cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Analyzer not working properly in Windows XP #2941

Open IceM4nn opened 4 years ago

IceM4nn commented 4 years ago
My issue is:

Analyzer in Windows XP guest is not working properly and stuck at auxiliary module Disguise. Behavioral analysis is empty.

My Cuckoo version and operating system are:

Host is Ubuntu 18.04 amd64
Guest is Windows XP x64 SP2
Cuckoo version is 2.0.7
Machinery is KVM

This can be reproduced by:

Upload any sample to Windows XP (pdf, docx behave the same).

Other information

Firewall has been disabled. The agent is running with Administrator privileges. Host and guest can communicate with each other (ping and curl to guest port 8000 work fine). In this test, I uploaded pafish.exe. I also viewed the VM during the analysis and it seems nothing happened: no cmd window opened. If I upload other file types it also seems nothing happens; no PDF reader or MS Word is opened.

The log, error, files etc can be found at:

analyzer.log

2020-01-15 14:54:35,015 [analyzer] DEBUG: Starting analyzer from: C:\tmplmjmou
2020-01-15 14:54:35,062 [analyzer] DEBUG: Pipe server name: \??\PIPE\cOxVBIudTDtIYIJdOtQZ
2020-01-15 14:54:35,078 [analyzer] DEBUG: Log pipe server name: \??\PIPE\bnlmSCKjQzhNFWhZaUZoQJmVMZfcWB
2020-01-15 14:54:36,655 [analyzer] DEBUG: Started auxiliary module DbgView
2020-01-15 14:54:37,765 [analyzer] DEBUG: Started auxiliary module Disguise

cuckoo.log

2020-01-15 14:54:35,965 [cuckoo.core.scheduler] INFO: Task #1: acquired machine windowsxp_x64 (label=windowsxp_x64)
2020-01-15 14:54:35,966 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.122.101 for task #1
2020-01-15 14:54:35,996 [cuckoo.auxiliary.mitm] INFO: Started mitm interception with PID 14914 (ip=192.168.122.1, port=50000).
2020-01-15 14:54:36,003 [cuckoo.core.plugins] DEBUG: Started auxiliary module: MITM
2020-01-15 14:54:36,005 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Replay
2020-01-15 14:54:36,036 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 14915 (interface=virbr0, host=192.168.122.101)
2020-01-15 14:54:36,037 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2020-01-15 14:54:36,166 [cuckoo.common.abstracts] DEBUG: Starting machine windowsxp_x64
2020-01-15 14:54:36,167 [cuckoo.common.abstracts] DEBUG: Getting status for windowsxp_x64
2020-01-15 14:54:36,222 [cuckoo.common.abstracts] DEBUG: Using snapshot live-snapshot2 for virtual machine windowsxp_x64
2020-01-15 14:54:51,091 [cuckoo.common.abstracts] DEBUG: Getting status for windowsxp_x64
2020-01-15 14:54:51,163 [cuckoo.core.guest] INFO: Starting analysis #1 on guest (id=windowsxp_x64, ip=192.168.122.101)
2020-01-15 14:54:51,293 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=windowsxp_x64, ip=192.168.122.101)
2020-01-15 14:54:51,365 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=windowsxp_x64, ip=192.168.122.101, monitor=latest, size=3886003)
2020-01-15 14:54:58,784 [cuckoo.core.resultserver] DEBUG: Task #1: live log analysis.log initialized.
2020-01-15 14:55:03,026 [cuckoo.core.guest] DEBUG: windowsxp_x64: analysis #1 still processing
2020-01-15 14:55:10,643 [cuckoo.core.guest] DEBUG: windowsxp_x64: analysis #1 still processing
2020-01-15 14:55:15,799 [cuckoo.core.guest] DEBUG: windowsxp_x64: analysis #1 still processing
2020-01-15 14:55:21,096 [cuckoo.core.guest] DEBUG: windowsxp_x64: analysis #1 still processing
2020-01-15 14:55:26,269 [cuckoo.core.guest] DEBUG: windowsxp_x64: analysis #1 still processing
2020-01-15 14:55:31,402 [cuckoo.core.guest] DEBUG: windowsxp_x64: analysis #1 still processing
2020-01-15 14:55:36,553 [cuckoo.core.guest] DEBUG: windowsxp_x64: analysis #1 still processing
2020-01-15 14:55:45,381 [cuckoo.core.guest] DEBUG: windowsxp_x64: analysis #1 still processing
2020-01-15 14:55:50,516 [cuckoo.core.guest] DEBUG: windowsxp_x64: analysis #1 still processing
2020-01-15 14:55:55,651 [cuckoo.core.guest] DEBUG: windowsxp_x64: analysis #1 still processing
2020-01-15 14:56:00,900 [cuckoo.core.guest] DEBUG: windowsxp_x64: analysis #1 still processing
2020-01-15 14:56:06,089 [cuckoo.core.guest] DEBUG: windowsxp_x64: analysis #1 still processing
2020-01-15 14:56:11,245 [cuckoo.core.guest] DEBUG: windowsxp_x64: analysis #1 still processing
2020-01-15 14:56:19,896 [cuckoo.core.guest] DEBUG: windowsxp_x64: analysis #1 still processing
2020-01-15 14:56:25,092 [cuckoo.core.guest] DEBUG: windowsxp_x64: analysis #1 still processing
2020-01-15 14:56:30,183 [cuckoo.core.guest] DEBUG: windowsxp_x64: analysis #1 still processing
2020-01-15 14:56:35,271 [cuckoo.core.guest] DEBUG: windowsxp_x64: analysis #1 still processing
2020-01-15 14:56:40,442 [cuckoo.core.guest] DEBUG: windowsxp_x64: analysis #1 still processing
2020-01-15 14:56:45,522 [cuckoo.core.guest] DEBUG: windowsxp_x64: analysis #1 still processing
2020-01-15 14:56:50,787 [cuckoo.core.guest] DEBUG: windowsxp_x64: analysis #1 still processing
2020-01-15 14:56:58,533 [cuckoo.core.guest] INFO: windowsxp_x64: end of analysis reached!
2020-01-15 14:56:58,561 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: MITM
2020-01-15 14:56:58,561 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Replay
2020-01-15 14:56:58,635 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2020-01-15 14:56:58,636 [cuckoo.common.abstracts] DEBUG: Stopping machine windowsxp_x64
2020-01-15 14:56:58,636 [cuckoo.common.abstracts] DEBUG: Getting status for windowsxp_x64
2020-01-15 14:56:59,426 [cuckoo.common.abstracts] DEBUG: Getting status for windowsxp_x64
2020-01-15 14:56:59,449 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.122.101 for task #1
2020-01-15 14:56:59,449 [cuckoo.core.resultserver] DEBUG: Cancel <Context for LOG> for task 1
2020-01-15 14:56:59,461 [cuckoo.core.scheduler] DEBUG: Released database task #1
2020-01-15 14:56:59,519 [cuckoo.core.plugins] DEBUG: Executed processing module "AnalysisInfo" for task #1
2020-01-15 14:56:59,520 [cuckoo.processing.behavior] WARNING: Analysis results folder does not contain any behavior log files.
2020-01-15 14:56:59,521 [cuckoo.core.plugins] DEBUG: Executed processing module "BehaviorAnalysis" for task #1
2020-01-15 14:56:59,522 [cuckoo.core.plugins] DEBUG: Executed processing module "Dropped" for task #1
2020-01-15 14:56:59,523 [cuckoo.core.plugins] DEBUG: Executed processing module "DroppedBuffer" for task #1
2020-01-15 14:56:59,525 [cuckoo.core.plugins] DEBUG: Executed processing module "MetaInfo" for task #1
2020-01-15 14:56:59,526 [cuckoo.core.plugins] DEBUG: Executed processing module "ProcessMemory" for task #1
2020-01-15 14:56:59,527 [cuckoo.core.plugins] DEBUG: Executed processing module "Procmon" for task #1
2020-01-15 14:56:59,528 [cuckoo.core.plugins] DEBUG: Executed processing module "Screenshots" for task #1
2020-01-15 14:57:00,173 [cuckoo.core.plugins] DEBUG: Executed processing module "Static" for task #1
2020-01-15 14:57:00,185 [cuckoo.core.plugins] DEBUG: Executed processing module "Strings" for task #1
2020-01-15 14:57:00,956 [cuckoo.processing.suricata] WARNING: Unable to find the files-json.log log file
2020-01-15 14:57:00,957 [cuckoo.core.plugins] DEBUG: Executed processing module "Suricata" for task #1
2020-01-15 14:57:00,969 [cuckoo.core.plugins] DEBUG: Executed processing module "TargetInfo" for task #1
2020-01-15 14:57:01,052 [cuckoo.core.plugins] DEBUG: Executed processing module "NetworkAnalysis" for task #1
2020-01-15 14:57:01,053 [cuckoo.core.plugins] DEBUG: Executed processing module "Extracted" for task #1
2020-01-15 14:57:01,054 [cuckoo.core.plugins] DEBUG: Executed processing module "TLSMasterSecrets" for task #1
2020-01-15 14:57:01,061 [cuckoo.core.plugins] DEBUG: Executed processing module "Debug" for task #1
2020-01-15 14:57:01,342 [cuckoo.core.plugins] DEBUG: Running 542 signatures
2020-01-15 14:57:01,887 [cuckoo.core.plugins] DEBUG: Analysis matched signature: packer_entropy
2020-01-15 14:57:01,898 [cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump"
2020-01-15 14:57:02,311 [cuckoo.core.plugins] DEBUG: Executed reporting module "MongoDB"
2020-01-15 14:57:02,312 [cuckoo.core.scheduler] INFO: Task #1: reports generation completed
2020-01-15 14:57:02,340 [cuckoo.core.scheduler] INFO: Task #1: analysis procedure completed
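The two logs above already contain the signals that distinguish a guest-side analyzer stall from a sample that simply did nothing: the analyzer stops announcing auxiliary modules, the host keeps polling "still processing" until it reaches the end of the analysis, and the processing stage then warns that no behavior logs exist. The script below is an added triage example, not code from the Cuckoo project or from this issue. It parses constructed excerpts of the quoted analyzer.log and cuckoo.log, and it assumes a 120 s analysis timeout and that a healthy analyzer ends its log with a message starting "Analysis completed" (both assumptions, not facts stated in the issue).

```python
"""Triage helper for a Cuckoo 2.x analysis that came back with no behavioral data."""
import re
from datetime import datetime

# Constructed excerpts taken from the analyzer.log and cuckoo.log quoted in this issue.
ANALYZER_LOG = """\
2020-01-15 14:54:35,015 [analyzer] DEBUG: Starting analyzer from: C:\\tmplmjmou
2020-01-15 14:54:36,655 [analyzer] DEBUG: Started auxiliary module DbgView
2020-01-15 14:54:37,765 [analyzer] DEBUG: Started auxiliary module Disguise
"""

CUCKOO_LOG = """\
2020-01-15 14:54:51,163 [cuckoo.core.guest] INFO: Starting analysis #1 on guest (id=windowsxp_x64, ip=192.168.122.101)
2020-01-15 14:55:03,026 [cuckoo.core.guest] DEBUG: windowsxp_x64: analysis #1 still processing
2020-01-15 14:56:50,787 [cuckoo.core.guest] DEBUG: windowsxp_x64: analysis #1 still processing
2020-01-15 14:56:58,533 [cuckoo.core.guest] INFO: windowsxp_x64: end of analysis reached!
2020-01-15 14:56:59,520 [cuckoo.processing.behavior] WARNING: Analysis results folder does not contain any behavior log files.
"""

TS_FMT = "%Y-%m-%d %H:%M:%S,%f"
# timestamp [logger] LEVEL: message
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[([^\]]+)\] (\w+): (.*)$"
)


def parse_log(text):
    """Return (timestamp, logger, level, message) tuples for each well-formed line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3), m.group(4)))
    return rows


def triage(analyzer_text, cuckoo_text, timeout_s=120):
    """Summarise why an analysis produced no behavior logs.

    timeout_s is the analysis timeout from cuckoo.conf; 120 s is an assumed
    default here, not a value stated in the issue.
    """
    analyzer = parse_log(analyzer_text)
    cuckoo = parse_log(cuckoo_text)

    # Which auxiliary modules the guest-side analyzer got as far as starting.
    started = [re.match(r"Started auxiliary module (\S+)", msg) for _, _, _, msg in analyzer]
    modules = [m.group(1) for m in started if m]
    # Assumption: a healthy analyzer logs a final "Analysis completed" message.
    analysis_done = any(msg.startswith("Analysis completed") for _, _, _, msg in analyzer)

    # Host-side view: how long the guest was left running and how it ended.
    start = next((ts for ts, _, _, msg in cuckoo if "Starting analysis #" in msg), None)
    end = next((ts for ts, _, _, msg in cuckoo if "end of analysis reached" in msg), None)
    duration = (end - start).total_seconds() if start and end else None
    polls = sum(1 for _, _, _, msg in cuckoo if "still processing" in msg)
    no_behavior = any("does not contain any behavior log files" in msg for _, _, _, msg in cuckoo)

    ran_to_timeout = duration is not None and duration >= timeout_s
    # Analyzer never reported completion, the host waited out the timeout and
    # processing found no behavior logs: the guest-side analyzer stalled after
    # the last module it logged, rather than the sample doing nothing.
    stalled = no_behavior and ran_to_timeout and not analysis_done
    return {
        "aux_modules_started": modules,
        "last_aux_module": modules[-1] if modules else None,
        "analyzer_reported_completion": analysis_done,
        "duration_s": duration,
        "still_processing_polls": polls,
        "no_behavior_logs": no_behavior,
        "ran_to_timeout": ran_to_timeout,
        "verdict": "analyzer stalled in guest" if stalled else "no stall detected",
    }


if __name__ == "__main__":
    for key, value in triage(ANALYZER_LOG, CUCKOO_LOG).items():
        print(f"{key}: {value}")
```

Run against the excerpts, the verdict is "analyzer stalled in guest" with Disguise as the last module started and a 127.37 s run that exceeded the assumed 120 s timeout; the same logs with a 300 s timeout are reported as "no stall detected", which is the point of keeping the configured timeout as an input rather than a constant.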
IceM4nn commented 4 years ago

Has anyone here got the same issue, specifically with Windows XP? Any solution? The analyzer is stuck at auxiliary module Disguise and does not complete the analysis properly. The analysis hits the timeout and shuts down the VM.

nartes commented 4 years ago

I'm using Windows XP as well. It seems like the monitor's inject-*.exe has problems: it doesn't terminate. Procmon confirms that monitor-*.dll is loaded, but since inject-*.exe doesn't stop, there's an error somewhere or a hang, which results in an incomplete DLL entrypoint execution. The first time analyzer.py tries to call inject is in the DumpTLSMasterSecrets (dumptls.py) auxiliary module.

These issues claimed to fix a bug: #1581, #1484.