cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

WARNING: Analysis results folder does not contain any behavior log files #3109

Open z1pwn opened 3 years ago

z1pwn commented 3 years ago

Thanks for creating an issue! But first: did you read our community guidelines? https://cuckoo.sh/docs/introduction/community.html

My issue is:

I can only get the Static Analysis, but the problem is I can't get any behavior, network, dropped files etc.

[cuckoo.processing.behavior] WARNING: Analysis results folder does not contain any behavior log files.

My Cuckoo version and operating system are:

Cuckoo version: v2.0.7
OS: Ubuntu16.04 64
Guest: Windows7 64 (the same result in Win7 x86 and Ubuntu 16.04 64)

This can be reproduced by:
The log, error, files etc can be found at:

2020-09-27 16:28:48,520 [cuckoo.core.scheduler] DEBUG: Processing task #58
2020-09-27 16:28:48,526 [cuckoo.core.scheduler] INFO: Starting analysis of FILE "test2.py" (task #58, options "")
2020-09-27 16:28:48,567 [cuckoo.core.scheduler] INFO: Task #58: acquired machine win7 (label=Win7_pro_64)
2020-09-27 16:28:48,567 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.56.101 for task #58
2020-09-27 16:28:48,568 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Replay
2020-09-27 16:28:48,799 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 5886 (interface=vboxnet0, host=192.168.56.101)
2020-09-27 16:28:48,799 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2020-09-27 16:28:48,852 [cuckoo.machinery.virtualbox] DEBUG: Starting vm Win7_pro_64
2020-09-27 16:28:49,250 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine Win7_pro_64 to cuckoo_win7
2020-09-27 16:28:57,354 [cuckoo.core.guest] INFO: Starting analysis #58 on guest (id=win7, ip=192.168.56.101)
2020-09-27 16:28:58,357 [cuckoo.core.guest] DEBUG: win7: not ready yet
2020-09-27 16:28:59,360 [cuckoo.core.guest] DEBUG: win7: not ready yet
2020-09-27 16:29:00,364 [cuckoo.core.guest] DEBUG: win7: not ready yet
2020-09-27 16:29:05,231 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7, ip=192.168.56.101)
2020-09-27 16:29:14,641 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7, ip=192.168.56.101, monitor=latest, size=3885868)
2020-09-27 16:29:33,231 [cuckoo.core.resultserver] DEBUG: Task #58: live log analysis.log initialized.
2020-09-27 16:29:37,238 [cuckoo.core.resultserver] DEBUG: Task #58: File upload for 'shots/0001.jpg'
2020-09-27 16:29:37,257 [cuckoo.core.resultserver] DEBUG: Task #58 uploaded file length: 46348
2020-09-27 16:29:38,648 [cuckoo.core.resultserver] DEBUG: Task #58: File upload for 'shots/0002.jpg'
2020-09-27 16:29:38,654 [cuckoo.core.resultserver] DEBUG: Task #58 uploaded file length: 46646
2020-09-27 16:29:46,174 [cuckoo.core.resultserver] DEBUG: Task #58: File upload for 'shots/0003.jpg'
2020-09-27 16:29:46,182 [cuckoo.core.resultserver] DEBUG: Task #58 uploaded file length: 47477
2020-09-27 16:29:47,215 [cuckoo.core.resultserver] DEBUG: Task #58: File upload for 'shots/0004.jpg'
2020-09-27 16:29:47,225 [cuckoo.core.resultserver] DEBUG: Task #58 uploaded file length: 46644
2020-09-27 16:29:51,527 [cuckoo.core.resultserver] DEBUG: Task #58: File upload for 'shots/0005.jpg'
2020-09-27 16:29:51,533 [cuckoo.core.resultserver] DEBUG: Task #58 uploaded file length: 47340
2020-09-27 16:29:52,573 [cuckoo.core.resultserver] DEBUG: Task #58: File upload for 'shots/0006.jpg'
2020-09-27 16:29:52,579 [cuckoo.core.resultserver] DEBUG: Task #58 uploaded file length: 46644
2020-09-27 16:30:01,219 [cuckoo.core.resultserver] DEBUG: Task #58: File upload for 'shots/0007.jpg'
2020-09-27 16:30:01,229 [cuckoo.core.resultserver] DEBUG: Task #58 uploaded file length: 47477
2020-09-27 16:30:02,276 [cuckoo.core.resultserver] DEBUG: Task #58: File upload for 'shots/0008.jpg'
2020-09-27 16:30:02,294 [cuckoo.core.resultserver] DEBUG: Task #58 uploaded file length: 46644
2020-09-27 16:30:05,526 [cuckoo.core.guest] DEBUG: win7: analysis #58 still processing
2020-09-27 16:30:33,433 [cuckoo.core.guest] DEBUG: win7: analysis #58 still processing
2020-09-27 16:30:47,258 [cuckoo.core.resultserver] DEBUG: Task #58: File upload for 'shots/0009.jpg'
2020-09-27 16:30:47,264 [cuckoo.core.resultserver] DEBUG: Task #58 uploaded file length: 47337
2020-09-27 16:30:48,303 [cuckoo.core.resultserver] DEBUG: Task #58: File upload for 'shots/0010.jpg'
2020-09-27 16:30:48,408 [cuckoo.core.resultserver] DEBUG: Task #58 uploaded file length: 46647
2020-09-27 16:30:49,486 [cuckoo.core.resultserver] DEBUG: Task #58: File upload for 'shots/0011.jpg'
2020-09-27 16:30:49,556 [cuckoo.core.resultserver] DEBUG: Task #58 uploaded file length: 47479
2020-09-27 16:30:50,649 [cuckoo.core.resultserver] DEBUG: Task #58: File upload for 'shots/0012.jpg'
2020-09-27 16:30:50,653 [cuckoo.core.resultserver] DEBUG: Task #58 uploaded file length: 46647
2020-09-27 16:30:52,728 [cuckoo.core.resultserver] DEBUG: Task #58: File upload for 'shots/0013.jpg'
2020-09-27 16:30:52,797 [cuckoo.core.resultserver] DEBUG: Task #58 uploaded file length: 47337
2020-09-27 16:30:53,908 [cuckoo.core.resultserver] DEBUG: Task #58: File upload for 'shots/0014.jpg'
2020-09-27 16:30:53,916 [cuckoo.core.resultserver] DEBUG: Task #58 uploaded file length: 46647
2020-09-27 16:30:54,982 [cuckoo.core.resultserver] DEBUG: Task #58: File upload for 'shots/0015.jpg'
2020-09-27 16:30:54,985 [cuckoo.core.resultserver] DEBUG: Task #58 uploaded file length: 47337
2020-09-27 16:30:56,057 [cuckoo.core.resultserver] DEBUG: Task #58: File upload for 'shots/0016.jpg'
2020-09-27 16:30:56,070 [cuckoo.core.resultserver] DEBUG: Task #58 uploaded file length: 46931
2020-09-27 16:30:57,131 [cuckoo.core.resultserver] DEBUG: Task #58: File upload for 'shots/0017.jpg'
2020-09-27 16:30:57,143 [cuckoo.core.resultserver] DEBUG: Task #58 uploaded file length: 46647
2020-09-27 16:31:01,342 [cuckoo.core.resultserver] DEBUG: Task #58: File upload for 'shots/0018.jpg'
2020-09-27 16:31:01,347 [cuckoo.core.resultserver] DEBUG: Task #58 uploaded file length: 47479
2020-09-27 16:31:01,439 [cuckoo.core.guest] DEBUG: win7: analysis #58 still processing
2020-09-27 16:31:02,382 [cuckoo.core.resultserver] DEBUG: Task #58: File upload for 'shots/0019.jpg'
2020-09-27 16:31:02,386 [cuckoo.core.resultserver] DEBUG: Task #58 uploaded file length: 46647
2020-09-27 16:31:22,473 [cuckoo.core.resultserver] DEBUG: Task #58: File upload for 'shots/0020.jpg'
2020-09-27 16:31:22,481 [cuckoo.core.resultserver] DEBUG: Task #58 uploaded file length: 46357
2020-09-27 16:31:23,870 [cuckoo.core.resultserver] DEBUG: Task #58 had connection reset for
2020-09-27 16:31:29,380 [cuckoo.core.guest] INFO: win7: analysis completed successfully
2020-09-27 16:31:29,389 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Replay
2020-09-27 16:31:29,423 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2020-09-27 16:31:32,239 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label Win7_pro_64 to path /home/zjsec/.cuckoo/storage/analyses/58/memory.dmp
2020-09-27 16:31:32,240 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm Win7_pro_64
2020-09-27 16:31:34,442 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.56.101 for task #58
2020-09-27 16:31:34,452 [cuckoo.core.scheduler] DEBUG: Released database task #58
2020-09-27 16:31:34,473 [cuckoo.core.plugins] DEBUG: Executed processing module "AnalysisInfo" for task #58


2020-09-27 16:31:34,474 [cuckoo.processing.behavior] WARNING: Analysis results folder does not contain any behavior log files.


2020-09-27 16:31:34,474 [cuckoo.core.plugins] DEBUG: Executed processing module "BehaviorAnalysis" for task #58
2020-09-27 16:31:34,474 [cuckoo.core.plugins] DEBUG: Executed processing module "Dropped" for task #58
2020-09-27 16:31:34,475 [cuckoo.core.plugins] DEBUG: Executed processing module "DroppedBuffer" for task #58
2020-09-27 16:31:34,476 [cuckoo.core.plugins] DEBUG: Executed processing module "MetaInfo" for task #58
2020-09-27 16:31:34,477 [cuckoo.core.plugins] DEBUG: Executed processing module "ProcessMemory" for task #58
2020-09-27 16:31:34,477 [cuckoo.core.plugins] DEBUG: Executed processing module "Procmon" for task #58
2020-09-27 16:31:34,692 [cuckoo.core.plugins] DEBUG: Executed processing module "Screenshots" for task #58
2020-09-27 16:31:34,697 [cuckoo.core.plugins] DEBUG: Executed processing module "Static" for task #58
2020-09-27 16:31:34,698 [cuckoo.core.plugins] DEBUG: Executed processing module "Strings" for task #58
2020-09-27 16:31:34,702 [cuckoo.core.plugins] DEBUG: Executed processing module "TargetInfo" for task #58
2020-09-27 16:31:34,756 [cuckoo.core.plugins] DEBUG: Executed processing module "NetworkAnalysis" for task #58
2020-09-27 16:31:34,757 [cuckoo.core.plugins] DEBUG: Executed processing module "Extracted" for task #58
2020-09-27 16:31:34,757 [cuckoo.core.plugins] DEBUG: Executed processing module "TLSMasterSecrets" for task #58
2020-09-27 16:31:34,759 [cuckoo.core.plugins] DEBUG: Executed processing module "Debug" for task #58
2020-09-27 16:31:34,785 [cuckoo.core.plugins] DEBUG: Running 542 signatures
2020-09-27 16:31:34,909 [cuckoo.core.plugins] DEBUG: Analysis matched signature: nolookup_communication
2020-09-27 16:31:34,911 [cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump"

z1pwn commented 3 years ago

I also tried in Guest (Win7 x86, Ubuntu16.04 64), but it seems to have the same results.

z1pwn commented 3 years ago

Here is the report.json in Guest (Win7 64bit):

{
    "info": {
        "added": 1601200770.0, 
        "started": 1601200771.0, 
        "duration": 188, 
        "ended": 1601200959.0, 
        "owner": null, 
        "score": 1.0, 
        "id": 51, 
        "category": "file", 
        "git": {
            "head": "13cbe0d9e457be3673304533043e992ead1ea9b2", 
            "fetch_head": "13cbe0d9e457be3673304533043e992ead1ea9b2"
        }, 
        "monitor": "2deb9ccd75d5a7a3fe05b2625b03a8639d6ee36b", 
        "package": "", 
        "route": "none", 
        "custom": null, 
        "machine": {
            "status": "stopped", 
            "name": "win7", 
            "label": "Win7_pro_64", 
            "manager": "VirtualBox", 
            "started_on": "2020-09-27 09:59:31", 
            "shutdown_on": "2020-09-27 10:02:39"
        }, 
        "platform": null, 
        "version": "2.0.7", 
        "options": ""
    }, 
    "signatures": [
        {
            "families": [], 
            "description": "This executable has a PDB path", 
            "severity": 1, 
            "ttp": {}, 
            "markcount": 1, 
            "references": [], 
            "marks": [
                {
                    "category": "pdb_path", 
                    "ioc": "C:\\Users\\Ayoub\\Documents\\projects\\al-khaser\\Release\\al-khaser.pdb", 
                    "type": "ioc", 
                    "description": null
                }
            ], 
            "name": "has_pdb"
        }, 
        {
            "families": [], 
            "description": "The executable contains unknown PE section names indicative of a packer (could be a false positive)", 
            "severity": 1, 
            "ttp": {
                "T1045": {
                    "short": "Software Packing", 
                    "long": "Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory."
                }
            }, 
            "markcount": 1, 
            "references": [], 
            "marks": [
                {
                    "category": "section", 
                    "ioc": ".gfids", 
                    "type": "ioc", 
                    "description": null
                }
            ], 
            "name": "pe_features"
        }, 
        {
            "families": [], 
            "description": "Communicates with host for which no DNS query was performed", 
            "severity": 3, 
            "ttp": {}, 
            "markcount": 1, 
            "references": [], 
            "marks": [
                {
                    "host": "23.192.171.71", 
                    "type": "generic"
                }
            ], 
            "name": "nolookup_communication"
        }
    ], 
    "target": {
        "category": "file", 
        "file": {
            "yara": [], 
            "sha1": "c2748ea68413e8d60a28783447416e2d54a24f29", 
            "name": "al-khaser_x86.exe", 
            "type": "PE32 executable (console) Intel 80386, for MS Windows", 
            "sha256": "bde677d9d74f0d3d3f9855355b343451f4cddf081a32e6b69e3b2eb2eeb09d52", 
            "urls": [], 
            "crc32": "EADE6BB4", 
            "path": "..../.cuckoo/storage/binaries/bde677d9d74f0d3d3f9855355b343451f4cddf081a32e6b69e3b2eb2eeb09d52", 
            "ssdeep": null, 
            "size": 180736, 
            "sha512": "bc70072ba42f59faca9d0b41a23c0fb7051e6569d8f796d9d136414725de78fbc52fdec44039d77a5942dd34a9a896202cd1ab8a6778e6b0a2fd489100f97b1b", 
            "md5": "0b6e4970254e51ac4bb32a80ec00a3e2"
        }
    }, 
    "network": {
        "tls": [], 
        "udp": [
            {
                "src": "192.168.56.101", 
                "dst": "114.114.114.114", 
                "offset": 14587, 
                "time": 6.333096027374268, 
                "dport": 53, 
                "sport": 49425
            }, 
            {
                "src": "192.168.56.101", 
                "dst": "114.114.114.114", 
                "offset": 14787, 
                "time": 5.956736087799072, 
                "dport": 53, 
                "sport": 51048
            }, 
            {
                "src": "192.168.56.101", 
                "dst": "114.114.114.114", 
                "offset": 15062, 
                "time": 7.924299001693726, 
                "dport": 53, 
                "sport": 52698
            }, 
            {
                "src": "192.168.56.101", 
                "dst": "114.114.114.114", 
                "offset": 15299, 
                "time": 3.0775821208953857, 
                "dport": 53, 
                "sport": 57093
            }, 
            {
                "src": "192.168.56.101", 
                "dst": "114.114.114.114", 
                "offset": 15536, 
                "time": 4.714946031570435, 
                "dport": 53, 
                "sport": 61113
            }, 
            {
                "src": "192.168.56.101", 
                "dst": "114.114.114.114", 
                "offset": 15811, 
                "time": 6.340932130813599, 
                "dport": 53, 
                "sport": 63138
            }, 
            {
                "src": "192.168.56.101", 
                "dst": "192.168.56.1", 
                "offset": 16023, 
                "time": 6.410918951034546, 
                "dport": 137, 
                "sport": 137
            }, 
            {
                "src": "192.168.56.101", 
                "dst": "192.168.56.1", 
                "offset": 26175, 
                "time": 5.956423997879028, 
                "dport": 53, 
                "sport": 51048
            }, 
            {
                "src": "192.168.56.101", 
                "dst": "192.168.56.1", 
                "offset": 26276, 
                "time": 3.0773990154266357, 
                "dport": 53, 
                "sport": 57093
            }, 
            {
                "src": "192.168.56.101", 
                "dst": "192.168.56.1", 
                "offset": 26377, 
                "time": 4.7147650718688965, 
                "dport": 53, 
                "sport": 61113
            }, 
            {
                "src": "192.168.56.101", 
                "dst": "192.168.56.255", 
                "offset": 26478, 
                "time": 6.021542072296143, 
                "dport": 137, 
                "sport": 137
            }, 
            {
                "src": "192.168.56.101", 
                "dst": "192.168.56.255", 
                "offset": 31158, 
                "time": 12.128622055053711, 
                "dport": 138, 
                "sport": 138
            }, 
            {
                "src": "192.168.56.101", 
                "dst": "224.0.0.252", 
                "offset": 34484, 
                "time": 4.499052047729492, 
                "dport": 5355, 
                "sport": 50696
            }, 
            {
                "src": "192.168.56.101", 
                "dst": "224.0.0.252", 
                "offset": 34812, 
                "time": 2.7251391410827637, 
                "dport": 5355, 
                "sport": 52769
            }, 
            {
                "src": "192.168.56.101", 
                "dst": "224.0.0.252", 
                "offset": 35140, 
                "time": 5.948792934417725, 
                "dport": 5355, 
                "sport": 55843
            }, 
            {
                "src": "192.168.56.101", 
                "dst": "224.0.0.252", 
                "offset": 35504, 
                "time": 3.975093126296997, 
                "dport": 5355, 
                "sport": 56006
            }, 
            {
                "src": "192.168.56.101", 
                "dst": "224.0.0.252", 
                "offset": 35868, 
                "time": 7.938569068908691, 
                "dport": 5355, 
                "sport": 57056
            }, 
            {
                "src": "192.168.56.101", 
                "dst": "224.0.0.252", 
                "offset": 36272, 
                "time": 3.0880820751190186, 
                "dport": 5355, 
                "sport": 59576
            }, 
            {
                "src": "192.168.56.101", 
                "dst": "224.0.0.252", 
                "offset": 36676, 
                "time": 5.960533142089844, 
                "dport": 5355, 
                "sport": 60898
            }, 
            {
                "src": "192.168.56.101", 
                "dst": "239.255.255.250", 
                "offset": 37074, 
                "time": 3.989098072052002, 
                "dport": 3702, 
                "sport": 55646
            }, 
            {
                "src": "192.168.56.101", 
                "dst": "239.255.255.250", 
                "offset": 45466, 
                "time": 6.036669969558716, 
                "dport": 1900, 
                "sport": 56009
            }
        ], 
        "dns_servers": [
            "114.114.114.114", 
            "192.168.56.1"
        ], 
        "http": [], 
        "icmp": [], 
        "smtp": [], 
        "tcp": [], 
        "smtp_ex": [], 
        "mitm": [], 
        "hosts": [
            "114.114.114.114", 
            "23.192.171.71"
        ], 
        "pcap_sha256": "ab6177d9af37528fadcf084236ad08196a96055ca4a63e6189e00e3593a55231", 
        "dns": [
            {
                "type": "AAAA", 
                "request": "dns.msftncsi.com", 
                "answers": [
                    {
                        "data": "fd3e:4f5a:5b81::1", 
                        "type": "AAAA"
                    }
                ]
            }, 
            {
                "type": "PTR", 
                "request": "1.56.168.192.in-addr.arpa", 
                "answers": []
            }, 
            {
                "type": "A", 
                "request": "dns.msftncsi.com", 
                "answers": [
                    {
                        "data": "131.107.255.255", 
                        "type": "A"
                    }
                ]
            }, 
            {
                "type": "A", 
                "request": "teredo.ipv6.microsoft.com", 
                "answers": []
            }
        ], 
        "http_ex": [], 
        "domains": [
            {
                "ip": "131.107.255.255", 
                "domain": "dns.msftncsi.com"
            }, 
            {
                "ip": "", 
                "domain": "teredo.ipv6.microsoft.com"
            }
        ], 
        "dead_hosts": [], 
        "sorted_pcap_sha256": "d925f6e78d49494d21c39d601debef029a069089b6059a6aeceeacbfcd9d3863", 
        "irc": [], 
        "https_ex": []
    }, 
    "static": {
        "pdb_path": "C:\\Users\\Ayoub\\Documents\\projects\\al-khaser\\Release\\al-khaser.pdb", 
        "pe_imports": [
            {
                "imports": [
                    {
                        "name": "VirtualFree", 
                        "address": "0x41f028"
                    }, 
                    {
                        "name": "GetSystemInfo", 
                        "address": "0x41f02c"
                    }, 
                    {
                        "name": "Sleep", 
                        "address": "0x41f030"
                    }, 
                    {
                        "name": "SetLastError", 
                        "address": "0x41f034"
                    }, 
                    {
                        "name": "GetLastError", 
                        "address": "0x41f038"
                    }, 
                    {
                        "name": "OutputDebugStringW", 
                        "address": "0x41f03c"
                    }, 
                    {
                        "name": "VerSetConditionMask", 
                        "address": "0x41f040"
                    }, 
                    {
                        "name": "VerifyVersionInfoW", 
                        "address": "0x41f044"
                    }, 
                    {
                        "name": "GetModuleHandleW", 
                        "address": "0x41f048"
                    }, 
                    {
                        "name": "QueryInformationJobObject", 
                        "address": "0x41f04c"
                    }, 
                    {
                        "name": "OpenProcess", 
                        "address": "0x41f050"
                    }, 
                    {
                        "name": "GetCurrentProcessId", 
                        "address": "0x41f054"
                    }, 
                    {
                        "name": "SetHandleInformation", 
                        "address": "0x41f058"
                    }, 
                    {
                        "name": "CreateMutexW", 
                        "address": "0x41f05c"
                    }, 
                    {
                        "name": "RaiseException", 
                        "address": "0x41f060"
                    }, 
                    {
                        "name": "SetUnhandledExceptionFilter", 
                        "address": "0x41f064"
                    }, 
                    {
                        "name": "DeviceIoControl", 
                        "address": "0x41f068"
                    }, 
                    {
                        "name": "LocalAlloc", 
                        "address": "0x41f06c"
                    }, 
                    {
                        "name": "CreateFileW", 
                        "address": "0x41f070"
                    }, 
                    {
                        "name": "GetDiskFreeSpaceExW", 
                        "address": "0x41f074"
                    }, 
                    {
                        "name": "LocalFree", 
                        "address": "0x41f078"
                    }, 
                    {
                        "name": "GlobalMemoryStatusEx", 
                        "address": "0x41f07c"
                    }, 
                    {
                        "name": "GetTickCount", 
                        "address": "0x41f080"
                    }, 
                    {
                        "name": "GetSystemFirmwareTable", 
                        "address": "0x41f084"
                    }, 
                    {
                        "name": "EnumSystemFirmwareTables", 
                        "address": "0x41f088"
                    }, 
                    {
                        "name": "ExpandEnvironmentStringsW", 
                        "address": "0x41f08c"
                    }, 
                    {
                        "name": "GetWindowsDirectoryW", 
                        "address": "0x41f090"
                    }, 
                    {
                        "name": "WaitForSingleObject", 
                        "address": "0x41f094"
                    }, 
                    {
                        "name": "ReadFile", 
                        "address": "0x41f098"
                    }, 
                    {
                        "name": "GetConsoleScreenBufferInfo", 
                        "address": "0x41f09c"
                    }, 
                    {
                        "name": "SetConsoleTextAttribute", 
                        "address": "0x41f0a0"
                    }, 
                    {
                        "name": "VirtualProtect", 
                        "address": "0x41f0a4"
                    }, 
                    {
                        "name": "GetStdHandle", 
                        "address": "0x41f0a8"
                    }, 
                    {
                        "name": "MultiByteToWideChar", 
                        "address": "0x41f0ac"
                    }, 
                    {
                        "name": "FormatMessageW", 
                        "address": "0x41f0b0"
                    }, 
                    {
                        "name": "HeapAlloc", 
                        "address": "0x41f0b4"
                    }, 
                    {
                        "name": "LocalSize", 
                        "address": "0x41f0b8"
                    }, 
                    {
                        "name": "GetProcessHeap", 
                        "address": "0x41f0bc"
                    }, 
                    {
                        "name": "GetConsoleWindow", 
                        "address": "0x41f0c0"
                    }, 
                    {
                        "name": "SetConsoleTitleW", 
                        "address": "0x41f0c4"
                    }, 
                    {
                        "name": "HeapFree", 
                        "address": "0x41f0c8"
                    }, 
                    {
                        "name": "GetFileAttributesW", 
                        "address": "0x41f0cc"
                    }, 
                    {
                        "name": "CreateToolhelp32Snapshot", 
                        "address": "0x41f0d0"
                    }, 
                    {
                        "name": "Process32NextW", 
                        "address": "0x41f0d4"
                    }, 
                    {
                        "name": "Process32FirstW", 
                        "address": "0x41f0d8"
                    }, 
                    {
                        "name": "CreateEventW", 
                        "address": "0x41f0dc"
                    }, 
                    {
                        "name": "DecodePointer", 
                        "address": "0x41f0e0"
                    }, 
                    {
                        "name": "SetEndOfFile", 
                        "address": "0x41f0e4"
                    }, 
                    {
                        "name": "WriteConsoleW", 
                        "address": "0x41f0e8"
                    }, 
                    {
                        "name": "HeapSize", 
                        "address": "0x41f0ec"
                    }, 
                    {
                        "name": "SetFilePointerEx", 
                        "address": "0x41f0f0"
                    }, 
                    {
                        "name": "ReadConsoleW", 
                        "address": "0x41f0f4"
                    }, 
                    {
                        "name": "GetConsoleMode", 
                        "address": "0x41f0f8"
                    }, 
                    {
                        "name": "GetConsoleCP", 
                        "address": "0x41f0fc"
                    }, 
                    {
                        "name": "FlushFileBuffers", 
                        "address": "0x41f100"
                    }, 
                    {
                        "name": "GetStringTypeW", 
                        "address": "0x41f104"
                    }, 
                    {
                        "name": "SetStdHandle", 
                        "address": "0x41f108"
                    }, 
                    {
                        "name": "SetEnvironmentVariableA", 
                        "address": "0x41f10c"
                    }, 
                    {
                        "name": "IsDebuggerPresent", 
                        "address": "0x41f110"
                    }, 
                    {
                        "name": "AddVectoredExceptionHandler", 
                        "address": "0x41f114"
                    }, 
                    {
                        "name": "RemoveVectoredExceptionHandler", 
                        "address": "0x41f118"
                    }, 
                    {
                        "name": "GetThreadContext", 
                        "address": "0x41f11c"
                    }, 
                    {
                        "name": "GetCurrentThread", 
                        "address": "0x41f120"
                    }, 
                    {
                        "name": "VirtualAlloc", 
                        "address": "0x41f124"
                    }, 
                    {
                        "name": "GetProcAddress", 
                        "address": "0x41f128"
                    }, 
                    {
                        "name": "LoadLibraryW", 
                        "address": "0x41f12c"
                    }, 
                    {
                        "name": "FreeEnvironmentStringsW", 
                        "address": "0x41f130"
                    }, 
                    {
                        "name": "GetEnvironmentStringsW", 
                        "address": "0x41f134"
                    }, 
                    {
                        "name": "GetOEMCP", 
                        "address": "0x41f138"
                    }, 
                    {
                        "name": "IsValidCodePage", 
                        "address": "0x41f13c"
                    }, 
                    {
                        "name": "FindNextFileA", 
                        "address": "0x41f140"
                    }, 
                    {
                        "name": "VirtualQuery", 
                        "address": "0x41f144"
                    }, 
                    {
                        "name": "FindFirstFileExA", 
                        "address": "0x41f148"
                    }, 
                    {
                        "name": "FindClose", 
                        "address": "0x41f14c"
                    }, 
                    {
                        "name": "GetTimeZoneInformation", 
                        "address": "0x41f150"
                    }, 
                    {
                        "name": "CloseHandle", 
                        "address": "0x41f154"
                    }, 
                    {
                        "name": "CheckRemoteDebuggerPresent", 
                        "address": "0x41f158"
                    }, 
                    {
                        "name": "lstrlenW", 
                        "address": "0x41f15c"
                    }, 
                    {
                        "name": "GetCurrentProcess", 
                        "address": "0x41f160"
                    }, 
                    {
                        "name": "GetCPInfo", 
                        "address": "0x41f164"
                    }, 
                    {
                        "name": "HeapReAlloc", 
                        "address": "0x41f168"
                    }, 
                    {
                        "name": "GetFileType", 
                        "address": "0x41f16c"
                    }, 
                    {
                        "name": "LCMapStringW", 
                        "address": "0x41f170"
                    }, 
                    {
                        "name": "CompareStringW", 
                        "address": "0x41f174"
                    }, 
                    {
                        "name": "GetACP", 
                        "address": "0x41f178"
                    }, 
                    {
                        "name": "GetCommandLineW", 
                        "address": "0x41f17c"
                    }, 
                    {
                        "name": "GetCommandLineA", 
                        "address": "0x41f180"
                    }, 
                    {
                        "name": "GetModuleHandleExW", 
                        "address": "0x41f184"
                    }, 
                    {
                        "name": "ExitProcess", 
                        "address": "0x41f188"
                    }, 
                    {
                        "name": "GetModuleFileNameA", 
                        "address": "0x41f18c"
                    }, 
                    {
                        "name": "WriteFile", 
                        "address": "0x41f190"
                    }, 
                    {
                        "name": "WideCharToMultiByte", 
                        "address": "0x41f194"
                    }, 
                    {
                        "name": "LoadLibraryExW", 
                        "address": "0x41f198"
                    }, 
                    {
                        "name": "FreeLibrary", 
                        "address": "0x41f19c"
                    }, 
                    {
                        "name": "QueryPerformanceCounter", 
                        "address": "0x41f1a0"
                    }, 
                    {
                        "name": "GetCurrentThreadId", 
                        "address": "0x41f1a4"
                    }, 
                    {
                        "name": "GetSystemTimeAsFileTime", 
                        "address": "0x41f1a8"
                    }, 
                    {
                        "name": "InitializeSListHead", 
                        "address": "0x41f1ac"
                    }, 
                    {
                        "name": "UnhandledExceptionFilter", 
                        "address": "0x41f1b0"
                    }, 
                    {
                        "name": "GetStartupInfoW", 
                        "address": "0x41f1b4"
                    }, 
                    {
                        "name": "IsProcessorFeaturePresent", 
                        "address": "0x41f1b8"
                    }, 
                    {
                        "name": "TerminateProcess", 
                        "address": "0x41f1bc"
                    }, 
                    {
                        "name": "EncodePointer", 
                        "address": "0x41f1c0"
                    }, 
                    {
                        "name": "RtlUnwind", 
                        "address": "0x41f1c4"
                    }, 
                    {
                        "name": "EnterCriticalSection", 
                        "address": "0x41f1c8"
                    }, 
                    {
                        "name": "LeaveCriticalSection", 
                        "address": "0x41f1cc"
                    }, 
                    {
                        "name": "DeleteCriticalSection", 
                        "address": "0x41f1d0"
                    }, 
                    {
                        "name": "InitializeCriticalSectionAndSpinCount", 
                        "address": "0x41f1d4"
                    }, 
                    {
                        "name": "TlsAlloc", 
                        "address": "0x41f1d8"
                    }, 
                    {
                        "name": "TlsGetValue", 
                        "address": "0x41f1dc"
                    }, 
                    {
                        "name": "TlsSetValue", 
                        "address": "0x41f1e0"
                    }, 
                    {
                        "name": "TlsFree", 
                        "address": "0x41f1e4"
                    }
                ], 
                "dll": "KERNEL32.dll"
            }, 
            {
                "imports": [
                    {
                        "name": "KillTimer", 
                        "address": "0x41f244"
                    }, 
                    {
                        "name": "GetSystemMetrics", 
                        "address": "0x41f248"
                    }, 
                    {
                        "name": "GetShellWindow", 
                        "address": "0x41f24c"
                    }, 
                    {
                        "name": "GetWindowThreadProcessId", 
                        "address": "0x41f250"
                    }, 
                    {
                        "name": "MessageBoxW", 
                        "address": "0x41f254"
                    }, 
                    {
                        "name": "GetCursorPos", 
                        "address": "0x41f258"
                    }, 
                    {
                        "name": "FindWindowW", 
                        "address": "0x41f25c"
                    }, 
                    {
                        "name": "MoveWindow", 
                        "address": "0x41f260"
                    }, 
                    {
                        "name": "TranslateMessage", 
                        "address": "0x41f264"
                    }, 
                    {
                        "name": "GetMessageW", 
                        "address": "0x41f268"
                    }, 
                    {
                        "name": "DispatchMessageW", 
                        "address": "0x41f26c"
                    }, 
                    {
                        "name": "SetTimer", 
                        "address": "0x41f270"
                    }
                ], 
                "dll": "USER32.dll"
            }, 
            {
                "imports": [
                    {
                        "name": "RegQueryValueExW", 
                        "address": "0x41f000"
                    }, 
                    {
                        "name": "RegOpenKeyExW", 
                        "address": "0x41f004"
                    }, 
                    {
                        "name": "GetTokenInformation", 
                        "address": "0x41f008"
                    }, 
                    {
                        "name": "RegCloseKey", 
                        "address": "0x41f00c"
                    }, 
                    {
                        "name": "OpenProcessToken", 
                        "address": "0x41f010"
                    }
                ], 
                "dll": "ADVAPI32.dll"
            }, 
            {
                "imports": [
                    {
                        "name": "SHGetSpecialFolderPathW", 
                        "address": "0x41f228"
                    }
                ], 
                "dll": "SHELL32.dll"
            }, 
            {
                "imports": [
                    {
                        "name": "CoCreateInstance", 
                        "address": "0x41f28c"
                    }, 
                    {
                        "name": "CoSetProxyBlanket", 
                        "address": "0x41f290"
                    }, 
                    {
                        "name": "CoInitializeSecurity", 
                        "address": "0x41f294"
                    }, 
                    {
                        "name": "CoInitializeEx", 
                        "address": "0x41f298"
                    }, 
                    {
                        "name": "CoUninitialize", 
                        "address": "0x41f29c"
                    }
                ], 
                "dll": "ole32.dll"
            }, 
            {
                "imports": [
                    {
                        "name": "SafeArrayGetElement", 
                        "address": "0x41f1f4"
                    }, 
                    {
                        "name": "SafeArrayGetUBound", 
                        "address": "0x41f1f8"
                    }, 
                    {
                        "name": "SafeArrayAccessData", 
                        "address": "0x41f1fc"
                    }, 
                    {
                        "name": "VariantClear", 
                        "address": "0x41f200"
                    }, 
                    {
                        "name": "SafeArrayGetLBound", 
                        "address": "0x41f204"
                    }
                ], 
                "dll": "OLEAUT32.dll"
            }, 
            {
                "imports": [
                    {
                        "name": "IcmpSendEcho", 
                        "address": "0x41f018"
                    }, 
                    {
                        "name": "GetAdaptersInfo", 
                        "address": "0x41f01c"
                    }, 
                    {
                        "name": "IcmpCreateFile", 
                        "address": "0x41f020"
                    }
                ], 
                "dll": "IPHLPAPI.DLL"
            }, 
            {
                "imports": [
                    {
                        "name": "StrStrIW", 
                        "address": "0x41f230"
                    }, 
                    {
                        "name": "StrCmpIW", 
                        "address": "0x41f234"
                    }, 
                    {
                        "name": "PathCombineW", 
                        "address": "0x41f238"
                    }, 
                    {
                        "name": "StrCmpW", 
                        "address": "0x41f23c"
                    }
                ], 
                "dll": "SHLWAPI.dll"
            }, 
            {
                "imports": [
                    {
                        "name": "GetProcessImageFileNameW", 
                        "address": "0x41f20c"
                    }
                ], 
                "dll": "PSAPI.DLL"
            }, 
            {
                "imports": [
                    {
                        "name": "WNetGetProviderNameW", 
                        "address": "0x41f1ec"
                    }
                ], 
                "dll": "MPR.dll"
            }, 
            {
                "imports": [
                    {
                        "name": "SetupDiGetDeviceRegistryPropertyW", 
                        "address": "0x41f214"
                    }, 
                    {
                        "name": "SetupDiDestroyDeviceInfoList", 
                        "address": "0x41f218"
                    }, 
                    {
                        "name": "SetupDiEnumDeviceInfo", 
                        "address": "0x41f21c"
                    }, 
                    {
                        "name": "SetupDiGetClassDevsW", 
                        "address": "0x41f220"
                    }
                ], 
                "dll": "SETUPAPI.dll"
            }, 
            {
                "imports": [
                    {
                        "name": "timeKillEvent", 
                        "address": "0x41f278"
                    }, 
                    {
                        "name": "timeGetDevCaps", 
                        "address": "0x41f27c"
                    }, 
                    {
                        "name": "timeEndPeriod", 
                        "address": "0x41f280"
                    }, 
                    {
                        "name": "timeSetEvent", 
                        "address": "0x41f284"
                    }
                ], 
                "dll": "WINMM.dll"
            }
        ], 
        "peid_signatures": null, 
        "keys": [], 
        "signature": [], 
        "pe_timestamp": "2017-12-12 15:48:59", 
        "pe_exports": [], 
        "imported_dll_count": 12, 
        "pe_imphash": "d5913e4c386d5bf8737e68c17063fc1b", 
        "pe_resources": [
            {
                "name": "RT_MANIFEST", 
                "language": "LANG_ENGLISH", 
                "filetype": "XML 1.0 document text", 
                "sublanguage": "SUBLANG_ENGLISH_US", 
                "offset": "0x0002f060", 
                "size": "0x0000017d"
            }
        ], 
        "pe_versioninfo": [], 
        "pe_sections": [
            {
                "size_of_data": "0x0001d600", 
                "virtual_address": "0x00001000", 
                "entropy": 6.629160026636643, 
                "name": ".text", 
                "virtual_size": "0x0001d555"
            }, 
            {
                "size_of_data": "0x0000bc00", 
                "virtual_address": "0x0001f000", 
                "entropy": 4.897395959595448, 
                "name": ".rdata", 
                "virtual_size": "0x0000bbae"
            }, 
            {
                "size_of_data": "0x00000c00", 
                "virtual_address": "0x0002b000", 
                "entropy": 2.203508080794779, 
                "name": ".data", 
                "virtual_size": "0x0000161c"
            }, 
            {
                "size_of_data": "0x00000200", 
                "virtual_address": "0x0002d000", 
                "entropy": 2.2015970416700728, 
                "name": ".gfids", 
                "virtual_size": "0x00000120"
            }, 
            {
                "size_of_data": "0x00000200", 
                "virtual_address": "0x0002e000", 
                "entropy": 0.0, 
                "name": ".tls", 
                "virtual_size": "0x00000002"
            }, 
            {
                "size_of_data": "0x00000200", 
                "virtual_address": "0x0002f000", 
                "entropy": 4.717678832946755, 
                "name": ".rsrc", 
                "virtual_size": "0x000001e0"
            }, 
            {
                "size_of_data": "0x00001a00", 
                "virtual_address": "0x00030000", 
                "entropy": 6.671567709991031, 
                "name": ".reloc", 
                "virtual_size": "0x000019f0"
            }
        ]
    }, 
    "debug": {
        "action": [], 
        "dbgview": [], 
        "errors": [], 
        "log": [
            "2020-09-27 09:59:30,078 [analyzer] DEBUG: Starting analyzer from: C:\\tmp6nc__j\n", 
            "2020-09-27 09:59:30,078 [analyzer] DEBUG: Pipe server name: \\??\\PIPE\\klnycDfIqCRjwGRNUJIDUdgYeeuK\n", 
            "2020-09-27 09:59:30,078 [analyzer] DEBUG: Log pipe server name: \\??\\PIPE\\LNoBiJMLntzimTDmUYGCoPqJECLOiO\n", 
            "2020-09-27 09:59:30,078 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.\n", 
            "2020-09-27 09:59:30,092 [analyzer] INFO: Automatically selected analysis package \"exe\"\n", 
            "2020-09-27 09:59:30,390 [analyzer] DEBUG: Started auxiliary module DbgView\n", 
            "2020-09-27 09:59:31,154 [analyzer] DEBUG: Started auxiliary module Disguise\n", 
            "2020-09-27 09:59:32,339 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets\n", 
            "2020-09-27 09:59:32,433 [analyzer] DEBUG: Started auxiliary module Human\n", 
            "2020-09-27 09:59:32,433 [analyzer] DEBUG: Started auxiliary module InstallCertificate\n", 
            "2020-09-27 09:59:32,433 [analyzer] DEBUG: Started auxiliary module Reboot\n", 
            "2020-09-27 09:59:32,448 [analyzer] DEBUG: Started auxiliary module RecentFiles\n", 
            "2020-09-27 09:59:32,526 [analyzer] DEBUG: Started auxiliary module Screenshots\n", 
            "2020-09-27 09:59:32,526 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n\n", 
            "2020-09-27 09:59:33,914 [lib.api.process] INFO: Successfully executed process from path u'C:\\\\Users\\\\CUCKOO~1\\\\AppData\\\\Local\\\\Temp\\\\al-khaser_x86.exe' with arguments '' and pid 2884\n", 
            "2020-09-27 10:02:30,661 [analyzer] INFO: Analysis timeout hit, terminating analysis.\n", 
            "2020-09-27 10:02:30,661 [analyzer] INFO: Analysis completed.\n"
        ], 
        "cuckoo": [
            "2020-09-27 09:59:30,985 [cuckoo.core.scheduler] INFO: Task #51: acquired machine win7 (label=Win7_pro_64)\n", 
            "2020-09-27 09:59:30,985 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.56.101 for task #51\n", 
            "2020-09-27 09:59:30,986 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Replay\n", 
            "2020-09-27 09:59:31,206 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 32762 (interface=vboxnet0, host=192.168.56.101)\n", 
            "2020-09-27 09:59:31,207 [cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer\n", 
            "2020-09-27 09:59:31,402 [cuckoo.machinery.virtualbox] DEBUG: Starting vm Win7_pro_64\n", 
            "2020-09-27 09:59:31,818 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine Win7_pro_64 to cuckoo_win7\n", 
            "2020-09-27 09:59:39,702 [cuckoo.core.guest] INFO: Starting analysis #51 on guest (id=win7, ip=192.168.56.101)\n", 
            "2020-09-27 09:59:40,706 [cuckoo.core.guest] DEBUG: win7: not ready yet\n", 
            "2020-09-27 09:59:41,709 [cuckoo.core.guest] DEBUG: win7: not ready yet\n", 
            "2020-09-27 09:59:42,713 [cuckoo.core.guest] DEBUG: win7: not ready yet\n", 
            "2020-09-27 09:59:47,626 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7, ip=192.168.56.101)\n", 
            "2020-09-27 09:59:57,032 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7, ip=192.168.56.101, monitor=latest, size=3885868)\n", 
            "2020-09-27 10:00:15,614 [cuckoo.core.resultserver] DEBUG: Task #51: live log analysis.log initialized.\n", 
            "2020-09-27 10:00:19,636 [cuckoo.core.resultserver] DEBUG: Task #51: File upload for 'shots/0001.jpg'\n", 
            "2020-09-27 10:00:19,646 [cuckoo.core.resultserver] DEBUG: Task #51 uploaded file length: 46314\n", 
            "2020-09-27 10:00:20,794 [cuckoo.core.resultserver] DEBUG: Task #51: File upload for 'shots/0002.jpg'\n", 
            "2020-09-27 10:00:20,799 [cuckoo.core.resultserver] DEBUG: Task #51 uploaded file length: 55459\n", 
            "2020-09-27 10:00:24,920 [cuckoo.core.resultserver] DEBUG: Task #51: File upload for 'shots/0003.jpg'\n", 
            "2020-09-27 10:00:24,932 [cuckoo.core.resultserver] DEBUG: Task #51 uploaded file length: 99393\n", 
            "2020-09-27 10:00:25,978 [cuckoo.core.resultserver] DEBUG: Task #51: File upload for 'shots/0004.jpg'\n", 
            "2020-09-27 10:00:25,985 [cuckoo.core.resultserver] DEBUG: Task #51 uploaded file length: 98278\n", 
            "2020-09-27 10:00:28,198 [cuckoo.core.resultserver] DEBUG: Task #51: File upload for 'shots/0005.jpg'\n", 
            "2020-09-27 10:00:28,347 [cuckoo.core.resultserver] DEBUG: Task #51 uploaded file length: 105436\n", 
            "2020-09-27 10:00:29,437 [cuckoo.core.resultserver] DEBUG: Task #51: File upload for 'shots/0006.jpg'\n", 
            "2020-09-27 10:00:29,451 [cuckoo.core.resultserver] DEBUG: Task #51 uploaded file length: 110722\n", 
            "2020-09-27 10:00:34,677 [cuckoo.core.resultserver] DEBUG: Task #51: File upload for 'shots/0007.jpg'\n", 
            "2020-09-27 10:00:34,686 [cuckoo.core.resultserver] DEBUG: Task #51 uploaded file length: 110210\n", 
            "2020-09-27 10:00:35,761 [cuckoo.core.resultserver] DEBUG: Task #51: File upload for 'shots/0008.jpg'\n", 
            "2020-09-27 10:00:35,775 [cuckoo.core.resultserver] DEBUG: Task #51 uploaded file length: 108703\n", 
            "2020-09-27 10:00:41,105 [cuckoo.core.resultserver] DEBUG: Task #51: File upload for 'shots/0009.jpg'\n", 
            "2020-09-27 10:00:41,117 [cuckoo.core.resultserver] DEBUG: Task #51 uploaded file length: 106157\n", 
            "2020-09-27 10:00:48,077 [cuckoo.core.guest] DEBUG: win7: analysis #51 still processing\n", 
            "2020-09-27 10:01:14,028 [cuckoo.core.resultserver] DEBUG: Task #51: File upload for 'shots/0010.jpg'\n", 
            "2020-09-27 10:01:14,043 [cuckoo.core.resultserver] DEBUG: Task #51 uploaded file length: 105905\n", 
            "2020-09-27 10:01:15,073 [cuckoo.core.resultserver] DEBUG: Task #51: File upload for 'shots/0011.jpg'\n", 
            "2020-09-27 10:01:15,090 [cuckoo.core.resultserver] DEBUG: Task #51 uploaded file length: 106179\n", 
            "2020-09-27 10:01:16,125 [cuckoo.core.guest] DEBUG: win7: analysis #51 still processing\n", 
            "2020-09-27 10:01:40,740 [cuckoo.core.resultserver] DEBUG: Task #51: File upload for 'shots/0012.jpg'\n", 
            "2020-09-27 10:01:40,758 [cuckoo.core.resultserver] DEBUG: Task #51 uploaded file length: 111629\n", 
            "2020-09-27 10:01:44,084 [cuckoo.core.guest] DEBUG: win7: analysis #51 still processing\n", 
            "2020-09-27 10:01:53,294 [cuckoo.core.resultserver] DEBUG: Task #51: File upload fo"
        ]
    }, 
    "screenshots": [
        {
            "path": ".../.cuckoo/storage/analyses/51/shots/0001.jpg", 
            "ocr": ""
        }, 
        {
            "path": ".../.cuckoo/storage/analyses/51/shots/0002.jpg", 
            "ocr": ""
        }, 
        {
            "path": ".../.cuckoo/storage/analyses/51/shots/0003.jpg", 
            "ocr": ""
        }, 
        {
            "path": ".../.cuckoo/storage/analyses/51/shots/0004.jpg", 
            "ocr": ""
        }, 
        {
            "path": ".../.cuckoo/storage/analyses/51/shots/0005.jpg", 
            "ocr": ""
        }, 
        {
            "path": ".../.cuckoo/storage/analyses/51/shots/0006.jpg", 
            "ocr": ""
        }, 
        {
            "path": ".../.cuckoo/storage/analyses/51/shots/0007.jpg", 
            "ocr": ""
        }, 
        {
            "path": ".../.cuckoo/storage/analyses/51/shots/0008.jpg", 
            "ocr": ""
        }, 
        {
            "path": ".../.cuckoo/storage/analyses/51/shots/0009.jpg", 
            "ocr": ""
        }, 
        {
            "path": ".../.cuckoo/storage/analyses/51/shots/0010.jpg", 
            "ocr": ""
        }, 
        {
            "path": ".../.cuckoo/storage/analyses/51/shots/0011.jpg", 
            "ocr": ""
        }, 
        {
            "path": ".../.cuckoo/storage/analyses/51/shots/0012.jpg", 
            "ocr": ""
        }, 
        {
            "path": ".../.cuckoo/storage/analyses/51/shots/0013.jpg", 
            "ocr": ""
        }, 
        {
            "path": ".../.cuckoo/storage/analyses/51/shots/0014.jpg", 
            "ocr": ""
        }, 
        {
            "path": ".../.cuckoo/storage/analyses/51/shots/0015.jpg", 
            "ocr": ""
        }
    ], 
    "strings": [
        "GetCPInfo", 
        "GetTimeZoneInformation", 
        "FindClose", 
        "FindFirstFileExA", 
        "FindNextFileA", 
        "IsValidCodePage", 
        "GetOEMCP", 
        "GetEnvironmentStringsW", 
        "FreeEnvironmentStringsW", 
        "SetEnvironmentVariableA", 
        "SetStdHandle", 
        "GetStringTypeW", 
        "FlushFileBuffers", 
        "GetConsoleCP", 
        "GetConsoleMode", 
        "ReadConsoleW", 
        "SetFilePointerEx", 
        "HeapSize", 
        "WriteConsoleW", 
        "SetEndOfFile", 
        "DecodePointer", 
        "VirtualQuery", 
        "                          ", 
        "abcdefghijklmnopqrstuvwxyz", 
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ", 
        "                          ", 
        "abcdefghijklmnopqrstuvwxyz", 
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ", 
        ".?AVbad_alloc@std@@", 
        ".?AVexception@std@@", 
        ".?AVlogic_error@std@@", 
        ".?AVlength_error@std@@", 
        ".?AVout_of_range@std@@", 
        ".?AVtype_info@@", 
        ".?AVbad_array_new_length@std@@", 
        ".?AVbad_exception@std@@", 
        "<?xml version='1.0' encoding='UTF-8' standalone='yes'?>", 
        "<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>", 
        "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">", 
        "    <security>", 
        "      <requestedPrivileges>", 
        "        <requestedExecutionLevel level='asInvoker' uiAccess='false' />", 
        "      </requestedPrivileges>", 
        "    </security>", 
        "  </trustInfo>", 
        "</assembly>", 
        "1$1+111M1]1", 
        "2!3+393>3E3m3w3", 
        "4\u001f414B4N4Y4c4x4", 
        "5,5=5N5Z5b5g5n5", 
        "696H6W6", 
        "7+7a7p7", 
        "7,8S8i8", 
        "9-9=9f9t9~9", 
        "96:?:M:[:q:", 
        ":\u001f;9;v;", 
        ";6<K<P<", 
        "<-=B=G=", 
        ">'>1>=>L>X>m>", 
        "?&?7?l?", 
        "1 1'1.151<1C1J1Q1X1_1", 
        "2F3K3t3", 
        "6$6*6V6s6", 
        "7-82888?8Z8", 
        "8\"9S9X9d9k9{9", 
        "9=:d:|:", 
        "2'2F2K2g2q2~2", 
        "3,353>3E3L3S3Z3a3", 
        "5*5H5|5", 
        "5)6.6;6Z6x6", 
        "7S7Z7~7", 
        "7>8K8v8|8", 
        "939O9n9", 
        "9 :,:3:G:", 
        ";\u001f<)<5<<<C<J<m<", 
        ">N>d>z>", 
        ">8?O?g?", 
        "0/191@1G1N1U1\\1c1j1q1x1", 
        "2(252E2U2", 
        "2$3A3|3", 
        "5J5T5[5b5i5p5w5~5", 
        "5/6P6p6", 
        "888>8M8h8u8", 
        ":.:7:_:", 
        ":!;T;q;", 
        "<(<\\<e<", 
        "=+=J=h=", 
        ">Z>_>l>", 
        "?*?>?P?^?", 
        "1&2E2Y2f2v2", 
        "2!3T3q3", 
        "4*545a5g5", 
        "7)7.747;7K7f7l7{7", 
        "8$9A9o9x9", 
        ";(;5;M;", 
        "<1<n<s<", 
        "=,>R>_>d>t>", 
        ">!?a?x?", 
        "1;1]1s1", 
        "1:3A3L3h3t3", 
        "3'4?4M4j4{4", 
        "6=6D6_6f6", 
        "7\"7,767@7J7o7x7", 
        "8-8;8I8Y8`8l8", 
        "90:<:a:j:v:", 
        ";9;B;M;Y;b;h;q;|;", 
        "<(<7<=<T<b<i<", 
        ">B>d>|>", 
        "?6?Q?p?", 
        "1L1]1b1g1", 
        "4*4;4a4v4}4", 
        "51595R5", 
        "6'6-6T6z6", 
        "8,818V8a8~8", 
        "9 :):6:A:J:Y:d:z:", 
        ";(;1;6;<;F;P;`;p;", 
        "2:3e3U4h4", 
        "6-6I6S6]6k6", 
        "7]7u7z7", 
        "<1<M<m<{<", 
        "=3=;=e=", 
        "> >D>P>U>Z>~>", 
        "?(?M?_?k?u?", 
        "1'151E1Z1q1", 
        "2&2w2!3", 
        "%0)0-0105090=0A0", 
        "0E1I1M1Q1U1Y1]1a1", 
        "1u2y2}2", 
        "O1k1o1s1w1{1", 
        "2 2S2e2", 
        "2,333U3", 
        "0;0V0a0", 
        "242F2R2Z2r2", 
        "5#7B7l7", 
        "8(8-888C8P8^8p8", 
        "9\"9>9n9}9", 
        ";\u001f;1;L;", 
        "= =(=.=6=A=K=Q=e=q=", 
        "=\u001f>(>0>", 
        "2'232L2_2", 
        "33494K4", 
        "4)5/5q?", 
        "0 0\\0l0", 
        "2\"2,2H2S2X2]2x2", 
        "3'313M3X3]3b3", 
        "474B4G4L4j4", 
        "5\"5F5X5d5r5", 
        "7\"8R8m8", 
        "0C1?2S2", 
        "4$404A4J4", 
        "5?5I5<:", 
        "=F=M=]=l=s=", 
        "0;1M1S1", 
        "97:A:\\:~:", 
        "0<0h0e1z1", 
        "3\"3.3;3C3K3S3[3d3m3u3", 
        "5A5I5m5v5", 
        "6F8Q8X8^8m8t8~8", 
        "9Y9d9q9z9", 
        "90:::O:_:", 
        ";%;3;:;@;[;b;", 
        "1 151h1o1v1}1", 
        "5(5X5m5{5", 
        ":*:8:@:", 
        ":[;C<0=J=", 
        ">)>c>j>", 
        "?$?b?o?", 
        "1&181J1\\1n1", 
        "2\u001f212C2", 
        "415~5V6", 
        "334`4m4", 
        "8 8?8]8", 
        ";,;_;|;", 
        "3M3T3Y6", 
        "=->@>v>", 
        ">#?;?n?", 
        "1 252d2{2", 
        "2+2]2w2", 
        "?#?0?B?", 
        "'0<0E0N0%2A2[2", 
        "4Q5W5\\5b5s508u8Q9", 
        ":Y:a:i:q:y:", 
        ";!;-;9;Y;", 
        "3.3S3_3k3~3", 
        "3%414=4I4\\4", 
        "9N=Q>b>", 
        "3.3:3A3S3o3", 
        "5,5054585<5@5D5H5L5P5T5X5\\5`5|5", 
        "7 7$7(7,7074787<7@7D7H7L7P7T7X7\\7`7d7h7l7p7t7x7|7", 
        "8 8$8(8,8084888<8@8D8H8L8P8T8X8\\8`8d8h8l8p8t8", 
        "0 0$0(0,0004080D0L0P0T0X0\\0", 
        "; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\\;`;d;h;t;x;|;", 
        "\\5d5l5t5|5", 
        "6$6,646<6D6L6T6\\6d6l6t6|6", 
        "7$7,747<7D7L7T7\\7d7l7t7|7", 
        "8$8,848<8D8L8T8\\8d8l8t8|8", 
        "9$9,949<9D9L9T9\\9d9l9t9|9", 
        ":$:,:4:<:D:L:T:\\:d:l:t:|:", 
        ";$;,;4;<;D;L;T;\\;d;l;t;|;", 
        "<$<,<4<<<D<L<T<\\<d<l<t<", 
        "7 7(70787@7H7P7X7`7h7p7x7", 
        "8 8(80888@8H8P8X8`8h8p8x8", 
        "9 9(90989@9H9P9X9`9h9p9x9", 
        ": :(:0:8:@:H:P:X:`:h:p:x:", 
        "; ;(;0;8;@;H;P;X;`;h;p;x;", 
        "< <(<0<8<@<H<P<X<`<h<p<x<", 
        "= =(=0=8=@=H=P=X=`=h=p=x=", 
        ";$;,;4;<;D;L;T;\\;d;l;t;|;", 
        "=0=4=D=H=P=h=x=|=", 
        ">$>(>,>0>8>P>`>d>t>x>|>", 
        "? ?8?H?L?\\?`?d?l?", 
        "4D4X4h4x4", 
        "5 545<5D5L5P5T5\\5p5", 
        "60686<6T6X6t6x6", 
        "7(7H7h7", 
        "8(80848P8p8", 
        "989X9x9", 
        ":8:X:x:", 
        ";8;X;x;", 
        "01`1p1", 
        "Aadvapi32", 
        "api-ms-win-core-fibers-l1-1-1", 
        "api-ms-win-core-synch-l1-2-0", 
        "kernel32", 
        "(null)", 
        "mscoree.dll", 
        "Bapi-ms-win-appmodel-runtime-l1-1-1", 
        "api-ms-win-core-datetime-l1-1-1", 
        "api-ms-win-core-file-l2-1-1", 
        "api-ms-win-core-localization-l1-2-1", 
        "api-ms-win-core-localization-obsolete-l1-2-0", 
        "api-ms-win-core-processthreads-l1-1-2", 
        "api-ms-win-core-string-l1-1-0", 
        "api-ms-win-core-sysinfo-l1-2-1", 
        "api-ms-win-core-winrt-l1-1-0", 
        "api-ms-win-core-xstate-l2-1-0", 
        "api-ms-win-rtcore-ntuser-window-l1-1-0", 
        "api-ms-win-security-systemfunctions-l1-1-0", 
        "ext-ms-win-kernel32-package-current-l1-1-0", 
        "ext-ms-win-ntuser-dialogbox-l1-1-0", 
        "ext-ms-win-ntuser-windowstation-l1-1-0", 
        "user32", 
        "Sunday", 
        "Monday", 
        "Tuesday", 
        "Wednesday", 
        "Thursday", 
        "Friday", 
        "Saturday", 
        "January", 
        "February", 
        "August", 
        "September", 
        "October", 
        "November", 
        "December", 
        "MM/dd/yy", 
        "dddd, MMMM dd, yyyy", 
        "HH:mm:ss", 
        "UTF-16LEUNICODE", 
        "Bja-JP", 
        "         (((((                  H", 
        "      (                          ", 
        "         (((((                  H", 
        "zh-CHS", 
        "az-AZ-Latn", 
        "uz-UZ-Latn", 
        "kok-IN", 
        "syr-SY", 
        "div-MV", 
        "quz-BO", 
        "sr-SP-Latn", 
        "az-AZ-Cyrl", 
        "uz-UZ-Cyrl", 
        "quz-EC", 
        "sr-SP-Cyrl", 
        "quz-PE", 
        "smj-NO", 
        "bs-BA-Latn", 
        "smj-SE", 
        "sr-BA-Latn", 
        "sma-NO", 
        "sr-BA-Cyrl", 
        "sma-SE", 
        "sms-FI", 
        "smn-FI", 
        "zh-CHT", 
        "az-az-cyrl", 
        "az-az-latn", 
        "bs-ba-latn", 
        "div-mv", 
        "kok-in", 
        "quz-bo", 
        "quz-ec", 
        "quz-pe", 
        "sma-no", 
        "sma-se", 
        "smj-no", 
        "smj-se", 
        "smn-fi", 
        "sms-fi", 
        "sr-ba-cyrl", 
        "sr-ba-latn", 
        "sr-sp-cyrl", 
        "sr-sp-latn", 
        "syr-sy", 
        "uz-uz-cyrl", 
        "uz-uz-latn", 
        "zh-chs", 
        "zh-cht", 
        "CONOUT$", 
        "[al-khaser version 0.71]", 
        "Process is running under WOW64", 
        "Debugger Detection", 
        "Checking IsDebuggerPresent API () ", 
        "Checking PEB.BeingDebugged ", 
        "Checking CheckRemoteDebuggerPresentAPI () ", 
        "Checking PEB.NtGlobalFlag ", 
        "Checking ProcessHeap.Flags ", 
        "Checking ProcessHeap.ForceFlags ", 
        "Checking NtQueryInformationProcess with ProcessDebugPort ", 
        "Checking NtQueryInformationProcess with ProcessDebugFlags ", 
        "Checking NtQueryInformationProcess with ProcessDebugObject ", 
        "Checking NtSetInformationThread with ThreadHideFromDebugger ", 
        "Checking CloseHandle with an invalide handle ", 
        "Checking UnhandledExcepFilterTest ", 
        "Checking OutputDebugString ", 
        "Checking Hardware Breakpoints ", 
        "Checking Software Breakpoints ", 
        "Checking Interupt 0x2d ", 
        "Checking Interupt 1 ", 
        "Checking Memory Breakpoints PAGE GUARD: ", 
        "Checking If Parent Process is explorer.exe: ", 
        "Checking SeDebugPrivilege : ", 
        "Checking NtQueryObject with ObjectTypeInformation : ", 
        "Checking NtQueryObject with ObjectAllTypesInformation : ", 
        "Checking NtYieldExecution : ", 
        "Checking CloseHandle protected handle trick : ", 
        "Checking NtQuerySystemInformation with SystemKernelDebuggerInformation : ", 
        "Checking SharedUserData->KdDebuggerEnabled : ", 
        "Checking if process in in a job : ", 
        "Generic Sandboxe/VM Detection", 
        "Checking Number of processors in machine: ", 
        "Checking Interupt Descriptor Table location: ", 
        "Checking Local Descriptor Table location: ", 
        "Checking Global Descriptor Table location: ", 
        "Checking Number of cores in machine using WMI: ", 
        "Checking hard disk size using WMI: ", 
        "Checking hard disk size using DeviceIoControl: ", 
        "Checking SetupDi_diskdrive: ", 
        "Checking mouse movement: ", 
        "Checking memory space using GlobalMemoryStatusEx: ", 
        "Checking disk size using GetDiskFreeSpaceEx: ", 
        "Checking if CPU hypervisor field is set using cpuid(0x1)", 
        "Checking hypervisor vendor using cpuid(0x40000000)", 
        "Checking SMBIOS firmware : ", 
        "Checking ACPI tables : ", 
        "Check if time has been accelerated: ", 
        "VirtualBox Detection", 
        "Checking dir oracle\\virtualbox guest additions\\: ", 
        "Checking Mac Address start with 08:00:27: ", 
        "Checking VBoxTrayToolWndClass / VBoxTrayToolWnd: ", 
        "Checking VirtualBox Shared Folders network provider: ", 
        "Checking DeviceId from WMI: ", 
        "Checking Mac address from WMI: ", 
        "Checking NTEventLog from WMI: ", 
        "VMWare Detection", 
        "Checking VMWare network adapter name: ", 
        "Checking VMWare directory: ", 
        "Virtual PC Detection", 
        "QEMU Detection", 
        "Xen Detection", 
        "Wine Detection", 
        "Checking Wine via dll exports: ", 
        "Paralles Detection", 
        "Timing-attacks", 
        "[+] Performing a sleep using NtDelayexecution:", 
        "NtDelayexecution was bypassed ... ", 
        "[+] Performing a sleep() in a loop:", 
        "Sleep in loop was bypassed ... ", 
        "[*] Delaying execution using SetTimer():", 
        "timing_SetTimer was bypassed ... ", 
        "[*] Delaying execution using timeSetEvent():", 
        "timeSetEvent was bypassed ... ", 
        "[*] Delaying execution using WaitForSingleObject():", 
        "WaitForSingleObject was bypassed ... ", 
        "[*] Delaying execution using IcmpSendEcho():", 
        "IcmpSendEcho was bypassed ... ", 
        "Checking RDTSC Locky trick: ", 
        "Checking RDTSC which force a VM Exit (cpuid): ", 
        "Analysis-tools", 
        "Anti Dumping", 
        "Analysis done, I hope you didn't get red flags :)", 
        "ollydbg.exe", 
        "ProcessHacker.exe", 
        "tcpview.exe", 
        "autoruns.exe", 
        "autorunsc.exe", 
        "filemon.exe", 
        "procmon.exe", 
        "regmon.exe", 
        "procexp.exe", 
        "idaq.exe", 
        "idaq64.exe", 
        "ImmunityDebugger.exe", 
        "Wireshark.exe", 
        "dumpcap.exe", 
        "HookExplorer.exe", 
        "ImportREC.exe", 
        "PETools.exe", 
        "LordPE.exe", 
        "SysInspector.exe", 
        "proc_analyzer.exe", 
        "sysAnalyzer.exe", 
        "sniff_hit.exe", 
        "windbg.exe", 
        "joeboxcontrol.exe", 
        "joeboxserver.exe", 
        "Checking process of malware analysis tool: %s: ", 
        "ntdll.dll", 
        "DebugObject", 
        "random", 
        "\\Windows\\System32\\conhost.exe", 
        "dcsrss.exe", 
        "Random name", 
        "I am critical function, you should protect against int3 bps %d", 
        "DLL_PROCESS_ATTACH", 
        "I am running from a TLS callbacks, did you see that?", 
        "[*] Erasing PE header from memory", 
        "[*] Increasing SizeOfImage in PE Header to: 0x100000", 
        "sbiedll.dll", 
        "dbghelp.dll", 
        "api_log.dll", 
        "dir_watch.dll", 
        "pstorec.dll", 
        "vmcheck.dll", 
        "wpespy.dll", 
        "Checking if process loaded modules contains: %s ", 
        "SELECT * FROM Win32_Processor", 
        "NumberOfCores", 
        "SELECT * FROM Win32_LogicalDisk", 
        "\\\\.\\PhysicalDrive0", 
        "vmware", 
        "virtual", 
        "KVMKVMKVM", 
        "Microsoft Hv", 
        "VMwareVMware", 
        "XenVMMXenVMM", 
        "prl hyperv  ", 
        "VBoxVBoxVBox", 
        "prl_cc.exe", 
        "prl_tools.exe", 
        "Checking Parallels processes: %s", 
        "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", 
        "Identifier", 
        "HARDWARE\\Description\\System", 
        "SystemBiosVersion", 
        "Checking reg key %s: ", 
        "VideoBiosVersion", 
        "VIRTUALBOX", 
        "SystemBiosDate", 
        "06/23/99", 
        "Checking reg key HARDWARE\\Description\\System - %s is set to %s:", 
        "HARDWARE\\ACPI\\DSDT\\VBOX__", 
        "HARDWARE\\ACPI\\FADT\\VBOX__", 
        "HARDWARE\\ACPI\\RSDT\\VBOX__", 
        "SOFTWARE\\Oracle\\VirtualBox Guest Additions", 
        "SYSTEM\\ControlSet001\\Services\\VBoxGuest", 
        "SYSTEM\\ControlSet001\\Services\\VBoxMouse", 
        "SYSTEM\\ControlSet001\\Services\\VBoxService", 
        "SYSTEM\\ControlSet001\\Services\\VBoxSF", 
        "SYSTEM\\ControlSet001\\Services\\VBoxVideo", 
        "system32\\drivers\\VBoxMouse.sys", 
        "system32\\drivers\\VBoxGuest.sys", 
        "system32\\drivers\\VBoxSF.sys", 
        "system32\\drivers\\VBoxVideo.sys", 
        "system32\\vboxdisp.dll", 
        "system32\\vboxhook.dll", 
        "system32\\vboxmrxnp.dll", 
        "system32\\vboxogl.dll", 
        "system32\\vboxoglarrayspu.dll", 
        "system32\\vboxoglcrutil.dll", 
        "system32\\vboxoglerrorspu.dll", 
        "system32\\vboxoglfeedbackspu.dll", 
        "system32\\vboxoglpackspu.dll", 
        "system32\\vboxoglpassthroughspu.dll", 
        "system32\\vboxservice.exe", 
        "system32\\vboxtray.exe", 
        "system32\\VBoxControl.exe", 
        "Checking file %s: ", 
        "oracle\\virtualbox guest additions\\", 
        "%ProgramW6432%", 
        "\\\\.\\VBoxMiniRdrDN", 
        "\\\\.\\VBoxGuest", 
        "\\\\.\\pipe\\VBoxMiniRdDN", 
        "\\\\.\\VBoxTrayIPC", 
        "\\\\.\\pipe\\VBoxTrayIPC", 
        "Checking device %s: ", 
        "VBoxTrayToolWndClass", 
        "VBoxTrayToolWnd", 
        "VirtualBox Shared Folders", 
        "vboxservice.exe", 
        "vboxtray.exe", 
        "Checking virtual box processe %s: ", 
        "SELECT * FROM Win32_PnPEntity", 
        "DeviceId", 
        "PCI\\VEN_80EE&DEV_CAFE", 
        "SELECT * FROM Win32_NetworkAdapterConfiguration", 
        "MACAddress", 
        "08:00:27", 
        "SELECT * FROM Win32_NTEventlogFile", 
        "FileName", 
        "System", 
        "Sources", 
        "vboxvideo", 
        "VMSrvc.exe", 
        "VMUSrvc.exe", 
        "Checking Virtual PC processes %s: ", 
        "VMWARE", 
        "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", 
        "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", 
        "Checking reg key %s:", 
        "SOFTWARE\\VMware, Inc.\\VMware Tools", 
        "system32\\drivers\\vmmouse.sys", 
        "system32\\drivers\\vmhgfs.sys", 
        "VMWare\\", 
        "00:05:69", 
        "00:0c:29", 
        "00:1C:14", 
        "00:50:56", 
        "Checking MAC starting with: %s", 
        "VMWare", 
        "\\\\.\\HGFS", 
        "\\\\.\\vmci", 
        "kernel32.dll", 
        "GetModuleHandle", 
        "eSOFTWARE\\Wine", 
        "xenservice.exe", 
        "Checking Citrix Xen process: ", 
        "[ BAD  ]", 
        "[ GOOD ]", 
        "-------------------------[%s]-------------------------", 
        "[*] %s", 
        "[*] %s -> %d", 
        "Shared\\Common.cpp", 
        "Al-Khaser - by Lord Noteworthy", 
        "OS: %s", 
        "%s failed with error %d: %s", 
        "log.txt", 
        "Error allocating memory needed to call GetAdaptersinfo.", 
        "oMicrosoft ", 
        "Windows 10 ", 
        "Windows Server 2016 Technical Preview ", 
        "Windows Vista ", 
        "Windows Server 2008 ", 
        "Windows 7 ", 
        "Windows Server 2008 R2 ", 
        "Windows 8 ", 
        "Windows Server 2012", 
        "Ultimate Edition", 
        "Professional", 
        "Home Premium Edition", 
        "Home Basic Edition", 
        "Enterprise Edition", 
        "Business Edition", 
        "Starter Edition", 
        "Cluster Server Edition", 
        "Datacenter Edition", 
        "Datacenter Edition (core installation)", 
        "Enterprise Edition (core installation)", 
        "Enterprise Edition for Itanium-based Systems", 
        "Small Business Server", 
        "Small Business Server Premium Edition", 
        "Standard Edition", 
        "Standard Edition (core installation)", 
        "Web Server Edition", 
        "Windows Server 2003 R2, ", 
        "Windows Storage Server 2003", 
        "Windows Home Server", 
        "Windows XP Professional x64 Edition", 
        "Windows Server 2003, ", 
        "Datacenter Edition for Itanium-based Systems", 
        "Datacenter x64 Edition", 
        "Enterprise x64 Edition", 
        "Standard x64 Edition", 
        "Compute Cluster Edition", 
        "Web Edition", 
        "Windows XP ", 
        "Home Edition", 
        "Windows 2000 ", 
        "Datacenter Server", 
        "Advanced Server", 
        "Server", 
        " (build %d)", 
        " 64-bit", 
        " 32-bit", 
        "CreateToolhelp32Snapshot", 
        "Process32First", 
        "CoInitializeEx", 
        "CoInitializeSecurity", 
        "CoCreateInstance", 
        "ROOT\\CIMV2", 
        "ConnectServer", 
        "CoSetProxyBlanket", 
        "ExecQuery", 
        "CreateEvent"
    ], 
    "metadata": {
        "output": {
            "pcap": {
                "basename": "dump.pcap", 
                "sha256": "ab6177d9af37528fadcf084236ad08196a96055ca4a63e6189e00e3593a55231", 
                "dirname": ""
            }
        }
    }
}

z1pwn commented 3 years ago

Here is the processing.conf

# Enable or disable the available processing modules [yes/no].
# If you add a custom processing module to your Cuckoo setup, you have to add
# a dedicated entry in this file, or it won't be executed.
# You can also add additional options under the section of your module and
# they will be available in your Python class.

[analysisinfo]
enabled = yes

[apkinfo]
enabled = no
# Decompiling dex files with androguard is a heavy operation. For large dex
# files it can really take quite a while - it is recommended to limit to a
# certain filesize.
decompilation_threshold = 5000000

[baseline]
enabled = no

[behavior]
enabled = yes

[buffer]
enabled = yes

[debug]
enabled = yes

[droidmon]
enabled = no

[dropped]
enabled = yes

[dumptls]
enabled = yes

[extracted]
enabled = yes

[googleplay]
enabled = no
android_id = 
google_login = 
google_password = 

[memory]
# Create a memory dump of the entire Virtual Machine. This memory dump will
# then be analyzed using Volatility to locate interesting events that can be
# extracted from memory.
enabled = no

[misp]
enabled = no
url = 
apikey = 

# Maximum amount of IOCs to look up (hard limit).
maxioc = 100

[network]
enabled = yes

# Allow domain whitelisting
whitelist_dns = no

# Allow DNS responses from your configured DNS server for whitelisting to
# deactivate when responses come from some other DNS
# Can be also multiple like : 8.8.8.8,8.8.4.4
allowed_dns = 

[procmemory]
# Enables the creation of process memory dumps for each analyzed process right
# before they terminate themselves or right before the analysis finishes.
enabled = yes
# It is possible to load these process memory dumps in IDA Pro through the
# generation of IDA Python-based script files. Although currently symbols and
# such are not properly recovered, it is still nice to get a quick look at
# specific memory addresses of a process.
idapro = no
# Extract executable images from this process memory dump. This allows us to
# relatively easily extract injected executables.
extract_img = yes
# Also extract DLL files from the process memory dump.
extract_dll = no
# Delete process memory dumps after analysis to save disk space.
dump_delete = no

[procmon]
# Enable procmon processing. This only takes place when the "procmon=1" option
# is set for an analysis.
enabled = yes

[screenshots]
enabled = yes
# Set to the actual tesseract path (i.e., /usr/bin/tesseract or similar)
# rather than "no" to enable OCR analysis of screenshots.
# Note: doing OCR on the screenshots is a rather slow process.
tesseract = no

[snort]
enabled = no
# Following are various configurable settings. When in use of a recent 2.9.x.y
# version of Snort there is no need to change any of the following settings as
# they represent the defaults.
#
snort = /usr/local/bin/snort
conf = /etc/snort/snort.conf

[static]
enabled = yes
# On bigger PDF files PeePDF may take a substantial amount of time to perform
# static analysis of PDF files, with times of over an hour per file estimated
# in production. This option will by default limit the maximum processing time
# to one minute, but this may be adjusted accordingly. Note that if the timeout
# is hit, no static analysis results through PeePDF will be available.
pdf_timeout = 60

[strings]
enabled = yes

[suricata]
enabled = no

# Following are various configurable settings. When in use of a recent version
# of Suricata there is no need to change any of the following settings as they
# represent the defaults.
suricata = /usr/bin/suricata
conf = /etc/suricata/suricata.yaml
eve_log =  eve.json
files_log = files-json.log
files_dir = files

# By specifying the following line our processing module can use the socket
# mode in Suricata. This is quite the performance improvement as instead of
# having to load all the Suricata rules each time the processing module is
# run (i.e., for every task), the rules are only loaded once and then we talk
# to its API. This does require running Suricata as follows or similar;
# "suricata --unix-socket -D".
# (Please find more information in utils/suricata.sh for now).
# socket = /var/run/suricata/cuckoo.socket
socket = 

[targetinfo]
enabled = yes

[virustotal]
enabled = no
# How much time we can wait to establish VirusTotal connection and get the
# report.
timeout = 60
# Enable this option if you want to submit files to VirusTotal not yet available
# in their database.
# NOTE: if you are dealing with sensitive stuff, enabling this option you could
# leak some files to VirusTotal.
scan = no
# Add your VirusTotal API key here. The default API key, kindly provided
# by the VirusTotal team, should enable you with a sufficient throughput
# and while being shared with all our users, it shouldn't affect your use.
key = a0283a2c3d55728300d064874239b5346fb991317e8449fe43c902879d758088

[irma]
enabled = no
# IRMA @ github : https://github.com/quarkslab/irma
# How much time we can wait to establish IRMA connection and get the report.
timeout = 60
# Enable this option if you want to submit files to IRMA not yet available.
scan = no
# Force scan of submitted files
force = no
# URL to your IRMA installation
# For example : https://your.irma.host
url = 
# Probes to use on your IRMA instance
# If not specified, will default to using all available probes
# Expects comma separated list
# For example : ClamAV,F-Secure,Avast,ESET,eScan,Avira,Sophos,McAfee,Kaspersky,GData,Comodo,Bitdefender
probes =

z1pwn commented 3 years ago

Here is the virtualbox.conf

[virtualbox]
# Specify which VirtualBox mode you want to run your machines on.
# Can be "gui" or "headless". Please refer to VirtualBox's official
# documentation to understand the differences.
mode = headless

# Path to the local installation of the VBoxManage utility.
path = /usr/bin/VBoxManage
# If you are running Cuckoo on Mac OS X you have to change the path as follows:
# path = /Applications/VirtualBox.app/Contents/MacOS/VBoxManage

# Default network interface.
interface = vboxnet0

# Specify a comma-separated list of available machines to be used. For each
# specified ID you have to define a dedicated section containing the details
# on the respective machine. (E.g. cuckoo1,cuckoo2,cuckoo3)
machines = win7

# If remote control is enabled in cuckoo.conf, specify a port range to use.
# Virtualbox will bind the VRDP interface to the first available port.
controlports = 5000-5050

[win7]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = Win7_pro_64

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = windows

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
ip = 192.168.56.101

# (Optional) Specify the snapshot name to use. If you do not specify a snapshot
# name, the VirtualBox MachineManager will use the current snapshot.
# Example (Snapshot1 is the snapshot name):
snapshot = cuckoo_win7 

# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump. If specified,
# overrides the default interface specified in auxiliary.conf
# Example (vboxnet0 is the interface name):
interface = 

# (Optional) Specify the IP of the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the IP address for the Result Server as your machine sees it. If you don't specify an
# address here, the machine will use the default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in cuckoo.conf.
# Example:
resultserver_ip = 

# (Optional) Specify the port for the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the port for the Result Server as your machine sees it. If you don't specify a port
# here, the machine will use the default value from cuckoo.conf.
# Example:
resultserver_port = 

# (Optional) Set your own tags. These are comma separated and help to identify
# specific VMs. You can run samples on VMs with tag you require.
tags = 

# Mostly unused for now. Please don't fill it out.
options = 

# (Optional) Specify the OS profile to be used by volatility for this
# virtual machine. This will override the guest_profile variable in
# memory.conf which solves the problem of having multiple types of VMs
# and properly determining which profile to use.
osprofile = 

[ubuntu]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = Ubuntu16.04

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = linux

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
ip = 192.168.56.102

# (Optional) Specify the snapshot name to use. If you do not specify a snapshot
# name, the VirtualBox MachineManager will use the current snapshot.
# Example (Snapshot1 is the snapshot name):
snapshot = cuckoo_ubuntu

# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump. If specified,
# overrides the default interface specified in auxiliary.conf
# Example (vboxnet0 is the interface name):
interface =

# (Optional) Specify the IP of the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the IP address for the Result Server as your machine sees it. If you don't specify an
# address here, the machine will use the default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in cuckoo.conf.
# Example:
resultserver_ip =

# (Optional) Specify the port for the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the port for the Result Server as your machine sees it. If you don't specify a port
# here, the machine will use the default value from cuckoo.conf.
# Example:
resultserver_port =

# (Optional) Set your own tags. These are comma separated and help to identify
# specific VMs. You can run samples on VMs with the tag you require.
tags =

# Mostly unused for now. Please don't fill it out.
options =

# (Optional) Specify the OS profile to be used by volatility for this
# virtual machine. This will override the guest_profile variable in
# memory.conf which solves the problem of having multiple types of VMs
# and properly determining which profile to use.
osprofile =

[ubuntu32]
# Specify the label name of the current machine as specified in your
# VirtualBox configuration.
label = Ubuntu16.04_32

# Specify the operating system platform used by current machine
# [windows/darwin/linux].
platform = linux

# Specify the IP address of the current virtual machine. Make sure that the
# IP address is valid and that the host machine is able to reach it. If not,
# the analysis will fail.
ip = 192.168.56.103

# (Optional) Specify the snapshot name to use. If you do not specify a snapshot
# name, the VirtualBox MachineManager will use the current snapshot.
# Example (Snapshot1 is the snapshot name):
snapshot = cuckoo_ubuntu

# (Optional) Specify the name of the network interface that should be used
# when dumping network traffic from this machine with tcpdump. If specified,
# overrides the default interface specified in auxiliary.conf
# Example (vboxnet0 is the interface name):
interface =

# (Optional) Specify the IP of the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the IP address for the Result Server as your machine sees it. If you don't specify an
# address here, the machine will use the default value from cuckoo.conf.
# NOTE: if you set this option you have to set result server IP to 0.0.0.0 in cuckoo.conf.
# Example:
resultserver_ip =

# (Optional) Specify the port for the Result Server, as your virtual machine sees it.
# The Result Server will always bind to the address and port specified in cuckoo.conf,
# however you could set up your virtual network to use NAT/PAT, so you can specify here
# the port for the Result Server as your machine sees it. If you don't specify a port
# here, the machine will use the default value from cuckoo.conf.
# Example:
resultserver_port =

# (Optional) Set your own tags. These are comma separated and help to identify
# specific VMs. You can run samples on VMs with the tag you require.
tags =

# Mostly unused for now. Please don't fill it out.
options =

# (Optional) Specify the OS profile to be used by volatility for this
# virtual machine. This will override the guest_profile variable in
# memory.conf which solves the problem of having multiple types of VMs
# and properly determining which profile to use.
osprofile =

[honeyd]
# For more information on this VM please refer to the "services" section of
# the conf/auxiliary.conf configuration file. This machine is a bit special
# in the way that it's used as an additional VM for an analysis.
# *NOTE* that if this functionality is used, the VM should be registered in
# the "machines" list in the beginning of this file.
label = honeyd
platform = linux
ip = 192.168.56.100
# The tags should at least contain "service" and the name of this service.
# This way the services auxiliary module knows how to find this particular VM.
tags = service, honeyd
# Not all services actually have a Cuckoo Agent running in the VM, for those
# services one can specify the "noagent" option so Cuckoo will just wait until
# the end of the analysis instead of trying to connect to the non-existing
# Cuckoo Agent. We can't really intercept any inter-VM communication from the
# host / gateway so in order to dump traffic between VMs we have to use a
# different network dumping approach. For this machine we use the "nictrace"
# functionality from VirtualBox (which is basically their internal tcpdump)
# and thus properly dumps inter-VM traffic.
options = nictrace noagent