kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

Calc / Notepad detonation fail #547

Closed gcmoreira closed 1 year ago

gcmoreira commented 3 years ago

Prerequisites

Please answer the following questions for yourself before submitting an issue.

Expected Behavior

Current Behavior

None of them seems to work.

Failure Information (for bugs)

As per the Behavioral Analysis they finish within a second of being executed. I tested them in a local (updated) environment but also double-checked that the same results happen in your environment; see the following results:

Steps to Reproduce

  1. Take calc.exe and notepad.exe from c:\windows\system32 on the same win7 or win10 guest machine. Both .exe are PE 32 bit so it doesn't matter.
  2. Submit them using the web default settings. I only forced the "Machine" just to make sure it will execute there.

Context

I tested them in a local updated environment but also double-checked that the same results happen in yours.

Local setup

Question            Answer
Git commit          5d5ba06d8788ac561b267b20eec49e437decdf88
Community package   Updated using $ python3 utils/community.py -waf
HOST OS version     Ubuntu 20.04.2 LTS
GUEST OS versions   win7x86, win7x64, win10x64

Failure Logs

Please check the result links above.

kevoreilly commented 3 years ago

Thanks for the heads up - will look into it.

doomedraven commented 2 years ago

MUI problem - https://twitter.com/hasherezade/status/1558841246944317441

kevoreilly commented 1 year ago

doomed is right - this is a MUI issue, not a CAPE issue. hasherezade offers a nice explanation: https://github.com/hasherezade/libpeconv/issues/44

To prove this, instead of submitting notepad or calc, try submitting a batch file that launches them. Then cape has no problem monitoring these exes run from their proper location:

https://capesandbox.com/analysis/354918
https://capesandbox.com/analysis/354919
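A pre-submission check for the MUI dependency kevoreilly describes, as an added example that is not CAPE's or libpeconv's code: a language-neutral binary such as notepad.exe carries a resource of the named type "MUI" and loads its .mui sidecar from a language subdirectory, which a copy dropped into the sandbox's working directory does not have. The parser uses only the standard library, and the `SAMPLE_RSRC` blob is constructed here, not taken from a real file.

```python
import struct

# Standard RT_* resource type ids (winuser.h); the MUI resource type has no id, it is named.
RT_NAMES = {1: "RT_CURSOR", 2: "RT_BITMAP", 3: "RT_ICON", 4: "RT_MENU", 5: "RT_DIALOG",
            6: "RT_STRING", 9: "RT_ACCELERATOR", 10: "RT_RCDATA", 14: "RT_GROUP_ICON",
            16: "RT_VERSION", 24: "RT_MANIFEST"}

def resource_type_names(rsrc: bytes) -> list:
    """Walk the root IMAGE_RESOURCE_DIRECTORY of a .rsrc section: named types as
    their string, numeric ids as RT_* names."""
    n_named, n_id = struct.unpack_from("<HH", rsrc, 12)  # entry counts sit at offset 12
    names = []
    for i in range(n_named + n_id):
        name, _subdir = struct.unpack_from("<II", rsrc, 16 + 8 * i)
        if name & 0x80000000:  # high bit: offset (from section start) to a UTF-16LE string
            off = name & 0x7FFFFFFF
            (length,) = struct.unpack_from("<H", rsrc, off)  # length counted in WCHARs
            names.append(rsrc[off + 2:off + 2 + 2 * length].decode("utf-16-le"))
        else:
            names.append(RT_NAMES.get(name, f"RT_{name}"))
    return names

def depends_on_mui(rsrc: bytes) -> bool:
    """True for a language-neutral MUI image, i.e. one that needs its .mui sidecar to run."""
    return "MUI" in resource_type_names(rsrc)

def rsrc_section_of(pe: bytes) -> bytes:
    """Find the resource data directory of a PE32/PE32+ file and return its raw bytes."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)  # data directories start (PE32+ / PE32)
    rsrc_rva = struct.unpack_from("<I", pe, dd + 8 * 2)[0]  # directory entry 2 = resources
    for i in range(n_sections):
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        if va <= rsrc_rva < va + max(vsize, raw_size):
            return pe[raw_ptr + (rsrc_rva - va):raw_ptr + raw_size]
    raise ValueError("no section holds the resource directory")

# Constructed sample (not from a real binary): a resource root with one named type "MUI" then two id types.
SAMPLE_RSRC = (struct.pack("<IIHHHH", 0, 0, 0, 0, 1, 2)
               + struct.pack("<II", 0x80000000 | 40, 0x80000000)  # named entry, string at 40
               + struct.pack("<II", 3, 0x80000000)                 # RT_ICON subdirectory
               + struct.pack("<II", 24, 0x80000000)                # RT_MANIFEST subdirectory
               + struct.pack("<H", 3) + "MUI".encode("utf-16-le"))
```

Running `depends_on_mui(rsrc_section_of(open(path, "rb").read()))` on a copy of calc.exe or notepad.exe tells you it is a language-neutral image before a sandbox run is spent on it.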