doomedraven
commented
1 month ago Hello, did you configure proper static IP inside of the windows guest? The same as in KVM.conf?
Closed Parithmos424 closed 1 month ago
doomedraven
commented
1 month ago Hello, did you configure proper static IP inside of the windows guest? The same as in KVM.conf?
Parithmos424
commented
1 month ago Hi @doomedraven thank you very much for your swift reply, really appreciate it
Yes, it is all good there, all of them have static IPs from the correct IP range (same as in the config for kvm) and it is saved in the clear snapshot for all of them (they also ping properly with the host).
The crazy thing here is that it worked perfectly a week ago (just after I saved all of these guests), but as they are not fresh anymore there is something broken and I really have no any idea what could cause these issues and how to fix this. Firstly I thought it is about the virtualization software and I had same errors in the VirtualBox setup but now I have literally zero ideas what could I check and verify besides creating whole guest environment from scratch.
doomedraven
commented
1 month ago so if that was working and now doesn't if i understand correctly, the unique thing is do yo uhave unattended-updates enabled? did you update OS ? did you install docker? if that was working and now doesn't is hard to know what is wrong, but something on the host cuts the connection
Parithmos424
commented
1 month ago Besides standard updates there was nothing new added, however I think it might be related to the reboot that was after. Sorry that I didn't share it before but I thought initially that it is not anyhow related to this issue but actually looks like this is the problem.
So, I have a very small basic disc drive so I am storing all the VMs and snapshot on the external drive that is mounted to the machine. The problem is that after the reboot happens this drive is being unmounted and wile I login it ask me for my credentials for cape. Then the drive is unlocked and I have back all my guest VMs. However it looks like it happens then CAPE is not able to communicate with these machines properly (it is opening session and trying to analyze files but at the end the submitted file is not run). Just for testing this I have opened one of the guest, created a new snapshot and run an analysis on (while external drive was already mounted and everything was fine) and 5 analysis one by one were ok - CAPE was able to actually run the submitted sample.
I am a new in KVM/QEMU but I think it might be the root cause here, still I am not sure how to permanently resolve it. I can save all the guest snapshot once again and they will work normally but after the reboot of the machine most likely all of them will have same issue.
So far I just run sudo chmod 777 -R /media/cape/Extra_Space (my external drive) to provide all user access but it didnt resolve the issue (after the reboot it is failing the analysis once again). I know that this case is most likely not strictly related to CAPE itself but do you have any recommendations to make this external drive space always accessible/visible to the virt-manager/CAPE. Normally after the reboot I open the virt-manger just from typing it in the terminal (using sudo virt-manager does nothing and GUI is not opened).
*Also from the virt-manager view I cannot delete the snapshots it says access is denied: Error deleting snapshot 'BASIC-1': internal error: unable to execute QEMU command 'block-commit': Could not open '/media/cape/Extra_Space/VMs-KVM/Win10-16wrz.qcow2': Permission denied
doomedraven
commented
1 month ago yes this doesn't nothing to do with cape at all
run: sudo chown root:libvirt /media/cape/Extra_Space/ -R this should fix your permission, but is just permission error that you need to fix, but this all is specific to your setup
im gonna close this issue as this is not real issue for cape, but you can ask question here, but i can't really help more apart of saying fix your VM's disks permissions with comamnd that i shared
Parithmos424
commented
1 month ago Sure, thank you for your comments and sorry for this Issue. Was struggling for a long time with it and was thinking that something in the CAPE is broken as it once works and the other day not. Thanks a lot!
doomedraven
commented
1 month ago That's fine to ask :) we can give direction, but when is not cape related and not something specific is hard to suggest proper solution
El mié, 25 sept 2024, 14:15, Parithmos424 @.***> escribió:
Sure, thank you for your comments and sorry for this Issue. Was struggling for a long time with it and was thinking that something in the CAPE is broken as it once works and the other day not. Thanks a lot!
— Reply to this email directly, view it on GitHub https://github.com/kevoreilly/CAPEv2/issues/2326#issuecomment-2373919490, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAOFH3ZZYO4D3BPTE5C3QMDZYKSPVAVCNFSM6AAAAABOWNZTBSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGNZTHEYTSNBZGA . You are receiving this because you modified the open/close state.Message ID: @.***>
About accounts on capesandbox.com
This is open source and you are getting free support so be friendly!
Prerequisites
Please answer the following questions for yourself before submitting an issue.
Expected Behavior
Hi Team, I wanted to have a stable instance of a CAPEv2 box to run some malware samples on and was almost about reaching this point but since few weeks I am constantly having a very specific issue with the CAPE/agent after I run a sample analysis.
Current Behavior
Some time ago I have opened the issue about the very same problem #2253 (Machine status failed. This can indicate the guest losing network connectivity). I have received there some recommendations to move to the recommended virtualization software setup as KVM/QEMU instead of using VirtualBox. I have done that and it was working for almost a week, even if submitting the analysis one by one without any long delays CAPE was able to properly handle the submission an the analysis was fine (it was able to actually open the suspected file and in the report I had an option for seeing procdumps and pcaps). Unfortunately since few days I am constantly receiving some warnings during the analysis, after these the analysis summary report is every time missing some parts like procdumps,pcaps and the submitted file sample is not opened by agent even. More or less CAPE is not working but I have no any idea why it has changed - since the last week I did not do any changes in the CAPE config and test files are the same as previously.
I am looking for any tips or comments that could narrow me to the resolution of this weird issue, any reboots of the machine or restart of all services of CAPE does nothing and the analysis are having the same warning in the logs and submitted files are not run by the agent. (snapshot of the Win10 guest machines also the same as week ago while all was working fine, agent is running there and all noisy services of Win10 are disabled like FW and so on)
Also to add more context I have 3 different Win10 machines all saved properly with a clear snapshots, all of them were properly working with CAPE and the summary reports were great and files were run properly - now none of them is able to run properly the analysis, each of them is getting the same warning/error "Machine status failed. This can indicate the guest losing network connectivity"
Context
Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions. Operating system version, bitness, installed software versions, test sample details/hash/binary (if applicable).
host Ubuntu 22.04.4 LTS virt soft: Virtual Machine Manager 4.1.0 guests: Win10 x64 21H2
Failure Logs
` Sep 23 15:23:52 cape-vm1 python3[2992]: Cuckoo Sandbox 2.4-CAPE Sep 23 15:23:52 cape-vm1 python3[2992]: www.cuckoosandbox.org Sep 23 15:23:52 cape-vm1 python3[2992]: Copyright (c) 2010-2015 Sep 23 15:23:52 cape-vm1 python3[2992]: CAPE: Config and Payload Extraction Sep 23 15:23:52 cape-vm1 python3[2992]: github.com/kevoreilly/CAPEv2 Sep 23 15:23:53 cape-vm1 python3[3036]: /usr/bin/tcpdump Sep 23 15:23:53 cape-vm1 python3[2992]: 2024-09-23 15:23:53,849 [lib.cuckoo.core.scheduler] INFO: Using "kvm" machine manager with max_analysis_count=0, max_machines_count=10, and max_vmstartup_count=5 Sep 23 15:23:53 cape-vm1 python3[2992]: 2024-09-23 15:23:53,853 [lib.cuckoo.core.scheduler] INFO: Loaded 4 machine/s Sep 23 15:23:53 cape-vm1 python3[2992]: 2024-09-23 15:23:53,892 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks Sep 23 15:24:20 cape-vm1 python3[2992]: 2024-09-23 15:24:20,131 [lib.cuckoo.core.scheduler] INFO: Task #9: File already exists at '/opt/CAPEv2/storage/binaries/15b66f254cc0d0054d5654fa09a644e15e0d7d1cf0cc1162bccde2599027b6a9' Sep 23 15:24:20 cape-vm1 python3[2992]: 2024-09-23 15:24:20,132 [lib.cuckoo.core.scheduler] INFO: Task #9: Starting analysis of FILE '/tmp/cuckoo-tmp/uploadgap14lx/Macros_BENIGN_TESTv5.docm' Sep 23 15:24:20 cape-vm1 python3[2992]: 2024-09-23 15:24:20,388 [lib.cuckoo.core.scheduler] INFO: Task #9: acquired machine Win10_Office_4p_10r_16wrz (label=Win10_Office_4p_10r_16wrz, arch=x64, platform=windows) Sep 23 15:25:03 cape-vm1 python3[2992]: 2024-09-23 15:25:03,560 [lib.cuckoo.common.integrations.parse_pe] ERROR: PE type not recognised: 'DOS Header magic not found.' Sep 23 15:25:03 cape-vm1 python3[2992]: 2024-09-23 15:25:03,576 [lib.cuckoo.core.scheduler] INFO: Enabled route 'internet'. Sep 23 15:25:03 cape-vm1 python3[3150]: /usr/bin/tcpdump Sep 23 15:25:03 cape-vm1 python3[2992]: 2024-09-23 15:25:03,617 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 3151 (interface=virbr1, host=192.168.56.105, dump path=/opt/CAPEv2/storage/analyses/9/dump.pcap) Sep 23 15:25:03 cape-vm1 sudo[3151]: cape : PWD=/opt/CAPEv2 ; USER=root ; COMMAND=/usr/bin/tcpdump -U -q -s 0 -i virbr1 -n -Z cape -w /opt/CAPEv2/storage/analyses/9/dump.pcap host 192.168.56.105 and not ( dst host 192.168.56.105 and dst port 8000 ) and not ( src host 192.168.56.105 and src port 8000 ) and not ( dst host 192.168.56.1 and dst port 2043 ) and not ( src host 192.168.56.1 and src port 2043 ) and ( 'not arp' ) Sep 23 15:25:03 cape-vm1 sudo[3151]: pam_limits(sudo:session): unknown limit item 'hard' Sep 23 15:25:03 cape-vm1 sudo[3151]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1001) Sep 23 15:25:03 cape-vm1 python3[2992]: 2024-09-23 15:25:03,643 [lib.cuckoo.core.guest] INFO: Task #9: Starting analysis on guest (id=Win10_Office_4p_10r_16wrz, ip=192.168.56.105) Sep 23 15:25:03 cape-vm1 python3[2992]: 2024-09-23 15:25:03,740 [lib.cuckoo.core.guest] INFO: Task #9: Guest is running CAPE Agent 0.17 (id=Win10_Office_4p_10r_16wrz, ip=192.168.56.105) Sep 23 15:25:10 cape-vm1 python3[2992]: 2024-09-23 15:25:10,838 [lib.cuckoo.core.guest] INFO: Task #9: Uploading script files to guest (id=Win10_Office_4p_10r_16wrz, ip=192.168.56.105) Sep 23 15:25:25 cape-vm1 python3[2992]: 2024-09-23 15:25:25,168 [lib.cuckoo.core.guest] WARNING: Task #9: Virtual Machine Win10_Office_4p_10r_16wrz /status failed. This can indicate the guest losing network connectivity Sep 23 15:26:08 cape-vm1 python3[2992]: 2024-09-23 15:26:08,450 [lib.cuckoo.core.guest] WARNING: Task #9: Virtual Machine Win10_Office_4p_10r_16wrz /status failed. This can indicate the guest losing network connectivity Sep 23 15:26:14 cape-vm1 python3[2992]: 2024-09-23 15:26:14,464 [lib.cuckoo.core.guest] WARNING: Task #9: Virtual Machine Win10_Office_4p_10r_16wrz /status failed. This can indicate the guest losing network connectivity Sep 23 15:26:20 cape-vm1 python3[2992]: 2024-09-23 15:26:20,493 [lib.cuckoo.core.guest] WARNING: Task #9: Virtual Machine Win10_Office_4p_10r_16wrz /status failed. This can indicate the guest losing network connectivity Sep 23 15:26:26 cape-vm1 python3[2992]: 2024-09-23 15:26:26,506 [lib.cuckoo.core.guest] WARNING: Task #9: Virtual Machine Win10_Office_4p_10r_16wrz /status failed. This can indicate the guest losing network connectivity Sep 23 15:26:32 cape-vm1 python3[2992]: 2024-09-23 15:26:32,522 [lib.cuckoo.core.guest] WARNING: Task #9: Virtual Machine Win10_Office_4p_10r_16wrz /status failed. This can indicate the guest losing network connectivity Sep 23 15:27:19 cape-vm1 python3[2992]: 2024-09-23 15:27:19,146 [lib.cuckoo.core.guest] WARNING: Task #9: Virtual Machine Win10_Office_4p_10r_16wrz /status failed. This can indicate the guest losing network connectivity Sep 23 15:27:25 cape-vm1 python3[2992]: 2024-09-23 15:27:25,162 [lib.cuckoo.core.guest] WARNING: Task #9: Virtual Machine Win10_Office_4p_10r_16wrz /status failed. This can indicate the guest losing network connectivity Sep 23 15:27:31 cape-vm1 python3[2992]: 2024-09-23 15:27:31,175 [lib.cuckoo.core.guest] WARNING: Task #9: Virtual Machine Win10_Office_4p_10r_16wrz /status failed. This can indicate the guest losing network connectivity Sep 23 15:27:39 cape-vm1 python3[2992]: 2024-09-23 15:27:39,775 [lib.cuckoo.core.guest] WARNING: Task #9: Virtual Machine Win10_Office_4p_10r_16wrz /status failed. This can indicate the guest losing network connectivity Sep 23 15:27:53 cape-vm1 python3[2992]: 2024-09-23 15:27:53,637 [lib.cuckoo.core.guest] WARNING: Task #9: Virtual Machine Win10_Office_4p_10r_16wrz /status failed. This can indicate the guest losing network connectivity Sep 23 15:28:02 cape-vm1 python3[2992]: 2024-09-23 15:28:02,275 [lib.cuckoo.core.guest] WARNING: Task #9: Virtual Machine Win10_Office_4p_10r_16wrz /status failed. This can indicate the guest losing network connectivity Sep 23 15:28:08 cape-vm1 python3[2992]: 2024-09-23 15:28:08,288 [lib.cuckoo.core.guest] WARNING: Task #9: Virtual Machine Win10_Office_4p_10r_16wrz /status failed. This can indicate the guest losing network connectivity Sep 23 15:28:22 cape-vm1 python3[2992]: 2024-09-23 15:28:22,470 [lib.cuckoo.core.guest] WARNING: Task #9: Virtual Machine Win10_Office_4p_10r_16wrz /status failed. This can indicate the guest losing network connectivity Sep 23 15:29:35 cape-vm1 python3[2992]: 2024-09-23 15:29:35,318 [lib.cuckoo.core.guest] INFO: Task #9: End of analysis reached! (id=Win10_Office_4p_10r_16wrz, ip=192.168.56.105) Sep 23 15:29:35 cape-vm1 sudo[3151]: pam_unix(sudo:session): session closed for user root Sep 23 15:29:36 cape-vm1 python3[2992]: 2024-09-23 15:29:36,209 [lib.cuckoo.core.scheduler] INFO: Disabled route 'internet' Sep 23 15:29:36 cape-vm1 python3[2992]: 2024-09-23 15:29:36,239 [lib.cuckoo.core.scheduler] INFO: Task #9: analysis procedure completed
2024-09-16 15:14:23,018 [root] INFO: Date set to: 20240923T15:24:19, timeout set to: 200 2024-09-23 15:24:24,699 [root] DEBUG: kernel.OpenProcess failed for PID: 0 2024-09-23 15:24:24,699 [root] DEBUG: psapi.GetProcessImageFileNameA failed for PID: 4 2024-09-23 15:24:24,814 [root] DEBUG: kernel.OpenProcess failed for PID: 0 2024-09-23 15:24:24,824 [root] DEBUG: psapi.GetProcessImageFileNameA failed for PID: 4 2024-09-23 15:24:25,965 [root] DEBUG: Starting analyzer from: C:\tmphwb_ppti 2024-09-23 15:24:25,965 [root] DEBUG: Storing results at: C:\YqEftSOnx 2024-09-23 15:24:25,965 [root] DEBUG: Pipe server name: \.\PIPE\uCXHyMmzyB 2024-09-23 15:24:25,965 [root] DEBUG: Python path: C:\Users\Lenny-B\AppData\Local\Programs\Python\Python310-32 2024-09-23 15:24:25,965 [root] INFO: analysis running as an admin 2024-09-23 15:24:25,965 [root] INFO: Analysis package "doc" has been specified 2024-09-23 15:24:25,965 [root] DEBUG: Importing analysis package "doc"... 2024-09-23 15:24:26,058 [root] DEBUG: Initializing analysis package "doc"... 2024-09-23 15:24:26,089 [root] DEBUG: New location of moved file: C:\Users\Lenny-B\AppData\Local\Temp\Macros_BENIGN_TESTv5.docm 2024-09-23 15:24:26,089 [root] INFO: Analyzer: Package modules.packages.doc does not specify a DLL option 2024-09-23 15:24:26,089 [root] INFO: Analyzer: Package modules.packages.doc does not specify a DLL_64 option 2024-09-23 15:24:26,089 [root] INFO: Analyzer: Package modules.packages.doc does not specify a loader option 2024-09-23 15:24:26,089 [root] INFO: Analyzer: Package modules.packages.doc does not specify a loader_64 option 2024-09-23 15:24:37,296 [root] DEBUG: Importing auxiliary module "modules.auxiliary.autoruns"... 2024-09-23 15:24:39,870 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"... 2024-09-23 15:24:39,870 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"... 2024-09-23 15:24:39,933 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"... 2024-09-23 15:24:40,079 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"... 2024-09-23 15:24:41,073 [root] DEBUG: Importing auxiliary module "modules.auxiliary.during_script"... 2024-09-23 15:24:41,123 [root] DEBUG: Importing auxiliary module "modules.auxiliary.evtx"... 2024-09-23 15:24:41,388 [root] DEBUG: Importing auxiliary module "modules.auxiliary.filepickup"... 2024-09-23 15:24:41,433 [root] DEBUG: Importing auxiliary module "modules.auxiliary.html_scraper"... 2024-09-23 15:24:46,870 [modules.auxiliary.html_scraper] ERROR: No module named 'selenium' 2024-09-23 15:24:46,870 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"... 2024-09-23 15:24:46,933 [root] DEBUG: Importing auxiliary module "modules.auxiliary.permissions"... 2024-09-23 15:24:47,027 [root] DEBUG: Importing auxiliary module "modules.auxiliary.pre_script"... 2024-09-23 15:24:48,126 [root] DEBUG: Importing auxiliary module "modules.auxiliary.procmon"... 2024-09-23 15:24:48,420 [root] DEBUG: Importing auxiliary module "modules.auxiliary.recentfiles"... 2024-09-23 15:24:48,435 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"... 2024-09-23 15:24:48,730 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops' 2024-09-23 15:25:43,126 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab' 2024-09-23 15:25:45,917 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw' 2024-09-23 15:25:51,168 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"... 2024-09-23 15:25:51,282 [root] DEBUG: Importing auxiliary module "modules.auxiliary.tlsdump"... 2024-09-23 15:25:51,512 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"... 2024-09-23 15:25:52,167 [root] WARNING: Auxiliary module Autoruns was not implemented: 'Config' object has no attribute 'autoruns' 2024-09-23 15:25:52,167 [root] DEBUG: Initialized auxiliary module "Browser" 2024-09-23 15:25:52,167 [root] DEBUG: Trying to start auxiliary module "Browser"... 2024-09-23 15:25:52,949 [root] DEBUG: Started auxiliary module "Browser" 2024-09-23 15:25:52,949 [root] DEBUG: Started auxiliary module Browser 2024-09-23 15:25:52,949 [root] DEBUG: Initialized auxiliary module "Curtain" 2024-09-23 15:25:52,949 [root] DEBUG: Trying to start auxiliary module "Curtain"... 2024-09-23 15:25:53,699 [root] DEBUG: Started auxiliary module "Curtain" 2024-09-23 15:25:53,735 [root] DEBUG: Started auxiliary module Curtain 2024-09-23 15:25:53,735 [root] DEBUG: Initialized auxiliary module "DigiSig" 2024-09-23 15:25:53,735 [root] DEBUG: Trying to start auxiliary module "DigiSig"... 2024-09-23 15:25:53,735 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature 2024-09-23 15:27:31,464 [modules.auxiliary.digisig] DEBUG: File format not recognized 2024-09-23 15:27:31,464 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json 2024-09-23 15:27:31,464 [root] DEBUG: Started auxiliary module "DigiSig" 2024-09-23 15:27:31,527 [root] DEBUG: Started auxiliary module DigiSig 2024-09-23 15:27:31,527 [root] DEBUG: Initialized auxiliary module "Disguise" 2024-09-23 15:27:31,527 [root] DEBUG: Trying to start auxiliary module "Disguise"... 2024-09-23 15:27:31,589 [modules.auxiliary.disguise] INFO: Disguising GUID to 76f0cf56-0edd-4e7a-ac21-49a2d97d8e5f 2024-09-23 15:27:31,589 [root] DEBUG: Started auxiliary module "Disguise" 2024-09-23 15:27:31,589 [root] DEBUG: Started auxiliary module Disguise 2024-09-23 15:27:31,589 [root] DEBUG: Initialized auxiliary module "Evtx" 2024-09-23 15:27:31,611 [root] DEBUG: Trying to start auxiliary module "Evtx"... 2024-09-23 15:27:31,621 [root] DEBUG: Started auxiliary module "Evtx" 2024-09-23 15:27:31,621 [root] DEBUG: Started auxiliary module Evtx 2024-09-23 15:27:31,621 [root] DEBUG: Initialized auxiliary module "FilePickup" 2024-09-23 15:27:31,621 [root] DEBUG: Trying to start auxiliary module "FilePickup"... 2024-09-23 15:27:31,621 [root] DEBUG: Started auxiliary module "FilePickup" 2024-09-23 15:27:31,621 [root] DEBUG: Started auxiliary module FilePickup 2024-09-23 15:27:31,621 [root] DEBUG: Initialized auxiliary module "HtmlScraper" 2024-09-23 15:27:31,621 [root] DEBUG: Trying to start auxiliary module "HtmlScraper"... 2024-09-23 15:27:31,621 [root] DEBUG: Started auxiliary module "HtmlScraper" 2024-09-23 15:27:33,027 [root] DEBUG: Started auxiliary module HtmlScraper 2024-09-23 15:27:33,027 [root] DEBUG: Initialized auxiliary module "Human" 2024-09-23 15:27:33,027 [root] DEBUG: Trying to start auxiliary module "Human"... 2024-09-23 15:27:33,121 [root] DEBUG: Started auxiliary module "Human" 2024-09-23 15:27:33,121 [root] DEBUG: Started auxiliary module Human 2024-09-23 15:27:33,121 [root] DEBUG: Initialized auxiliary module "Permissions" 2024-09-23 15:27:33,121 [root] DEBUG: Trying to start auxiliary module "Permissions"... 2024-09-23 15:27:33,121 [root] DEBUG: Started auxiliary module "Permissions" 2024-09-23 15:27:33,121 [root] DEBUG: Started auxiliary module Permissions 2024-09-23 15:27:33,121 [root] DEBUG: Initialized auxiliary module "Pre_script" 2024-09-23 15:27:33,121 [root] DEBUG: Trying to start auxiliary module "Pre_script"... 2024-09-23 15:27:33,121 [root] DEBUG: Started auxiliary module "Pre_script" 2024-09-23 15:27:33,121 [root] DEBUG: Started auxiliary module Pre_script 2024-09-23 15:27:33,121 [root] DEBUG: Initialized auxiliary module "Procmon" 2024-09-23 15:27:33,121 [root] DEBUG: Trying to start auxiliary module "Procmon"... 2024-09-23 15:27:33,152 [root] DEBUG: Started auxiliary module "Procmon" 2024-09-23 15:27:33,152 [root] DEBUG: Started auxiliary module Procmon 2024-09-23 15:27:33,152 [root] DEBUG: Initialized auxiliary module "RecentFiles" 2024-09-23 15:27:33,152 [root] DEBUG: Trying to start auxiliary module "RecentFiles"... 2024-09-23 15:27:33,152 [root] DEBUG: Started auxiliary module "RecentFiles" 2024-09-23 15:27:33,152 [root] DEBUG: Started auxiliary module RecentFiles 2024-09-23 15:27:33,152 [root] DEBUG: Initialized auxiliary module "Screenshots" 2024-09-23 15:27:33,152 [root] DEBUG: Trying to start auxiliary module "Screenshots"... 2024-09-23 15:27:33,152 [root] DEBUG: Started auxiliary module "Screenshots" 2024-09-23 15:27:33,152 [root] DEBUG: Started auxiliary module Screenshots 2024-09-23 15:27:33,152 [root] DEBUG: Initialized auxiliary module "Sysmon" 2024-09-23 15:27:33,152 [root] DEBUG: Trying to start auxiliary module "Sysmon"... 2024-09-23 15:27:33,152 [root] DEBUG: Started auxiliary module "Sysmon" 2024-09-23 15:27:33,152 [root] DEBUG: Started auxiliary module Sysmon 2024-09-23 15:27:33,152 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets" 2024-09-23 15:27:33,152 [root] DEBUG: Trying to start auxiliary module "TLSDumpMasterSecrets"... 2024-09-23 15:27:33,183 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 680 2024-09-22 11:06:08,904 [lib.api.process] INFO: Monitor config for process 680: C:\tmphwb_ppti\dll\680.ini 2024-09-22 11:06:08,971 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor 2024-09-22 11:06:08,971 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmphwb_ppti\dll\EJVXAGZ.dll, loader C:\tmphwb_ppti\bin\WwGaAlBh.exe 2024-09-22 11:06:11,609 [root] DEBUG: Loader: Injecting process 680 with C:\tmphwb_ppti\dll\EJVXAGZ.dll. 2024-09-22 11:06:11,873 [root] DEBUG: 680: Python path set to 'C:\Users\Lenny-B\AppData\Local\Programs\Python\Python310-32'. 2024-09-22 11:06:11,998 [root] DEBUG: 680: TLS secret dump mode enabled. 2024-09-22 11:06:12,486 [root] INFO: Disabling sleep skipping. 2024-09-22 11:06:13,268 [root] DEBUG: 680: InternalYaraScan: Scanning 0x00007FFB850F0000, size 0x1f4542 2024-09-22 11:06:14,264 [root] DEBUG: 680: InternalYaraScan hit: RtlInsertInvertedFunctionTable 2024-09-22 11:06:15,138 [root] DEBUG: 680: RtlInsertInvertedFunctionTable 0x00007FFB8510090E, LdrpInvertedFunctionTableSRWLock 0x00007FFB8525B4F0 2024-09-22 11:06:15,158 [root] DEBUG: 680: Monitor initialised: 64-bit capemon loaded in process 680 at 0x00007FFB44F00000, thread 1732, image base 0x00007FF7CC150000, stack from 0x000000B9A98F4000-0x000000B9A9900000 2024-09-22 11:06:15,169 [root] DEBUG: 680: Commandline: C:\Windows\system32\lsass.exe 2024-09-22 11:06:15,283 [root] DEBUG: 680: Syscall hook installed, syscall logging level 1 2024-09-22 11:06:15,283 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread. 2024-09-22 11:06:15,294 [root] DEBUG: Successfully injected DLL C:\tmphwb_ppti\dll\EJVXAGZ.dll. 2024-09-22 11:06:16,044 [lib.api.process] INFO: Injected into 64-bit process with pid 680 2024-09-22 11:06:16,044 [root] DEBUG: Started auxiliary module "TLSDumpMasterSecrets" 2024-09-22 11:06:16,044 [root] DEBUG: Started auxiliary module TLSDumpMasterSecrets 2024-09-22 11:06:16,044 [root] DEBUG: Initialized auxiliary module "Usage" 2024-09-22 11:06:16,044 [root] DEBUG: Trying to start auxiliary module "Usage"... 2024-09-22 11:06:16,044 [root] DEBUG: Started auxiliary module "Usage" 2024-09-22 11:06:16,044 [root] DEBUG: Started auxiliary module Usage 2024-09-22 11:06:16,107 [root] DEBUG: Initialized auxiliary module "During_script" 2024-09-22 11:06:16,107 [root] DEBUG: Trying to start auxiliary module "During_script"... 2024-09-22 11:06:16,107 [root] DEBUG: Started auxiliary module "During_script" 2024-09-22 11:06:16,107 [root] DEBUG: Started auxiliary module During_script 2024-09-22 11:06:32,596 [root] DEBUG: 680: TLS 1.2 secrets logged to: C:\YqEftSOnx\tlsdump\tlsdump.log 2024-09-22 11:06:36,763 [root] INFO: Restarting WMI Service 2024-09-22 11:06:41,294 [lib.common.common] INFO: Submitted file is missing extension, adding .doc 2024-09-22 11:06:41,294 [lib.core.compound] INFO: C:\Users\Lenny-B\AppData\Local\Temp already exists, skipping creation 2024-09-22 11:06:41,514 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" with arguments ""C:\Users\Lenny-B\AppData\Local\Temp\Macros_BENIGN_TESTv5.docm.doc" /q" with pid 3552 2024-09-22 11:06:41,514 [lib.api.process] INFO: Monitor config for process 3552: C:\tmphwb_ppti\dll\3552.ini 2024-09-22 11:06:41,559 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmphwb_ppti\dll\EIcafY.dll, loader C:\tmphwb_ppti\bin\aLYSNeb.exe 2024-09-22 11:06:44,431 [root] DEBUG: Loader: Injecting process 3552 (thread 3264) with C:\tmphwb_ppti\dll\EIcafY.dll. 2024-09-22 11:06:44,810 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT. 2024-09-22 11:06:45,095 [root] DEBUG: Successfully injected DLL C:\tmphwb_ppti\dll\EIcafY.dll. 2024-09-22 11:06:45,653 [lib.api.process] INFO: Injected into 32-bit process with pid 3552 2024-09-22 11:06:47,997 [lib.api.process] INFO: Successfully resumed process with pid 3552 2024-09-22 11:06:50,488 [root] DEBUG: 3552: Python path set to 'C:\Users\Lenny-B\AppData\Local\Programs\Python\Python310-32'. 2024-09-22 11:06:50,497 [root] DEBUG: 3552: Dropped file limit defaulting to 100. 2024-09-22 11:06:50,560 [root] DEBUG: 3552: Microsoft Office settings enabled. 2024-09-22 11:06:50,653 [root] DEBUG: 3552: InternalYaraScan: Scanning 0x776A0000, size 0x1a21a4 2024-09-22 11:06:53,579 [root] DEBUG: 3552: Yara error: Scanning timed out 2024-09-22 11:06:55,669 [root] DEBUG: 3552: AmsiDumper initialised. 2024-09-22 11:06:55,732 [root] DEBUG: 3552: Monitor initialised: 32-bit capemon loaded in process 3552 at 0x6a190000, thread 3264, image base 0x390000, stack from 0x8f6000-0x900000 2024-09-22 11:06:55,732 [root] DEBUG: 3552: Commandline: "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" "C:\Users\Lenny-B\AppData\Local\Temp\Macros_BENIGN_TESTv5.docm.doc" /q 2024-09-22 11:06:55,800 [root] DEBUG: 3552: hook_api: Warning - CoCreateInstance export address 0x769B56BD differs from GetProcAddress -> 0x76ACC970 (combase.dll::0xdc970) 2024-09-22 11:06:55,810 [root] DEBUG: 3552: hook_api: Warning - CoCreateInstanceEx export address 0x769B56FC differs from GetProcAddress -> 0x76AAC2B0 (combase.dll::0xbc2b0) 2024-09-22 11:06:55,810 [root] DEBUG: 3552: hook_api: Warning - CoGetClassObject export address 0x769B5C8C differs from GetProcAddress -> 0x76A95040 (combase.dll::0xa5040) 2024-09-22 11:06:56,403 [root] DEBUG: 3552: hook_api: Warning - CLSIDFromProgID export address 0x769B4EF6 differs from GetProcAddress -> 0x76A889F0 (combase.dll::0x989f0) 2024-09-22 11:06:57,037 [root] DEBUG: 3552: Syscall hook installed, syscall logging level 1 2024-09-22 11:06:57,235 [root] DEBUG: 3552: WoW64fix: Windows version 6.2 not supported. 2024-09-22 11:06:57,341 [root] DEBUG: 3552: RestoreHeaders: Restored original import table. 2024-09-22 11:06:57,341 [root] INFO: Loaded monitor into process with pid 3552 `