mitmproxy only failed in cuckoo

secusoc commented 6 years ago

Hello, i have an issue with mitmproxy ONLY during Cuckoo's analysis

CONFIG:

Host = Ubuntu 16.04
Guest = Win7
Action for MITM:
Install python3.6, install mitmproxy
Add iptables rules
        $ sudo iptables -A FORWARD -o enp3s0f0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
        $ sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        $ sudo iptables -A POSTROUTING -t nat -j MASQUERADE
        $ sudo iptables -t nat -A PREROUTING -i vboxnet0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 50000
        $ sudo iptables -t nat -A PREROUTING -i vboxnet0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 50000
Add ...ca-cert.p12 in IE's CA store and in .cuckoo/analyzer/windows/bin/cert.p12
Modify auxiliary.conf 
        [mitm]
        enabled = yes
        mitmdump = /usr/local/bin/mitmdump      
        port_base = 50000
        script = stuff/mitm.py
        certificate = bin/cert.p12
Create .mitmproxy/config.yaml to use an upstream server

Iptables are the same for both test

MANUEL TEST OK:

I launch manually mitmdump -p 5000 on cuckoo's host
    $ mitmdump -p 50000
        Proxy server listening at http://*:50000
I start manually my VM and do tests:
    IE > conf no proxy > https://www.google.com =>  ERROR:  "Page can't be load"
    IE > conf proxy = IP_cuckoo:50000 > https://www.google.com      =>  OK
    IE > conf proxy = 192.168.56.1:50000 > https://www.google.com => OK
Result ok in mitmdump terminal:
    $ mitmdump -p 50000
        Proxy server listening at http://*:50000
        192.168.56.10:49162: clientconnect
        192.168.56.10:49163: GET https://www.google.fr/?gws_rd=ssl
                          << 200 OK 69.29k
        192.168.56.10:49164: clientconnect

CUCKOO ANALYSIS FAILED

Run analysis for https://www.google.com
In report:      No HTTP request
            IE shot.jpg show:    "Proxy server does not answer. check your proxy settings 192.168.56.1:50000"

Analyzer Log

2018-08-17 12:24:50,015 [analyzer] DEBUG: Starting analyzer from: C:\tmppjql8o
2018-08-17 12:24:50,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\NdIKCkCHYrvXjxyTezNZgx
2018-08-17 12:24:50,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\VGoEcEeDIllNbjnHGdozHywolJnxlp
2018-08-17 12:24:50,483 [analyzer] DEBUG: Started auxiliary module DbgView
2018-08-17 12:25:03,427 [analyzer] DEBUG: Started auxiliary module Disguise
2018-08-17 12:25:03,647 [analyzer] DEBUG: Loaded monitor into process with pid 476
2018-08-17 12:25:03,647 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-08-17 12:25:03,647 [analyzer] DEBUG: Started auxiliary module Human
2018-08-17 12:25:03,835 [modules.auxiliary.installcert] INFO: Successfully installed PFX certificate.
2018-08-17 12:25:03,835 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-08-17 12:25:03,835 [analyzer] DEBUG: Started auxiliary module Reboot
2018-08-17 12:25:04,552 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-08-17 12:25:04,552 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-08-17 12:25:04,552 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2018-08-17 12:25:04,599 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files\\Internet Explorer\\iexplore.exe' with arguments ['https://www.google.com'] and pid 2240
2018-08-17 12:25:04,724 [analyzer] DEBUG: Loaded monitor into process with pid 2240
2018-08-17 12:25:06,194 [analyzer] INFO: Added new file to list with pid 2240 and path C:\Users\test\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CDF77EA1-A207-11E8-A471-080027DEC754}.dat
2018-08-17 12:25:06,335 [analyzer] INFO: Added new file to list with pid 2240 and path C:\Users\test\AppData\Local\Temp\~DF9E4FDE14C9D12ECB.TMP
2018-08-17 12:25:06,552 [analyzer] INFO: Added new file to list with pid 2240 and path C:\Users\test\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CDF77EA3-A207-11E8-A471-080027DEC754}.dat
2018-08-17 12:25:06,569 [analyzer] INFO: Added new file to list with pid 2240 and path C:\Users\test\AppData\Local\Temp\~DF5A386CE0994C4FEE.TMP
2018-08-17 12:25:06,865 [analyzer] DEBUG: Following legitimate IE11 process: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2240 CREDAT:209921 /prefetch:2!
2018-08-17 12:25:06,897 [analyzer] INFO: Injected into process with pid 1076 and name u'iexplore.exe'
2018-08-17 12:25:07,585 [lib.api.process] INFO: Memory dump of process with pid 1076 completed
2018-08-17 12:25:07,819 [analyzer] DEBUG: Loaded monitor into process with pid 1076
2018-08-17 12:25:08,147 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2018-08-17 12:25:08,147 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2018-08-17 12:25:08,147 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2018-08-17 12:25:08,147 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2018-08-17 12:25:08,147 [analyzer] DEBUG: Error resolving function mshtml!CImgElement_put_src through our custom callback.
2018-08-17 12:25:08,147 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2018-08-17 12:25:08,147 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2018-08-17 12:25:08,147 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2018-08-17 12:25:08,163 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2018-08-17 12:25:08,163 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2018-08-17 12:25:08,163 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2018-08-17 12:25:08,163 [analyzer] DEBUG: Error resolving function mshtml!CImgElement_put_src through our custom callback.
2018-08-17 12:25:08,163 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2018-08-17 12:25:08,163 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2018-08-17 12:25:22,052 [analyzer] INFO: Added new file to list with pid 2240 and path C:\Users\test\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D83154A4-A207-11E8-A471-080027DEC754}.dat
2018-08-17 12:25:22,069 [analyzer] INFO: Added new file to list with pid 2240 and path C:\Users\test\AppData\Local\Temp\~DF0DE45034C615B238.TMP
2018-08-17 12:25:22,288 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2018-08-17 12:25:22,288 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2018-08-17 12:25:22,288 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2018-08-17 12:25:22,288 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2018-08-17 12:25:22,288 [analyzer] DEBUG: Error resolving function mshtml!CImgElement_put_src through our custom callback.
2018-08-17 12:25:22,288 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2018-08-17 12:25:22,288 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2018-08-17 12:25:22,302 [analyzer] INFO: io=NULL
2018-08-17 12:25:22,302 [analyzer] DEBUG: Error resolving function jscript9!JsGlobalObjectDefaultEvalHelper through our custom callback.
2018-08-17 12:25:22,302 [analyzer] INFO: io=NULL
2018-08-17 12:25:22,302 [analyzer] DEBUG: Error resolving function jscript9!JsGlobalObjectDefaultEvalHelper through our custom callback.
2018-08-17 12:25:22,319 [analyzer] INFO: io=NULL
2018-08-17 12:25:22,319 [analyzer] DEBUG: Error resolving function jscript9!JsGlobalObjectDefaultEvalHelper through our custom callback.
2018-08-17 12:25:22,319 [analyzer] INFO: io=NULL
2018-08-17 12:25:22,319 [analyzer] DEBUG: Error resolving function jscript9!JsGlobalObjectDefaultEvalHelper through our custom callback.
2018-08-17 12:25:50,522 [analyzer] INFO: Added new file to list with pid 1076 and path C:\Users\test\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YY24CWN\proxyerror[2]
2018-08-17 12:25:50,569 [analyzer] INFO: Added new file to list with pid 1076 and path C:\Users\test\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z7Q6FWPJ\NewErrorPageTemplate[3]
2018-08-17 12:25:50,569 [analyzer] INFO: Added new file to list with pid 1076 and path C:\Users\test\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z7Q6FWPJ\errorPageStrings[1]
2018-08-17 12:25:50,585 [analyzer] INFO: Added new file to list with pid 1076 and path C:\Users\test\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N3TA2IMS\httpErrorPagesScripts[1]
2018-08-17 12:25:50,615 [analyzer] INFO: io=NULL
2018-08-17 12:25:50,615 [analyzer] DEBUG: Error resolving function jscript9!JsGlobalObjectDefaultEvalHelper through our custom callback.
2018-08-17 12:27:03,990 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-08-17 12:27:09,960 [lib.api.process] INFO: Memory dump of process with pid 2240 completed
2018-08-17 12:27:15,210 [lib.api.process] INFO: Memory dump of process with pid 1076 completed
2018-08-17 12:27:15,210 [analyzer] INFO: Error dumping file from path "c:\users\test\appdata\local\temp\~df0de45034c615b238.tmp": [Errno 13] Permission denied: u'c:\\users\\test\\appdata\\local\\temp\\~df0de45034c615b238.tmp'
2018-08-17 12:27:15,224 [analyzer] INFO: Error dumping file from path "c:\users\test\appdata\local\temp\~df9e4fde14c9d12ecb.tmp": [Errno 13] Permission denied: u'c:\\users\\test\\appdata\\local\\temp\\~df9e4fde14c9d12ecb.tmp'
2018-08-17 12:27:15,256 [analyzer] INFO: Error dumping file from path "c:\users\test\appdata\local\temp\~df5a386ce0994c4fee.tmp": [Errno 13] Permission denied: u'c:\\users\\test\\appdata\\local\\temp\\~df5a386ce0994c4fee.tmp'
2018-08-17 12:27:15,256 [analyzer] INFO: Analysis completed.

cuckoo.log

2018-08-17 12:24:50,900 [cuckoo.core.scheduler] INFO: Task #84: acquired machine Win7_x64_IE11_Java7u65 (label=Win7_x64_IE11_Java7u65)
2018-08-17 12:24:50,916 [cuckoo.auxiliary.mitm] INFO: Started mitm interception with PID 8642 (ip=192.168.56.1, port=50001).
2018-08-17 12:24:50,916 [cuckoo.core.plugins] DEBUG: Started auxiliary module: MITM
2018-08-17 12:24:50,933 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 8643 (interface=vboxnet0, host=192.168.56.10)
2018-08-17 12:24:50,933 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2018-08-17 12:24:50,954 [cuckoo.machinery.virtualbox] DEBUG: Starting vm Win7_x64_IE11_Java7u65
2018-08-17 12:24:51,473 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine Win7_x64_IE11_Java7u65 to test_mitm6
2018-08-17 12:24:56,735 [cuckoo.core.guest] INFO: Starting analysis on guest (id=Win7_x64_IE11_Java7u65, ip=192.168.56.10)
2018-08-17 12:24:57,740 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: not ready yet
2018-08-17 12:24:58,746 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: not ready yet
2018-08-17 12:24:59,752 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: not ready yet
2018-08-17 12:25:00,757 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: not ready yet
2018-08-17 12:25:01,771 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.8 (id=Win7_x64_IE11_Java7u65, ip=192.168.56.10)
2018-08-17 12:25:01,802 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=Win7_x64_IE11_Java7u65, ip=192.168.56.10, monitor=latest, size=3853622)
2018-08-17 12:25:02,143 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 12:25:02,445 [cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized.
2018-08-17 12:25:04,164 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 12:25:04,665 [cuckoo.core.resultserver] DEBUG: New process (pid=2240, ppid=1196, name=iexplore.exe)
2018-08-17 12:25:05,174 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 12:25:05,958 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0001.jpg
2018-08-17 12:27:08,747 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 12:27:09,477 [cuckoo.core.resultserver] DEBUG: File upload request for memory/2240-1.dmp
2018-08-17 12:27:09,779 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 12:27:09,807 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 109083864
2018-08-17 12:27:13,814 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 12:27:14,795 [cuckoo.core.resultserver] DEBUG: File upload request for memory/1076-2.dmp
2018-08-17 12:27:14,839 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 12:27:15,154 [cuckoo.core.resultserver] WARNING: Uploaded file length larger than upload_max_size, stopping upload.
2018-08-17 12:27:15,155 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 134217743
2018-08-17 12:27:15,225 [cuckoo.core.resultserver] DEBUG: File upload request for files/f606ea25f8d1aee0_proxyerror[2]
2018-08-17 12:27:15,225 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 1538
2018-08-17 12:27:15,245 [cuckoo.core.resultserver] DEBUG: File upload request for files/f82e99852449d805_recoverystore.{cdf77ea1-a207-11e8-a471-080027dec754}.dat
2018-08-17 12:27:15,245 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 5632
2018-08-17 12:27:15,248 [cuckoo.core.resultserver] DEBUG: File upload request for files/11451760978dc724_{d83154a4-a207-11e8-a471-080027dec754}.dat
2018-08-17 12:27:15,249 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 3584
2018-08-17 12:27:15,251 [cuckoo.core.resultserver] DEBUG: File upload request for files/204d95c6fb161368_newerrorpagetemplate[3]
2018-08-17 12:27:15,252 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 1310
2018-08-17 12:27:15,254 [cuckoo.core.resultserver] DEBUG: File upload request for files/46e019fa34465f4e_httperrorpagesscripts[1]
2018-08-17 12:27:15,255 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 8714
2018-08-17 12:27:15,258 [cuckoo.core.resultserver] DEBUG: File upload request for files/b456b22fe619f156_{cdf77ea3-a207-11e8-a471-080027dec754}.dat
2018-08-17 12:27:15,259 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 4096
2018-08-17 12:27:15,261 [cuckoo.core.resultserver] DEBUG: File upload request for files/0ca7639d966359f2_errorpagestrings[1]
2018-08-17 12:27:15,262 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 3339
2018-08-17 12:28:00,360 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 12:28:01,370 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 12:28:02,371 [cuckoo.core.guest] INFO: Win7_x64_IE11_Java7u65: end of analysis reached!
2018-08-17 12:28:02,380 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: MITM
2018-08-17 12:28:02,414 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2018-08-17 12:28:11,536 [cuckoo.core.plugins] DEBUG: Executed processing module "TLSMasterSecrets" for task #84
2018-08-17 12:28:11,540 [cuckoo.core.plugins] DEBUG: Executed processing module "Debug" for task #84
2018-08-17 12:28:11,543 [cuckoo.core.plugins] DEBUG: Running 540 signatures
2018-08-17 12:28:12,245 [cuckoo.core.plugins] DEBUG: Analysis matched signature: dead_host
2018-08-17 12:28:12,245 [cuckoo.core.plugins] DEBUG: Analysis matched signature: persistence_ads
2018-08-17 12:28:12,246 [cuckoo.core.plugins] DEBUG: Analysis matched signature: allocates_rwx
2018-08-17 12:28:12,246 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antivirus_virustotal
2018-08-17 12:28:12,247 [cuckoo.core.plugins] DEBUG: Analysis matched signature: protection_rx
2018-08-17 12:28:12,247 [cuckoo.core.plugins] DEBUG: Analysis matched signature: memdump_ip_urls
2018-08-17 12:28:12,247 [cuckoo.core.plugins] DEBUG: Analysis matched signature: memdump_urls
2018-08-17 12:28:12,248 [cuckoo.core.plugins] DEBUG: Analysis matched signature: injection_resumethread
2018-08-17 12:28:12,248 [cuckoo.core.plugins] DEBUG: Analysis matched signature: uses_windows_utilities
2018-08-17 12:28:12,854 [cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump"
2018-08-17 12:28:14,999 [cuckoo.core.plugins] DEBUG: Executed reporting module "SingleFile"

Thanks for your help

doomedraven commented 6 years ago

try install mitmproxy with pip2, as cuckoo is py2, not py3

secusoc commented 6 years ago

Hi doomedraven Mitmproxy 4 only possible with python3.6 Could you give me the last MITM number version you use to download it ?

doomedraven commented 6 years ago

i don't use mitmproxy so you will need to find it in your own

secusoc commented 6 years ago

Same after uninstall mitm4 and install mitm0.18 for python 2.7 cuckoo = 2.0.6 python = 2.7 mitmdump = 0.18.2

Manual test succeed Cuckoo's fail with same message:

Analyzer Log

2018-08-17 15:51:39,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpycpcdp
2018-08-17 15:51:39,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\ICJNRrhhLMROpTDEViUkF
2018-08-17 15:51:39,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\XOXVsOrmuBEVTbbUOCDjQAhAYr
2018-08-17 15:51:39,467 [analyzer] DEBUG: Started auxiliary module DbgView
2018-08-17 15:51:39,921 [analyzer] DEBUG: Started auxiliary module Disguise
2018-08-17 15:51:40,155 [analyzer] DEBUG: Loaded monitor into process with pid 472
2018-08-17 15:51:40,155 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-08-17 15:51:40,155 [analyzer] DEBUG: Started auxiliary module Human
2018-08-17 15:51:41,546 [modules.auxiliary.installcert] INFO: Successfully installed PFX certificate.
2018-08-17 15:51:41,546 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-08-17 15:51:41,546 [analyzer] DEBUG: Started auxiliary module Reboot
2018-08-17 15:51:41,733 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-08-17 15:51:41,733 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-08-17 15:51:41,733 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2018-08-17 15:51:41,780 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files\\Internet Explorer\\iexplore.exe' with arguments ['https://www.facebook.com'] and pid 2516
2018-08-17 15:51:41,921 [analyzer] DEBUG: Loaded monitor into process with pid 2516
2018-08-17 15:51:43,000 [analyzer] INFO: Added new file to list with pid 2516 and path C:\Users\test\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AB3BF6DB-A224-11E8-9458-080027DEC754}.dat
2018-08-17 15:51:43,030 [analyzer] INFO: Added new file to list with pid 2516 and path C:\Users\test\AppData\Local\Temp\~DF57924FFA4EB5B381.TMP
2018-08-17 15:51:43,562 [analyzer] INFO: Added new file to list with pid 2516 and path C:\Users\test\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AB3BF6DD-A224-11E8-9458-080027DEC754}.dat
2018-08-17 15:51:43,578 [analyzer] INFO: Added new file to list with pid 2516 and path C:\Users\test\AppData\Local\Temp\~DF3888ED858E417B19.TMP
2018-08-17 15:51:43,828 [analyzer] DEBUG: Following legitimate IE11 process: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2516 CREDAT:209921 /prefetch:2!
2018-08-17 15:51:43,937 [analyzer] INFO: Injected into process with pid 2416 and name u'iexplore.exe'
2018-08-17 15:51:44,062 [lib.api.process] INFO: Memory dump of process with pid 2416 completed
2018-08-17 15:51:44,265 [analyzer] DEBUG: Loaded monitor into process with pid 2416
2018-08-17 15:51:44,421 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2018-08-17 15:51:44,421 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2018-08-17 15:51:44,421 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2018-08-17 15:51:44,421 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2018-08-17 15:51:44,437 [analyzer] DEBUG: Error resolving function mshtml!CImgElement_put_src through our custom callback.
2018-08-17 15:51:44,437 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2018-08-17 15:51:44,437 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2018-08-17 15:51:44,453 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2018-08-17 15:51:44,453 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2018-08-17 15:51:44,467 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2018-08-17 15:51:44,467 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2018-08-17 15:51:44,467 [analyzer] DEBUG: Error resolving function mshtml!CImgElement_put_src through our custom callback.
2018-08-17 15:51:44,467 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2018-08-17 15:51:44,467 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2018-08-17 15:52:00,346 [analyzer] INFO: Added new file to list with pid 2516 and path C:\Users\test\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B6265F56-A224-11E8-9458-080027DEC754}.dat
2018-08-17 15:52:00,365 [analyzer] INFO: Added new file to list with pid 2516 and path C:\Users\test\AppData\Local\Temp\~DFF42200EC89936094.TMP
2018-08-17 15:52:00,555 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2018-08-17 15:52:00,555 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2018-08-17 15:52:00,555 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2018-08-17 15:52:00,555 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2018-08-17 15:52:00,555 [analyzer] DEBUG: Error resolving function mshtml!CImgElement_put_src through our custom callback.
2018-08-17 15:52:00,573 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2018-08-17 15:52:00,573 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2018-08-17 15:52:00,592 [analyzer] INFO: io=NULL
2018-08-17 15:52:00,592 [analyzer] DEBUG: Error resolving function jscript9!JsGlobalObjectDefaultEvalHelper through our custom callback.
2018-08-17 15:52:00,592 [analyzer] INFO: io=NULL
2018-08-17 15:52:00,592 [analyzer] DEBUG: Error resolving function jscript9!JsGlobalObjectDefaultEvalHelper through our custom callback.
2018-08-17 15:52:00,592 [analyzer] INFO: io=NULL
2018-08-17 15:52:00,592 [analyzer] DEBUG: Error resolving function jscript9!JsGlobalObjectDefaultEvalHelper through our custom callback.
2018-08-17 15:52:00,592 [analyzer] INFO: io=NULL
2018-08-17 15:52:00,592 [analyzer] DEBUG: Error resolving function jscript9!JsGlobalObjectDefaultEvalHelper through our custom callback.
2018-08-17 15:52:37,746 [analyzer] INFO: Added new file to list with pid 2416 and path C:\Users\test\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YY24CWN\proxyerror[3]
2018-08-17 15:52:37,769 [analyzer] INFO: Added new file to list with pid 2416 and path C:\Users\test\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YY24CWN\NewErrorPageTemplate[1]
2018-08-17 15:52:37,792 [analyzer] INFO: Added new file to list with pid 2416 and path C:\Users\test\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G9J3O55R\errorPageStrings[1]
2018-08-17 15:52:37,815 [analyzer] INFO: Added new file to list with pid 2416 and path C:\Users\test\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z7Q6FWPJ\httpErrorPagesScripts[2]
2018-08-17 15:52:37,976 [analyzer] INFO: io=NULL
2018-08-17 15:52:37,999 [analyzer] DEBUG: Error resolving function jscript9!JsGlobalObjectDefaultEvalHelper through our custom callback.
2018-08-17 15:53:59,408 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-08-17 15:54:05,213 [lib.api.process] INFO: Memory dump of process with pid 2516 completed
2018-08-17 15:54:08,664 [lib.api.process] INFO: Memory dump of process with pid 2416 completed
2018-08-17 15:54:08,674 [analyzer] INFO: Error dumping file from path "c:\users\test\appdata\local\temp\~df57924ffa4eb5b381.tmp": [Errno 13] Permission denied: u'c:\\users\\test\\appdata\\local\\temp\\~df57924ffa4eb5b381.tmp'
2018-08-17 15:54:08,694 [analyzer] INFO: Error dumping file from path "c:\users\test\appdata\local\temp\~df3888ed858e417b19.tmp": [Errno 13] Permission denied: u'c:\\users\\test\\appdata\\local\\temp\\~df3888ed858e417b19.tmp'
2018-08-17 15:54:08,703 [analyzer] INFO: Error dumping file from path "c:\users\test\appdata\local\temp\~dff42200ec89936094.tmp": [Errno 13] Permission denied: u'c:\\users\\test\\appdata\\local\\temp\\~dff42200ec89936094.tmp'
2018-08-17 15:54:08,703 [analyzer] INFO: Analysis completed.

Cuckoo Log


2018-08-17 15:51:39,755 [cuckoo.core.scheduler] INFO: Task #89: acquired machine Win7_x64_IE11_Java7u65 (label=Win7_x64_IE11_Java7u65)
2018-08-17 15:51:39,762 [cuckoo.auxiliary.mitm] INFO: Started mitm interception with PID 6846 (ip=192.168.56.1, port=50000).
2018-08-17 15:51:39,763 [cuckoo.core.plugins] DEBUG: Started auxiliary module: MITM
2018-08-17 15:51:39,770 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 6847 (interface=vboxnet0, host=192.168.56.10)
2018-08-17 15:51:39,771 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2018-08-17 15:51:39,795 [cuckoo.machinery.virtualbox] DEBUG: Starting vm Win7_x64_IE11_Java7u65
2018-08-17 15:51:40,331 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine Win7_x64_IE11_Java7u65 to test_mitm9
2018-08-17 15:51:45,051 [cuckoo.core.guest] INFO: Starting analysis on guest (id=Win7_x64_IE11_Java7u65, ip=192.168.56.10)
2018-08-17 15:51:46,055 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: not ready yet
2018-08-17 15:51:47,060 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: not ready yet
2018-08-17 15:51:48,066 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: not ready yet
2018-08-17 15:51:49,071 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: not ready yet
2018-08-17 15:51:50,082 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.8 (id=Win7_x64_IE11_Java7u65, ip=192.168.56.10)
2018-08-17 15:51:50,115 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=Win7_x64_IE11_Java7u65, ip=192.168.56.10, monitor=latest, size=3855011)
2018-08-17 15:51:50,461 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:51:50,820 [cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized.
2018-08-17 15:51:51,471 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:51:52,479 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:51:53,490 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:51:53,682 [cuckoo.core.resultserver] DEBUG: New process (pid=2516, ppid=2504, name=iexplore.exe)
2018-08-17 15:51:54,498 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:51:54,999 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0001.jpg
2018-08-17 15:51:55,056 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 278033
2018-08-17 15:51:55,506 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:51:55,883 [cuckoo.core.resultserver] DEBUG: File upload request for memory/2416-1.dmp
2018-08-17 15:51:55,908 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 4281160
2018-08-17 15:51:56,031 [cuckoo.core.resultserver] DEBUG: New process (pid=2416, ppid=2516, name=iexplore.exe)
2018-08-17 15:51:56,233 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0002.jpg
2018-08-17 15:51:56,242 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 135721
2018-08-17 15:51:56,527 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:51:57,361 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0003.jpg
2018-08-17 15:51:57,368 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 72135
2018-08-17 15:51:57,537 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:51:58,546 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:51:59,556 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:00,564 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:01,573 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:02,582 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:03,592 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:04,601 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:05,610 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:06,620 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:07,629 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:08,639 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:09,648 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:10,658 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:11,666 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:12,677 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:13,686 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:14,695 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:15,705 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:16,714 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:17,724 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:18,734 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:19,742 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:20,751 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:21,761 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:22,770 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:23,781 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:24,795 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:25,805 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:26,815 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:27,825 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:28,835 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:29,846 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:30,857 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:31,868 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:32,878 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:33,888 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:34,898 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:35,907 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:36,918 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:37,927 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:38,935 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:39,896 [cuckoo.core.resultserver] DEBUG: File upload request for shots/0004.jpg
2018-08-17 15:52:39,915 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 111364
2018-08-17 15:52:39,943 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:40,954 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:41,963 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:42,971 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:43,980 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:44,988 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:45,995 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:47,003 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:48,011 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:49,020 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:50,028 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:51,036 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:52,045 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:53,054 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:54,064 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:55,074 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:56,083 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:57,092 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:58,101 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:52:59,111 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:00,121 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:01,152 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:02,162 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:03,172 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:04,181 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:05,192 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:06,202 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:07,212 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:08,222 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:09,231 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:10,240 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:11,251 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:12,261 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:13,271 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:14,282 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:15,291 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:16,301 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:17,311 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:18,323 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:19,333 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:20,342 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:21,351 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:22,361 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:23,370 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:24,380 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:25,389 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:26,417 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:27,449 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:28,459 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:29,469 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:30,479 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:31,489 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:32,499 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:33,508 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:34,518 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:35,529 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:36,538 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:37,549 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:38,558 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:39,568 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:40,581 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:41,591 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:42,601 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:43,610 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:44,621 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:45,631 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:46,641 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:47,651 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:48,662 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:49,671 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:50,681 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:51,690 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:52,701 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:53,710 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:54,723 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:55,730 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:56,776 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:57,824 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:58,871 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:53:59,918 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:00,661 [cuckoo.core.resultserver] DEBUG: File upload request for memory/2516-1.dmp
2018-08-17 15:54:00,966 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:01,013 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 109735440
2018-08-17 15:54:01,976 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:02,990 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:04,001 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:05,011 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:06,000 [cuckoo.core.resultserver] DEBUG: File upload request for memory/2416-2.dmp
2018-08-17 15:54:06,059 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:06,426 [cuckoo.core.resultserver] WARNING: Uploaded file length larger than upload_max_size, stopping upload.
2018-08-17 15:54:06,427 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 134217743
2018-08-17 15:54:06,500 [cuckoo.core.resultserver] DEBUG: File upload request for files/46e019fa34465f4e_httperrorpagesscripts[2]
2018-08-17 15:54:06,501 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 8714
2018-08-17 15:54:06,503 [cuckoo.core.resultserver] DEBUG: File upload request for files/0ca7639d966359f2_errorpagestrings[1]
2018-08-17 15:54:06,504 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 3339
2018-08-17 15:54:06,507 [cuckoo.core.resultserver] DEBUG: File upload request for files/f606ea25f8d1aee0_proxyerror[3]
2018-08-17 15:54:06,507 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 1538
2018-08-17 15:54:06,534 [cuckoo.core.resultserver] DEBUG: File upload request for files/2ac6a95e9fbe15ad_{b6265f56-a224-11e8-9458-080027dec754}.dat
2018-08-17 15:54:06,535 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 3584
2018-08-17 15:54:06,537 [cuckoo.core.resultserver] DEBUG: File upload request for files/204d95c6fb161368_newerrorpagetemplate[1]
2018-08-17 15:54:06,538 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 1310
2018-08-17 15:54:06,541 [cuckoo.core.resultserver] DEBUG: File upload request for files/0b3d064c81233eff_recoverystore.{ab3bf6db-a224-11e8-9458-080027dec754}.dat
2018-08-17 15:54:06,542 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 5632
2018-08-17 15:54:06,545 [cuckoo.core.resultserver] DEBUG: File upload request for files/890627a82090c2b8_{ab3bf6dd-a224-11e8-9458-080027dec754}.dat
2018-08-17 15:54:06,546 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 4096
2018-08-17 15:54:07,069 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:08,079 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:09,089 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:10,099 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:11,109 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:12,119 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:13,128 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:14,137 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:15,147 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:16,155 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:17,166 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:18,177 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:19,187 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:20,201 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:21,211 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:22,219 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:23,228 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:24,235 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:25,243 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:26,253 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:27,261 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:28,272 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:29,282 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:30,292 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:31,300 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:32,309 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:33,316 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:34,326 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:35,337 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:36,346 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:37,355 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:38,364 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:39,373 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:40,383 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:41,392 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:42,401 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:43,411 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:44,420 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:45,430 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:46,508 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:47,519 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:48,530 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:49,540 [cuckoo.core.guest] DEBUG: Win7_x64_IE11_Java7u65: analysis still processing
2018-08-17 15:54:50,541 [cuckoo.core.guest] INFO: Win7_x64_IE11_Java7u65: end of analysis reached!
2018-08-17 15:54:50,549 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: MITM
2018-08-17 15:54:50,578 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2018-08-17 15:54:50,579 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm Win7_x64_IE11_Java7u65
2018-08-17 15:54:52,234 [cuckoo.core.scheduler] DEBUG: Released database task #89
2018-08-17 15:54:52,268 [cuckoo.core.plugins] DEBUG: Executed processing module "AnalysisInfo" for task #89
2018-08-17 15:54:52,373 [cuckoo.core.plugins] DEBUG: Executed processing module "BehaviorAnalysis" for task #89
2018-08-17 15:54:52,403 [cuckoo.core.plugins] DEBUG: Executed processing module "Dropped" for task #89
2018-08-17 15:54:52,403 [cuckoo.core.plugins] DEBUG: Executed processing module "DroppedBuffer" for task #89
2018-08-17 15:54:56,849 [cuckoo.core.plugins] DEBUG: Executed processing module "MetaInfo" for task #89
2018-08-17 15:54:59,345 [cuckoo.core.plugins] DEBUG: Executed processing module "ProcessMemory" for task #89
2018-08-17 15:54:59,345 [cuckoo.core.plugins] DEBUG: Executed processing module "Procmon" for task #89
2018-08-17 15:54:59,406 [cuckoo.core.plugins] DEBUG: Executed processing module "Screenshots" for task #89
2018-08-17 15:54:59,407 [cuckoo.core.plugins] DEBUG: Executed processing module "Static" for task #89
2018-08-17 15:54:59,407 [cuckoo.core.plugins] DEBUG: Executed processing module "Strings" for task #89
2018-08-17 15:54:59,407 [cuckoo.core.plugins] DEBUG: Executed processing module "TargetInfo" for task #89
2018-08-17 15:54:59,433 [cuckoo.core.plugins] DEBUG: Executed processing module "NetworkAnalysis" for task #89
2018-08-17 15:54:59,994 [cuckoo.core.plugins] DEBUG: Executed processing module "VirusTotal" for task #89
2018-08-17 15:54:59,994 [cuckoo.core.plugins] DEBUG: Executed processing module "Extracted" for task #89
2018-08-17 15:54:59,995 [cuckoo.core.plugins] DEBUG: Executed processing module "TLSMasterSecrets" for task #89
2018-08-17 15:55:00,000 [cuckoo.core.plugins] DEBUG: Executed processing module "Debug" for task #89
2018-08-17 15:55:00,003 [cuckoo.core.plugins] DEBUG: Running 540 signatures
2018-08-17 15:55:00,666 [cuckoo.core.plugins] DEBUG: Analysis matched signature: dead_host
2018-08-17 15:55:00,666 [cuckoo.core.plugins] DEBUG: Analysis matched signature: persistence_ads
2018-08-17 15:55:00,666 [cuckoo.core.plugins] DEBUG: Analysis matched signature: allocates_rwx
2018-08-17 15:55:00,667 [cuckoo.core.plugins] DEBUG: Analysis matched signature: protection_rx
2018-08-17 15:55:00,667 [cuckoo.core.plugins] DEBUG: Analysis matched signature: memdump_ip_urls
2018-08-17 15:55:00,667 [cuckoo.core.plugins] DEBUG: Analysis matched signature: memdump_urls
2018-08-17 15:55:00,668 [cuckoo.core.plugins] DEBUG: Analysis matched signature: injection_resumethread
2018-08-17 15:55:00,668 [cuckoo.core.plugins] DEBUG: Analysis matched signature: uses_windows_utilities
2018-08-17 15:55:01,184 [cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump"
2018-08-17 15:55:03,809 [cuckoo.core.plugins] DEBUG: Executed reporting module "SingleFile"

Did someone succeed to use it in cuckoo ?

secusoc commented 6 years ago

I try multiple configuration in IE proxy settings: cuckoo's IP, 192.168.56.1, nothing... And i have always the same error: "Proxy server doesn't answer. check your proxy settings 192.168.56.1:50000" (I do a new snapshot for every Proxy change then i'm sure the new settings are used)

For those who use MITM, what do you put in IE proxy settings and in iptables ? Do we really need to put something in this because iptables will redirect 443 and 80 requests to Mitm ?

doomedraven commented 6 years ago

but wait, do you see reqs reaching proxy?

secusoc commented 6 years ago

No nothing arrive to mitmproxy when analysis run in Cuckoo (IE says proxy doesn't answer) If i start this same VM and use IE manually=> it works (see requests in mitmproxxy)

I thought it was iptables, but rules never change (same for both)
I change mitmproxy 0.18.2 with another version which can resolve problems (find in mitm's forum) => same
I change mitm's port to 60000 => same
I configure logging for mitm => Works manually but when cuckoo's running: No log!

Nothing arrive to mitmproxy but i don't understand why (try a lot of proxy settings, no firewall...) Strange that always same error for every test : "check your proxy settings 192.168.56.1:60000" (even if no proxy configure in IE) Nothing wrong in Cuckoo's log

doomedraven commented 6 years ago

i will need to check when i will have a bit of free time, but in past it worked just fine

doomedraven commented 6 years ago

ok few(stupid) questions

do you use cuckoo rooter?
the vm is the same which you use with cuckoo?
is the cert is the same?

i just saw my old notes, i was setting iptables for forward traffic with mitmproxy scripting, as it also didn't work in that way did you try this one?

https://docs.mitmproxy.org/stable/howto-transparent/ ?

secusoc commented 6 years ago

1) yes i use cuckoo rooter (internet mode) 2) VM is the same 3) Cert is the same 4) No try (but i'm going to read it and try)

doomedraven commented 6 years ago

ok roouter might be a problem did you do a iptable monitoring when you start analysis? as you have an iptables and rooter

secusoc commented 6 years ago

Test i've just done:

a) Purge all iptables

sudo iptables -L -t nat
        Chain PREROUTING (policy ACCEPT)
        target     prot opt source               destination

        Chain INPUT (policy ACCEPT)
        target     prot opt source               destination

        Chain OUTPUT (policy ACCEPT)
        target     prot opt source               destination

        Chain POSTROUTING (policy ACCEPT)
        target     prot opt source               destination

sudo iptables -L -t filter
        Chain INPUT (policy ACCEPT)
        target     prot opt source               destination

        Chain FORWARD (policy ACCEPT)
        target     prot opt source               destination

        Chain OUTPUT (policy ACCEPT)
        target     prot opt source               destination

b) Add rules manually

sudo iptables -A FORWARD -o enp3s0f0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo iptables -t nat -A PREROUTING -i vboxnet0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 60000
sudo iptables -t nat -A PREROUTING -i vboxnet0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 60000

Result:

sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https redir ports 60000
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 60000

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

sudo iptables -L -t filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.56.0/24      anywhere             ctstate NEW
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

c) Run a cuckoo's analysis (no reboot for rooter then only my iptables rules)


Error from machine 'Win7_x64_IE11_Java7u65': it appears that this Virtual Machine hasn't been configured properly as the Cuckoo Host wasn't able to connect to the Guest. 
There could be a few reasons for this, please refer to our documentation on the matter: https://cuckoo.sh/docs/faq/index.html#troubleshooting-vm-network-configuration

Error processing task #101: it appears that the Virtual Machine hasn't been able to contact back to the Cuckoo Host. 
There could be a few reasons for this, please refer to our documentation on the matter: https://cuckoo.sh/docs/faq/index.html#troubleshooting-vm-network-configuration

d) Reboot cuckoo -d


sudo supervisorctl restart cuckoo:cuckoo-daemon
        cuckoo:cuckoo-daemon: stopped
        cuckoo:cuckoo-daemon: started

Result:

sudo iptables -L -t nat
        Chain PREROUTING (policy ACCEPT)
        target     prot opt source               destination
        REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https redir ports 60000
        REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 60000

        Chain INPUT (policy ACCEPT)
        target     prot opt source               destination

        Chain OUTPUT (policy ACCEPT)
        target     prot opt source               destination

        Chain POSTROUTING (policy ACCEPT)
        target     prot opt source               destination
        MASQUERADE  all  --  anywhere             anywhere
        MASQUERADE  all  --  anywhere             anywhere

sudo iptables -L -t filter
        Chain INPUT (policy ACCEPT)
        target     prot opt source               destination
        ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
        ACCEPT     tcp  --  VM-MR-V.xxxxxx     web1-v.xxxxxx      tcp dpt:2042
        DROP       all  --  VM-MR-V.xxxxxx     anywhere

        Chain FORWARD (policy DROP)
        target     prot opt source               destination
        ACCEPT     all  --  192.168.56.0/24      anywhere             ctstate NEW
        ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
        ACCEPT     all  --  VM-MR-V.xxxxxx     anywhere
        ACCEPT     all  --  anywhere             VM-MR-V.xxxxxx

        Chain OUTPUT (policy ACCEPT)
        target     prot opt source               destination
        ACCEPT     tcp  --  web1-v.xxxxxx      VM-MR-V.xxxxxx     tcp dpt:8000
        DROP       all  --  VM-MR-V.xxxxxx     anywhere

e) Run cuckoo's analysis: Same error as before: "check your proxy settings 192.168.56.1:60000"

doomedraven commented 6 years ago

add logging for dropped so you will see what is filtering what

secusoc commented 6 years ago

Ok then after logging packets: SYN from vboxnet to 192.168.56.1:60000 was not Accept => I add a rule: iptables -A INPUT -i vboxnet0 -s 192.168.56.0/24 -d 192.168.56.1 -m conntrack --ctstate NEW -j ACCEPT => Now i can see in that request go out shot

But 2 problems:

I don't have any HTTP request in "Network analysis" (i can see them in PCAP)
When i export analysis: NOTHING in mitm.log and tlsmaster.txt

Then i think it miss something...

doomedraven commented 6 years ago

Now check tcpdump command putput qith ps aux when analydis start, as your iptables hijacks traffic

secusoc commented 6 years ago

(Test for https://www.facebook.com)

I put some debug point every where:

No more packets are blocked by iptables (all packets not matching rule are print and i see nothing for vboxnet0)
I tcpdump traffic (port 80 and 443) on every iface and nothing (Because all traffic from IE is going to MITM"s tunnel on port 50000)

I "strace" mitm.py and see all requests arrived and pass to my upstream proxy and send back to my Guest

    10200 sendto(25, "HTTP/1.1 200 Connection establis"..., 39, 0, NULL, 0) = 39
    10201 sendto(8, "CONNECT connect.facebook.net:443"..., 234, 0, NULL, 0) = 234
    10201 sendto(28, "HTTP/1.1 200 Connection establis"..., 39, 0, NULL, 0) = 39
    10237 sendto(25, "CONNECT static.xx.fbcdn.net:443 "..., 228, 0, NULL, 0 <unfinished ...>
    10238 sendto(26, "CONNECT static.xx.fbcdn.net:443 "..., 228, 0, NULL, 0 <unfinished ...>
    10235 sendto(28, "CONNECT static.xx.fbcdn.net:443 "..., 228, 0, NULL, 0) = 228
    10238 sendto(17, "HTTP/1.1 200 Connection establis"..., 39, 0, NULL, 0 <unfinished ...>

I clear whitelist domains to be sure to see everything
I test different configuration on IE settings but all gave same results No proxy proxy = 192.168.56.1:50000 proxy = cuckoo_host:50000

RESULTS: All HTTPS request are resolved and send back to my guest. MITM working as a Proxy (good point) But still have 3 "report" problems: a) In network analysis: "HTTP(s) (9)" but there is "No traffic" in details pane (and don't see http traffic in strace, pcap, tcpdump only CONNECT Request report in "TCP" or "IRC") b) mitm.log => empty (even if it send/receive traffic!) c) tlsmasters => empty

I disable MITM and i see HTTP(s) request details for the same URL

Conclusion: MITM is working as a Proxy but don't give information in: log, tlsmasters and HTTP traffic details

If someone succed to use MITM with Cuckoo: Could you try https://www.facebook.com to see if you have same problems If not could u give: Iptables config, IE settings, Http request details ?

Thanks in advance

Sandbox-It commented 6 years ago

I'm having this same exact issue with the same setup and similar config. Mitmproxy works when manually started and the VM is manually started. I receive the same IE proxy server is not responding error as secucoc when cuckoo is running the show. I have also noticed that cuckoo is using the same IP as the resultserver in cuckoo.conf for mitmproxy which I thought was odd. I can see with netstat that mitmproxy is listening on port 50000 while the analysis is running.

ytakeda-sec commented 5 years ago

I was suffering from the same problem. I solved this problem.

I was able to see https data with the following settings.

auxiliary.conf:

[mitm]
port_base = 8443

I think that the following two were the causes.

The default value of port_base in auxiliary.conf was 50000
The handlers registered in cuckoo/processing/network.py:Pcap2:__init__() did NOT contain 50000

Another possible solution is to modify cuckoo/processing/network.py as follows.

  class Pcap2(object):
      """Interprets the PCAP file through the httpreplay library which parses
      the various protocols, decrypts and decodes them, and then provides us
      with the high level representation of it."""

      def __init__(self, pcap_path, tlsmaster, network_path):
          self.pcap_path = pcap_path
          self.network_path = network_path

          self.handlers = {
              25: httpreplay.cut.smtp_handler,
              80: httpreplay.cut.http_handler,
              443: lambda: httpreplay.cut.https_handler(tlsmaster),
              465: httpreplay.cut.smtp_handler,
              587: httpreplay.cut.smtp_handler,
              4443: lambda: httpreplay.cut.https_handler(tlsmaster),
              8000: httpreplay.cut.http_handler,
              8080: httpreplay.cut.http_handler,
              8443: lambda: httpreplay.cut.https_handler(tlsmaster),
+             50000: lambda: httpreplay.cut.https_handler(tlsmaster),
          }

      def run(self):

Thanks.

LetMeR00t commented 5 years ago

Hi guys, As I see your issue here, you don't have the result of your HTTPS decryption traffic. I also have the same issue as yours guys and I opened a case here : https://github.com/cuckoosandbox/cuckoo/issues/2103 I finally made a patch that allows the HTTPS decryption. It's working with the last version of cuckoo. If you want to try, be my guest, you have to use two PRs not used at the moment :

Cuckoo : https://github.com/cuckoosandbox/cuckoo/pull/2104
httpreplay : https://github.com/hatching/httpreplay/pull/15 Once you compile these versions, you will be able to decrypt your traffic (a file named tlsmaster.mitm is created in each of your result folder). If you have any trouble, please contact me. Hope it will help you

obert01 commented 5 years ago

Hello @LetMeR00t,

I have just tested Cuckoo with a local merge of the following two pull requests:

Cuckoo: https://github.com/cuckoosandbox/cuckoo/pull/2104
httpreplay: https://github.com/hatching/httpreplay/pull/25

Unfortunately, my tlsmaster.txt file is still empty, and I only see HTTP requests/responses in the web interface (no HTTPS).

I think I am testing the right code, because the tlsmaster.mitm file contains all random and secrets. IN the dump.mitm file, I find all my traffic, including HTTPS requests and responses.

In the logs, I only see all the auxiliary and processing modules initializing, but no specific message related to tlsmaster.txt or other TLS stuff.

Could you help me debugging? What should I check?

obert01 commented 5 years ago

Sorry, I was trying httpreplay PR https://github.com/hatching/httpreplay/pull/25 instead of httpreplay PR https://github.com/hatching/httpreplay/pull/15

It works perfectly now. tlsmaster.txt is still empty, but I suppose it is not used anymore.

LetMeR00t commented 5 years ago

Hi @obert01, Great news, tlsmaster.txt is normally used but I was never able to use it :) You can specify custom parameters to mitmproxy in your home folder (.mitmproxy) if you want (see mitmproxy website)

cuckoosandbox / cuckoo

mitmproxy only failed in cuckoo #2440