cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

[cuckoo.processing.behavior] WARNING: Analysis results folder does not contain any behavior log files. #3119

Open ianaflo opened 3 years ago

ianaflo commented 3 years ago
My issue is:

Hello everyone, I have set up Cuckoo on an Ubuntu 20 machine, with a Win7 guest. I submitted a number of malware samples and the analysis is happening (I can see the logs) except for the behaviour analysis part. I get the error mentioned in the title. I have UAC and the firewall disabled on Windows, and the agent is run as administrator, yet I still don't get any behaviour analysis. I also have it enabled in the config file processing.conf: [behavior] enabled = yes

I am new at this; if you need additional info, please let me know kindly :D I read all the things I could find for this issue but nothing seems to solve it.

My Cuckoo version and operating system are:

My Cuckoo version is 2.0.7 and the OS is Ubuntu 20.

The log, error, files etc can be found here:

The log from cuckoo -d:

2020-10-14 08:04:31,506 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine cuckoo1 to Snapshot 1
2020-10-14 08:04:37,119 [cuckoo.core.guest] INFO: Starting analysis #11 on guest (id=cuckoo1, ip=192.168.56.101)
2020-10-14 08:04:38,125 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2020-10-14 08:04:39,128 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2020-10-14 08:04:40,131 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2020-10-14 08:04:41,134 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2020-10-14 08:04:42,137 [cuckoo.core.guest] DEBUG: cuckoo1: not ready yet
2020-10-14 08:04:42,679 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=cuckoo1, ip=192.168.56.101)
2020-10-14 08:04:42,758 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=cuckoo1, ip=192.168.56.101, monitor=latest, size=3884763)
2020-10-14 08:04:44,646 [cuckoo.core.resultserver] DEBUG: Task #11: live log analysis.log initialized.
2020-10-14 08:04:48,478 [cuckoo.core.guest] DEBUG: cuckoo1: analysis #11 still processing
2020-10-14 08:04:53,644 [cuckoo.core.guest] DEBUG: cuckoo1: analysis #11 still processing
2020-10-14 08:04:56,481 [cuckoo.core.resultserver] DEBUG: Task #11: File upload for 'shots/0001.jpg'
2020-10-14 08:04:56,517 [cuckoo.core.resultserver] DEBUG: Task #11 uploaded file length: 126838
2020-10-14 08:04:57,932 [cuckoo.core.resultserver] DEBUG: Task #11: File upload for 'shots/0002.jpg'
2020-10-14 08:04:58,051 [cuckoo.core.resultserver] DEBUG: Task #11 uploaded file length: 137371
2020-10-14 08:04:58,792 [cuckoo.core.guest] DEBUG: cuckoo1: analysis #11 still processing
2020-10-14 08:05:03,835 [cuckoo.core.guest] DEBUG: cuckoo1: analysis #11 still processing
2020-10-14 08:05:08,875 [cuckoo.core.guest] DEBUG: cuckoo1: analysis #11 still processing
2020-10-14 08:05:13,912 [cuckoo.core.guest] DEBUG: cuckoo1: analysis #11 still processing
2020-10-14 08:05:15,619 [cuckoo.core.resultserver] DEBUG: Task #11: File upload for 'shots/0003.jpg'
2020-10-14 08:05:15,670 [cuckoo.core.resultserver] DEBUG: Task #11 uploaded file length: 144865
2020-10-14 08:05:17,939 [cuckoo.core.guest] INFO: cuckoo1: analysis completed successfully
2020-10-14 08:05:17,944 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Replay
2020-10-14 08:05:18,025 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2020-10-14 08:05:25,973 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label cuckoo1 to path /home/nw/.cuckoo/storage/analyses/11/memory.dmp
2020-10-14 08:05:25,974 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm cuckoo1
2020-10-14 08:05:27,251 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.56.101 for task #11
2020-10-14 08:05:27,252 [cuckoo.core.resultserver] DEBUG: Cancel for task 11
2020-10-14 08:05:27,261 [cuckoo.core.scheduler] DEBUG: Released database task #11
2020-10-14 08:05:27,294 [cuckoo.core.plugins] DEBUG: Executed processing module "AnalysisInfo" for task #11
2020-10-14 08:05:27,294 [cuckoo.processing.behavior] WARNING: Analysis results folder does not contain any behavior log files.
2020-10-14 08:05:27,295 [cuckoo.core.plugins] DEBUG: Executed processing module "BehaviorAnalysis" for task #11
2020-10-14 08:05:27,296 [cuckoo.core.plugins] DEBUG: Executed processing module "Dropped" for task #11
2020-10-14 08:05:27,297 [cuckoo.core.plugins] DEBUG: Executed processing module "DroppedBuffer" for task #11
2020-10-14 08:05:29,699 [cuckoo.processing.memory] DEBUG: Executing volatility 'pslist' module.
2020-10-14 08:05:30,032 [cuckoo.processing.memory] DEBUG: Executing volatility 'psxview' module.
2020-10-14 08:05:45,778 [cuckoo.processing.memory] DEBUG: Executing volatility 'callbacks' module.
2020-10-14 08:06:03,426 [cuckoo.processing.memory] DEBUG: Executing volatility 'ssdt' module.
[x64] Gathering all referenced SSDTs from KeAddSystemServiceTable...
Finding appropriate address space for tables...
2020-10-14 08:06:05,772 [cuckoo.processing.memory] DEBUG: Skipping 'timers' volatility module
2020-10-14 08:06:05,773 [cuckoo.processing.memory] DEBUG: Skipping 'messagehooks' volatility module
2020-10-14 08:06:05,775 [cuckoo.processing.memory] DEBUG: Executing volatility 'getsids' module.
2020-10-14 08:06:07,659 [cuckoo.processing.memory] DEBUG: Executing volatility 'privs' module.
2020-10-14 08:06:09,422 [cuckoo.processing.memory] DEBUG: Executing volatility 'malfind' module.
2020-10-14 08:06:14,634 [cuckoo.processing.memory] DEBUG: Skipping 'apihooks' volatility module
2020-10-14 08:06:14,635 [cuckoo.processing.memory] DEBUG: Executing volatility 'dlllist' module.
2020-10-14 08:06:17,130 [cuckoo.processing.memory] DEBUG: Executing volatility 'handles' module.
2020-10-14 08:06:50,864 [cuckoo.processing.memory] DEBUG: Executing volatility 'ldrmodules' module.
2020-10-14 08:07:03,600 [cuckoo.processing.memory] DEBUG: Executing volatility 'mutantscan' module.
2020-10-14 08:07:08,576 [cuckoo.processing.memory] DEBUG: Executing volatility 'devicetree' module.
2020-10-14 08:07:14,019 [cuckoo.processing.memory] DEBUG: Executing volatility 'svcscan' module.
2020-10-14 08:07:15,973 [cuckoo.processing.memory] DEBUG: Executing volatility 'modscan' module.
2020-10-14 08:07:20,789 [cuckoo.processing.memory] DEBUG: Executing volatility 'yarascan' module.
2020-10-14 08:08:05,469 [cuckoo.processing.memory] DEBUG: Executing volatility 'netscan' module.
2020-10-14 08:08:12,434 [cuckoo.core.plugins] DEBUG: Executed processing module "Memory" for task #11
2020-10-14 08:08:12,437 [cuckoo.core.plugins] DEBUG: Executed processing module "MetaInfo" for task #11
2020-10-14 08:08:12,437 [cuckoo.core.plugins] DEBUG: Executed processing module "ProcessMemory" for task #11
2020-10-14 08:08:12,438 [cuckoo.core.plugins] DEBUG: Executed processing module "Procmon" for task #11
2020-10-14 08:08:12,520 [cuckoo.core.plugins] DEBUG: Executed processing module "Screenshots" for task #11
2020-10-14 08:08:12,797 [cuckoo.core.plugins] DEBUG: Executed processing module "Static" for task #11
2020-10-14 08:08:12,831 [cuckoo.core.plugins] DEBUG: Executed processing module "Strings" for task #11
2020-10-14 08:08:12,858 [cuckoo.core.plugins] DEBUG: Executed processing module "TargetInfo" for task #11
2020-10-14 08:08:17,922 [cuckoo.core.plugins] DEBUG: Executed processing module "NetworkAnalysis" for task #11
2020-10-14 08:08:18,428 [cuckoo.core.plugins] DEBUG: Executed processing module "VirusTotal" for task #11
2020-10-14 08:08:18,428 [cuckoo.core.plugins] DEBUG: Executed processing module "Extracted" for task #11
2020-10-14 08:08:18,429 [cuckoo.core.plugins] DEBUG: Executed processing module "TLSMasterSecrets" for task #11
2020-10-14 08:08:18,432 [cuckoo.core.plugins] DEBUG: Executed processing module "Debug" for task #11
2020-10-14 08:08:18,449 [cuckoo.core.plugins] DEBUG: Running 542 signatures
2020-10-14 08:08:18,563 [cuckoo.core.plugins] DEBUG: Analysis matched signature: antivirus_virustotal
2020-10-14 08:08:18,563 [cuckoo.core.plugins] DEBUG: Analysis matched signature: volatility_handles_1
2020-10-14 08:08:18,564 [cuckoo.core.plugins] DEBUG: Analysis matched signature: volatility_ldrmodules_1
2020-10-14 08:08:18,564 [cuckoo.core.plugins] DEBUG: Analysis matched signature: volatility_malfind_2
2020-10-14 08:08:18,564 [cuckoo.core.plugins] DEBUG: Analysis matched signature: volatility_modscan_1
2020-10-14 08:08:18,564 [cuckoo.core.plugins] DEBUG: Analysis matched signature: volatility_svcscan_1
2020-10-14 08:08:18,564 [cuckoo.core.plugins] DEBUG: Analysis matched signature: volatility_svcscan_2
2020-10-14 08:08:18,564 [cuckoo.core.plugins] DEBUG: Analysis matched signature: volatility_svcscan_3
2020-10-14 08:08:18,962 [cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump"
2020-10-14 08:08:19,018 [cuckoo.core.plugins] DEBUG: Executed reporting module "SingleFile"
2020-10-14 08:08:19,467 [cuckoo.core.plugins] DEBUG: Executed reporting module "MongoDB"
2020-10-14 08:08:19,467 [cuckoo.core.scheduler] INFO: Task #11: reports generation completed
2020-10-14 08:08:19,476 [cuckoo.core.scheduler] INFO: Task #11: analysis procedure completed

ianaflo commented 3 years ago

OK, so I found the issue; it wasn't mentioned anywhere in the many tutorials that I followed. I had Python 2.7 64-bit on my Windows guest machine (because everything I set up was 64-bit), and I read in this article: Python 2.7.X 32-bit 37 (Even if it is a 64-bit OS!) Pillow 32-bit 44 (Even if it is a 64-bit OS!)

Also, on the guest VM I had a user called cuckoo that had admin privileges, and I ran agent.py as admin, but that was part of the issue I think. I unlocked the administrator account, logged in to that one and ran agent.py there, and it works better.

This issue can be closed.
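A host-side triage for the symptom in this thread, added here as an example (not Cuckoo's code and not from the poster): it parses `cuckoo -d` output, attributes the task-less behavior warning to the task whose "BehaviorAnalysis" line follows it, and flags tasks where the guest still uploaded files, which points at the guest-side monitor rather than the network. The function names are hypothetical, the task #12 line is constructed, and it assumes processing lines for different tasks are not interleaved.

```python
import re

# Sample lines in the format of the log above; the task #12 line is constructed.
SAMPLE_LOG = """\
2020-10-14 08:04:42,679 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=cuckoo1, ip=192.168.56.101)
2020-10-14 08:04:56,481 [cuckoo.core.resultserver] DEBUG: Task #11: File upload for 'shots/0001.jpg'
2020-10-14 08:05:17,939 [cuckoo.core.guest] INFO: cuckoo1: analysis completed successfully
2020-10-14 08:05:27,294 [cuckoo.processing.behavior] WARNING: Analysis results folder does not contain any behavior log files.
2020-10-14 08:05:27,295 [cuckoo.core.plugins] DEBUG: Executed processing module "BehaviorAnalysis" for task #11
2020-10-14 08:09:40,200 [cuckoo.core.plugins] DEBUG: Executed processing module "BehaviorAnalysis" for task #12
"""

# timestamp, [logger], LEVEL: message
LINE = re.compile(r'^\S+ \S+ \[([\w.]+)\] (\w+): (.*)$')
TASK = re.compile(r'[Tt]ask #(\d+)')
WARNING_TEXT = "does not contain any behavior log files"

def triage(log_text):
    """Return {task_id: {"uploads": n, "behavior_logs": True/False/None}}."""
    tasks = {}
    pending_warning = False  # the warning line carries no task id
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # tool output without a log prefix (e.g. volatility)
        logger, _level, msg = m.groups()
        if logger == "cuckoo.processing.behavior" and WARNING_TEXT in msg:
            pending_warning = True
            continue
        t = TASK.search(msg)
        if not t:
            continue
        info = tasks.setdefault(int(t.group(1)),
                                {"uploads": 0, "behavior_logs": None})
        if "File upload for" in msg:
            info["uploads"] += 1
        if 'processing module "BehaviorAnalysis"' in msg:
            # The warning, if any, was emitted just before this line.
            info["behavior_logs"] = not pending_warning
            pending_warning = False
    return tasks

def guest_reachable_but_unmonitored(tasks):
    """Heuristic: files arrived from the guest, yet no behavior logs."""
    return sorted(t for t, i in tasks.items()
                  if i["uploads"] > 0 and i["behavior_logs"] is False)

if __name__ == "__main__":
    print(guest_reachable_but_unmonitored(triage(SAMPLE_LOG)))
```

For a flagged task, the guest checks from this thread apply: the bitness of the guest's Python 2.7 and Pillow, and the account the agent runs under.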