Open c3luong opened 8 years ago
c3luong
commented
8 years ago Just noticed that the windows 7 system clock never moves in the sandbox when started by cuckoo. I can confirm that the clock does work properly in the snapshot though, so there's something different happening in the sandbox.
spender-sandbox
commented
8 years ago Was there a previous version that worked? Do you have anything else in the VM that might affect the time?
-Brad
c3luong
commented
8 years ago Nope, it's a fresh install.
I followed these instructions almost exactly: https://infosecspeakeasy.org/t/howto-build-a-cuckoo-sandbox/27
I don't think there's anything in the VM that should affect the time, but not 100% sure that there's nothing that could be interacting.
c3luong
commented
8 years ago Note that I tried spinning up a Win XP VM and encountered the same issue. (VM starts up and analysis starts going, but the system time is frozen and pauses never end.)
spender-sandbox
commented
8 years ago Can you try with daydelta in conf/cuckoo.conf set to 0?
-Brad
c3luong
commented
8 years ago Yep, I'll do it right now.
c3luong
commented
8 years ago Same result (notice the timestamp never moves):
2016-09-18 23:34:49,780 [root] INFO: Date set to: 09-21-16, time set to: 18:17:52 2016-09-18 23:34:49,780 [root] DEBUG: Starting analyzer from: C:\scyfrcw 2016-09-18 23:34:49,780 [root] DEBUG: Storing results at: C:\DzdDwSuOn 2016-09-18 23:34:49,780 [root] DEBUG: Pipe server name: .\PIPE\APwoaSFjz 2016-09-18 23:34:49,780 [root] DEBUG: No analysis package specified, trying to detect it automagically. 2016-09-18 23:34:49,780 [root] INFO: Automatically selected analysis package "exe" 2016-09-18 23:34:49,780 [root] DEBUG: Started auxiliary module Browser 2016-09-18 23:34:49,780 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, signtool.exe was not found in bin/ 2016-09-18 23:34:49,780 [root] DEBUG: Started auxiliary module DigiSig 2016-09-18 23:34:49,780 [root] DEBUG: Started auxiliary module Disguise 2016-09-18 23:34:49,780 [root] DEBUG: Started auxiliary module Human 2016-09-18 23:34:49,780 [root] DEBUG: Started auxiliary module Screenshots 2016-09-18 23:34:49,780 [root] DEBUG: Started auxiliary module Usage 2016-09-18 23:34:49,780 [lib.api.process] INFO: Successfully executed process from path "C:\DOCUME~1\c3luong\LOCALS~1\Temp\putty.exe" with arguments "" with pid 1532 2016-09-18 23:34:49,780 [lib.api.process] DEBUG: Using QueueUserAPC injection. 2016-09-18 23:34:49,780 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1532
c3luong
commented
8 years ago So I put a snapshot without agent.py into kvm.conf so that nothing is actually run in the client. But when I start the job the time is still frozen (although instead of being frozen at 23:34:49, it is frozen at the current local time).
Do you think the problem is with my kvm install?
spender-sandbox
commented
8 years ago Must be, there's nothing in Cuckoo that would cause a guest's clock to stop completely -- I didn't notice that from the initial post.
-Brad
c3luong
commented
8 years ago Yeah, it's weird because the time works perfectly when I start the snapshot using virt-manager. It's just frozen when it's started through Cuckoo. Might be an issue with the KVM interface, not sure.
I think I might try virtualbox next.
doomedraven
commented
8 years ago i use cuckoo with kvm and i never had this issue
When I run an exe in the sandbox using KVM and win7-sp1, it hangs after the "Injected into suspended 32-bit process with pid 2280" log:
After some debugging in the python files, I found that the problematic line is L395 of process.py:
KERNEL32.Sleep(2000)The program gets to this line, and waits forever.
Anyone know how to fix this?