Open E3L-1 opened 8 years ago
can you share hash(es) to test it?
I've tried it with multiple non-malicious PDFs. I attached a non-malicious one from a SANS webcast here. You should be able to replicate with any, though.
well here no crashes and everything works fine
What are you running for your guest machine? Does it match what I have above?
I'm beginning to wonder if this is based on particular patches being applied or not applied across different installations. So for example, in my win7sp0 box, I have the following patches applied: 982861 KB2454826 KB958488
What about you? Side note: just found an easy way to get this with PowerShell: Get-Hotfix
@E3L-1 Those VMs are w7sp1x32. I don't remember which patches are installed there and which aren't, as those VMs have been in production for years, but it was a totally updated w7sp1.
I just tried adding SP1 to my win7x64 installation. That did not make a difference. :(
I'm going to have to try later versions of Adobe Reader :-) If you could share some Cuckoo reports, that'd be helpful as well. For what it's worth, Adobe Reader 9.0.0 should work for sure.
Ahh - That worked! Thank you! :)
So, from the testing I did, Adobe 10+ is not working. Here's a Cuckoo report of a similar failure referenced in my above post with the logs. 124.zip
Another question for you which seems related. If not, I'll open another issue. What version of IE are you running? The behavior is slightly different than above in that it at least successfully opens the process, but then it immediately stops. You don't ever see IE opening in the screenshots, and I also watched from the vSphere console. It never opens it.
I'm running IE 9.0.8112.16421. Maybe it's a simple IE version thing like the Adobe reader?
2016-09-20 22:05:01,030 [analyzer] DEBUG: Starting analyzer from: C:\mjopm
2016-09-20 22:05:01,078 [analyzer] DEBUG: Pipe server name: \\.\PIPE\YsGDwiNqGzSGfzwjJeMLweUzV
2016-09-20 22:05:01,078 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\eriQyrKcrKFgnPehqvqGYpHBwxpFf
2016-09-20 22:05:01,078 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2016-09-20 22:05:01,078 [analyzer] INFO: Automatically selected analysis package "ie"
2016-09-20 22:05:02,496 [analyzer] DEBUG: Started auxiliary module Disguise
2016-09-20 22:05:02,887 [analyzer] DEBUG: Loaded monitor into process with pid 496
2016-09-20 22:05:02,887 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2016-09-20 22:05:02,887 [analyzer] DEBUG: Started auxiliary module Human
2016-09-20 22:05:02,887 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2016-09-20 22:05:02,887 [analyzer] DEBUG: Started auxiliary module Reboot
2016-09-20 22:05:02,996 [analyzer] DEBUG: Started auxiliary module RecentFiles
2016-09-20 22:05:02,996 [analyzer] DEBUG: Started auxiliary module Screenshots
2016-09-20 22:05:03,417 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files\\Internet Explorer\\iexplore.exe' with arguments ['www.microsoft.com'] and pid 2768
2016-09-20 22:05:03,588 [analyzer] DEBUG: Loaded monitor into process with pid 2768
2016-09-20 22:05:04,243 [analyzer] DEBUG: Received request to inject pid=2768, but we are already injected there.
2016-09-20 22:05:05,507 [analyzer] INFO: Process with pid 2768 has terminated
2016-09-20 22:05:05,507 [analyzer] INFO: Process list is empty, terminating analysis.
2016-09-20 22:05:06,522 [analyzer] INFO: Terminating remaining processes before shutdown.
2016-09-20 22:05:06,522 [analyzer] INFO: Analysis completed.
I'm having the same issue with Win 7 (32-bit) and Acrobat Reader 9.0.0. This is the log:
2016-10-20 14:20:56,019 [analyzer] DEBUG: Starting analyzer from: C:\gureic
2016-10-20 14:20:56,039 [analyzer] DEBUG: Pipe server name: \\.\PIPE\qHAdBZvNTdcHgOffAXoULasGhfDaIkS
2016-10-20 14:20:56,039 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\AuqWtPuPARuIuENMpddBM
2016-10-20 14:20:56,039 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2016-10-20 14:20:56,039 [analyzer] INFO: Automatically selected analysis package "pdf"
2016-10-20 14:21:00,095 [analyzer] DEBUG: Started auxiliary module Disguise
2016-10-20 14:21:00,456 [analyzer] DEBUG: Loaded monitor into process with pid 468
2016-10-20 14:21:00,466 [lib.api.process] INFO: Successfully injected process with pid None
2016-10-20 14:21:00,466 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2016-10-20 14:21:00,466 [analyzer] DEBUG: Started auxiliary module Human
2016-10-20 14:21:00,466 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2016-10-20 14:21:00,466 [analyzer] DEBUG: Started auxiliary module Screenshots
2016-10-20 14:21:00,615 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe' with arguments [u'C:\\Users\\YOLAND~1\\AppData\\Local\\Temp\\Court-Order0.pdf'] and pid 1960
2016-10-20 14:21:01,236 [analyzer] DEBUG: Loaded monitor into process with pid 1960
2016-10-20 14:21:01,377 [analyzer] DEBUG: Received request to inject pid=1960, but we are already injected there.
2016-10-20 14:21:09,007 [lib.common.results] ERROR: Exception uploading file c:\users\yoland~1\appdata\local\temp\tmp5_qokg to host: timed out
2016-10-20 14:21:09,167 [lib.api.process] INFO: Memory dump of process with pid 1960 completed
2016-10-20 14:21:09,658 [analyzer] INFO: Process with pid 1960 has terminated
2016-10-20 14:21:09,658 [analyzer] INFO: Process list is empty, terminating analysis.
2016-10-20 14:21:10,661 [analyzer] INFO: Analysis completed.
Having the same exact issue here with Win7x64 and Reader 9 (10, 11, DC also). Running RC1. Anyone found a solution? Thanks.
Sorry for the late reply. Please use Adobe 9 for now, there are some issues with Adobe 11 that prevent a proper analysis in Cuckoo. Last time I did some investigations as to why this is the case I didn't succeed in finding the issue, but I'll check it once again sometime in the future :-)
Hi guys. If you want to work with Adobe 11, you must disable "Enhanced Security" and "Protected Mode" in the program's preferences.
Steps:
Good luck
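As an added example (not code from this thread or from Cuckoo itself), the same two preference changes scripted for a sandbox guest, with a read-back check so a mismatch is caught before the VM snapshot is taken. The value names are assumptions taken from Adobe's preference reference as I recall them (bProtectedMode under Privileged, bEnhancedSecurityStandalone and bEnhancedSecurityInBrowser under TrustManager); confirm them against the protectedmode document linked below.

```powershell
# Added example, not Cuckoo's own code: script the Reader 11 preference changes
# described above inside the analysis guest, then read them back to confirm.
# Assumed value names (verify against Adobe's preference reference):
#   Privileged\bProtectedMode, TrustManager\bEnhancedSecurityStandalone,
#   TrustManager\bEnhancedSecurityInBrowser. 0 = disabled.
param(
    [string]$ReaderVersion = "11.0"   # assumption: Reader 11; use "DC" for Reader DC
)

$base = "HKCU:\Software\Adobe\Acrobat Reader\$ReaderVersion"

# Each entry: registry key, value name, desired DWORD value
$settings = @(
    @{ Key = "$base\Privileged";   Name = "bProtectedMode";              Value = 0 },
    @{ Key = "$base\TrustManager"; Name = "bEnhancedSecurityStandalone"; Value = 0 },
    @{ Key = "$base\TrustManager"; Name = "bEnhancedSecurityInBrowser";  Value = 0 }
)

foreach ($s in $settings) {
    # Reader only creates these keys after its first launch; create them if absent.
    if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
    Set-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value -Type DWord
}

# Verify: read every value back and fail loudly if any did not take effect.
$failed = $false
foreach ($s in $settings) {
    $actual = (Get-ItemProperty -Path $s.Key -Name $s.Name).($s.Name)
    if ($actual -eq $s.Value) { $state = "ok" } else { $state = "MISMATCH"; $failed = $true }
    Write-Host ("{0,-30} = {1}  [{2}]" -f $s.Name, $actual, $state)
}
if ($failed) { exit 1 }
```

Run it inside the guest, as the same user the analyzer runs as and with Reader closed, since Reader rewrites its preferences on exit; then launch Reader once to check the settings stuck before snapshotting.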
@jbremer maybe add this to disguise reg patcher? https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/protectedmode.html
I have been unable to analyze PDFs when behavioral analysis is set to run. The only way a PDF will run is with process injection disabled.
My setup is this:
Here's a similar report of this problem. https://community.cuckoosandbox.org/t/analysing-pdf-files-problems/167/5
Here's one of the latest logs.
Any ideas?