cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Can cuckoo 2.0.6 proceed with MacOS X Guests? #2401

Open zentavr opened 5 years ago

zentavr commented 5 years ago
My issue is:

I installed a MacOS guest and put agent.py inside (as root) as a launchd daemon. /Library/LaunchDaemons/com.resec.agent.plist is the following:

     <?xml version="1.0" encoding="UTF-8"?>
     <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
     <plist version="1.0">
     <dict>
       <key>Label</key>
       <string>com.resec.agent</string>
       <key>ProgramArguments</key>
       <array>
         <string>/usr/local/bin/python</string>
         <string>/usr/local/bin/agent.py</string>
       </array>
       <key>KeepAlive</key>
       <true/>
       <key>RunAtLoad</key>
       <true/>
       <key>NetworkState</key>
       <true/>

       <!-- Listening for a network socket  -->
       <!--
       <key>Sockets</key>
         <dict>
           <key>Listeners</key>
           <dict>
             <key>SockServiceName</key>
             <string>8000</string>
             <key>SockType</key>
             <string>stream</string>
             <key>SockFamily</key>
             <string>IPv4</string>
           </dict>
         </dict>
       -->

       <!-- Logging  -->
       <key>StandardErrorPath</key>
       <string>/var/log/com.resec.agent-error.log</string>
       <key>StandardOutPath</key>
       <string>/var/log/com.resec.agent-out.log</string>
     </dict>
     </plist>

Seems like analyzer.py wants some additional stuff, so I installed:

The agent is up and running; I can do HTTP requests to it and get /status or /environ results. The problem comes when I try to upload something. If I upload the binary, the analysis runs for a few minutes, but as the result I cannot see much that is usable: probably a few things like DNS requests to Apple web services and things from public resources. No screenshots, no info about dropped files and so on.

If I upload the *.app.zip file (without the password), the analysis is "done" in seconds and nothing usable appears in the report.

I wonder if I can turn on more verbose debugging for agent.py or analyzer.py and get a clue about what's going on?

My Cuckoo version and operating system are:

2.0.6 Ubuntu 16.04

zentavr commented 5 years ago

If someone tells me the flow of how cuckoo works (meaning which component calls what), I can probably grab more debug info.

zentavr commented 5 years ago

Found something at /storage/analyses/20/cuckoo.log:

2018-07-27 22:51:24,932 [cuckoo.core.scheduler] INFO: Task #20: acquired machine cuckoo-2.0-sierra-bs (label=cuckoo-2.0-sierra-bs)
2018-07-27 22:51:25,199 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 9562 (interface=vboxnet0, host=192.168.56.105)
2018-07-27 22:51:25,199 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2018-07-27 22:51:25,217 [cuckoo.machinery.virtualbox] DEBUG: Starting vm cuckoo-2.0-sierra-bs
2018-07-27 22:51:25,553 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine cuckoo-2.0-sierra-bs to vminit
2018-07-27 22:51:34,245 [cuckoo.core.guest] INFO: Starting analysis on guest (id=cuckoo-2.0-sierra-bs, ip=192.168.56.105)
2018-07-27 22:51:35,248 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: not ready yet
2018-07-27 22:51:36,254 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: not ready yet
2018-07-27 22:51:37,261 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: not ready yet
2018-07-27 22:51:38,269 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: not ready yet
2018-07-27 22:51:39,274 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: not ready yet
2018-07-27 22:51:39,285 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.8 (id=cuckoo-2.0-sierra-bs, ip=192.168.56.105)
2018-07-27 22:51:39,294 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=cuckoo-2.0-sierra-bs, ip=192.168.56.105, monitor=latest, size=109360)
2018-07-27 22:51:39,404 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: analysis still processing
2018-07-27 22:51:40,416 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: analysis still processing
2018-07-27 22:51:40,816 [cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized.
2018-07-27 22:51:41,420 [cuckoo.core.guest] INFO: cuckoo-2.0-sierra-bs: analysis completed successfully
2018-07-27 22:51:41,483 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2018-07-27 22:51:41,483 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm cuckoo-2.0-sierra-bs
2018-07-27 22:51:44,355 [cuckoo.core.scheduler] DEBUG: Released database task #20
2018-07-27 22:51:44,364 [cuckoo.core.scheduler] INFO: Task #20: analysis procedure completed

/storage/analyses/20/analysis.log:

2018-07-25 19:24:35,433 [root] DEBUG: Starting analyzer from /private/tmp/tmpkgMWGf
2018-07-25 19:24:35,434 [root] DEBUG: Storing results at: /tmp/gYCsvk
2018-07-27 22:51:24,425 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-07-27 22:51:24,432 [modules.packages.zip] DEBUG: Missing file option, auto executing: Contents/
2018-07-27 22:51:24,443 [root] ERROR: Traceback (most recent call last):
  File "/tmp/tmpkgMWGf/analyzer.py", line 193, in <module>
    success = analyzer.run()
  File "/tmp/tmpkgMWGf/analyzer.py", line 95, in run
    self._analysis(package)
  File "/tmp/tmpkgMWGf/analyzer.py", line 136, in _analysis
    package.start()
  File "/private/tmp/tmpkgMWGf/modules/packages/zip.py", line 60, in start
    self.prepare()
  File "/private/tmp/tmpkgMWGf/modules/packages/zip.py", line 47, in prepare
    raise Exception("Unable to detect analysis package for the file %s" % target_name)
Exception: Unable to detect analysis package for the file Contents/
Traceback (most recent call last):
  File "/tmp/tmpkgMWGf/analyzer.py", line 193, in <module>
    success = analyzer.run()
  File "/tmp/tmpkgMWGf/analyzer.py", line 95, in run
    self._analysis(package)
  File "/tmp/tmpkgMWGf/analyzer.py", line 136, in _analysis
    package.start()
  File "/private/tmp/tmpkgMWGf/modules/packages/zip.py", line 60, in start
    self.prepare()
  File "/private/tmp/tmpkgMWGf/modules/packages/zip.py", line 47, in prepare
    raise Exception("Unable to detect analysis package for the file %s" % target_name)
Exception: Unable to detect analysis package for the file Contents/

The content of the zip file is:

cuckoo@cuckoo-osx:~$ zip -sf Dokument2.app.zip
Archive contains:
  Contents/
  Contents/_CodeSignature/
  Contents/_CodeSignature/CodeResources
  Contents/MacOS/
  Contents/MacOS/AppStore
  Contents/Resources/
  Contents/Resources/de.lproj/
  Contents/Resources/de.lproj/MainMenu.strings
  Contents/Resources/Base.lproj/
  Contents/Resources/Base.lproj/MainMenu.nib
  Contents/Resources/AppIcon.icns
  Contents/Resources/en.lproj/
  Contents/Resources/en.lproj/MainMenu.strings
  Contents/PkgInfo
  Contents/Info.plist
Total 15 entries (219267 bytes)

doomedraven commented 5 years ago

I would suggest integrating these improvements/fixes: https://github.com/phdphuc/mac-a-mal

zentavr commented 5 years ago

@doomedraven - the very big deal is that mac-a-mal does not use the latest cuckoo version

zentavr commented 5 years ago

I repacked the app:

cuckoo@cuckoo-osx:~$ zip -sf Dokument2.app.zip
Archive contains:
  Dokument.app/
  Dokument.app/Contents/
  Dokument.app/Contents/_CodeSignature/
  Dokument.app/Contents/_CodeSignature/CodeResources
  Dokument.app/Contents/MacOS/
  Dokument.app/Contents/MacOS/AppStore
  Dokument.app/Contents/Resources/
  Dokument.app/Contents/Resources/de.lproj/
  Dokument.app/Contents/Resources/de.lproj/MainMenu.strings
  Dokument.app/Contents/Resources/Base.lproj/
  Dokument.app/Contents/Resources/Base.lproj/MainMenu.nib
  Dokument.app/Contents/Resources/AppIcon.icns
  Dokument.app/Contents/Resources/en.lproj/
  Dokument.app/Contents/Resources/en.lproj/MainMenu.strings
  Dokument.app/Contents/PkgInfo
  Dokument.app/Contents/Info.plist
Total 16 entries (219267 bytes)

The results are:

cuckoo.log:

2018-07-28 00:00:35,939 [cuckoo.core.scheduler] INFO: Task #22: acquired machine cuckoo-2.0-sierra-bs (label=cuckoo-2.0-sierra-bs)
2018-07-28 00:00:36,207 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 25563 (interface=vboxnet0, host=192.168.56.105)
2018-07-28 00:00:36,207 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2018-07-28 00:00:36,225 [cuckoo.machinery.virtualbox] DEBUG: Starting vm cuckoo-2.0-sierra-bs
2018-07-28 00:00:36,567 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine cuckoo-2.0-sierra-bs to vminit
2018-07-28 00:00:45,278 [cuckoo.core.guest] INFO: Starting analysis on guest (id=cuckoo-2.0-sierra-bs, ip=192.168.56.105)
2018-07-28 00:00:46,280 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: not ready yet
2018-07-28 00:00:47,285 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: not ready yet
2018-07-28 00:00:48,291 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: not ready yet
2018-07-28 00:00:48,339 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: not ready yet
2018-07-28 00:00:50,343 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: not ready yet
2018-07-28 00:00:50,354 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.8 (id=cuckoo-2.0-sierra-bs, ip=192.168.56.105)
2018-07-28 00:00:50,360 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=cuckoo-2.0-sierra-bs, ip=192.168.56.105, monitor=latest, size=109360)
2018-07-28 00:00:50,445 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: analysis still processing
2018-07-28 00:00:50,855 [cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized.
2018-07-28 00:00:51,451 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: analysis still processing
2018-07-28 00:00:52,456 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: analysis still processing
2018-07-28 00:00:53,462 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: analysis still processing
2018-07-28 00:00:53,988 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0001.png
2018-07-28 00:00:54,077 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 2177065
2018-07-28 00:00:54,473 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: analysis still processing
2018-07-28 00:00:55,484 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: analysis still processing
...
...
2018-07-28 00:12:49,573 [cuckoo.core.guest] DEBUG: cuckoo-2.0-sierra-bs: analysis still processing
2018-07-28 00:12:50,579 [cuckoo.core.guest] INFO: cuckoo-2.0-sierra-bs: end of analysis reached!
2018-07-28 00:12:50,635 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2018-07-28 00:12:50,636 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm cuckoo-2.0-sierra-bs
2018-07-28 00:12:53,495 [cuckoo.core.scheduler] DEBUG: Released database task #22
2018-07-28 00:12:53,505 [cuckoo.core.scheduler] INFO: Task #22: analysis procedure completed

analysis.log:

2018-07-25 19:24:34,448 [root] DEBUG: Starting analyzer from /private/tmp/tmp_3iKDh
2018-07-25 19:24:34,449 [root] DEBUG: Storing results at: /tmp/EPGqdT
2018-07-28 00:00:35,402 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-07-28 00:00:35,411 [modules.packages.zip] DEBUG: Missing file option, auto executing: Dokument.app/
2018-07-28 00:00:35,423 [modules.packages.zip] DEBUG: Analysing file "Dokument.app/" using package "App"
2018-07-28 00:00:36,861 [PIL.PngImagePlugin] DEBUG: STREAM 'IHDR' 16 13
2018-07-28 00:00:36,861 [PIL.PngImagePlugin] DEBUG: STREAM 'iCCP' 41 3070
2018-07-28 00:00:36,861 [PIL.PngImagePlugin] DEBUG: iCCP profile name 'ICC Profile'
2018-07-28 00:00:36,862 [PIL.PngImagePlugin] DEBUG: Compression method 0
2018-07-28 00:00:36,862 [PIL.PngImagePlugin] DEBUG: STREAM 'iTXt' 3123 414
2018-07-28 00:00:36,862 [PIL.PngImagePlugin] DEBUG: STREAM 'IDAT' 3549 16384
2018-07-28 00:00:39,290 [PIL.PngImagePlugin] DEBUG: STREAM 'IHDR' 16 13
2018-07-28 00:00:39,291 [PIL.PngImagePlugin] DEBUG: STREAM 'iCCP' 41 3070
...
...
2018-07-27 15:12:51,485 [PIL.PngImagePlugin] DEBUG: iCCP profile name 'ICC Profile'
2018-07-27 15:12:51,486 [PIL.PngImagePlugin] DEBUG: Compression method 0
2018-07-27 15:12:51,486 [PIL.PngImagePlugin] DEBUG: STREAM 'iTXt' 3123 414
2018-07-27 15:12:51,486 [PIL.PngImagePlugin] DEBUG: STREAM 'IDAT' 3549 16384

I can see nothing in Network, Behavior, buffers, etc. I cannot even see whether the program was executed.
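The two runs above differ only in where the archive is rooted: when the first entry is Contents/ the zip package raises "Unable to detect analysis package", and when the first entry is Dokument.app/ the same payload is handed to the "App" package. The script below is an added example, not Cuckoo's own zip.py and not code posted in this thread. It models that selection rule as an assumption inferred from the two analysis.log excerpts (the first archive entry is taken; a ".app/" directory selects "App"; any other bare directory is undetectable), checks an archive before submission, and repacks a Contents/-rooted archive under a bundle directory the way the author did by hand. The names build_zip, first_entry, detect_package, check_submission and repack_under_bundle are the example's own, and the archive contents are constructed dummy bytes.

```python
"""Pre-submission check for zipped macOS app bundles.

Added example, not Cuckoo's own zip package.  The selection rule below is an
ASSUMPTION inferred from the two analysis.log runs in this thread.
"""
import io
import zipfile

# Constructed sample: the archive layout that failed on the page, rooted at
# Contents/ instead of at a .app directory.  File bodies are dummy bytes.
BAD_LAYOUT = [
    ("Contents/", b""),
    ("Contents/MacOS/", b""),
    ("Contents/MacOS/AppStore", b"not a real Mach-O"),
    ("Contents/Info.plist", b"<plist/>"),
]


def build_zip(entries):
    """Build an in-memory zip from (name, data) pairs; names ending in '/'
    become directory entries, exactly as 'zip -sf' lists them above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def names_in(zip_bytes):
    """Entry names in archive order."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def first_entry(zip_bytes):
    """The entry the zip package auto-executes when no 'file' option is given.
    Assumption: the 'auto executing:' log lines show it takes the first entry."""
    names = names_in(zip_bytes)
    return names[0] if names else None


def detect_package(entry):
    """Map the auto-selected entry to an analysis package name.
    Assumption from the logs: a '.app/' directory selects 'App'; any other
    directory cannot be mapped.  Loose files inside a zip are not covered by
    the thread, so they are reported as None here as well."""
    if entry and entry.endswith(".app/"):
        return "App"
    return None


def check_submission(zip_bytes):
    """(entry, package); package None means the guest would raise
    'Unable to detect analysis package for the file <entry>'."""
    entry = first_entry(zip_bytes)
    return entry, detect_package(entry)


def repack_under_bundle(zip_bytes, bundle_name):
    """Rewrite an archive so every entry sits under '<bundle_name>.app/',
    which is what the author did by hand before the 'App' package was picked."""
    if not bundle_name.endswith(".app"):
        bundle_name += ".app"
    root = bundle_name + "/"
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        dst.writestr(root, b"")
        for info in src.infolist():
            data = b"" if info.is_dir() else src.read(info)
            dst.writestr(root + info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    bad = build_zip(BAD_LAYOUT)
    print("as uploaded:", check_submission(bad))
    good = repack_under_bundle(bad, "Dokument")
    print("repacked:   ", check_submission(good))
    for name in names_in(good):
        print("  ", name)
```

Running it prints ("Contents/", None) for the original layout and ("Dokument.app/", "App") after repacking, which is the same transition the two analysis.log excerpts show.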

zentavr commented 5 years ago

I tried a trick: I submitted 1.sh for analysis:

#!/bin/bash

curl -k  -o 1.iso http://archive.ubuntu.com/ubuntu/dists/bionic-updates/main/installer-amd64/current/images/netboot/mini.iso

I cannot see any requests to ubuntu.com in the report at all.

doomedraven commented 5 years ago

should be for latest cuckoo

zentavr commented 5 years ago

@doomedraven, I installed mac-a-mal on cuckoo 2.0.6.2 and have the same issue: I have a very strong feeling that the malware had never been executed.

The scenario I used to install the patch is:

    git clone --depth=1 https://github.com/cuckoosandbox/cuckoo.git . -b 2.0.6.2
    git remote add mac-a-mal https://github.com/phdphuc/mac-a-mal-cuckoo.git
    git pull --allow-unrelated-histories --no-edit -s recursive -X theirs mac-a-mal master

    # Fix merge conflict (analyzer folder)

    python stuff/monitor.py
    python setup.py sdist

    # Remove folders
    rm -rf .git analyzer dist docs lib modules stuff tests web \
        .codeclimate.yml .gitignore .travis.yml LICENSE README.md \
        appveyor.yml conftest.py

    ... change the code ...
    tar zcvf ../cuckoo-2.0.6.2-mac-a-mal-8bbec99d.tar.gz .

liliagm19 commented 5 years ago

@zentavr Did you ever get this error after the analysis completes: "it appears that the Virtual Machine hasn't been able to contact back to the Cuckoo Host. There could be a few reasons for this, please refer to our documentation on the matter: https://cuckoo.sh/docs/faq/index.html#troubleshooting-vm-network-configuration"? I've been testing different Cuckoo versions with Mal-a-mac but I still can't make it work. And I am sure that the agent is working and that both the guest and the host can communicate with each other, the snapshot is also fine and the agent gets started from LaunchDaemons without issues.

zentavr commented 5 years ago

@liliagm19 I can check that only later next week.

liliagm19 commented 5 years ago

@zentavr I checked other comments you made and I realized that I just needed to install PyYAML and bson on the vm, so it's working fine now. Thanks! Any advice to improve it would be much appreciated though.

campeador commented 5 years ago

Hello guys, I have been following your discussion on GitHub. Have you made any advances on this?

I already have an OS X 10.12.6 guest over VirtualBox working, with the latest agent (0.8) [executed with sudo] and the latest Cuckoo (2.0.6.2) over Ubuntu 18.04. I can submit the sample and get the report (with strings, screenshots and VirusTotal matches).

But I have the same feeling that @zentavr had in the past; it is as if the sample is not being executed.

cat analysis.log:

2018-11-11 20:24:14,130 [root] DEBUG: Starting analyzer from /tmp9aIZmm
2018-11-11 20:24:14,131 [root] DEBUG: Storing results at: /tmp/qmFqJx
2018-11-11 20:24:14,132 [root] DEBUG: Cuckoo OS X Analyser: Macnalyzer
2018-11-11 20:24:14,135 [root] DEBUG: Sugesstion: None; File_type: Mach-O i386 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL>; File_name: CallMe
2018-11-24 17:18:35,265 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-11-24 17:18:38,658 [PIL.PngImagePlugin] DEBUG: STREAM 'IHDR' 16 13
2018-11-24 17:18:38,659 [PIL.PngImagePlugin] DEBUG: STREAM 'iCCP' 41 3070
2018-11-24 17:18:38,660 [PIL.PngImagePlugin] DEBUG: iCCP profile name 'ICC Profile'
2018-11-24 17:18:38,662 [PIL.PngImagePlugin] DEBUG: Compression method 0
2018-11-24 17:18:38,663 [PIL.PngImagePlugin] DEBUG: STREAM 'iTXt' 3123 414
2018-11-24 17:18:38,663 [PIL.PngImagePlugin] DEBUG: STREAM 'IDAT' 3549 16384
2018-11-24 17:18:41,174 [PIL.PngImagePlugin] DEBUG: STREAM 'IHDR' 16 13
2018-11-24 17:18:41,178 [PIL.PngImagePlugin] DEBUG: STREAM 'iCCP' 41 3070
2018-11-24 17:18:41,178 [PIL.PngImagePlugin] DEBUG: iCCP profile name 'ICC Profile'
2018-11-24 17:18:41,179 [PIL.PngImagePlugin] DEBUG: Compression method 0
2018-11-24 17:18:41,180 [PIL.PngImagePlugin] DEBUG: STREAM 'iTXt' 3123 414
2018-11-24 17:18:41,180 [PIL.PngImagePlugin] DEBUG: STREAM 'IDAT' 3549 16384
2018-11-24 17:18:43,520 [PIL.PngImagePlugin] DEBUG: STREAM 'IHDR' 16 13
2018-11-24 17:18:43,522 [PIL.PngImagePlugin] DEBUG: STREAM 'iCCP' 41 3070
2018-11-24 17:18:43,523 [PIL.PngImagePlugin] DEBUG: iCCP profile name 'ICC Profile'
....

cat cuckoo.log:

2018-11-24 17:18:55,261 [cuckoo.core.scheduler] INFO: Task #27: acquired machine OSX108 (label=OSX108)
2018-11-24 17:18:55,369 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 24630 (interface=vboxnet0, host=192.168.56.101)
2018-11-24 17:18:55,370 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2018-11-24 17:18:56,119 [cuckoo.machinery.virtualbox] DEBUG: Starting vm OSX108
2018-11-24 17:18:56,428 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine OSX108 to Snapshot11
2018-11-24 17:19:23,286 [cuckoo.core.guest] INFO: Starting analysis on guest (id=OSX108, ip=192.168.56.101)
2018-11-24 17:19:24,346 [cuckoo.core.guest] DEBUG: OSX108: not ready yet
2018-11-24 17:19:24,365 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.8 (id=OSX108, ip=192.168.56.101)
2018-11-24 17:19:24,536 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=OSX108, ip=192.168.56.101, monitor=latest, size=423674)
2018-11-24 17:19:24,890 [cuckoo.core.guest] DEBUG: OSX108: analysis still processing
2018-11-24 17:19:25,904 [cuckoo.core.guest] DEBUG: OSX108: analysis still processing
2018-11-24 17:19:26,918 [cuckoo.core.guest] DEBUG: OSX108: analysis still processing
2018-11-24 17:19:27,934 [cuckoo.core.guest] DEBUG: OSX108: analysis still processing
2018-11-24 17:19:28,269 [cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized.
2018-11-24 17:19:28,947 [cuckoo.core.guest] DEBUG: OSX108: analysis still processing
2018-11-24 17:19:29,960 [cuckoo.core.guest] DEBUG: OSX108: analysis still processing
2018-11-24 17:19:30,983 [cuckoo.core.guest] DEBUG: OSX108: analysis still processing
2018-11-24 17:19:31,995 [cuckoo.core.guest] DEBUG: OSX108: analysis still processing
2018-11-24 17:19:33,014 [cuckoo.core.guest] DEBUG: OSX108: analysis still processing
2018-11-24 17:19:34,027 [cuckoo.core.guest] DEBUG: OSX108: analysis still processing
2018-11-24 17:19:35,040 [cuckoo.core.guest] DEBUG: OSX108: analysis still processing
2018-11-24 17:19:36,063 [cuckoo.core.guest] DEBUG: OSX108: analysis still processing
2018-11-24 17:19:37,078 [cuckoo.core.guest] DEBUG: OSX108: analysis still processing
2018-11-24 17:19:37,124 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0001.png
2018-11-24 17:19:37,293 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 412649
2018-11-24 17:19:38,092 [cuckoo.core.guest] DEBUG: OSX108: analysis still processing
2018-11-24 17:19:39,104 [cuckoo.core.guest] DEBUG: OSX108: analysis still processing
2018-11-24 17:19:39,574 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0002.png
2018-11-24 17:19:39,762 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 437470
2018-11-24 17:19:40,120 [cuckoo.core.guest] DEBUG: OSX108: analysis still processing
2018-11-24 17:19:41,140 [cuckoo.core.guest] DEBUG: OSX108: analysis still processing
2018-11-24 17:19:41,711 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0003.png
2018-11-24 17:19:41,941 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 438035
2018-11-24 17:19:42,153 [cuckoo.core.guest] DEBUG: OSX108: analysis still processing
2018-11-24 17:19:43,168 [cuckoo.core.guest] DEBUG: OSX108: analysis still processing
2018-11-24 17:19:43,909 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0004.png
.....
2018-11-24 17:22:23,743 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0076.png
2018-11-24 17:22:23,950 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 439849
2018-11-24 17:22:24,460 [cuckoo.core.guest] DEBUG: OSX108: analysis still processing
2018-11-24 17:22:25,461 [cuckoo.core.guest] INFO: OSX108: end of analysis reached!
2018-11-24 17:22:25,609 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2018-11-24 17:22:25,610 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm OSX108
2018-11-24 17:22:25,865 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0077.png
2018-11-24 17:22:26,065 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 440163
2018-11-24 17:22:29,287 [cuckoo.core.scheduler] DEBUG: Released database task #27
2018-11-24 17:22:29,619 [cuckoo.core.plugins] DEBUG: Executed processing module "AnalysisInfo" for task #27
2018-11-24 17:22:29,634 [cuckoo.processing.behavior] WARNING: Analysis results folder does not contain any behavior log files.
2018-11-24 17:22:29,634 [cuckoo.core.plugins] DEBUG: Executed processing module "BehaviorAnalysis" for task #27
2018-11-24 17:22:29,636 [cuckoo.core.plugins] DEBUG: Executed processing module "Dropped" for task #27
2018-11-24 17:22:29,637 [cuckoo.core.plugins] DEBUG: Executed processing module "DroppedBuffer" for task #27
2018-11-24 17:22:29,660 [cuckoo.core.plugins] DEBUG: Executed processing module "MetaInfo" for task #27
2018-11-24 17:22:29,660 [cuckoo.core.plugins] DEBUG: Executed processing module "ProcessMemory" for task #27
2018-11-24 17:22:29,661 [cuckoo.core.plugins] DEBUG: Executed processing module "Procmon" for task #27
2018-11-24 17:22:29,948 [cuckoo.core.plugins] DEBUG: Executed processing module "Static" for task #27
2018-11-24 17:22:29,959 [cuckoo.core.plugins] DEBUG: Executed processing module "Strings" for task #27
2018-11-24 17:22:29,966 [cuckoo.core.plugins] DEBUG: Executed processing module "TargetInfo" for task #27
2018-11-24 17:22:35,009 [cuckoo.core.plugins] DEBUG: Executed processing module "NetworkAnalysis" for task #27
2018-11-24 17:22:35,580 [cuckoo.core.plugins] DEBUG: Executed processing module "VirusTotal" for task #27
2018-11-24 17:22:35,581 [cuckoo.core.plugins] DEBUG: Executed processing module "Extracted" for task #27
2018-11-24 17:22:35,582 [cuckoo.core.plugins] DEBUG: Executed processing module "TLSMasterSecrets" for task #27
2018-11-24 17:22:35,601 [cuckoo.core.plugins] DEBUG: Executed processing module "Debug" for task #27
2018-11-24 17:22:35,607 [cuckoo.core.plugins] DEBUG: Running 540 signatures
2018-11-24 17:22:35,943 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antivirus_virustotal
2018-11-24 17:22:35,955 [cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump"
2018-11-24 17:22:36,751 [cuckoo.core.plugins] DEBUG: Executed reporting module "MongoDB"
2018-11-24 17:22:36,752 [cuckoo.core.scheduler] INFO: Task #27: reports generation completed
2018-11-24 17:22:36,855 [cuckoo.core.scheduler] INFO: Task #27: analysis procedure completed

I already tried it with different cuckoo versions:

https://github.com/sandialabs/mac-sandbox/
https://github.com/rodionovd/cuckoo-osx-analyzer
https://github.com/phdphuc/mac-a-mal-cuckoo

I think I am missing something because nothing is executing properly.

If I finally get it to work I promise to document it.
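The cuckoo.log above carries the one line that answers "did the sample run": the behavior processing module warns that the results folder contains no behavior log files, even though 77 screenshots came back and the analyzer reported "end of analysis reached". Screenshots are produced by the Screenshots auxiliary module on the guest, so they prove only that the analyzer process was alive, not that the monitored target executed. The script below is an added example, not part of Cuckoo and not code from any comment in this thread; it pulls those facts out of cuckoo.log/analysis.log lines and gives a one-line verdict. The message patterns are copied from the excerpts on this page; the verdict rules, the function names (parse_line, triage, verdict) and the two sample logs are the example's own and are constructed from the excerpts.

```python
"""Triage of cuckoo.log / analysis.log for evidence that the sample ran.

Added example, not part of Cuckoo and not code from this thread.  The message
patterns are taken from the log excerpts above; the verdict rules are the
example's own.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) "
    r"\[(?P<logger>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$"
)
PACKAGE_RE = re.compile(
    r'Analysing file "(?P<target>[^"]+)" using package "(?P<package>[^"]+)"')
# The final Exception line of a traceback carries no timestamp, so it is
# matched on the raw line, anchored to avoid the 'raise Exception("... %s")'
# source line that precedes it in the same traceback.
NO_PACKAGE_RE = re.compile(
    r"^Exception: Unable to detect analysis package for the file (?P<target>\S+)")
SHOT_RE = re.compile(r"File upload request for shots/\d+\.png")
NO_BEHAVIOR = "does not contain any behavior log files"
END_REACHED = "end of analysis reached"

# Constructed samples modelled on the excerpts in this thread; cuckoo.log and
# analysis.log lines are merged into one stream for brevity.
RUN_REPACKED = """\
2018-07-28 00:00:35,411 [modules.packages.zip] DEBUG: Missing file option, auto executing: Dokument.app/
2018-07-28 00:00:35,423 [modules.packages.zip] DEBUG: Analysing file "Dokument.app/" using package "App"
2018-07-28 00:00:53,988 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0001.png
2018-07-28 00:00:54,077 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 2177065
2018-07-28 00:02:13,100 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0002.png
2018-07-28 00:12:50,579 [cuckoo.core.guest] INFO: cuckoo-2.0-sierra-bs: end of analysis reached!
2018-07-28 00:12:55,000 [cuckoo.processing.behavior] WARNING: Analysis results folder does not contain any behavior log files.
"""

RUN_CONTENTS_ROOT = """\
2018-07-27 22:51:24,432 [modules.packages.zip] DEBUG: Missing file option, auto executing: Contents/
2018-07-27 22:51:24,443 [root] ERROR: Traceback (most recent call last):
  File "/tmp/tmpkgMWGf/analyzer.py", line 193, in <module>
    success = analyzer.run()
    raise Exception("Unable to detect analysis package for the file %s" % target_name)
Exception: Unable to detect analysis package for the file Contents/
2018-07-27 22:51:41,420 [cuckoo.core.guest] INFO: cuckoo-2.0-sierra-bs: analysis completed successfully
"""


def parse_line(line):
    """Split one timestamped record into its fields; None for continuation
    lines (traceback frames and the Exception line carry no timestamp)."""
    m = LINE_RE.match(line.rstrip())
    return m.groupdict() if m else None


def triage(log_text):
    """Collect the facts that separate 'the sample ran under the monitor'
    from 'the analyzer only took screenshots' and 'the analyzer crashed'."""
    report = {"package": None, "target": None, "package_error": None,
              "errors": 0, "screenshots": 0, "behavior_logs": True,
              "end_reached": False}
    for raw in log_text.splitlines():
        m = NO_PACKAGE_RE.match(raw)
        if m:
            report["package_error"] = m.group("target")
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["level"] == "ERROR":
            report["errors"] += 1
        m = PACKAGE_RE.search(msg)
        if m:
            report["target"], report["package"] = m.group("target"), m.group("package")
        if SHOT_RE.search(msg):
            report["screenshots"] += 1
        if NO_BEHAVIOR in msg:
            report["behavior_logs"] = False
        if END_REACHED in msg:
            report["end_reached"] = True
    return report


def verdict(report):
    """One-line reading of the report; these rules are the example's own."""
    if report["package_error"]:
        return "not started: no analysis package for %r" % report["package_error"]
    if report["package"] is None:
        return "not started: analyzer never selected a package"
    if not report["behavior_logs"]:
        return ("started %r via package %s, but no behaviour log came back "
                "(screenshots=%d); the sample may not have run under the monitor"
                % (report["target"], report["package"], report["screenshots"]))
    return "behaviour captured for %r via package %s" % (report["target"], report["package"])


if __name__ == "__main__":
    for name, text in (("repacked", RUN_REPACKED), ("Contents-rooted", RUN_CONTENTS_ROOT)):
        print(name + ":", verdict(triage(text)))
```

Point it at a real task directory by concatenating cuckoo.log and analysis.log; the "analysis completed successfully" line in the second sample is the same one the guest logged after the traceback on this page, which is why the verdict keys on the package selection and the behavior warning rather than on the completion message.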

zentavr commented 5 years ago

@campeador, we used to use Mac-a-mal

campeador commented 5 years ago

Thank you for your reply @zentavr, but did you finally get it working? I mean with the latest cuckoo and samples executing properly? Or how did you get it?

liliagm19 commented 5 years ago

@campeador What makes you think it's not executing? Are you comparing your results to other published reports about malicious Mac samples? Also, how did you get the screenshots to work? In my vm I only see what looks like a temporary png that is not being sent back to the server.

wroersma commented 5 years ago

Correct me if I'm wrong here but I do believe it's missing a generic package to run the package against if it doesn't find a working package for anything else? I have it not use those packages that it does support as well and still default to the generic one I had to make.

campeador commented 5 years ago

@liliagm19 It is not executing because I didn't see any traces of the execution. The screenshots work after installing the Pillow package in the OS X vm, and make sure you are running the agent with python2. I think I finally got it working with mac-a-mal, but I am tuning it to be sure that all is working properly.

liliagm19 commented 5 years ago

@campeador Everything is installed on the vm. But I'll reinstall again just in case, thanks.