wickywaka / internship_report

Latex report of my internship, this repo is made so that I can work on this report in office and in home

CuckooDroid Android 5.1 not_ready yet #7

Open cirrus528 opened 5 years ago

cirrus528 commented 5 years ago

Hi waqarrashid33,

I have read your report on the enhancement of CuckooDroid. I really appreciated this report, it helped me to gain an in-depth understanding on how CuckooDroid and mobile malware analysis works.

Currently, I'm facing issue with the use of Android 5.1 emulator during an analysis. I have followed every step in your report on configuring for Android 5.1, and it is responding well.

However, during each analysis, it seems that the configuration of the Android 5.1 was not saved: the emulator will load the changes in Section 3.4.1, but all the changes from Section 3.4.2 onward were not saved when the emulator loads during analysis.

Is there any solution to this, or is this my configuration error at some part? I have double-checked the configurations, and even after shutting down the emulator and opening it again, the emulator still has the configured python agent script, but not during analysis.

Hope to hear from you soon. By the way, huge fan of your work :)

wickywaka commented 5 years ago

Hey thanks. I hadn't had a look at this stuff in a while. Let me have a look at it.

wickywaka commented 5 years ago

I don't really understand what you are trying to say, but are you sure that you are making those changes in the base image?

cirrus528 commented 5 years ago

Yes, I start the emulator with -writable-system, and did my configuration on it.

Maybe I didn't express myself clearly... What I meant was that during analysis through CuckooDroid, CuckooDroid gave an error of "not ready yet". I went to inspect the emulator, and realized that all the workings from Section 3.4.2, from the part of compiling python, were not there. That means there was no python running in that "emulator", therefore there was no way for the emulator to communicate back to the Cuckoo server.

If I run the emulator through this command "emulator @aosx -verbose -writable-system", the emulator will load with all the configurations, including the compiled python and modified agent.sh, as mentioned in your report section 3.4.2.

I don't understand how, during CuckooDroid analysis when it loads the emulator, it does not load the full configuration (where python and agent.sh have been configured).

Hope it answers your queries, and maybe you can offer a solution. During your analysis with the CuckooDroid Android 5.1 emulator, did it manage to work perfectly?

wickywaka commented 5 years ago

Yeah, for me it was working but the emulator was too slow.

cirrus528 commented 5 years ago

Yes, the emulator was also slow for me, but it can't start the modified agent.sh, because python was not "there". What do you think could be the problem?

wickywaka commented 5 years ago

Did you manage to run some python scripts just on the base image using the new python? "not ready yet" is because the agent is not running.

wickywaka commented 5 years ago

I am not sure if termux comes with python pre-installed.

wickywaka commented 5 years ago

Have a look at logcat, there may be something there that can help.

cirrus528 commented 5 years ago

After running logcat, I realized that upon each analysis, when the emulator is starting up it prompts this warning: "cold boot snapshot failed to load". Should I remove the snapshots folder in ~/.android/avd/nexus.avd/snapshots?

wickywaka commented 5 years ago

I don't know. Maybe remove it and see if it works.

cirrus528 commented 5 years ago

I tried removing it, but it always prompts this error that it can't load the snapshot. If I'm not wrong, quitting the emulator does the saving of the snapshot. I suspect there is something wrong at the moment Cuckoo starts to bring up the emulator, since it takes the reference from one emulator to another. Maybe it could be a copying issue?

cirrus528 commented 5 years ago

Just a quick question: in your bash script for installing the apps to the emulator, I realized at the bottom there are 2 files, "get_terminal.sh" and "run_agent.sh", that I do not have. Did you create those scripts by yourself? I can't find these 2 files in the repository.

cirrus528 commented 5 years ago

Managed to fix the "not_ready" issue by adding the "-writable-system" parameter in avd.py.

However, now the error shows "analysis not completed yet (status=2)". Tried to troubleshoot but with no result. Dynamic analysis does not work; it seems as if the payload (malware) cannot be sent to the emulator. Any suggestions?

wickywaka commented 5 years ago

Make sure your payload size is less than 10MB.

wickywaka commented 5 years ago

Also use Wireshark to troubleshoot; from there you can see the response from the agent and can figure out which step is failing.
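The thread's diagnosis (an emulator launched without -writable-system boots the pristine system image, so the compiled python and modified agent.sh are gone and the agent never answers) can be checked before starting an analysis. The following is an added example, not code from CuckooDroid or the report; the paths PYTHON_BIN and AGENT_SH and the agent port are assumptions to adjust to your image, and the ls/logcat samples are constructed.

```python
# Added example (not CuckooDroid's or the report's code): checks for why an
# Android 5.1 emulator comes up without the agent. Placeholders: PYTHON_BIN,
# AGENT_SH (where your image keeps them) and AGENT_PORT (assumed 8000).
import re
import socket

PYTHON_BIN = "/system/bin/python"   # placeholder path
AGENT_SH = "/system/bin/agent.sh"   # placeholder path
AGENT_PORT = 8000                   # assumed agent port
SNAPSHOT_WARNING = re.compile(r"snapshot failed to load", re.IGNORECASE)

# Constructed sample output, mimicking an emulator started without -writable-system.
SAMPLE_LS = "ls: /system/bin/python: No such file or directory\n/system/bin/agent.sh\n"
SAMPLE_LOGCAT = [
    "I/EmulatorManager: starting AVD aosx",
    "W/Snapshot: cold boot: snapshot failed to load",
    "I/Agent: waiting for python",
]

def emulator_args(avd_name, extra=()):
    """Launch line avd.py should use; without -writable-system the emulator boots
    the pristine system image, python and agent.sh vanish, hence 'not ready yet'."""
    return ["emulator", "@" + avd_name, "-verbose", "-writable-system", *extra]

def missing_files(ls_output):
    """From `adb shell ls PYTHON_BIN AGENT_SH`: existing paths are echoed verbatim."""
    present = {line.strip() for line in ls_output.splitlines()}
    return [p for p in (PYTHON_BIN, AGENT_SH) if p not in present]

def logcat_problems(lines):
    """Return logcat lines carrying the cold boot / failed snapshot warning."""
    return [ln.strip() for ln in lines if SNAPSHOT_WARNING.search(ln)]

def agent_reachable(host="127.0.0.1", port=AGENT_PORT, timeout=2.0):
    """True if something accepts TCP connections on the (forwarded) agent port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(ls_output, logcat_lines, agent_up):
    """Combine the checks into the list of reasons an analysis would fail."""
    reasons = ["missing on image: " + p for p in missing_files(ls_output)]
    reasons += ["logcat: " + ln for ln in logcat_problems(logcat_lines)]
    if not agent_up:
        reasons.append("agent not listening on port %d" % AGENT_PORT)
    return reasons
```

Against a live emulator, feed `diagnose()` the output of `adb shell ls /system/bin/python /system/bin/agent.sh` and `adb logcat -d` together with `agent_reachable()`; an empty list means the image has what the modified agent.sh needs.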