kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

No Behavioral analysis (volatility instantiation failure) #2109

Closed andrisr223 closed 4 months ago

andrisr223 commented 4 months ago

Hello,

For now I am stuck with obtaining behavioral analysis for a sample. I did a reinstall of CAPEv2; volatility instantiation from Python fails. Would be grateful for pointers where to dig.

Prerequisites

Please answer the following questions for yourself before submitting an issue.

Expected Behavior

Behavioral analysis shows some process information.

Current Behavior

Behavioral analysis tab does not show any information, just the text "Process Tree"; logs show that volatility execution failed.

Failure Information (for bugs)

poetry run vol -v -f storage/analyses/5/memory.dmp windows.info works and shows information.

Steps to Reproduce

Submit a sample through the web interface, wait until completion.

Context

Question: Answer
Git commit: 15e7642cdf588559fa56c5a1d8daaaf94c20fb47
OS version: Linux 6.5.0-27-generic #28~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Mar 15 10:51:06 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

The box has more than 64 GB of RAM.

Failure Logs

2024-05-08 08:32:55,312 [root] INFO: Processing analysis data for Task #5
2024-05-08 08:39:01,337 [Task 5] [volatility3.framework.symbols.windows.pdbutil] WARNING: Symbol file could not be downloaded from remote server
2024-05-08 08:39:01,345 [Task 5] [root] ERROR: Generic error executing volatility
Traceback (most recent call last):
  File "/opt/CAPEv2/utils/../modules/processing/memory.py", line 342, in run
    results = vol.run()
  File "/opt/CAPEv2/utils/../modules/processing/memory.py", line 245, in run
    results["pslist"] = vol3.run("windows.pslist.PsList")
  File "/opt/CAPEv2/utils/../modules/processing/memory.py", line 135, in run
    constructed = plugins.construct_plugin(self.ctx, automagics, plugin, "plugins", None, None)
  File "/home/cape/.cache/pypoetry/virtualenvs/capev2-t2x27zRb-py3.10/lib/python3.10/site-packages/volatility3/framework/plugins/__init__.py", line 60, in construct_plugin
    raise exceptions.UnsatisfiedException(unsatisfied)
volatility3.framework.exceptions.UnsatisfiedException
2024-05-08 08:39:01,346 [Task 5] [lib.cuckoo.core.plugins] ERROR: Failed to run the processing module "Memory": 'NoneType' object has no attribute 'delete_memdump_on_exception'
Traceback (most recent call last):
  File "/opt/CAPEv2/utils/../modules/processing/memory.py", line 342, in run
    results = vol.run()
  File "/opt/CAPEv2/utils/../modules/processing/memory.py", line 245, in run
    results["pslist"] = vol3.run("windows.pslist.PsList")
  File "/opt/CAPEv2/utils/../modules/processing/memory.py", line 135, in run
    constructed = plugins.construct_plugin(self.ctx, automagics, plugin, "plugins", None, None)
  File "/home/cape/.cache/pypoetry/virtualenvs/capev2-t2x27zRb-py3.10/lib/python3.10/site-packages/volatility3/framework/plugins/__init__.py", line 60, in construct_plugin
    raise exceptions.UnsatisfiedException(unsatisfied)
volatility3.framework.exceptions.UnsatisfiedException

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/CAPEv2/utils/../lib/cuckoo/core/plugins.py", line 247, in process
    data = current.run()
  File "/opt/CAPEv2/utils/../modules/processing/memory.py", line 345, in run
    if self.options.basic.delete_memdump_on_exception:
AttributeError: 'NoneType' object has no attribute 'delete_memdump_on_exception'
2024-05-08 08:39:51,615 [Task 5] [lib.cuckoo.core.plugins] ERROR: Failed to run the processing module "extract_overlay_data": 'extract_overlay_data' object has no attribute 'key'
Traceback (most recent call last):
  File "/opt/CAPEv2/utils/../lib/cuckoo/core/plugins.py", line 253, in process
    return {current.key: data}
AttributeError: 'extract_overlay_data' object has no attribute 'key'
2024-05-08 08:39:51,805 [root] INFO: Reports generation completed for Task #5
/opt/CAPEv2$ poetry run vol -v -f storage/analyses/5/memory.dmp windows.info
Volatility 3 Framework 2.5.2
INFO     volatility3.cli: Volatility plugins path: ['/home/cape/.cache/pypoetry/virtualenvs/capev2-t2x27zRb-py3.10/lib/python3.10/site-packages/volatility3/plugins', '/home/cape/.cache/pypoetry/virtualenvs/capev2-t2x27zRb-py3.10/lib/python3.10/site-packages/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/home/cape/.cache/pypoetry/virtualenvs/capev2-t2x27zRb-py3.10/lib/python3.10/site-packages/volatility3/symbols', '/home/cape/.cache/pypoetry/virtualenvs/capev2-t2x27zRb-py3.10/lib/python3.10/site-packages/volatility3/framework/symbols']
INFO     volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.cachedump, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump
INFO     volatility3.framework.automagic: Detected a windows category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
INFO     volatility3.framework.symbols.windows.pdbconv: Download PDB file...
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
symbols/ntkrnlmp.pdb/89284D0CA6ACC8274B9A44BD5AF9290B1/ntkrnlmp.pdb
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder                                                                         
INFO     volatility3.framework.automagic: Running automagic: KernelModule

Variable    Value
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema

Kernel Base 0xf80562a00000
DTB 0x1ad000
Symbols file:///home/cape/.cache/pypoetry/virtualenvs/capev2-t2x27zRb-py3.10/lib/python3.10/site-packages/volatility3/symbols/windows/ntkrnlmp.pdb/89284D0CA6ACC8274B9A44BD5AF9290B-1.json.xz
Is64Bit True
IsPAE   False
layer_name  0 WindowsIntel32e
memory_layer    1 Elf64Layer
base_layer  2 FileLayer
KdVersionBlock  0xf8056360f3a0
Major/Minor 15.19041
MachineType 34404
KeNumberProcessors  1
SystemTime  2024-05-08 05:28:11
NtSystemRoot    C:\Windows
NtProductType   NtProductWinNt
NtMajorVersion  10
NtMinorVersion  0
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema

PE MajorOperatingSystemVersion  10
PE MinorOperatingSystemVersion  0
PE Machine  34404
PE TimeDateStamp    Fri May 20 08:24:42 2101

$ diff -u default/memory.conf.default memory.conf
--- default/memory.conf.default 2024-05-07 12:56:20.000000000 +0000
+++ memory.conf 2024-05-08 06:49:10.626719023 +0000
@@ -18,50 +18,43 @@
 # Scans for hidden/injected code and dlls
 # http://code.google.com/p/volatility/wiki/CommandReferenceMal23#malfind
 [malfind]
-enabled = no
+enabled = yes
 filter = on

 # Lists official processes. Does not detect hidden processes
-# https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#pslist
+# http://code.google.com/p/volatility/wiki/CommandReference23#pslist
 [pslist]
-enabled = no
+enabled = yes
 filter = off

-# Process listing in tree form. Does not detect hidden processes (Don't work currently in CAPE)
-# https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#pstree
+# Lists hidden processes. Uses several tricks to identify them
+# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#psxview
 [pstree]
 enabled = no
 filter = off

-# Lists hidden processes. Enumerate processes in the Kernel memory using pool tag scanning _POOL_HEADER
-# https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#psscan
-[psscan]
-enabled = no
-filter = off
-
-
 # Show callbacks
 # http://code.google.com/p/volatility/wiki/CommandReferenceMal23#callbacks
 [callbacks]
-enabled = no
+enabled = yes
 filter = off

 # Show sids
 # http://code.google.com/p/volatility/wiki/CommandReference23#getsids
 [getsids]
-enabled = no
+enabled = yes
 filter = off

 # Show privileges
 # http://code.google.com/p/volatility/wiki/CommandReference23#privs
 [privs]
-enabled = no
+enabled = yes
 filter = off

 # Display processes' loaded DLLs- Does not display hidden DLLs
 # http://code.google.com/p/volatility/wiki/CommandReference23#dlllist
 [dlllist]
-enabled = no
+enabled = yes
 filter = on
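Review bot: the replacement comment above `[pstree]` (`+# Lists hidden processes. Uses several tricks to identify them` / `+# http://code.google.com/p/volatility/wiki/CommandReferenceMal23#psxview`) describes psxview while the section header stays `[pstree]`, so the file now documents a plugin it does not configure; either restore the pstree comment or rename the section to the plugin actually intended. The `[psscan]` block is also deleted outright rather than left at `enabled = no`, and the pslist reference link is swapped from the volatilityfoundation GitHub wiki to the old code.google.com page; keeping the default's links and its disabled sections makes future diffs against memory.conf.default easier to read.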
doomedraven commented 4 months ago

Do git pull and restart processing (sudo systemctl restart cape-processor). That should handle the vol3 exception for pslist; why that happens, idk, I haven't used vol for a long time already.

andrisr223 commented 4 months ago

Ok, thanks! (The exception is no more.) Will try to figure out what causes this for me.
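The traceback in the issue above shows an AttributeError raised inside the except branch at memory.py line 345 (self.options.basic is None there), which buries the real failure, the UnsatisfiedException from construct_plugin, as the chained `__context__`. The following is an added example, not CAPEv2 or volatility3 code: it models that handler with constructed stand-ins (the exception class, the plugin construction stub, the requirement name and the options object are all assumptions), shows a guarded variant that lets the root cause propagate, and walks the exception chain the way a responder reading such a log would.

```python
from types import SimpleNamespace

class UnsatisfiedException(Exception):
    """Constructed stand-in for volatility3's UnsatisfiedException."""
    def __init__(self, unsatisfied):
        super().__init__(", ".join(sorted(unsatisfied)))
        self.unsatisfied = unsatisfied  # requirement path -> requirement

def construct_plugin_stub():
    # Stand-in for plugins.construct_plugin() failing; requirement name constructed.
    raise UnsatisfiedException({"plugins.PsList.kernel": "symbol table"})

def run_buggy(options):
    # Same shape as memory.py:342-345 in the traceback: the except branch
    # dereferences options.basic unconditionally, so a None there masks
    # the root cause with an AttributeError.
    try:
        return construct_plugin_stub()
    except Exception:
        if options.basic.delete_memdump_on_exception:
            pass  # memory.dmp would be deleted here
        raise

def run_guarded(options):
    # Hardened variant: the cleanup decision cannot raise on missing config,
    # so the volatility error propagates unchanged.
    try:
        return construct_plugin_stub()
    except Exception:
        basic = getattr(options, "basic", None)
        if getattr(basic, "delete_memdump_on_exception", False):
            pass  # memory.dmp would be deleted here
        raise

def root_cause(exc):
    # Follow __cause__/__context__ to the innermost exception, which is
    # what a responder needs to read out of a chained traceback.
    while exc.__cause__ is not None or exc.__context__ is not None:
        exc = exc.__cause__ if exc.__cause__ is not None else exc.__context__
    return exc

def diagnose(runner, options):
    # Returns (outer exception type, root-cause type, unsatisfied requirements).
    try:
        runner(options)
    except Exception as exc:
        root = root_cause(exc)
        return type(exc).__name__, type(root).__name__, sorted(getattr(root, "unsatisfied", {}))

# Constructed config object: [basic] section absent, as in the issue log.
BROKEN_OPTIONS = SimpleNamespace(basic=None)
```

With the buggy handler, `diagnose` reports AttributeError as the outer error and only the chain walk reveals the UnsatisfiedException; with the guarded handler the UnsatisfiedException surfaces directly.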