spender-sandbox / cuckoo-modified

Modified edition of cuckoo

Issue with analyzing dropped files & signatures #346

Open satwikbh opened 7 years ago

satwikbh commented 7 years ago

I get the following errors when I run analysis. Can anyone help me figure out where exactly I am wrong?

ERROR: Failed to run the processing module "Dropped":

ERROR: Failed to run signature "static_pe_anomaly":
ERROR: Failed to run signature "polymorphic":
ERROR: Failed to run signature "copies_self":
ERROR: Failed to run signature "static_pe_anomaly":

My configurations are

Cuckoo.conf:

ip = 192.168.56.1
port = 2042

Virtualbox.conf:

machines = client1,client2,client3,client4,client5

[client1]
label = client1
platform = windows
ip = 192.168.56.101
snapshot = Snapshot1

[client2]
label = client2
platform = windows
ip = 192.168.56.102
snapshot = Snapshot1

[client3]
label = client3
platform = windows
ip = 192.168.56.103
snapshot = Snapshot1

[client4]
label = client4
platform = windows
ip = 192.168.56.104
snapshot = Snapshot1

[client5]
label = client5
platform = windows
ip = 192.168.56.105
snapshot = Snapshot1

doomedraven commented 7 years ago

Those are pretty common errors; see the command line log for the error, but it is normal to see them.

satwikbh commented 7 years ago

@doomedraven Thanks for the reply.

I also thought that was common, but an error in Dropped implies there will be no analysis for the dropped files. Is there any workaround for this error?

doomedraven commented 7 years ago

Are you sure there are dropped files? If yes, then post the log.

satwikbh commented 7 years ago

I am sure there are dropped files; also attaching the logs zip: cuckoo.log.zip

doomedraven commented 7 years ago

Update the signatures; the fixes were just accepted to the repo, so you won't get those errors anymore. Let us know if you experience those errors or any others.

satwikbh commented 7 years ago

I am not getting the signature errors anymore but the dropped file error persists.

doomedraven commented 7 years ago

Does that path exist? As there should be dropped files? You say it exists, but cuckoo says it doesn't:

2016-11-04 02:04:53,495 [lib.cuckoo.core.plugins] ERROR: Failed to run the processing module "Dropped":
Traceback (most recent call last):
  File "/home/cstar/Documents/cuckoo-modified/lib/cuckoo/core/plugins.py", line 197, in process
    data = current.run()
  File "/home/cstar/Documents/cuckoo-modified/modules/processing/dropped.py", line 26, in run
    file_names = os.listdir(self.dropped_path)
OSError: [Errno 2] No such file or directory: '/home/cstar/Documents/cuckoo-modified/storage/analyses/1/files'

satwikbh commented 7 years ago

Correct me if I am wrong.

In the storage, cuckoo creates the analyses folder, which in turn contains the files folder. Now if cuckoo is not able to create the files folder, then there will be no such path and hence cuckoo throws an error.

doomedraven commented 7 years ago

Yes, so how did you verify the dropped files? From my previous question.

satwikbh commented 7 years ago

The samples I am testing are my benchmark samples. I have the analysis reports of these from which I have found that they indeed have dropped files. Also malwr https://malwr.com/analysis/Y2FjYjQxNGVjMzAxNGQ1NGIwZTBkMDJkODJlYWUzYWY/ online sandbox states the same.

doomedraven commented 7 years ago

That says nothing related to the error. Check the permissions on the cuckoo-modified folder and subfolders; that can be the issue.

satwikbh commented 7 years ago

The malware samples which I am using for the test are sure to drop files. Now, the issue is that with an earlier version of cuckoo-modified I am able to analyze properly (i.e. the malware drops files and those are also analyzed).

But with this version the files folder is not created. I think there is a bug in the behavioral analysis module. Also, I have checked the permissions of the cuckoo-modified folder and subfolders; they have the correct permissions.

doomedraven commented 7 years ago

Why don't you use the latest cuckoo-mod then?

satwikbh commented 7 years ago

Maybe I am not clear. With the previous version (let us say it is X): I didn't face any issue. With the latest version which I have pulled recently (let us say it is Y): I am facing the issue.

Now I am not sure if this is because of an update or some mismatch in configuration. Hence, I am asking for some help in identifying it.

doomedraven commented 7 years ago

@spender-sandbox any idea?

KillerInstinct commented 7 years ago

What does the directory structure look like on something in storage/analyses/1/ ?

Does the files directory exist at all? If it doesn't exist, then there may be a permissions problem in the guest: https://github.com/spender-sandbox/cuckoo-modified/blob/55bafa2a325379418da9c2cdc66530458d827d17/analyzer/windows/lib/core/startup.py#L13 creates the directory structure in the guest, from PATHS declared here: https://github.com/spender-sandbox/cuckoo-modified/blob/55bafa2a325379418da9c2cdc66530458d827d17/analyzer/windows/lib/common/constants.py#L11

The only other place where the directory is created is in the resultserver: https://github.com/spender-sandbox/cuckoo-modified/blob/55bafa2a325379418da9c2cdc66530458d827d17/lib/cuckoo/core/resultserver.py#L306

But give me a ls -l of one of the analysis dirs.

EDIT: Also, for what it's worth, if you're using 5 VMs you should really not be using SQLite. SQLite is a file-based DB, which means it has file locks. If you have several analyses finishing at the same time they will want to access the DB at the same time, which can cause issues.

marirs commented 7 years ago

After updating the signatures, I see these errors:

2016-11-06 02:40:52,041 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ReSubmitExtractedEXE": KeyError: 'dropped'

spender-sandbox commented 7 years ago

Generally the missing directories happen when a VM fails to start for whatever reason, but there should be a log for that as well.

-Brad

satwikbh commented 7 years ago

@spender-sandbox The VM starts perfectly and has no issues because the entire report is being generated except for the behavioral part.

@KillerInstinct Find below the ls -l of cuckoo-modified:

drwxrwxrwx. 2 satwik satwik 4096 Nov 6 01:06 agent
drwxrwxrwx. 3 satwik satwik 4096 Nov 6 01:06 analyzer
drwxrwxrwx. 2 satwik satwik 4096 Nov 6 01:06 conf
-rwxrwxrwx. 1 satwik satwik 5558 Nov 6 01:06 cuckoo.py
-rwxrwxrwx. 1 satwik satwik 35345 Nov 6 01:06 cuckoo.pyproj
-rwxrwxrwx. 1 satwik satwik 958 Nov 6 01:06 cuckoo.sln
drwxrwxrwx. 7 satwik satwik 4096 Nov 6 01:40 data
drwxrwxrwx. 3 satwik satwik 4096 Nov 6 01:06 docs
drwxrwxrwx. 3 satwik satwik 4096 Nov 6 01:06 extra
drwxrwxrwx. 4 satwik satwik 4096 Nov 6 23:25 lib
drwxrwxrwx. 8 satwik satwik 4096 Nov 6 23:25 modules
-rwxrwxrwx. 1 satwik satwik 1641 Nov 6 01:06 README.md
-rwxrwxrwx. 1 satwik satwik 401 Nov 6 01:06 requirements.txt
drwxrwxrwx. 2 satwik satwik 4096 Nov 6 01:06 tests
drwxrwxrwx. 3 satwik satwik 4096 Nov 6 01:06 utils
drwxrwxrwx. 10 satwik satwik 4096 Nov 6 01:06 web

spender-sandbox commented 7 years ago

A report will still be generated even if the VM doesn't start properly (or fails to report back to the resultserver). Does it happen for every analysis?

-Brad

satwikbh commented 7 years ago

Yes. It happens for every analysis and I'm not able to capture the behavioral part.

spender-sandbox commented 7 years ago

Make sure your resultserver is configured correctly and that the guest VMs can communicate with it.

-Brad
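The thread narrows the missing storage/analyses/N/files directory down to two things: the resultserver configuration (ip/port in cuckoo.conf) and whether the guests can actually reach it. The script below is an added example, not code from cuckoo-modified, that automates the two checks a maintainer would ask for: it cross-checks the resultserver address against the guest IPs declared in virtualbox.conf (every label in `machines =` must have a section, and every guest must sit on the resultserver's host-only network), and it reports which expected subdirectories are absent from an analysis directory. Assumptions: cuckoo.conf keeps ip/port under a `[resultserver]` section, the host-only network is a /24, and an analysis directory normally contains `files`, `logs` and `shots`; the sample configs are constructed from the values posted above, with client3 deliberately left without a section.

```python
"""Config and analysis-directory sanity checks for a Cuckoo-style sandbox.

Added example, not cuckoo-modified code. Assumes a [resultserver] section in
cuckoo.conf, a /24 host-only network, and files/logs/shots under each
analysis directory.
"""
import configparser
import ipaddress
import os
import tempfile

# Constructed sample cuckoo.conf fragment, modelled on the values in the thread.
CUCKOO_CONF = """
[resultserver]
ip = 192.168.56.1
port = 2042
"""

# Constructed sample virtualbox.conf; client3 is listed but has no section.
VBOX_CONF = """
[virtualbox]
machines = client1,client2,client3

[client1]
label = client1
platform = windows
ip = 192.168.56.101
snapshot = Snapshot1

[client2]
label = client2
platform = windows
ip = 192.168.56.102
snapshot = Snapshot1
"""

# Assumption: typical Cuckoo analysis layout; 'files' is the one the traceback
# in the thread reports as missing.
EXPECTED_SUBDIRS = ("files", "logs", "shots")


def check_configs(cuckoo_text, vbox_text, prefix=24):
    """Return a list of problems found in the two config texts (empty = OK).

    prefix is the assumed size of the VirtualBox host-only network; guests
    outside that network can never report back to the resultserver.
    """
    problems = []
    cuckoo = configparser.ConfigParser()
    cuckoo.read_string(cuckoo_text)
    vbox = configparser.ConfigParser()
    vbox.read_string(vbox_text)

    rs_ip = ipaddress.ip_address(cuckoo["resultserver"]["ip"])
    rs_port = cuckoo["resultserver"].getint("port")
    if not 1 <= rs_port <= 65535:
        problems.append("resultserver port out of range: %d" % rs_port)
    host_net = ipaddress.ip_network("%s/%d" % (rs_ip, prefix), strict=False)

    for label in vbox["virtualbox"]["machines"].split(","):
        label = label.strip()
        if label not in vbox:
            problems.append("machine %r listed but has no section" % label)
            continue
        guest_ip = ipaddress.ip_address(vbox[label]["ip"])
        if guest_ip not in host_net:
            problems.append("guest %s (%s) not on resultserver network %s"
                            % (label, guest_ip, host_net))
    return problems


def missing_analysis_dirs(analysis_dir):
    """Return the expected subdirectories that are absent from analysis_dir."""
    return [d for d in EXPECTED_SUBDIRS
            if not os.path.isdir(os.path.join(analysis_dir, d))]


def build_sample_analysis_dir():
    """Create a constructed analysis directory that lacks 'files', as in the
    thread, and return its path."""
    root = tempfile.mkdtemp(prefix="cuckoo-analysis-")
    for sub in ("logs", "shots"):
        os.mkdir(os.path.join(root, sub))
    return root


if __name__ == "__main__":
    for issue in check_configs(CUCKOO_CONF, VBOX_CONF):
        print("config:", issue)
    sample = build_sample_analysis_dir()
    print("missing in %s: %s" % (sample, missing_analysis_dirs(sample)))
```

Run it against the real conf/cuckoo.conf and conf/virtualbox.conf by reading those files into the two text arguments; a non-empty result from check_configs points at a setup problem to fix before blaming the Dropped module, while a missing `files` entry with `logs` and `shots` present is the shape of the failure reported in this thread.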