kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

ERROR: Failed to run the reporting module "MongoDB" #2188

Open albertososa95 opened 2 days ago

albertososa95 commented 2 days ago

Expected Behavior

Finished analysis with reports.

Current Behavior

When I submit a sample to analyze, an unhandled exception is thrown. See the Failure Logs section. I've installed Volatility3 for full memory dump analysis.

Steps to Reproduce

  1. Submit a sample via web interface.
  2. Boom!

Context

Git commit: 8727513a8c0494bd567ebddb9a5ca2874812ba0d
OS version: Ubuntu 22.04.4 LTS (host), Windows 10 (VM guest)

Config files:

cuckoo.conf

[cuckoo]
machinery_screenshots = on
memory_dump = on
freespace = 0

[resultserver]
ip = 192.168.2.1

auxiliary.conf

[auxiliary_modules]
procmon = yes
sysmon_windows = yes

[sniffer]
interface = virbr1

kvm.conf

[kvm]
machines = vm01

[vm01]
label = win10_msoffice
ip = 192.168.2.10
platform = windows
tags = win10,msoffice
snapshot = snapshot1
arch = x64

memory.conf

[basic]
guest_profile = Win10x64
delete_memdump = no

[malfind]
enabled = yes

[pslist]
enabled = yes

[psscan]
enabled = yes

[callbacks]
enabled = yes

[svcscan]
enabled = yes

processing.conf

[flare_capa]
enabled = yes
static = yes
cape = yes
procdump = yes

[detections]
virustotal = yes

[procmon]
enabled = yes

[memory]
enabled = yes

[virustotal]
enabled = yes
# API key omitted from this document for confidentiality.
key = 697P45....a59

[deduplication]
enabled = yes

[xlsdeobf]
enabled = yes

reporting.conf

[mitre]
enabled = yes

[reporthtml]
enabled = yes
screenshots = yes
apicalls = yes

[reporthtmlsummary]
enabled = yes
screenshots = yes

[reportpdf]
enabled = yes

web.conf

[malscore]
enabled = yes

Failure Logs

[screenshot: cape]

doomedraven commented 2 days ago

Try to disable capa in processing and reprocess a job, just as a test.

albertososa95 commented 2 days ago

CAPA disabled in processing and submitted a new sample with default options. Now it has a timeout:

[screenshot: cape3]

I think that CAPA is not the problem, since my sample is a .doc, so this error message from CAPA is correct. Anyway, I'm working with snapshots (the CAPE host is a VM) and I noticed that this error started after I installed Volatility3 and flare-floss via poetry:

$ sudo -u cape poetry run pip install -U volatility3 flare-floss

Could it be related?

doomedraven commented 2 days ago

Could be; I don't use the capa, floss or volatility integrations, so I don't know what state those plugins are in.

albertososa95 commented 2 days ago

So, if I understand correctly, memory analysis with Volatility should be done outside the CAPE host, right?

doomedraven commented 2 days ago

Well, you can use that in CAPE, but the thing here is that I don't maintain things that I don't use; that's just unrealistic. So sometimes the community or other people must help support updated versions of those libraries. It should work with the versions that are in pyproject, but if you install newer ones, that's not ensured by us.

albertososa95 commented 2 days ago

OK, perfect. I confirm that if I install Volatility, cape-processor crashes.

albertososa95 commented 2 days ago

Hi again! I set up tmpfs for memory dump analysis with Volatility and it doesn't crash due to the timeout now.

albertososa95 commented 2 days ago

News... I checked, and some of the Volatility modules configured in memory.conf are crashing the MongoDB reporting (the first log error in this issue).

doomedraven commented 2 days ago

Which modules are crashing it? Yes, tmpfs speeds up processing of memdumps a lot, but bear in mind that the more plugins you enable, the more you might need to consider increasing the timeout from 900 to a higher value.

albertososa95 commented 1 day ago

malfind is the first module that causes the crash. If you look at the first screenshot in the issue, the exception is thrown in the deepcopy function. Maybe there is a mismatch between library versions and the expected data structures (?)

doomedraven commented 1 day ago

Probably it returns something that wasn't converted to JSON.

albertososa95 commented 1 day ago

Mm, not sure about that. I tried replacing the deepcopy with a JSON dump and load (only for test purposes) and it doesn't throw any exceptions or errors. I have all modules enabled in memory.conf and it shows all the information in the web interface.
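
The two comments above disagree on whether the malfind result is JSON-clean or merely not deepcopy-able. The snippet below is an added example written for this page, not code from CAPEv2 or from either commenter: it walks a results tree the way a reporting stage would, reports the exact path of every value that copy.deepcopy() or json.dumps() rejects, and then shows a sanitising JSON round-trip that makes the tree safe for both. The malfind output is a constructed stand-in (the thread never identifies the real offending object); the thread lock planted in it is an assumed example of something deepcopy cannot clone.

```python
from __future__ import annotations

import copy
import json
import threading
from typing import Any, Iterator

# Constructed stand-in for the dict a memory-processing module hands to the
# reporting stage. ASSUMPTION: the real malfind output is not shown in the
# thread; "owner" holds a thread lock purely to trigger the deepcopy failure.
SAMPLE_RESULTS = {
    "malfind": {
        "config": {"enabled": True},
        "data": [
            {
                "process_name": "winword.exe",
                "pid": 1234,
                "start": 0x7FF000000000,
                "protection": "PAGE_EXECUTE_READWRITE",
                "hexdump": b"\x4d\x5a\x90\x00",      # bytes: deepcopy ok, json fails
                "tags": {"injected", "rwx"},          # set: deepcopy ok, json fails
                "owner": threading.Lock(),            # lock: deepcopy and json fail
            }
        ],
    },
    "pslist": {"config": {"enabled": True}, "data": [{"pid": 4, "name": "System"}]},
}


def _leaves(obj: Any, path: tuple = ()) -> Iterator[tuple[tuple, Any]]:
    """Yield (path, value) for every leaf; dicts and lists are descended,
    sets are treated as leaves because a JSON encoder rejects them whole."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _leaves(value, path + (key,))
    elif isinstance(obj, (list, tuple)):
        for index, value in enumerate(obj):
            yield from _leaves(value, path + (index,))
    else:
        yield path, obj


def find_unsafe(results: Any) -> list[tuple[str, str]]:
    """Return (dotted_path, reason) for each leaf that would break reporting:
    first values copy.deepcopy() cannot clone, then values json.dumps()
    cannot encode. Use this to pinpoint which plugin field is at fault."""
    problems: list[tuple[str, str]] = []
    for path, value in _leaves(results):
        dotted = ".".join(str(part) for part in path)
        try:
            copy.deepcopy(value)
        except Exception as exc:  # deepcopy raises TypeError on unpicklables
            problems.append((dotted, f"deepcopy: {exc}"))
            continue
        try:
            json.dumps(value)
        except TypeError as exc:
            problems.append((dotted, f"json: {exc}"))
    return problems


def sanitize(obj: Any) -> Any:
    """Rebuild a results tree from JSON-native types only. Deliberately lossy:
    bytes become hex strings, sets become sorted lists, anything else becomes
    its repr(). The output survives both deepcopy and a JSON/BSON encoder."""
    if isinstance(obj, dict):
        return {str(key): sanitize(value) for key, value in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [sanitize(value) for value in obj]
    if isinstance(obj, (set, frozenset)):
        return sorted((sanitize(value) for value in obj), key=str)
    if isinstance(obj, bytes):
        return obj.hex()
    if obj is None or isinstance(obj, (bool, int, float, str)):
        return obj
    return repr(obj)


def prepare_for_reporting(results: Any) -> Any:
    """Sanitise, then run the same two steps the reporting path performs."""
    clean = sanitize(results)
    clean = copy.deepcopy(clean)            # the call that crashed in the issue
    return json.loads(json.dumps(clean))    # what a JSON-style encoder sees


if __name__ == "__main__":
    for dotted, reason in find_unsafe(SAMPLE_RESULTS):
        print(f"{dotted}: {reason}")
    try:
        copy.deepcopy(SAMPLE_RESULTS)
    except TypeError as exc:
        print("deepcopy of raw results failed:", exc)
    print(json.dumps(prepare_for_reporting(SAMPLE_RESULTS), indent=1))
```

Running find_unsafe() against a real CAPE results dict (for instance by temporarily calling it from the reporting module before the deepcopy) gives the dotted path of the field that triggers the exception, which is more useful in a bug report than the traceback alone. sanitize() is a blunt tool: it discards type information, so it belongs in the processing module that produced the odd value, not as a global fix in the reporting stage.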

doomedraven commented 1 day ago

That's interesting, hm, I would need to investigate once I have some spare time.

On Thu, 27 Jun 2024, 14:35, Alberto Sosa wrote:

> Mm, not sure about that. I tried replacing the deepcopy with a JSON dump and load (only for test purposes) and it doesn't throw any exceptions or errors. I have all modules enabled in memory.conf and it shows all the information in the web interface.