Many thanks for having developed this incredible product. As a beginner to malware analysis, I find it very helpful and brilliantly designed.
I'm finding this error in my console. However the cuckoo daemon and other modules are working fine.
2020-11-30 07:45:43,865 [cuckoo.core.plugins] DEBUG: Executed processing module "MetaInfo" for task #600
2020-11-30 07:45:43,917 [cuckoo.core.plugins] ERROR: Failed to run the processing module "ProcessMemory" for task #600:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/plugins.py", line 246, in process
    data = current.run()
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/processing/procmemory.py", line 182, in run
    self.create_idapy(proc)
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/processing/procmemory.py", line 48, in create_idapy
    i.read(region["size"]).encode("base64").replace("\n", ""),
LookupError: unknown encoding: base64
2020-11-30 07:45:43,941 [cuckoo.core.plugins] DEBUG: Executed processing module "Procmon" for task #600
.
.
.
2020-11-30 07:47:35,403 [cuckoo.processing.memory] DEBUG: Executing volatility 'modscan' module.
2020-11-30 07:47:48,640 [cuckoo.core.scheduler] ERROR: Failure in AnalysisManager.run
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/scheduler.py", line 766, in run
    self.process_results()
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/scheduler.py", line 707, in process_results
    RunSignatures(results=results).run()
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/plugins.py", line 554, in run
    self.process_yara_matches()
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/plugins.py", line 521, in process_yara_matches
    loop_yara("dropped", dropped["path"], dropped["yara"])
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/plugins.py", line 498, in loop_yara
    match = YaraMatch(match, category)
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/common/objects.py", line 449, in __init__
    self._strings.append(s.decode("base64"))
LookupError: unknown encoding: base64
2020-11-30 07:47:51,696 [cuckoo.processing.memory] DEBUG: Executing volatility 'modscan' module.
I have set up cuckoo 2.0.7 on Ubuntu 18.04 LTS and am using Oracle VirtualBox. My guest VM has Windows 7 64-bit with 4GB primary memory. The analysis information is stored on the host in MongoDB.
Due to a secondary memory limitation, I had configured the memory dump to be deleted once the analysis is completed.
I have been submitting multiple analyses by submitting a folder as a whole to the submit API. According to my limited understanding, the analysis process is not sequential, and it is not like one sample is analyzed, files uploaded to the host and then the report prepared before moving on to the next sample.
After submitting some 300 samples together, some 3 days into the process, during a power failure my system was turned off and the cuckoo daemon was interrupted midway. But on restarting, the process resumed from where it left off and has been running perfectly, fetching files from the queue.
Now this error creeps in, and I think it is because the memory dump is missing. I am not certain about the cuckoo workflow. Pardon me if I am technically wrong about the whole concept.
Is there a workaround to prevent deletion of the memory dump until the report is generated? Or should I be resubmitting the samples with this process utility? Should I disable deleting the memory dump to prevent this error? Or is this error due to some other issue completely unrelated to the memory dump?
Suggestions of any in-depth technical article about the working of cuckoo are also deeply appreciated.
Thanks