Issue when i try analyze file with cuckoo!

[manolete66]

Thanks for creating an issue! But first: did you read our community guidelines? https://cuckoo.sh/docs/introduction/community.html

My issue is:

Hellow, im a student who is trying to set cuckoo enviorement for a class project. I configured all following the community guidelines of cuckoo but i get a issue.

In this link i show what the running cuckoo take out for screen. https://ibb.co/mCVptL

I need to point that i ran agent.py in the virtual machine (in my case windows7) as administrator and to transfer the data to analyze i opened a new terminal and wrote "cuckoo submit ejemplo" and this showed me a sucessfull submit message.

If someone can help me I will be grateful. Thanks for your time.

My Cuckoo version and operating system are:

Cuckoo Sandbox 2.0.6 Ubuntu 16.04 LTS

This can be reproduced by:

The log, error, files etc can be found at:

[doomedraven]

1. did you take snapshot in running state?
2. if 1 is yes, are you able to do curl vm_ip:8000 once analysis start

[manolete66]

Hellow doomedraven, i did and it was sucessfully. First i ran cuckoo, then i submited the file and finally i did curl 192.168.56.101:8000 (the ip of my virtual machine)

Here u can see the images:

https://ibb.co/fkJ7Xf https://ibb.co/hZH1sf

[doomedraven]

is that error happens to all your samples or only some?

[manolete66]

I tried only with VirusPrueba.bat but as u can see when i did the submit nothing happend and i cant understand it. Its like cuckoo cant recive the task to analyze. Furthermore, i dont know if the message which does reference to the timeout of the guest is normal, u can see it in cuckoo terminal logs that i uploaded. Thanks for ur time doomedraven!

[doomedraven]

well from the images it shows what it works normally, try different samples, and if it fails only on this one you will need to investigate, but normally it always the bad configuration problem

[manolete66]

Okay, ill try with other example to analyze. Last question, when i submit the task to analyze, in cuckoo logs i should see something which indicates that the task uploaded correctly?

[doomedraven]

read last 2 lines from your image here https://ibb.co/fkJ7Xf

[manolete66]

Hi again doomedraven, i got execute my own task (the file virusPrueba.bat appointed before) with cuckoo and this is the result:

https://ibb.co/faWqcq

Im not sure about the warning that cuckoo shows. Why no logs are generated?

This image contents the storage folder of the analisys:

https://ibb.co/bOimHq

Note: buffer, extracted, files, logs, network, shots are empty.

[doomedraven]

yep it means something went wrong, it can be what your script generate too much behavior so it need to be increased(enable -d for debug to see that msg) or idl, but run with debug mode so maybe there some clues

[manolete66]

Here u can see doom, the debug of cuckoo's execution:

https://ibb.co/jfCGkA https://ibb.co/hqstXq

Idk what is the problem, its like all be good except for the showed warning. Thanks for ur time.

[doomedraven]

can you post the vbox conf from configs ?

[manolete66]

virtualbox.conf:

https://ibb.co/huD8Xq https://ibb.co/gVJxQA https://ibb.co/h3n2sq

cuckoo.conf:

https://ibb.co/e7BvCq https://ibb.co/j4F0dV https://ibb.co/bFBTXq https://ibb.co/nwPhsq

[doomedraven]

all looks fine weird, what about ifconfig output? + do you have any custom iptables?

[manolete66]

ifconfig: https://ibb.co/ksSoFA

I havent got configured ip tables, i need it for communicate host and guest? I configured a only-host adapter and i can ping correctly between host and guest.

[doomedraven]

if i tell you truth im not sure what happens, you need to start tcpdump or wireshark and investigate why it has problem to send packages back, or wait

can you explain me step by step how did you run cuckoo? which users root and cuckoo? only cuckoo there could be a problem

[manolete66]

I run cuckoo with my own user whose name is "equipo". I added it to vbox users with this command:

sudo usermod -a -G vboxusers equipo

I didnt do more for users configuration.

[manolete66]

Doom, i advanced. I configured ip tables and now i could do the analyze of the file from the web interface of cuckoo. Here u can see the results:

https://ibb.co/nOLE5A https://ibb.co/d8YCsq https://ibb.co/k6zVdV https://ibb.co/egydXq https://ibb.co/hn0gkA

Nevertheless, i got the same warning:

https://ibb.co/bP58Xq I think that this execution was sucessfully but idk what is the warning and why it appears. The same directorys which i said that were empty are empty again (in storage, analyze 5, buffer, extracted, files, logs and shots)

[doomedraven]

vale por partes :P

1. vboxusers y cuckoo son diferentes prueba ejecutar todo en diferentes terminales
2. sudo cuckoo -d rooter -g equipo
3. cuckoo -d
4. cuckoo -d web -H 0.0.0.0
5. cuckoo -d process a1

[foolishhare]

Doom, i advanced. I configured ip tables and now i could do the analyze of the file from the web interface of cuckoo. Here u can see the results:

https://ibb.co/nOLE5A https://ibb.co/d8YCsq https://ibb.co/k6zVdV https://ibb.co/egydXq https://ibb.co/hn0gkA

Nevertheless, i got the same warning:

https://ibb.co/bP58Xq I think that this execution was sucessfully but idk what is the warning and why it appears. The same directorys which i said that were empty are empty again (in storage, analyze 5, buffer, extracted, files, logs and shots)

1) How named your user in guest VM(Windows)? 2) Did you run agent.py with admin privileges? I had same problem. My user in VM was cuckoo - so i changed it to "Administrator" And add agent.py to Task Scheduler, and mark checkbox "Run with highest privileges " That solve my problem.

[manolete66]

Doome, muy buenas de nuevo. He vuelto a intentar el analizar algo con cuckoo y estoy reciviendo este fallo:

2018-12-11 12:45:23,924 [cuckoo.core.guest] INFO: Virtual Machine /status failed (CuckooGuestError('Cuckoo Agent failed without error status, please try upgrading to the latest version of agent.py (>= 0.8) and notify us if the issue persists.',))

Creo que tengo toda la configuracion de cuckoo correcta. Ha que puede deberse este error?

[doomedraven]

My friend told me what this happens with latests versions of vbox only

[doomedraven]

Puedes probar version un pelin mas desqctualuzada de vbox pa ver

[manolete66]

The life in cuckoo is hard :( I will try with a older version of VB and after i'll tell u the result.

[doomedraven]

vbox sucks :P use kvm https://github.com/doomedraven/Tools/blob/master/Virtualization/kvm-qemu.sh

[manolete66]

Im installing the graphic interface of Virtual-Manager and configuring the guest and network enviroment. When i finish i'll tell u about the results of a cuckoo analyze.

PD: Some tips for the configuration of guest/network-guest in Virtual-manager?

[doomedraven]

@manolete66 i hope you figurated that out no? it pretty easy to configure networking and everything with virt-manager

[manolete66]

https://ibb.co/ZKLgLQb https://ibb.co/WKrjyV2

I configured all with kvm and in the images u can see the result.

In different terminals i ran:

sudo cuckoo -d rooter -g equipo cuckoo -d cuckoo submit VirusPrueba.bat

[doomedraven]

try also cuckoo -d -g equipo

[manolete66]

When i enter the above command i recive a error:

Error: no such option: -g

Idk if this command should work or whats happening.

[doomedraven]

cuckoo --help

[doomedraven]

ok --user equipo

[manolete66]

I tried and i got this: Failed to drop privileges to equipo: [Errno 1] Operation not permitted

[doomedraven]

what about ls -lah $HOME/.cwd basically you have fiels under different permission/user? do you have specific user for cuckoo or you have in equipo home folder?

[manolete66]

I have it in equipo home folder and all my files in $HOME are under equipo user. I cant understand this error :( .cwd doesnt exist in my $HOME A month ago i could execute cuckoo with normally but now always get the same error:

2018-12-11 12:45:23,924 [cuckoo.core.guest] INFO: Virtual Machine /status failed (CuckooGuestError('Cuckoo Agent failed without error status, please try upgrading to the latest version of agent.py (>= 0.8) and notify us if the issue persists.',))

[doomedraven]

That is bcz default group and user is cuckoo is why you should run everything under that user and not custom, for custom you need to use - - user and - g

Add cuckoo user change to it and enjoy

El lun., 17 dic. 2018 11:34, manolete66 notifications@github.com escribió:

I have it in equipo home folder and all my files in $HOME are under equipo user. I cant understand this error :( .cwd doesnt exist in my $HOME A month ago i could execute cuckoo with normally but now always get the same error:

2018-12-11 12:45:23,924 [cuckoo.core.guest] INFO: Virtual Machine /status failed (CuckooGuestError('Cuckoo Agent failed without error status, please try upgrading to the latest version of agent.py (>= 0.8) and notify us if the issue persists.',))

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/cuckoosandbox/cuckoo/issues/2547#issuecomment-447797840, or mute the thread https://github.com/notifications/unsubscribe-auth/ABxT70u2BzzLW-OQdFkACCvYdr58CKHsks5u53MygaJpZM4YLiYX .

[manolete66]

I cant run cuckoo -d --user equipo becouse it says:

Failed to drop privileges to equipo: [Errno 1] Operation not permitted

Then it cant find the option -g:

Error: no such option: -g

[manolete66]

Im a few lost in this permission problem.

[doomedraven]

--help helps Add cuckoo user and run everything under it and issue will be solved

El lun., 17 dic. 2018 11:47, manolete66 notifications@github.com escribió:

Im a few lost in this permission problem.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/cuckoosandbox/cuckoo/issues/2547#issuecomment-447801496, or mute the thread https://github.com/notifications/unsubscribe-auth/ABxT78L4Jk7Q3EKml7Zp3fNONN2LRcjdks5u53YpgaJpZM4YLiYX .

[manolete66]

okey i will try, thanks for all doomedraven.

[manolete66]

Ok doome, i did the next:

1) sudo adduser cuckoo 2) usermod -G libvirtd -a cuckoo 3) usermod -G kvm -a cuckoo 4) I closed session in my computer and enter again. 5) Ran cuckoo -d --user cuckoo Got this error:

2018-12-17 11:59:11,405 [cuckoo] CRITICAL: CuckooCriticalError: Error initializing machines: Cannot connect to libvirt

What is happening?

[doomedraven]

basically you can't connect to kvm/qemu, but you are in group, check in case if group name is libvirt(without d), i saw that once