kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

Analysis still in "processing" status, no report generated #223

Closed quentains closed 4 years ago

quentains commented 4 years ago

Expected Behavior

The task is in "reported" status with a viewable report in the web interface.

Current Behavior

The analysis runs fine according to the logs (I think?), but no report is generated (not even in the /storage folder). The task status is always set to "processing" after the analysis.

Logs

Cuckoo command


   _______ _     _ _______ _     _  _____   _____
   |       |     | |       |____/  |     | |     |
   |_____  |_____| |_____  |    \_ |_____| |_____|

 Cuckoo Sandbox 2.1-CAPE
 www.cuckoosandbox.org
 Copyright (c) 2010-2015

 CAPE: Config and Payload Extraction
 github.com/kevoreilly/CAPEv2

2020-07-06 08:52:53,728 [root] DEBUG: Importing modules...
2020-07-06 08:52:53,761 [volatility.framework.interfaces.layers] DEBUG: Imported python-magic, autodetecting compressed files based on content
2020-07-06 08:52:54,648 [root] DEBUG: Imported "auxiliary" modules:
2020-07-06 08:52:54,648 [root] DEBUG:    `-- Sniffer
2020-07-06 08:52:54,648 [root] DEBUG: Imported "processing" modules:
2020-07-06 08:52:54,648 [root] DEBUG:    |-- CAPE
2020-07-06 08:52:54,648 [root] DEBUG:    |-- AnalysisInfo
2020-07-06 08:52:54,649 [root] DEBUG:    |-- BehaviorAnalysis
2020-07-06 08:52:54,649 [root] DEBUG:    |-- Curtain
2020-07-06 08:52:54,649 [root] DEBUG:    |-- Debug
2020-07-06 08:52:54,649 [root] DEBUG:    |-- Decompression
2020-07-06 08:52:54,649 [root] DEBUG:    |-- Deduplicate
2020-07-06 08:52:54,649 [root] DEBUG:    |-- Dropped
2020-07-06 08:52:54,649 [root] DEBUG:    |-- MMBot
2020-07-06 08:52:54,649 [root] DEBUG:    |-- Memory
2020-07-06 08:52:54,650 [root] DEBUG:    |-- NetworkAnalysis
2020-07-06 08:52:54,650 [root] DEBUG:    |-- ProcDump
2020-07-06 08:52:54,650 [root] DEBUG:    |-- ProcessMemory
2020-07-06 08:52:54,650 [root] DEBUG:    |-- Procmon
2020-07-06 08:52:54,650 [root] DEBUG:    |-- Static
2020-07-06 08:52:54,650 [root] DEBUG:    |-- Strings
2020-07-06 08:52:54,650 [root] DEBUG:    |-- Suricata
2020-07-06 08:52:54,650 [root] DEBUG:    |-- Sysmon
2020-07-06 08:52:54,650 [root] DEBUG:    |-- TargetInfo
2020-07-06 08:52:54,651 [root] DEBUG:    |-- TrID
2020-07-06 08:52:54,651 [root] DEBUG:    |-- Usage
2020-07-06 08:52:54,651 [root] DEBUG:    `-- VirusTotal
2020-07-06 08:52:54,651 [root] DEBUG: Imported "signatures" modules:
2020-07-06 08:52:54,651 [root] DEBUG:    |-- CAPEDetectedThreat
2020-07-06 08:52:54,651 [root] DEBUG:    |-- CAPE_Compression
2020-07-06 08:52:54,651 [root] DEBUG:    |-- CAPE_Decryption
2020-07-06 08:52:54,651 [root] DEBUG:    |-- CAPE_Doppelganging
2020-07-06 08:52:54,651 [root] DEBUG:    |-- CAPE_EvilGrab
2020-07-06 08:52:54,652 [root] DEBUG:    |-- CAPE_Injection
2020-07-06 08:52:54,652 [root] DEBUG:    |-- CAPE_InjectionCreateRemoteThread
2020-07-06 08:52:54,652 [root] DEBUG:    |-- CAPE_InjectionProcessHollowing
2020-07-06 08:52:54,652 [root] DEBUG:    |-- CAPE_InjectionSetWindowLong
2020-07-06 08:52:54,652 [root] DEBUG:    |-- CAPE_PlugX
2020-07-06 08:52:54,652 [root] DEBUG:    |-- CAPE_RegBinary
2020-07-06 08:52:54,652 [root] DEBUG:    |-- CAPE_TransactedHollowing
2020-07-06 08:52:54,652 [root] DEBUG:    |-- CAPE_Unpacker
2020-07-06 08:52:54,653 [root] DEBUG:    |-- CAPEExtractedContent
2020-07-06 08:52:54,653 [root] DEBUG:    `-- NetworkHTTPS
2020-07-06 08:52:54,653 [root] DEBUG: Imported "reporting" modules:
2020-07-06 08:52:54,653 [root] DEBUG:    |-- BinGraph
2020-07-06 08:52:54,653 [root] DEBUG:    |-- CALLBACKHOME
2020-07-06 08:52:54,653 [root] DEBUG:    |-- Compression
2020-07-06 08:52:54,653 [root] DEBUG:    |-- CompressResults
2020-07-06 08:52:54,653 [root] DEBUG:    |-- JsonDump
2020-07-06 08:52:54,653 [root] DEBUG:    |-- MAEC41Report
2020-07-06 08:52:54,654 [root] DEBUG:    |-- MaecReport
2020-07-06 08:52:54,654 [root] DEBUG:    |-- MISP
2020-07-06 08:52:54,654 [root] DEBUG:    |-- MITRE_TTPS
2020-07-06 08:52:54,654 [root] DEBUG:    |-- MongoDB
2020-07-06 08:52:54,654 [root] DEBUG:    |-- RAMFSCLEAN
2020-07-06 08:52:54,654 [root] DEBUG:    |-- ReportHTML
2020-07-06 08:52:54,654 [root] DEBUG:    |-- ReportHTMLSummary
2020-07-06 08:52:54,654 [root] DEBUG:    |-- ReportPDF
2020-07-06 08:52:54,654 [root] DEBUG:    |-- ReSubmitExtractedEXE
2020-07-06 08:52:54,655 [root] DEBUG:    |-- Retention
2020-07-06 08:52:54,655 [root] DEBUG:    |-- SubmitCAPE
2020-07-06 08:52:54,655 [root] DEBUG:    `-- Syslog
2020-07-06 08:52:54,655 [root] DEBUG: Imported "machinery" modules:
2020-07-06 08:52:54,655 [root] DEBUG:    `-- KVM
2020-07-06 08:52:54,655 [root] DEBUG: Checking for locked tasks...
2020-07-06 08:52:54,909 [root] DEBUG: Initializing Yara...
2020-07-06 08:52:54,915 [root] DEBUG:    |-- binaries HeavensGate.yar
2020-07-06 08:52:54,930 [root] DEBUG:    |-- CAPE AgentTesla.yar
2020-07-06 08:52:54,930 [root] DEBUG:    |-- CAPE Arkei.yar
2020-07-06 08:52:54,930 [root] DEBUG:    |-- CAPE AsyncRat.yar
2020-07-06 08:52:54,930 [root] DEBUG:    |-- CAPE Atlas.yar
2020-07-06 08:52:54,930 [root] DEBUG:    |-- CAPE Azer.yar
2020-07-06 08:52:54,930 [root] DEBUG:    |-- CAPE Azorult.yar
2020-07-06 08:52:54,930 [root] DEBUG:    |-- CAPE BadRabbit.yar
2020-07-06 08:52:54,931 [root] DEBUG:    |-- CAPE BitPaymer.yar
2020-07-06 08:52:54,931 [root] DEBUG:    |-- CAPE Cerber.yar
2020-07-06 08:52:54,931 [root] DEBUG:    |-- CAPE Clop.yar
2020-07-06 08:52:54,931 [root] DEBUG:    |-- CAPE CobaltStrikeBeacon.yar
2020-07-06 08:52:54,931 [root] DEBUG:    |-- CAPE Codoso.yar
2020-07-06 08:52:54,931 [root] DEBUG:    |-- CAPE Cryptoshield.yar
2020-07-06 08:52:54,931 [root] DEBUG:    |-- CAPE DoppelPaymer.yar
2020-07-06 08:52:54,931 [root] DEBUG:    |-- CAPE Dreambot.yar
2020-07-06 08:52:54,932 [root] DEBUG:    |-- CAPE DridexLoader.yar
2020-07-06 08:52:54,932 [root] DEBUG:    |-- CAPE DridexV4.yar
2020-07-06 08:52:54,932 [root] DEBUG:    |-- CAPE Emotet.yar
2020-07-06 08:52:54,932 [root] DEBUG:    |-- CAPE Emotet_Loader.yar
2020-07-06 08:52:54,932 [root] DEBUG:    |-- CAPE EternalRomance.yar
2020-07-06 08:52:54,932 [root] DEBUG:    |-- CAPE Fareit.yar
2020-07-06 08:52:54,932 [root] DEBUG:    |-- CAPE Gandcrab.yar
2020-07-06 08:52:54,932 [root] DEBUG:    |-- CAPE Gootkit.yar
2020-07-06 08:52:54,932 [root] DEBUG:    |-- CAPE Hancitor.yar
2020-07-06 08:52:54,933 [root] DEBUG:    |-- CAPE Hermes.yar
2020-07-06 08:52:54,933 [root] DEBUG:    |-- CAPE IcedID.yar
2020-07-06 08:52:54,933 [root] DEBUG:    |-- CAPE Imminent.yar
2020-07-06 08:52:54,933 [root] DEBUG:    |-- CAPE Jaff.yar
2020-07-06 08:52:54,933 [root] DEBUG:    |-- CAPE Kovter.yar
2020-07-06 08:52:54,933 [root] DEBUG:    |-- CAPE Kronos.yar
2020-07-06 08:52:54,933 [root] DEBUG:    |-- CAPE Lockbit.yar
2020-07-06 08:52:54,933 [root] DEBUG:    |-- CAPE Locky.yar
2020-07-06 08:52:54,933 [root] DEBUG:    |-- CAPE Loki.yar
2020-07-06 08:52:54,934 [root] DEBUG:    |-- CAPE Magniber.yar
2020-07-06 08:52:54,934 [root] DEBUG:    |-- CAPE MegaCortex.yar
2020-07-06 08:52:54,934 [root] DEBUG:    |-- CAPE Mole.yar
2020-07-06 08:52:54,934 [root] DEBUG:    |-- CAPE NanoLocker.yar
2020-07-06 08:52:54,934 [root] DEBUG:    |-- CAPE Nemty.yar
2020-07-06 08:52:54,934 [root] DEBUG:    |-- CAPE NetTraveler.yar
2020-07-06 08:52:54,934 [root] DEBUG:    |-- CAPE OlympicDestroyer.yar
2020-07-06 08:52:54,934 [root] DEBUG:    |-- CAPE PetrWrap.yar
2020-07-06 08:52:54,934 [root] DEBUG:    |-- CAPE Petya.yar
2020-07-06 08:52:54,935 [root] DEBUG:    |-- CAPE Phorpiex.yar
2020-07-06 08:52:54,935 [root] DEBUG:    |-- CAPE QakBot.yar
2020-07-06 08:52:54,935 [root] DEBUG:    |-- CAPE RCSession.yar
2020-07-06 08:52:54,935 [root] DEBUG:    |-- CAPE Ramnit.yar
2020-07-06 08:52:54,935 [root] DEBUG:    |-- CAPE Remcos.yar
2020-07-06 08:52:54,935 [root] DEBUG:    |-- CAPE RokRat.yar
2020-07-06 08:52:54,935 [root] DEBUG:    |-- CAPE Ryuk.yar
2020-07-06 08:52:54,935 [root] DEBUG:    |-- CAPE Scarab.yar
2020-07-06 08:52:54,935 [root] DEBUG:    |-- CAPE Sedreco.yar
2020-07-06 08:52:54,936 [root] DEBUG:    |-- CAPE Seduploader.yar
2020-07-06 08:52:54,936 [root] DEBUG:    |-- CAPE TClient.yar
2020-07-06 08:52:54,936 [root] DEBUG:    |-- CAPE TSCookie.yar
2020-07-06 08:52:54,936 [root] DEBUG:    |-- CAPE TrickBot.yar
2020-07-06 08:52:54,936 [root] DEBUG:    |-- CAPE Ursnif.yar
2020-07-06 08:52:54,936 [root] DEBUG:    |-- CAPE Ursnif3.yar
2020-07-06 08:52:54,936 [root] DEBUG:    |-- CAPE Varenyky.yar
2020-07-06 08:52:54,936 [root] DEBUG:    |-- CAPE Vidar.yar
2020-07-06 08:52:54,936 [root] DEBUG:    |-- CAPE WanaCry.yar
2020-07-06 08:52:54,937 [root] DEBUG:    |-- CAPE ZeroT.yar
2020-07-06 08:52:54,937 [root] DEBUG:    |-- CAPE ZeusPanda.yar
2020-07-06 08:52:54,937 [root] DEBUG:    |-- CAPE Zloader.yar
2020-07-06 08:52:54,937 [root] DEBUG:    |-- CAPE tRat.yar
2020-07-06 08:52:54,940 [lib.cuckoo.core.scheduler] INFO: Using "kvm" machine manager with max_analysis_count=0, max_machines_count=10, and max_vmstartup_count=5
2020-07-06 08:52:54,961 [lib.cuckoo.common.abstracts] DEBUG: Getting status for cuckoo1
2020-07-06 08:52:54,976 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2020-07-06 08:52:54,983 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
2020-07-06 08:53:13,611 [lib.cuckoo.core.scheduler] DEBUG: Task #37: Processing task
2020-07-06 08:53:13,615 [lib.cuckoo.core.scheduler] INFO: Task #37: Starting analysis of FILE '/tmp/cuckoo-tmp/upload__imo768y/sample1.exe'
2020-07-06 08:53:13,636 [lib.cuckoo.core.scheduler] INFO: Task #37: File already exists at '/home/cape/CAPEv2/storage/binaries/7ff651aa9581a2cb706e1aeb7957f06a70a6718abd0a6449a039006e9eff06dc'
2020-07-06 08:53:13,654 [lib.cuckoo.core.scheduler] INFO: Task #37: acquired machine cuckoo1 (label=cuckoo1, platform=windows)
2020-07-06 08:53:14,288 [root] DEBUG: Now tracking machine 192.168.100.100 for task #37
2020-07-06 08:53:14,304 [lib.cuckoo.common.abstracts] DEBUG: Starting machine cuckoo1
2020-07-06 08:53:14,304 [lib.cuckoo.common.abstracts] DEBUG: Getting status for cuckoo1
2020-07-06 08:53:14,330 [lib.cuckoo.common.abstracts] DEBUG: Using snapshot snapshot1 for virtual machine cuckoo1
2020-07-06 08:53:22,486 [lib.cuckoo.common.abstracts] DEBUG: Getting status for cuckoo1
2020-07-06 08:53:22,562 [lib.cuckoo.core.scheduler] INFO: Enabled route 'none'
2020-07-06 08:53:22,586 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 22325 (interface=virbr1, host=192.168.100.100, dump path=/home/cape/CAPEv2/storage/analyses/37/dump.pcap)
2020-07-06 08:53:22,587 [lib.cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2020-07-06 08:53:22,606 [lib.cuckoo.core.guest] INFO: Starting analysis #37 on guest (id=cuckoo1, ip=192.168.100.100)
2020-07-06 08:53:22,749 [lib.cuckoo.core.guest] INFO: Guest is running CAPE Agent 0.11 (id=cuckoo1, ip=192.168.100.100)
2020-07-06 08:53:22,920 [lib.cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=cuckoo1, ip=192.168.100.100, size=17049934)
2020-07-06 08:53:28,001 [lib.cuckoo.core.guest] INFO: Uploading support files to guest (id=cuckoo1, ip=192.168.100.100)
2020-07-06 08:53:31,385 [root] DEBUG: Task #37: live log analysis.log initialized.
2020-07-06 08:53:33,234 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis #37 is still running
2020-07-06 08:53:38,345 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis #37 is still running
2020-07-06 08:53:43,452 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis #37 is still running
2020-07-06 08:53:46,193 [root] DEBUG: Task #37: File upload for b'aux/DigiSig.json'
2020-07-06 08:53:46,196 [root] DEBUG: Task #37 uploaded file length: 198
2020-07-06 08:53:46,479 [root] DEBUG: Task #37: File upload for b'aux/usage.log'
2020-07-06 08:53:48,335 [root] DEBUG: Task #37: File upload for b'shots/0001.jpg'
2020-07-06 08:53:48,357 [root] DEBUG: Task #37 uploaded file length: 37000
2020-07-06 08:53:48,546 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis #37 is still running
2020-07-06 08:53:53,683 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis #37 is still running
2020-07-06 08:53:57,138 [root] DEBUG: Task #37 is sending a BSON stream. For pid 2104
2020-07-06 08:53:58,781 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis #37 is still running
2020-07-06 08:54:02,479 [root] DEBUG: Task #37: File upload for b'procdump/759cb7ef868b6289a5a8c89929feac52b8fa39bd1a483d44b7767655e90da228'
2020-07-06 08:54:02,525 [root] DEBUG: Task #37 uploaded file length: 800768
2020-07-06 08:54:03,864 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis #37 is still running
2020-07-06 08:54:08,939 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis #37 is still running
2020-07-06 08:54:14,093 [lib.cuckoo.core.guest] INFO: cuckoo1: analysis completed successfully
2020-07-06 08:54:14,124 [lib.cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2020-07-06 08:54:14,132 [lib.cuckoo.common.abstracts] DEBUG: Stopping machine cuckoo1
2020-07-06 08:54:14,133 [lib.cuckoo.common.abstracts] DEBUG: Getting status for cuckoo1
2020-07-06 08:54:15,018 [lib.cuckoo.common.abstracts] DEBUG: Getting status for cuckoo1
2020-07-06 08:54:15,057 [root] DEBUG: Stopped tracking machine 192.168.100.100 for task #37
2020-07-06 08:54:15,058 [root] DEBUG: Cancel <Context for b'BSON'> for task 37
2020-07-06 08:54:15,058 [root] DEBUG: Cancel <Context for b'LOG'> for task 37
2020-07-06 08:54:15,058 [root] DEBUG: Cancel <Context for b'FILE'> for task 37
2020-07-06 08:54:15,059 [root] DEBUG: Task #37 uploaded file length: 60
2020-07-06 08:54:15,134 [lib.cuckoo.core.scheduler] DEBUG: Task #37: Released database task with status True
2020-07-06 08:54:15,134 [lib.cuckoo.core.scheduler] INFO: Task #37: analysis procedure completed

Agent analysis.log

2020-07-03 11:40:35,976 [root] INFO: Date set to: 20200706T08:53:12, timeout set to: 200
2020-07-06 08:53:13,221 [root] DEBUG: Starting analyzer from: C:\tmp4ch12i9a
2020-07-06 08:53:13,595 [root] DEBUG: Storing results at: C:\qiWkDPrmMb
2020-07-06 08:53:13,922 [root] DEBUG: Pipe server name: \\.\PIPE\nbnoNjykF
2020-07-06 08:53:14,364 [root] DEBUG: Python path: C:\Program Files (x86)\Python38-32
2020-07-06 08:53:14,505 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-07-06 08:53:17,672 [root] INFO: Automatically selected analysis package "exe"
2020-07-06 08:53:17,719 [root] DEBUG: Trying to import analysis package "exe"...
2020-07-06 08:53:20,063 [root] DEBUG: Imported analysis package "exe".
2020-07-06 08:53:20,182 [root] DEBUG: Trying to initialize analysis package "exe"...
2020-07-06 08:53:20,375 [root] DEBUG: Initialized analysis package "exe".
2020-07-06 08:53:20,947 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-07-06 08:53:21,032 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-07-06 08:53:21,102 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-07-06 08:53:21,224 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-07-06 08:53:21,241 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-07-06 08:53:21,333 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-07-06 08:53:21,473 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-07-06 08:53:22,047 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-07-06 08:53:22,110 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-07-06 08:53:22,266 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-07-06 08:53:22,320 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-07-06 08:53:22,376 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-07-06 08:53:22,408 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-07-06 08:53:22,408 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-07-06 08:53:22,442 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-07-06 08:53:22,462 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-07-06 08:53:22,469 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-07-06 08:53:22,532 [lib.api.screenshot] DEBUG: Importing 'math'
2020-07-06 08:53:22,563 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-07-06 08:53:22,774 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-07-06 08:53:22,860 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-07-06 08:53:22,926 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-07-06 08:53:23,043 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-07-06 08:53:23,047 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-07-06 08:53:23,176 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-07-06 08:53:23,235 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-07-06 08:53:23,298 [root] DEBUG: Initialized auxiliary module "Browser".
2020-07-06 08:53:23,328 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-07-06 08:53:23,438 [root] DEBUG: Started auxiliary module Browser
2020-07-06 08:53:23,508 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-07-06 08:53:23,577 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-07-06 08:53:23,667 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-07-06 08:53:23,713 [root] DEBUG: Started auxiliary module Curtain
2020-07-06 08:53:23,719 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-07-06 08:53:23,719 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-07-06 08:53:23,719 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-07-06 08:53:23,719 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-07-06 08:53:26,672 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-07-06 08:53:26,672 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-07-06 08:53:26,707 [root] DEBUG: Started auxiliary module DigiSig
2020-07-06 08:53:26,707 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-07-06 08:53:26,707 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-07-06 08:53:26,707 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-07-06 08:53:26,707 [root] DEBUG: Started auxiliary module Disguise
2020-07-06 08:53:26,707 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-07-06 08:53:26,707 [root] DEBUG: Initialized auxiliary module "Human".
2020-07-06 08:53:26,707 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-07-06 08:53:26,707 [root] DEBUG: Started auxiliary module Human
2020-07-06 08:53:26,707 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-07-06 08:53:26,902 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-07-06 08:53:26,913 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-07-06 08:53:26,928 [root] DEBUG: Started auxiliary module Screenshots
2020-07-06 08:53:26,928 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-07-06 08:53:26,944 [root] DEBUG: Initialized auxiliary module "Usage".
2020-07-06 08:53:26,944 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-07-06 08:53:26,975 [root] DEBUG: Started auxiliary module Usage
2020-07-06 08:53:26,975 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-07-06 08:53:27,001 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-07-06 08:53:27,051 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-07-06 08:53:27,082 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-07-06 08:53:29,425 [lib.api.process] INFO: Successfully executed process from path "C:\Users\capev2\AppData\Local\Temp\sample1.exe" with arguments "" with pid 2104
2020-07-06 08:53:29,425 [lib.api.process] INFO: Monitor config for process 2104: C:\tmp4ch12i9a\dll\2104.ini
2020-07-06 08:53:29,454 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp4ch12i9a\dll\UWlirCU.dll, loader C:\tmp4ch12i9a\bin\ZjvjGfU.exe
2020-07-06 08:53:30,192 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nbnoNjykF.
2020-07-06 08:53:30,333 [root] DEBUG: Loader: Injecting process 2104 (thread 6348) with C:\tmp4ch12i9a\dll\UWlirCU.dll.
2020-07-06 08:53:30,351 [root] DEBUG: Process image base: 0x00400000
2020-07-06 08:53:30,364 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp4ch12i9a\dll\UWlirCU.dll.
2020-07-06 08:53:30,392 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-07-06 08:53:30,392 [root] DEBUG: Successfully injected DLL C:\tmp4ch12i9a\dll\UWlirCU.dll.
2020-07-06 08:53:30,454 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2104
2020-07-06 08:53:32,520 [lib.api.process] INFO: Successfully resumed process with pid 2104
2020-07-06 08:53:36,061 [root] DEBUG: Python path set to 'C:\Program Files (x86)\Python38-32'.
2020-07-06 08:53:37,022 [root] DEBUG: Dropped file limit defaulting to 100.
2020-07-06 08:53:37,892 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-07-06 08:53:38,470 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2104 at 0x6f860000, image base 0x400000, stack from 0x196000-0x1a0000
2020-07-06 08:53:38,770 [root] DEBUG: Commandline: C:\Users\capev2\AppData\Local\Temp\"C:\Users\capev2\AppData\Local\Temp\sample1.exe".
2020-07-06 08:53:39,392 [root] INFO: Loaded monitor into process with pid 2104
2020-07-06 08:53:40,023 [root] DEBUG: DLL loaded at 0x74590000: C:\Windows\system32\uxtheme (0x74000 bytes).
2020-07-06 08:53:40,455 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x248 amd local view 0x77320000 to global list.
2020-07-06 08:53:40,785 [root] DEBUG: DLL loaded at 0x77320000: C:\Windows\System32\MSCTF (0xd2000 bytes).
2020-07-06 08:53:41,058 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x250 amd local view 0x03B30000 to global list.
2020-07-06 08:53:41,535 [root] INFO: Disabling sleep skipping.
2020-07-06 08:53:41,556 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2104
2020-07-06 08:53:41,752 [root] DEBUG: GetHookCallerBase: thread 2592 (handle 0x0), return address 0x004752ED, allocation base 0x00400000.
2020-07-06 08:53:41,948 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-07-06 08:53:42,101 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-07-06 08:53:42,240 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-07-06 08:53:42,331 [root] DEBUG: DumpProcess: Module entry point VA is 0x000782BC.
2020-07-06 08:53:42,674 [root] DEBUG: DLL loaded at 0x76DD0000: C:\Windows\System32\bcryptPrimitives (0x5c000 bytes).
2020-07-06 08:53:43,111 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xc3800.
2020-07-06 08:53:43,242 [root] DEBUG: DLL unloaded from 0x762B0000.
2020-07-06 08:53:43,869 [root] INFO: Process with pid 2104 has terminated
2020-07-06 08:53:50,167 [root] INFO: Process list is empty, terminating analysis.
2020-07-06 08:53:51,362 [root] INFO: Created shutdown mutex.
2020-07-06 08:53:52,596 [root] INFO: Shutting down package.
2020-07-06 08:53:52,790 [root] INFO: Stopping auxiliary modules.
2020-07-06 08:53:52,966 [root] INFO: Finishing auxiliary modules.
2020-07-06 08:53:53,153 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-07-06 08:53:53,506 [root] WARNING: Folder at path "C:\qiWkDPrmMb\debugger" does not exist, skip.
2020-07-06 08:53:53,862 [root] INFO: Analysis completed.
doomedraven commented 4 years ago

did you start process.py?

quentains commented 4 years ago

If I run process.py with the id 37 (my latest task), I get this:

pywin32 is not installed (only is required if you want to use MS Excel)
2020-07-06 09:08:31,509 [modules.processing.suricata] WARNING: Failed to connect to socket and send command /var/run/suricata/suricata-command.socket: [Errno 2] No such file or directory
[]
doomedraven commented 4 years ago

ya that's fine, line 1 is from xlmdeobfuscator, the second tells you that suricata isn't running, and the empty list is probably a print missed somewhere in the code, but you ran it incorrectly; see in cape2.sh, you have systemd units for that and it runs as python3 process.py -p X auto where X is the desired number of parallel processing

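The point of the answer above is that the scheduler (cuckoo.py) only runs the guest analysis; the processing and reporting stage is a separate process.py daemon, and a task sits in "processing" forever if that daemon is not running. The script below is an added diagnostic that is not part of CAPEv2 or the thread: it reads the scheduler log for "Task #N: analysis procedure completed" lines and flags any such task that has no storage/analyses/N/reports/report.json. The log line format is taken from the thread; the report path is the JsonDump reporting module's default location and is an assumption to verify against your install. The sample log and directory tree are constructed inline so the script runs offline.

```python
"""Find CAPE tasks whose analysis finished but whose report was never generated.

Added diagnostic, not CAPEv2 code. Assumptions (verify against your install):
the scheduler line "Task #N: analysis procedure completed" marks the end of the
analysis stage, and the processing stage (process.py) writes
storage/analyses/<N>/reports/report.json.
"""
import re
import tempfile
from pathlib import Path

# Scheduler line emitted once the guest run is over; reporting is a separate stage.
COMPLETED_RE = re.compile(r"Task #(\d+): analysis procedure completed")

# Constructed excerpt in the format of the cuckoo.py log shown in the thread.
SAMPLE_LOG = """\
2020-07-06 08:40:02,001 [lib.cuckoo.core.scheduler] INFO: Task #36: analysis procedure completed
2020-07-06 08:53:13,611 [lib.cuckoo.core.scheduler] DEBUG: Task #37: Processing task
2020-07-06 08:54:15,134 [lib.cuckoo.core.scheduler] INFO: Task #37: analysis procedure completed
"""


def completed_tasks_from_log(log_text):
    """Task ids for which the scheduler logged a finished analysis stage."""
    return {int(m.group(1)) for m in COMPLETED_RE.finditer(log_text)}


def report_path(analyses_dir, task_id):
    # Path written by the JsonDump reporting module (assumed default layout).
    return Path(analyses_dir) / str(task_id) / "reports" / "report.json"


def find_stuck_tasks(log_text, analyses_dir):
    """Tasks the scheduler finished but process.py never reported on."""
    completed = completed_tasks_from_log(log_text)
    return sorted(t for t in completed if not report_path(analyses_dir, t).is_file())


def build_demo_storage(root):
    """Constructed storage/analyses tree: task 36 was processed, task 37 was not."""
    for task_id, processed in ((36, True), (37, False)):
        task_dir = Path(root) / str(task_id)
        task_dir.mkdir(parents=True)
        (task_dir / "analysis.log").write_text("Analysis completed.\n")
        if processed:
            (task_dir / "reports").mkdir()
            (task_dir / "reports" / "report.json").write_text("{}\n")


def demo():
    """Run the check against the constructed tree; returns the stuck task ids."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_storage(root)
        return find_stuck_tasks(SAMPLE_LOG, root)


if __name__ == "__main__":
    for task_id in demo():
        print(f"task {task_id}: analysis done, no report -> is process.py running?")
```

On a real install, point find_stuck_tasks at the scheduler log (log/cuckoo.log under the CAPE checkout) and at storage/analyses; a non-empty result with a healthy scheduler means the processing stage is not running, so check the systemd service that cape2.sh installs for process.py before looking anywhere else.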
quentains commented 4 years ago

Damn ! I've just had a revelation ! Thanks a lot !

I didn't enable the services :/ My bad.

Thank you again !

doomedraven commented 4 years ago

you are welcome, the service should be enabled by default, i will check, let us know if you see any bugs

doomedraven commented 4 years ago

done, https://github.com/doomedraven/Tools/commit/1ffa92f22ea42d960053363964826b357ba519b8 thanks