kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

MSIX not detonating due to a PowerShell error #2393

Open kubota83895398 opened 2 weeks ago

kubota83895398 commented 2 weeks ago

Expected Behavior

CAPE analyzes an MSIX file without an error.

Current Behavior

When I submit an MSIX file (without startScript, whose presence changes how the file is detonated, as I see in msix.py), agent.py on the guest VM tries to run msix.ps1 (which is responsible for installing and running the MSIX file being analyzed), but it fails without actually running msix.ps1.

Failure Information (for bugs)

Steps to Reproduce

  1. Launch agent.py via Task Scheduler (I don't know if this matters).
  2. Submit an MSIX file (example: 00009d3e7ac4c77a31be26d5d989822cd622d5e3f95d485b6f65fc31ab27c507 on VirusTotal).

Context

| Question | Answer |
| --- | --- |
| Git commit | 9f2525cae22e25dec20d3761181acdd74df80e4c |
| OS version | Ubuntu 22.04.5 LTS, Windows 10 (VirtualBox) |
| auxiliary.conf | permissions = no |
| Defender | real-time protection turned off via Group Policy |
| Windows OS Language | en-US |

Failure Logs

Error (source: PowerShell transcript file collected by CAPE as a "dropped file"):

PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="Access to the path 'C:\tmpmb9dnw8c\data\msix.ps1' is denied."
C:\tmpmb9dnw8c\data\msix.ps1 : Access to the path 'C:\tmpmb9dnw8c\data\msix.ps1' is denied.
At line:1 char:1
+ C:\tmpmb9dnw8c\data\msix.ps1 C:\Users\john\AppData\Local\Temp\00009d3 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
C:\tmpmb9dnw8c\data\msix.ps1 : Access to the path 'C:\tmpmb9dnw8c\data\msix.ps1' is denied.
At line:1 char:1
+ C:\tmpmb9dnw8c\data\msix.ps1 C:\Users\john\AppData\Local\Temp\00009d3 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
C:\tmpmb9dnw8c\data\msix.ps1 : Access to the path 'C:\tmpmb9dnw8c\data\msix.ps1' is denied.
At line:1 char:1
+ C:\tmpmb9dnw8c\data\msix.ps1 C:\Users\john\AppData\Local\Temp\00009d3 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

I made sure agent.py was running as admin. As you can see in the screenshot below, the CAPE processes are elevated. The powershell process is the one running msix.ps1.

[screenshot: process list showing the CAPE processes, including the powershell process running msix.ps1, as elevated]

Related?

I'm not sure if this is related, but when the Windows VM's OS language was set to Japanese, the PowerShell process running msix.ps1 crashed due to heap corruption (before actually running the script). I'm not sure why, but changing the language to en-US fixed this.

I would really appreciate help. Thank you.

kubota83895398 commented 2 weeks ago

Oddly enough, when I manually run msix.ps1, it runs just fine.

Steps:

(The reason I'm using Python here is to imitate how CAPE runs msix.ps1.)

I wonder how CAPE's way of running PowerShell is different from this.

doomedraven commented 2 weeks ago

https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/modules/packages/msix.py

Hello. Well, it is something to do with permissions more than anything else; at least it looks like it: C:\tmpmb9dnw8c\data\msix.ps1 : Access to the path 'C:\tmpmb9dnw8c\data\msix.ps1' is denied. <-

doomedraven commented 2 weeks ago

I just tested on my side and it runs fine, so I would suggest reviewing the permissions; maybe your agent.py doesn't have system rights. You can restore the snapshot and run curl <vm_ip>:8000 and it will return whether it is admin or not.

kubota83895398 commented 2 weeks ago

@doomedraven

Thanks for the reply.

> you can restore snapshot and run curl <vm_ip>:8000 and it will return if is admin or not

Here's the response. It seems to be running as admin.

{"message": "CAPE Agent!", "version": "0.18", "features": ["execpy", "execute", "pinning", "logs", "largefile", "unicodepath", "mutex", "browser_extension"], "is_user_admin": true}

kubota83895398 commented 2 weeks ago

Here's the permissions of the folders/file if it helps.

PS C:\Windows\system32> (Get-Acl C:\tmpcq_2dtwl\).Access

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : OWNER RIGHTS
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

PS C:\Windows\system32> (Get-Acl C:\tmpcq_2dtwl\data\).Access

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : OWNER RIGHTS
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

PS C:\Windows\system32> (Get-Acl C:\tmpcq_2dtwl\data\msix.ps1).Access

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : True
InheritanceFlags  : None
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : True
InheritanceFlags  : None
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : OWNER RIGHTS
IsInherited       : True
InheritanceFlags  : None
PropagationFlags  : None
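
The ACL dump above grants FullControl only to NT AUTHORITY\SYSTEM, BUILTIN\Administrators and OWNER RIGHTS, so whether the PowerShell process CAPE spawns can read msix.ps1 depends on that process's token, not on the logged-in user being an administrator. The script below is an added diagnostic written for this thread; it is not CAPE's code and not part of msix.ps1. It assumes an en-US guest (it parses whoami output), that it is launched through the same path that starts agent.py (here a Task Scheduler task) so the child token matches, and that the script path from the transcript is a placeholder to be replaced with the current task's temp folder. It reports the token's elevation and integrity level, whether the Administrators SID is present only as "deny only" (what a UAC-filtered token carries, which does not satisfy an Allow ACE for that group), the script's owner (the OWNER RIGHTS ACE applies to whoever that is, and the dump does not show it), the effective read access obtained by actually opening the file, the execution policy per scope, and finally the command-discovery step that failed in the transcript, reproduced with Get-Command so the sample is never installed.

```powershell
# Added diagnostic for this thread; not part of CAPE or msix.ps1.
# Run inside the analysis VM through the same launch path as agent.py
# (e.g. the same Task Scheduler task) so the child PowerShell gets the
# same token CAPE's spawned powershell.exe would get.
# $ScriptPath is a placeholder copied from the transcript; point it at the
# msix.ps1 inside the current task's temp folder.
param(
    [string]$ScriptPath = 'C:\tmpmb9dnw8c\data\msix.ps1'
)

$report = [ordered]@{}

# 1. Token checks. The ACL in the thread grants SYSTEM, Administrators and
#    OWNER RIGHTS only. A UAC-filtered token still lists the Administrators
#    SID, but with the "Group used for deny only" attribute, so it does not
#    match an Allow ACE for S-1-5-32-544. (Attribute text assumes en-US.)
$groups = whoami /groups /fo csv | Where-Object { $_ } | ConvertFrom-Csv
$adminGroup = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
$report.User             = whoami
$report.AdminSidPresent  = [bool]$adminGroup
$report.AdminSidDenyOnly = [bool]($adminGroup -and $adminGroup.Attributes -match 'deny only')
$report.IntegrityLevel   = ($groups | Where-Object { $_.SID -like 'S-1-16-*' }).'Group Name'
$report.IsElevated       = [Security.Principal.WindowsPrincipal]::new(
    [Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Owner and ACEs of the script. The OWNER RIGHTS ACE only helps a process
#    whose token is (or impersonates) this owner.
$acl = Get-Acl -Path $ScriptPath
$report.ScriptOwner = $acl.Owner
$report.ScriptAces  = ($acl.Access | ForEach-Object {
    '{0}:{1}:{2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
}) -join '; '

# 3. Effective read access, tested by opening the file instead of reading the
#    ACL. This is the operation behind "Access to the path ... is denied".
try {
    $fs = [System.IO.File]::Open($ScriptPath, 'Open', 'Read', 'Read')
    $fs.Close()
    $report.CanReadScript = $true
} catch {
    $report.CanReadScript = $false
    $report.ReadError = '{0}: {1}' -f $_.Exception.GetType().Name, $_.Exception.Message
}

# 4. Execution policy per scope; a Restricted/AllSigned machine policy set by
#    Group Policy is a separate way for a .ps1 to be refused.
$report.ExecutionPolicy = (Get-ExecutionPolicy -List | ForEach-Object {
    '{0}={1}' -f $_.Scope, $_.ExecutionPolicy
}) -join ', '

# 5. Reproduce the failing step without detonating the sample. The transcript
#    shows the script path parsed as a command at "line:1 char:1", i.e. passed
#    through -Command rather than -File, and command discovery is what raised
#    CommandNotFoundException. Get-Command performs that same discovery on the
#    path but does not execute msix.ps1.
$ps = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
$probe = & $ps -NoProfile -ExecutionPolicy Bypass -Command `
    "Get-Command '$ScriptPath' | Select-Object -ExpandProperty Source" 2>&1
$report.ChildDiscovery = ($probe | Out-String).Trim()

[pscustomobject]$report | Format-List
```

Read the output as a set: IsElevated false together with AdminSidDenyOnly true means the child process is running on a filtered token and the Administrators ACE cannot apply; CanReadScript false with an elevated token points at the owner/OWNER RIGHTS combination or at something outside the DACL; CanReadScript true while ChildDiscovery still reports access denied narrows the problem to the spawned process rather than the file.
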

kubota83895398 commented 2 weeks ago

Is there anything else I should check?

doomedraven commented 2 weeks ago

Hm, no, it looks correct. Sorry, I have no clue why you are getting access denied.

kubota83895398 commented 2 weeks ago

It's fine, thank you.

If anyone else has any ideas, I'd really appreciate it if you could let me know.