kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

Unable to Communicate with Inetsim after Merging #2216 #2226

Closed t-mtsmt closed 3 months ago

t-mtsmt commented 3 months ago

Expected Behavior

I expect to be able to communicate normally with the Inetsim server.

Current Behavior

After applying commit 23d325675040fea3fab27f416208d0d90c7a0de0, communication is no longer working properly. For example, when running a sample program that attempts to communicate with https://www.example.com, it results in a "The remote could not be resolved" error.

Failure Information (for bugs)

Steps to Reproduce

Reproduction Steps:

  1. Apply the commits after 23d325675040fea3fab27f416208d0d90c7a0de0.
  2. Enable the Inetsim configuration.
  3. Submit a sample program that performs HTTP communication.
  4. Check the analysis results and confirm that HTTP communication is not occurring.

Context

Question      Answer
Git commit    9a61f5cf549abfdadc67cfb0106c1e1b48a14889 (>= 23d325675040fea3fab27f416208d0d90c7a0de0)
OS version    Ubuntu 22.04 (host), Windows 10 20H2 (guest)

Sample Program:

using System;
using System.Collections.Generic;
using System.Net;

namespace MalwareAnalysisSample
{
    internal class Program
    {
        static void Main(string[] args)
        {
            // Allow TLS 1.0/1.1/1.2 so the guest can negotiate with whatever the simulated server offers.
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
            // Accept any server certificate: a simulated server's certificate is not trusted by the guest.
            ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

            var urls = new List<string>() {
                "https://www.example.com/evil1.html",
                "https://www.google.com/evil3.html",
                "https://www.yahoo.com/evil4.html",
            };

            using (var wc = new WebClient())
            {
                foreach (var url in urls)
                {
                    Console.WriteLine($"connect to {url}");
                    // OpenRead resolves the host name and issues the GET. Any failure (for example the
                    // name-resolution error described above) throws a WebException and ends the run.
                    using (var stream = wc.OpenRead(url)) { }
                }
            }
        }
    }
}

Failure Logs

cape log

$ sudo journalctl -u cape
Jul 14 12:41:08 ubuntu2204.localdomain systemd[1]: Stopping CAPE...
Jul 14 12:41:08 ubuntu2204.localdomain python3[6126]: 2024-07-14 12:41:08,646 [lib.cuckoo.core.scheduler] INFO: received signal 'SIGTERM', waiting for remaining analysis to finish before stopping
Jul 14 12:41:09 ubuntu2204.localdomain python3[6126]: 2024-07-14 12:41:09,047 [lib.cuckoo.core.scheduler] INFO: Waiting for running analyses to finish.
Jul 14 12:41:09 ubuntu2204.localdomain python3[6126]: Missing machinery-required libraries.
Jul 14 12:41:09 ubuntu2204.localdomain python3[6126]: poetry run python -m pip install azure-identity msrest msrestazure azure-mgmt-compute azure-mgmt-network azure-mgmt-storage azure-storage-blob
Jul 14 12:41:09 ubuntu2204.localdomain python3[6126]: XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
Jul 14 12:41:10 ubuntu2204.localdomain systemd[1]: cape.service: Deactivated successfully.
Jul 14 12:41:10 ubuntu2204.localdomain systemd[1]: Stopped CAPE.
Jul 14 12:41:10 ubuntu2204.localdomain systemd[1]: cape.service: Consumed 12.788s CPU time.
Jul 14 12:41:10 ubuntu2204.localdomain systemd[1]: Started CAPE.
Jul 14 12:41:14 ubuntu2204.localdomain python3[6765]: 
Jul 14 12:41:14 ubuntu2204.localdomain python3[6765]:                                ),-.     /
Jul 14 12:41:14 ubuntu2204.localdomain python3[6765]:   Cuckoo Sandbox              <(a  `---','
Jul 14 12:41:14 ubuntu2204.localdomain python3[6765]:      no chance for malwares!  ( `-, ._> )
Jul 14 12:41:14 ubuntu2204.localdomain python3[6765]:                                ) _>.___/
Jul 14 12:41:14 ubuntu2204.localdomain python3[6765]:                                    _/
Jul 14 12:41:14 ubuntu2204.localdomain python3[6765]:  Cuckoo Sandbox 2.4-CAPE
Jul 14 12:41:14 ubuntu2204.localdomain python3[6765]:  www.cuckoosandbox.org
Jul 14 12:41:14 ubuntu2204.localdomain python3[6765]:  Copyright (c) 2010-2015
Jul 14 12:41:14 ubuntu2204.localdomain python3[6765]:  CAPE: Config and Payload Extraction
Jul 14 12:41:14 ubuntu2204.localdomain python3[6765]:  github.com/kevoreilly/CAPEv2
Jul 14 12:41:17 ubuntu2204.localdomain python3[6917]: /usr/bin/tcpdump
Jul 14 12:41:17 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:41:17,873 [lib.cuckoo.core.machinery_manager] INFO: Using MachineryManager[vmwarerest] with max_machines_count=10
Jul 14 12:41:17 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:41:17,874 [lib.cuckoo.core.scheduler] INFO: Creating scheduler with max_analysis_count=unlimited
Jul 14 12:41:17 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:41:17,878 [modules.machinery.vmwarerest] INFO: VMwareREST machinery module initialised (192.168.136.1:8697)
Jul 14 12:41:17 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:41:17,912 [lib.cuckoo.core.machinery_manager] INFO: Loaded 1 machine
Jul 14 12:41:17 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:41:17,991 [lib.cuckoo.core.machinery_manager] INFO: max_vmstartup_count for BoundedSemaphore = 5
Jul 14 12:41:17 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:41:17,993 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks
Jul 14 12:41:37 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:41:37,200 [lib.cuckoo.core.machinery_manager] INFO: Task #5: found useable machine sandbox1 (arch=x64, platform=windows)
Jul 14 12:41:37 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:41:37,201 [lib.cuckoo.core.scheduler] INFO: Task #5: Processing task
Jul 14 12:41:37 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:41:37,258 [lib.cuckoo.core.analysis_manager] INFO: Task #5: File already exists at '/opt/CAPEv2/storage/binaries/7304c9a23f334dbfd47bc19a45fc66358eea35f1aea1788ee971e6fceef68eed'
Jul 14 12:41:37 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:41:37,258 [lib.cuckoo.core.analysis_manager] INFO: Task #5: Starting analysis of FILE '/tmp/cuckoo-tmp/upload_vq5hbyij/MalwareAnalysisSample.exe'
Jul 14 12:41:37 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:41:37,259 [modules.machinery.vmwarerest] INFO: Starting vm flarevm
Jul 14 12:41:37 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:41:37,259 [modules.machinery.vmwarerest] INFO: Checking vm flarevm
Jul 14 12:41:37 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:41:37,276 [modules.machinery.vmwarerest] INFO: Vm flarevm is not running
Jul 14 12:41:37 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:41:37,293 [modules.machinery.vmwarerest] INFO: Powering on vm flarevm
Jul 14 12:41:38 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:41:38,219 [lib.cuckoo.core.analysis_manager] INFO: Task #5: Enabled route 'false'.
Jul 14 12:41:38 ubuntu2204.localdomain python3[6987]: /usr/bin/tcpdump
Jul 14 12:41:38 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:41:38,236 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 6988 (interface=eth3, host=10.20.20.2, dump path=/opt/CAPEv2/storage/analyses/5/dump.pcap)
Jul 14 12:41:38 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:41:38,238 [lib.cuckoo.common.objects] INFO: file type set using basic heuristics for: /tmp/cuckoo-tmp/upload_vq5hbyij/MalwareAnalysisSample.exe
Jul 14 12:41:38 ubuntu2204.localdomain sudo[6988]:     cape : PWD=/opt/CAPEv2 ; USER=root ; COMMAND=/usr/bin/tcpdump -U -q -s 0 -i eth3 -n -Z cape -w /opt/CAPEv2/storage/analyses/5/dump.pcap host 10.20.20.2 and not ( dst host 10.20.20.2 and dst port 8000 ) and not ( src host 10.20.20.2 and src port 8000 ) and not ( dst host 10.20.20.1 and dst port 2042 ) and not ( src host 10.20.20.1 and src port 2042 ) and ( 'not arp' )
Jul 14 12:41:38 ubuntu2204.localdomain sudo[6988]: pam_limits(sudo:session): unknown limit item 'hard'
Jul 14 12:41:38 ubuntu2204.localdomain sudo[6988]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=998)
Jul 14 12:41:38 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:41:38,263 [lib.cuckoo.core.guest] INFO: Task #5: Starting analysis on guest (id=sandbox1, ip=10.20.20.2)
Jul 14 12:42:16 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:42:16,965 [lib.cuckoo.core.guest] INFO: Task #5: Guest is running CAPE Agent 0.17 (id=sandbox1, ip=10.20.20.2)
Jul 14 12:42:19 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:42:19,102 [lib.cuckoo.core.guest] INFO: Task #5: Uploading script files to guest (id=sandbox1, ip=10.20.20.2)
Jul 14 12:42:31 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:42:31,888 [lib.cuckoo.core.resultserver] INFO: Task 5: Process 7964 (parent 6616): MalwareAnalysisSample.exe, path C:\Users\vagrant\AppData\Local\Temp\MalwareAnalysisSample.exe
Jul 14 12:43:13 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:43:13,768 [lib.cuckoo.core.guest] INFO: Task #completed successfully: Analysis 5 (id=sandbox1, ip=10.20.20.2)
Jul 14 12:43:13 ubuntu2204.localdomain sudo[6988]: pam_unix(sudo:session): session closed for user root
Jul 14 12:43:13 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:43:13,929 [modules.machinery.vmwarerest] INFO: Checking vm flarevm
Jul 14 12:43:14 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:43:14,086 [modules.machinery.vmwarerest] INFO: Vm flarevm is running
Jul 14 12:43:14 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:43:14,088 [modules.machinery.vmwarerest] INFO: Stopping vm flarevm
Jul 14 12:43:14 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:43:14,098 [modules.machinery.vmwarerest] INFO: Powering off vm flarevm
Jul 14 12:43:15 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:43:15,689 [lib.cuckoo.core.analysis_manager] INFO: Task #5: Completed analysis successfully.
Jul 14 12:43:15 ubuntu2204.localdomain python3[6765]: 2024-07-14 12:43:15,694 [lib.cuckoo.core.analysis_manager] INFO: Task #5: analysis procedure completed

cape-processor log

$ sudo journalctl -u cape-processor
Jul 14 12:41:08 ubuntu2204.localdomain systemd[1]: Stopping CAPE report processor...
Jul 14 12:41:08 ubuntu2204.localdomain systemd[1]: cape-processor.service: Deactivated successfully.
Jul 14 12:41:08 ubuntu2204.localdomain systemd[1]: Stopped CAPE report processor.
Jul 14 12:41:08 ubuntu2204.localdomain systemd[1]: cape-processor.service: Consumed 16.380s CPU time.
Jul 14 12:41:10 ubuntu2204.localdomain systemd[1]: Started CAPE report processor.
Jul 14 12:41:17 ubuntu2204.localdomain python3[6763]: 2024-07-14 12:41:17,880 [root] INFO: Processing analysis data
Jul 14 12:43:19 ubuntu2204.localdomain python3[6763]: 2024-07-14 12:43:19,118 [root] INFO: Processing analysis data for Task #5
Jul 14 12:43:19 ubuntu2204.localdomain python3[6763]: Missing machinery-required libraries.
Jul 14 12:43:19 ubuntu2204.localdomain python3[6763]: poetry run python -m pip install azure-identity msrest msrestazure azure-mgmt-compute azure-mgmt-network azure-mgmt-storage azure-storage-blob
Jul 14 12:43:19 ubuntu2204.localdomain python3[6763]: XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
Jul 14 12:43:19 ubuntu2204.localdomain python3[7076]: 2024-07-14 12:43:19,364 [Task 5] [lib.cuckoo.common.objects] INFO: file type set using basic heuristics for: /opt/CAPEv2/storage/binaries/7304c9a23f334dbfd47bc19a45fc66358eea35f1aea1788ee971e6fceef68eed
Jul 14 12:43:21 ubuntu2204.localdomain python3[7076]: 2024-07-14 12:43:21,086 [Task 5] [lib.cuckoo.common.objects] INFO: file type set using basic heuristics for: /tmp/cape-external/de4dot_48eef1d6/7304c9a23f334dbfd47bc19a45fc66358eea35f1aea1788ee971e6fceef68eed
Jul 14 12:43:21 ubuntu2204.localdomain python3[7076]: 2024-07-14 12:43:21,245 [Task 5] [lib.cuckoo.common.integrations.file_extra_info] ERROR: DIE error: name 'die' is not defined
Jul 14 12:43:21 ubuntu2204.localdomain python3[7076]: 2024-07-14 12:43:21,246 [Task 5] [lib.cuckoo.common.integrations.file_extra_info] ERROR: DIE error: local variable 'result_json' referenced before assignment
Jul 14 12:43:23 ubuntu2204.localdomain python3[7076]: 2024-07-14 12:43:23,811 [Task 5] [lib.cuckoo.common.objects] INFO: file type set using basic heuristics for: /opt/CAPEv2/storage/analyses/5/procdump/16cb6d904a71f6fbda1a9bf1e96813c58e7bdb6f6e77e04a2c1aa65ce327d3e3
Jul 14 12:43:23 ubuntu2204.localdomain python3[7156]: Error while trying to process /opt/CAPEv2/storage/analyses/5/procdump/16cb6d904a71f6fbda1a9bf1e96813c58e7bdb6f6e77e04a2c1aa65ce327d3e3
Jul 14 12:43:23 ubuntu2204.localdomain python3[7076]: 2024-07-14 12:43:23,837 [Task 5] [lib.cuckoo.common.integrations.parse_dotnet] ERROR: Monodis: Command '['/usr/bin/monodis', '--typeref', '/opt/CAPEv2/storage/analyses/5/procdump/16cb6d904a71f6fbda1a9bf1e96813c58e7bdb6f6e77e04a2c1aa65ce327d3e3']' returned non-zero exit status 1.
Jul 14 12:43:23 ubuntu2204.localdomain python3[7158]: Error while trying to process /opt/CAPEv2/storage/analyses/5/procdump/16cb6d904a71f6fbda1a9bf1e96813c58e7bdb6f6e77e04a2c1aa65ce327d3e3
Jul 14 12:43:23 ubuntu2204.localdomain python3[7076]: 2024-07-14 12:43:23,845 [Task 5] [lib.cuckoo.common.integrations.parse_dotnet] ERROR: Monodis: Command '['/usr/bin/monodis', '--assemblyref', '/opt/CAPEv2/storage/analyses/5/procdump/16cb6d904a71f6fbda1a9bf1e96813c58e7bdb6f6e77e04a2c1aa65ce327d3e3']' returned non-zero exit status 1.
Jul 14 12:43:23 ubuntu2204.localdomain python3[7160]: Error while trying to process /opt/CAPEv2/storage/analyses/5/procdump/16cb6d904a71f6fbda1a9bf1e96813c58e7bdb6f6e77e04a2c1aa65ce327d3e3
Jul 14 12:43:23 ubuntu2204.localdomain python3[7076]: 2024-07-14 12:43:23,853 [Task 5] [lib.cuckoo.common.integrations.parse_dotnet] ERROR: Monodis: Command '['/usr/bin/monodis', '--assembly', '/opt/CAPEv2/storage/analyses/5/procdump/16cb6d904a71f6fbda1a9bf1e96813c58e7bdb6f6e77e04a2c1aa65ce327d3e3']' returned non-zero exit status 1.
Jul 14 12:43:23 ubuntu2204.localdomain python3[7162]: Error while trying to process /opt/CAPEv2/storage/analyses/5/procdump/16cb6d904a71f6fbda1a9bf1e96813c58e7bdb6f6e77e04a2c1aa65ce327d3e3
Jul 14 12:43:23 ubuntu2204.localdomain python3[7076]: 2024-07-14 12:43:23,860 [Task 5] [lib.cuckoo.common.integrations.parse_dotnet] ERROR: Monodis: Command '['/usr/bin/monodis', '--customattr', '/opt/CAPEv2/storage/analyses/5/procdump/16cb6d904a71f6fbda1a9bf1e96813c58e7bdb6f6e77e04a2c1aa65ce327d3e3']' returned non-zero exit status 1.
Jul 14 12:43:32 ubuntu2204.localdomain python3[7076]: 2024-07-14 12:43:32,494 [Task 5] [lib.cuckoo.common.integrations.capa] ERROR: CAPA ValidationError 1 validation error for CapeReport
Jul 14 12:43:32 ubuntu2204.localdomain python3[7076]: behavior.processes.0.file_activities
Jul 14 12:43:32 ubuntu2204.localdomain python3[7076]:   Extra inputs are not permitted [type=extra_forbidden, input_value={'read_files': [], 'write... [], 'delete_files': []}, input_type=dict]
Jul 14 12:43:32 ubuntu2204.localdomain python3[7076]:     For further information visit https://errors.pydantic.dev/2.6/v/extra_forbidden
Jul 14 12:43:33 ubuntu2204.localdomain python3[6763]: 2024-07-14 12:43:33,449 [root] INFO: Reports generation completed for Task #5

cape-rooter log

$ sudo journalctl -u cape-rooter
Jul 14 12:41:10 ubuntu2204.localdomain systemd[1]: Stopping CAPE rooter...
Jul 14 12:41:10 ubuntu2204.localdomain systemd[1]: cape-rooter.service: Deactivated successfully.
Jul 14 12:41:10 ubuntu2204.localdomain systemd[1]: Stopped CAPE rooter.

cape-web log

$ sudo journalctl -u cape-web
Jul 14 12:41:08 ubuntu2204.localdomain systemd[1]: Stopping CAPE WSGI app...
Jul 14 12:41:09 ubuntu2204.localdomain systemd[1]: cape-web.service: Deactivated successfully.
Jul 14 12:41:09 ubuntu2204.localdomain systemd[1]: Stopped CAPE WSGI app.
Jul 14 12:41:09 ubuntu2204.localdomain systemd[1]: cape-web.service: Consumed 2min 43.491s CPU time.
Jul 14 12:41:10 ubuntu2204.localdomain systemd[1]: Started CAPE WSGI app.
Jul 14 12:41:16 ubuntu2204.localdomain python3[6764]: XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
Jul 14 12:41:18 ubuntu2204.localdomain python3[6764]: You have 33 unapplied migration(s). Your project may not work properly until you apply the migrations for app(s): account, admin, auth, authtoken, contenttypes, openid, sessions, sites, socialaccount, users.
Jul 14 12:41:18 ubuntu2204.localdomain python3[6764]: Run 'python manage.py migrate' to apply them.
Jul 14 12:41:18 ubuntu2204.localdomain python3[6764]: WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
Jul 14 12:41:18 ubuntu2204.localdomain python3[6764]:  * Running on all addresses (0.0.0.0)
Jul 14 12:41:18 ubuntu2204.localdomain python3[6764]:  * Running on http://127.0.0.1:8000
Jul 14 12:41:18 ubuntu2204.localdomain python3[6764]:  * Running on http://192.168.5.145:8000
Jul 14 12:41:18 ubuntu2204.localdomain python3[6764]: Press CTRL+C to quit
Jul 14 12:41:18 ubuntu2204.localdomain python3[6764]:  * Restarting with stat
Jul 14 12:41:20 ubuntu2204.localdomain python3[6933]: Performing system checks...
Jul 14 12:41:21 ubuntu2204.localdomain python3[6933]: XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
Jul 14 12:41:22 ubuntu2204.localdomain python3[6933]: System check identified no issues (3 silenced).
Jul 14 12:41:22 ubuntu2204.localdomain python3[6933]: You have 33 unapplied migration(s). Your project may not work properly until you apply the migrations for app(s): account, admin, auth, authtoken, contenttypes, openid, sessions, sites, socialaccount, users.
Jul 14 12:41:22 ubuntu2204.localdomain python3[6933]: Run 'python manage.py migrate' to apply them.
Jul 14 12:41:22 ubuntu2204.localdomain python3[6933]: Django version 4.2.11, using settings 'web.settings'
Jul 14 12:41:22 ubuntu2204.localdomain python3[6933]: Development server is running at http://0.0.0.0:8000/
Jul 14 12:41:22 ubuntu2204.localdomain python3[6933]: Using the Werkzeug debugger (http://werkzeug.pocoo.org/)
Jul 14 12:41:22 ubuntu2204.localdomain python3[6933]: Quit the server with CONTROL-C.
Jul 14 12:41:22 ubuntu2204.localdomain python3[6933]:  * Debugger is active!
Jul 14 12:41:22 ubuntu2204.localdomain python3[6933]:  * Debugger PIN: 783-821-993
Jul 14 12:41:23 ubuntu2204.localdomain python3[6933]: 127.0.0.1 - - [14/Jul/2024 12:41:23] "GET /submit/ HTTP/1.1" 200 -
Jul 14 12:41:36 ubuntu2204.localdomain python3[6933]: INFO:lib.cuckoo.common.objects:file type set using basic heuristics for: b'/tmp/cuckoo-tmp/upload_vq5hbyij/MalwareAnalysisSample.exe'
Jul 14 12:41:36 ubuntu2204.localdomain python3[6933]: INFO:lib.cuckoo.common.objects:file type set using basic heuristics for: /tmp/cuckoo-tmp/upload_vq5hbyij/MalwareAnalysisSample.exe
Jul 14 12:41:36 ubuntu2204.localdomain python3[6933]: 127.0.0.1 - - [14/Jul/2024 12:41:36] "POST /submit/ HTTP/1.1" 200 -
Jul 14 12:43:31 ubuntu2204.localdomain python3[6933]: 127.0.0.1 - - [14/Jul/2024 12:43:31] "GET /analysis/ HTTP/1.1" 200 -
Jul 14 12:43:33 ubuntu2204.localdomain python3[6933]: 127.0.0.1 - - [14/Jul/2024 12:43:33] "GET /submit/status/5/ HTTP/1.1" 302 -
Jul 14 12:43:33 ubuntu2204.localdomain python3[6933]: 127.0.0.1 - - [14/Jul/2024 12:43:33] "GET /analysis/5/ HTTP/1.1" 200 -
Jul 14 12:43:33 ubuntu2204.localdomain python3[6933]: 127.0.0.1 - - [14/Jul/2024 12:43:33] "GET /analysis/file_nl/screenshot/5/0001/ HTTP/1.1" 200 -
Jul 14 12:43:33 ubuntu2204.localdomain python3[6933]: 127.0.0.1 - - [14/Jul/2024 12:43:33] "GET /analysis/file_nl/screenshot/5/0002/ HTTP/1.1" 200 -
Jul 14 12:43:33 ubuntu2204.localdomain python3[6933]: 127.0.0.1 - - [14/Jul/2024 12:43:33] "GET /analysis/file_nl/screenshot/5/0003/ HTTP/1.1" 200 -
Jul 14 12:43:33 ubuntu2204.localdomain python3[6933]: 127.0.0.1 - - [14/Jul/2024 12:43:33] "GET /analysis/file_nl/screenshot/5/0005/ HTTP/1.1" 200 -
Jul 14 12:43:33 ubuntu2204.localdomain python3[6933]: 127.0.0.1 - - [14/Jul/2024 12:43:33] "GET /analysis/file_nl/screenshot/5/0006/ HTTP/1.1" 200 -
Jul 14 12:43:33 ubuntu2204.localdomain python3[6933]: 127.0.0.1 - - [14/Jul/2024 12:43:33] "GET /analysis/file_nl/screenshot/5/0004/ HTTP/1.1" 200 -
Jul 14 12:43:33 ubuntu2204.localdomain python3[6933]: 127.0.0.1 - - [14/Jul/2024 12:43:33] "GET /analysis/file_nl/screenshot/5/0007/ HTTP/1.1" 200 -

Analysis log

2024-07-14 21:42:18,331 [root] INFO: Date set to: 20240714T12:41:38, timeout set to: 200
2024-07-14 12:41:38,007 [root] DEBUG: Starting analyzer from: C:\tmppldvx8e6
2024-07-14 12:41:38,007 [root] DEBUG: Storing results at: C:\DFGlfijioB
2024-07-14 12:41:38,007 [root] DEBUG: Pipe server name: \\.\PIPE\EKzqVPDafI
2024-07-14 12:41:38,007 [root] DEBUG: Python path: C:\Program Files (x86)\Python312-32
2024-07-14 12:41:38,007 [root] INFO: analysis running as an admin
2024-07-14 12:41:38,007 [root] INFO: analysis package specified: "exe"
2024-07-14 12:41:38,007 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2024-07-14 12:41:38,023 [root] DEBUG: imported analysis package "exe"
2024-07-14 12:41:38,023 [root] DEBUG: initializing analysis package "exe"...
2024-07-14 12:41:38,023 [lib.common.common] INFO: wrapping
2024-07-14 12:41:38,023 [lib.core.compound] INFO: C:\Users\vagrant\AppData\Local\Temp already exists, skipping creation
2024-07-14 12:41:38,023 [root] DEBUG: New location of moved file: C:\Users\vagrant\AppData\Local\Temp\MalwareAnalysisSample.exe
2024-07-14 12:41:38,023 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2024-07-14 12:41:38,023 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2024-07-14 12:41:38,023 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2024-07-14 12:41:38,023 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2024-07-14 12:41:38,070 [root] DEBUG: Importing auxiliary module "modules.auxiliary.amsi"...
2024-07-14 12:41:38,133 [root] DEBUG: Importing auxiliary module "modules.auxiliary.amsi_collector"...
2024-07-14 12:41:38,133 [root] DEBUG: Importing auxiliary module "modules.auxiliary.autoruns"...
2024-07-14 12:41:38,148 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2024-07-14 12:41:38,164 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2024-07-14 12:41:38,164 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2024-07-14 12:41:38,164 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2024-07-14 12:41:38,179 [root] DEBUG: Importing auxiliary module "modules.auxiliary.during_script"...
2024-07-14 12:41:38,195 [root] DEBUG: Importing auxiliary module "modules.auxiliary.evtx"...
2024-07-14 12:41:38,195 [root] DEBUG: Importing auxiliary module "modules.auxiliary.filepickup"...
2024-07-14 12:41:38,195 [root] DEBUG: Importing auxiliary module "modules.auxiliary.html_scraper"...
2024-07-14 12:41:38,210 [modules.auxiliary.html_scraper] ERROR: No module named 'selenium'
2024-07-14 12:41:38,210 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2024-07-14 12:41:38,226 [root] DEBUG: Importing auxiliary module "modules.auxiliary.permissions"...
2024-07-14 12:41:38,226 [root] DEBUG: Importing auxiliary module "modules.auxiliary.pre_script"...
2024-07-14 12:41:38,226 [root] DEBUG: Importing auxiliary module "modules.auxiliary.procmon"...
2024-07-14 12:41:38,242 [root] DEBUG: Importing auxiliary module "modules.auxiliary.recentfiles"...
2024-07-14 12:41:38,242 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2024-07-14 12:41:38,242 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2024-07-14 12:41:38,305 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2024-07-14 12:41:38,305 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2024-07-14 12:41:38,305 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2024-07-14 12:41:38,305 [root] DEBUG: Importing auxiliary module "modules.auxiliary.tlsdump"...
2024-07-14 12:41:38,320 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2024-07-14 12:41:38,320 [root] DEBUG: Initialized auxiliary module "AMSICollector"
2024-07-14 12:41:38,320 [root] DEBUG: Trying to start auxiliary module "AMSICollector"...
2024-07-14 12:41:38,320 [root] DEBUG: Started auxiliary module AMSICollector
2024-07-14 12:41:38,320 [root] WARNING: Auxiliary module Autoruns was not implemented: 'Config' object has no attribute 'autoruns'
2024-07-14 12:41:38,320 [root] DEBUG: Initialized auxiliary module "Browser"
2024-07-14 12:41:38,320 [root] DEBUG: Trying to start auxiliary module "Browser"...
2024-07-14 12:41:38,320 [root] DEBUG: Started auxiliary module Browser
2024-07-14 12:41:38,320 [root] DEBUG: Initialized auxiliary module "Curtain"
2024-07-14 12:41:38,320 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2024-07-14 12:41:38,320 [root] DEBUG: Started auxiliary module Curtain
2024-07-14 12:41:38,320 [root] DEBUG: Initialized auxiliary module "DigiSig"
2024-07-14 12:41:38,320 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2024-07-14 12:41:38,320 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2024-07-14 12:41:38,570 [modules.auxiliary.digisig] DEBUG: File is not signed
2024-07-14 12:41:38,570 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2024-07-14 12:41:38,585 [root] DEBUG: Started auxiliary module DigiSig
2024-07-14 12:41:38,585 [root] DEBUG: Initialized auxiliary module "Disguise"
2024-07-14 12:41:38,585 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2024-07-14 12:41:38,585 [modules.auxiliary.disguise] INFO: Disguising GUID to 5b81a9de-632b-43cf-9178-4e4c27c582ae
2024-07-14 12:41:38,585 [root] DEBUG: Started auxiliary module Disguise
2024-07-14 12:41:38,585 [root] DEBUG: Initialized auxiliary module "Evtx"
2024-07-14 12:41:38,585 [root] DEBUG: Trying to start auxiliary module "Evtx"...
2024-07-14 12:41:38,585 [root] DEBUG: Started auxiliary module Evtx
2024-07-14 12:41:38,585 [root] DEBUG: Initialized auxiliary module "FilePickup"
2024-07-14 12:41:38,585 [root] DEBUG: Trying to start auxiliary module "FilePickup"...
2024-07-14 12:41:38,585 [root] DEBUG: Started auxiliary module FilePickup
2024-07-14 12:41:38,585 [root] DEBUG: Initialized auxiliary module "HtmlScraper"
2024-07-14 12:41:38,585 [root] DEBUG: Trying to start auxiliary module "HtmlScraper"...
2024-07-14 12:41:38,585 [root] DEBUG: Started auxiliary module HtmlScraper
2024-07-14 12:41:38,601 [root] DEBUG: Initialized auxiliary module "Human"
2024-07-14 12:41:38,601 [root] DEBUG: Trying to start auxiliary module "Human"...
2024-07-14 12:41:38,601 [root] DEBUG: Started auxiliary module Human
2024-07-14 12:41:38,601 [root] DEBUG: Initialized auxiliary module "Permissions"
2024-07-14 12:41:38,601 [root] DEBUG: Trying to start auxiliary module "Permissions"...
2024-07-14 12:41:38,601 [root] DEBUG: Started auxiliary module Permissions
2024-07-14 12:41:38,617 [root] DEBUG: Initialized auxiliary module "Pre_script"
2024-07-14 12:41:38,617 [root] DEBUG: Trying to start auxiliary module "Pre_script"...
2024-07-14 12:41:38,617 [root] DEBUG: Started auxiliary module Pre_script
2024-07-14 12:41:38,617 [root] DEBUG: Initialized auxiliary module "Procmon"
2024-07-14 12:41:38,617 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2024-07-14 12:41:38,617 [root] DEBUG: Started auxiliary module Procmon
2024-07-14 12:41:38,617 [root] DEBUG: Initialized auxiliary module "RecentFiles"
2024-07-14 12:41:38,617 [root] DEBUG: Trying to start auxiliary module "RecentFiles"...
2024-07-14 12:41:38,617 [root] DEBUG: Started auxiliary module RecentFiles
2024-07-14 12:41:38,617 [root] DEBUG: Initialized auxiliary module "Screenshots"
2024-07-14 12:41:38,617 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2024-07-14 12:41:38,617 [root] DEBUG: Started auxiliary module Screenshots
2024-07-14 12:41:38,617 [root] DEBUG: Initialized auxiliary module "Sysmon"
2024-07-14 12:41:38,617 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2024-07-14 12:41:38,617 [root] DEBUG: Started auxiliary module Sysmon
2024-07-14 12:41:38,617 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2024-07-14 12:41:38,617 [root] DEBUG: Trying to start auxiliary module "TLSDumpMasterSecrets"...
2024-07-14 12:41:38,633 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 652
2024-07-14 12:41:38,773 [lib.api.process] INFO: Monitor config for <Process 652 lsass.exe>: C:\tmppldvx8e6\dll\652.ini
2024-07-14 12:41:38,773 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2024-07-14 12:41:38,773 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmppldvx8e6\dll\BkuHUjh.dll, loader C:\tmppldvx8e6\bin\ZvtPHbcJ.exe
2024-07-14 12:41:38,789 [root] DEBUG: Loader: Injecting process 652 with C:\tmppldvx8e6\dll\BkuHUjh.dll.
2024-07-14 12:41:38,804 [root] DEBUG: 652: Python path set to 'C:\Program Files (x86)\Python312-32'.
2024-07-14 12:41:38,820 [root] DEBUG: 652: TLS secret dump mode enabled.
2024-07-14 12:41:38,820 [root] INFO: Disabling sleep skipping.
2024-07-14 12:41:38,835 [root] DEBUG: 652: InternalYaraScan: Scanning 0x00007FFA830B0000, size 0x1f553e
2024-07-14 12:41:38,851 [root] DEBUG: 652: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2024-07-14 12:41:38,851 [root] DEBUG: 652: RtlInsertInvertedFunctionTable 0x00007FFA830E2F8A, LdrpInvertedFunctionTableSRWLock 0x00007FFA8321C4E0
2024-07-14 12:41:38,851 [root] DEBUG: 652: Monitor initialised: 64-bit capemon loaded in process 652 at 0x00007FFA58810000, thread 6844, image base 0x00007FF7A6FF0000, stack from 0x0000006748374000-0x0000006748380000
2024-07-14 12:41:38,851 [root] DEBUG: 652: Commandline: C:\Windows\system32\lsass.exe
2024-07-14 12:41:38,867 [root] DEBUG: 652: Hooked 5 functions
2024-07-14 12:41:38,867 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2024-07-14 12:41:38,867 [root] DEBUG: Successfully injected DLL C:\tmppldvx8e6\dll\BkuHUjh.dll.
2024-07-14 12:41:38,882 [lib.api.process] INFO: Injected into 64-bit <Process 652 lsass.exe>
2024-07-14 12:41:38,882 [root] DEBUG: Started auxiliary module TLSDumpMasterSecrets
2024-07-14 12:41:38,882 [root] DEBUG: Initialized auxiliary module "Usage"
2024-07-14 12:41:38,882 [root] DEBUG: Trying to start auxiliary module "Usage"...
2024-07-14 12:41:38,882 [root] DEBUG: Started auxiliary module Usage
2024-07-14 12:41:38,882 [root] DEBUG: Initialized auxiliary module "During_script"
2024-07-14 12:41:38,882 [root] DEBUG: Trying to start auxiliary module "During_script"...
2024-07-14 12:41:38,882 [root] DEBUG: Started auxiliary module During_script
2024-07-14 12:41:45,638 [root] INFO: Restarting WMI Service
2024-07-14 12:41:47,740 [root] DEBUG: package modules.packages.exe does not support configure, ignoring
2024-07-14 12:41:47,740 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'
2024-07-14 12:41:47,740 [lib.core.compound] INFO: C:\Users\vagrant\AppData\Local\Temp already exists, skipping creation
2024-07-14 12:41:47,740 [lib.api.process] INFO: Successfully executed process from path "C:\Users\vagrant\AppData\Local\Temp\MalwareAnalysisSample.exe" with arguments "" with pid 7964
2024-07-14 12:41:47,740 [lib.api.process] INFO: Monitor config for <Process 7964 MalwareAnalysisSample.exe>: C:\tmppldvx8e6\dll\7964.ini
2024-07-14 12:41:47,755 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmppldvx8e6\dll\vAwqnp.dll, loader C:\tmppldvx8e6\bin\zrPsDgK.exe
2024-07-14 12:41:47,771 [root] DEBUG: Loader: Injecting process 7964 (thread 7968) with C:\tmppldvx8e6\dll\vAwqnp.dll.
2024-07-14 12:41:47,771 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2024-07-14 12:41:47,771 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2024-07-14 12:41:47,771 [root] DEBUG: Successfully injected DLL C:\tmppldvx8e6\dll\vAwqnp.dll.
2024-07-14 12:41:47,771 [lib.api.process] INFO: Injected into 32-bit <Process 7964 MalwareAnalysisSample.exe>
2024-07-14 12:41:49,797 [lib.api.process] INFO: Successfully resumed <Process 7964 MalwareAnalysisSample.exe>
2024-07-14 12:41:50,015 [root] DEBUG: 7964: Python path set to 'C:\Program Files (x86)\Python312-32'.
2024-07-14 12:41:50,015 [root] DEBUG: 7964: Dropped file limit defaulting to 100.
2024-07-14 12:41:50,047 [root] DEBUG: 7964: YaraInit: Compiled 39 rule files
2024-07-14 12:41:50,078 [root] DEBUG: 7964: YaraInit: Compiled rules saved to file C:\tmppldvx8e6\data\yara\capemon.yac
2024-07-14 12:41:50,078 [root] DEBUG: 7964: InternalYaraScan: Scanning 0x779C0000, size 0x1a21b8
2024-07-14 12:41:50,125 [root] DEBUG: 7964: YaraScan: Scanning 0x00B50000, size 0x1f0
2024-07-14 12:41:50,125 [root] DEBUG: 7964: AmsiDumper initialised.
2024-07-14 12:41:50,125 [root] DEBUG: 7964: Monitor initialised: 32-bit capemon loaded in process 7964 at 0x73040000, thread 7968, image base 0xb50000, stack from 0xef5000-0xf00000
2024-07-14 12:41:50,125 [root] DEBUG: 7964: Commandline: "C:\Users\vagrant\AppData\Local\Temp\MalwareAnalysisSample.exe"
2024-07-14 12:41:50,156 [root] DEBUG: 7964: hook_api: Warning - CreateRemoteThreadEx export address 0x76458442 differs from GetProcAddress -> 0x767A4340 (KERNELBASE.dll::0x124340)
2024-07-14 12:41:50,156 [root] DEBUG: 7964: hook_api: Warning - CoCreateInstance export address 0x766456BD differs from GetProcAddress -> 0x7766E3D0 (combase.dll::0xbe3d0)
2024-07-14 12:41:50,156 [root] DEBUG: 7964: hook_api: Warning - CoCreateInstanceEx export address 0x766456FC differs from GetProcAddress -> 0x776425F0 (combase.dll::0x925f0)
2024-07-14 12:41:50,156 [root] DEBUG: 7964: hook_api: Warning - CoGetClassObject export address 0x76645C8C differs from GetProcAddress -> 0x776426F0 (combase.dll::0x926f0)
2024-07-14 12:41:50,156 [root] DEBUG: 7964: hook_api: Warning - UpdateProcThreadAttribute export address 0x7645FD66 differs from GetProcAddress -> 0x7677C340 (KERNELBASE.dll::0xfc340)
2024-07-14 12:41:50,172 [root] DEBUG: 7964: hook_api: Warning - SetWindowLongW export address 0x760E3760 differs from GetProcAddress -> 0x74BD5740 (apphelp.dll::0x35740)
2024-07-14 12:41:50,172 [root] DEBUG: 7964: hook_api: Warning - EnumDisplayDevicesA export address 0x760D7890 differs from GetProcAddress -> 0x74BD64E0 (apphelp.dll::0x364e0)
2024-07-14 12:41:50,172 [root] DEBUG: 7964: hook_api: Warning - EnumDisplayDevicesW export address 0x760EDF00 differs from GetProcAddress -> 0x74BFE230 (apphelp.dll::0x5e230)
2024-07-14 12:41:50,172 [root] DEBUG: 7964: hook_api: Warning - CLSIDFromProgID export address 0x76644EF6 differs from GetProcAddress -> 0x776B78D0 (combase.dll::0x1078d0)
2024-07-14 12:41:50,172 [root] DEBUG: 7964: hook_api: Warning - CLSIDFromProgIDEx export address 0x76644F33 differs from GetProcAddress -> 0x776E60B0 (combase.dll::0x1360b0)
2024-07-14 12:41:50,188 [root] DEBUG: 7964: Hooked 490 functions
2024-07-14 12:41:50,188 [root] DEBUG: 7964: Syscall hook installed, syscall logging level 1
2024-07-14 12:41:50,188 [root] DEBUG: 7964: WoW64fix: Windows version 6.2 not supported.
2024-07-14 12:41:50,203 [root] INFO: Loaded monitor into process with pid 7964
2024-07-14 12:41:50,219 [root] DEBUG: 7964: DLL loaded at 0x72FB0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x8d000 bytes).
2024-07-14 12:41:50,250 [root] DEBUG: 7964: DLL loaded at 0x74B90000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2024-07-14 12:41:50,250 [root] DEBUG: 7964: DLL loaded at 0x752E0000: C:\Windows\SYSTEM32\VERSION (0x8000 bytes).
2024-07-14 12:41:50,312 [root] DEBUG: 7964: DLL loaded at 0x72690000: C:\Windows\SYSTEM32\ucrtbase_clr0400 (0xab000 bytes).
2024-07-14 12:41:50,312 [root] DEBUG: 7964: DLL loaded at 0x72740000: C:\Windows\SYSTEM32\VCRUNTIME140_CLR0400 (0x14000 bytes).
2024-07-14 12:41:50,312 [root] DEBUG: 7964: DLL loaded at 0x72760000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x847000 bytes).
2024-07-14 12:41:50,390 [root] INFO: Disabling sleep skipping.
2024-07-14 12:41:50,390 [root] DEBUG: 7964: AllocationHandler: Adding allocation to tracked region list: 0x02D23000, size: 0x1000.
2024-07-14 12:41:50,390 [root] DEBUG: 7964: GetEntropy: Error - Supplied address inaccessible: 0x02D20000
2024-07-14 12:41:50,390 [root] DEBUG: 7964: AddTrackedRegion: GetEntropy failed.
2024-07-14 12:41:50,406 [root] DEBUG: 7964: DLL loaded at 0x77240000: C:\Windows\System32\psapi (0x6000 bytes).
2024-07-14 12:41:50,468 [root] DEBUG: 7964: InstrumentationCallback: Added region at 0x76680000 to tracked regions list (thread 7968).
2024-07-14 12:41:50,468 [root] DEBUG: 7964: ProcessTrackedRegion: Region at 0x76680000 mapped as \Device\HarddiskVolume3\Windows\SysWOW64\KernelBase.dll, skipping
2024-07-14 12:41:50,515 [root] DEBUG: 7964: DLL loaded at 0x71280000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\01f6936167b38afa142d4ec8a8e5fb01\mscorlib.ni (0x140e000 bytes).
2024-07-14 12:41:50,546 [root] DEBUG: 7964: AllocationHandler: Adding allocation to tracked region list: 0x055B0000, size: 0x1000.
2024-07-14 12:41:50,546 [root] DEBUG: 7964: AddTrackedRegion: GetEntropy failed.
2024-07-14 12:41:50,546 [root] DEBUG: 7964: AllocationHandler: Processing previous tracked region at: 0x02D20000.
2024-07-14 12:41:50,546 [root] DEBUG: 7964: DumpPEsInRange: Scanning range 0x02D20000 - 0x02D20015.
2024-07-14 12:41:50,546 [root] DEBUG: 7964: ScanForDisguisedPE: Size too small: 0x15 bytes
2024-07-14 12:41:50,562 [lib.common.results] INFO: Uploading file C:\DFGlfijioB\CAPE\7964_109598585041314072024 to CAPE\9a6c30da35e9c09372ab3f1dab08fc1d5d6842ebeff7c07b4d17eff66bbc2338; Size is 21; Max size: 100000000
2024-07-14 12:41:50,562 [root] DEBUG: 7964: DumpMemory: Payload successfully created: C:\DFGlfijioB\CAPE\7964_109598585041314072024 (size 21 bytes)
2024-07-14 12:41:50,562 [root] DEBUG: 7964: DumpRegion: Dumped entire allocation from 0x02D20000, size 4096 bytes.
2024-07-14 12:41:50,562 [root] DEBUG: 7964: ProcessTrackedRegion: Dumped region at 0x02D20000.
2024-07-14 12:41:50,562 [root] DEBUG: 7964: YaraScan: Scanning 0x02D20000, size 0x15
2024-07-14 12:41:50,578 [root] DEBUG: 7964: DLL loaded at 0x75880000: C:\Windows\System32\bcryptPrimitives (0x5d000 bytes).
2024-07-14 12:41:50,594 [root] DEBUG: 7964: AllocationHandler: Adding allocation to tracked region list: 0x02D55000, size: 0x1000.
2024-07-14 12:41:50,594 [root] DEBUG: 7964: GetEntropy: Error - Supplied address inaccessible: 0x02D50000
2024-07-14 12:41:50,594 [root] DEBUG: 7964: AddTrackedRegion: GetEntropy failed.
2024-07-14 12:41:50,594 [root] DEBUG: 7964: AllocationHandler: Processing previous tracked region at: 0x055B0000.
2024-07-14 12:41:50,594 [root] DEBUG: 7964: DumpPEsInRange: Scanning range 0x055B0000 - 0x055B0112.
2024-07-14 12:41:50,594 [root] DEBUG: 7964: ScanForDisguisedPE: Size too small: 0x112 bytes
2024-07-14 12:41:50,594 [lib.common.results] INFO: Uploading file C:\DFGlfijioB\CAPE\7964_79685105041314072024 to CAPE\f02f88cfa24cbfb287e9c30e37dc5360f21b0f97ddd22fc58c9d6eedbbb1321f; Size is 274; Max size: 100000000
2024-07-14 12:41:50,609 [root] DEBUG: 7964: DumpMemory: Payload successfully created: C:\DFGlfijioB\CAPE\7964_79685105041314072024 (size 274 bytes)
2024-07-14 12:41:50,609 [root] DEBUG: 7964: DumpRegion: Dumped entire allocation from 0x055B0000, size 4096 bytes.
2024-07-14 12:41:50,609 [root] DEBUG: 7964: ProcessTrackedRegion: Dumped region at 0x055B0000.
2024-07-14 12:41:50,609 [root] DEBUG: 7964: YaraScan: Scanning 0x055B0000, size 0x112
2024-07-14 12:41:50,609 [root] DEBUG: 7964: AllocationHandler: Allocation already in tracked region list: 0x02D50000.
2024-07-14 12:41:50,609 [root] DEBUG: 7964: AllocationHandler: Allocation already in tracked region list: 0x02D50000.
2024-07-14 12:41:50,625 [root] DEBUG: 7964: DLL loaded at 0x774F0000: C:\Windows\System32\OLEAUT32 (0x96000 bytes).
2024-07-14 12:41:50,625 [root] DEBUG: 7964: hook_api: clrjit::compileMethod export address 0x711F3700 obtained via GetExportAddress
2024-07-14 12:41:50,625 [root] DEBUG: 7964: DLL loaded at 0x711F0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x8a000 bytes).
2024-07-14 12:41:50,672 [root] DEBUG: 7964: DLL loaded at 0x70790000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\827465c25133ff582ff7ddaf85635407\System.ni (0xa56000 bytes).
2024-07-14 12:41:50,703 [root] DEBUG: 7964: .NET JIT native cache at 0x055B0000: scans and dumps active.
2024-07-14 12:41:50,750 [root] DEBUG: 7964: AllocationHandler: Allocation already in tracked region list: 0x02D20000.
2024-07-14 12:41:50,804 [root] DEBUG: 7964: AllocationHandler: Adding allocation to tracked region list: 0x02D4A000, size: 0x1000.
2024-07-14 12:41:50,804 [root] DEBUG: 7964: GetEntropy: Error - Supplied address inaccessible: 0x02D40000
2024-07-14 12:41:50,804 [root] DEBUG: 7964: AddTrackedRegion: GetEntropy failed.
2024-07-14 12:41:50,804 [root] DEBUG: 7964: AllocationHandler: Processing previous tracked region at: 0x02D50000.
2024-07-14 12:41:50,804 [root] DEBUG: 7964: DumpPEsInRange: Scanning range 0x02D50000 - 0x02D5008C.
2024-07-14 12:41:50,819 [root] DEBUG: 7964: ScanForDisguisedPE: Size too small: 0x8c bytes
2024-07-14 12:41:50,835 [lib.common.results] INFO: Uploading file C:\DFGlfijioB\CAPE\7964_196175075041314072024 to CAPE\bb0ac6361cd09fc6e569ad8a9adea713b94765f4cb2654ccef30d0bb395d6a3e; Size is 140; Max size: 100000000
2024-07-14 12:41:50,851 [root] DEBUG: 7964: DumpMemory: Payload successfully created: C:\DFGlfijioB\CAPE\7964_196175075041314072024 (size 140 bytes)
2024-07-14 12:41:50,851 [root] DEBUG: 7964: DumpRegion: Dumped entire allocation from 0x02D50000, size 4096 bytes.
2024-07-14 12:41:50,851 [root] DEBUG: 7964: ProcessTrackedRegion: Dumped region at 0x02D50000.
2024-07-14 12:41:50,851 [root] DEBUG: 7964: YaraScan: Scanning 0x02D50000, size 0x8c
2024-07-14 12:41:50,851 [root] DEBUG: 7964: AllocationHandler: Allocation already in tracked region list: 0x02D40000.
2024-07-14 12:41:50,913 [root] DEBUG: 7964: DLL loaded at 0x6FF70000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\374ae62ebbde44ef97c7e898f1fdb21b\System.Core.ni (0x818000 bytes).
2024-07-14 12:41:50,913 [root] DEBUG: 7964: DLL loaded at 0x6FE60000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\b863adc9d550931e279ac7e2ee517d1f\System.Configuration.ni (0x106000 bytes).
2024-07-14 12:41:50,944 [root] DEBUG: 7964: AllocationHandler: Allocation already in tracked region list: 0x02D40000.
2024-07-14 12:41:50,960 [root] DEBUG: 7964: DLL loaded at 0x6F6E0000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\10879c5bddb2dd2399e2098d5ca5c9d1\System.Xml.ni (0x774000 bytes).
2024-07-14 12:41:50,991 [root] DEBUG: 7964: DLL loaded at 0x769A0000: C:\Windows\System32\shell32 (0x5b4000 bytes).
2024-07-14 12:41:50,991 [root] DEBUG: 7964: DLL loaded at 0x74C70000: C:\Windows\SYSTEM32\Wldp (0x24000 bytes).
2024-07-14 12:41:51,007 [root] DEBUG: 7964: DLL loaded at 0x74CA0000: C:\Windows\SYSTEM32\windows.storage (0x609000 bytes).
2024-07-14 12:41:51,007 [root] DEBUG: 7964: DLL loaded at 0x76FD0000: C:\Windows\System32\SHCORE (0x87000 bytes).
2024-07-14 12:41:51,022 [root] DEBUG: 7964: DLL loaded at 0x746D0000: C:\Windows\SYSTEM32\profapi (0x1d000 bytes).
2024-07-14 12:41:51,054 [root] DEBUG: 7964: DLL loaded at 0x746F0000: C:\Windows\SYSTEM32\CRYPTSP (0x13000 bytes).
2024-07-14 12:41:51,069 [root] DEBUG: 7964: DLL loaded at 0x6F6B0000: C:\Windows\system32\rsaenh (0x2f000 bytes).
2024-07-14 12:41:51,116 [root] DEBUG: 7964: api-rate-cap: NtReadVirtualMemory hook disabled due to rate
2024-07-14 12:41:51,163 [root] DEBUG: 7964: DLL loaded at 0x6F5A0000: C:\Windows\SYSTEM32\rasman (0x2b000 bytes).
2024-07-14 12:41:51,163 [root] DEBUG: 7964: DLL loaded at 0x6F5D0000: C:\Windows\SYSTEM32\rasapi32 (0xdb000 bytes).
2024-07-14 12:41:51,178 [root] DEBUG: 7964: DLL loaded at 0x6F580000: C:\Windows\SYSTEM32\rtutils (0x11000 bytes).
2024-07-14 12:41:51,210 [root] DEBUG: 7964: DLL loaded at 0x74620000: C:\Windows\system32\mswsock (0x52000 bytes).
2024-07-14 12:41:51,225 [root] DEBUG: 7964: DLL loaded at 0x753A0000: C:\Windows\SYSTEM32\winhttp (0xc2000 bytes).
2024-07-14 12:41:51,225 [root] DEBUG: 7964: DLL loaded at 0x6F560000: C:\Windows\system32\OnDemandConnRouteHelper (0x12000 bytes).
2024-07-14 12:41:51,225 [root] DEBUG: 7964: DLL loaded at 0x745E0000: C:\Windows\SYSTEM32\IPHLPAPI (0x32000 bytes).
2024-07-14 12:41:51,241 [root] DEBUG: 7964: DLL loaded at 0x76FC0000: C:\Windows\System32\NSI (0x7000 bytes).
2024-07-14 12:41:51,241 [root] DEBUG: 7964: DLL loaded at 0x74520000: C:\Windows\SYSTEM32\dhcpcsvc6 (0x14000 bytes).
2024-07-14 12:41:51,257 [root] DEBUG: 7964: DLL loaded at 0x74500000: C:\Windows\SYSTEM32\dhcpcsvc (0x16000 bytes).
2024-07-14 12:41:51,272 [root] DEBUG: 7964: AllocationHandler: Allocation already in tracked region list: 0x055B0000.
2024-07-14 12:41:51,288 [root] DEBUG: 7964: DLL loaded at 0x6F4E0000: C:\Windows\SYSTEM32\DNSAPI (0x92000 bytes).
2024-07-14 12:41:51,350 [root] DEBUG: 7964: DLL loaded at 0x745D0000: C:\Windows\SYSTEM32\WINNSI (0x8000 bytes).
2024-07-14 12:41:51,429 [root] DEBUG: 7964: DLL loaded at 0x6F4D0000: C:\Windows\System32\rasadhlp (0x8000 bytes).
2024-07-14 12:42:03,682 [root] DEBUG: 7964: DLL loaded at 0x6F3C0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader (0x105000 bytes).
2024-07-14 12:42:05,206 [root] DEBUG: 652: DLL loaded at 0x00007FFA81490000: C:\Windows\System32\OLEAUT32 (0xcd000 bytes).
2024-07-14 12:42:05,206 [root] DEBUG: 652: DLL loaded at 0x00007FFA80AC0000: C:\Windows\System32\cfgmgr32 (0x4e000 bytes).
2024-07-14 12:42:05,206 [root] DEBUG: 652: DLL loaded at 0x00007FFA804C0000: C:\Windows\system32\DEVOBJ (0x2c000 bytes).
2024-07-14 12:42:05,206 [root] DEBUG: 652: DLL loaded at 0x00007FFA71FD0000: C:\Windows\System32\ngcpopkeysrv (0x42000 bytes).
2024-07-14 12:42:05,221 [root] DEBUG: 652: DLL loaded at 0x00007FFA7F530000: C:\Windows\SYSTEM32\ntmarta (0x33000 bytes).
2024-07-14 12:42:05,221 [root] DEBUG: 652: DLL loaded at 0x00007FFA603B0000: C:\Windows\system32\PCPKsp (0x118000 bytes).
2024-07-14 12:42:05,237 [root] DEBUG: 652: DLL loaded at 0x00007FFA81470000: C:\Windows\System32\imagehlp (0x1d000 bytes).
2024-07-14 12:42:05,237 [root] DEBUG: 652: DLL loaded at 0x00007FFA73520000: C:\Windows\system32\tbs (0x1b000 bytes).
2024-07-14 12:42:17,446 [root] INFO: Process with pid 7964 has terminated
2024-07-14 12:42:17,446 [root] DEBUG: 7964: NtTerminateProcess hook: Attempting to dump process 7964
2024-07-14 12:42:17,478 [root] DEBUG: 7964: VerifyCodeSection: Executable code does not match, 0xd46 of 0xd47 matching
2024-07-14 12:42:17,509 [root] DEBUG: 7964: DoProcessDump: Code modification detected, dumping Imagebase at 0x00B50000.
2024-07-14 12:42:17,509 [root] DEBUG: 7964: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2024-07-14 12:42:17,524 [root] DEBUG: 7964: DumpProcess: Instantiating PeParser with address: 0x00B50000.
2024-07-14 12:42:17,540 [root] DEBUG: 7964: DumpProcess: Module entry point VA is 0x00002D42.
2024-07-14 12:42:17,540 [root] DEBUG: 7964: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed offset 0xb52000, section 1
2024-07-14 12:42:17,540 [root] DEBUG: 7964: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed offset 0xb54000, section 2
2024-07-14 12:42:17,556 [root] DEBUG: 7964: CAPEExceptionFilter: Exception 0xc0000005 accessing 0xd44 caught at RVA 0x1468e in capemon (expected in memory scans), passing to next handler.
2024-07-14 12:42:17,556 [root] DEBUG: 7964: reBasePEImage: Exception rebasing image from 0x00B50000 to 0x00400000.
2024-07-14 12:42:17,571 [root] DEBUG: 7964: readPeSectionsFromProcess: Failed to relocate image back to header image base 0x00400000.
2024-07-14 12:42:17,587 [lib.common.results] INFO: Uploading file C:\DFGlfijioB\CAPE\7964_75628951722814072024 to procdump\16cb6d904a71f6fbda1a9bf1e96813c58e7bdb6f6e77e04a2c1aa65ce327d3e3; Size is 1536; Max size: 100000000
2024-07-14 12:42:17,587 [root] DEBUG: 7964: DumpProcess: Module image dump success - dump size 0x600.
2024-07-14 12:42:17,602 [root] DEBUG: 7964: DumpInterestingRegions: Dumping .NET JIT native cache at 0x055B0000.
2024-07-14 12:42:17,602 [lib.common.results] INFO: Uploading file C:\DFGlfijioB\CAPE\7964_145196381722814072024 to CAPE\72a9dc93913007f3e63b9efdb8ad19f3854b6fc1057f4dc81ebb120cfc08045e; Size is 4138; Max size: 100000000
2024-07-14 12:42:17,618 [root] DEBUG: 7964: DumpMemory: Payload successfully created: C:\DFGlfijioB\CAPE\7964_145196381722814072024 (size 4138 bytes)
2024-07-14 12:42:17,618 [root] DEBUG: 7964: DumpPEsInRange: Scanning range 0x02D40000 - 0x02D4008C.
2024-07-14 12:42:17,618 [root] DEBUG: 7964: ScanForDisguisedPE: Size too small: 0x8c bytes
2024-07-14 12:42:17,634 [lib.common.results] INFO: Uploading file C:\DFGlfijioB\CAPE\7964_15038481722814072024 to CAPE\b4c15aa1b5332bb2e9a30f55f16af3469c8641951b6e1b462086601c4e4763bf; Size is 140; Max size: 100000000
2024-07-14 12:42:17,634 [root] DEBUG: 7964: DumpMemory: Payload successfully created: C:\DFGlfijioB\CAPE\7964_15038481722814072024 (size 140 bytes)
2024-07-14 12:42:17,634 [root] DEBUG: 7964: DumpRegion: Dumped entire allocation from 0x02D40000, size 4096 bytes.
2024-07-14 12:42:17,649 [root] DEBUG: 7964: ProcessTrackedRegion: Dumped region at 0x02D40000.
2024-07-14 12:42:17,649 [root] DEBUG: 7964: YaraScan: Scanning 0x02D40000, size 0x8c
2024-07-14 12:42:23,239 [root] INFO: Process list is empty, terminating analysis
2024-07-14 12:42:24,241 [root] INFO: Created shutdown mutex
2024-07-14 12:42:25,253 [root] INFO: Shutting down package
2024-07-14 12:42:25,253 [root] INFO: Stopping auxiliary modules
2024-07-14 12:42:25,253 [root] INFO: Stopping auxiliary module: AMSICollector
2024-07-14 12:42:25,253 [root] INFO: Stopping auxiliary module: Browser
2024-07-14 12:42:25,253 [root] INFO: Stopping auxiliary module: Curtain
2024-07-14 12:42:25,834 [lib.common.results] INFO: Uploading file C:\curtain.log to curtain/1720928545.834706.curtain.log; Size is 12752012; Max size: 100000000
2024-07-14 12:42:25,959 [root] INFO: Stopping auxiliary module: Evtx
2024-07-14 12:42:25,959 [root] INFO: Stopping auxiliary module: FilePickup
2024-07-14 12:42:25,959 [root] INFO: Stopping auxiliary module: HtmlScraper
2024-07-14 12:42:25,959 [root] INFO: Stopping auxiliary module: Human
2024-07-14 12:42:30,996 [root] INFO: Stopping auxiliary module: Pre_script
2024-07-14 12:42:30,996 [root] INFO: Stopping auxiliary module: Procmon
2024-07-14 12:42:30,996 [root] INFO: Stopping auxiliary module: Screenshots
2024-07-14 12:42:31,289 [root] INFO: Stopping auxiliary module: Sysmon
2024-07-14 12:42:31,304 [root] WARNING: Cannot terminate auxiliary module Sysmon: Thread.__init__() not called
2024-07-14 12:42:31,304 [root] INFO: Stopping auxiliary module: Usage
2024-07-14 12:42:31,304 [root] INFO: Stopping auxiliary module: During_script
2024-07-14 12:42:31,304 [root] INFO: Finishing auxiliary modules
2024-07-14 12:42:31,304 [root] INFO: Shutting down pipe server and dumping dropped files
2024-07-14 12:42:31,304 [root] WARNING: Folder at path "C:\DFGlfijioB\debugger" does not exist, skipping
2024-07-14 12:42:31,304 [root] WARNING: Folder at path "C:\DFGlfijioB\tlsdump" does not exist, skipping
2024-07-14 12:42:31,304 [root] INFO: Analysis completed
doomedraven commented 3 months ago

ups, thanks for the heads-up, fixed here https://github.com/kevoreilly/CAPEv2/pull/2227

t-mtsmt commented 3 months ago

This issue has not yet been resolved. When I submitted a sample program, I selected "inetsim", but when I look at the analysis results, I see "false" instead of "inetsim".


doomedraven commented 3 months ago

ok, do git pull again, sorry there were many expected args, so I have moved it to kwargs instead of args, and did a test
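
The failure mode behind the fix above, as an added example that is not CAPE's own code: a submission helper with a long positional parameter list gets a new parameter inserted, a caller still written against the old order keeps running, and the value meant for `route` ("inetsim") silently lands in the wrong slot, whereas keyword-only parameters make the same stale call fail loudly. Every function, parameter and route name here is a hypothetical stand-in; the real helper and its valid route list are not on the page.

```python
"""Added example (not CAPE's own code): why a positional-args helper can
turn a selected "inetsim" route into the default route without any error,
and how a keyword-only signature rejects the same stale call instead.
All names here are hypothetical stand-ins for the real submission helper."""


def add_task_positional(target, package, timeout, options,
                        enforce_timeout=False, route="none"):
    """'Before' shape: `enforce_timeout` was inserted in front of `route`.
    Nothing warns a caller that still passes the route as the 5th value."""
    return {
        "target": target, "package": package, "timeout": timeout,
        "options": options, "enforce_timeout": enforce_timeout, "route": route,
    }


def submit_old_style(target):
    """Caller written before the insertion: it intends route="inetsim",
    but "inetsim" now fills `enforce_timeout` and `route` keeps its default."""
    return add_task_positional(target, "exe", 200, "", "inetsim")


# Constructed route list for the example; the real set is not on the page.
VALID_ROUTES = {"none", "internet", "inetsim"}


def add_task_kw(target, *, package="exe", timeout=200, options="",
                enforce_timeout=False, route="none"):
    """'After' shape: everything past `target` is keyword-only (the bare `*`),
    so adding a parameter cannot shift the others, and an unknown route is
    rejected rather than stored."""
    if route not in VALID_ROUTES:
        raise ValueError(f"unknown route {route!r}")
    return {
        "target": target, "package": package, "timeout": timeout,
        "options": options, "enforce_timeout": enforce_timeout, "route": route,
    }


def submit_new_style(target):
    """Same intent in keyword form: the route arrives where it was meant to."""
    return add_task_kw(target, package="exe", timeout=200, route="inetsim")


def stale_positional_call_is_rejected(target):
    """The old-style call against the keyword-only signature raises TypeError
    instead of silently misplacing the route."""
    try:
        add_task_kw(target, "exe", 200, "", "inetsim")
    except TypeError:
        return True
    return False


def unknown_route_is_rejected(target):
    """A route outside VALID_ROUTES is refused up front."""
    try:
        add_task_kw(target, route="bogus")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("positional:", submit_old_style("sample.exe"))  # route ends up "none"
    print("keyword:   ", submit_new_style("sample.exe"))  # route is "inetsim"
    print("stale call rejected:", stale_positional_call_is_rejected("sample.exe"))
```
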

t-mtsmt commented 3 months ago

Thank you very much. It is now working correctly.

doomedraven commented 3 months ago

thanks for the heads-up, those new "features" :D