search

spender-sandbox / cuckoo-modified

Modified edition of cuckoo
394 stars 178 forks source link

Issue win7: not ready yet #500

Closed usmanm259 closed 6 years ago

usmanm259 commented 6 years ago

Agent does not show any activity when i run cuckoo analysis

both machines cuckoo host and cuckoo guest are reachable using ping

image

config files

File: auxiliary.conf

https://pastebin.com/fCMyBBtf

File: cuckoo.conf

https://pastebin.com/c6ET1PX8

File: virtualbox.conf

https://pastebin.com/LqeSEgjv

sudo ./cuckoo.py -d

2018-02-14 19:35:34,216 [root] DEBUG: Importing modules... 2018-02-14 19:35:34,730 [root] DEBUG: Imported "signatures" modules: 2018-02-14 19:35:34,731 [root] DEBUG: |-- Alphacrypt_APIs 2018-02-14 19:35:34,731 [root] DEBUG: |-- Andromeda_APIs 2018-02-14 19:35:34,731 [root] DEBUG: |-- AntiAnalysisDetectFile 2018-02-14 19:35:34,731 [root] DEBUG: |-- AntiAnalysisDetectReg 2018-02-14 19:35:34,731 [root] DEBUG: |-- AvastDetectLibs 2018-02-14 19:35:34,731 [root] DEBUG: |-- BitdefenderDetectLibs 2018-02-14 19:35:34,731 [root] DEBUG: |-- AntiAVDetectFile 2018-02-14 19:35:34,732 [root] DEBUG: |-- AntiAVDetectReg 2018-02-14 19:35:34,732 [root] DEBUG: |-- AntiAVServiceStop 2018-02-14 19:35:34,732 [root] DEBUG: |-- AntiAVSRP 2018-02-14 19:35:34,732 [root] DEBUG: |-- AntiDBGDevices 2018-02-14 19:35:34,732 [root] DEBUG: |-- AntiDBGWindows 2018-02-14 19:35:34,732 [root] DEBUG: |-- WineDetectReg 2018-02-14 19:35:34,732 [root] DEBUG: |-- WineDetectFunc 2018-02-14 19:35:34,733 [root] DEBUG: |-- AntiCuckoo 2018-02-14 19:35:34,733 [root] DEBUG: |-- CuckooDetectFiles 2018-02-14 19:35:34,733 [root] DEBUG: |-- CuckooCrash 2018-02-14 19:35:34,733 [root] DEBUG: |-- FortinetDetectFiles 2018-02-14 19:35:34,733 [root] DEBUG: |-- SandboxJoeAnubisDetectFiles 2018-02-14 19:35:34,733 [root] DEBUG: |-- HookMouse 2018-02-14 19:35:34,733 [root] DEBUG: |-- AntiSandboxRestart 2018-02-14 19:35:34,734 [root] DEBUG: |-- SandboxieDetectLibs 2018-02-14 19:35:34,734 [root] DEBUG: |-- AntisandboxSboxieMutex 2018-02-14 19:35:34,734 [root] DEBUG: |-- AntiSandboxSboxieObjects 2018-02-14 19:35:34,734 [root] DEBUG: |-- AntiSandboxScriptTimer 2018-02-14 19:35:34,734 [root] DEBUG: |-- AntiSandboxSleep 2018-02-14 19:35:34,734 [root] DEBUG: |-- SunbeltDetectFiles 2018-02-14 19:35:34,734 [root] DEBUG: |-- SunbeltDetectLibs 2018-02-14 19:35:34,735 [root] DEBUG: |-- AntiSandboxSuspend 2018-02-14 19:35:34,735 [root] DEBUG: |-- ThreatTrackDetectFiles 2018-02-14 19:35:34,735 [root] DEBUG: |-- Unhook 2018-02-14 19:35:34,735 [root] DEBUG: |-- KnownVirustotal 2018-02-14 19:35:34,735 [root] DEBUG: |-- BochsDetectKeys 2018-02-14 19:35:34,735 [root] DEBUG: |-- AntiVMDirectoryObjects 2018-02-14 19:35:34,735 [root] DEBUG: |-- AntiVMBios 2018-02-14 19:35:34,736 [root] DEBUG: |-- AntiVMCPU 2018-02-14 19:35:34,736 [root] DEBUG: |-- DiskInformation 2018-02-14 19:35:34,736 [root] DEBUG: |-- SetupAPIDiskInformation 2018-02-14 19:35:34,736 [root] DEBUG: |-- AntiVMDiskReg 2018-02-14 19:35:34,736 [root] DEBUG: |-- AntiVMSCSI 2018-02-14 19:35:34,736 [root] DEBUG: |-- AntiVMServices 2018-02-14 19:35:34,736 [root] DEBUG: |-- AntiVMSystem 2018-02-14 19:35:34,737 [root] DEBUG: |-- HyperVDetectKeys 2018-02-14 19:35:34,737 [root] DEBUG: |-- ParallelsDetectKeys 2018-02-14 19:35:34,737 [root] DEBUG: |-- VBoxDetectDevices 2018-02-14 19:35:34,737 [root] DEBUG: |-- VBoxDetectFiles 2018-02-14 19:35:34,737 [root] DEBUG: |-- VBoxDetectKeys 2018-02-14 19:35:34,737 [root] DEBUG: |-- VBoxDetectLibs 2018-02-14 19:35:34,737 [root] DEBUG: |-- VBoxDetectProvname 2018-02-14 19:35:34,737 [root] DEBUG: |-- VBoxDetectWindow 2018-02-14 19:35:34,738 [root] DEBUG: |-- VMwareDetectDevices 2018-02-14 19:35:34,738 [root] DEBUG: |-- VMwareDetectEvent 2018-02-14 19:35:34,738 [root] DEBUG: |-- VMwareDetectFiles 2018-02-14 19:35:34,738 [root] DEBUG: |-- VMwareDetectKeys 2018-02-14 19:35:34,738 [root] DEBUG: |-- VMwareDetectLibs 2018-02-14 19:35:34,738 [root] DEBUG: |-- VMwareDetectMutexes 2018-02-14 19:35:34,738 [root] DEBUG: |-- VPCDetectFiles 2018-02-14 19:35:34,739 [root] DEBUG: |-- VPCDetectKeys 2018-02-14 19:35:34,739 [root] DEBUG: |-- VPCDetectMutex 2018-02-14 19:35:34,739 [root] DEBUG: |-- XenDetectKeys 2018-02-14 19:35:34,739 [root] DEBUG: |-- APISpamming 2018-02-14 19:35:34,739 [root] DEBUG: |-- BadCerts 2018-02-14 19:35:34,739 [root] DEBUG: |-- BadSSLCerts 2018-02-14 19:35:34,739 [root] DEBUG: |-- Cridex 2018-02-14 19:35:34,739 [root] DEBUG: |-- Geodo 2018-02-14 19:35:34,740 [root] DEBUG: |-- Prinimalka 2018-02-14 19:35:34,740 [root] DEBUG: |-- SpyEyeMutexes 2018-02-14 19:35:34,740 [root] DEBUG: |-- ZeusMutexes 2018-02-14 19:35:34,740 [root] DEBUG: |-- ZeusP2P 2018-02-14 19:35:34,740 [root] DEBUG: |-- ZeusURL 2018-02-14 19:35:34,740 [root] DEBUG: |-- BCDEditCommand 2018-02-14 19:35:34,740 [root] DEBUG: |-- BetaBot_APIs 2018-02-14 19:35:34,741 [root] DEBUG: |-- BitcoinOpenCL 2018-02-14 19:35:34,741 [root] DEBUG: |-- Bootkit 2018-02-14 19:35:34,741 [root] DEBUG: |-- AthenaHttp 2018-02-14 19:35:34,741 [root] DEBUG: |-- DirtJumper 2018-02-14 19:35:34,741 [root] DEBUG: |-- Drive 2018-02-14 19:35:34,741 [root] DEBUG: |-- Drive2 2018-02-14 19:35:34,742 [root] DEBUG: |-- Madness 2018-02-14 19:35:34,742 [root] DEBUG: |-- Ruskill 2018-02-14 19:35:34,742 [root] DEBUG: |-- BrowserAddon 2018-02-14 19:35:34,742 [root] DEBUG: |-- BrowserHelperObject 2018-02-14 19:35:34,742 [root] DEBUG: |-- BrowserNeeded 2018-02-14 19:35:34,742 [root] DEBUG: |-- ModifyProxy 2018-02-14 19:35:34,742 [root] DEBUG: |-- BrowserScanbox 2018-02-14 19:35:34,743 [root] DEBUG: |-- BrowserSecurity 2018-02-14 19:35:34,743 [root] DEBUG: |-- browser_startpage 2018-02-14 19:35:34,743 [root] DEBUG: |-- BypassFirewall 2018-02-14 19:35:34,743 [root] DEBUG: |-- CarberpMutexes 2018-02-14 19:35:34,743 [root] DEBUG: |-- Cerber_APIs 2018-02-14 19:35:34,743 [root] DEBUG: |-- Chimera_APIs 2018-02-14 19:35:34,743 [root] DEBUG: |-- ClamAV 2018-02-14 19:35:34,743 [root] DEBUG: |-- ClickfraudCookies 2018-02-14 19:35:34,744 [root] DEBUG: |-- ClickfraudVolume 2018-02-14 19:35:34,744 [root] DEBUG: |-- CodeLux_APIs 2018-02-14 19:35:34,744 [root] DEBUG: |-- CopiesSelf 2018-02-14 19:35:34,744 [root] DEBUG: |-- CreatesExe 2018-02-14 19:35:34,744 [root] DEBUG: |-- CreatesLargeKey 2018-02-14 19:35:34,744 [root] DEBUG: |-- CreatesNullValue 2018-02-14 19:35:34,744 [root] DEBUG: |-- CriticalProcess 2018-02-14 19:35:34,745 [root] DEBUG: |-- CryptoWall_APIs 2018-02-14 19:35:34,745 [root] DEBUG: |-- CVE_2014_6332 2018-02-14 19:35:34,745 [root] DEBUG: |-- CVE2015_2419_JS 2018-02-14 19:35:34,745 [root] DEBUG: |-- CVE_2016_0189 2018-02-14 19:35:34,745 [root] DEBUG: |-- CVE_2016_7200 2018-02-14 19:35:34,745 [root] DEBUG: |-- DarkCometRegkeys 2018-02-14 19:35:34,745 [root] DEBUG: |-- DeadConnect 2018-02-14 19:35:34,745 [root] DEBUG: |-- DeadLink 2018-02-14 19:35:34,746 [root] DEBUG: |-- DebugsSelf 2018-02-14 19:35:34,746 [root] DEBUG: |-- DecoyDocument 2018-02-14 19:35:34,746 [root] DEBUG: |-- DeepFreezeMutex 2018-02-14 19:35:34,746 [root] DEBUG: |-- DeletesSelf 2018-02-14 19:35:34,746 [root] DEBUG: |-- DeletesShadowCopies 2018-02-14 19:35:34,746 [root] DEBUG: |-- DEPBypass 2018-02-14 19:35:34,746 [root] DEBUG: |-- DEPDisable 2018-02-14 19:35:34,747 [root] DEBUG: |-- DisablesAppLaunch 2018-02-14 19:35:34,747 [root] DEBUG: |-- DisablesBrowserWarn 2018-02-14 19:35:34,747 [root] DEBUG: |-- DisablesSPDY 2018-02-14 19:35:34,747 [root] DEBUG: |-- DisablesSystemRestore 2018-02-14 19:35:34,747 [root] DEBUG: |-- DisablesUAC 2018-02-14 19:35:34,747 [root] DEBUG: |-- DisablesWER 2018-02-14 19:35:34,747 [root] DEBUG: |-- DisablesWFP 2018-02-14 19:35:34,747 [root] DEBUG: |-- DisablesWindowsDefender 2018-02-14 19:35:34,748 [root] DEBUG: |-- DisablesWindowsUpdate 2018-02-14 19:35:34,748 [root] DEBUG: |-- DownloaderCabby 2018-02-14 19:35:34,748 [root] DEBUG: |-- Dridex_APIs 2018-02-14 19:35:34,748 [root] DEBUG: |-- DriverLoad 2018-02-14 19:35:34,748 [root] DEBUG: |-- Dropper 2018-02-14 19:35:34,748 [root] DEBUG: |-- EXEDropper_JS 2018-02-14 19:35:34,748 [root] DEBUG: |-- Dyre_APIs 2018-02-14 19:35:34,749 [root] DEBUG: |-- Angler_JS 2018-02-14 19:35:34,749 [root] DEBUG: |-- Gondad_JS 2018-02-14 19:35:34,749 [root] DEBUG: |-- HeapSpray_JS 2018-02-14 19:35:34,749 [root] DEBUG: |-- Java_JS 2018-02-14 19:35:34,749 [root] DEBUG: |-- Neutrino_JS 2018-02-14 19:35:34,749 [root] DEBUG: |-- Nuclear_JS 2018-02-14 19:35:34,749 [root] DEBUG: |-- RIG_JS 2018-02-14 19:35:34,750 [root] DEBUG: |-- Silverlight_JS 2018-02-14 19:35:34,750 [root] DEBUG: |-- Sundown_JS 2018-02-14 19:35:34,750 [root] DEBUG: |-- Virtualcheck_JS 2018-02-14 19:35:34,750 [root] DEBUG: |-- EncryptedIOC 2018-02-14 19:35:34,750 [root] DEBUG: |-- Crash 2018-02-14 19:35:34,750 [root] DEBUG: |-- FamilyProxyBack 2018-02-14 19:35:34,750 [root] DEBUG: |-- SystemMetrics 2018-02-14 19:35:34,751 [root] DEBUG: |-- Generic_Phish 2018-02-14 19:35:34,751 [root] DEBUG: |-- Gootkit_APIs 2018-02-14 19:35:34,751 [root] DEBUG: |-- H1N1_APIs 2018-02-14 19:35:34,751 [root] DEBUG: |-- Hancitor_APIs 2018-02-14 19:35:34,751 [root] DEBUG: |-- HawkEye_APIs 2018-02-14 19:35:34,751 [root] DEBUG: |-- BitcoinWallet 2018-02-14 19:35:34,751 [root] DEBUG: |-- BrowserStealer 2018-02-14 19:35:34,751 [root] DEBUG: |-- InfostealerBrowserPassword 2018-02-14 19:35:34,752 [root] DEBUG: |-- FTPStealer 2018-02-14 19:35:34,752 [root] DEBUG: |-- IMStealer 2018-02-14 19:35:34,752 [root] DEBUG: |-- KeyLogger 2018-02-14 19:35:34,752 [root] DEBUG: |-- EmailStealer 2018-02-14 19:35:34,752 [root] DEBUG: |-- InjectionCRT 2018-02-14 19:35:34,752 [root] DEBUG: |-- InjectionExplorer 2018-02-14 19:35:34,752 [root] DEBUG: |-- InjectionExtension 2018-02-14 19:35:34,753 [root] DEBUG: |-- InjectionRUNPE 2018-02-14 19:35:34,753 [root] DEBUG: |-- InjectionRWX 2018-02-14 19:35:34,753 [root] DEBUG: |-- Internet_Dropper 2018-02-14 19:35:34,753 [root] DEBUG: |-- IPC_NamedPipe 2018-02-14 19:35:34,753 [root] DEBUG: |-- iSpyKeylogger_APIs 2018-02-14 19:35:34,753 [root] DEBUG: |-- JS_Phish 2018-02-14 19:35:34,753 [root] DEBUG: |-- JS_SuspiciousRedirect 2018-02-14 19:35:34,753 [root] DEBUG: |-- KazyBot_APIs 2018-02-14 19:35:34,754 [root] DEBUG: |-- Kelihos_APIs 2018-02-14 19:35:34,754 [root] DEBUG: |-- Kibex_APIs 2018-02-14 19:35:34,754 [root] DEBUG: |-- Kovter_APIs 2018-02-14 19:35:34,754 [root] DEBUG: |-- KrakenMutexes 2018-02-14 19:35:34,754 [root] DEBUG: |-- DisableRegedit 2018-02-14 19:35:34,754 [root] DEBUG: |-- DisableTaskMgr 2018-02-14 19:35:34,754 [root] DEBUG: |-- Locky_APIs 2018-02-14 19:35:34,754 [root] DEBUG: |-- MartiansIE 2018-02-14 19:35:34,755 [root] DEBUG: |-- MartiansOffice 2018-02-14 19:35:34,755 [root] DEBUG: |-- MimicsAgent 2018-02-14 19:35:34,755 [root] DEBUG: |-- MimicsExtension 2018-02-14 19:35:34,755 [root] DEBUG: |-- MimicsFiletime 2018-02-14 19:35:34,755 [root] DEBUG: |-- MimicsIcon 2018-02-14 19:35:34,755 [root] DEBUG: |-- ModifiesCerts 2018-02-14 19:35:34,755 [root] DEBUG: |-- Modifies_HostFile 2018-02-14 19:35:34,755 [root] DEBUG: |-- ModifySecurityCenterWarnings 2018-02-14 19:35:34,755 [root] DEBUG: |-- ModifiesUACNotify 2018-02-14 19:35:34,756 [root] DEBUG: |-- ModifiesDesktopWallpaper 2018-02-14 19:35:34,756 [root] DEBUG: |-- Multiple_UA 2018-02-14 19:35:34,756 [root] DEBUG: |-- NetworkAnomaly 2018-02-14 19:35:34,756 [root] DEBUG: |-- NetworkBIND 2018-02-14 19:35:34,756 [root] DEBUG: |-- NetworkCnCHTTP 2018-02-14 19:35:34,756 [root] DEBUG: |-- NetworkDGA 2018-02-14 19:35:34,756 [root] DEBUG: |-- NetworkDocumentHTTP 2018-02-14 19:35:34,756 [root] DEBUG: |-- NetworkExcessiveUDP 2018-02-14 19:35:34,757 [root] DEBUG: |-- NetworkHTTP 2018-02-14 19:35:34,757 [root] DEBUG: |-- NetworkICMP 2018-02-14 19:35:34,757 [root] DEBUG: |-- NetworkIRC 2018-02-14 19:35:34,757 [root] DEBUG: |-- NetworkSMTP 2018-02-14 19:35:34,757 [root] DEBUG: |-- Tor 2018-02-14 19:35:34,757 [root] DEBUG: |-- TorHiddenService 2018-02-14 19:35:34,757 [root] DEBUG: |-- TorGateway 2018-02-14 19:35:34,757 [root] DEBUG: |-- Nymaim_APIs 2018-02-14 19:35:34,757 [root] DEBUG: |-- Office_Code_Page 2018-02-14 19:35:34,758 [root] DEBUG: |-- Office_Macro 2018-02-14 19:35:34,758 [root] DEBUG: |-- OfficeSecurity 2018-02-14 19:35:34,758 [root] DEBUG: |-- OfficeWriteEXE 2018-02-14 19:35:34,758 [root] DEBUG: |-- BuildLangID 2018-02-14 19:35:34,758 [root] DEBUG: |-- ResourceLangID 2018-02-14 19:35:34,758 [root] DEBUG: |-- ArmadilloMutex 2018-02-14 19:35:34,758 [root] DEBUG: |-- ArmadilloRegKey 2018-02-14 19:35:34,758 [root] DEBUG: |-- ConfuserPacked 2018-02-14 19:35:34,758 [root] DEBUG: |-- PackerEntropy 2018-02-14 19:35:34,759 [root] DEBUG: |-- SmartAssemblyPacked 2018-02-14 19:35:34,759 [root] DEBUG: |-- ThemidaPacked 2018-02-14 19:35:34,759 [root] DEBUG: |-- UPXCompressed 2018-02-14 19:35:34,759 [root] DEBUG: |-- VMPPacked 2018-02-14 19:35:34,759 [root] DEBUG: |-- PDF_Annot_URLs 2018-02-14 19:35:34,759 [root] DEBUG: |-- ADS 2018-02-14 19:35:34,759 [root] DEBUG: |-- Autorun 2018-02-14 19:35:34,759 [root] DEBUG: |-- PersistenceBootexecute 2018-02-14 19:35:34,759 [root] DEBUG: |-- PersistenceService 2018-02-14 19:35:34,760 [root] DEBUG: |-- Polymorphic 2018-02-14 19:35:34,760 [root] DEBUG: |-- Pony_APIs 2018-02-14 19:35:34,760 [root] DEBUG: |-- PowershellCommand 2018-02-14 19:35:34,760 [root] DEBUG: |-- PunchPlusPlusPCREs 2018-02-14 19:35:34,760 [root] DEBUG: |-- PreventsSafeboot 2018-02-14 19:35:34,760 [root] DEBUG: |-- ProcessInterest 2018-02-14 19:35:34,760 [root] DEBUG: |-- ProcessNeeded 2018-02-14 19:35:34,760 [root] DEBUG: |-- Procmem_Yara 2018-02-14 19:35:34,761 [root] DEBUG: |-- RansomwareDMALocker 2018-02-14 19:35:34,761 [root] DEBUG: |-- RansomwareExtensions 2018-02-14 19:35:34,761 [root] DEBUG: |-- RansomwareFileModifications 2018-02-14 19:35:34,761 [root] DEBUG: |-- RansomwareFiles 2018-02-14 19:35:34,761 [root] DEBUG: |-- RansomwareMessage 2018-02-14 19:35:34,761 [root] DEBUG: |-- RansomwareRadamant 2018-02-14 19:35:34,761 [root] DEBUG: |-- RansomwareRecyclebin 2018-02-14 19:35:34,761 [root] DEBUG: |-- BeebusMutexes 2018-02-14 19:35:34,761 [root] DEBUG: |-- FynloskiMutexes 2018-02-14 19:35:34,762 [root] DEBUG: |-- LuminosityRAT 2018-02-14 19:35:34,762 [root] DEBUG: |-- NanocoreRAT 2018-02-14 19:35:34,762 [root] DEBUG: |-- PcClientMutexes 2018-02-14 19:35:34,762 [root] DEBUG: |-- PlugxMutexes 2018-02-14 19:35:34,762 [root] DEBUG: |-- PoisonIvyMutexes 2018-02-14 19:35:34,762 [root] DEBUG: |-- QuasarMutexes 2018-02-14 19:35:34,762 [root] DEBUG: |-- SpynetRat 2018-02-14 19:35:34,762 [root] DEBUG: |-- XtremeMutexes 2018-02-14 19:35:34,762 [root] DEBUG: |-- ReadsSelf 2018-02-14 19:35:34,763 [root] DEBUG: |-- Recon_Beacon 2018-02-14 19:35:34,763 [root] DEBUG: |-- CheckIP 2018-02-14 19:35:34,763 [root] DEBUG: |-- Fingerprint 2018-02-14 19:35:34,763 [root] DEBUG: |-- InstalledApps 2018-02-14 19:35:34,763 [root] DEBUG: |-- SystemInfo 2018-02-14 19:35:34,763 [root] DEBUG: |-- RemovesZoneIdADS 2018-02-14 19:35:34,763 [root] DEBUG: |-- Secure_Login_Phish 2018-02-14 19:35:34,763 [root] DEBUG: |-- SecurityXploded_Modules 2018-02-14 19:35:34,763 [root] DEBUG: |-- SetsAutoconfigURL 2018-02-14 19:35:34,764 [root] DEBUG: |-- Shifu_APIs 2018-02-14 19:35:34,764 [root] DEBUG: |-- InstallsWinpcap 2018-02-14 19:35:34,764 [root] DEBUG: |-- SpoofsProcname 2018-02-14 19:35:34,764 [root] DEBUG: |-- CreatesAutorunInf 2018-02-14 19:35:34,764 [root] DEBUG: |-- StackPivot 2018-02-14 19:35:34,764 [root] DEBUG: |-- Authenticode 2018-02-14 19:35:34,764 [root] DEBUG: |-- DotNetAnomaly 2018-02-14 19:35:34,764 [root] DEBUG: |-- Static_Java 2018-02-14 19:35:34,764 [root] DEBUG: |-- Static_PDF 2018-02-14 19:35:34,765 [root] DEBUG: |-- PEAnomaly 2018-02-14 19:35:34,765 [root] DEBUG: |-- RATConfig 2018-02-14 19:35:34,765 [root] DEBUG: |-- VersionInfoAnomaly 2018-02-14 19:35:34,765 [root] DEBUG: |-- StealthChildProc 2018-02-14 19:35:34,765 [root] DEBUG: |-- StealthFile 2018-02-14 19:35:34,765 [root] DEBUG: |-- StealthHiddenExtension 2018-02-14 19:35:34,765 [root] DEBUG: |-- StealthHiddenReg 2018-02-14 19:35:34,765 [root] DEBUG: |-- StealthHideNotifications 2018-02-14 19:35:34,765 [root] DEBUG: |-- StealthNetwork 2018-02-14 19:35:34,766 [root] DEBUG: |-- StealthTimeout 2018-02-14 19:35:34,766 [root] DEBUG: |-- StealthWebHistory 2018-02-14 19:35:34,766 [root] DEBUG: |-- Hidden_Window 2018-02-14 19:35:34,766 [root] DEBUG: |-- SuricataAlert 2018-02-14 19:35:34,766 [root] DEBUG: |-- Flame 2018-02-14 19:35:34,766 [root] DEBUG: |-- Tinba_APIs 2018-02-14 19:35:34,766 [root] DEBUG: |-- TrickBotTaskDelete 2018-02-14 19:35:34,766 [root] DEBUG: |-- TrickBotMutexes 2018-02-14 19:35:34,766 [root] DEBUG: |-- FleerCivetMutexes 2018-02-14 19:35:34,767 [root] DEBUG: |-- Troldesh_APIs 2018-02-14 19:35:34,767 [root] DEBUG: |-- Upatre_APIs 2018-02-14 19:35:34,767 [root] DEBUG: |-- Ursnif_APIs 2018-02-14 19:35:34,767 [root] DEBUG: |-- UserEnum 2018-02-14 19:35:34,767 [root] DEBUG: |-- Vawtrak_APIs 2018-02-14 19:35:34,767 [root] DEBUG: |-- Vawtrak_APIs 2018-02-14 19:35:34,767 [root] DEBUG: |-- Virus 2018-02-14 19:35:34,767 [root] DEBUG: |-- VolDevicetree1 2018-02-14 19:35:34,767 [root] DEBUG: |-- VolHandles1 2018-02-14 19:35:34,768 [root] DEBUG: |-- VolLdrModules1 2018-02-14 19:35:34,768 [root] DEBUG: |-- VolLdrModules2 2018-02-14 19:35:34,768 [root] DEBUG: |-- VolMalfind1 2018-02-14 19:35:34,768 [root] DEBUG: |-- VolMalfind2 2018-02-14 19:35:34,768 [root] DEBUG: |-- VolModscan1 2018-02-14 19:35:34,768 [root] DEBUG: |-- VolSvcscan1 2018-02-14 19:35:34,768 [root] DEBUG: |-- VolSvcscan2 2018-02-14 19:35:34,768 [root] DEBUG: |-- VolSvcscan3 2018-02-14 19:35:34,768 [root] DEBUG: |-- Webmail_Phish 2018-02-14 19:35:34,769 [root] DEBUG: |-- WHOIS_Create 2018-02-14 19:35:34,769 [root] DEBUG: -- WscriptDownloaderHTTP 2018-02-14 19:35:34,769 [root] DEBUG: Imported "auxiliary" modules: 2018-02-14 19:35:34,769 [root] DEBUG: |-- Sniffer 2018-02-14 19:35:34,769 [root] DEBUG:-- Tor 2018-02-14 19:35:34,769 [root] DEBUG: Imported "processing" modules: 2018-02-14 19:35:34,769 [root] DEBUG: |-- AnalysisInfo 2018-02-14 19:35:34,769 [root] DEBUG: |-- BehaviorAnalysis 2018-02-14 19:35:34,769 [root] DEBUG: |-- CIF 2018-02-14 19:35:34,769 [root] DEBUG: |-- Debug 2018-02-14 19:35:34,770 [root] DEBUG: |-- Decompression 2018-02-14 19:35:34,770 [root] DEBUG: |-- Dropped 2018-02-14 19:35:34,770 [root] DEBUG: |-- Memory 2018-02-14 19:35:34,770 [root] DEBUG: |-- NetworkAnalysis 2018-02-14 19:35:34,770 [root] DEBUG: |-- ProcessMemory 2018-02-14 19:35:34,770 [root] DEBUG: |-- Static 2018-02-14 19:35:34,770 [root] DEBUG: |-- Strings 2018-02-14 19:35:34,770 [root] DEBUG: |-- Suricata 2018-02-14 19:35:34,770 [root] DEBUG: |-- TargetInfo 2018-02-14 19:35:34,771 [root] DEBUG: |-- Usage 2018-02-14 19:35:34,771 [root] DEBUG: -- VirusTotal 2018-02-14 19:35:34,771 [root] DEBUG: Imported "machinery" modules: 2018-02-14 19:35:34,771 [root] DEBUG:-- VirtualBox 2018-02-14 19:35:34,771 [root] DEBUG: Imported "feeds" modules: 2018-02-14 19:35:34,771 [root] DEBUG: |-- AbuseCH_SSL 2018-02-14 19:35:34,771 [root] DEBUG: -- Punch_Plus_Plus_PCREs 2018-02-14 19:35:34,771 [root] DEBUG: Imported "reporting" modules: 2018-02-14 19:35:34,772 [root] DEBUG: |-- Compression 2018-02-14 19:35:34,772 [root] DEBUG: |-- ElasticsearchDB 2018-02-14 19:35:34,772 [root] DEBUG: |-- JsonDump 2018-02-14 19:35:34,772 [root] DEBUG: |-- MAEC41Report 2018-02-14 19:35:34,772 [root] DEBUG: |-- Malheur 2018-02-14 19:35:34,772 [root] DEBUG: |-- MISP 2018-02-14 19:35:34,772 [root] DEBUG: |-- MMDef 2018-02-14 19:35:34,772 [root] DEBUG: |-- Moloch 2018-02-14 19:35:34,772 [root] DEBUG: |-- MongoDB 2018-02-14 19:35:34,773 [root] DEBUG: |-- ReportHTML 2018-02-14 19:35:34,773 [root] DEBUG: |-- ReportHTMLSummary 2018-02-14 19:35:34,773 [root] DEBUG: |-- ReportPDF 2018-02-14 19:35:34,773 [root] DEBUG: |-- ReSubmitExtractedEXE 2018-02-14 19:35:34,773 [root] DEBUG: |-- Retention 2018-02-14 19:35:34,773 [root] DEBUG:-- Syslog 2018-02-14 19:35:34,775 [root] DEBUG: Checking for locked tasks... 2018-02-14 19:35:34,939 [root] INFO: Updated running task ID 4 status to failed_analysis 2018-02-14 19:35:34,939 [root] DEBUG: Initializing Yara... 2018-02-14 19:35:34,940 [root] DEBUG: |-- index_binaries.yar 2018-02-14 19:35:34,941 [root] DEBUG: |-- index_memory.yar 2018-02-14 19:35:34,941 [root] DEBUG: |-- index_Crypto.yar 2018-02-14 19:35:34,941 [root] DEBUG: |-- index_email.yar 2018-02-14 19:35:34,941 [root] DEBUG: |-- index_Exploit-Kits.yar 2018-02-14 19:35:34,941 [root] DEBUG: |-- index_Malicious_Documents.yar 2018-02-14 19:35:34,941 [root] DEBUG: |-- index_Mobile_Malware.yar 2018-02-14 19:35:34,941 [root] DEBUG: |-- index_Packers.yar 2018-02-14 19:35:34,942 [root] DEBUG: `-- index_Webshells.yar 2018-02-14 19:35:34,943 [lib.cuckoo.core.resultserver] DEBUG: ResultServer running on 192.168.56.1:2042. 2018-02-14 19:35:34,944 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" machine manager with max_analysis_count=0, max_machines_count=0, and max_vmstartup_count=10 2018-02-14 19:35:35,627 [modules.machinery.virtualbox] DEBUG: Getting status for win7 2018-02-14 19:35:35,706 [modules.machinery.virtualbox] DEBUG: Machine win7 status saved 2018-02-14 19:35:35,819 [modules.machinery.virtualbox] DEBUG: Stopping vm win7 2018-02-14 19:35:35,819 [modules.machinery.virtualbox] DEBUG: Getting status for win7 2018-02-14 19:35:35,902 [modules.machinery.virtualbox] DEBUG: Machine win7 status saved 2018-02-14 19:35:36,993 [modules.machinery.virtualbox] DEBUG: VBoxManage exited with error powering off the machine 2018-02-14 19:35:36,994 [modules.machinery.virtualbox] DEBUG: Getting status for win7 2018-02-14 19:35:37,083 [modules.machinery.virtualbox] DEBUG: Machine win7 status saved 2018-02-14 19:35:37,186 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s 2018-02-14 19:35:37,195 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks. 2018-02-14 19:35:39,350 [lib.cuckoo.core.scheduler] DEBUG: Task #5: Processing task 2018-02-14 19:35:39,352 [lib.cuckoo.core.scheduler] INFO: Task #5: Starting analysis of FILE '/opt/cuckoo-tmp/upload_pyyr7e/09a18cd7e004ce10b0a6b11f11f3333a.exe' 2018-02-14 19:35:39,356 [lib.cuckoo.core.scheduler] INFO: Task #5: File already exists at '/opt/cuckoo/storage/binaries/77da6a1941ac1971785cc85657bb2301eaa3ca8969ec9dc8c9739e9d9fcb4903' 2018-02-14 19:35:39,435 [lib.cuckoo.core.scheduler] INFO: Task #5: acquired machine win7 (label=win7) 2018-02-14 19:35:39,546 [modules.machinery.virtualbox] DEBUG: Starting vm win7 2018-02-14 19:35:39,546 [modules.machinery.virtualbox] DEBUG: Getting status for win7 2018-02-14 19:35:39,621 [modules.machinery.virtualbox] DEBUG: Machine win7 status saved 2018-02-14 19:35:39,742 [modules.machinery.virtualbox] DEBUG: Using current snapshot for virtual machine win7 2018-02-14 19:35:40,104 [modules.machinery.virtualbox] DEBUG: Getting status for win7 2018-02-14 19:35:40,176 [modules.machinery.virtualbox] DEBUG: Machine win7 status saved 2018-02-14 19:35:44,817 [modules.machinery.virtualbox] DEBUG: Getting status for win7 2018-02-14 19:35:44,953 [modules.machinery.virtualbox] DEBUG: Machine win7 status running 2018-02-14 19:35:45,556 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 15676 (interface=vboxnet0, host=192.168.56.101 snapshot = Snapshot1 interface = vboxnet0, dump path=/opt/cuckoo/storage/analyses/5/dump.pcap) 2018-02-14 19:35:45,557 [lib.cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer 2018-02-14 19:35:45,557 [lib.cuckoo.core.plugins] DEBUG: Started auxiliary module: Tor 2018-02-14 19:35:45,819 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7, ip=192.168.56.101 snapshot = Snapshot1 interface = vboxnet0) 2018-02-14 19:35:45,821 [lib.cuckoo.core.guest] DEBUG: win7: waiting for status 0x0001 2018-02-14 19:35:45,822 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:35:46,824 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:35:47,825 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:35:48,827 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:35:49,830 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:35:50,832 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:35:51,834 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:35:52,836 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:35:53,838 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:35:54,840 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:35:55,842 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:35:56,844 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:35:57,846 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:35:58,848 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:35:59,850 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:00,852 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:01,854 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:02,856 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:03,858 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:04,860 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:05,863 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:06,865 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:07,867 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:08,869 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:09,871 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:10,873 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:11,875 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:12,878 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:13,880 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:14,882 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:15,884 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:16,886 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:17,888 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:18,890 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:19,891 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:20,894 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:21,896 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:22,898 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:23,900 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:24,902 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:25,904 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:26,906 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:27,908 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:28,910 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:29,912 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:30,914 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:31,921 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:32,924 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:33,926 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:34,928 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:35,930 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:36,932 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:37,934 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:38,936 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:39,939 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:40,940 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:41,942 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:42,944 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:43,946 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:44,947 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:45,949 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:46,951 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:47,953 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:48,955 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:49,957 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:50,959 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:51,961 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:52,964 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:53,965 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:54,967 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet 2018-02-14 19:36:55,970 [lib.cuckoo.core.guest] DEBUG: win7: not ready yet

doomedraven commented 6 years ago

curl vm_ip:8000 ?

usmanm259 commented 6 years ago

curl vm_ip:8000

Error response

Error response

Error code 501.

Message: Unsupported method ('GET').

Error code explanation: 501 = Server does not support this operation.

usmanm259 commented 6 years ago

image

doomedraven commented 6 years ago

that means what connection between cuckoo and vm agent works fine, no idea where is your fail then. which version of agent do you use?

masifpak commented 6 years ago

I am also facing the same problem. I am using following repo and its agent. https://github.com/spender-sandbox/cuckoo-modified I spent my whole week but no to avail. I even checked by using tcpdump all traffic towards vboxnet0 during analysis. There is no communication between 192.168.56.1 and 192.168.56.101. Both host and analysis machines can telnet their respective ports. I think Cuckoo start the VM but then go somewhere else for communication with agent.

masifpak commented 6 years ago

@doomedraven Please share if you have running and tested repo. May be it may help.

doomedraven commented 6 years ago

the current repo is fine, I think the problem is related to vbox, as you see there was reported issue with vbox in cuckoo v2

masifpak commented 6 years ago

But I am facing the same issue with VMware vspher and esx server as well. I think problem may be with my configuration but there is nothing very tricky in configuration then what i m misconfiguring. IP Address of Analysis Machine IP : 192.168.56.101 Mask: 255.255.255.0 GW: 192.168.56.1 Primary DNS 4.2.2.2 Sec DNS 8.8.8.8

doomedraven commented 6 years ago

why do you use 4.2.2.2 as primary dns? use external dns better for example 8.8.8.8 and 8.8.4.4

no idea guys, im using kvm and never had problems as this so i can't help too much

masifpak commented 6 years ago

4.2.2.2 is also external DNS. Can it be the reason?

doomedraven commented 6 years ago

who knows, without try I cant' say nothing, but anyway that should affect it too much, as that is dns, and you are in local

masifpak80 commented 6 years ago

Can you explain this code snippet in two or three line please?

while True:
            # Check if we've passed the timeout.
            if time.time() > end:
                raise CuckooGuestError("{0}: the guest initialization hit the "
                                       "critical timeout, analysis "
                                       "aborted.".format(self.id))

            try:
                # If the server returns the given status, break the loop
                # and return.
                if self.server.get_status() == status:
                    log.debug("%s: status ready", self.id)
                    break
            except:
                pass

            log.debug("%s: not ready yet", self.id)
            time.sleep(1)

        self.server._set_timeout(None)
        return True
doomedraven commented 6 years ago

that is pretty clear what it does, it's self explanatory

masifpak80 commented 6 years ago

Is there any misconfiguration then,

# Database connection timeout in seconds.
# If empty, default is set to 60 seconds.
timeout =

[timeouts]
# Set the default analysis timeout expressed in seconds. This value will be
# used to define after how many seconds the analysis will terminate unless
# otherwise specified at submission.
default = 420

# Set the critical timeout expressed in (relative!) seconds. It will be added
# to the default timeout above and after this timeout is hit
# Cuckoo will consider the analysis failed and it will shutdown the machine
# no matter what. When this happens the analysis results will most likely
# be lost.
critical = 60

# Maximum time to wait for virtual machine status change. For example when
# shutting down a vm. Default is 300 seconds.
vm_state = 300
doomedraven commented 6 years ago

no

usmanm259 commented 6 years ago

I changed the python from 64 bit to 32 bit on cuckoo guest and the issue was resolved. Thanks