kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

Processing Error: "Exception when processing task: 'info'" #2159

Closed RebootPhoenix closed 2 weeks ago

RebootPhoenix commented 3 weeks ago

Expected Behavior

After submitting a sample via the web interface, it reports analysis complete in the logs and completes the report processing.

Current Behavior

Submitting a sample via the web interface works, logs report analysis completes, but the web interface reports failed_processing. I do not understand how to solve the exception message thrown in the logs.

Steps to Reproduce

  1. Installed fresh with default settings as recommended in the docs
  2. Configured confs as guided.
  3. Logs report everything is up and running.
  4. Uploaded sample https://bazaar.abuse.ch/sample/a775277953ea0daab3cbec4aa2b37c5e0052172c05f7d4d0e8c39894c58fabe0/ via the web interface, using default parameters.
  5. Fails with "failed_processing"

Context

Git commit:      9765ef8e9e7e50bb7055dc1110c99c7eddad3240
Host OS version: Ubuntu 22.04
Guest OS version: Windows 10 Home Premium
VM software:     Qemu - KVM, Virt-Manager

Failure Logs

from $ journalctl -u cape-processor:

Jun 07 12:24:32 cape python3[4678]: 2024-06-07 12:24:32,897 [root] INFO: Processing analysis data for Task #9
Jun 07 12:24:33 cape python3[4678]: 2024-06-07 12:24:32,999 [root] ERROR: [9] Exception when processing task: 'info'
Jun 07 12:24:33 cape python3[4678]: pebble.common.RemoteTraceback: Traceback (most recent call last):
Jun 07 12:24:33 cape python3[4678]:   File "/home/cape/.cache/pypoetry/virtualenvs/capev2-t2x27zRb-py3.10/lib/python3.10/site-packages/pebble/common.py", line 174, in process_execute
Jun 07 12:24:33 cape python3[4678]:     return function(*args, **kwargs)
Jun 07 12:24:33 cape python3[4678]:   File "/opt/CAPEv2/utils/process.py", line 129, in process
Jun 07 12:24:33 cape python3[4678]:     RunSignatures(task=task_dict, results=results).run()
Jun 07 12:24:33 cape python3[4678]:   File "/opt/CAPEv2/utils/../lib/cuckoo/core/plugins.py", line 341, in __init__
Jun 07 12:24:33 cape python3[4678]:     self.signatures.append(signature(self.results))
Jun 07 12:24:33 cape python3[4678]:   File "/opt/CAPEv2/utils/../modules/signatures/windows/injection_rwx.py", line 27, in __init__
Jun 07 12:24:33 cape python3[4678]:     if self.results["info"]["package"] not in ["exe", "rar", "zip", "dll", "regsvr"]:
Jun 07 12:24:33 cape python3[4678]: KeyError: 'info'
Jun 07 12:24:33 cape python3[4678]: The above exception was the direct cause of the following exception:
Jun 07 12:24:33 cape python3[4678]: Traceback (most recent call last):
Jun 07 12:24:33 cape python3[4678]:   File "/opt/CAPEv2/utils/process.py", line 277, in processing_finished
Jun 07 12:24:33 cape python3[4678]:     _ = future.result()
Jun 07 12:24:33 cape python3[4678]:   File "/usr/lib/python3.10/concurrent/futures/_base.py", line 451, in result
Jun 07 12:24:33 cape python3[4678]:     return self.__get_result()
Jun 07 12:24:33 cape python3[4678]:   File "/usr/lib/python3.10/concurrent/futures/_base.py", line 403, in __get_result
Jun 07 12:24:33 cape python3[4678]:     raise self._exception
Jun 07 12:24:33 cape python3[4678]: KeyError: 'info'

from $ journalctl -u cape:

Jun 07 12:20:02 cape python3[1576]: 2024-06-07 12:20:02,978 [lib.cuckoo.core.machinery_manager] INFO: Task #9: found useable machine win10 (arch=x86, platform=windows)
Jun 07 12:20:02 cape python3[1576]: 2024-06-07 12:20:02,978 [lib.cuckoo.core.scheduler] INFO: Task #9: Processing task
Jun 07 12:20:03 cape python3[1576]: 2024-06-07 12:20:03,098 [lib.cuckoo.core.analysis_manager] INFO: Task #9: Starting analysis of FILE '/tmp/cuckoo-tmp/upload_pa7rh2t3/a775277953ea0daab3cb.exe'
Jun 07 12:20:29 cape python3[1576]: 2024-06-07 12:20:29,301 [lib.cuckoo.core.analysis_manager] INFO: Task #9: Enabled route 'none'.
Jun 07 12:20:29 cape python3[1576]: 2024-06-07 12:20:29,350 [lib.cuckoo.core.guest] INFO: Task #9: Starting analysis on guest (id=win10, ip=192.168.122.105)
Jun 07 12:20:29 cape python3[1576]: 2024-06-07 12:20:29,391 [lib.cuckoo.core.guest] INFO: Task #9: Guest is running CAPE Agent 0.17 (id=win10, ip=192.168.122.105)
Jun 07 12:20:34 cape python3[1576]: 2024-06-07 12:20:34,677 [lib.cuckoo.core.guest] INFO: Task #9: Uploading script files to guest (id=win10, ip=192.168.122.105)
Jun 07 12:20:57 cape python3[1576]: 2024-06-07 12:20:57,187 [lib.cuckoo.core.resultserver] INFO: Task 9: Process 5400 (parent 5112): a775277953ea0daab3cb.exe, path C:\Users\MaskedBandit\AppData\Local\Temp\a7752>
Jun 07 12:21:18 cape python3[1576]: 2024-06-07 12:21:18,299 [lib.cuckoo.core.resultserver] INFO: Task 9: Process 756 (parent 624): svchost.exe, path C:\Windows\System32\svchost.exe
Jun 07 12:21:21 cape python3[1576]: 2024-06-07 12:21:21,420 [lib.cuckoo.core.resultserver] INFO: Task 9: Process 5932 (parent 5400): powershell.exe, path C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Jun 07 12:21:21 cape python3[1576]: 2024-06-07 12:21:21,555 [lib.cuckoo.core.resultserver] INFO: Task 9: Process 5028 (parent 5400): schtasks.exe, path C:\Windows\SysWOW64\schtasks.exe
Jun 07 12:21:22 cape python3[1576]: 2024-06-07 12:21:22,017 [lib.cuckoo.core.resultserver] INFO: Task 9: Process 1064 (parent 624): svchost.exe, path C:\Windows\System32\svchost.exe
Jun 07 12:21:33 cape python3[1576]: 2024-06-07 12:21:33,149 [lib.cuckoo.core.resultserver] INFO: Task 9: Process 4996 (parent 5400): a775277953ea0daab3cb.exe, path C:\Users\MaskedBandit\AppData\Local\Temp\a7752>
Jun 07 12:22:04 cape python3[1576]: 2024-06-07 12:22:04,744 [lib.cuckoo.core.resultserver] INFO: Task 9: Process 2632 (parent 624): svchost.exe, path C:\Windows\System32\svchost.exe
Jun 07 12:24:31 cape python3[1576]: 2024-06-07 12:24:31,466 [lib.cuckoo.core.guest] INFO: Task #completed successfully: Analysis 9 (id=win10, ip=192.168.122.105)
Jun 07 12:24:32 cape python3[1576]: 2024-06-07 12:24:32,547 [lib.cuckoo.core.analysis_manager] INFO: Task #9: Completed analysis successfully.
Jun 07 12:24:32 cape python3[1576]: 2024-06-07 12:24:32,553 [lib.cuckoo.core.analysis_manager] INFO: Task #9: analysis procedure completed

RebootPhoenix commented 3 weeks ago

Sorry, misclicked the close issue button!

Hopefully I've supplied all the information needed. Thank you in advance for your time! :)

doomedraven commented 3 weeks ago

Try reprocessing it by hand in debug mode (see readme).

RebootPhoenix commented 3 weeks ago

Following your request, I ran the command:

$ poetry run python3 process.py -r 9 -d

This successfully processed and generated a report! Great :) (logs are rather large: https://pastebin.com/cuYaHGhk )

So I submitted a new sample, and I got the same error that processing failed with the same log message for the error.

This led me to test running process.py again on that sample, and it successfully generated the process report when manually called with the command above.

I then tested running the process.py without the -r flag. If I do not include this flag then the processing fails with the same original error from the logs.

2024-06-07 13:36:47,673 [root] INFO: Processing analysis data for Task #13
Jun 07 13:36:47 cape python3[4678]: 2024-06-07 13:36:47,694 [root] ERROR: [13] Exception when processing task: 'info'
Jun 07 13:36:47 cape python3[4678]: pebble.common.RemoteTraceback: Traceback (most recent call last):
Jun 07 13:36:47 cape python3[4678]:   File "/home/cape/.cache/pypoetry/virtualenvs/capev2-t2x27zRb-py3.10/lib/python3.10/site-packages/pebble/common.py", line 174, in process_execute
Jun 07 13:36:47 cape python3[4678]:     return function(*args, **kwargs)
Jun 07 13:36:47 cape python3[4678]:   File "/opt/CAPEv2/utils/process.py", line 129, in process
Jun 07 13:36:47 cape python3[4678]:     RunSignatures(task=task_dict, results=results).run()
Jun 07 13:36:47 cape python3[4678]:   File "/opt/CAPEv2/utils/../lib/cuckoo/core/plugins.py", line 341, in __init__
Jun 07 13:36:47 cape python3[4678]:     self.signatures.append(signature(self.results))
Jun 07 13:36:47 cape python3[4678]:   File "/opt/CAPEv2/utils/../modules/signatures/windows/injection_rwx.py", line 27, in __init__
Jun 07 13:36:47 cape python3[4678]:     if self.results["info"]["package"] not in ["exe", "rar", "zip", "dll", "regsvr"]:
Jun 07 13:36:47 cape python3[4678]: KeyError: 'info'
Jun 07 13:36:47 cape python3[4678]: The above exception was the direct cause of the following exception:
Jun 07 13:36:47 cape python3[4678]: Traceback (most recent call last):
Jun 07 13:36:47 cape python3[4678]:   File "/opt/CAPEv2/utils/process.py", line 277, in processing_finished
Jun 07 13:36:47 cape python3[4678]:     _ = future.result()
Jun 07 13:36:47 cape python3[4678]:   File "/usr/lib/python3.10/concurrent/futures/_base.py", line 451, in result
Jun 07 13:36:47 cape python3[4678]:     return self.__get_result()
Jun 07 13:36:47 cape python3[4678]:   File "/usr/lib/python3.10/concurrent/futures/_base.py", line 403, in __get_result
Jun 07 13:36:47 cape python3[4678]:     raise self._exception
Jun 07 13:36:47 cape python3[4678]: KeyError: 'info'

So my guess is that I've not correctly configured something for the cape-process?
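As an added illustration (not CAPE's own code), the shape of the failure in the tracebacks above: a signature that indexes self.results["info"] inside its constructor raises KeyError whenever the processing pipeline hands it a results dict that does not yet carry that key, while a guarded version degrades to "disabled" instead. The loader shows how to record which signature failed rather than failing the whole task. Class and function names are hypothetical; the sample results dicts are constructed.

```python
# Added illustration, not CAPE's own code. Shows why indexing
# results["info"] in a signature constructor raises KeyError when the
# key is absent, and how a loader can isolate that per signature.
from typing import Any


class FragileSignature:
    """Mirrors the failing constructor seen in the traceback (hypothetical)."""
    name = "fragile_injection_rwx"

    def __init__(self, results: dict[str, Any]):
        self.results = results
        # Unconditional indexing: KeyError: 'info' if the block is missing.
        self.enabled = results["info"]["package"] in ("exe", "dll")


class GuardedSignature:
    """Same check, tolerant of a missing or partial "info" block (hypothetical)."""
    name = "guarded_injection_rwx"

    def __init__(self, results: dict[str, Any]):
        self.results = results
        package = results.get("info", {}).get("package")
        self.enabled = package in ("exe", "dll")


def load_signatures(results: dict[str, Any], classes):
    """Instantiate each signature; record failures instead of aborting the task.

    Returns (loaded_instances, {signature_name: error_text}).
    """
    loaded, failed = [], {}
    for cls in classes:
        try:
            loaded.append(cls(results))
        except KeyError as exc:
            # str(exc) for KeyError('info') is "'info'", matching the log line.
            failed[cls.name] = f"KeyError: {exc}"
    return loaded, failed


if __name__ == "__main__":
    # Constructed sample: results without an "info" block, as during the failed run.
    ok, bad = load_signatures({}, [FragileSignature, GuardedSignature])
    print("loaded:", [s.name for s in ok])
    print("failed:", bad)
```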

doomedraven commented 3 weeks ago

Process and reprocess use the same config. Did you restart cape processing to see if that fixed it?