spender-sandbox / cuckoo-modified

Modified edition of cuckoo

analysis hit critical timeout, Agent freezes #369

Open Meow-ops opened 7 years ago

Meow-ops commented 7 years ago

Using cuckoo in a Windows 7 32-bit environment with the following sample: 34510ceb373808c65949cbbe111bf2e3. The error 2016-11-21 17:41:13,178 [lib.cuckoo.core.scheduler] ERROR: The analysis hit the critical timeout, terminating. appears in red.

The results are not complete: some processes are empty, dropped files too, and process memory cannot be accessed.

With debug log:

 Cuckoo Sandbox 1.3-NG
 www.cuckoosandbox.org
 Copyright (c) 2010-2015

2016-11-21 17:35:12,851 [root] DEBUG: Importing modules...
2016-11-21 17:35:13,285 [root] DEBUG: Imported "signatures" modules:
2016-11-21 17:35:13,285 [root] DEBUG:    |-- Alphacrypt_APIs
2016-11-21 17:35:13,285 [root] DEBUG:    |-- Andromeda_APIs
2016-11-21 17:35:13,285 [root] DEBUG:    |-- AntiAnalysisDetectFile
2016-11-21 17:35:13,285 [root] DEBUG:    |-- AntiAnalysisDetectReg
2016-11-21 17:35:13,285 [root] DEBUG:    |-- AvastDetectLibs
2016-11-21 17:35:13,285 [root] DEBUG:    |-- BitdefenderDetectLibs
2016-11-21 17:35:13,285 [root] DEBUG:    |-- AntiAVDetectFile
2016-11-21 17:35:13,286 [root] DEBUG:    |-- AntiAVDetectReg
2016-11-21 17:35:13,286 [root] DEBUG:    |-- AntiAVServiceStop
2016-11-21 17:35:13,286 [root] DEBUG:    |-- AntiAVSRP
2016-11-21 17:35:13,286 [root] DEBUG:    |-- AntiDBGDevices
2016-11-21 17:35:13,286 [root] DEBUG:    |-- AntiDBGWindows
2016-11-21 17:35:13,286 [root] DEBUG:    |-- WineDetectReg
2016-11-21 17:35:13,286 [root] DEBUG:    |-- WineDetectFunc
2016-11-21 17:35:13,286 [root] DEBUG:    |-- AntiCuckoo
2016-11-21 17:35:13,286 [root] DEBUG:    |-- SandboxJoeAnubisDetectFiles
2016-11-21 17:35:13,286 [root] DEBUG:    |-- HookMouse
2016-11-21 17:35:13,286 [root] DEBUG:    |-- GetProductID
2016-11-21 17:35:13,286 [root] DEBUG:    |-- SandboxieDetectLibs
2016-11-21 17:35:13,287 [root] DEBUG:    |-- AntisandboxSboxieMutex
2016-11-21 17:35:13,287 [root] DEBUG:    |-- AntiSandboxSboxieObjects
2016-11-21 17:35:13,287 [root] DEBUG:    |-- AntiSandboxSleep
2016-11-21 17:35:13,287 [root] DEBUG:    |-- SunbeltDetectFiles
2016-11-21 17:35:13,287 [root] DEBUG:    |-- SunbeltDetectLibs
2016-11-21 17:35:13,287 [root] DEBUG:    |-- AntiSandboxSuspend
2016-11-21 17:35:13,287 [root] DEBUG:    |-- Unhook
2016-11-21 17:35:13,287 [root] DEBUG:    |-- KnownVirustotal
2016-11-21 17:35:13,287 [root] DEBUG:    |-- AntiVMDirectoryObjects
2016-11-21 17:35:13,287 [root] DEBUG:    |-- AntiVMBios
2016-11-21 17:35:13,287 [root] DEBUG:    |-- AntiVMCPU
2016-11-21 17:35:13,288 [root] DEBUG:    |-- DiskInformation
2016-11-21 17:35:13,288 [root] DEBUG:    |-- SetupAPIDiskInformation
2016-11-21 17:35:13,288 [root] DEBUG:    |-- AntiVMDiskReg
2016-11-21 17:35:13,288 [root] DEBUG:    |-- AntiVMSCSI
2016-11-21 17:35:13,288 [root] DEBUG:    |-- AntiVMServices
2016-11-21 17:35:13,288 [root] DEBUG:    |-- AntiVMSystem
2016-11-21 17:35:13,288 [root] DEBUG:    |-- VBoxDetectACPI
2016-11-21 17:35:13,288 [root] DEBUG:    |-- VBoxDetectDevices
2016-11-21 17:35:13,288 [root] DEBUG:    |-- VBoxDetectFiles
2016-11-21 17:35:13,288 [root] DEBUG:    |-- VBoxDetectKeys
2016-11-21 17:35:13,288 [root] DEBUG:    |-- VBoxDetectLibs
2016-11-21 17:35:13,288 [root] DEBUG:    |-- VBoxDetectProvname
2016-11-21 17:35:13,288 [root] DEBUG:    |-- VBoxDetectWindow
2016-11-21 17:35:13,289 [root] DEBUG:    |-- VMwareDetectDevices
2016-11-21 17:35:13,289 [root] DEBUG:    |-- VMwareDetectEvent
2016-11-21 17:35:13,289 [root] DEBUG:    |-- VMwareDetectFiles
2016-11-21 17:35:13,289 [root] DEBUG:    |-- VMwareDetectKeys
2016-11-21 17:35:13,289 [root] DEBUG:    |-- VMwareDetectLibs
2016-11-21 17:35:13,289 [root] DEBUG:    |-- VMwareDetectMutexes
2016-11-21 17:35:13,289 [root] DEBUG:    |-- VPCDetectFiles
2016-11-21 17:35:13,289 [root] DEBUG:    |-- VPCDetectKeys
2016-11-21 17:35:13,289 [root] DEBUG:    |-- VPCDetectMutex
2016-11-21 17:35:13,289 [root] DEBUG:    |-- BadCerts
2016-11-21 17:35:13,289 [root] DEBUG:    |-- BadSSLCerts
2016-11-21 17:35:13,290 [root] DEBUG:    |-- Cridex
2016-11-21 17:35:13,290 [root] DEBUG:    |-- Geodo
2016-11-21 17:35:13,290 [root] DEBUG:    |-- Prinimalka
2016-11-21 17:35:13,290 [root] DEBUG:    |-- SpyEyeMutexes
2016-11-21 17:35:13,290 [root] DEBUG:    |-- ZeusMutexes
2016-11-21 17:35:13,290 [root] DEBUG:    |-- ZeusP2P
2016-11-21 17:35:13,290 [root] DEBUG:    |-- ZeusURL
2016-11-21 17:35:13,290 [root] DEBUG:    |-- BetaBot_APIs
2016-11-21 17:35:13,290 [root] DEBUG:    |-- BitcoinOpenCL
2016-11-21 17:35:13,290 [root] DEBUG:    |-- Bootkit
2016-11-21 17:35:13,290 [root] DEBUG:    |-- AthenaHttp
2016-11-21 17:35:13,290 [root] DEBUG:    |-- DirtJumper
2016-11-21 17:35:13,290 [root] DEBUG:    |-- Drive
2016-11-21 17:35:13,291 [root] DEBUG:    |-- Drive2
2016-11-21 17:35:13,291 [root] DEBUG:    |-- Madness
2016-11-21 17:35:13,291 [root] DEBUG:    |-- Ruskill
2016-11-21 17:35:13,291 [root] DEBUG:    |-- BrowserAddon
2016-11-21 17:35:13,291 [root] DEBUG:    |-- BrowserHelperObject
2016-11-21 17:35:13,291 [root] DEBUG:    |-- ModifyProxy
2016-11-21 17:35:13,291 [root] DEBUG:    |-- BrowserScanbox
2016-11-21 17:35:13,291 [root] DEBUG:    |-- BrowserSecurity
2016-11-21 17:35:13,291 [root] DEBUG:    |-- browser_startpage
2016-11-21 17:35:13,291 [root] DEBUG:    |-- BypassFirewall
2016-11-21 17:35:13,292 [root] DEBUG:    |-- CarberpMutexes
2016-11-21 17:35:13,292 [root] DEBUG:    |-- Chimera_APIs
2016-11-21 17:35:13,292 [root] DEBUG:    |-- ClamAV
2016-11-21 17:35:13,292 [root] DEBUG:    |-- ClickfraudCookies
2016-11-21 17:35:13,292 [root] DEBUG:    |-- ClickfraudVolume
2016-11-21 17:35:13,292 [root] DEBUG:    |-- CodeLux_APIs
2016-11-21 17:35:13,292 [root] DEBUG:    |-- CopiesSelf
2016-11-21 17:35:13,292 [root] DEBUG:    |-- CreatesExe
2016-11-21 17:35:13,293 [root] DEBUG:    |-- CreatesLargeKey
2016-11-21 17:35:13,293 [root] DEBUG:    |-- CreatesNullValue
2016-11-21 17:35:13,293 [root] DEBUG:    |-- CriticalProcess
2016-11-21 17:35:13,293 [root] DEBUG:    |-- CryptoWall_APIs
2016-11-21 17:35:13,293 [root] DEBUG:    |-- DarkCometRegkeys
2016-11-21 17:35:13,293 [root] DEBUG:    |-- DeadLink
2016-11-21 17:35:13,293 [root] DEBUG:    |-- DebugsSelf
2016-11-21 17:35:13,293 [root] DEBUG:    |-- DeepFreezeMutex
2016-11-21 17:35:13,293 [root] DEBUG:    |-- DeletesSelf
2016-11-21 17:35:13,293 [root] DEBUG:    |-- DeletesShadowCopies
2016-11-21 17:35:13,293 [root] DEBUG:    |-- DEPBypass
2016-11-21 17:35:13,293 [root] DEBUG:    |-- DEPDisable
2016-11-21 17:35:13,293 [root] DEBUG:    |-- DisablesAppLaunch
2016-11-21 17:35:13,294 [root] DEBUG:    |-- DisablesBrowserWarn
2016-11-21 17:35:13,294 [root] DEBUG:    |-- DisablesSPDY
2016-11-21 17:35:13,294 [root] DEBUG:    |-- DisablesSystemRestore
2016-11-21 17:35:13,294 [root] DEBUG:    |-- DisablesUAC
2016-11-21 17:35:13,294 [root] DEBUG:    |-- DisablesWER
2016-11-21 17:35:13,294 [root] DEBUG:    |-- DisablesWFP
2016-11-21 17:35:13,294 [root] DEBUG:    |-- DisablesWindowsUpdate
2016-11-21 17:35:13,294 [root] DEBUG:    |-- DownloaderCabby
2016-11-21 17:35:13,294 [root] DEBUG:    |-- Dridex_APIs
2016-11-21 17:35:13,294 [root] DEBUG:    |-- DriverLoad
2016-11-21 17:35:13,294 [root] DEBUG:    |-- Dropper
2016-11-21 17:35:13,294 [root] DEBUG:    |-- EXEDropper_JS
2016-11-21 17:35:13,294 [root] DEBUG:    |-- Dyre_APIs
2016-11-21 17:35:13,294 [root] DEBUG:    |-- Angler_JS
2016-11-21 17:35:13,295 [root] DEBUG:    |-- Gondad_JS
2016-11-21 17:35:13,295 [root] DEBUG:    |-- HeapSpray_JS
2016-11-21 17:35:13,295 [root] DEBUG:    |-- Java_JS
2016-11-21 17:35:13,295 [root] DEBUG:    |-- Neutrino_JS
2016-11-21 17:35:13,295 [root] DEBUG:    |-- Nuclear_JS
2016-11-21 17:35:13,295 [root] DEBUG:    |-- RIG_JS
2016-11-21 17:35:13,295 [root] DEBUG:    |-- Silverlight_JS
2016-11-21 17:35:13,295 [root] DEBUG:    |-- Virtualcheck_JS
2016-11-21 17:35:13,295 [root] DEBUG:    |-- EncryptedIOC
2016-11-21 17:35:13,295 [root] DEBUG:    |-- Crash
2016-11-21 17:35:13,295 [root] DEBUG:    |-- FamilyProxyBack
2016-11-21 17:35:13,295 [root] DEBUG:    |-- FamilyRadamant
2016-11-21 17:35:13,295 [root] DEBUG:    |-- SystemMetrics
2016-11-21 17:35:13,295 [root] DEBUG:    |-- Generic_Phish
2016-11-21 17:35:13,295 [root] DEBUG:    |-- Gootkit_APIs
2016-11-21 17:35:13,296 [root] DEBUG:    |-- HawkEye_APIs
2016-11-21 17:35:13,296 [root] DEBUG:    |-- BitcoinWallet
2016-11-21 17:35:13,296 [root] DEBUG:    |-- BrowserStealer
2016-11-21 17:35:13,296 [root] DEBUG:    |-- FTPStealer
2016-11-21 17:35:13,296 [root] DEBUG:    |-- IMStealer
2016-11-21 17:35:13,296 [root] DEBUG:    |-- KeyLogger
2016-11-21 17:35:13,296 [root] DEBUG:    |-- EmailStealer
2016-11-21 17:35:13,296 [root] DEBUG:    |-- InjectionCRT
2016-11-21 17:35:13,296 [root] DEBUG:    |-- InjectionExplorer
2016-11-21 17:35:13,296 [root] DEBUG:    |-- InjectionExtension
2016-11-21 17:35:13,296 [root] DEBUG:    |-- InjectionRUNPE
2016-11-21 17:35:13,296 [root] DEBUG:    |-- InjectionRWX
2016-11-21 17:35:13,297 [root] DEBUG:    |-- Internet_Dropper
2016-11-21 17:35:13,297 [root] DEBUG:    |-- JS_Phish
2016-11-21 17:35:13,297 [root] DEBUG:    |-- JS_SuspiciousRedirect
2016-11-21 17:35:13,297 [root] DEBUG:    |-- KazyBot_APIs
2016-11-21 17:35:13,297 [root] DEBUG:    |-- Kibex_APIs
2016-11-21 17:35:13,297 [root] DEBUG:    |-- KrakenMutexes
2016-11-21 17:35:13,297 [root] DEBUG:    |-- DisableRegedit
2016-11-21 17:35:13,297 [root] DEBUG:    |-- DisableTaskMgr
2016-11-21 17:35:13,297 [root] DEBUG:    |-- MartiansIE
2016-11-21 17:35:13,297 [root] DEBUG:    |-- MimicsAgent
2016-11-21 17:35:13,297 [root] DEBUG:    |-- MimicsExtension
2016-11-21 17:35:13,297 [root] DEBUG:    |-- MimicsFiletime
2016-11-21 17:35:13,297 [root] DEBUG:    |-- MimicsIcon
2016-11-21 17:35:13,297 [root] DEBUG:    |-- ModifiesCerts
2016-11-21 17:35:13,297 [root] DEBUG:    |-- Modifies_HostFile
2016-11-21 17:35:13,298 [root] DEBUG:    |-- ModifySecurityCenterWarnings
2016-11-21 17:35:13,298 [root] DEBUG:    |-- ModifiesUACNotify
2016-11-21 17:35:13,298 [root] DEBUG:    |-- Multiple_UA
2016-11-21 17:35:13,298 [root] DEBUG:    |-- NetworkAnomaly
2016-11-21 17:35:13,298 [root] DEBUG:    |-- NetworkBIND
2016-11-21 17:35:13,298 [root] DEBUG:    |-- NetworkCnCHTTP
2016-11-21 17:35:13,298 [root] DEBUG:    |-- NetworkDGA
2016-11-21 17:35:13,298 [root] DEBUG:    |-- NetworkHTTP
2016-11-21 17:35:13,298 [root] DEBUG:    |-- NetworkICMP
2016-11-21 17:35:13,298 [root] DEBUG:    |-- NetworkIRC
2016-11-21 17:35:13,298 [root] DEBUG:    |-- NetworkSMTP
2016-11-21 17:35:13,298 [root] DEBUG:    |-- Tor
2016-11-21 17:35:13,298 [root] DEBUG:    |-- TorHiddenService
2016-11-21 17:35:13,298 [root] DEBUG:    |-- TorGateway
2016-11-21 17:35:13,298 [root] DEBUG:    |-- Nymaim_APIs
2016-11-21 17:35:13,299 [root] DEBUG:    |-- OfficeDLWritesEXE
2016-11-21 17:35:13,299 [root] DEBUG:    |-- Office_Macro
2016-11-21 17:35:13,299 [root] DEBUG:    |-- OfficeSecurity
2016-11-21 17:35:13,299 [root] DEBUG:    |-- Office_Suspicious
2016-11-21 17:35:13,299 [root] DEBUG:    |-- BuildLangID
2016-11-21 17:35:13,299 [root] DEBUG:    |-- ResourceLangID
2016-11-21 17:35:13,299 [root] DEBUG:    |-- ArmadilloMutex
2016-11-21 17:35:13,299 [root] DEBUG:    |-- ArmadilloRegKey
2016-11-21 17:35:13,299 [root] DEBUG:    |-- ConfuserPacked
2016-11-21 17:35:13,299 [root] DEBUG:    |-- PackerEntropy
2016-11-21 17:35:13,299 [root] DEBUG:    |-- SmartAssemblyPacked
2016-11-21 17:35:13,299 [root] DEBUG:    |-- ThemidaPacked
2016-11-21 17:35:13,299 [root] DEBUG:    |-- UPXCompressed
2016-11-21 17:35:13,299 [root] DEBUG:    |-- VMPPacked
2016-11-21 17:35:13,299 [root] DEBUG:    |-- PDF_Annot_URLs
2016-11-21 17:35:13,300 [root] DEBUG:    |-- ADS
2016-11-21 17:35:13,300 [root] DEBUG:    |-- Autorun
2016-11-21 17:35:13,300 [root] DEBUG:    |-- PersistenceService
2016-11-21 17:35:13,300 [root] DEBUG:    |-- Polymorphic
2016-11-21 17:35:13,300 [root] DEBUG:    |-- Pony_APIs
2016-11-21 17:35:13,300 [root] DEBUG:    |-- PowershellCommand
2016-11-21 17:35:13,300 [root] DEBUG:    |-- PunchPlusPlusPCREs
2016-11-21 17:35:13,300 [root] DEBUG:    |-- PreventsSafeboot
2016-11-21 17:35:13,300 [root] DEBUG:    |-- ProcessInterest
2016-11-21 17:35:13,300 [root] DEBUG:    |-- ProcessNeeded
2016-11-21 17:35:13,300 [root] DEBUG:    |-- Procmem_Yara
2016-11-21 17:35:13,300 [root] DEBUG:    |-- RansomwareExtensions
2016-11-21 17:35:13,300 [root] DEBUG:    |-- RansomwareFiles
2016-11-21 17:35:13,300 [root] DEBUG:    |-- RansomwareRecyclebin
2016-11-21 17:35:13,300 [root] DEBUG:    |-- BeebusMutexes
2016-11-21 17:35:13,301 [root] DEBUG:    |-- FynloskiMutexes
2016-11-21 17:35:13,301 [root] DEBUG:    |-- LuminosityRAT
2016-11-21 17:35:13,301 [root] DEBUG:    |-- NanocoreRAT
2016-11-21 17:35:13,301 [root] DEBUG:    |-- PcClientMutexes
2016-11-21 17:35:13,301 [root] DEBUG:    |-- PlugxMutexes
2016-11-21 17:35:13,301 [root] DEBUG:    |-- PoisonIvyMutexes
2016-11-21 17:35:13,301 [root] DEBUG:    |-- SpynetRat
2016-11-21 17:35:13,301 [root] DEBUG:    |-- XtremeMutexes
2016-11-21 17:35:13,301 [root] DEBUG:    |-- ReadsSelf
2016-11-21 17:35:13,301 [root] DEBUG:    |-- Recon_Beacon
2016-11-21 17:35:13,301 [root] DEBUG:    |-- CheckIP
2016-11-21 17:35:13,301 [root] DEBUG:    |-- Fingerprint
2016-11-21 17:35:13,301 [root] DEBUG:    |-- InstalledApps
2016-11-21 17:35:13,301 [root] DEBUG:    |-- SystemInfo
2016-11-21 17:35:13,301 [root] DEBUG:    |-- RemovesZoneIdADS
2016-11-21 17:35:13,302 [root] DEBUG:    |-- Secure_Login_Phish
2016-11-21 17:35:13,302 [root] DEBUG:    |-- SecurityXploded_Modules
2016-11-21 17:35:13,302 [root] DEBUG:    |-- SetsAutoconfigURL
2016-11-21 17:35:13,302 [root] DEBUG:    |-- Shifu_APIs
2016-11-21 17:35:13,302 [root] DEBUG:    |-- InstallsWinpcap
2016-11-21 17:35:13,302 [root] DEBUG:    |-- SpoofsProcname
2016-11-21 17:35:13,302 [root] DEBUG:    |-- CreatesAutorunInf
2016-11-21 17:35:13,302 [root] DEBUG:    |-- StackPivot
2016-11-21 17:35:13,302 [root] DEBUG:    |-- Authenticode
2016-11-21 17:35:13,302 [root] DEBUG:    |-- DotNetAnomaly
2016-11-21 17:35:13,302 [root] DEBUG:    |-- Static_Java
2016-11-21 17:35:13,302 [root] DEBUG:    |-- Static_PDF
2016-11-21 17:35:13,302 [root] DEBUG:    |-- PEAnomaly
2016-11-21 17:35:13,302 [root] DEBUG:    |-- RATConfig
2016-11-21 17:35:13,302 [root] DEBUG:    |-- VersionInfoAnomaly
2016-11-21 17:35:13,303 [root] DEBUG:    |-- StealthChildProc
2016-11-21 17:35:13,303 [root] DEBUG:    |-- StealthFile
2016-11-21 17:35:13,303 [root] DEBUG:    |-- StealthHiddenReg
2016-11-21 17:35:13,303 [root] DEBUG:    |-- StealthHideNotifications
2016-11-21 17:35:13,303 [root] DEBUG:    |-- StealthNetwork
2016-11-21 17:35:13,304 [root] DEBUG:    |-- StealthTimeout
2016-11-21 17:35:13,304 [root] DEBUG:    |-- StealthWebHistory
2016-11-21 17:35:13,304 [root] DEBUG:    |-- Hidden_Window
2016-11-21 17:35:13,304 [root] DEBUG:    |-- SuricataAlert
2016-11-21 17:35:13,304 [root] DEBUG:    |-- Flame
2016-11-21 17:35:13,304 [root] DEBUG:    |-- Tinba_APIs
2016-11-21 17:35:13,305 [root] DEBUG:    |-- FleerCivetMutexes
2016-11-21 17:35:13,305 [root] DEBUG:    |-- Troldesh_APIs
2016-11-21 17:35:13,305 [root] DEBUG:    |-- Upatre_APIs
2016-11-21 17:35:13,305 [root] DEBUG:    |-- Vawtrak_APIs
2016-11-21 17:35:13,305 [root] DEBUG:    |-- Vawtrak_APIs
2016-11-21 17:35:13,305 [root] DEBUG:    |-- Virus
2016-11-21 17:35:13,305 [root] DEBUG:    |-- VolDevicetree1
2016-11-21 17:35:13,305 [root] DEBUG:    |-- VolHandles1
2016-11-21 17:35:13,306 [root] DEBUG:    |-- VolLdrModules1
2016-11-21 17:35:13,306 [root] DEBUG:    |-- VolLdrModules2
2016-11-21 17:35:13,306 [root] DEBUG:    |-- VolMalfind1
2016-11-21 17:35:13,306 [root] DEBUG:    |-- VolMalfind2
2016-11-21 17:35:13,306 [root] DEBUG:    |-- VolModscan1
2016-11-21 17:35:13,306 [root] DEBUG:    |-- VolSvcscan1
2016-11-21 17:35:13,306 [root] DEBUG:    |-- VolSvcscan2
2016-11-21 17:35:13,306 [root] DEBUG:    |-- VolSvcscan3
2016-11-21 17:35:13,307 [root] DEBUG:    |-- Webmail_Phish
2016-11-21 17:35:13,307 [root] DEBUG:    `-- WHOIS_Create
2016-11-21 17:35:13,307 [root] DEBUG: Imported "auxiliary" modules:
2016-11-21 17:35:13,307 [root] DEBUG:    |-- Sniffer
2016-11-21 17:35:13,307 [root] DEBUG:    `-- Tor
2016-11-21 17:35:13,307 [root] DEBUG: Imported "processing" modules:
2016-11-21 17:35:13,307 [root] DEBUG:    |-- AnalysisInfo
2016-11-21 17:35:13,307 [root] DEBUG:    |-- BehaviorAnalysis
2016-11-21 17:35:13,308 [root] DEBUG:    |-- CIF
2016-11-21 17:35:13,308 [root] DEBUG:    |-- Debug
2016-11-21 17:35:13,308 [root] DEBUG:    |-- Decompression
2016-11-21 17:35:13,308 [root] DEBUG:    |-- Dropped
2016-11-21 17:35:13,308 [root] DEBUG:    |-- Memory
2016-11-21 17:35:13,308 [root] DEBUG:    |-- NetworkAnalysis
2016-11-21 17:35:13,308 [root] DEBUG:    |-- ProcessMemory
2016-11-21 17:35:13,308 [root] DEBUG:    |-- Static
2016-11-21 17:35:13,308 [root] DEBUG:    |-- Strings
2016-11-21 17:35:13,308 [root] DEBUG:    |-- Suricata
2016-11-21 17:35:13,308 [root] DEBUG:    |-- TargetInfo
2016-11-21 17:35:13,308 [root] DEBUG:    |-- Usage
2016-11-21 17:35:13,308 [root] DEBUG:    `-- VirusTotal
2016-11-21 17:35:13,308 [root] DEBUG: Imported "machinery" modules:
2016-11-21 17:35:13,309 [root] DEBUG:    `-- VirtualBox
2016-11-21 17:35:13,309 [root] DEBUG: Imported "feeds" modules:
2016-11-21 17:35:13,309 [root] DEBUG:    `-- AbuseCH_SSL
2016-11-21 17:35:13,309 [root] DEBUG: Imported "reporting" modules:
2016-11-21 17:35:13,309 [root] DEBUG:    |-- Compression
2016-11-21 17:35:13,309 [root] DEBUG:    |-- ElasticsearchDB
2016-11-21 17:35:13,309 [root] DEBUG:    |-- JsonDump
2016-11-21 17:35:13,309 [root] DEBUG:    |-- MAEC41Report
2016-11-21 17:35:13,309 [root] DEBUG:    |-- Malheur
2016-11-21 17:35:13,309 [root] DEBUG:    |-- MISP
2016-11-21 17:35:13,309 [root] DEBUG:    |-- MMDef
2016-11-21 17:35:13,309 [root] DEBUG:    |-- Moloch
2016-11-21 17:35:13,309 [root] DEBUG:    |-- MongoDB
2016-11-21 17:35:13,309 [root] DEBUG:    |-- ReportHTML
2016-11-21 17:35:13,309 [root] DEBUG:    |-- ReportHTMLSummary
2016-11-21 17:35:13,310 [root] DEBUG:    |-- ReportPDF
2016-11-21 17:35:13,310 [root] DEBUG:    |-- ReSubmitExtractedEXE
2016-11-21 17:35:13,310 [root] DEBUG:    |-- Retention
2016-11-21 17:35:13,310 [root] DEBUG:    `-- Syslog
2016-11-21 17:35:13,311 [root] DEBUG: Checking for locked tasks...
2016-11-21 17:35:13,374 [root] DEBUG: Initializing Yara...
2016-11-21 17:35:13,374 [root] DEBUG:    |-- index_binaries.yar
2016-11-21 17:35:13,374 [root] DEBUG:    `-- index_memory.yar
2016-11-21 17:35:13,375 [lib.cuckoo.core.resultserver] DEBUG: ResultServer running on 192.168.56.1:2042.
2016-11-21 17:35:13,376 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" machine manager with max_analysis_count=1, max_machines_count=1, and max_vmstartup_count=1
2016-11-21 17:35:13,657 [modules.machinery.virtualbox] DEBUG: Getting status for win732bit
2016-11-21 17:35:13,719 [modules.machinery.virtualbox] DEBUG: Machine win732bit status saved
2016-11-21 17:35:13,777 [modules.machinery.virtualbox] DEBUG: Stopping vm win732bit
2016-11-21 17:35:13,777 [modules.machinery.virtualbox] DEBUG: Getting status for win732bit
2016-11-21 17:35:13,846 [modules.machinery.virtualbox] DEBUG: Machine win732bit status saved
2016-11-21 17:35:14,924 [modules.machinery.virtualbox] DEBUG: VBoxManage exited with error powering off the machine
2016-11-21 17:35:14,925 [modules.machinery.virtualbox] DEBUG: Getting status for win732bit
2016-11-21 17:35:14,997 [modules.machinery.virtualbox] DEBUG: Machine win732bit status saved
2016-11-21 17:35:15,123 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2016-11-21 17:35:15,130 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
2016-11-21 17:35:23,606 [lib.cuckoo.core.scheduler] DEBUG: Task #2: Processing task
2016-11-21 17:35:23,607 [lib.cuckoo.core.scheduler] INFO: Task #2: Starting analysis of FILE '/tmp/cuckoo-tmp/upload_cvN4lk/zeus.exe'
2016-11-21 17:35:23,613 [lib.cuckoo.core.scheduler] INFO: Task #2: File already exists at '/home/sarcarx/cuckoo_brad/cuckoo-modified/storage/binaries/591be7d2050cd4f7946b22b42575f108ea8b3299519774118fe4abb8051c5cf5'
2016-11-21 17:35:23,712 [lib.cuckoo.core.scheduler] INFO: Task #2: acquired machine cuckoo1 (label=win732bit)
2016-11-21 17:35:24,441 [modules.machinery.virtualbox] DEBUG: Starting vm win732bit
2016-11-21 17:35:24,442 [modules.machinery.virtualbox] DEBUG: Getting status for win732bit
2016-11-21 17:35:24,509 [modules.machinery.virtualbox] DEBUG: Machine win732bit status saved
2016-11-21 17:35:24,564 [modules.machinery.virtualbox] DEBUG: Using snapshot cuckoo_zeus for virtual machine win732bit
2016-11-21 17:35:25,102 [modules.machinery.virtualbox] DEBUG: Getting status for win732bit
2016-11-21 17:35:25,200 [modules.machinery.virtualbox] DEBUG: Machine win732bit status saved
2016-11-21 17:35:38,650 [modules.machinery.virtualbox] DEBUG: Getting status for win732bit
2016-11-21 17:35:38,728 [modules.machinery.virtualbox] DEBUG: Machine win732bit status running
2016-11-21 17:35:38,902 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 12938 (interface=vboxnet0, host=192.168.56.12, dump path=/home/sarcarx/cuckoo_brad/cuckoo-modified/storage/analyses/2/dump.pcap)
2016-11-21 17:35:38,902 [lib.cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2016-11-21 17:35:38,902 [lib.cuckoo.core.plugins] DEBUG: Started auxiliary module: Tor
2016-11-21 17:35:39,072 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=cuckoo1, ip=192.168.56.12)
2016-11-21 17:35:39,072 [lib.cuckoo.core.guest] DEBUG: cuckoo1: waiting for status 0x0001
2016-11-21 17:35:46,082 [lib.cuckoo.core.guest] DEBUG: cuckoo1: status ready
2016-11-21 17:35:46,813 [lib.cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=cuckoo1, ip=192.168.56.12)
2016-11-21 17:35:47,003 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analyzer started with PID 3856
2016-11-21 17:35:47,003 [lib.cuckoo.core.guest] DEBUG: cuckoo1: waiting for completion
2016-11-21 17:35:48,006 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:35:48,896 [lib.cuckoo.core.resultserver] DEBUG: New connection from: 192.168.56.12:49375
2016-11-21 17:35:48,897 [lib.cuckoo.core.resultserver] DEBUG: LogHandler for live analysis.log initialized.
2016-11-21 17:35:49,009 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:35:49,726 [lib.cuckoo.core.resultserver] DEBUG: New connection from: 192.168.56.12:49377
2016-11-21 17:35:50,012 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:35:50,501 [lib.cuckoo.core.resultserver] DEBUG: New connection from: 192.168.56.12:49378
2016-11-21 17:35:50,501 [lib.cuckoo.core.resultserver] DEBUG: File upload request for aux/usage.log
2016-11-21 17:35:51,015 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:35:52,019 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:35:53,021 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:35:53,046 [lib.cuckoo.core.resultserver] DEBUG: New process (pid=1428, ppid=3856, name=zeus.exe, path=C:\Users\Administrateur\AppData\Local\Temp\zeus.exe)
2016-11-21 17:35:53,047 [lib.cuckoo.core.resultserver] DEBUG: New thread (tid=0, pid=1428)
2016-11-21 17:35:53,047 [lib.cuckoo.core.resultserver] DEBUG: Environ received for pid 1428
2016-11-21 17:35:54,024 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:35:55,027 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:35:56,030 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:35:56,384 [lib.cuckoo.core.resultserver] DEBUG: New connection from: 192.168.56.12:49380
2016-11-21 17:35:56,398 [lib.cuckoo.core.resultserver] DEBUG: New process (pid=2700, ppid=1428, name=lesyk.exe, path=C:\Users\Administrateur\AppData\Roaming\Iqyde\lesyk.exe)
2016-11-21 17:35:56,398 [lib.cuckoo.core.resultserver] DEBUG: New thread (tid=0, pid=2700)
2016-11-21 17:35:56,398 [lib.cuckoo.core.resultserver] DEBUG: Environ received for pid 2700
2016-11-21 17:35:56,433 [lib.cuckoo.core.resultserver] DEBUG: New connection from: 192.168.56.12:49381
2016-11-21 17:35:56,442 [lib.cuckoo.core.resultserver] DEBUG: New process (pid=2436, ppid=884, name=dwm.exe, path=C:\Windows\System32\dwm.exe)
2016-11-21 17:35:56,443 [lib.cuckoo.core.resultserver] DEBUG: New thread (tid=0, pid=2436)
2016-11-21 17:35:56,443 [lib.cuckoo.core.resultserver] DEBUG: Environ received for pid 2436
2016-11-21 17:35:57,033 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:35:58,037 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:35:59,040 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:36:00,043 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:36:01,047 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:36:02,008 [lib.cuckoo.core.resultserver] DEBUG: New connection from: 192.168.56.12:49382
2016-11-21 17:36:02,016 [lib.cuckoo.core.resultserver] DEBUG: New process (pid=2204, ppid=492, name=taskhost.exe, path=C:\Windows\System32\taskhost.exe)
2016-11-21 17:36:02,017 [lib.cuckoo.core.resultserver] DEBUG: New thread (tid=0, pid=2204)
2016-11-21 17:36:02,017 [lib.cuckoo.core.resultserver] DEBUG: Environ received for pid 2204
2016-11-21 17:36:02,049 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:36:03,052 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:36:04,055 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:36:05,058 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:36:06,061 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:36:06,462 [lib.cuckoo.core.resultserver] DEBUG: New connection from: 192.168.56.12:49385
2016-11-21 17:36:06,475 [lib.cuckoo.core.resultserver] DEBUG: New process (pid=2676, ppid=2472, name=explorer.exe, path=C:\Windows\explorer.exe)
2016-11-21 17:36:06,475 [lib.cuckoo.core.resultserver] DEBUG: New thread (tid=0, pid=2676)
2016-11-21 17:36:06,475 [lib.cuckoo.core.resultserver] DEBUG: Environ received for pid 2676
2016-11-21 17:36:07,065 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:36:08,067 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:36:09,070 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:36:10,073 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:36:11,077 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:36:11,846 [lib.cuckoo.core.resultserver] DEBUG: New connection from: 192.168.56.12:49388
2016-11-21 17:36:11,855 [lib.cuckoo.core.resultserver] DEBUG: New process (pid=1896, ppid=4020, name=notepad.exe, path=C:\Windows\System32\notepad.exe)
2016-11-21 17:36:11,856 [lib.cuckoo.core.resultserver] DEBUG: New thread (tid=0, pid=1896)
2016-11-21 17:36:11,856 [lib.cuckoo.core.resultserver] DEBUG: Environ received for pid 1896
2016-11-21 17:36:11,888 [lib.cuckoo.core.resultserver] DEBUG: New connection from: 192.168.56.12:49389
2016-11-21 17:36:11,898 [lib.cuckoo.core.resultserver] DEBUG: New process (pid=2556, ppid=2676, name=cmd.exe, path=C:\Windows\System32\cmd.exe)
2016-11-21 17:36:11,898 [lib.cuckoo.core.resultserver] DEBUG: New thread (tid=0, pid=2556)
2016-11-21 17:36:11,898 [lib.cuckoo.core.resultserver] DEBUG: Environ received for pid 2556
2016-11-21 17:36:11,933 [lib.cuckoo.core.resultserver] DEBUG: New connection from: 192.168.56.12:49390
2016-11-21 17:36:11,946 [lib.cuckoo.core.resultserver] DEBUG: New process (pid=2572, ppid=3900, name=conhost.exe, path=C:\Windows\System32\conhost.exe)
2016-11-21 17:36:11,946 [lib.cuckoo.core.resultserver] DEBUG: New thread (tid=0, pid=2572)
2016-11-21 17:36:11,946 [lib.cuckoo.core.resultserver] DEBUG: Environ received for pid 2572
2016-11-21 17:41:12,177 [lib.cuckoo.core.guest] DEBUG: cuckoo1: error retrieving status: timed out
2016-11-21 17:41:13,178 [lib.cuckoo.core.scheduler] ERROR: The analysis hit the critical timeout, terminating.
2016-11-21 17:41:13,314 [lib.cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2016-11-21 17:41:13,314 [lib.cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Tor
2016-11-21 17:41:42,670 [modules.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win732bit to path /home/sarcarx/cuckoo_brad/cuckoo-modified/storage/analyses/2/memory.dmp
2016-11-21 17:41:42,689 [modules.machinery.virtualbox] DEBUG: Stopping vm win732bit
2016-11-21 17:41:42,689 [modules.machinery.virtualbox] DEBUG: Getting status for win732bit
2016-11-21 17:41:42,924 [modules.machinery.virtualbox] DEBUG: Machine win732bit status running
2016-11-21 17:41:47,087 [modules.machinery.virtualbox] DEBUG: Getting status for win732bit
2016-11-21 17:41:47,152 [modules.machinery.virtualbox] DEBUG: Machine win732bit status poweroff
2016-11-21 17:41:48,270 [lib.cuckoo.core.resultserver] DEBUG: Connection closed: 192.168.56.12:49375
2016-11-21 17:41:49,153 [lib.cuckoo.core.resultserver] DEBUG: Connection closed: 192.168.56.12:49377
2016-11-21 17:41:49,821 [lib.cuckoo.core.resultserver] DEBUG: Uploaded file length: 50
2016-11-21 17:41:49,821 [lib.cuckoo.core.resultserver] DEBUG: Connection closed: 192.168.56.12:49378
2016-11-21 17:41:50,259 [lib.cuckoo.core.resultserver] DEBUG: Connection closed: 192.168.56.12:49380
2016-11-21 17:41:50,287 [lib.cuckoo.core.resultserver] DEBUG: Connection closed: 192.168.56.12:49381
2016-11-21 17:41:51,063 [lib.cuckoo.core.resultserver] DEBUG: Connection closed: 192.168.56.12:49382
2016-11-21 17:41:51,779 [lib.cuckoo.core.resultserver] DEBUG: Connection closed: 192.168.56.12:49385
2016-11-21 17:41:52,162 [lib.cuckoo.core.resultserver] DEBUG: Connection closed: 192.168.56.12:49388
2016-11-21 17:41:52,240 [lib.cuckoo.core.resultserver] DEBUG: Connection closed: 192.168.56.12:49389
2016-11-21 17:41:52,240 [lib.cuckoo.core.resultserver] DEBUG: Connection closed: 192.168.56.12:49390
2016-11-21 17:41:52,376 [lib.cuckoo.core.scheduler] DEBUG: Task #2: Released database task with status False
2016-11-21 17:41:52,396 [lib.cuckoo.core.plugins] DEBUG: Executing processing module "Decompression" on analysis at "/home/sarcarx/cuckoo_brad/cuckoo-modified/storage/analyses/2"

In the VM, the agent seems to freeze. I cannot move the window anymore.

Meow-ops commented 7 years ago

I wonder why 2016-11-21 17:41:12,177 [lib.cuckoo.core.guest] DEBUG: cuckoo1: error retrieving status: timed out happens. It seems it cannot contact the agent anymore so maybe the agent did freeze.

benrau87 commented 7 years ago

I have the same issue with the same guest (Win7x86), did you by chance use VMCloak to create the VM?

KillerInstinct commented 7 years ago

Did the VM reboot? 9 times out of 10 in my environment I get that error because some program caused the VM to reboot. Once that happens we can't contact the agent anymore and the agent also can't tell us the analysis is over, so it continues until the critical timeout is reached.
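
The polling loop KillerInstinct describes is visible in the log above: the host asks the agent for its status about once a second, and when the agent stops answering the next request fails with "error retrieving status: timed out" and the scheduler waits until the critical timeout. The script below is an added example (not code from cuckoo-modified or from anyone in this thread) that parses a cuckoo.log excerpt, measures how long the guest was silent before the timeout, and lists the processes the result server reported after the last successful status poll, which is where to start looking for the reboot, agent hang or network cut that caused it. It assumes the log line format shown in this issue; SAMPLE_LOG is an excerpt of the issue's own log, and the "analysis completed" message text used to recognise a normal finish is an assumption.

```python
import re
from datetime import datetime

# Excerpt of the scheduler log posted in this issue, used here as constructed
# sample input. The banner line shows that non-log lines are skipped.
SAMPLE_LOG = r"""
 Cuckoo Sandbox 1.3-NG
2016-11-21 17:35:47,003 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analyzer started with PID 3856
2016-11-21 17:35:47,003 [lib.cuckoo.core.guest] DEBUG: cuckoo1: waiting for completion
2016-11-21 17:35:48,006 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:35:53,046 [lib.cuckoo.core.resultserver] DEBUG: New process (pid=1428, ppid=3856, name=zeus.exe, path=C:\Users\Administrateur\AppData\Local\Temp\zeus.exe)
2016-11-21 17:35:56,398 [lib.cuckoo.core.resultserver] DEBUG: New process (pid=2700, ppid=1428, name=lesyk.exe, path=C:\Users\Administrateur\AppData\Roaming\Iqyde\lesyk.exe)
2016-11-21 17:36:11,077 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2016-11-21 17:36:11,946 [lib.cuckoo.core.resultserver] DEBUG: New process (pid=2572, ppid=3900, name=conhost.exe, path=C:\Windows\System32\conhost.exe)
2016-11-21 17:41:12,177 [lib.cuckoo.core.guest] DEBUG: cuckoo1: error retrieving status: timed out
2016-11-21 17:41:13,178 [lib.cuckoo.core.scheduler] ERROR: The analysis hit the critical timeout, terminating.
"""

# "<date> <time>,<ms> [<module>] <LEVEL>: <message>" as cuckoo.log writes it
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[([^\]]+)\] (\w+): (.*)$"
)
PROCESS_RE = re.compile(
    r"New process \(pid=(\d+), ppid=(\d+), name=([^,]+), path=(.*)\)$"
)


def parse_line(line):
    """Split one log line into its fields; return None for banner or blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, module, level, msg = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S,%f"),
        "module": module,
        "level": level,
        "msg": msg,
    }


def triage_cuckoo_log(text):
    """Classify how the task ended and measure the guest-silence window.

    The last guest-module line that is not an error is the last time the agent
    answered; the first "error retrieving status" line is when the host noticed
    it had gone quiet. Processes reported in between are the last activity the
    sandbox saw before losing the agent.
    """
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    outcome, last_contact, status_error_ts, processes = "unknown", None, None, []

    for e in entries:
        if e["module"].endswith(".guest"):
            if "error retrieving status" in e["msg"]:
                status_error_ts = status_error_ts or e["ts"]
            else:
                last_contact = e["ts"]
                # assumed wording of the normal-finish message
                if "analysis completed" in e["msg"]:
                    outcome = "completed"
        elif e["module"].endswith(".scheduler") and "critical timeout" in e["msg"]:
            outcome = "critical_timeout"
        elif e["module"].endswith(".resultserver"):
            pm = PROCESS_RE.search(e["msg"])
            if pm:
                pid, ppid, name, path = pm.groups()
                processes.append({"ts": e["ts"], "pid": int(pid),
                                  "ppid": int(ppid), "name": name, "path": path})

    silence = None
    if status_error_ts and last_contact:
        silence = (status_error_ts - last_contact).total_seconds()

    diagnosis = "task finished normally" if outcome == "completed" else "no verdict"
    if outcome == "critical_timeout" and silence is not None:
        # the three causes raised in this thread: VM reboot, agent hang, sample cutting networking
        diagnosis = ("guest agent stopped answering %.1f s after its last status reply; "
                     "check whether the VM rebooted, the agent hung, or the sample "
                     "disabled networking" % silence)

    return {
        "outcome": outcome,
        "last_guest_contact": last_contact,
        "guest_silence_seconds": silence,
        "processes": processes,
        "processes_after_last_contact": [p for p in processes
                                         if last_contact and p["ts"] > last_contact],
        "diagnosis": diagnosis,
    }


if __name__ == "__main__":
    result = triage_cuckoo_log(SAMPLE_LOG)
    print(result["outcome"], "-", result["diagnosis"])
    for p in result["processes_after_last_contact"]:
        print("seen after last agent contact: pid=%d ppid=%d %s" % (p["pid"], p["ppid"], p["name"]))
```

Run it against a full cuckoo.log from storage/analyses/<id>/ to get the silence window and the processes created just before the agent went quiet; a window of several minutes with a fresh process right before it, as in the issue's log (conhost.exe at 17:36:11), points at the guest rather than at the host-side scheduler.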

Meow-ops commented 7 years ago

The VM didn't reboot, but the Cuckoo agent froze.

spender-sandbox commented 7 years ago

If it's just happening with some particular sample, it could also be that it's disabling networking somehow, which would prevent the agent from communicating. I would like to start using libguestfs actually instead of networking for transferring files and logs between the guest and host.

-Brad