Open Nadacsc opened 8 years ago
Which version of Cuckoo are you running? It means that network data was sent partially, which is not a good thing, and most likely not related to the malware itself.
I am using the latest on the website, 'Cuckoo Sandbox 2.0-RC1', not the GitHub version, as I want a stable version.
Something that comes to mind is manually applying the following commit, https://github.com/cuckoosandbox/cuckoo/commit/e415bf9b6ca91c17d64bdaf355363d90fc364701. If you could do that and let me know if you're still having this exception, that'd be great.
Many thanks, I'll try it and let you know if this solves the problem or not.
Sorry, I am afraid the problem hasn't been solved after these modifications... any suggestions?
It seems that Cuckoo is taking too much memory (I have 4GB and only Cuckoo is running) and maybe this is the cause of the problem. I am saying that because sometimes it fails to generate the HTML report as well and the system becomes very slow. However, hopefully the latter error will only affect the HTML generation, as I am interested only in JSON reports.
I am still getting this error message :( .. any advice?
Can you provide some logs to get more clues?
Archive.zip I believe this is the log of 2 samples that throw this error. I am also happy to provide anything you need to identify the problem.
Logs look fine, can you reanalyze those samples with debug mode (cuckoo.py -d) and provide the output?
Can you also re-generate the report for that particular analysis, e.g., ./utils/process.py -r 3076. At least the BSON files from 3076 look fine to me. I have something in mind which might be the cause here, but please try re-generating the report first.
I've deleted all the records (cuckoo.py --clean), started fresh again and analysed the samples. These are two samples which seem to throw this error again. I am sorry I cannot re-generate the report now :( but I can do it for these samples if required. BsonError.zip
@Nadacsc from what @jbremer means, now try ./utils/process.py -r 14 and ./utils/process.py -r 21 to reprocess from already analyzed data, to see if you are still getting the same error.
In one of the logs you have
2016-05-08 13:36:25,625 [lib.api.process] ERROR: Failed to execute process from path u'C:\\DOCUME~1\\nnnnnn\\LOCALS~1\\Temp\\ab16da2b5cf4ee1efb38d7cee144a208d14301e7703f43d6f5a0c315f48aa1a4.exe' with arguments ['bin\\inject-x86.exe', '--app', u'C:\\DOCUME~1\\nnnnnn\\LOCALS~1\\Temp\\AB16DA~1.EXE', '--apc', '--dll', 'C:\\eujyvbhwe\\bin\\monitor-x86.dll', '--config', 'c:\\docume~1\\nnnnnn\\locals~1\\temp\\tmp5mwpcq', '--curdir', u'C:\\DOCUME~1\\nnnnnn\\LOCALS~1\\Temp'] (Error: The pipe has been ended (ERROR_BROKEN_PIPE))
Yes, even if I regenerate the reports it always gives the same errors. For file 14:
2016-05-08 13:36:25,625 [lib.api.process] ERROR: Failed to execute process from path u'C:\\DOCUME~1\\nnnnnn\\LOCALS~1\\Temp\\ab16da2b5cf4ee1efb38d7cee144a208d14301e7703f43d6f5a0c315f48aa1a4.exe' with arguments ['bin\\inject-x86.exe', '--app', u'C:\\DOCUME~1\\nnnnnn\\LOCALS~1\\Temp\\AB16DA~1.EXE', '--apc', '--dll', 'C:\\eujyvbhwe\\bin\\monitor-x86.dll', '--config', 'c:\\docume~1\\nnnnnn\\locals~1\\temp\\tmp5mwpcq', '--curdir', u'C:\\DOCUME~1\\nnnnnn\\LOCALS~1\\Temp'] (Error: The pipe has been ended(ERROR_BROKEN_PIPE))
and for file 21:
2016-05-08 13:36:34,030 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2016-05-08 13:36:34,046 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2016-05-08 13:36:34,046 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2016-05-08 13:36:34,046 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2016-05-08 13:36:34,062 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2016-05-08 13:36:34,062 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2016-05-08 13:36:40,890 [analyzer] DEBUG: Error resolving function jscript!COleScript_Compile through our custom callback.
And I can see these errors in a number of samples, especially the errors reported in sample 21.
Those warnings are unrelated to the original issue in this thread. What kind of file is 14? Can you share a hash?
It's an exe file. This is the md5 of 14: a4a37fc2790201637610f9a87cc9ef24. This is the md5 of 21: 2fcbc73ff5acc5373fff7550cd81a8e7
If it's not related, then it seems that the logs of the files which threw the "BsonParser" error always look fine! :( Attached is another sample which also looks fine but threw the same error! Any idea what's happening here please? 330.zip
Hey, has there been any forward progress on this? I'm running 2.0-dev I pulled from the GitHub master about 30 days ago, and I'm still getting the error.
Thanks!
@copeland3300 a couple of items were discussed in this issue, which exact problem are you running into?
Hey thanks for getting back to me. Specifically, I'm getting the "BsonParser lacking data" errors
any hash?
I'll pull together a few files and post them along with the hashes.
Thanks!
Hello, I am using Cuckoo version 2.06 and also have this problem. I use a 64g server running 10 VMs, and I use it to analyze the same file repeatedly. It gets this error after a number of runs, but sometimes it returns to normal. I don't understand why.
Same issue here with cuckoo 2.0.7. However I am not analysing the same sample, but different ones. Every now and then, the cuckoo app will be unable to contact the agent running in the VM.
I am receiving this error for 'some' samples. What does it mean? Does this indicate a wrong configuration / something going wrong during the analysis, or does it indicate that there's something wrong with the malware sample itself?
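As an added illustration (not from the thread and not Cuckoo's own parser code): every BSON document begins with a little-endian int32 giving its total length, so a log that was cut off mid-message, the "network data was sent partially" case described above, can be found by walking the length prefixes. The sketch assumes the log is a plain concatenation of BSON documents; `make_doc`, `scan_bson_stream`, `MAX_DOC` and the sample fields are constructed for the example.

```python
import struct

MAX_DOC = 16 * 1024 * 1024  # assumed sanity bound for a single message


def make_doc(key, value):
    """Build a minimal BSON document {key: int32 value} (constructed sample data)."""
    body = b"\x10" + key.encode() + b"\x00" + struct.pack("<i", value) + b"\x00"
    return struct.pack("<i", len(body) + 4) + body


def scan_bson_stream(data):
    """Walk concatenated BSON documents; return (complete_count, problem).

    problem is None for a cleanly framed stream, otherwise a dict giving the
    offset of the first document that could not be framed and the reason.
    """
    offset, count = 0, 0
    while offset < len(data):
        remaining = len(data) - offset
        if remaining < 4:
            return count, {"offset": offset, "reason": "truncated length prefix",
                           "missing": 4 - remaining}
        (length,) = struct.unpack_from("<i", data, offset)
        if length < 5 or length > MAX_DOC:
            return count, {"offset": offset, "reason": "implausible length",
                           "length": length}
        if remaining < length:
            # The prefix promises more bytes than were received.
            return count, {"offset": offset, "reason": "lacking data",
                           "missing": length - remaining}
        if data[offset + length - 1] != 0:
            return count, {"offset": offset, "reason": "missing terminator"}
        offset += length
        count += 1
    return count, None


def demo():
    docs = [make_doc("pid", 1234), make_doc("tid", 5678), make_doc("api", 42)]
    full = b"".join(docs)
    cut = full[:-6]  # simulate a connection that closed mid-message
    return scan_bson_stream(full), scan_bson_stream(cut)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A non-None result locates the first incomplete message, which separates a transport or resource problem on the host from anything in the sample's recorded behaviour.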