cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

cuckoo sandbox runs for a minute and it's over #2565

Open icedxu opened 5 years ago

icedxu commented 5 years ago

I set the timeout with `cuckoo submit --enforce-timeout 480 /home/icedxu/ransomware/ cuckoo`, but I get an error: Cuckoo Sandbox runs for a minute and it's over, and I cannot get any information. What should I do?

doomedraven commented 5 years ago

READ THE MANUAL

icedxu commented 5 years ago

I set the timeout in cuckoo.conf, but it ends fast:

```ini
[timeouts]
# Set the default analysis timeout expressed in seconds. This value will be
# used to define after how many seconds the analysis will terminate unless
# otherwise specified at submission.
default = 430

# Set the critical timeout expressed in (relative!) seconds. It will be added
# to the default timeout above and after this timeout is hit
# Cuckoo will consider the analysis failed and it will shutdown the machine
# no matter what. When this happens the analysis results will most likely
# be lost.
critical = 430

# Maximum time to wait for virtual machine status change. For example when
# shutting down a vm. Default is 60 seconds.
vm_state = 60
```

How can I solve it?

doomedraven commented 5 years ago

Did you see enforce timeout on submission? Become familiar with all options first.

icedxu commented 5 years ago

I ran `cuckoo submit --enforce-timeout 430` and it also has this error.

hiblackbear commented 5 years ago

It is likely that you need to specify exactly what error occurred. I cannot tell if you just say no. Give me the log.

icedxu commented 5 years ago

analysis.log:

```
2018-11-29 15:22:43,000 [analyzer] DEBUG: Starting analyzer from: C:\tmp5istdc
2018-11-29 15:22:43,108 [analyzer] DEBUG: Pipe server name: \??\PIPE\wreQdPbuUrlIVuEAFtbDhQGFWJLhbxzn
2018-11-29 15:22:43,108 [analyzer] DEBUG: Log pipe server name: \??\PIPE\rVQdkaPfdokhZrObslyyCRGKWYP
2018-11-29 15:22:43,108 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2018-11-29 15:22:43,108 [analyzer] INFO: Automatically selected analysis package "exe"
2018-11-29 15:22:45,625 [analyzer] DEBUG: Started auxiliary module DbgView
2018-11-29 15:22:46,092 [analyzer] DEBUG: Started auxiliary module Disguise
2018-11-29 15:22:46,358 [analyzer] DEBUG: Loaded monitor into process with pid 504
2018-11-29 15:22:46,358 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-11-29 15:22:46,358 [analyzer] DEBUG: Started auxiliary module Human
2018-11-29 15:22:46,358 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-11-29 15:22:46,358 [analyzer] DEBUG: Started auxiliary module Reboot
2018-11-29 15:22:46,437 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-11-29 15:22:46,453 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-11-29 15:22:46,453 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2018-11-29 15:22:46,562 [lib.api.process] INFO: Successfully executed process from path u'C:\Users\icedxu\AppData\Local\Temp\00aac214f17f5a8541ebac49ac9cfd9536cf2cf8a1d7540271a1f1297f990c86.exe' with arguments '' and pid 2916
2018-11-29 15:22:47,155 [analyzer] DEBUG: Loaded monitor into process with pid 2916
2018-11-29 15:30:19,109 [analyzer] INFO: Injected into process with pid 2972 and name u'fncllqjcmbid.exe'
2018-11-29 15:30:19,220 [analyzer] INFO: Injected into process with pid 3084 and name u'cmd.exe'
2018-11-29 15:30:19,250 [analyzer] INFO: Process with pid 2916 has terminated
2018-11-29 15:30:19,266 [analyzer] DEBUG: Loaded monitor into process with pid 2972
2018-11-29 15:30:19,625 [analyzer] DEBUG: Loaded monitor into process with pid 3084
2018-11-29 15:30:20,250 [analyzer] INFO: Process with pid 3084 has terminated
2018-11-29 15:30:30,266 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-11-29 15:30:30,266 [analyzer] INFO: Analysis completed.
```

See above: "2018-11-29 15:30:19,250 [analyzer] INFO: Process with pid 2916 has terminated". When I run this ransomware in VirtualBox without Cuckoo Sandbox, it works; but with Cuckoo Sandbox, it does not work.
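The analyzer log above is the place to settle the "ends in a minute" question, because it records both the first and last timestamps of the guest-side run and the reason the analyzer stopped: the line `Analysis timeout hit, terminating analysis.` means the configured `default` timeout from `[timeouts]` was reached, whereas an analysis that stops once every monitored process has exited (the behaviour without `--enforce-timeout`) never logs that line. The script below is an added example, not part of this issue or of Cuckoo's own code: it parses analyzer.log lines, tracks the monitored process tree from the "executed process", "Injected into process" and "has terminated" messages, and reports elapsed time, what ended the run, and which PIDs were still alive. The two embedded logs are constructed to mirror the posted one; the `Process list is empty` wording in the second is an assumption for illustration.

```python
import re
from datetime import datetime

# Constructed analyzer.log excerpt modelled on the lines posted in this thread
# (example data for this script, not the original log).
LOG_TIMEOUT_RUN = """\
2018-11-29 15:22:43,000 [analyzer] DEBUG: Starting analyzer from: C:\\tmp5istdc
2018-11-29 15:22:46,562 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\user\\AppData\\Local\\Temp\\sample.exe' with arguments '' and pid 2916
2018-11-29 15:22:47,155 [analyzer] DEBUG: Loaded monitor into process with pid 2916
2018-11-29 15:30:19,109 [analyzer] INFO: Injected into process with pid 2972 and name u'fncllqjcmbid.exe'
2018-11-29 15:30:19,220 [analyzer] INFO: Injected into process with pid 3084 and name u'cmd.exe'
2018-11-29 15:30:19,250 [analyzer] INFO: Process with pid 2916 has terminated
2018-11-29 15:30:20,250 [analyzer] INFO: Process with pid 3084 has terminated
2018-11-29 15:30:30,266 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-11-29 15:30:30,266 [analyzer] INFO: Analysis completed.
"""

# Constructed counterpart: the sample exits, nothing is left to monitor and,
# with enforce_timeout off, the analyzer stops well before the timeout. The
# "Process list is empty" wording is an assumption made for this example.
LOG_EARLY_EXIT = """\
2018-11-29 16:16:07,000 [analyzer] DEBUG: Starting analyzer from: C:\\tmpabcd
2018-11-29 16:16:10,500 [lib.api.process] INFO: Successfully executed process from path u'C:\\sample.exe' with arguments '' and pid 1880
2018-11-29 16:16:11,000 [analyzer] DEBUG: Loaded monitor into process with pid 1880
2018-11-29 16:16:20,000 [analyzer] INFO: Process with pid 1880 has terminated
2018-11-29 16:16:25,000 [analyzer] INFO: Process list is empty, terminating analysis.
2018-11-29 16:16:25,100 [analyzer] INFO: Analysis completed.
"""

TS_FMT = "%Y-%m-%d %H:%M:%S,%f"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[([^\]]+)\] (\w+): (.*)$"
)
# A process joins the monitored set when the analyzer launches or injects it ...
PID_START_RE = re.compile(
    r"(?:executed process from path .* and pid|Injected into process with pid) (\d+)"
)
# ... and leaves it when the analyzer reports its termination.
PID_END_RE = re.compile(r"Process with pid (\d+) has terminated")


def parse_log(text):
    """Return (timestamp, component, level, message) tuples, skipping unparseable lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((datetime.strptime(m.group(1), TS_FMT),) + m.groups()[1:])
    return entries


def summarize(text, configured_timeout):
    """Explain why an analysis ended: full timeout, or the process tree exiting early."""
    entries = parse_log(text)
    if not entries:
        raise ValueError("no analyzer log lines found")
    elapsed = round((entries[-1][0] - entries[0][0]).total_seconds(), 3)

    live = set()
    timeout_hit = False
    for _, _, _, msg in entries:
        m = PID_START_RE.search(msg)
        if m:
            live.add(int(m.group(1)))
        m = PID_END_RE.search(msg)
        if m:
            live.discard(int(m.group(1)))
        if "Analysis timeout hit" in msg:
            timeout_hit = True

    if timeout_hit:
        ended_by = "timeout"
    elif not live:
        # Nothing left to monitor: the symptom of a run without --enforce-timeout.
        ended_by = "process_exit"
    else:
        ended_by = "unknown"

    return {
        "elapsed_seconds": elapsed,
        "reached_configured_timeout": elapsed >= configured_timeout,
        "ended_by": ended_by,
        "live_pids_at_end": sorted(live),
    }


if __name__ == "__main__":
    for name, log in (("enforced run", LOG_TIMEOUT_RUN), ("early exit", LOG_EARLY_EXIT)):
        print(name, summarize(log, configured_timeout=430))
```

Run against the first log the summary reports roughly 467 s elapsed, ended by timeout, with the child `fncllqjcmbid.exe` (pid 2972) still alive when the guest was stopped; against the second it reports 18 s, ended by process exit, with no live PIDs, which is the pattern to look for when a submission without `--enforce-timeout` "ends fast". A run that terminates early with PIDs still live would point somewhere else (for instance the `critical` timeout or a guest crash) rather than at the timeout settings.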

icedxu commented 5 years ago

```
2018-11-29 16:16:03,720 [cuckoo.core.scheduler] INFO: Task #7: acquired machine win7 (label=win7)
2018-11-29 16:16:03,728 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 9271 (interface=vboxnet0, host=192.168.56.101)
2018-11-29 16:16:06,961 [cuckoo.core.guest] INFO: Starting analysis on guest (id=win7, ip=192.168.56.101)
2018-11-29 16:16:12,641 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.8 (id=win7, ip=192.168.56.101)
2018-11-29 16:16:30,237 [cuckoo.core.guest] INFO: win7: analysis completed successfully
2018-11-29 16:16:33,140 [cuckoo.core.scheduler] INFO: Starting analysis of FILE "09a117b673212a5acac9ddeb3bf9953dbbbf6efa84c789481f9c39d8e03d1b24" (task #8, options "")
2018-11-29 16:16:33,288 [cuckoo.core.scheduler] INFO: Task #8: acquired machine win7 (label=win7)
2018-11-29 16:16:33,298 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 9442 (interface=vboxnet0, host=192.168.56.101)
2018-11-29 16:16:37,654 [cuckoo.core.guest] INFO: Starting analysis on guest (id=win7, ip=192.168.56.101)
2018-11-29 16:16:39,932 [cuckoo.core.scheduler] INFO: Task #7: reports generation completed
2018-11-29 16:16:39,951 [cuckoo.core.scheduler] INFO: Task #7: analysis procedure completed
```

As shown above, the Cuckoo Sandbox ends so fast?

doomedraven commented 5 years ago

Since 22 to 30 it's an 8 min run, so that isn't fast, and in the second one I doubt you have enabled the enforce timeout, because the process ends.

icedxu commented 5 years ago

Yes, I used the enforce timeout, because if I don't use enforce timeout, it ends fast. However, the Cuckoo Sandbox is not working any better; the ransomware does not run in the vbox.

doomedraven commented 5 years ago

That is your work, to fix all anti-VM inside of the VM, and vbox is just so anti-VM friendly... good luck.