kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

DL&Exec Submit 'NoneType' object has no attribute 'platform' #263

Closed lillypad closed 4 years ago

lillypad commented 4 years ago

This is open source and you are getting free support, so be friendly!

Prerequisites

Please answer the following questions for yourself before submitting an issue.

Expected Behavior

Download and execute samples using DL&Exec feature.

Current Behavior

Throws error in web ui.

Failure Information (for bugs)

Django debug page for the failing request:

| Field | Value |
| -- | -- |
| Request Method: | POST |
| Request URL: | http://127.0.0.1:8000/submit/ |
| Django Version: | 3.1.1 |
| Exception Type: | AttributeError |
| Exception Value: | 'NoneType' object has no attribute 'platform' |
| Exception Location: | /opt/CAPEv2/web/submission/views.py, line 593, in index |
| Python Executable: | /usr/bin/python3 |
| Python Version: | 3.8.2 |
| Python Path: | ['/opt/CAPEv2/web', '/usr/lib/python38.zip', '/usr/lib/python3.8', '/usr/lib/python3.8/lib-dynload', '/usr/local/lib/python3.8/dist-packages', '/usr/lib/python3/dist-packages', '/opt/CAPEv2/web/..', '/opt/CAPEv2/modules/processing/parsers/CAPE', '/opt/CAPEv2/web/..', '/opt/CAPEv2/web/..', '/opt/CAPEv2', '/opt/CAPEv2/web/..', '/opt/CAPEv2/web/..', '/opt/CAPEv2/web/..', '/opt/CAPEv2', '/opt/CAPEv2/web', '/opt/CAPEv2/web/..'] |
| Server time: | Fri, 04 Sep 2020 13:44:19 +0000 |

Steps to Reproduce

Please provide detailed steps for reproducing the issue.

  1. enable dlexec in web.conf
  2. submit url in DL&Exec tab
  3. error from above

Context

Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions.

Question Answer
Git commit 9b045366ebfcab678c202290dc194ee10bedf673
OS version Linux cape 5.4.0-45-generic #49-Ubuntu SMP Wed Aug 26 13:38:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Failure Logs

Same failure on a second submission a few minutes later:

| Field | Value |
| -- | -- |
| Request Method: | POST |
| Request URL: | http://127.0.0.1:8000/submit/ |
| Django Version: | 3.1.1 |
| Exception Type: | AttributeError |
| Exception Value: | 'NoneType' object has no attribute 'platform' |
| Exception Location: | /opt/CAPEv2/web/submission/views.py, line 593, in index |
| Python Executable: | /usr/bin/python3 |
| Python Version: | 3.8.2 |
| Python Path: | ['/opt/CAPEv2/web', '/usr/lib/python38.zip', '/usr/lib/python3.8', '/usr/lib/python3.8/lib-dynload', '/usr/local/lib/python3.8/dist-packages', '/usr/lib/python3/dist-packages', '/opt/CAPEv2/web/..', '/opt/CAPEv2/modules/processing/parsers/CAPE', '/opt/CAPEv2/web/..', '/opt/CAPEv2/web/..', '/opt/CAPEv2', '/opt/CAPEv2/web/..', '/opt/CAPEv2/web/..', '/opt/CAPEv2/web/..', '/opt/CAPEv2', '/opt/CAPEv2/web', '/opt/CAPEv2/web/..'] |
| Server time: | Fri, 04 Sep 2020 13:47:30 +0000 |

doomedraven commented 4 years ago

hello, thank you. i just tried to reproduce that on the public capesandbox.com and wasn't able to. can you please provide more info about your setup, are those Linux VMs? i need a bit more details

doomedraven commented 4 years ago

i have pushed a small check there, please do a git pull. but i would still like to hear about your setup, as it never happened to me before. maybe you removed platform = X in your machinery config?

lillypad commented 4 years ago

@doomedraven It could very well be the fact I'm using proxmox.conf. If you are using different machinery it maybe why you cannot reproduce.

I can confirm that the platform = x is there and that the regular submit works just fine.

```ini
[proxmox]
hostname = <redacted>
username = <redacted>
password = <redacted>
interface = ens19
machines = win7_x64_0, win7_x64_1, win10_x64_0, linux_x64_0

[win7_x64_0]
label = cape-win7-x64-0
platform = windows
ip = <redacted>
snapshot = cape
interface = ens19
resultserver_ip = <redacted>
resultserver_port = 2042
tags = win7, x64
mem_profile = Win7SP1x64_23418

[win7_x64_1]
label = cape-win7-x64-1
platform = windows
ip = <redacted>
snapshot = cape
interface = ens19
resultserver_ip = <redacted>
resultserver_port = 2042
tags = win7, x64
mem_profile = Win7SP1x64_23418

[win10_x64_0]
label = cape-win10-x64-0
platform = windows
ip = <redacted>
snapshot = cape
interface = ens19
resultserver_ip = <redacted>
resultserver_port = 2042
tags = win10, x64
mem_profile = Win10x64_10586

[linux_x64_0]
label = cape-linux-x64-0
platform = linux
ip = <redacted>
snapshot = cape
interface = ens19
resultserver_ip = <redacted>
resultserver_port = 2042
tags = linux, x64
```

I also noticed that line 593 has the following code:

```python
machine_details = db.view_machine(machine[0])
```

Though in the other instances where this is used to obtain machine_details, it looks like this:

```python
machine_details = db.view_machine(machine)
```

I did try changing this to match the others, but it didn't work out; it could be something with the proxmox machinery further back in the code.

I'll try a git pull and see if that works out.

doomedraven commented 4 years ago

well, for a start, proxmox is not supported by us, we only and strongly suggest kvm. but this doesn't look like the root cause of the problem. it should be related to the windows/linux platform; that code was done by another person, and it works for kvm (our favorite hypervisor).

Can you please do the following to help with hunting the root cause: just after here https://github.com/kevoreilly/CAPEv2/blob/master/web/submission/views.py#L587 add

```python
print(magic_type, platform, machine)
```

that should give some details. i suspect the problem is with the file format recon. was it a PE or ELF, or was it a script?

and huge thanks for code escape formatting <3
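
The None-safe lookup the two comments above are circling, as an added example that is not CAPEv2's own code. `Machine`, `FakeDatabase`, `resolve_platform` and the magic-string table are assumptions made for this illustration, standing in for CAPE's `Database.view_machine()` and the platform selection in the submit view. It accepts both shapes of `machine` quoted from views.py (a plain name and the `machine[0]` list form) and, whenever the lookup returns None for whatever reason, falls back to file-format recon on the kind of description `file` prints for PE and ELF binaries instead of raising AttributeError.

```python
"""Added example (not CAPEv2's code): None-safe platform resolution for a
sandbox submission. Every class and function here is an illustrative
stand-in, not CAPE's real Database or submit view."""

from dataclasses import dataclass
from typing import Optional, Sequence, Union


@dataclass
class Machine:
    """Minimal stand-in for a machinery entry (assumed shape)."""
    name: str
    label: str
    platform: str


class FakeDatabase:
    """Constructed stand-in for CAPE's Database. view_machine() returns
    None for an unknown name, the case that raised AttributeError."""

    def __init__(self, machines: Sequence[Machine]):
        self._by_name = {m.name: m for m in machines}

    def view_machine(self, name: str) -> Optional[Machine]:
        return self._by_name.get(name)


# Substrings of `file` descriptions / mime types mapped to a platform.
# Constructed for this example; CAPE's own recon logic is different.
_MAGIC_TO_PLATFORM = (
    ("PE32", "windows"),
    ("application/x-dosexec", "windows"),
    ("ELF", "linux"),
    ("application/x-executable", "linux"),
    ("application/x-sharedlib", "linux"),
)


def platform_from_magic(magic_type: str) -> Optional[str]:
    """Infer the platform from a `file`-style description or mime type."""
    for needle, platform in _MAGIC_TO_PLATFORM:
        if needle in magic_type:
            return platform
    return None


def resolve_platform(db: FakeDatabase,
                     machine: Union[str, Sequence[str], None],
                     magic_type: str = "") -> Optional[str]:
    """Return the platform for a submission without dereferencing None.

    `machine` may be a plain name ("win7_x64_0"), a one-element list
    (the machine[0] form from views.py line 593), or None / "all" /
    "first" when the user lets the scheduler pick. An unknown machine
    falls back to file-format recon rather than raising.
    """
    name: Optional[str] = None
    if isinstance(machine, str):
        name = machine
    elif machine:  # non-empty list or tuple
        name = machine[0]

    if name and name not in ("all", "first"):
        details = db.view_machine(name)
        if details is not None:
            return details.platform

    # No explicit machine, or the lookup missed: use the file type.
    return platform_from_magic(magic_type)
```

The check that matters is `if details is not None`: the original line trusted `view_machine()` to always return a row, and a miss (for example a name the machinery never registered) surfaced as a 500 from the web UI rather than a clear "unknown machine" or a sensible fallback.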

lillypad commented 4 years ago

Looks like the change you have made does indeed seem to fix the problem.

Yeah I'm not sure what the root cause was exactly to be honest.


The analysis also did complete just fine now, i'll try rolling back one commit and seeing if I can determine the root cause.

Yeah, I know proxmox isn't "officially" supported though it does make deployment and management of VMs much faster and the interface is great.

There are also a lot of good reasons to use KVM, such as CPU emulation for arm, mips etc., though all the decent open source projects using KVM with a decent web UI either don't support CPU emulation at all, which is really strange to me. This includes proxmox.

If you have any suggestions of a really good KVM web ui let me know, I'm all ears!

I do use and have KVM configured on my malware analysis laptop using libvirt, spice but that's all local and not on actual server hardware.

doomedraven commented 4 years ago

can you please check the file format of that downloaded file? i suppose it's a script and wasn't recognized

so by parts

  1. https://www.doomedraven.com/2016/05/kvm.html
  2. https://github.com/doomedraven/Tools/blob/master/Virtualization/kvm-qemu.sh

check https://retspen.github.io/ if you want webgui to manage many kvm servers, my script should install but it can be a bit outdated for that part as i can't check frequently if they change that, i just check the core components like libvirt/qemu/etc

lillypad commented 4 years ago

@doomedraven yeah, I'm very familiar with setting up the initial install of libvirt and KVM. I did my libvirt install completely on Gentoo, making sure the kernel was compiled and optimized for it.

Yeah, I did also have a look at WebVirtMgr; it's unfortunate it hasn't been given some love in 2 years, I'm trying to stick with what is currently maintained. Looks like this one is maintained and is what they moved to now: https://github.com/retspen/webvirtcloud. I have another server I'm building, I may give the webvirtcloud thing a shot and see how it goes and if it supports all the architectures qemu can emulate as well.

I started playing around with CAPE because Cuckoo is in quite the state of disrepair, I contributed to it once for a simple registry change, it didn't get merged for six months, once it did he didn't merge my code and simply put it in himself, I wasn't even added to the contributor list. :sob:

I also have some research on extracting C2 data and decrypting all strings from KPot stealer if you want to use it https://github.com/lillypad/fkks. I also have it setup so you can decrypt the stolen data by intercepting the C2 request using your own C2 server.

So the file type is a PE file and not a script, oddly enough. I think you parse mime-types but I'm not certain, here you go!

```console
# Download link source is from VxVault
$ wget hxxp[:]//45.139.236.14/wotsuper2[.]exe
$ file wotsuper2.exe
wotsuper2.exe: PE32 executable (GUI) Intel 80386, for MS Windows
$ file --mime-type wotsuper2.exe
wotsuper2.exe: application/x-dosexec
```

doomedraven commented 4 years ago

nice tool, thanks. i need to check if my private kpot extractor still works with the samples that you have in your repo. hm, it is weird about the sample, but well, at least it is fixed now. yes, that is why i abandoned cuckoo too, i was doing support and code PRs for years but then they just became "dead PRs", as i call them

ah yes they moved that to webvirtcloud. let us know if you have some ideas/features/bugs findings

lillypad commented 4 years ago

One of the things I was hoping to start contributing to is better Linux support.

I was thinking of starting with some basic static analysis work that can be done in Python and put into JSON format or something simple that can be parsed and put in the web ui.

I'm not a great web developer (as in I can't design a UI to save my life), but I wouldn't mind helping out a little regarding some of the other code.

A few features I would like to suggest and help with maybe (time permitting, I can do small things as I'm usually very busy):

doomedraven commented 4 years ago

closing this as solved, let us know if we can help more, thanks again for reporting it