kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

human.py automated interaction will often start the Settings app and/or Microsoft Store in Windows 10 Pro 21H2 build 19044.2965 #1564

Closed seanthegeek closed 1 year ago

seanthegeek commented 1 year ago

Expected Behavior

human.py automated interaction should not cause applications other than the sample to launch.

Current Behavior

The Windows 10 Settings app and/or the Microsoft Store will often (but not always!) launch at some point while the analysis is running, even after removing %USERPROFILE%\AppData\Local\Microsoft\WindowsApps from the user PATH environment variable as described here (https://github.com/kevoreilly/CAPEv2/issues/1237#issuecomment-1308208474), and setting multiple Group Policy settings to try and disable the Microsoft Store.

Failure Information (for bugs)

This particular analysis was a JavaScript file that attempts to drop QuakBot, but it happens with almost any and every analysis when automated interaction is not disabled (e.g., pafish).

The Windows Store opens almost immediately after the sample is detonated, without even touching the Start menu (not sure why it is complaining about the internet connection when you can see the icon in the system tray shows an active internet connection).


Right after that, the Settings app opens.


Somehow, CAPE navigates to the Display options, despite that option not being visible in the small size of the settings window.


Then the Microsoft Store window behind the Settings window is closed.


Then somehow, the Settings app is back to the main page before the analysis ends.


Steps to Reproduce

Please provide detailed steps for reproducing the issue.

  1. Set up a CAPE VM running Windows 10 21H2 (possibly newer versions too, but I have not tested that yet. I can provide install ISOs if needed), with or without all current Windows update patches applied
  2. Remove %USERPROFILE%\AppData\Local\Microsoft\WindowsApps from the user PATH environment variable
  3. Set the Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off access to the Store Group Policy setting to Enabled
  4. Set the Computer Configuration\Administrative Templates\Windows Components\Store\Disable all apps from Microsoft Store Group Policy setting to Enabled
  5. Set the Computer Configuration\Administrative Templates\Windows Components\Store\Turn off Automatic Download and Install of updates Group Policy setting to Enabled
  6. Set the Computer Configuration\Administrative Templates\Windows Components\Store\Turn off the Store application Group Policy setting to Enabled
  7. Reboot the VM
  8. Take a running snapshot for use with CAPE
  9. Run multiple files and/or URLs through the analysis VM with automated interaction enabled
  10. Run the same samples with automated interaction disabled for comparison

Context

Git commit: 2868a2f6337bd343568211f1a0893c3add71035c
OS version: Windows 10 Pro 21H2 build 19044.2965

The problem of complications introduced by new Windows builds is only going to get worse. Microsoft does not provide ISOs for older releases of Windows 10 or 11 anymore unless you are an MSDN subscriber. This means that people building new sandbox VMs will be forced to use the latest release ISO or download potentially tainted older ISOs from third-party mirrors. I'm lucky that I hoarded old ISOs back when Microsoft offered those ISOs for anyone to download directly.

doomedraven commented 1 year ago

I have the same version; just following that comment from another issue solved that for me, so I guess you will need to dig into how to solve that or wait till someone will solve that for you.

PS thanks for improving a lot issue descriptions <3

RoemIko commented 1 year ago

You also need to remove %USERPROFILE%\AppData\Local\Microsoft\WindowsApps in the public folder, not just the account folder

seanthegeek commented 1 year ago

You also need to remove %USERPROFILE%\AppData\Local\Microsoft\WindowsApps in the public folder, not just the account folder

@RoemIko Do you mean delete the actual folder? Not just removing it from the PATH of the user?

RoemIko commented 1 year ago

Yes delete the entire folder

seanthegeek commented 1 year ago

@RoemIko I don't see any AppData folder under C:\Users\Public. I just tried deleting the WindowsApp folder for my actual user, and that did not resolve the problem.


@doomedraven Looking around the settings, it looks like there isn't a way to disable clicking? That might have a side effect of working around this issue. I'd like to allow it to move the mouse, but not click on random things. That can do other unexpected things when analyzing an Office document or a URL in a browser.

doomedraven commented 1 year ago

idk, I did that a long time ago, took a snapshot and forgot about this, so I can't really help here much more

RoemIko commented 1 year ago

@seanthegeek is there another user account that can have that folder? I removed the appdata folder on the sandbox user and the public folder one. Which solved the problem on my end.

As for disabling clicking, you have to look in human.py where the function click_mouse is defined. Removing or altering it should help with your issue.

RoemIko commented 1 year ago

Also, did you reboot the VM after removing the map?

RoemIko commented 1 year ago

I see what I did, I removed the folder out of the default user, try removing C:\Users\Default\AppData\Local\Microsoft\WindowsApp
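To check whether a sandbox VM still has any of the leftovers this thread points at (WindowsApps in PATH, the WindowsApps folder in any profile including Default and Public, the Store package, and Store/Settings processes left running), here is an added PowerShell audit script. It is not part of CAPE or of this thread, and it assumes profiles live under C:\Users and that it is run from an elevated PowerShell inside the VM.

```powershell
# Added audit script (not part of CAPE): report the VM-side leftovers this
# thread blames for Store/Settings launches during human.py interaction.
# Assumes profiles live under C:\Users; run in an elevated PowerShell.
$findings = @()

# 1. PATH entries pointing at a WindowsApps folder (user and machine scope)
foreach ($scope in 'User', 'Machine') {
    $entries = [Environment]::GetEnvironmentVariable('Path', $scope) -split ';'
    foreach ($e in ($entries | Where-Object { $_ -like '*\Microsoft\WindowsApps*' })) {
        $findings += "PATH ($scope) still contains $e"
    }
}

# 2. WindowsApps folder in every profile; -Force includes hidden ones like Default
foreach ($prof in Get-ChildItem 'C:\Users' -Directory -Force) {
    $dir = Join-Path $prof.FullName 'AppData\Local\Microsoft\WindowsApps'
    if (Test-Path -LiteralPath $dir) { $findings += "Folder present: $dir" }
}

# 3. Microsoft Store package still installed for any user
foreach ($pkg in Get-AppxPackage -AllUsers -Name '*WindowsStore*') {
    $findings += "Store package present: $($pkg.PackageFullName)"
}

# 4. Store (WinStore.App) or Settings (SystemSettings) processes still running,
#    e.g. after a human.py run in a VM that was not reverted to its snapshot
foreach ($proc in Get-Process -Name 'WinStore.App', 'SystemSettings' -ErrorAction SilentlyContinue) {
    $findings += "Running: $($proc.ProcessName) (PID $($proc.Id))"
}

if ($findings.Count -eq 0) {
    Write-Host 'No WindowsApps / Store leftovers found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it before taking the snapshot that CAPE will use; any warning it prints is one of the items the thread suggests removing.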

seanthegeek commented 1 year ago

Thanks. I just tried that and it didn't work either.

Even before that change, I'm seeing the return of the black screen issue I described in #1562 that I thought I had fixed, even after reverting to a known good snapshot. These issues (that no one else seems to have) are making me question the integrity of my SSD...and my sanity. 😅

I think my next step will be trying to rebuild everything from scratch on a new SSD. I'm not looking forward to going through phone activation for Windows and Office again. I'm absolutely backing up that new VM right after I do that, before I touch anything else. 🤦🏼‍♂️

seanthegeek commented 1 year ago

Yep! it was a faulty SSD. I rebuilt my entire sandbox from scratch and the Windows Store and black screen issues did not pop up again.

I highly recommend the WD Red SN700 4 TB NVMe SSD (WDS400T1R0C) It is intended for NAS use and has a high durability rating of 5100 terabytes written (TBW).

seanthegeek commented 1 year ago

I spoke too soon. The random black screen issue is fixed, but the Microsoft Store and/or Windows Settings keeps popping up close to the end of a 200 second analysis run. None of the above suggestions worked, so I decided to fully remove the Microsoft Store app using PowerShell as Administrator.

Get-AppxPackage -alluser *WindowsStore* | Remove-Appxpackage
Clear-History

However, the Settings app still opened up. Interestingly, pafish is the only sample that has done this that I've noticed so far.

@doomedraven @RoemIko Can you try running pafish64.exe in your CAPE instance for 200 seconds and let me know what happens?

https://github.com/a0rtega/pafish/releases/download/v0.6/pafish64.exe

seanthegeek commented 1 year ago

pafish is not the only sample that does this after all. A JS dropper opened the Settings app too.

seanthegeek commented 1 year ago

I have reverted to a snapshot from before I removed the Microsoft Store. For now, I have set human_windows to no in the auxiliary_modules section of conf/auxiliary.conf. In a way it's nice, because it's one less thing our analysts have to remember when investigating a URL with live interaction. 😅

RoemIko commented 1 year ago

Sorry for the late reply, but my instance does not open the microsoft store or settings apps after removing the directory mentioned above. I tested with PaFish and with the following samples
seanthegeek commented 1 year ago

Hmm. The only other possible difference I can think of is the Windows patch level. I had to install Windows patches to avoid the crashing issue I described in #1588, and with Windows 10+ patches being cumulative, I have no idea when a patch might have been introduced that breaks or fixes something with CAPE.

@RoemIko @doomedraven Can you please try cloning one of your known good Windows 10 VMs, install the latest Windows patches, and see if you can reproduce the problem?

doomedraven commented 1 year ago

I don't have time for that and I'm not interested in that testing, sorry.


seanthegeek commented 1 year ago

Apparently this was also caused by #1618 because it hasn't happened since I fixed that.