cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Critical:"BsonParser lacking data." #883

Open Nadacsc opened 8 years ago

Nadacsc commented 8 years ago

I am receiving this error for 'some' samples. What does it mean? Does this indicate a wrong configuration / something going wrong during the analysis, or does it indicate that there's something wrong with the malware sample itself?

jbremer commented 8 years ago

Which version of Cuckoo are you running? It means that network data was sent partially, which is not a good thing, and most likely not related to the malware itself.

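The explanation above (the error fires when the guest sends only part of its log stream) is easiest to see on the wire format itself: every BSON document starts with a 4-byte little-endian length, so a reader can tell exactly when the bytes it has do not cover the length the header promised. The following is an added example written for this page, not Cuckoo's own parser; the element types it decodes (int32 and string only), the encoder used to build the sample stream, and the `"lacking data"` status string are all assumptions made so it runs offline.

```python
import struct

# Constructed helper: encode a tiny BSON document with int32 (0x10) and
# UTF-8 string (0x02) fields only, so no external bson package is needed.
def encode_doc(fields):
    body = b""
    for key, value in fields:
        if isinstance(value, int):
            body += b"\x10" + key.encode() + b"\x00" + struct.pack("<i", value)
        elif isinstance(value, str):
            raw = value.encode() + b"\x00"
            body += b"\x02" + key.encode() + b"\x00" + struct.pack("<i", len(raw)) + raw
        else:
            raise TypeError("unsupported value type for this example")
    body += b"\x00"                     # document terminator
    return struct.pack("<i", len(body) + 4) + body


def decode_doc(data):
    """Decode one complete BSON document (int32 and string elements only)."""
    total = struct.unpack("<i", data[:4])[0]
    if total != len(data):
        raise ValueError("length prefix %d does not match %d bytes" % (total, len(data)))
    pos, out = 4, {}
    while data[pos] != 0:               # 0x00 terminates the element list
        etype = data[pos]
        pos += 1
        end = data.index(b"\x00", pos)  # cstring key
        key = data[pos:end].decode()
        pos = end + 1
        if etype == 0x10:
            out[key] = struct.unpack("<i", data[pos:pos + 4])[0]
            pos += 4
        elif etype == 0x02:
            slen = struct.unpack("<i", data[pos:pos + 4])[0]
            pos += 4
            out[key] = data[pos:pos + slen - 1].decode()  # strip trailing NUL
            pos += slen
        else:
            raise ValueError("unsupported element type 0x%02x" % etype)
    return out


def parse_stream(buf):
    """Split a byte stream into BSON documents and report how it ended.

    Returns (docs, status): status is "ok" when the stream ends on a document
    boundary, "lacking data" when the last length prefix promised more bytes
    than arrived (a partially transmitted log), "corrupt length" for an
    impossible prefix.
    """
    docs, pos = [], 0
    while pos < len(buf):
        header = buf[pos:pos + 4]
        if len(header) < 4:
            return docs, "lacking data"
        length = struct.unpack("<i", header)[0]
        if length < 5:                  # smallest valid doc: prefix + terminator
            return docs, "corrupt length"
        chunk = buf[pos:pos + length]
        if len(chunk) < length:
            return docs, "lacking data"
        docs.append(decode_doc(chunk))
        pos += length
    return docs, "ok"


# Constructed sample stream: two API-call-like records, as a monitor might send.
SAMPLE = (encode_doc([("I", 0), ("api", "NtCreateFile"), ("t", 1234)]) +
          encode_doc([("I", 1), ("api", "NtWriteFile"), ("t", 1235)]))


def demo():
    """Parse the full stream, then the same stream with its tail cut off."""
    complete = parse_stream(SAMPLE)
    truncated = parse_stream(SAMPLE[:-7])   # connection dropped mid-document
    return complete, truncated


if __name__ == "__main__":
    for docs, status in demo():
        print(status, len(docs), "document(s)")
```

Running `demo()` shows the distinction that matters for this thread: the complete stream yields two documents and `"ok"`, while the cut-off copy yields one document and `"lacking data"`, even though every byte that did arrive is well-formed. That is why the analysis logs in the affected tasks can look fine while the report stage still fails.
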
Nadacsc commented 8 years ago

I am using the latest on the website, 'Cuckoo Sandbox 2.0-RC1', not the GitHub version, as I want a stable version.

jbremer commented 8 years ago

Something that comes to mind is manually applying the following commit, https://github.com/cuckoosandbox/cuckoo/commit/e415bf9b6ca91c17d64bdaf355363d90fc364701. If you could do that and let me know if you're still having this exception, that'd be great.

Nadacsc commented 8 years ago

Many thanks, I'll try it and let you know whether this solves the problem.

Nadacsc commented 8 years ago

Sorry, I am afraid the problem hasn't been solved after these modifications... any suggestion?

Nadacsc commented 8 years ago

It seems that Cuckoo is taking too much memory (I have 4 GB and only Cuckoo is running) and maybe this is the cause of the problem. I am saying that because sometimes it fails to generate the HTML report as well and the system becomes very slow; however, hopefully the latter error will only affect the HTML generation, as I am interested only in the JSON reports.

Nadacsc commented 8 years ago

I am still getting this error message :( .. any advice?

doomedraven commented 8 years ago

Can you provide some logs to get more clues?

Nadacsc commented 8 years ago

Archive.zip: I believe this is the log of 2 samples that throw this error. I am happy also to provide anything you need to identify the problem.

doomedraven commented 8 years ago

Logs look fine. Can you re-analyze those samples in debug mode (cuckoo.py -d) and provide the output?

jbremer commented 8 years ago

Can you also re-generate the report for that particular analysis, e.g., ./utils/process.py -r 3076. At least the BSON files from 3076 look fine to me. I have something in mind which might be the cause here, but please try re-generating the report first.

Nadacsc commented 8 years ago

I've deleted all the records (cuckoo.py --clean), started fresh again and analysed the samples. These are two samples which seem to throw this error again. I am sorry I cannot re-generate the report now :( but I can do it for these samples if required. BsonError.zip

doomedraven commented 8 years ago

@Nadacsc, what @jbremer means is: now try ./utils/process.py -r 14 and ./utils/process.py -r 21 to reprocess the already analyzed data, to see if you still get the same error.

In one of the logs you have:

2016-05-08 13:36:25,625 [lib.api.process] ERROR: Failed to execute process from path u'C:\\DOCUME~1\\nnnnnn\\LOCALS~1\\Temp\\ab16da2b5cf4ee1efb38d7cee144a208d14301e7703f43d6f5a0c315f48aa1a4.exe' with arguments ['bin\\inject-x86.exe', '--app', u'C:\\DOCUME~1\\nnnnnn\\LOCALS~1\\Temp\\AB16DA~1.EXE', '--apc', '--dll', 'C:\\eujyvbhwe\\bin\\monitor-x86.dll', '--config', 'c:\\docume~1\\nnnnnn\\locals~1\\temp\\tmp5mwpcq', '--curdir', u'C:\\DOCUME~1\\nnnnnn\\LOCALS~1\\Temp'] (Error: The pipe has been ended (ERROR_BROKEN_PIPE))

Nadacsc commented 8 years ago

Yes, even if I regenerate the reports it always gives the same errors. For file 14:

2016-05-08 13:36:25,625 [lib.api.process] ERROR: Failed to execute process from path u'C:\\DOCUME~1\\nnnnnn\\LOCALS~1\\Temp\\ab16da2b5cf4ee1efb38d7cee144a208d14301e7703f43d6f5a0c315f48aa1a4.exe' with arguments ['bin\\inject-x86.exe', '--app', u'C:\\DOCUME~1\\nnnnnn\\LOCALS~1\\Temp\\AB16DA~1.EXE', '--apc', '--dll', 'C:\\eujyvbhwe\\bin\\monitor-x86.dll', '--config', 'c:\\docume~1\\nnnnnn\\locals~1\\temp\\tmp5mwpcq', '--curdir', u'C:\\DOCUME~1\\nnnnnn\\LOCALS~1\\Temp'] (Error: The pipe has been ended(ERROR_BROKEN_PIPE))

and for file 21:

2016-05-08 13:36:34,030 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2016-05-08 13:36:34,046 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2016-05-08 13:36:34,046 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2016-05-08 13:36:34,046 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2016-05-08 13:36:34,062 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2016-05-08 13:36:34,062 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2016-05-08 13:36:40,890 [analyzer] DEBUG: Error resolving function jscript!COleScript_Compile through our custom callback.

And I can see these errors in a number of samples, especially the errors reported in sample 21.

jbremer commented 8 years ago

Those warnings are unrelated to the original issue in this thread. What kind of file is 14? Can you share a hash?

Nadacsc commented 8 years ago

It's an exe file. This is the md5 of 14: a4a37fc2790201637610f9a87cc9ef24. This is the md5 of 21: 2fcbc73ff5acc5373fff7550cd81a8e7.

If it's not related, then it seems that the logs of the files which threw the "BsonParser" error always look fine! :( Attached is another sample which also looks fine but threw the same error! Any idea what's happening here, please? 330.zip

copeland3300 commented 7 years ago

Hey, has there been any forward progress on this? I'm running 2.0-dev, which I pulled from the GitHub master about 30 days ago, and I'm still getting the error.

Thanks!

jbremer commented 7 years ago

@copeland3300 a couple of items were discussed in this issue, which exact problem are you running into?

copeland3300 commented 7 years ago

Hey, thanks for getting back to me. Specifically, I'm getting the "BsonParser lacking data" errors.

doomedraven commented 7 years ago

Any hash?

copeland3300 commented 7 years ago

I'll pull together a few files and post them along with the hashes.

Thanks!


ghost commented 5 years ago

Hello, I am using Cuckoo 2.0.6 and also have this problem. I use a 64 GB server running 10 VMs, and I use it to analyze the same file repeatedly. It has this error a certain number of times, but at other times it returns to normal. I don't understand why.

soutzis commented 4 years ago


Same issue here with Cuckoo 2.0.7. However, I am not analysing the same sample, but different ones. Every now and then, the Cuckoo app will be unable to contact the agent running in the VM.