The package "modules.packages.exe" start function raised an error: Unable to execute the initial process, analysis aborted.

[ajaybabu91]

when i execute calc.exe ERROR: Analysis failed: The package "modules.packages.exe" start function raised an error: Unable to execute the initial process, analysis aborted. 2015-06-09 10:08:38,123 [modules.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label WindowsXP_SP3_Cuckoo1 to path /home/ubuntu/cuckoo/storage/analyses/22/memory.dmp 2015-06-09 10:08:42,192 [modules.processing.behavior] INFO: Analysis results folder does not contain any file or injection was disabled. 2015-06-09 10:08:48,847 [volatility.obj] WARNING: NoneObject as string: Cannot find process session 2015-06-09 10:08:48,847 [volatility.obj] WARNING: NoneObject as string: Cannot find process session [x86] Gathering all referenced SSDTs from KTHREADs... Finding appropriate address space for tables... 2015-06-09 10:09:46,335 [modules.processing.memory] ERROR: Generic error executing volatility Traceback (most recent call last): File "/home/ubuntu/cuckoo/modules/processing/memory.py", line 1047, in run results = vol.run() File "/home/ubuntu/cuckoo/modules/processing/memory.py", line 961, in run results["ssdt"] = vol.ssdt() File "/home/ubuntu/cuckoo/modules/processing/memory.py", line 337, in ssdt mem_end=syscall_mod.DllBase + syscall_mod.SizeOfImage) File "/usr/lib/python2.7/dist-packages/volatility/plugins/malware/apihooks.py", line 739, in check_inline for op in distorm3.Decompose(va, data, distorm3.Decode32Bits): NameError: global name 'distorm3' is not defined 2015-06-09 10:09:46,359 [lib.cuckoo.core.plugins] ERROR: Failed to run the processing module "NetworkAnalysis": Traceback (most recent call last): File "/home/ubuntu/cuckoo/lib/cuckoo/core/plugins.py", line 186, in process data = current.run() File "/home/ubuntu/cuckoo/modules/processing/network.py", line 593, in run sort_pcap(self.pcap_path, sorted_path) File "/home/ubuntu/cuckoo/modules/processing/network.py", line 708, in sort_pcap batch_sort(inc, outpath, output_class=lambda path: SortCap(path, linktype=inc.linktype)) File "/home/ubuntu/cuckoo/modules/processing/network.py", line 635, in batch_sort current_chunk = list(islice(input_iterator,buffer_size)) File "/home/ubuntu/cuckoo/modules/processing/network.py", line 677, in iter self.fd = dpkt.pcap.Reader(open(self.name, "rb")) IOError: [Errno 2] No such file or directory: '/home/ubuntu/cuckoo/storage/analyses/22/dump.pcap' 2015-06-09 10:09:46,968 [lib.cuckoo.common.objects] WARNING: Unable to match Yara signatures: 'error_on_warning' is an invalid keyword argument for this function 2015-06-09 10:09:49,897 [lib.cuckoo.core.scheduler] INFO: Task #22: reports generation completed (path=/home/ubuntu/cuckoo/storage/analyses/22) 2015-06-09 10:09:50,075 [lib.cuckoo.core.scheduler] INFO: Task #22: analysis procedure completed

[jhg]

Hi @ajaybabu91 this is same that #545 and this with monitor branch work better but still raise error.

[jbremer]

There are like 4 distinct errors in this traceback.. how did you get it in the first place?

[jhg]

The because I don't know, I think that because is in other module or don't abort all analysis and report each error. But I had look it: In this case two errors is because don't found 'md5' key but is two errors in modules that is diferrent. Cuckoo and W7 (still with new monitor) has errors, not in all installations, not all times, but has errors.

[ajaybabu91]

hi @jbremer thank you for the reply i resolved some problem . but still struggle with some problem like ERROR: Generic error executing volatility Traceback (most recent call last): File "/home/ubuntu/cuckoo/modules/processing/memory.py", line 1047, in run results = vol.run() File "/home/ubuntu/cuckoo/modules/processing/memory.py", line 961, in run results["ssdt"] = vol.ssdt() File "/home/ubuntu/cuckoo/modules/processing/memory.py", line 337, in ssdt mem_end=syscall_mod.DllBase + syscall_mod.SizeOfImage) File "/usr/lib/python2.7/dist-packages/volatility/plugins/malware/apihooks.py", line 739, in check_inline for op in distorm3.Decompose(va, data, distorm3.Decode32Bits): NameError: global name 'distorm3' is not defined 2015-06-09 10:09:46,359 [lib.cuckoo.core.plugins] ERROR: Failed to run the processing module

[ajaybabu91]

hi @jhg i still have ERROR : Generic error executing volatility ERROR: Generic error executing volatility Traceback (most recent call last): File "/home/ubuntu/cuckoo/modules/processing/memory.py", line 1047, in run results = vol.run() File "/home/ubuntu/cuckoo/modules/processing/memory.py", line 961, in run results["ssdt"] = vol.ssdt() File "/home/ubuntu/cuckoo/modules/processing/memory.py", line 337, in ssdt mem_end=syscall_mod.DllBase + syscall_mod.SizeOfImage) File "/usr/lib/python2.7/dist-packages/volatility/plugins/malware/apihooks.py", line 739, in check_inline for op in distorm3.Decompose(va, data, distorm3.Decode32Bits): NameError: global name 'distorm3' is not defined 2015-06-09 10:09:46,359 [lib.cuckoo.core.plugins] ERROR: Failed to run the processing module

[jhg]

@ajaybabu91 please, I don't show modules.packages.exe in your new traceback, how you resolved this?

[ajaybabu91]

@jhg i'll send a screen shot of the analysis ASAP

[ajaybabu91]

@jhg @jbremer i found these errors.. please help

[jhg]

@ajaybabu91 for NetworkAnalisys see #546 it is fixed. About volatility I'm not sure but see #495 and try check it. And, please, how to resolved error about modules.packages.exe? I interesting it, I has error with modules.packages.exe but not in XP else W7 and if you change some to resolved it I can try that.

[ajaybabu91]

@jhg dont remember how i resolved that even though i have some more errors while executing can you please tell me which installation manuel or guide are you following for cuckoo sandbox installation

[botherder]

Is the error with analysis package occurring with every file? It will raise that same error if for example the binary is corrupted or it is not for the architecture of the VM.

[jhg]

@botherder not is with every file, for example with pafish work but with samples fail and same sample I run in the same machine but manually and sample run fine. In #545 @jbremer try a sample and with monitor branch work fine, but I try same branch and still fail. Binary is well and run and is for 32bits and machine is 32 bits.

[jhg]

@botherder or @jbremer I find error, is UAC, if is active W7 not work (not only in phisical machine, in virtualbox machine neither)

[jbremer]

I'm going to close this issue, because:

• The executable should probably be loaded correctly now, after a whole lot of improvements on that part.
• The volatility didn't work because distorm3 was not installed. I think support for this has already been integrated or otherwise it's pretty much necessary for Volatility anyway, as they rely on it for a lot of plugins.
• The network/pcap race condition issue has been resolved.
• The yara error has been fixed.

Please let us know if you have any more issues when running the latest version of Cuckoo.