Closed jezkerwin closed 6 months ago
Hello, sorry for the delay. I was able to reproduce it, thank you for reporting it. Fixed here: https://github.com/kevoreilly/CAPEv2/commit/c972a9b631119afd6671ab6417852d629e596670
Update and restart the web service: systemctl restart cape-web
Expected Behavior
This is more of a general question rather than a problem, to set my expectations. I just built an instance following the official instructions and have configured an x64 Windows 10 guest.
I'm submitting this sample, https://bazaar.abuse.ch/sample/c165d80706ccb48e3d5f77a51068771dec247362a8726588c563f335a3df5b6e/, which is a LockBit ransomware sample.
When watching the VM guest via virt-manager as the analysis is being conducted, I would've thought I would see the typical ransomware page of "your files have been locked" when the sample is being executed on the VM. If I run the malware sample exe manually inside the VM (i.e. via a double-click) I get the 'your files are locked, pay us bitcoin' message, but I'm not seeing it during the analysis.
My question is: is this normal behaviour? Is the malware sample being executed in the background via the agent and I'm simply not seeing the actual activity on the VM guest, or could there be something else happening that I'm not seeing?
Current Behavior
The analysis report shows signatures that seem to suggest it has detected 'ransomware' activity, but the usual page doesn't appear on the Windows VM, so no screenshot is captured showing it. I'm wondering if this is normal?
Steps to Reproduce
Run CAPE using poetry:
cape@capev2:/opt/CAPEv2$ poetry run python3 cuckoo.py -d
Submit the LockBit sample using poetry:
cape@capev2:/opt/CAPEv2$ poetry run python3 utils/submit.py -d --platform windows /home/cape/c165d80706ccb48e3d5f77a51068771dec247362a8726588c563f335a3df5b6e.zip
Received the following error, but the job seems to submit successfully.
Context
Analysis Logs
cuckoo.conf
The only change in the cuckoo.conf file from the cuckoo.conf.default file is the IP address of the results server, which I've set to the host-only KVM network of 10.10.1.1.
kvm.conf
Not much changed in this file, I only specified the analysis VM guest.
auxiliary.conf
The only thing changed was turning off the sniffer; I think that was causing some issues.