new Cerber hungs analysis.

[Nwinternights]

Hi, I was trying to analyze this file MD5:3d57a47f1548dc24d8b27a34981456df and it seems that it hungs cuckoo on networkanalysis . I've noticed houndreds of DNS requests and analysis timeout . does anybody has the same behaviour? regards cuckoo_Pcap_Analysis.zip

[Nwinternights]

update: the analysis terminated here's the statistics: Processing ( 3086.757 seconds )

2664.322 NetworkAnalysis 395.95 Dropped 19.583 BehaviorAnalysis 4.896 Suricata 0.734 VirusTotal 0.478 Static 0.375 TargetInfo 0.251 peid 0.131 AnalysisInfo 0.029 Strings 0.006 Debug 0.002 config_decoder

[Nwinternights]

@doomedraven do you think is it possible to force timeout for processing tasks like the analysis timouts present in cuccko.conf?

[doomedraven]

yup in submision you can specify another one

[KillerInstinct]

Not for processing tasks. :p

Cerber has always sent thousands of UDP requests in search of a C2. The network.py processing module isn't really optimized for it. For cerber however, I just run it with a lower analysis timeout so it doesn't spend 90% of the analysis sending out thousands of requests.

[Nwinternights]

.....I see, so on every submission you suggest to put timeout parameters, right?

[spender-sandbox]

Should perhaps modify the network.py code so that it extracts reduced information (no reverse DNS etc) and clamps the number of results when entire class Cs etc are communicated with.

-Brad

[doomedraven]

xD sorry gaming and answering is not a good idea :D

[Nwinternights]

perfect, as always thanks to all for help, I'll try both solutions!!! regards

[Nwinternights]

instead of disabling reverse DNS on network.py I set a lower value of timeout and lifetime making processing time much faster. "if self.config.processing.reverse_dns: d = dns.resolver.Resolver() d.timeout = 0.3 d.lifetime = 0.3"