spender-sandbox / cuckoo-modified

Modified edition of cuckoo

Quick yarascan question #404

Closed DigiAngel closed 7 years ago

DigiAngel commented 7 years ago

Not sure if this is new or not, but with volatility 2.6, here's what I get:

[12:03:22 cuckoo:/opt/cuckoo/storage/analyses/latest$] vol.py -f memory.dmp --profile=Win7SP0x64 yarascan
Volatility Foundation Volatility Framework 2.6
ERROR   : volatility.debug    : You must specify a string (-Y) or a rules file (-y)
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 192, in <module>
    main()
  File "/usr/local/bin/vol.py", line 183, in main
    command.execute()
  File "/usr/local/lib/python2.7/dist-packages/volatility/commands.py", line 147, in execute
    func(outfd, data)
  File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/malware/malfind.py", line 342, in render_text
    for o, addr, hit, content in data:
  File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/malware/malfind.py", line 292, in calculate
    rules = self._compile_rules()
  File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/malware/malfind.py", line 238, in _compile_rules
    except yara.SyntaxError, why:
AttributeError: 'module' object has no attribute 'SyntaxError'

I see the same things in my cuckoo logs... is there an option somewhere that I need to look at? Thank you.

spender-sandbox commented 7 years ago

What yara version are you using?

-Brad

DigiAngel commented 7 years ago

3.5.0

DigiAngel commented 7 years ago

Opened: https://github.com/volatilityfoundation/volatility/issues/360

doomedraven commented 7 years ago

Did you try scanning that directly with yara first? The syntax error can probably be related to some mistake in the yara rule, just thoughts.

DigiAngel commented 7 years ago

I did... works like a champ. I'll close this and start with Volatility, who is telling me it's a yara issue ;) Thank you.

doomedraven commented 7 years ago

That's weird when yara works and vol imported yarab nops %)

DigiAngel commented 7 years ago

Indeed: [screenshot: 2017-01-12 15_37_22-zone]

DigiAngel commented 7 years ago

Looks like the issue might be these rules:

include "/media/cuckoo/opt/cuckoo/data/yara/binaries/vmdetect.yar"
include "/media/cuckoo/opt/cuckoo/data/yara/binaries/shellcodes.yar"
include "/media/cuckoo/opt/cuckoo/data/yara/binaries/embedded.yar"

I get that error above, but a newer rule, say rig.yar in memory created in 2016 runs just fine. Still working with the Volatility folks.

DigiAngel commented 7 years ago

Conflict with versions yara installed via pip and yara-python installed via apt.
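The traceback at the top of this thread is what you get when the module Python imports as `yara` is not yara-python at all: Volatility reaches for `yara.SyntaxError` and the unrelated PyPI project that is also named `yara` does not define it. The script below is an added example (not part of cuckoo-modified or Volatility) that reports where the imported `yara` module was loaded from and whether it exposes the names yarascan depends on. The required-name list and the "package directory means the wrong project" heuristic are assumptions made for this check; the fake modules in the test are constructed data, not real installs.

```python
import importlib
import types

# Names the Volatility yarascan plugin touches on the imported ``yara`` module.
# ``yara.SyntaxError`` is the one named in the traceback above; ``compile`` and
# ``Error`` are part of the yara-python API. This list is an assumption for the
# check, not taken from the Volatility source.
REQUIRED_NAMES = ("compile", "SyntaxError", "Error")


def check_yara_module(mod):
    """Inspect a module object that was imported as ``yara``.

    Returns (ok, report): report records where the module was loaded from,
    its version string if it has one, and which required names are missing.
    """
    missing = [name for name in REQUIRED_NAMES if not hasattr(mod, name)]
    report = {
        "origin": getattr(mod, "__file__", "<unknown location>"),
        "version": getattr(mod, "__version__", "<no __version__>"),
        "missing": missing,
    }
    return (not missing, report)


def likely_cause(report):
    """Heuristic explanation of a failing report (assumption, not a fact from the thread).

    yara-python ships a C extension (``yara.so`` / ``yara.cpython-*.so``); an
    origin ending in ``yara/__init__.py`` is a pure-Python package, which is a
    sign that a different project named ``yara`` shadows yara-python.
    """
    if "error" in report:
        return "no importable 'yara' module: " + report["error"]
    if not report["missing"]:
        return "yara-python looks usable"
    origin = report["origin"]
    if origin.endswith("__init__.py"):
        return ("'%s' is a pure-Python package, not the yara-python C "
                "extension; a different project named 'yara' is shadowing it"
                % origin)
    return ("'%s' is missing %s; a version mismatch between yara and "
            "yara-python is likely" % (origin, ", ".join(report["missing"])))


def diagnose(module_name="yara"):
    """Import ``module_name`` and run the check; never raises on a bad install."""
    try:
        mod = importlib.import_module(module_name)
    except ImportError as exc:
        return (False, {"error": str(exc)})
    return check_yara_module(mod)


def fake_module(**attrs):
    """Build a stand-in module object (constructed test data, not a real install)."""
    return types.SimpleNamespace(**attrs)


if __name__ == "__main__":
    # Run this with the same interpreter Volatility/cuckoo use; the origin path
    # tells you which of the competing installs (pip vs apt) wins on sys.path.
    ok, report = diagnose()
    print("usable" if ok else "BROKEN", report)
    print(likely_cause(report))
```

Run it with the interpreter that Volatility and cuckoo actually use; a `BROKEN` result whose origin is a package directory rather than a compiled extension matches the pip `yara` vs apt `yara-python` conflict described in the last comment, and the fix is to remove the shadowing package so only yara-python remains on `sys.path`.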