kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

modules.packages.exe unable to execute initial process #2202

Status: Closed (joser12345678 closed this issue 2 months ago)

joser12345678 commented 2 months ago

Expected Behavior

I am trying to submit some .exe files to my Windows 10 VM for analysis. I am expecting the analysis to finish without exceptions being thrown.

Current Behavior

I get some analysis information back (for example some network traffic and some signatures that were detected), but looking at the analysis log I can see that the exe package fails to execute. The log file is attached.

I have ensured I am running 32-bit Python and that the task set up to run the agent runs with the highest privileges. In case it is of any consequence (I figure it might be): I am using Windows 10 22H2, but after reading this issue I figured it wasn't a big issue:

https://github.com/kevoreilly/CAPEv2/issues/1376

Failure Information (for bugs)

Steps to Reproduce

  1. Install CAPE and a Windows 10 22H2 VM and follow the setup documented in the CAPEv2 docs
  2. Submit an exe sample from Malware Bazaar (one I have used for my testing: https://bazaar.abuse.ch/sample/e80d50169fc57630d4b0c5c53a321ccd86797779bababefff31268224f1a4163/)
  3. Look at the analysis log in the CAPE UI

Context

Question      Answer
Git commit    8727513a8c0494bd567ebddb9a5ca2874812ba0d
OS version    Windows 10 VM on Ubuntu 22 server

Failure Logs

Analysis log:

2024-07-01 14:07:21,558 [root] INFO: Date set to: 20240701T16:52:26, timeout set to: 200
2024-07-01 16:52:30,009 [root] DEBUG: Target: C:\Users\joe\AppData\Local\Temp\e80d50169fc57630d4b0.exe
2024-07-01 16:52:30,009 [root] DEBUG: Starting analyzer from: C:\tmp5vef11xa
2024-07-01 16:52:30,009 [root] DEBUG: Storing results at: C:\VtdkEWY
2024-07-01 16:52:30,017 [root] DEBUG: Pipe server name: \\.\PIPE\OLTdzfgwB
2024-07-01 16:52:30,017 [root] DEBUG: Python path: C:\Users\joe\AppData\Local\Programs\Python\Python310-32
2024-07-01 16:52:30,017 [root] INFO: analysis running as an admin
2024-07-01 16:52:30,020 [root] INFO: analysis package specified: "exe"
2024-07-01 16:52:30,020 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2024-07-01 16:52:33,502 [root] DEBUG: imported analysis package "exe"
2024-07-01 16:52:33,502 [root] DEBUG: initializing analysis package "exe"...
2024-07-01 16:52:33,505 [root] DEBUG: Created directory C:\Users\joe\AppData\Local\Temp\e80d50169fc57630d4b0.exe
2024-07-01 16:52:33,505 [lib.common.common] INFO: wrapping
2024-07-01 16:52:33,505 [lib.core.compound] INFO: C:\Users\joe\AppData\Local\Temp already exists, skipping creation
2024-07-01 16:52:33,505 [lib.common.abstracts] DEBUG: new curdir: C:\Users\joe\AppData\Local\Temp
2024-07-01 16:52:33,505 [lib.common.abstracts] DEBUG: newpath: C:\Users\joe\AppData\Local\Temp\e80d50169fc57630d4b0.exe
2024-07-01 16:52:33,514 [root] DEBUG: New location of moved file: C:\Users\joe\AppData\Local\Temp\e80d50169fc57630d4b0.exe
2024-07-01 16:52:33,526 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2024-07-01 16:52:33,529 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2024-07-01 16:52:33,529 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2024-07-01 16:52:33,529 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2024-07-01 16:52:34,722 [root] DEBUG: Importing auxiliary module "modules.auxiliary.amsi"...
2024-07-01 16:52:43,769 [root] DEBUG: Importing auxiliary module "modules.auxiliary.amsi_collector"...
2024-07-01 16:52:43,941 [root] DEBUG: Importing auxiliary module "modules.auxiliary.autoruns"...
2024-07-01 16:52:45,222 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2024-07-01 16:52:45,300 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2024-07-01 16:52:45,410 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2024-07-01 16:52:45,503 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2024-07-01 16:52:45,613 [root] DEBUG: Importing auxiliary module "modules.auxiliary.during_script"...
2024-07-01 16:52:45,628 [root] DEBUG: Importing auxiliary module "modules.auxiliary.evtx"...
2024-07-01 16:52:45,644 [root] DEBUG: Importing auxiliary module "modules.auxiliary.filepickup"...
2024-07-01 16:52:45,644 [root] DEBUG: Importing auxiliary module "modules.auxiliary.html_scraper"...
2024-07-01 16:52:49,160 [modules.auxiliary.html_scraper] ERROR: No module named 'selenium'
2024-07-01 16:52:49,160 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2024-07-01 16:52:49,239 [root] DEBUG: Importing auxiliary module "modules.auxiliary.permissions"...
2024-07-01 16:52:49,271 [root] DEBUG: Importing auxiliary module "modules.auxiliary.pre_script"...
2024-07-01 16:52:49,271 [root] DEBUG: Importing auxiliary module "modules.auxiliary.procmon"...
2024-07-01 16:52:49,284 [root] DEBUG: Importing auxiliary module "modules.auxiliary.recentfiles"...
2024-07-01 16:52:49,363 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2024-07-01 16:52:49,378 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2024-07-01 16:52:49,378 [lib.api.screenshot] ERROR: No module named 'PIL'
2024-07-01 16:52:49,378 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2024-07-01 16:52:49,456 [root] DEBUG: Importing auxiliary module "modules.auxiliary.tlsdump"...
2024-07-01 16:52:49,456 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2024-07-01 16:52:49,504 [root] DEBUG: Initialized auxiliary module "AMSICollector"
2024-07-01 16:52:49,504 [root] DEBUG: Trying to start auxiliary module "AMSICollector"...
2024-07-01 16:52:49,738 [root] DEBUG: Started auxiliary module AMSICollector
2024-07-01 16:52:49,738 [root] WARNING: Auxiliary module Autoruns was not implemented: 'Config' object has no attribute 'autoruns'
2024-07-01 16:52:49,753 [root] DEBUG: Initialized auxiliary module "Browser"
2024-07-01 16:52:49,753 [root] DEBUG: Trying to start auxiliary module "Browser"...
2024-07-01 16:52:49,880 [root] DEBUG: Started auxiliary module Browser
2024-07-01 16:52:49,880 [root] DEBUG: Initialized auxiliary module "Curtain"
2024-07-01 16:52:49,880 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2024-07-01 16:52:50,144 [root] DEBUG: Started auxiliary module Curtain
2024-07-01 16:52:50,144 [root] DEBUG: Initialized auxiliary module "DigiSig"
2024-07-01 16:52:50,144 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2024-07-01 16:52:50,144 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2024-07-01 16:52:55,566 [modules.auxiliary.digisig] ERROR: Traceback (most recent call last):
  File "C:\tmp5vef11xa\modules\auxiliary\digisig.py", line 134, in start
    errmsg = b" ".join(err.split(b":", 1)[1].split())
IndexError: list index out of range
Traceback (most recent call last):
  File "C:\tmp5vef11xa\modules\auxiliary\digisig.py", line 134, in start
    errmsg = b" ".join(err.split(b":", 1)[1].split())
IndexError: list index out of range
2024-07-01 16:52:55,581 [root] DEBUG: Started auxiliary module DigiSig
2024-07-01 16:52:55,581 [root] DEBUG: Initialized auxiliary module "Disguise"
2024-07-01 16:52:55,581 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2024-07-01 16:52:56,785 [modules.auxiliary.disguise] INFO: Disguising GUID to bf890013-f5ea-4abb-9b7f-6e31f139269f
2024-07-01 16:52:56,785 [root] DEBUG: Started auxiliary module Disguise
2024-07-01 16:52:56,785 [root] DEBUG: Initialized auxiliary module "Evtx"
2024-07-01 16:52:56,785 [root] DEBUG: Trying to start auxiliary module "Evtx"...
2024-07-01 16:52:56,956 [root] DEBUG: Started auxiliary module Evtx
2024-07-01 16:52:56,956 [root] DEBUG: Initialized auxiliary module "FilePickup"
2024-07-01 16:52:56,956 [root] DEBUG: Trying to start auxiliary module "FilePickup"...
2024-07-01 16:52:56,956 [root] DEBUG: Started auxiliary module FilePickup
2024-07-01 16:52:56,956 [root] DEBUG: Initialized auxiliary module "HtmlScraper"
2024-07-01 16:52:56,956 [root] DEBUG: Trying to start auxiliary module "HtmlScraper"...
2024-07-01 16:52:57,082 [root] DEBUG: Started auxiliary module HtmlScraper
2024-07-01 16:52:58,268 [root] DEBUG: Initialized auxiliary module "Human"
2024-07-01 16:52:58,268 [root] DEBUG: Trying to start auxiliary module "Human"...
2024-07-01 16:52:58,440 [root] DEBUG: Started auxiliary module Human
2024-07-01 16:52:58,440 [root] DEBUG: Initialized auxiliary module "Permissions"
2024-07-01 16:52:58,440 [root] DEBUG: Trying to start auxiliary module "Permissions"...
2024-07-01 16:52:58,440 [root] DEBUG: Started auxiliary module Permissions
2024-07-01 16:52:58,440 [root] DEBUG: Initialized auxiliary module "Pre_script"
2024-07-01 16:52:58,440 [root] DEBUG: Trying to start auxiliary module "Pre_script"...
2024-07-01 16:52:58,440 [root] DEBUG: Started auxiliary module Pre_script
2024-07-01 16:52:58,440 [root] DEBUG: Initialized auxiliary module "Procmon"
2024-07-01 16:52:58,440 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2024-07-01 16:52:58,815 [root] DEBUG: Started auxiliary module Procmon
2024-07-01 16:52:58,815 [root] DEBUG: Initialized auxiliary module "RecentFiles"
2024-07-01 16:52:58,815 [root] DEBUG: Trying to start auxiliary module "RecentFiles"...
2024-07-01 16:52:58,815 [root] DEBUG: Started auxiliary module RecentFiles
2024-07-01 16:52:58,815 [root] DEBUG: Initialized auxiliary module "Screenshots"
2024-07-01 16:52:58,815 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2024-07-01 16:52:58,956 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2024-07-01 16:52:58,956 [root] DEBUG: Started auxiliary module Screenshots
2024-07-01 16:52:58,956 [root] DEBUG: Initialized auxiliary module "Sysmon"
2024-07-01 16:52:58,956 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2024-07-01 16:52:58,956 [root] DEBUG: Started auxiliary module Sysmon
2024-07-01 16:52:58,972 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2024-07-01 16:52:58,972 [root] DEBUG: Trying to start auxiliary module "TLSDumpMasterSecrets"...
2024-07-01 16:52:58,972 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 592
2024-07-01 16:53:18,831 [lib.api.process] INFO: Monitor config for <Process 592 lsass.exe>: C:\tmp5vef11xa\dll\592.ini
2024-07-01 16:53:18,988 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2024-07-01 16:53:18,988 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp5vef11xa\dll\sqNcbRKb.dll, loader C:\tmp5vef11xa\bin\DbbZopaS.exe
2024-07-01 16:53:19,769 [root] DEBUG: Loader: Injecting process 592 with C:\tmp5vef11xa\dll\sqNcbRKb.dll.
2024-07-01 16:53:20,347 [root] DEBUG: 592: Python path set to 'C:\Users\joe\AppData\Local\Programs\Python\Python310-32'.
2024-07-01 16:53:20,956 [root] DEBUG: 592: TLS secret dump mode enabled.
2024-07-01 16:53:22,472 [root] INFO: Disabling sleep skipping.
2024-07-01 16:53:22,612 [root] DEBUG: 592: InternalYaraScan: Scanning 0x00007FFC844B0000, size 0x1f754e
2024-07-01 16:53:22,863 [root] DEBUG: 592: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2024-07-01 16:53:23,003 [root] DEBUG: 592: RtlInsertInvertedFunctionTable 0x00007FFC844C090E, LdrpInvertedFunctionTableSRWLock 0x00007FFC8461D500
2024-07-01 16:53:23,159 [root] DEBUG: 592: Monitor initialised: 64-bit capemon loaded in process 592 at 0x00007FFC487A0000, thread 2796, image base 0x00007FF746550000, stack from 0x000000CA28474000-0x000000CA28480000
2024-07-01 16:53:23,302 [root] DEBUG: 592: Commandline: C:\Windows\system32\lsass.exe
2024-07-01 16:53:23,691 [root] DEBUG: 592: Hooked 5 functions
2024-07-01 16:53:23,784 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2024-07-01 16:53:23,878 [root] DEBUG: Successfully injected DLL C:\tmp5vef11xa\dll\sqNcbRKb.dll.
2024-07-01 16:53:24,646 [lib.api.process] INFO: Injected into 64-bit <Process 592 lsass.exe>
2024-07-01 16:53:24,646 [root] DEBUG: Started auxiliary module TLSDumpMasterSecrets
2024-07-01 16:53:24,646 [root] DEBUG: Initialized auxiliary module "Usage"
2024-07-01 16:53:24,646 [root] DEBUG: Trying to start auxiliary module "Usage"...
2024-07-01 16:53:25,706 [root] DEBUG: Started auxiliary module Usage
2024-07-01 16:53:25,706 [root] DEBUG: Initialized auxiliary module "During_script"
2024-07-01 16:53:25,706 [root] DEBUG: Trying to start auxiliary module "During_script"...
2024-07-01 16:53:25,972 [root] DEBUG: 592: TLS 1.2 secrets logged to: C:\VtdkEWY\tlsdump\tlsdump.log
2024-07-01 16:53:26,082 [root] DEBUG: Started auxiliary module During_script
2024-07-01 16:53:53,050 [root] INFO: Restarting WMI Service
2024-07-01 16:54:04,316 [root] DEBUG: package modules.packages.exe does not support configure, ignoring
2024-07-01 16:54:04,347 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'
2024-07-01 16:54:04,347 [lib.core.compound] INFO: C:\Users\joe\AppData\Local\Temp already exists, skipping creation
2024-07-01 16:54:04,347 [lib.api.process] ERROR: Failed to execute process from path "C:\Users\joe\AppData\Local\Temp\e80d50169fc57630d4b0.exe" with arguments "None" (Error: Access is denied (ERROR_ACCESS_DENIED))
2024-07-01 16:54:04,347 [root] INFO: You probably submitted the job with wrong package
Traceback (most recent call last):
  File "C:\tmp5vef11xa\analyzer.py", line 616, in run
    pids = self.package.start(self.target)
  File "C:\tmp5vef11xa\modules\packages\exe.py", line 37, in start
    return self.execute(path, args, path)
  File "C:\tmp5vef11xa\lib\common\abstracts.py", line 170, in execute
    raise CuckooPackageError("Unable to execute the initial process, analysis aborted")
lib.common.exceptions.CuckooPackageError: Unable to execute the initial process, analysis aborted

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "C:\tmp5vef11xa\analyzer.py", line 1526, in <module>
    success = analyzer.run()
  File "C:\tmp5vef11xa\analyzer.py", line 620, in run
    raise CuckooError(f'The package "{self.package_name}" start function raised an error: {e}') from e
lib.common.exceptions.CuckooError: The package "modules.packages.exe" start function raised an error: Unable to execute the initial process, analysis aborted
2024-07-01 16:54:04,425 [root] WARNING: Folder at path "C:\VtdkEWY\debugger" does not exist, skipping
2024-07-01 16:54:04,425 [root] INFO: Uploading files at path "C:\VtdkEWY\tlsdump"
2024-07-01 16:54:04,425 [lib.common.results] INFO: Uploading file C:\VtdkEWY\tlsdump\tlsdump.log to tlsdump\tlsdump.log; Size is 2192; Max size: 100000000
2024-07-01 16:54:04,487 [root] INFO: Analysis completed
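The log above mixes recoverable noise (missing optional guest modules, an auxiliary-module traceback, a package-configuration warning) with the single line that aborted the run. The following is an added example, not CAPEv2 code and not something the reporter posted: a Python triage of an analysis log in the format seen above ("YYYY-MM-DD HH:MM:SS,mmm [logger] LEVEL: message"). It separates optional-dependency import errors from auxiliary-module failures and from the package-start failure, and pulls the Win32 error name out of the "Failed to execute process" line. The sample lines are condensed from this issue's log; the mapping of PIL and selenium to the features they enable follows the log's own warnings, and the per-error-code hints are the example author's notes, not the project's.

```python
"""Triage a CAPE guest analysis.log (added example, not CAPEv2 code).

Groups log lines into: optional guest dependencies that are missing,
auxiliary modules that failed, and the package-start failure that actually
aborted the run.  Sample lines below are condensed from the log in the issue.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Format of every timestamped line: "YYYY-MM-DD HH:MM:SS,mmm [logger] LEVEL: message"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<logger>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$"
)
PACKAGE_SPECIFIED = re.compile(r'analysis package specified: "(?P<pkg>[^"]+)"')
MISSING_MODULE = re.compile(r"No module named '(?P<mod>[^']+)'")
AUX_NOT_IMPL = re.compile(r"Auxiliary module (?P<name>\w+) was not implemented: (?P<why>.*)")
EXEC_FAILED = re.compile(
    r'Failed to execute process from path "(?P<path>[^"]+)" with arguments '
    r'"(?P<args>[^"]*)" \(Error: (?P<text>.+?) \((?P<code>[A-Z_0-9]+)\)\)'
)

# Guest packages whose absence only disables a feature (per the log's own warnings).
OPTIONAL_MODULES = {"PIL": "screenshots", "selenium": "html_scraper"}

# Hints for Win32 error names CreateProcess commonly reports (example author's notes).
EXEC_HINTS = {
    "ERROR_ACCESS_DENIED": "the file exists but the OS refused to start it; check guest "
                           "AV/real-time protection and the agent's privileges first",
    "ERROR_FILE_NOT_FOUND": "the sample path is missing in the guest; check file placement",
    "ERROR_BAD_EXE_FORMAT": "not a PE the guest can run; the package choice is suspect",
}


@dataclass
class Triage:
    package: Optional[str] = None
    missing_optional: dict = field(default_factory=dict)  # module -> feature lost
    missing_other: set = field(default_factory=set)       # unexpected import errors
    aux_failures: list = field(default_factory=list)      # (aux module, reason)
    exec_failure: Optional[dict] = None                   # path/code/text of the fatal line

    def verdict(self) -> str:
        if self.exec_failure is None:
            return "no fatal error: the initial process was started"
        code = self.exec_failure["code"]
        hint = EXEC_HINTS.get(code, "unrecognised Win32 error; inspect the guest manually")
        return f"fatal: {code} starting {self.exec_failure['path']}: {hint}"


def triage(lines: Iterable[str]) -> Triage:
    t = Triage()
    for raw in lines:
        m = LOG_LINE.match(raw.rstrip("\n"))
        if not m:
            continue  # traceback continuation lines carry no timestamp
        logger, level, msg = m["logger"], m["level"], m["msg"]
        if (p := PACKAGE_SPECIFIED.search(msg)):
            t.package = p["pkg"]
        elif (mm := MISSING_MODULE.search(msg)):
            top = mm["mod"].split(".")[0]
            if top in OPTIONAL_MODULES:
                t.missing_optional[top] = OPTIONAL_MODULES[top]
            else:
                t.missing_other.add(mm["mod"])
        elif (a := AUX_NOT_IMPL.search(msg)):
            t.aux_failures.append((a["name"], a["why"]))
        elif level == "ERROR" and logger.startswith("modules.auxiliary."):
            t.aux_failures.append((logger.rsplit(".", 1)[-1], msg))
        elif (e := EXEC_FAILED.search(msg)):
            t.exec_failure = {"path": e["path"], "code": e["code"], "text": e["text"]}
    return t


# Constructed sample: lines condensed from the analysis log in this issue.
SAMPLE_LOG = [
    "2024-07-01 16:52:30,017 [root] INFO: analysis running as an admin",
    '2024-07-01 16:52:30,020 [root] INFO: analysis package specified: "exe"',
    "2024-07-01 16:52:49,160 [modules.auxiliary.html_scraper] ERROR: No module named 'selenium'",
    "2024-07-01 16:52:49,378 [lib.api.screenshot] ERROR: No module named 'PIL'",
    "2024-07-01 16:52:49,738 [root] WARNING: Auxiliary module Autoruns was not implemented: "
    "'Config' object has no attribute 'autoruns'",
    "2024-07-01 16:52:55,566 [modules.auxiliary.digisig] ERROR: Traceback (most recent call last):",
    r'  File "C:\tmp5vef11xa\modules\auxiliary\digisig.py", line 134, in start',
    "IndexError: list index out of range",
    "2024-07-01 16:54:04,347 [root] WARNING: configuration error for package modules.packages.exe: "
    "error importing data.packages.exe: No module named 'data.packages'",
    r'2024-07-01 16:54:04,347 [lib.api.process] ERROR: Failed to execute process from path '
    r'"C:\Users\joe\AppData\Local\Temp\e80d50169fc57630d4b0.exe" with arguments "None" '
    r"(Error: Access is denied (ERROR_ACCESS_DENIED))",
    "2024-07-01 16:54:04,347 [root] INFO: You probably submitted the job with wrong package",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("package:", result.package)
    print("missing optional:", result.missing_optional)
    print("other import errors:", sorted(result.missing_other))
    print("auxiliary failures:", result.aux_failures)
    print(result.verdict())
```

Run against the full log, the verdict names ERROR_ACCESS_DENIED on the sample path, while the PIL, selenium, Autoruns and digisig entries are listed separately as degraded features rather than as the cause. The analyzer's own "wrong package" hint is not a classification here on purpose: a wrong package normally surfaces as a format or file-not-found error, not as an access-denied result.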

kevoreilly commented 2 months ago

It says access denied - I bet it's being blocked by Windows Defender. Try a benign exe to test that.

But the docs say 21H2 for good reason: 22H2 isn't supported. Much functionality just won't work; anything dependent on services injection is doomed.

joser12345678 commented 2 months ago

Thank you for the clarification. I just tried a benign exe and it still didn't work. Going to create a VM with 21H2. Thanks!
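The two suspects raised in this thread, Windows Defender refusing to start the sample and an unsupported Windows 10 release, are both things the guest can report about itself before a single sample is submitted. The following is an added example, not CAPEv2 code and not posted by either participant: a Python preflight meant to be run inside the guest with the same 32-bit interpreter the agent uses. Assumptions are labelled in the code: the build-to-release table is Microsoft's published mapping for Windows 10; treating 21H2 as the supported release follows the maintainer's comment; the 32-bit Python requirement follows the reporter's statement and the Python310-32 path in the log; the Defender query shells out to PowerShell's Get-MpComputerStatus. The collectors return None when not on Windows, so the pure check functions can be exercised anywhere.

```python
"""Guest preflight for a CAPE Windows 10 VM (added example, not CAPEv2 code).

Collects the facts the thread turned on: Windows 10 release (from the build
number), Python bitness, presence of optional guest modules, and Defender
real-time protection.  Collectors are Windows-only and return None elsewhere;
the checks themselves are pure functions.
"""
from __future__ import annotations

import importlib.util
import struct
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

# Windows 10 CurrentBuild -> release name (Microsoft's published mapping).
WIN10_BUILDS = {19041: "2004", 19042: "20H2", 19043: "21H1", 19044: "21H2", 19045: "22H2"}
SUPPORTED_RELEASE = "21H2"              # the release the maintainer points to in this thread
REQUIRED_PYTHON_BITS = 32               # the agent runs under 32-bit Python (reporter's setup)
OPTIONAL_MODULES = ("PIL", "selenium")  # their absence shows up as ERRORs in analysis.log


def release_name(build: int) -> str:
    return WIN10_BUILDS.get(build, f"build {build}")


def check_release(build: Optional[int]) -> Tuple[bool, str]:
    if build is None:
        return True, "Windows build unknown (not running on Windows)"
    rel = release_name(build)
    if rel == SUPPORTED_RELEASE:
        return True, f"Windows 10 {rel}: documented guest release"
    return False, (f"Windows 10 {rel}: not the documented {SUPPORTED_RELEASE} guest; "
                   "anything relying on service injection may not work")


def check_python(bits: int) -> Tuple[bool, str]:
    ok = bits == REQUIRED_PYTHON_BITS
    return ok, f"Python is {bits}-bit" + ("" if ok else f"; the agent needs {REQUIRED_PYTHON_BITS}-bit")


def check_modules(present: Dict[str, bool]) -> List[str]:
    return [f"optional module {name} missing (feature degraded, not fatal)"
            for name, ok in present.items() if not ok]


def check_defender(realtime_on: Optional[bool]) -> Tuple[bool, str]:
    if realtime_on is None:
        return True, "Defender state unknown (not Windows or query failed)"
    if realtime_on:
        return False, "Defender real-time protection is ON; it can deny CreateProcess on the sample"
    return True, "Defender real-time protection is off"


def preflight(build: Optional[int], bits: int, modules: Dict[str, bool],
              realtime_on: Optional[bool]) -> List[str]:
    """Return only the findings that need action; an empty list means clean."""
    findings = [text for ok, text in (check_release(build), check_python(bits),
                                      check_defender(realtime_on)) if not ok]
    findings.extend(check_modules(modules))
    return findings


# --- collectors: real values on Windows, None elsewhere ---

def python_bits() -> int:
    return struct.calcsize("P") * 8  # pointer width of the running interpreter


def modules_present(names=OPTIONAL_MODULES) -> Dict[str, bool]:
    return {n: importlib.util.find_spec(n) is not None for n in names}


def current_build() -> Optional[int]:
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only stdlib module
    key = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        return int(winreg.QueryValueEx(k, "CurrentBuild")[0])


def defender_realtime_enabled() -> Optional[bool]:
    if sys.platform != "win32":
        return None
    cmd = ["powershell", "-NoProfile", "-Command", "(Get-MpComputerStatus).RealTimeProtectionEnabled"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=60).stdout.strip().lower()
    except (OSError, subprocess.TimeoutExpired):
        return None
    return {"true": True, "false": False}.get(out)


if __name__ == "__main__":
    findings = preflight(current_build(), python_bits(), modules_present(), defender_realtime_enabled())
    for line in findings or ["guest preflight clean"]:
        print(line)
```

On the reporter's guest this would print the 22H2 finding regardless of what Defender reports, which matches the order of the maintainer's advice: test with a benign exe to rule Defender in or out, but expect breakage on a release the docs do not list.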