idanr1986 / cuckoo-droid

CuckooDroid - Automated Android Malware Analysis with Cuckoo Sandbox.

no behavioral information #40

Open Eterna1 opened 7 years ago

Eterna1 commented 7 years ago

Hello. I have this problem: APKs are "analyzed" but there is no behavioral information (except network). The files logs/droidmon.txt and logs/droidmon_error.txt are empty.

My Android version is 4.1 (ARM). I used the second setup, "Preparing the Guest (Android Emulator)". I use Cuckoo 2.0 as the server.

logs/xposed.txt looks like this:

-----------------
Sep 1, 2017 4:20:35 PM UTC
Loading Xposed v54 (for Zygote)...
Running ROM 'sdk-eng 4.1.2 MASTER 1741836 test-keys' with fingerprint 'generic/sdk/generic:4.1.2/MASTER/1741836:eng/test-keys'
Loading modules from /data/app/com.emulator.antidetect-1.apk
  Loading class com.emulator.antidetect.HookLauncher
Loading modules from /data/app/com.cuckoodroid.droidmon-1.apk
  Loading class com.cuckoodroid.droidmon.InstrumentationManager

My Cuckoo log looks normal:

2017-09-04 18:18:11,144 [cuckoo.core.guest] DEBUG: ddd_1: analysis not completed yet (status=2)
2017-09-04 18:18:11,548 [cuckoo.core.resultserver] DEBUG: File upload request for logs/xposed.log
2017-09-04 18:18:11,548 [cuckoo.core.resultserver] DEBUG: Uploaded file length: 454
2017-09-04 18:18:11,562 [cuckoo.core.resultserver] DEBUG: File upload request for logs/droidmon.log
2017-09-04 18:18:11,577 [cuckoo.core.resultserver] DEBUG: File upload request for logs/droidmon_error.log
2017-09-04 18:18:12,178 [cuckoo.core.guest] INFO: ddd_1: analysis completed successfully
2017-09-04 18:18:12,391 [cuckoo.machinery.avd] DEBUG: Stopping vm ddd_1
2017-09-04 18:18:12,392 [cuckoo.machinery.avd] INFO: Stopping AVD listening on port 5554
2017-09-04 18:18:13,734 [cuckoo.core.scheduler] DEBUG: Released database task #24
2017-09-04 18:18:13,852 [cuckoo.core.plugins] DEBUG: Executed processing module "AnalysisInfo" on analysis at "/home/a/.cuckoo/storage/analyses/24"
2017-09-04 18:18:13,853 [cuckoo.core.plugins] DEBUG: Executed processing module "BehaviorAnalysis" on analysis at "/home/a/.cuckoo/storage/analyses/24"
2017-09-04 18:18:13,854 [cuckoo.core.plugins] DEBUG: Executed processing module "Droidmon" on analysis at "/home/a/.cuckoo/storage/analyses/24"
2017-09-04 18:18:13,854 [cuckoo.core.plugins] DEBUG: Executed processing module "Dropped" on analysis at "/home/a/.cuckoo/storage/analyses/24"
2017-09-04 18:18:13,855 [cuckoo.core.plugins] DEBUG: Executed processing module "DroppedBuffer" on analysis at "/home/a/.cuckoo/storage/analyses/24"
2017-09-04 18:18:13,856 [cuckoo.core.plugins] DEBUG: Executed processing module "MetaInfo" on analysis at "/home/a/.cuckoo/storage/analyses/24"
2017-09-04 18:18:13,856 [cuckoo.core.plugins] DEBUG: Executed processing module "ProcessMemory" on analysis at "/home/a/.cuckoo/storage/analyses/24"
2017-09-04 18:18:13,856 [cuckoo.core.plugins] DEBUG: Executed processing module "Procmon" on analysis at "/home/a/.cuckoo/storage/analyses/24"
2017-09-04 18:18:14,318 [cuckoo.core.plugins] DEBUG: Executed processing module "Screenshots" on analysis at "/home/a/.cuckoo/storage/analyses/24"
2017-09-04 18:18:14,319 [cuckoo.core.plugins] DEBUG: Executed processing module "Static" on analysis at "/home/a/.cuckoo/storage/analyses/24"
2017-09-04 18:18:14,730 [cuckoo.core.plugins] DEBUG: Executed processing module "Strings" on analysis at "/home/a/.cuckoo/storage/analyses/24"
2017-09-04 18:18:14,860 [cuckoo.core.plugins] DEBUG: Executed processing module "TargetInfo" on analysis at "/home/a/.cuckoo/storage/analyses/24"
2017-09-04 18:18:14,862 [cuckoo.core.plugins] ERROR: Failed to run the processing module "NetworkAnalysis" for task #24:
Traceback (most recent call last):
  File "/home/a/venv/local/lib/python2.7/site-packages/cuckoo/core/plugins.py", line 238, in process
    data = current.run()
  File "/home/a/venv/local/lib/python2.7/site-packages/cuckoo/processing/network.py", line 887, in run
    sort_pcap(self.pcap_path, sorted_path)
  File "/home/a/venv/local/lib/python2.7/site-packages/cuckoo/processing/network.py", line 1032, in sort_pcap
    batch_sort(inc, outpath, output_class=lambda path: SortCap(path, linktype=inc.linktype))
  File "/home/a/venv/local/lib/python2.7/site-packages/cuckoo/processing/network.py", line 954, in batch_sort
    current_chunk = list(islice(input_iterator, buffer_size))
  File "/home/a/venv/local/lib/python2.7/site-packages/cuckoo/processing/network.py", line 1018, in next
    sip, dip, sport, dport, proto = flowtuple_from_raw(raw, self.linktype)
  File "/home/a/venv/local/lib/python2.7/site-packages/cuckoo/processing/network.py", line 1045, in flowtuple_from_raw
    sport, dport = l3.sport, l3.dport
AttributeError: 'str' object has no attribute 'sport'
2017-09-04 18:18:14,985 [cuckoo.core.plugins] DEBUG: Executed processing module "TLSMasterSecrets" on analysis at "/home/a/.cuckoo/storage/analyses/24"
2017-09-04 18:18:15,010 [cuckoo.core.plugins] DEBUG: Executed processing module "Debug" on analysis at "/home/a/.cuckoo/storage/analyses/24"
2017-09-04 18:18:15,013 [cuckoo.core.plugins] DEBUG: You are running a version of Cuckoo that's not compatible with this signature (either it's too old or too new): cuckoo=2.0.3 signature=amsi_bypass minversion=2.0.4 maxversion=None
2017-09-04 18:18:15,015 [cuckoo.core.plugins] DEBUG: You are running a version of Cuckoo that's not compatible with this signature (either it's too old or too new): cuckoo=2.0.3 signature=applocker_bypass minversion=2.0.4 maxversion=None
2017-09-04 18:18:15,023 [cuckoo.core.plugins] DEBUG: You are running a version of Cuckoo that's not compatible with this signature (either it's too old or too new): cuckoo=2.0.3 signature=metasploit_shellcode minversion=2.0.4 maxversion=None
2017-09-04 18:18:15,024 [cuckoo.core.plugins] DEBUG: You are running a version of Cuckoo that's not compatible with this signature (either it's too old or too new): cuckoo=2.0.3 signature=powerfun minversion=2.0.4 maxversion=None
2017-09-04 18:18:15,024 [cuckoo.core.plugins] DEBUG: You are running a version of Cuckoo that's not compatible with this signature (either it's too old or too new): cuckoo=2.0.3 signature=powershell_bitstransfer minversion=2.0.4 maxversion=None
2017-09-04 18:18:15,025 [cuckoo.core.plugins] DEBUG: You are running a version of Cuckoo that's not compatible with this signature (either it's too old or too new): cuckoo=2.0.3 signature=powershell_c2dns minversion=2.0.4 maxversion=None
2017-09-04 18:18:15,025 [cuckoo.core.plugins] DEBUG: You are running a version of Cuckoo that's not compatible with this signature (either it's too old or too new): cuckoo=2.0.3 signature=powershell_ddi_rc4 minversion=2.0.4 maxversion=None
2017-09-04 18:18:15,025 [cuckoo.core.plugins] DEBUG: You are running a version of Cuckoo that's not compatible with this signature (either it's too old or too new): cuckoo=2.0.3 signature=powershell_dfsp minversion=2.0.4 maxversion=None
2017-09-04 18:18:15,025 [cuckoo.core.plugins] DEBUG: You are running a version of Cuckoo that's not compatible with this signature (either it's too old or too new): cuckoo=2.0.3 signature=powershell_di minversion=2.0.4 maxversion=None
2017-09-04 18:18:15,025 [cuckoo.core.plugins] DEBUG: You are running a version of Cuckoo that's not compatible with this signature (either it's too old or too new): cuckoo=2.0.3 signature=powershell_empire minversion=2.0.4 maxversion=None
2017-09-04 18:18:15,026 [cuckoo.core.plugins] DEBUG: You are running a version of Cuckoo that's not compatible with this signature (either it's too old or too new): cuckoo=2.0.3 signature=powershell_meterpreter minversion=2.0.4 maxversion=None
2017-09-04 18:18:15,026 [cuckoo.core.plugins] DEBUG: You are running a version of Cuckoo that's not compatible with this signature (either it's too old or too new): cuckoo=2.0.3 signature=powershell_reg_add minversion=2.0.4 maxversion=None
2017-09-04 18:18:15,026 [cuckoo.core.plugins] DEBUG: You are running a version of Cuckoo that's not compatible with this signature (either it's too old or too new): cuckoo=2.0.3 signature=powershell_unicorn minversion=2.0.4 maxversion=None
2017-09-04 18:18:15,026 [cuckoo.core.plugins] DEBUG: You are running a version of Cuckoo that's not compatible with this signature (either it's too old or too new): cuckoo=2.0.3 signature=powerworm minversion=2.0.4 maxversion=None
2017-09-04 18:18:15,030 [cuckoo.core.plugins] DEBUG: Running 458 signatures
2017-09-04 18:18:15,124 [cuckoo.core.plugins] DEBUG: Executed reporting module "Feedback"
2017-09-04 18:18:15,128 [cuckoo.core.plugins] DEBUG: Executed reporting module "JsonDump"
2017-09-04 18:18:15,477 [cuckoo.core.plugins] DEBUG: Executed reporting module "MongoDB"
2017-09-04 18:18:15,477 [cuckoo.core.scheduler] INFO: Task #24: reports generation completed (path=/home/a/.cuckoo/storage/analyses/24)
2017-09-04 18:18:15,591 [cuckoo.core.scheduler] INFO: Task #24: analysis procedure completed

Eterna1 commented 7 years ago

In the Xposed framework window I have this text:

Versions:          active    bundled
app_process        ---       58
XposedBridge.jar   54        54

Does this mean that Xposed is not installed successfully on my Android?

Eterna1 commented 7 years ago

This issue is the same as https://github.com/idanr1986/cuckoo-droid/issues/4. It works now.