 1024 2018-07-11 14:43:08,662 [cuckoo.core.resultserver] DEBUG: File upload request for files/45bec485cc66c cb5_config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.5031&crev=30 2018-07-11 14:43:08,662 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 25679 2018-07-11 14:43:09,342 [cuckoo.core.guest] INFO: loki-3: analysis completed successfully 2018-07-11 14:43:09,410 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer 2018-07-11 14:43:09,410 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm loki-3 2018-07-11 14:43:10,846 [cuckoo.core.scheduler] DEBUG: Released database task #64 2018-07-11 14:43:10,903 [cuckoo.core.plugins] DEBUG: Executed processing module "AnalysisInfo" for ta sk #64 2018-07-11 14:43:10,934 [cuckoo.core.plugins] DEBUG: Executed processing module "BehaviorAnalysis" fo r task #64 2018-07-11 14:43:10,943 [cuckoo.core.plugins] DEBUG: Executed processing module "Dropped" for task #6 4 2018-07-11 14:43:10,944 [cuckoo.core.plugins] DEBUG: Executed processing module "DroppedBuffer" for t ask #64 2018-07-11 14:43:10,944 [cuckoo.processing.memory] ERROR: VM memory dump not found: to create VM memo ry dumps you have to enable memory_dump in cuckoo.conf! 2018-07-11 14:43:10,944 [cuckoo.core.plugins] DEBUG: Executed processing module "Memory" for task #64 2018-07-11 14:43:12,934 [cuckoo.core.plugins] DEBUG: Executed processing module "MetaInfo" for task # 64 2018-07-11 14:43:37,081 [cuckoo.core.plugins] DEBUG: Executed processing module "ProcessMemory" for t ask #64 2018-07-11 14:43:37,082 [cuckoo.core.plugins] DEBUG: Executed processing module "Procmon" for task #6 4 2018-07-11 14:43:37,316 [cuckoo.core.plugins] DEBUG: Executed processing module "Screenshots" for tas k #64 2018-07-11 14:43:37,326 [cuckoo.core.plugins] DEBUG: Executed processing module "Strings" for task #6 4 11/7/2018 -- 14:43:37 - - This is Suricata version 3.0 RELEASE
11/7/2018 -- 14:43:44 - - all 13 packet processing threads, 4 management threads initialized
, engine started.
11/7/2018 -- 14:43:44 - - Signal Received. Stopping engine.
11/7/2018 -- 14:43:44 - - Pcap-file module read 1093 packets, 251804 bytes
2018-07-11 14:43:44,412 [cuckoo.processing.suricata] WARNING: Suricata dropped file with id=None and
md5=14aa7c6f8cbb3dcf7ff997a372667488 not found, skipping it..
2018-07-11 14:43:44,412 [cuckoo.processing.suricata] WARNING: Suricata dropped file with id=None and
md5=5af546317f89d12269043dadb669f023 not found, skipping it..
2018-07-11 14:43:44,412 [cuckoo.processing.suricata] WARNING: Suricata dropped file with id=None and
md5=fa33936d650a340861ec19f915f6226e not found, skipping it..
2018-07-11 14:43:44,413 [cuckoo.processing.suricata] WARNING: Suricata dropped file with id=None and
md5=7f5024bf5ea123bb4ab55b3a6df165a3 not found, skipping it..
2018-07-11 14:43:44,413 [cuckoo.processing.suricata] WARNING: Suricata dropped file with id=None and
md5=1e5de82c28057d1095c7eeef589504d6 not found, skipping it..
2018-07-11 14:43:44,413 [cuckoo.processing.suricata] WARNING: Suricata dropped file with id=None and
md5=6e2a810f4dd7935cc919a9d230cb389e not found, skipping it..
2018-07-11 14:43:44,413 [cuckoo.processing.suricata] WARNING: Suricata dropped file with id=None and
md5=670894249ad78d3207cc4e7943f29d5a not found, skipping it..
2018-07-11 14:43:44,414 [cuckoo.processing.suricata] WARNING: Suricata dropped file with id=None and
md5=85178078eb52035b34be85f4f2731585 not found, skipping it..
2018-07-11 14:43:44,414 [cuckoo.processing.suricata] WARNING: Suricata dropped file with id=None and
md5=a2bbf6a903ed77f1c57a8a53ae41657b not found, skipping it..
2018-07-11 14:43:44,414 [cuckoo.processing.suricata] WARNING: Suricata dropped file with id=None and
md5=b72879b4d759946c20fdd59e6cb959d0 not found, skipping it..
2018-07-11 14:43:44,414 [cuckoo.processing.suricata] WARNING: Suricata dropped file with id=None and
md5=5242fd68684a1187ee11e09c9772c9e4 not found, skipping it..
2018-07-11 14:43:44,414 [cuckoo.processing.suricata] WARNING: Suricata dropped file with id=None and
md5=5bda7f1dddbfe522a95d36e8f5306dae not found, skipping it..
2018-07-11 14:43:44,415 [cuckoo.processing.suricata] WARNING: Suricata dropped file with id=None and
md5=3ada7c3a67bbe48ab308c99a4c480706 not found, skipping it..
2018-07-11 14:43:44,415 [cuckoo.processing.suricata] WARNING: Suricata dropped file with id=None and
md5=2fb1690b5cb69cd83bde1741512f915f not found, skipping it..
2018-07-11 14:43:44,415 [cuckoo.processing.suricata] WARNING: Suricata dropped file with id=None and
md5=e1698084fe9dc7e9599ab059f3a44249 not found, skipping it..
2018-07-11 14:43:44,415 [cuckoo.processing.suricata] WARNING: Suricata dropped file with id=None and
md5=53a293b3b4dfe0e74cdf7241490bd01b not found, skipping it..
2018-07-11 14:43:44,416 [cuckoo.processing.suricata] WARNING: Suricata dropped file with id=None and
md5=bdcb4c2802b5fe520329911f93b9ecf3 not found, skipping it..
2018-07-11 14:43:44,416 [cuckoo.processing.suricata] WARNING: Suricata dropped file with id=None and
md5=247c5863a126682600feb18267aaf3dd not found, skipping it..
2018-07-11 14:43:44,416 [cuckoo.processing.suricata] WARNING: Suricata dropped file with id=None and
md5=58304cff2aa0141a5bf632c9d19349f5 not found, skipping it..
2018-07-11 14:43:44,416 [cuckoo.core.plugins] DEBUG: Executed processing module "Suricata" for task #
64
2018-07-11 14:43:44,426 [cuckoo.core.plugins] DEBUG: Executed processing module "TargetInfo" for task
64
Traceback (most recent call last): File "/usr/local/lib/python2.7/dist-packages/cuckoo/processing/network.py", line 887, in run results.update(p2.run()) File "/usr/local/lib/python2.7/dist-packages/cuckoo/processing/network.py", line 764, in run l = sorted(r.process(), key=lambda x: x[1]) File "/usr/local/lib/python2.7/dist-packages/httpreplay/reader.py", line 126, in process self.tcp and self.tcp.finish() File "/usr/local/lib/python2.7/dist-packages/httpreplay/smegma.py", line 90, in finish stream.finish() File "/usr/local/lib/python2.7/dist-packages/httpreplay/smegma.py", line 365, in finish self.s, self.ts, "tcp", "".join(self.sent), "".join(self.recv) File "/usr/local/lib/python2.7/dist-packages/httpreplay/smegma.py", line 591, in handle while self.states[self.state](self, s, ts): File "/usr/local/lib/python2.7/dist-packages/httpreplay/smegma.py", line 530, in state_stream sent.append(self.tls.decrypt_client(record.type, record.data)) File "/usr/local/lib/python2.7/dist-packages/httpreplay/smegma.py", line 422, in decrypt_client return self.decrypt(self.client_state, record_type, buf) File "/usr/local/lib/python2.7/dist-packages/httpreplay/smegma.py", line 411, in decrypt record_type, bytearray(buf) File "/usr/local/lib/python2.7/dist-packages/tlslite/recordlayer.py", line 548, in _decryptThenMAC raise TLSBadRecordMAC() TLSBadRecordMAC 2018-07-11 14:43:45,181 [cuckoo.core.plugins] DEBUG: Executed processing module "NetworkAnalysis" for task #64 2018-07-11 14:43:45,182 [cuckoo.core.plugins] DEBUG: Executed processing module "Extracted" for task #64 2018-07-11 14:43:45,186 [cuckoo.processing.dumptls] INFO: Was unable to extract TLS master secret for server random 5b4616f87d31650624a0d1a9ad9a2a344f03a47f02fc6a5dc06c01e7a223c954, skipping it. 2018-07-11 14:43:45,187 [cuckoo.processing.dumptls] INFO: Was unable to extract TLS master secret for server random 5b4616f8f1d3338708132c117b7b6bbb3343a77b52f20310b39bbf25344bda24, skipping it. 2018-07-11 14:43:45,187 [cuckoo.processing.dumptls] INFO: Was unable to extract TLS master secret for server random 5b4616fb6c257ca86c3443b60f14c8662e5a7b7134baba4600cadceb7ae3632b, skipping it. 2018-07-11 14:43:45,188 [cuckoo.processing.dumptls] INFO: Was unable to extract TLS master secret for server random 5b4617019bb130d36aad5a6a7dbce35636abee352f17f61acad6037c15f2f7f2, skipping it. 2018-07-11 14:43:45,188 [cuckoo.processing.dumptls] INFO: Was unable to extract TLS master secret for server random 5b4616ffb9edbaaf1fdf70b7ee03782101ce7fdbda011925590d1dcef1297d56, skipping it. 2018-07-11 14:43:45,189 [cuckoo.processing.dumptls] INFO: Was unable to extract TLS master secret for server random 5b4616fb8c152817e3fda001d7e10f22d9283cc27f2ab14577e5627cfbbf08f1, skipping it. 2018-07-11 14:43:45,192 [cuckoo.core.plugins] DEBUG: Executed processing module "TLSMasterSecrets" for task #64 2018-07-11 14:43:45,196 [cuckoo.core.plugins] DEBUG: Executed processing module "Debug" for task #64 2018-07-11 14:43:45,202 [cuckoo.core.plugins] DEBUG: Running 540 signatures 2018-07-11 14:43:45,515 [cuckoo.core.plugins] DEBUG: Analysis matched signature: allocates_rwx 2018-07-11 14:43:45,515 [cuckoo.core.plugins] DEBUG: Analysis matched signature: creates_doc 2018-07-11 14:43:45,515 [cuckoo.core.plugins] DEBUG: Analysis matched signature: creates_hidden_file 2018-07-11 14:43:45,515 [cuckoo.core.plugins] DEBUG: Analysis matched signature: process_martian 2018-07-11 14:43:45,516 [cuckoo.core.plugins] DEBUG: Analysis matched signature: memdump_urls 2018-07-11 14:43:45,516 [cuckoo.core.plugins] DEBUG: Analysis matched signature: injection_resumethread 2018-07-11 14:43:45,710 [cuckoo.core.plugins] DEBUG: Executed reporting module "ElasticSearch" 2018-07-11 14:43:45,897 [cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump" Jul 11 14:43:45 main.c:599 main(): THREAD 0x7fbc28dcd780 2018-07-11 14:43:47,137 [cuckoo.core.plugins] DEBUG: Executed reporting module "Moloch" 2018-07-11 14:43:53,839 [cuckoo.core.plugins] DEBUG: Executed reporting module "MongoDB" 2018-07-11 14:43:53,839 [cuckoo.core.scheduler] INFO: Task #64: reports generation completed 2018-07-11 14:43:53,849 [cuckoo.core.scheduler] INFO: Task #64: analysis procedure completed