cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

WebUI issue #810

Closed yujiaxinlong closed 7 years ago

yujiaxinlong commented 8 years ago

met trouble when visiting page of analyzed file in webUI

I saw a similar problem in #736. I also met [modules.processing.network] ERROR: Failed to process packet: 'type' Traceback (most recent call last): and https://github.com/cuckoosandbox/cuckoo/commit/ff06882db68058797aebcb7d3f24d01e8b24f48f fixed it, but not the webUI problem. Error message:

Error during template rendering

In template /home/yu/cuckoo/web/templates/analysis/network/_dns.html, error at line 14 Reverse for 'analysis.views.moloch' with arguments '()' and keyword arguments '{u'host': u'yujia-VirtualBox [08:00:27:5a:13:07]._workstation._tcp.local'}' not found. 1 pattern(s) tried: ['analysis/moloch/(?P<ip>[\\d\\.]+)?/(?P<host>[a-zA-Z0-9-\\.]+)?/(?P<src_ip>[a-zA-Z0-9\\.]+)?/(?P<src_port>\\d+|None)?/(?P<dst_ip>[a-zA-Z0-9\\.]+)?/(?P<dst_port>\\d+|None)?/(?P<sid>\\d+)?']

doomedraven commented 7 years ago

No idea, I don't use vbox.

ramirez3805 commented 7 years ago

Oops, my fault, was running as root by mistake. Thanks.

ramirez3805 commented 7 years ago

Well, the windows part works. So at the least we know the issue is related to Ubuntu. BTW, is there a post on understanding the results?

doomedraven commented 7 years ago

Did you solve it? I just downloaded Ubuntu 16.04.1 x32 and created a VM, installed the agent and everything works just fine. Now working on the stap part.

ramirez3805 commented 7 years ago

What's the stap part, that's incredible. Mine should be x64 bit, but I can try a 32 bit on Tuesday. Not sure what the heck can be wrong.


doomedraven commented 7 years ago

inside of vm

sudo apt-get install systemtap
sudo apt-get install gcc
sudo apt-get install linux-headers-$(uname -r)
wget https://raw.githubusercontent.com/cuckoosandbox/cuckoo/master/data/strace.stp
sudo stap -r $(uname -r) strace.stp -m stap_ -vvv
# wait until you start seeing "staprun:main:x modpath=....."
# it will drop stap_.ko in the same folder
# place it in /root/.cuckoo/
# IMPORTANT
# filename should start with stap_ and end with .ko

doomedraven commented 7 years ago

I have it working with behavior and everything now :)

MrAdz350 commented 7 years ago

I've had no joy getting the STAP module to work on various distros (CentOS7, FC23, Ubuntu 14 LTS).

I followed your instructions and set up a fresh Ubuntu 16.04 x86 install and ran the commands above, but during the STAP module compilation the stap command hangs at "Pass 5: starting run" and I don't see the "staprun:main:x" you mention. I do however get what looks like a valid KO file, but when running samples through the VM, the LKM pulled back is empty, so I am guessing something is not working as expected.

Did you do any additional config on the Ubuntu setup?

doomedraven commented 7 years ago

Try executing $(uname -r) and replacing it with the output. In one of the VMs I got an error and passed the output by hand. Also try staprun -v ./stap_cuckoo.ko to see if it is correct or not.

The LKM is not solved yet, but with this you will be able to get behavior.

doomedraven commented 7 years ago

About that: modprobe it with -vvv, not -v, my fail. But try staprun.

MrAdz350 commented 7 years ago

OK, the addition of -vvv showed that the module was compiling OK. Bizarrely, I can compile using the same CLI arguments and get a resulting KO file with a different size/checksum.

Having tried your suggestion of manually entering the output of "uname -r", it appears the STAP file is now generating, but there is an error in the Cuckoo debug logs as per the below:

2017-01-03 10:32:09,116 [lib.cuckoo.core.scheduler] INFO: File already exists at "/opt/cuckoo-virtual/storage/binaries/e08910543e9be6e2f415f4bc61fcb5e6e54b87b1b5fe982959116a7aced8e2ca"
2017-01-03 10:32:09,183 [lib.cuckoo.core.scheduler] INFO: Task #833: acquired machine Linux-1 (label=Ubuntu 16.04 (x86))
2017-01-03 10:32:09,203 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 28407 (interface=vboxnet0, host=192.168.56.111, pcap=/opt/cuckoo-virtual/storage/analyses/833/dump.pcap)
2017-01-03 10:32:09,204 [lib.cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2017-01-03 10:32:09,254 [modules.machinery.virtualbox] DEBUG: Starting vm Ubuntu 16.04 (x86)
2017-01-03 10:32:09,255 [modules.machinery.virtualbox] DEBUG: Getting status for Ubuntu 16.04 (x86)
2017-01-03 10:32:09,597 [modules.machinery.virtualbox] DEBUG: Machine Ubuntu 16.04 (x86) status saved
2017-01-03 10:32:09,669 [modules.machinery.virtualbox] DEBUG: Using snapshot BASELINE2 for virtual machine Ubuntu 16.04 (x86)
2017-01-03 10:32:09,847 [modules.machinery.virtualbox] DEBUG: Getting status for Ubuntu 16.04 (x86)
2017-01-03 10:32:10,192 [modules.machinery.virtualbox] DEBUG: Machine Ubuntu 16.04 (x86) status saved
2017-01-03 10:32:15,925 [modules.machinery.virtualbox] DEBUG: Getting status for Ubuntu 16.04 (x86)
2017-01-03 10:32:16,330 [modules.machinery.virtualbox] DEBUG: Machine Ubuntu 16.04 (x86) status running
2017-01-03 10:32:16,396 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=Linux-1, ip=192.168.56.111)
2017-01-03 10:32:17,409 [lib.cuckoo.core.guest] DEBUG: Linux-1: not ready yet
2017-01-03 10:32:18,417 [lib.cuckoo.core.guest] DEBUG: Linux-1: not ready yet
2017-01-03 10:32:19,413 [lib.cuckoo.core.guest] DEBUG: Linux-1: not ready yet
2017-01-03 10:32:21,423 [lib.cuckoo.core.guest] DEBUG: Linux-1: not ready yet
2017-01-03 10:32:22,432 [lib.cuckoo.core.guest] DEBUG: Linux-1: not ready yet
2017-01-03 10:32:23,429 [lib.cuckoo.core.guest] DEBUG: Linux-1: not ready yet
2017-01-03 10:32:24,502 [lib.cuckoo.core.guest] DEBUG: Linux-1: waiting for status 0x0001
2017-01-03 10:32:24,539 [lib.cuckoo.core.guest] DEBUG: Linux-1: status ready
2017-01-03 10:32:24,728 [lib.cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=Linux-1, ip=192.168.56.111, monitor=latest, size=35210)
2017-01-03 10:32:25,410 [lib.cuckoo.core.guest] DEBUG: Linux-1: analyzer started with PID 5076
2017-01-03 10:32:25,448 [lib.cuckoo.core.guest] DEBUG: Linux-1: waiting for completion
2017-01-03 10:32:26,249 [lib.cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized.
2017-01-03 10:32:26,466 [lib.cuckoo.core.guest] DEBUG: Linux-1: analysis not completed yet (status=2)
2017-01-03 10:32:27,486 [lib.cuckoo.core.guest] DEBUG: Linux-1: analysis not completed yet (status=2)
2017-01-03 10:32:28,503 [lib.cuckoo.core.guest] DEBUG: Linux-1: analysis not completed yet (status=2)
2017-01-03 10:32:29,526 [lib.cuckoo.core.guest] DEBUG: Linux-1: analysis not completed yet (status=2)
2017-01-03 10:32:30,543 [lib.cuckoo.core.guest] DEBUG: Linux-1: analysis not completed yet (status=2)
2017-01-03 10:32:31,561 [lib.cuckoo.core.guest] DEBUG: Linux-1: analysis not completed yet (status=2)
2017-01-03 10:32:32,578 [lib.cuckoo.core.guest] DEBUG: Linux-1: analysis not completed yet (status=2)
2017-01-03 10:32:33,595 [lib.cuckoo.core.guest] DEBUG: Linux-1: analysis not completed yet (status=2)
2017-01-03 10:32:34,616 [lib.cuckoo.core.guest] DEBUG: Linux-1: analysis not completed yet (status=2)
2017-01-03 10:32:35,637 [lib.cuckoo.core.guest] DEBUG: Linux-1: analysis not completed yet (status=2)
2017-01-03 10:32:36,659 [lib.cuckoo.core.guest] DEBUG: Linux-1: analysis not completed yet (status=2)
2017-01-03 10:32:37,678 [lib.cuckoo.core.guest] DEBUG: Linux-1: analysis not completed yet (status=2)
2017-01-03 10:32:38,621 [lib.cuckoo.core.resultserver] DEBUG: File upload request for logs/all.stap
2017-01-03 10:32:38,691 [lib.cuckoo.core.resultserver] DEBUG: Uploaded file length: 7531
2017-01-03 10:32:38,701 [lib.cuckoo.core.guest] DEBUG: Linux-1: analysis not completed yet (status=2)
2017-01-03 10:32:38,709 [lib.cuckoo.core.resultserver] DEBUG: File upload request for logs/all.lkm
2017-01-03 10:32:39,730 [lib.cuckoo.core.guest] INFO: Linux-1: analysis completed successfully
2017-01-03 10:32:39,773 [lib.cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2017-01-03 10:32:39,775 [modules.machinery.virtualbox] DEBUG: Stopping vm Ubuntu 16.04 (x86)
2017-01-03 10:32:39,775 [modules.machinery.virtualbox] DEBUG: Getting status for Ubuntu 16.04 (x86)
2017-01-03 10:32:40,116 [modules.machinery.virtualbox] DEBUG: Machine Ubuntu 16.04 (x86) status running
2017-01-03 10:32:41,148 [modules.machinery.virtualbox] DEBUG: Getting status for Ubuntu 16.04 (x86)
2017-01-03 10:32:41,482 [modules.machinery.virtualbox] DEBUG: Machine Ubuntu 16.04 (x86) status poweroff
2017-01-03 10:32:41,758 [lib.cuckoo.core.scheduler] DEBUG: Released database task #833
2017-01-03 10:32:41,911 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "AnalysisInfo" on analysis at "/opt/cuckoo-virtual/storage/analyses/833"
2017-01-03 10:32:41,913 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "MetaInfo" on analysis at "/opt/cuckoo-virtual/storage/analyses/833"
2017-01-03 10:32:41,922 [lib.cuckoo.core.plugins] ERROR: Failed to run the processing module "BehaviorAnalysis" for task #833:
Traceback (most recent call last):
  File "/opt/cuckoo-virtual/lib/cuckoo/core/plugins.py", line 242, in process
    data = current.run()
  File "/opt/cuckoo-virtual/modules/processing/behavior.py", line 307, in run
    res = hhandler(event)
  File "/opt/cuckoo-virtual/modules/processing/behavior.py", line 132, in handle_process_event
    "process_path": process["process_path"],
KeyError: 'process_path'
2017-01-03 10:32:41,929 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "DroppedBuffer" on analysis at "/opt/cuckoo-virtual/storage/analyses/833"
2017-01-03 10:32:41,938 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Debug" on analysis at "/opt/cuckoo-virtual/storage/analyses/833"
2017-01-03 10:32:41,939 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Dropped" on analysis at "/opt/cuckoo-virtual/storage/analyses/833"
2017-01-03 10:32:41,940 [modules.processing.memory] ERROR: Memory dump not found: to run volatility you have to enable memory_dump
2017-01-03 10:32:41,941 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Memory" on analysis at "/opt/cuckoo-virtual/storage/analyses/833"
2017-01-03 10:32:41,942 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "ProcessMemory" on analysis at "/opt/cuckoo-virtual/storage/analyses/833"
2017-01-03 10:32:41,943 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Procmon" on analysis at "/opt/cuckoo-virtual/storage/analyses/833"
2017-01-03 10:32:41,944 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Screenshots" on analysis at "/opt/cuckoo-virtual/storage/analyses/833"
2017-01-03 10:32:41,968 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Static" on analysis at "/opt/cuckoo-virtual/storage/analyses/833"
2017-01-03 10:32:42,168 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Strings" on analysis at "/opt/cuckoo-virtual/storage/analyses/833"
2017-01-03 10:32:42,272 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "TargetInfo" on analysis at "/opt/cuckoo-virtual/storage/analyses/833"
2017-01-03 10:32:42,273 [modules.processing.baseline] INFO: Could not find a baseline report for machine 'Linux-1', skipping it.
2017-01-03 10:32:42,274 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Baseline" on analysis at "/opt/cuckoo-virtual/storage/analyses/833"
2017-01-03 10:32:42,281 [modules.processing.network] DEBUG: Whitelisting Disabled.
2017-01-03 10:32:42,285 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "NetworkAnalysis" on analysis at "/opt/cuckoo-virtual/storage/analyses/833"
2017-01-03 10:32:42,286 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "TLSMasterSecrets" on analysis at "/opt/cuckoo-virtual/storage/analyses/833"
2017-01-03 10:32:42,349 [lib.cuckoo.core.plugins] DEBUG: Running 418 signatures
2017-01-03 10:32:42,695 [lib.cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump"
2017-01-03 10:32:42,695 [lib.cuckoo.core.plugins] DEBUG: Reporting module mattermost not found in configuration file

doomedraven commented 7 years ago

Yah, ["process_path"], KeyError: 'process_path' 2017-01-03 10:32:41,929

is what I told @jbremer in PM.

To make behavior work I needed to patch
vim /opt/cuckoov2/modules/processing/behavior.py
line 131

and change it to
"process_path": process.get("process_path", None),

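
The failure mode above, as an added example that is not Cuckoo's own code: a minimal stand-in for the handle_process_event() step of behavior.py, shown both as the strict version that raises KeyError and as the patched version using process.get(). The event dicts are constructed sample input, and every field name other than "process_path" is assumed rather than taken from Cuckoo.

```python
# Added example, not code from the Cuckoo project. It mimics the
# handle_process_event() step of modules/processing/behavior.py to show why
# a Linux (SystemTap) run aborts the whole BehaviorAnalysis module with
# KeyError: 'process_path', and why the process.get(...) patch avoids it.
# Field names other than "process_path" are assumptions for this example.

def handle_process_event_strict(process):
    """Before the patch: assumes every process event carries process_path."""
    return {
        "pid": process["pid"],
        "ppid": process["ppid"],
        "process_name": process["process_name"],
        "process_path": process["process_path"],  # KeyError for stap events
    }


def handle_process_event_patched(process):
    """After the patch: a missing process_path becomes None instead of
    aborting the processing module."""
    return {
        "pid": process["pid"],
        "ppid": process["ppid"],
        "process_name": process["process_name"],
        "process_path": process.get("process_path", None),
    }


# Constructed events: the first resembles a Windows monitor event (it has a
# path); the second resembles what a SystemTap-based Linux guest reports,
# where no process_path field is present.
SAMPLE_EVENTS = [
    {"pid": 1234, "ppid": 1000, "process_name": "sample.exe",
     "process_path": "C:\\Users\\user\\sample.exe"},
    {"pid": 5076, "ppid": 1, "process_name": "sample"},
]


def run_behavior(events, handler):
    """Mimic the BehaviorAnalysis loop: one bad event aborts the whole run
    (as in the log above), so return (processes, error) to make that visible."""
    processes = []
    try:
        for event in events:
            processes.append(handler(event))
    except KeyError as exc:
        return processes, "KeyError: %s" % exc
    return processes, None


def pids_without_path(processes):
    """Flag processes whose path is unknown, so an analyst can tell an
    incomplete Linux process tree apart from a complete Windows one."""
    return [p["pid"] for p in processes if p["process_path"] is None]


if __name__ == "__main__":
    print(run_behavior(SAMPLE_EVENTS, handle_process_event_strict))
    procs, err = run_behavior(SAMPLE_EVENTS, handle_process_event_patched)
    print(err, pids_without_path(procs))
```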
doomedraven commented 7 years ago

I will push a PR to fix it.

doomedraven commented 7 years ago

https://github.com/cuckoosandbox/cuckoo/pull/1230

I am going to add documentation about that stap, and will do it with x64 to test it, to see if that also works fine.

MrAdz350 commented 7 years ago

Yeah some documentation and experimentation with distros known to support this would be awesome.

Your PR doesn't seem to solve the error for me, but I can live with exporting the stap.log if needed for now until the final fix is merged in.

doomedraven commented 7 years ago

Now it is fixed: https://github.com/cuckoosandbox/cuckoo/pull/1230/files#diff-538e3edaa84288051c2010e4fd1af4dc

doomedraven commented 7 years ago

A bit better documentation about all this: https://github.com/cuckoosandbox/cuckoo/pull/1231/files

doomedraven commented 7 years ago

@ramirez3805 it works just fine here on x64

ramirez3805 commented 7 years ago

Guys, you know I'm a little behind with knowledge on these things, so a bit of patience with me, but when I ran the command, I got

semantic error: while resolving probe point: identifier 'kprobe' at :1416:32
        source: probe nd_syscall.fork.return = kprobe.function("do_fork").return
                                               ^

focused on module '/home/mario/.systemtap/cache/ad/typequery_ada96bd8e307331237aaa5f2d3361116_651.ko' = [0x10000-0x102c0, bias 0 file /home/mario/.systemtap/cache/ad/typequery_ada96bd8e307331237aaa5f2d3361116_651.ko ELF machine i?86|x86_64 (code 3)
focused on module '/home/mario/.systemtap/cache/ad/typequery_ada96bd8e307331237aaa5f2d3361116_651.ko'
literal_stmt_for_pointer: finding value for struct task_struct (/tmp/stapu69MLC/typequery_kmod_1/typequery_kmod_1.c)
Pass 2: using cached /home/mario/.systemtap/cache/ad/typequery_ada96bd8e307331237aaa5f2d3361116_651.ko
focused on module '/home/mario/.systemtap/cache/ad/typequery_ada96bd8e307331237aaa5f2d3361116_651.ko' = [0x10000-0x102c0, bias 0 file /home/mario/.systemtap/cache/ad/typequery_ada96bd8e307331237aaa5f2d3361116_651.ko ELF machine i?86|x86_64 (code 3)
focused on module '/home/mario/.systemtap/cache/ad/typequery_ada96bd8e307331237aaa5f2d3361116_651.ko'
literal_stmt_for_pointer: finding value for struct thread_info (/tmp/stapu69MLC/typequery_kmod_1/typequery_kmod_1.c)
Pass 2: analyzed script: 641 probe(s), 284 function(s), 28 embed(s), 33 global(s) using 30424virt/24312res/6480shr/18308data kb, in 40usr/130sys/335real ms.
Pass 2: analysis failed.  [man error::pass2]
Tip: /usr/share/doc/systemtap/README.Debian should help you get started.
Running rm -rf /tmp/stapISnv2e
Spawn waitpid result (0x0): 0
Removed temporary directory "/tmp/stapISnv2e"
```
doomedraven commented 7 years ago

Can you provide the exact version of the OS, arch etc.? I see Debian; I suppose from the previous comment it is Ubuntu 16.04 x64?

How did you execute the command? I need more data to get a better idea of what could be wrong.

ramirez3805 commented 7 years ago

Sorry, this is my info. The 16.04 is the host.

Description:    Ubuntu 14.04.5 LTS
Release:    14.04
Codename:   trusty

Running on kernel 4.4.0-53-generic

doomedraven commented 7 years ago

I have not tested it on 14.04. Do you have a specific dependency on 14.04, or could you switch to 16.04, as it is more modern and also LTS? That way I know whether I need to dig into the 14.04 problem or can save a bit of time :)

ramirez3805 commented 7 years ago

I preferred to use 14.04, but I won't complain and will go along with 16.04. I will clone this one either way and try just doing an upgrade to 16, and then you want me to run those commands? Is that the process?

doomedraven commented 7 years ago

Yes, or download a fresh ISO and install it; in my experience that is much faster than upgrading. Just install/upgrade, check the dependencies, try to compile stap and check if the agent is running, that's all :)

ramirez3805 commented 7 years ago

Will test and let you know. Thanks!

doomedraven commented 7 years ago

great :) you are welcome

ramirez3805 commented 7 years ago

This is the error I am getting now. I placed the file in the .cuckoo directory; I had to create it though, it was not there. I am also pretty sure I did not have to leave that running, correct?

```
2017-01-05 15:49:23,212 [root] DEBUG: Imported "signatures" modules:
2017-01-05 15:49:23,212 [root] DEBUG:    |-- CreatesExe
2017-01-05 15:49:23,213 [root] DEBUG:    `-- SystemMetrics
2017-01-05 15:49:23,213 [root] DEBUG: Imported "processing" modules:
2017-01-05 15:49:23,213 [root] DEBUG:    |-- AnalysisInfo
2017-01-05 15:49:23,213 [root] DEBUG:    |-- MetaInfo
2017-01-05 15:49:23,213 [root] DEBUG:    |-- ApkInfo
2017-01-05 15:49:23,213 [root] DEBUG:    |-- Baseline
2017-01-05 15:49:23,213 [root] DEBUG:    |-- BehaviorAnalysis
2017-01-05 15:49:23,214 [root] DEBUG:    |-- DroppedBuffer
2017-01-05 15:49:23,214 [root] DEBUG:    |-- Debug
2017-01-05 15:49:23,214 [root] DEBUG:    |-- Droidmon
2017-01-05 15:49:23,214 [root] DEBUG:    |-- Dropped
2017-01-05 15:49:23,214 [root] DEBUG:    |-- TLSMasterSecrets
2017-01-05 15:49:23,214 [root] DEBUG:    |-- GooglePlay
2017-01-05 15:49:23,214 [root] DEBUG:    |-- Irma
2017-01-05 15:49:23,215 [root] DEBUG:    |-- Memory
2017-01-05 15:49:23,215 [root] DEBUG:    |-- MISP
2017-01-05 15:49:23,215 [root] DEBUG:    |-- NetworkAnalysis
2017-01-05 15:49:23,215 [root] DEBUG:    |-- ProcessMemory
2017-01-05 15:49:23,215 [root] DEBUG:    |-- Procmon
2017-01-05 15:49:23,215 [root] DEBUG:    |-- Screenshots
2017-01-05 15:49:23,215 [root] DEBUG:    |-- Snort
2017-01-05 15:49:23,215 [root] DEBUG:    |-- Static
2017-01-05 15:49:23,216 [root] DEBUG:    |-- Strings
2017-01-05 15:49:23,216 [root] DEBUG:    |-- Suricata
2017-01-05 15:49:23,216 [root] DEBUG:    |-- TargetInfo
2017-01-05 15:49:23,216 [root] DEBUG:    `-- VirusTotal
2017-01-05 15:49:23,216 [root] DEBUG: Imported "auxiliary" modules:
2017-01-05 15:49:23,216 [root] DEBUG:    |-- MITM
2017-01-05 15:49:23,216 [root] DEBUG:    |-- Reboot
2017-01-05 15:49:23,216 [root] DEBUG:    |-- Services
2017-01-05 15:49:23,217 [root] DEBUG:    `-- Sniffer
2017-01-05 15:49:23,217 [root] DEBUG: Imported "reporting" modules:
2017-01-05 15:49:23,217 [root] DEBUG:    |-- ElasticSearch
2017-01-05 15:49:23,217 [root] DEBUG:    |-- JsonDump
2017-01-05 15:49:23,217 [root] DEBUG:    |-- Mattermost
2017-01-05 15:49:23,217 [root] DEBUG:    |-- Moloch
2017-01-05 15:49:23,217 [root] DEBUG:    |-- MongoDB
2017-01-05 15:49:23,217 [root] DEBUG:    |-- Notification
2017-01-05 15:49:23,218 [root] DEBUG:    `-- ReportHTML
2017-01-05 15:49:23,218 [root] DEBUG: Imported "machinery" modules:
2017-01-05 15:49:23,218 [root] DEBUG:    `-- VirtualBox
2017-01-05 15:49:23,219 [root] DEBUG: Checking for locked tasks..
2017-01-05 15:49:23,232 [root] DEBUG: Checking for pending service tasks..
2017-01-05 15:49:23,240 [root] DEBUG: Initializing Yara...
2017-01-05 15:49:23,241 [root] DEBUG:    |-- index_binaries.yar
2017-01-05 15:49:23,241 [root] DEBUG:    `-- index_memory.yar
2017-01-05 15:49:23,246 [lib.cuckoo.core.resultserver] DEBUG: ResultServer running on 192.168.56.1:2042.
2017-01-05 15:49:23,247 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" as machine manager
2017-01-05 15:49:23,535 [modules.machinery.virtualbox] DEBUG: Getting status for Ubuntu14upgrade
2017-01-05 15:49:23,633 [modules.machinery.virtualbox] DEBUG: Machine Ubuntu14upgrade status poweroff
2017-01-05 15:49:23,715 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2017-01-05 15:49:23,729 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
2017-01-05 15:49:24,838 [lib.cuckoo.core.scheduler] DEBUG: Processing task #51
2017-01-05 15:49:24,848 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE "519e571b220e3a844e5e629dd3e5664f03d488e0781fc1d124378d9b3a417fda" (task #51, options "")
2017-01-05 15:49:24,871 [lib.cuckoo.core.scheduler] INFO: File already exists at "/home/mario/cuckoo/storage/binaries/519e571b220e3a844e5e629dd3e5664f03d488e0781fc1d124378d9b3a417fda"
2017-01-05 15:49:24,933 [lib.cuckoo.core.scheduler] INFO: Task #51: acquired machine Ubuntu14upgrade (label=Ubuntu14upgrade)
2017-01-05 15:49:24,945 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 19659 (interface=vboxnet0, host=192.168.56.101, pcap=/home/mario/cuckoo/storage/analyses/51/dump.pcap)
2017-01-05 15:49:24,945 [lib.cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2017-01-05 15:49:25,034 [modules.machinery.virtualbox] DEBUG: Starting vm Ubuntu14upgrade
2017-01-05 15:49:25,034 [modules.machinery.virtualbox] DEBUG: Getting status for Ubuntu14upgrade
2017-01-05 15:49:25,133 [modules.machinery.virtualbox] DEBUG: Machine Ubuntu14upgrade status poweroff
2017-01-05 15:49:25,234 [modules.machinery.virtualbox] DEBUG: Using current snapshot for virtual machine Ubuntu14upgrade
2017-01-05 15:49:25,673 [modules.machinery.virtualbox] DEBUG: Getting status for Ubuntu14upgrade
2017-01-05 15:49:25,754 [modules.machinery.virtualbox] DEBUG: Machine Ubuntu14upgrade status saved
2017-01-05 15:49:30,131 [modules.machinery.virtualbox] DEBUG: Getting status for Ubuntu14upgrade
2017-01-05 15:49:30,207 [modules.machinery.virtualbox] DEBUG: Machine Ubuntu14upgrade status running
2017-01-05 15:49:30,435 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=Ubuntu14upgrade, ip=192.168.56.101)
2017-01-05 15:49:31,442 [lib.cuckoo.core.guest] DEBUG: Ubuntu14upgrade: not ready yet
2017-01-05 15:49:32,449 [lib.cuckoo.core.guest] DEBUG: Ubuntu14upgrade: not ready yet
2017-01-05 15:49:33,463 [lib.cuckoo.core.guest] DEBUG: Ubuntu14upgrade: waiting for status 0x0001
2017-01-05 15:49:33,471 [lib.cuckoo.core.guest] DEBUG: Ubuntu14upgrade: status ready
2017-01-05 15:49:33,474 [lib.cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=Ubuntu14upgrade, ip=192.168.56.101, monitor=latest, size=35210)
2017-01-05 15:49:33,497 [lib.cuckoo.core.guest] DEBUG: Ubuntu14upgrade: analyzer started with PID 1995
2017-01-05 15:49:33,549 [lib.cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized.
2017-01-05 15:49:33,590 [lib.cuckoo.core.guest] DEBUG: Ubuntu14upgrade: waiting for completion
2017-01-05 15:49:34,596 [lib.cuckoo.core.guest] DEBUG: Ubuntu14upgrade: analysis not completed yet (status=2)
2017-01-05 15:49:35,604 [lib.cuckoo.core.guest] DEBUG: Ubuntu14upgrade: analysis not completed yet (status=2)
2017-01-05 15:49:36,609 [lib.cuckoo.core.guest] DEBUG: Ubuntu14upgrade: analysis not completed yet (status=2)
2017-01-05 15:49:37,618 [lib.cuckoo.core.guest] DEBUG: Ubuntu14upgrade: analysis not completed yet (status=2)
2017-01-05 15:49:38,627 [lib.cuckoo.core.guest] DEBUG: Ubuntu14upgrade: analysis not completed yet (status=2)
2017-01-05 15:49:39,638 [lib.cuckoo.core.guest] DEBUG: Ubuntu14upgrade: analysis not completed yet (status=2)
2017-01-05 15:49:40,647 [lib.cuckoo.core.guest] DEBUG: Ubuntu14upgrade: analysis not completed yet (status=2)
2017-01-05 15:49:41,656 [lib.cuckoo.core.guest] DEBUG: Ubuntu14upgrade: analysis not completed yet (status=2)
2017-01-05 15:49:42,664 [lib.cuckoo.core.guest] DEBUG: Ubuntu14upgrade: analysis not completed yet (status=2)
2017-01-05 15:49:43,671 [lib.cuckoo.core.guest] DEBUG: Ubuntu14upgrade: analysis not completed yet (status=2)
2017-01-05 15:49:44,678 [lib.cuckoo.core.guest] DEBUG: Ubuntu14upgrade: analysis not completed yet (status=2)
2017-01-05 15:49:45,641 [lib.cuckoo.core.resultserver] DEBUG: File upload request for logs/all.stap
2017-01-05 15:49:45,648 [lib.cuckoo.core.resultserver] DEBUG: Uploaded file length: 8334
2017-01-05 15:49:45,649 [lib.cuckoo.core.resultserver] DEBUG: File upload request for logs/all.lkm
2017-01-05 15:49:45,686 [lib.cuckoo.core.guest] INFO: Ubuntu14upgrade: analysis completed successfully
2017-01-05 15:49:45,798 [lib.cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2017-01-05 15:49:45,799 [modules.machinery.virtualbox] DEBUG: Stopping vm Ubuntu14upgrade
2017-01-05 15:49:45,799 [modules.machinery.virtualbox] DEBUG: Getting status for Ubuntu14upgrade
2017-01-05 15:49:45,910 [modules.machinery.virtualbox] DEBUG: Machine Ubuntu14upgrade status running
2017-01-05 15:49:46,980 [modules.machinery.virtualbox] DEBUG: Getting status for Ubuntu14upgrade
2017-01-05 15:49:47,085 [modules.machinery.virtualbox] DEBUG: Machine Ubuntu14upgrade status poweroff
2017-01-05 15:49:47,814 [lib.cuckoo.core.scheduler] DEBUG: Released database task #51
2017-01-05 15:49:47,836 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "AnalysisInfo" on analysis at "/home/mario/cuckoo/storage/analyses/51"
2017-01-05 15:49:47,837 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "MetaInfo" on analysis at "/home/mario/cuckoo/storage/analyses/51"
2017-01-05 15:49:47,839 [lib.cuckoo.core.plugins] ERROR: Failed to run the processing module "BehaviorAnalysis" for task #51:
Traceback (most recent call last):
  File "/home/mario/cuckoo/lib/cuckoo/core/plugins.py", line 242, in process
    data = current.run()
  File "/home/mario/cuckoo/modules/processing/behavior.py", line 307, in run
    res = hhandler(event)
  File "/home/mario/cuckoo/modules/processing/behavior.py", line 132, in handle_process_event
    "process_path": process["process_path"],
KeyError: 'process_path'
2017-01-05 15:49:47,840 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "DroppedBuffer" on analysis at "/home/mario/cuckoo/storage/analyses/51"
2017-01-05 15:49:47,842 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Debug" on analysis at "/home/mario/cuckoo/storage/analyses/51"
2017-01-05 15:49:47,843 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Dropped" on analysis at "/home/mario/cuckoo/storage/analyses/51"
2017-01-05 15:49:47,843 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "ProcessMemory" on analysis at "/home/mario/cuckoo/storage/analyses/51"
2017-01-05 15:49:47,843 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Procmon" on analysis at "/home/mario/cuckoo/storage/analyses/51"
2017-01-05 15:49:47,856 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Static" on analysis at "/home/mario/cuckoo/storage/analyses/51"
2017-01-05 15:49:47,858 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Strings" on analysis at "/home/mario/cuckoo/storage/analyses/51"
2017-01-05 15:49:47,861 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "TargetInfo" on analysis at "/home/mario/cuckoo/storage/analyses/51"
2017-01-05 15:49:47,867 [modules.processing.network] DEBUG: Whitelisting Disabled.
2017-01-05 15:49:52,885 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "NetworkAnalysis" on analysis at "/home/mario/cuckoo/storage/analyses/51"
2017-01-05 15:49:52,886 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "TLSMasterSecrets" on analysis at "/home/mario/cuckoo/storage/analyses/51"
2017-01-05 15:49:52,886 [lib.cuckoo.core.plugins] DEBUG: Running 0 signatures
2017-01-05 15:49:52,894 [lib.cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump"
2017-01-05 15:49:52,907 [lib.cuckoo.core.plugins] DEBUG: Executed reporting module "MongoDB"
2017-01-05 15:49:52,908 [lib.cuckoo.core.scheduler] INFO: Task #51: reports generation completed (path=/home/mario/cuckoo/storage/analyses/51)
2017-01-05 15:49:53,028 [lib.cuckoo.core.scheduler] INFO: Task #51: analysis procedure completed
```
doomedraven commented 7 years ago

That error is answered in one of the previous comments, but the fix is already merged, so just update Cuckoo and try again :)

doomedraven commented 7 years ago

Yes, you don't need to leave it running, and it should be in /root/.cuckoo

ramirez3805 commented 7 years ago

Don't kill me lol, but how exactly do I update Cuckoo? The migration detailed here? http://docs.cuckoosandbox.org/en/latest/installation/upgrade/ Or should I do the git from earlier?

doomedraven commented 7 years ago

hehe no problem :)

Open a terminal, go to the folder with Cuckoo, and do git pull, or just apply this one-line mod :) https://github.com/cuckoosandbox/cuckoo/pull/1230/files#diff-538e3edaa84288051c2010e4fd1af4dc

ramirez3805 commented 7 years ago

Wow, it works. I want to cry right now. After all these months. So it wasn't my fault it wasn't working! lol. Also, a question: this is my analysis sample; I'm comparing it to yours and I see it has more behavioral and network info. Why is that?

doomedraven commented 7 years ago

That wasn't executed in the correct VM, as there was a lot of noise from different apps etc. :)

I'm glad to hear that everything works now. I hope @jbremer will merge (or improve and merge) that small Linux guest documentation PR, to make it easier for the rest.

doomedraven commented 7 years ago

lol, also it's funny that it took 2 months to solve it :D

ramirez3805 commented 7 years ago

Well, at least I didn't get fired from my job lol. Everyone kind of just thinks I suck. I'm not anywhere near the level you guys are at, but I thought setting up something someone else created, with documentation, was going to be much easier. 2 months for you was about 4 for me, because I actually started trying and researching on my own for a while until I ended up replying to this post. But again, thank you for having so much patience with me. I know that must not have been easy.

doomedraven commented 7 years ago

No problem, it always makes it easier to help when people provide good logs/whatever, and you don't need to ask again and again :) you already have your Three Kings' Day present ;)

ramirez3805 commented 7 years ago

Wow, impressive with the Spanish, we could have just spoken Spanish the whole time lol. That's my first language.

doomedraven commented 7 years ago

Yup, I speak Spanish, but that is not my native language, and the rest wouldn't understand how to solve the issue later :D

ramirez3805 commented 7 years ago

I'm sure haha. Thanks.

doomedraven commented 7 years ago

you are welcome :)

ramirez3805 commented 7 years ago

I can't believe this, but I'm getting an error on the Windows side, I think because of the change we did.

```
2017-01-09 14:21:45,548 [root] DEBUG: Imported "signatures" modules:
2017-01-09 14:21:45,548 [root] DEBUG:    |-- CreatesExe
2017-01-09 14:21:45,548 [root] DEBUG:    `-- SystemMetrics
2017-01-09 14:21:45,548 [root] DEBUG: Imported "processing" modules:
2017-01-09 14:21:45,549 [root] DEBUG:    |-- AnalysisInfo
2017-01-09 14:21:45,549 [root] DEBUG:    |-- MetaInfo
2017-01-09 14:21:45,549 [root] DEBUG:    |-- ApkInfo
2017-01-09 14:21:45,549 [root] DEBUG:    |-- Baseline
2017-01-09 14:21:45,549 [root] DEBUG:    |-- BehaviorAnalysis
2017-01-09 14:21:45,549 [root] DEBUG:    |-- DroppedBuffer
2017-01-09 14:21:45,549 [root] DEBUG:    |-- Debug
2017-01-09 14:21:45,550 [root] DEBUG:    |-- Droidmon
2017-01-09 14:21:45,550 [root] DEBUG:    |-- Dropped
2017-01-09 14:21:45,550 [root] DEBUG:    |-- TLSMasterSecrets
2017-01-09 14:21:45,550 [root] DEBUG:    |-- GooglePlay
2017-01-09 14:21:45,550 [root] DEBUG:    |-- Irma
2017-01-09 14:21:45,550 [root] DEBUG:    |-- Memory
2017-01-09 14:21:45,550 [root] DEBUG:    |-- MISP
2017-01-09 14:21:45,550 [root] DEBUG:    |-- NetworkAnalysis
2017-01-09 14:21:45,551 [root] DEBUG:    |-- ProcessMemory
2017-01-09 14:21:45,551 [root] DEBUG:    |-- Procmon
2017-01-09 14:21:45,551 [root] DEBUG:    |-- Screenshots
2017-01-09 14:21:45,551 [root] DEBUG:    |-- Snort
2017-01-09 14:21:45,551 [root] DEBUG:    |-- Static
2017-01-09 14:21:45,551 [root] DEBUG:    |-- Strings
2017-01-09 14:21:45,551 [root] DEBUG:    |-- Suricata
2017-01-09 14:21:45,551 [root] DEBUG:    |-- TargetInfo
2017-01-09 14:21:45,552 [root] DEBUG:    `-- VirusTotal
2017-01-09 14:21:45,552 [root] DEBUG: Imported "auxiliary" modules:
2017-01-09 14:21:45,552 [root] DEBUG:    |-- MITM
2017-01-09 14:21:45,552 [root] DEBUG:    |-- Reboot
2017-01-09 14:21:45,552 [root] DEBUG:    |-- Services
2017-01-09 14:21:45,552 [root] DEBUG:    `-- Sniffer
2017-01-09 14:21:45,552 [root] DEBUG: Imported "reporting" modules:
2017-01-09 14:21:45,553 [root] DEBUG:    |-- ElasticSearch
2017-01-09 14:21:45,553 [root] DEBUG:    |-- JsonDump
2017-01-09 14:21:45,553 [root] DEBUG:    |-- Mattermost
2017-01-09 14:21:45,553 [root] DEBUG:    |-- Moloch
2017-01-09 14:21:45,553 [root] DEBUG:    |-- MongoDB
2017-01-09 14:21:45,554 [root] DEBUG:    |-- Notification
2017-01-09 14:21:45,554 [root] DEBUG:    `-- ReportHTML
2017-01-09 14:21:45,554 [root] DEBUG: Imported "machinery" modules:
2017-01-09 14:21:45,554 [root] DEBUG:    `-- VirtualBox
2017-01-09 14:21:45,555 [root] DEBUG: Checking for locked tasks..
2017-01-09 14:21:45,568 [root] DEBUG: Checking for pending service tasks..
2017-01-09 14:21:45,576 [root] DEBUG: Initializing Yara...
2017-01-09 14:21:45,577 [root] DEBUG:    |-- index_binaries.yar
2017-01-09 14:21:45,577 [root] DEBUG:    `-- index_memory.yar
2017-01-09 14:21:45,582 [lib.cuckoo.core.resultserver] DEBUG: ResultServer running on 192.168.56.1:2042.
2017-01-09 14:21:45,583 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" as machine manager
2017-01-09 14:21:45,918 [modules.machinery.virtualbox] DEBUG: Getting status for Windows
2017-01-09 14:21:45,999 [modules.machinery.virtualbox] DEBUG: Machine Windows status poweroff
2017-01-09 14:21:46,080 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2017-01-09 14:21:46,093 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
2017-01-09 14:21:47,207 [lib.cuckoo.core.scheduler] DEBUG: Processing task #64
2017-01-09 14:21:47,217 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE "zbot" (task #64, options "")
2017-01-09 14:21:47,242 [lib.cuckoo.core.scheduler] INFO: File already exists at "/home/mario/cuckoo/storage/binaries/080064ebbec07cb8a173b99ac8a0392595548aad6bdcc8f6a8ff1bb4d91c2252"
2017-01-09 14:21:47,317 [lib.cuckoo.core.scheduler] INFO: Task #64: acquired machine Windows (label=Windows)
2017-01-09 14:21:47,328 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 9523 (interface=vboxnet0, host=192.168.56.101, pcap=/home/mario/cuckoo/storage/analyses/64/dump.pcap)
2017-01-09 14:21:47,329 [lib.cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2017-01-09 14:21:47,484 [modules.machinery.virtualbox] DEBUG: Starting vm Windows
2017-01-09 14:21:47,484 [modules.machinery.virtualbox] DEBUG: Getting status for Windows
2017-01-09 14:21:47,582 [modules.machinery.virtualbox] DEBUG: Machine Windows status poweroff
2017-01-09 14:21:47,665 [modules.machinery.virtualbox] DEBUG: Using current snapshot for virtual machine Windows
2017-01-09 14:21:48,122 [modules.machinery.virtualbox] DEBUG: Getting status for Windows
2017-01-09 14:21:48,208 [modules.machinery.virtualbox] DEBUG: Machine Windows status saved
2017-01-09 14:21:53,476 [modules.machinery.virtualbox] DEBUG: Getting status for Windows
2017-01-09 14:21:53,567 [modules.machinery.virtualbox] DEBUG: Machine Windows status running
2017-01-09 14:21:53,813 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=Windows, ip=192.168.56.101)
2017-01-09 14:21:54,818 [lib.cuckoo.core.guest] DEBUG: Windows: not ready yet
2017-01-09 14:21:55,824 [lib.cuckoo.core.guest] DEBUG: Windows: not ready yet
2017-01-09 14:21:56,831 [lib.cuckoo.core.guest] DEBUG: Windows: not ready yet
2017-01-09 14:21:57,839 [lib.cuckoo.core.guest] DEBUG: Windows: not ready yet
2017-01-09 14:21:58,854 [lib.cuckoo.core.guest] DEBUG: Windows: waiting for status 0x0001
2017-01-09 14:21:58,865 [lib.cuckoo.core.guest] DEBUG: Windows: status ready
2017-01-09 14:21:58,868 [lib.cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=Windows, ip=192.168.56.101, monitor=latest, size=35210)
2017-01-09 14:21:58,935 [lib.cuckoo.core.guest] DEBUG: Windows: analyzer started with PID 4088
2017-01-09 14:21:59,005 [lib.cuckoo.core.guest] DEBUG: Windows: waiting for completion
2017-01-09 14:21:59,058 [lib.cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized.
2017-01-09 14:22:00,012 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:01,021 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:02,027 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:03,033 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:04,038 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:05,046 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:06,053 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:07,063 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:08,071 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:09,080 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:10,089 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:11,102 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:12,108 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:13,116 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:14,124 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:15,134 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:16,144 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:17,150 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:18,155 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:19,161 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:20,168 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:21,178 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:22,187 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:23,198 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:24,207 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:25,217 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:26,226 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:27,237 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:28,246 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:29,255 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:30,265 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:31,284 [lib.cuckoo.core.guest] DEBUG: Windows: analysis not completed yet (status=2)
2017-01-09 14:22:32,293 [lib.cuckoo.core.scheduler] ERROR: Error from the Cuckoo Guest: Analysis failed: The package "modules.packages.generic" start function encountered an unhandled exception: [Error 2] The system cannot find the file specified
2017-01-09 14:22:32,410 [lib.cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2017-01-09 14:22:32,411 [modules.machinery.virtualbox] DEBUG: Stopping vm Windows
2017-01-09 14:22:32,411 [modules.machinery.virtualbox] DEBUG: Getting status for Windows
2017-01-09 14:22:32,521 [modules.machinery.virtualbox] DEBUG: Machine Windows status running
2017-01-09 14:22:33,600 [modules.machinery.virtualbox] DEBUG: Getting status for Windows
2017-01-09 14:22:33,698 [modules.machinery.virtualbox] DEBUG: Machine Windows status poweroff
2017-01-09 14:22:33,998 [lib.cuckoo.core.scheduler] DEBUG: Released database task #64
2017-01-09 14:22:34,023 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "AnalysisInfo" on analysis at "/home/mario/cuckoo/storage/analyses/64"
2017-01-09 14:22:34,024 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "MetaInfo" on analysis at "/home/mario/cuckoo/storage/analyses/64"
2017-01-09 14:22:34,026 [modules.processing.behavior] WARNING: Analysis results folder does not contain any behavior log files.
2017-01-09 14:22:34,026 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "BehaviorAnalysis" on analysis at "/home/mario/cuckoo/storage/analyses/64"
2017-01-09 14:22:34,027 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "DroppedBuffer" on analysis at "/home/mario/cuckoo/storage/analyses/64"
2017-01-09 14:22:34,030 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Debug" on analysis at "/home/mario/cuckoo/storage/analyses/64"
2017-01-09 14:22:34,031 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Dropped" on analysis at "/home/mario/cuckoo/storage/analyses/64"
2017-01-09 14:22:34,031 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "ProcessMemory" on analysis at "/home/mario/cuckoo/storage/analyses/64"
2017-01-09 14:22:34,031 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Procmon" on analysis at "/home/mario/cuckoo/storage/analyses/64"
2017-01-09 14:22:34,415 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Static" on analysis at "/home/mario/cuckoo/storage/analyses/64"
2017-01-09 14:22:34,429 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "Strings" on analysis at "/home/mario/cuckoo/storage/analyses/64"
2017-01-09 14:22:34,436 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "TargetInfo" on analysis at "/home/mario/cuckoo/storage/analyses/64"
2017-01-09 14:22:34,461 [modules.processing.network] DEBUG: Whitelisting Disabled.
2017-01-09 14:22:34,551 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "NetworkAnalysis" on analysis at "/home/mario/cuckoo/storage/analyses/64"
2017-01-09 14:22:34,551 [lib.cuckoo.core.plugins] DEBUG: Executed processing module "TLSMasterSecrets" on analysis at "/home/mario/cuckoo/storage/analyses/64"
2017-01-09 14:22:34,552 [lib.cuckoo.core.plugins] DEBUG: Running 0 signatures
2017-01-09 14:22:34,576 [lib.cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump"
2017-01-09 14:22:34,600 [lib.cuckoo.core.plugins] DEBUG: Executed reporting module "MongoDB"
2017-01-09 14:22:34,600 [lib.cuckoo.core.scheduler] INFO: Task #64: reports generation completed (path=/home/mario/cuckoo/storage/analyses/64)
2017-01-09 14:22:34,740 [lib.cuckoo.core.scheduler] INFO: Task #64: analysis procedure completed
```
doomedraven commented 7 years ago

Can you share the hash of that file so I can try to see what is wrong with the generic package?

ramirez3805 commented 7 years ago

6cc60b1efb8d82b827634e7e42f2c3c981b1aff6 I tried multiple samples and get the same issue :(

ramirez3805 commented 7 years ago

When I run the sample, I'm seeing a command prompt open up saying the system cannot accept the date entered, and to enter a new date.

ramirez3805 commented 7 years ago

Okay, disregard that, I forgot to change the configuration to Windows, but now that I did I get this:

```
2017-01-09 14:41:04,694 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" as machine manager
2017-01-09 14:41:05,195 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2017-01-09 14:41:05,209 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
2017-01-09 14:41:21,713 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE "rootkitiso.exe" (task #66, options "")
2017-01-09 14:41:21,757 [lib.cuckoo.core.scheduler] INFO: File already exists at "/home/mario/cuckoo/storage/binaries/ad8f79421a19919bdcbf4635fbd6b265e2e970487947f936e07d35ae8fbd6d5d"
2017-01-09 14:41:21,828 [lib.cuckoo.core.scheduler] INFO: Task #66: acquired machine Windows (label=Windows)
2017-01-09 14:41:21,846 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 10109 (interface=vboxnet0, host=192.168.56.101, pcap=/home/mario/cuckoo/storage/analyses/66/dump.pcap)
2017-01-09 14:41:28,222 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=Windows, ip=192.168.56.101)
2017-01-09 14:41:33,248 [lib.cuckoo.core.guest] ERROR: No valid analyzer found at path: /home/mario/cuckoo/analyzer/Windows
2017-01-09 14:41:33,249 [lib.cuckoo.core.scheduler] ERROR: Error from the Cuckoo Guest: No valid analyzer found for Windows platform!
2017-01-09 14:41:35,974 [modules.processing.behavior] WARNING: Analysis results folder does not exist at path '/home/mario/cuckoo/storage/analyses/66/logs'.
2017-01-09 14:41:36,327 [modules.processing.static] CRITICAL: You do not have the m2crypto library installed preventing certificate extraction: pip install m2crypto
2017-01-09 14:41:36,507 [lib.cuckoo.core.scheduler] INFO: Task #66: reports generation completed (path=/home/mario/cuckoo/storage/analyses/66)
2017-01-09 14:41:36,614 [lib.cuckoo.core.scheduler] INFO: Task #66: analysis procedure completed
```
doomedraven commented 7 years ago

First, what is strange is that it is not recognized as a PE32 file, as it should pick the exe package; at least in my case it picked correctly, and if I run with the generic package it can't start the sample.

I think it is because you made a typo in the config: it is `windows`, not `Windows`, in the config ;)
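
The "No valid analyzer found at path: /home/mario/cuckoo/analyzer/Windows" error in the log above shows why the capitalisation matters: the `platform` value is used as a directory name under `analyzer/`, and that lookup is case-sensitive on Linux. As an added example, not part of this thread and not Cuckoo's own code, here is a small Python check that reads a machinery config (assumed to follow the virtualbox.conf layout: a `machines` list in the `[virtualbox]` section and one section per machine with a `platform` key) and flags platform values that differ only by case from an existing analyzer directory, so the mistake is caught before a task is submitted:

```python
"""
Added example (not Cuckoo's own code): check that the `platform` value of
every machine in a Cuckoo-style virtualbox.conf matches a directory under
<cuckoo_root>/analyzer/. The guest analyzer is resolved from that path and
the lookup is case-sensitive on Linux, so `platform = Windows` fails while
`analyzer/windows` exists.
"""
import configparser
import os
import tempfile

# Constructed sample config (assumption: [virtualbox] lists the machines,
# each machine has its own section carrying a `platform` key).
SAMPLE_CONF = """
[virtualbox]
mode = headless
machines = Windows

[Windows]
label = Windows
platform = Windows
ip = 192.168.56.101
"""


def list_machines(conf_text):
    """Return [(machine_name, platform_value), ...] from the config text."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    names = parser.get("virtualbox", "machines", fallback="")
    machines = []
    for name in (n.strip() for n in names.split(",") if n.strip()):
        if parser.has_section(name):
            machines.append((name, parser.get(name, "platform", fallback="")))
    return machines


def check_platforms(conf_text, analyzer_root):
    """Return [(machine, platform, problem), ...].

    problem is None when analyzer_root/<platform> exists with exactly that
    spelling, a hint naming the real directory when one differs only by
    case, and "missing" when no analyzer directory matches at all.
    """
    try:
        present = {
            d for d in os.listdir(analyzer_root)
            if os.path.isdir(os.path.join(analyzer_root, d))
        }
    except FileNotFoundError:
        present = set()
    by_lower = {d.lower(): d for d in present}

    results = []
    for machine, platform in list_machines(conf_text):
        if platform in present:
            results.append((machine, platform, None))
        elif platform.lower() in by_lower:
            hint = "case mismatch: analyzer dir is '%s'" % by_lower[platform.lower()]
            results.append((machine, platform, hint))
        else:
            results.append((machine, platform, "missing"))
    return results


def demo():
    """Build a throwaway analyzer tree (windows/, linux/) and run the check."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("windows", "linux"):
            os.makedirs(os.path.join(root, d))
        return check_platforms(SAMPLE_CONF, root)


if __name__ == "__main__":
    for machine, platform, problem in demo():
        print("%s: platform=%s -> %s" % (machine, platform, problem or "ok"))
```

Run against a real install by calling `check_platforms(open("conf/virtualbox.conf").read(), "analyzer")` from the Cuckoo root; the string comparison is deliberately done in Python rather than via the filesystem so the result is the same on a case-insensitive host filesystem as on the Linux box that will actually run the analysis.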

ramirez3805 commented 7 years ago

You are a DAMN genius! Thank you! I hope that was the last time I bother you lol. Also, I saw that I cannot close the ticket.

doomedraven commented 7 years ago

Hehe, you are welcome. Yeah, it is not your ticket, so you don't have permissions to close it, but I think @jbremer should close it already.

jbremer commented 7 years ago

Happy to see your issue got resolved, thanks @doomedraven!

doomedraven commented 7 years ago

BTW, this is off-topic, but I think @ramirez3805 and you, @jbremer, will be interested: I'm writing documentation on how to integrate the arm/mips/mipsel architectures into Cuckoo with QEMU. I will push/update that Linux documentation PR once I have everything done.