cuckoosandbox / cuckoo
Cuckoo Sandbox is an automated dynamic malware analysis system
Home Page: http://www.cuckoosandbox.org
License: Other
[2012-01-03 14:57:46,937] [Core.Analyzer] INFO: Cuckoo starting with PID 496.
[2012-01-03 14:57:46,947] [Core.InstallDependencies] INFO: Installing dependency "\VBOXSVR\setup\system\distorm3.dll".
[2012-01-03 14:57:46,976] [Core.InstallDependencies] INFO: Installing dependency "\VBOXSVR\setup\system.gitignore".
[2012-01-03 14:57:46,986] [Core.InstallCuckoo] INFO: Installing "\VBOXSVR\setup\cuckoo\dll".
[2012-01-03 14:57:47,016] [Core.InstallCuckoo] INFO: Installing "\VBOXSVR\setup\cuckoo\logs".
[2012-01-03 14:57:47,026] [Core.InstallCuckoo] INFO: Installing "\VBOXSVR\setup\cuckoo\trace".
[2012-01-03 14:57:47,046] [Core.InstallCuckoo] INFO: Installing "\VBOXSVR\setup\cuckoo\files".
[2012-01-03 14:57:47,056] [Core.InstallCuckoo] INFO: Installing "\VBOXSVR\setup\cuckoo\shots".
[2012-01-03 14:57:47,076] [Core.InstallTarget] INFO: Installing target file from "\VBOXSVR\cuckoo1\malware.exe" to "C:".
[2012-01-03 14:57:47,137] [Core.PipeServer] INFO: Starting Pipe Server.
[2012-01-03 14:57:47,137] [Core.Analyzer] INFO: Analysis package imported from "packages.exe".
[2012-01-04 08:30:40,796] [Core.Analyzer] INFO: Executing analysis package run function.
[2012-01-04 08:30:40,796] [Screenshots.Run] INFO: Started taking screenshots.
[2012-01-04 08:30:40,806] [Execute.Execute] INFO: Launched process "C:\malware.exe" with arguments "None", ID "1544" and thread "0x0000074c".
[2012-01-04 08:30:40,917] [Monitor.Monitor] INFO: Using default Cuckoo DLL "C:\cuckoo\dll\cmonitor.dll".
[2012-01-04 08:30:41,016] [Inject.GrantDebugPrivilege] INFO: Successfully granted debug privileges on Cuckoo process.
[2012-01-04 08:30:41,127] [Inject.Inject] DEBUG: Process with PID 1544 successfully injected with DLL at path "C:\cuckoo\dll\awUuyd.dll".
[2012-01-04 08:30:41,256] [Monitor.Monitor] INFO: Original process with PID "1544" successfully injected.
[2012-01-04 08:30:41,286] [Screenshots.Run] DEBUG: Screenshot saved at "C:\cuckoo\shots\shot_1.jpg".
[2012-01-04 08:30:43,289] [Monitor.ResumeThread] INFO: Resumed thread with handle "0x0000074c".
[2012-01-04 08:30:43,299] [Core.Analyzer] INFO: Analysis package returned following process PID to add to monitor list: 1544.
[2012-01-04 08:30:43,299] [Core.AddFile] INFO: Newly created file path added to list: ÿÿ
[2012-01-04 08:30:43,309] [Core.Analyzer] INFO: Running for a maximum of 150 seconds.
[2012-01-04 08:30:43,329] [Core.AddFile] INFO: Newly created file path added to list: C:\WINDOWS\System32\rs32net.exe
[2012-01-04 08:30:43,329] [Core.PipeHandler] DEBUG: Received request to analyze process with PID 0.
[2012-01-04 08:30:43,339] [Inject.GrantDebugPrivilege] INFO: Successfully granted debug privileges on Cuckoo process.
[2012-01-04 08:30:43,339] [Inject.Inject] ERROR: Unable to obtain handle on process with PID 0 (GLE=87). Abort.
[2012-01-04 08:30:43,339] [Core.PipeHandler] ERROR: Failed injecting process with PID "0" (0x00000000).
[2012-01-04 08:30:43,339] [Core.Analyzer] INFO: Process with PID 1544 terminated.
[2012-01-04 08:30:44,351] [Core.PipeServer] INFO: Stopping Pipe Server.
[2012-01-04 08:30:44,351] [Screenshots.Stop] INFO: Stopping screenshots.
[2012-01-04 08:30:44,351] [Core.Analyzer] INFO: Analysis completed.
[2012-01-04 08:30:44,351] [Core.Analyzer] INFO: Executing analysis package "exe" custom finish function.
[2012-01-04 08:30:44,351] [Core.DumpFiles] DEBUG: Dropped file "ÿÿ" does not exist. Skip.
[2012-01-04 08:30:44,351] [Core.DumpFiles] DEBUG: Dropped file "C:\WINDOWS\System32\rs32net.exe" does not exist. Skip.
[2012-01-04 08:30:44,361] [Core.SaveResults] INFO: Saving analysis results to "\VBOXSVR\cuckoo1".
Here is my error dialogue in Python 2.6
[Cuckoo ASCII-art banner] v0.3.1
www.cuckoobox.org
Copyright (C) 2010-2011
[2012-01-04 05:30:16,302] [Core.Init] INFO: Started.
[2012-01-04 05:30:16,860] [VirtualMachine.Check] INFO: Your VirtualBox version is: "4.1.8", good!
[2012-01-04 05:30:16,860] [Core.Init] INFO: Populating virtual machines pool...
[2012-01-04 05:30:17,324] [VirtualMachine.Restore] INFO: Virtual machine "Cuckoo1" successfully restored to current snapshot.
[2012-01-04 05:30:17,379] [VirtualMachine.Infos] INFO: Virtual machine "Cuckoo1" information:
[2012-01-04 05:30:17,380] [VirtualMachine.Infos] INFO: _| Name: Cuckoo1
[2012-01-04 05:30:17,380] [VirtualMachine.Infos] INFO: | ID: 2fe4b559-5886-4897-b1f3-37eeb6a9e207
[2012-01-04 05:30:17,380] [VirtualMachine.Infos] INFO: | CPU Count: 1 Core/s
[2012-01-04 05:30:17,380] [VirtualMachine.Infos] INFO: | Memory Size: 512 MB
[2012-01-04 05:30:17,380] [VirtualMachine.Infos] INFO: | VRAM Size: 16 MB
[2012-01-04 05:30:17,381] [VirtualMachine.Infos] INFO: | State: Saved
[2012-01-04 05:30:17,381] [VirtualMachine.Infos] INFO: | Current Snapshot: "cuckoo-3"
[2012-01-04 05:30:17,381] [VirtualMachine.Infos] INFO: | MAC Address: 08:00:27:39:8E:14
[2012-01-04 05:30:17,403] [Core.Init] INFO: 1 virtual machine/s added to pool.
[2012-01-04 05:30:26,422] [Core.Dispatcher] INFO: Acquired analysis task for target "../malware.exe".
[2012-01-04 05:30:26,464](Task #13) [Core.Analysis.Run] INFO: Acquired virtual machine "cuckoo1".
[2012-01-04 05:30:26,467] [Sniffer.Start] INFO: Sniffer started monitoring 08:00:27:39:8E:14.
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1515 bytes
[2012-01-04 05:30:26,789] [VirtualMachine.Restore] INFO: Virtual machine "Cuckoo1" successfully restored to current snapshot.
[2012-01-04 05:30:29,261] [VirtualMachine.Start] INFO: Virtual machine "Cuckoo1" starting in "gui" mode.
[2012-01-04 05:30:29,364] [VirtualMachine.Execute] INFO: Cuckoo analyzer running with PID 496 on virtual machine "Cuckoo1".
[2012-01-04 05:30:44,464] [VirtualMachine.Execute] INFO: Cuckoo analyzer exited with code 0 on virtual machine "Cuckoo1".
[2012-01-04 05:30:44,465] [Sniffer.Stop] INFO: Sniffer stopped monitoring 08:00:27:39:8E:14.
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[2012-01-04 05:30:44,670](Task #13) [Core.Analysis.SaveResults] INFO: Analysis results successfully saved to "analysis/13".
[2012-01-04 05:30:44,792](Task #13) [Core.Analysis.Processing] INFO: Analysis results processor started with PID "27141".
Traceback (most recent call last):
File "processor.py", line 35, in <module>
main(sys.argv[1])
File "processor.py", line 28, in main
ReportProcessor().report(CuckooDict(analysis_path).process())
File "/home/malware/cuckoo/cuckoo/cuckoo/reporting/reporter.py", line 58, in report
self._observable.notify(report)
File "/home/malware/cuckoo/cuckoo/cuckoo/reporting/observers.py", line 57, in notify
observer.update(results)
File "/home/malware/cuckoo/cuckoo/cuckoo/reporting/tasks/reporthtml.py", line 56, in update
html = template.render(**results)
File "/usr/lib/pymodules/python2.6/mako/template.py", line 133, in render
return runtime._render(self, self.callable, args, data)
File "/usr/lib/pymodules/python2.6/mako/runtime.py", line 364, in _render
_render_context(template, callable, context, *args, **_kwargs_for_callable(callable, data))
File "/usr/lib/pymodules/python2.6/mako/runtime.py", line 381, in _render_context
_exec_template(inherit, lclcontext, args=args, kwargs=kwargs)
File "/usr/lib/pymodules/python2.6/mako/runtime.py", line 414, in _exec_template
callable(context, *args, **kwargs)
File "base_html", line 37, in render_body
File "/usr/lib/pymodules/python2.6/mako/runtime.py", line 255, in <lambda>
return lambda *args, **kwargs:callable(self.context, *args, **kwargs)
File "report_html", line 48, in render_content
File "/usr/lib/pymodules/python2.6/mako/runtime.py", line 307, in include_file
callable(ctx, **_kwargs_for_callable(callable, context._orig, **kwargs))
File "sections_general_information_html", line 64, in render_body
UnicodeDecodeError: 'ascii' codec can't decode byte 0xff in position 2289: ordinal not in range(128)
[2012-01-04 05:30:45,973] [VirtualMachine.Stop] INFO: Virtual machine "Cuckoo1" powered off successfully.
[2012-01-04 05:30:45,975](Task #13) [Core.Analysis.FreeVM] INFO: Virtual machine "cuckoo1" released.
[2012-01-04 05:30:45,975](Task #13) [Core.Analysis.Run] INFO: Analyis completed.
^C[2012-01-04 05:31:02,423] [Core.Init] CRITICAL: Keyboard interrupt catched! Forcing shutdown and restore of all virtual machines before exiting...
[2012-01-04 05:31:02,639] [VirtualMachine.Restore] INFO: Virtual machine "Cuckoo1" successfully restored to current snapshot.
http://www.mediafire.com/?g9li126nhqul91t
^ IS MALWARE...
I have some Excel files that I want to analyse. When I select "Detect Automatically", cuckoo will start MS Word and not Excel!
When I select the Excel file type manually, cuckoo sandbox works correctly.
I took a look into the repository but couldn't find the mistake. It happens with Cuckoo 1.0 and 1.1-dev.
For some days now I cannot get any report. Cuckoo exits with an error that seems to be related to yara, but I don't know why. I uninstalled and deleted everything related to yara on my system and reinstalled using
sudo pip install yara
That installed Yara 1.7.6 and Yara-Ctypes 1.7.6 successfully.
But I always get this kind of error at the end of an analysis run:
2014-01-29 15:35:58,051 [lib.cuckoo.core.plugins] ERROR: Failed to run the processing module "Dropped":
Traceback (most recent call last):
File "/RAID/cuckoosandbox/cuckoo-development/lib/cuckoo/core/plugins.py", line 184, in process
data = current.run()
File "/RAID/cuckoosandbox/cuckoo-development/modules/processing/dropped.py", line 23, in run
file_info = File(file_path=file_path).get_all()
File "/RAID/cuckoosandbox/cuckoo-development/lib/cuckoo/common/objects.py", line 264, in get_all
infos["yara"] = self.get_yara()
File "/RAID/cuckoosandbox/cuckoo-development/lib/cuckoo/common/objects.py", line 240, in get_yara
except yara.Error as e:
AttributeError: 'module' object has no attribute 'Error'
What can I do?
I'm getting the following error lines when cuckoo is configured to do a memory dump. What's irritating to me: I can only count 2 arguments:
It should work, as far as I understand it?
2013-12-13 09:57:46,732 [lib.cuckoo.core.scheduler]
ERROR: Failure in AnalysisManager.run
Traceback (most recent call last):
File "/_/__/__/lib/cuckoo/core/scheduler.py", line 367, in run
success = self.launch_analysis()
File "/__/__/*_*//lib/cuckoo/core/scheduler.py", line 276, in launch_analysis
os.path.join(self.storage, "memory.dmp"))
TypeError: dump_memory() takes exactly 2 arguments (3 given)
Migrate Cuckoo to use Python's logging library:
http://docs.python.org/library/logging.html
Hello,
Lately I've seen a lot of IE-injecting malware from Exploit Kit drops. Kaspersky calls them Trojan-Downloader.Win32.Piker.pft. They don't seem to run properly in Cuckoo; I've tried using my own install and also on malwr. Here is the link to the malwr sample - https://malwr.com/analysis/ZmViNjRjMDc0ZjdkNDUyM2I4NmRmZWFlNWE0NDQ2NGQ/#
And here is a VT link - https://www.virustotal.com/en/file/2d314da07fa74e8b45f1dbb30758b1a7c8d842ad6754885c2d18a3df221c2ade/analysis/1370307028/
Something seems to be going wrong with cuckoomon when it injects into the malware. It unpacks much like typical malware by rewriting the sections, however, ZwMapViewOfSection seems to get hung-up, getting called some 300 times. The injection never actually occurs into IE. When I run the binary with the "free" option, everything works fine, and I can see the DNS requests to the rogue servers.
The analysis always times out. You can find the log at http://pastebin.com/xMHtkRpZ
I've tried running the binary under a WinXP and Win7 sandbox, both with IE8 installed.
I've tried using a different cuckoomon dll. I spoke to Jurriaan Bremer via email earlier and he referred me to the issue at #224 (comment). It wouldn't seem to be a related issue, as the IE injection never occurs here.
If anyone needs samples, I have plenty.
In some cases the malware ends up powering off the virtual machine. At the current stage, if Cuckoo fails to power it off by itself, it assumes that the machine is corrupted and removes it from the pool.
We need to add a forced attempt to restore the virtual machine's snapshot even after a failed power off. In this way we can try to recover the machine and reuse it for other analyses.
Add a simple functionality to blacklist specific paths in order to avoid dumping files of no interest.
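A possible shape for such a blacklist, as an added example that is not part of the Cuckoo code base. The patterns, candidate paths and function names are constructed for illustration; the point it demonstrates is the normalisation needed before matching (forward slashes, case, "." and ".." components) so that a pattern written one way still catches a path the guest reported another way:

```python
import fnmatch
import ntpath

# Constructed blacklist for illustration; patterns use Windows paths and
# are matched case-insensitively with shell-style wildcards.
DEFAULT_BLACKLIST = [
    r"C:\Windows\Prefetch\*",
    r"C:\Users\*\AppData\Local\Microsoft\Windows\Temporary Internet Files\*",
    r"*\~$*.doc*",        # Office owner/lock files
    r"*.log",
]

# Constructed candidate paths, not from a real analysis.
SAMPLE_DROPPED = [
    r"C:\WINDOWS\System32\rs32net.exe",
    r"C:\Windows\Prefetch\RS32NET.EXE-5A3B1C2D.pf",
    "c:/users/dev/appdata/local/microsoft/windows/temporary internet files/content.ie5/x.htm",
    r"C:\Users\dev\Documents\~$report.docx",
    r"C:\Users\dev\Documents\report.docx",
    r"C:\Temp\setup.log",
]


def _normalise(path):
    """Unify separators, collapse '.' and '..' components and fold case so
    C:/Users/../X and c:\\users\\..\\x compare equal."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def is_blacklisted(path, blacklist=DEFAULT_BLACKLIST):
    """True when the dropped-file path matches any blacklist pattern.
    fnmatch's '*' also crosses path separators, so 'C:\\Windows\\Prefetch\\*'
    covers files in subdirectories too."""
    norm = _normalise(path)
    return any(fnmatch.fnmatchcase(norm, _normalise(pattern)) for pattern in blacklist)


def filter_dropped(paths, blacklist=DEFAULT_BLACKLIST):
    """Split candidate paths into (to_dump, skipped), preserving order, so a
    report can still list what was deliberately not collected."""
    to_dump, skipped = [], []
    for path in paths:
        (skipped if is_blacklisted(path, blacklist) else to_dump).append(path)
    return to_dump, skipped


if __name__ == "__main__":
    to_dump, skipped = filter_dropped(SAMPLE_DROPPED)
    for path in to_dump:
        print("dump", path)
    for path in skipped:
        print("skip", path)
```

Listing the skipped entries in the report, rather than silently dropping them, keeps the blacklist auditable: a sample that writes its payload into a blacklisted directory still leaves a trace of the path.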
I get this 'exceptions.MemoryError' error when I tried to upload a 160Mo exe.
Where am I wrong?
Exception in thread Thread-2:
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 551, in __bootstrap_inner
self.run()
File "/home/dev/cuckoo/lib/cuckoo/core/scheduler.py", line 309, in run
success = self.launch_analysis()
File "/home/dev/cuckoo/lib/cuckoo/core/scheduler.py", line 220, in launch_analysis
guest.start_analysis(options)
File "/home/dev/cuckoo/lib/cuckoo/core/guest.py", line 150, in start_analysis
self.server.add_malware(data, options["file_name"])
File "/usr/lib/python2.7/xmlrpclib.py", line 1224, in __call__
return self.__send(self.__name, args)
File "/usr/lib/python2.7/xmlrpclib.py", line 1578, in __request
verbose=self.__verbose
File "/usr/lib/python2.7/xmlrpclib.py", line 1264, in request
return self.single_request(host, handler, request_body, verbose)
File "/usr/lib/python2.7/xmlrpclib.py", line 1297, in single_request
return self.parse_response(response)
File "/usr/lib/python2.7/xmlrpclib.py", line 1473, in parse_response
return u.close()
File "/usr/lib/python2.7/xmlrpclib.py", line 793, in close
raise Fault(**self._stack[0])
Fault: <Fault 1: "<type 'exceptions.MemoryError'>:">
Putting empty directories in the source tree is absolutely unnecessary and confusing to the reader. Those can easily be created at runtime, where they belong anyway.
A directory holding only a file does not make much sense, as those runtime-dependent files could all be placed in one directory and, if necessary, later copied to a separate directory in the VM.
I am annoyed by the gazillion occurrences of the name of the author everywhere in the code. Just as a suggestion:
http://stackoverflow.com/questions/1497756/declaring-copyright-in-a-foss-project-with-major-and-minor-contributors
We as the people of the world are really thankful for any contribution, i.e. to FOSS, but it does not shed a good light if the authors (and there have already been more than one) put notes like:
"Cuckoo Sandbox is property of Claudio Guarnieri" (as seen on the HTML reports)
as FOSS is property of the community and not of one entity. What the author(s) can do, though, is dual-license it to their liking, but for this they have to get the consent of all the contributors, however small their contribution might have been.
No offence Claudio, we really appreciate the great work you have done, but don't put a shadow on your work with this behaviour. Explicit is not always better than implicit.
In some situations, leftover connections from previous analyses appear in the following ones.
In order to prevent this from showing in the reports, we can blacklist non-local IP addresses sending packets to the VM. We assume that every established connection should start outbound.
Add full UDP connections tracking to pcap file processing module.
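The direction-based filter proposed two items above, together with the UDP tracking asked for here, as an added example that is not part of Cuckoo's pcap processing module. It assumes packets have already been parsed into (timestamp, proto, src_ip, src_port, dst_ip, dst_port) tuples; the VM address, the packet list and the function names are constructed for illustration. TCP and UDP are tracked the same way, so an unanswered UDP datagram appears as a flow with zero packets received, and a flow whose first packet came from outside the VM is classified as a leftover:

```python
from collections import OrderedDict

VM_IP = "192.168.56.101"

# Constructed packets, not a real capture:
# (timestamp, proto, src_ip, src_port, dst_ip, dst_port)
SAMPLE_PACKETS = [
    (0.00, "udp", VM_IP, 49152, "192.168.56.1", 53),            # VM asks DNS: outbound
    (0.01, "udp", "192.168.56.1", 53, VM_IP, 49152),            # DNS answer
    (0.05, "tcp", VM_IP, 49153, "203.0.113.10", 80),            # VM opens HTTP: outbound
    (0.06, "tcp", "203.0.113.10", 80, VM_IP, 49153),            # HTTP reply
    (0.50, "tcp", "198.51.100.7", 4444, VM_IP, 49160),          # remote side talks first: leftover
    (0.51, "tcp", VM_IP, 49160, "198.51.100.7", 4444),          # VM answers the leftover
    (0.70, "udp", VM_IP, 49170, "203.0.113.20", 123),           # VM sends NTP, never answered
    (0.80, "udp", "192.168.56.50", 137, "192.168.56.255", 137), # broadcast not involving the VM
]


def track_flows(packets, vm_ip):
    """Group packets into flows keyed on (proto, vm_port, remote_ip, remote_port).

    The first packet seen for a flow decides who initiated it; later packets
    only bump the per-direction counters. Packets that never touch vm_ip are
    ignored.
    """
    flows = OrderedDict()
    for ts, proto, src_ip, src_port, dst_ip, dst_port in sorted(packets):
        if src_ip == vm_ip:
            key, direction = (proto, src_port, dst_ip, dst_port), "sent"
        elif dst_ip == vm_ip:
            key, direction = (proto, dst_port, src_ip, src_port), "recv"
        else:
            continue
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = {
                "initiator": "vm" if direction == "sent" else "remote",
                "first_ts": ts,
                "sent": 0,
                "recv": 0,
            }
        flow[direction] += 1
    return flows


def split_leftovers(flows):
    """Apply the assumption that every real connection starts outbound:
    flows whose first packet came from the remote side are leftovers of an
    earlier analysis (or unsolicited traffic) and are kept out of the report."""
    kept, dropped = OrderedDict(), OrderedDict()
    for key, flow in flows.items():
        (dropped if flow["initiator"] == "remote" else kept)[key] = flow
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = split_leftovers(track_flows(SAMPLE_PACKETS, VM_IP))
    for key, flow in kept.items():
        print("keep", key, flow)
    for key, flow in dropped.items():
        print("drop", key, flow)
```

The dropped flows are worth keeping in a separate section of the report rather than discarding: a connection that arrives inbound during an analysis is either a stale session from the previous run (a hint that the snapshot restore or the sniffer filter is not clean) or traffic from the outside that the sandbox network should not have admitted at all.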
The number of machines in DB keeps growing upon restart of cuckoo.py when swapping to a different DBMS e.g. MySQL or postgres.
2013-12-16 22:24:45,907 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" machine manager
2013-12-16 22:24:48,824 [lib.cuckoo.core.scheduler] INFO: Loaded 9 machine/s
2013-12-16 22:24:48,824 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks...
^C
[... snip ...]
2013-12-16 22:25:09,685 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" machine manager
2013-12-16 22:25:14,318 [lib.cuckoo.core.scheduler] INFO: Loaded 18 machine/s
2013-12-16 22:25:14,319 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks...
^C
[... snip ...]
2013-12-16 22:25:34,033 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" machine manager
2013-12-16 22:25:40,111 [lib.cuckoo.core.scheduler] INFO: Loaded 27 machine/s
2013-12-16 22:25:40,112 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks...
I get the following error:
Environment:
Request Method: GET
Request URL: http://192.168.200.90:8080/
Django Version: 1.6.1
Python Version: 2.7.3
Installed Applications:
('django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.staticfiles',
'django.contrib.admin',
'analysis')
Installed Middleware:
('django.middleware.common.CommonMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'web.headers.CuckooHeaders')
Template error:
In template /root/cuckoo/web/templates/header.html, error at line 30
cannot import name ALL_UUID_SUBTYPES
Traceback:
File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py" in get_response
response = wrapped_callback(request, *callback_args, **callback_kwargs)
return func(request, *args, **kwargs)
context_instance=RequestContext(request))
return HttpResponse(loader.render_to_string(*args, **kwargs), **httpresponse_kwargs)
return t.render(context_instance)
return self._render(context)
return self.nodelist.render(context)
bit = self.render_node(node, context)
return node.render(context)
return compiled_parent._render(context)
return self.nodelist.render(context)
bit = self.render_node(node, context)
return node.render(context)
return self.render_template(self.template, context)
output = template.render(context)
return self._render(context)
return self.nodelist.render(context)
bit = self.render_node(node, context)
return node.render(context)
url = reverse(view_name, args=args, kwargs=kwargs, current_app=context.current_app)
return iri_to_uri(resolver._reverse_with_prefix(view, prefix, *args, **kwargs))
possibilities = self.reverse_dict.getlist(lookup_view)
self._populate()
lookups.appendlist(pattern.callback, (bits, p_pattern, pattern.default_args))
self._callback = get_callable(self._callback_str)
result = func(*args)
mod = import_module(mod_name)
__import__(name)
Exception Type: ImportError at /
Exception Value: cannot import name ALL_UUID_SUBTYPES
Hi!
In cuckoo 1.0 the file analysis.conf is not generated in the report folder.
I've tested it in a clear version of cuckoo 1.0. And the file cuckoo1.0/storage/analyses/1/analysis.conf is not generated.
I think this is a bug.
Best regards!
when trying to pass a URL and not a file
2014-01-28 22:31:53,288 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "MAEC40Report":
Traceback (most recent call last):
...
File "/Users/user/Project/cuckoo-dma/modules/reporting/maec40.py", line 704, in createWinExecFileObj
if len(self.results["static"]["pe_exports"]) > 0:
KeyError: 'pe_exports'
the createWinExecFileObj function assumes there are "pe_exports" and "pe_imports" keys, which seems to not always be the case
Hi!
After submitting a binary to cuckoo I get this error, and if I try to see the report via the web I get this other error:
Error response
Error code 404.
Message: Not Found.
Error code explanation: 404 = Nothing matches the given URI.
Console error.
[2012-02-06 18:18:01,695] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:02,520] [VirtualMachine.Execute] INFO: Cuckoo analyzer exited with code 0 on virtual machine "Cuckoo2".
[2012-02-06 18:18:02,623](Task #434) [Core.Analysis.SaveResults] INFO: Analysis results successfully saved to "analysis/434".
[2012-02-06 18:18:02,646](Task #434) [Core.Analysis.CleanShare] DEBUG: Shared folder "shares/Cuckoo2" cleaned successfully.
[2012-02-06 18:18:02,697] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:02,769] [Database.Complete] DEBUG: Task with ID 434 updated to status "1".
[2012-02-06 18:18:02,798] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:02,799](Task #434) [Core.Analysis.Processing] INFO: Analysis results processor started with PID "5883".
[2012-02-06 18:18:03,446] [VirtualMachine.Stop] INFO: Virtual machine "Cuckoo2" powered off successfully.
[2012-02-06 18:18:03,458](Task #434) [Core.Analysis.FreeVM] INFO: Virtual machine "Cuckoo2" released.
[2012-02-06 18:18:03,458](Task #434) [Core.Analysis.Run] INFO: Analyis completed.
[2012-02-06 18:18:03,801] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:03,827] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:04,834] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:04,855] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:05,865] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:05,889] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:06,901] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:06,928] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:07,930] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:07,953] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:08,955] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:08,982] [Core.Dispatcher] DEBUG: No tasks pending.
------------------------------------[ERROR]-------------------------------------
Cuckoo stumbled in an unhandled error!
Before reporting the problem, please run with latest release from the development
Git repository at:
http://github.com/cuckoobox/cuckoo
If the exception persists, please send the following traceback to:
[email protected]
The developers will try to reproduce the bug, fix it and get in touch with you.
----------------------------------[TRACEBACK]-----------------------------------
Cuckoo version: v0.3.2
Python version: 2.7.2+ (default, Oct 4 2011, 20:06:09)
[GCC 4.6.1]
OS: linux2
Command line: processor.py analysis/434
Traceback (most recent call last):
File "processor.py", line 67, in <module>
main()
File "processor.py", line 61, in main
ReportProcessor(analysis_path).report(CuckooDict(analysis_path).process())
File "/root/cuckoo/cuckoo/reporting/reporter.py", line 59, in report
self._observable.notify(report)
File "/root/cuckoo/cuckoo/reporting/observers.py", line 68, in notify
observer.update(results)
File "/root/cuckoo/cuckoo/reporting/tasks/reporthtml.py", line 47, in update
html = template.render(**results)
File "/usr/lib/python2.7/dist-packages/mako/template.py", line 296, in render
return runtime._render(self, self.callable, args, data)
File "/usr/lib/python2.7/dist-packages/mako/runtime.py", line 660, in _render
**_kwargs_for_callable(callable, data))
File "/usr/lib/python2.7/dist-packages/mako/runtime.py", line 692, in _render_context
_exec_template(inherit, lclcontext, args=args, kwargs=kwargs)
File "/usr/lib/python2.7/dist-packages/mako/runtime.py", line 718, in _exec_template
callable(context, *args, **kwargs)
File "base_html", line 37, in render_body
File "report_html", line 48, in render_content
File "/usr/lib/python2.7/dist-packages/mako/runtime.py", line 587, in include_file
callable(ctx, **_kwargs_for_include(callable, context._data, **kwargs))
File "sections_general_information_html", line 94, in render_body
[2012-02-06 18:18:09,762] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:09,776] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:10,778] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:10,799] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:11,802] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:11,822] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:12,824] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:12,839] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:13,845] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:13,860] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:14,867] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:14,881] [Core.Dispatcher] DEBUG: No tasks pending.
Thanks.
In order to lower the size of generated reports, make the postprocessing skip repeated actions (e.g. looped API calls) and add a repetition counter to a unique entry.
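One way to do this collapsing, as an added example that is not Cuckoo's own processing code. The call records, their field names and the function names are constructed; timestamps are ignored when comparing calls and argument dictionaries are compared by content, not key order. It goes slightly beyond the single repeated call in the text: a loop body of up to max_period calls (e.g. read, write, read, write, ...) is also collapsed, to one copy of the body with the counter on each of its calls:

```python
import json


# Constructed call traces for illustration; not taken from a real Cuckoo report.
def _call(t, api, **args):
    return {"time": t, "api": api, "args": args, "return": 0}


LOOPED_READS = [
    _call(1.0, "NtReadFile", FileHandle="0x7c", Length=4096),
    _call(1.1, "NtReadFile", FileHandle="0x7c", Length=4096),
    _call(1.2, "NtReadFile", Length=4096, FileHandle="0x7c"),   # same call, different key order
    _call(1.3, "NtWriteFile", FileHandle="0x80", Length=4096),
    _call(1.4, "NtReadFile", FileHandle="0x7c", Length=512),
    _call(1.5, "NtReadFile", FileHandle="0x7c", Length=512),
]

COPY_LOOP = [
    _call(2.0, "NtReadFile", FileHandle="0x7c", Length=4096),
    _call(2.1, "NtWriteFile", FileHandle="0x80", Length=4096),
    _call(2.2, "NtReadFile", FileHandle="0x7c", Length=4096),
    _call(2.3, "NtWriteFile", FileHandle="0x80", Length=4096),
    _call(2.4, "NtReadFile", FileHandle="0x7c", Length=4096),
    _call(2.5, "NtWriteFile", FileHandle="0x80", Length=4096),
]


def _signature(call, ignore=("time",)):
    """Canonical text form of a call: volatile fields are dropped and the
    rest serialised with sorted keys, so argument order does not matter."""
    return json.dumps({k: v for k, v in call.items() if k not in ignore},
                      sort_keys=True, default=str)


def collapse_repeats(calls, max_period=4, ignore=("time",)):
    """Collapse consecutively repeated blocks of up to max_period calls.

    A run A A A becomes one A with repeated=3; a loop body A B A B A B
    becomes A B, each marked repeated=3. Every surviving entry is a copy of
    its first occurrence plus 'repeated' and 'last_time' (the timestamp of
    that call in the final iteration), so the loop's time span is kept.
    """
    sigs = [_signature(c, ignore) for c in calls]
    n = len(sigs)
    out = []
    i = 0
    while i < n:
        best_period, best_reps = 1, 1
        for period in range(1, max_period + 1):
            if i + 2 * period > n:
                break
            reps = 1
            while (i + (reps + 1) * period <= n and
                   sigs[i + reps * period:i + (reps + 1) * period] == sigs[i:i + period]):
                reps += 1
            # prefer the candidate that swallows the most calls
            if reps > 1 and reps * period > best_reps * best_period:
                best_period, best_reps = period, reps
        for j in range(best_period):
            entry = dict(calls[i + j])
            entry["repeated"] = best_reps
            entry["last_time"] = calls[i + (best_reps - 1) * best_period + j].get("time")
            out.append(entry)
        i += best_period * best_reps
    return out


if __name__ == "__main__":
    for name, trace in (("looped reads", LOOPED_READS), ("copy loop", COPY_LOOP)):
        collapsed = collapse_repeats(trace)
        print(name, len(trace), "->", len(collapsed))
        for entry in collapsed:
            print("  %-12s x%d %s" % (entry["api"], entry["repeated"], entry["args"]))
```

Keeping the return value in the signature (only "time" is ignored) is deliberate: a call that starts failing after a few iterations should not be merged into the successful run, since that change of outcome is often exactly the behaviour an analyst is looking for.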
According to The Zen of Python (http://www.python.org/dev/peps/pep-0020/) explicit is better than implicit, and according to http://docs.python.org/tutorial/modules.html#importing-from-a-package and many other suggestions implicit importing is a bad habit and can cause problems. And in the code there are many places where there is only a small number of things to import, so an explicit approach would be easier.
Under the category "recent" in the django web interface you can see all recent analysis tasks. I'm sorry, but after some days and 100 analysis tasks I don't know which hash corresponds to the analysis report I'm currently looking for.
I wish I could see more details! For example the machine that the analysis was run on. Maybe the filename of the file that was tested.
Or, much better: own tags!
I would suggest adding a feature that allows passing a password for Office and PDF Documents from Host to Guest!
Something like this has been implemented for Zip files already!
thx
Need to properly fix the lock of sessions on virtual machines in virtualbox.py.
When trying to log events, it might happen that under certain circumstances the script is not able to handle some characters properly.
That might happen, for example, with non-standard file names.
Certain names are being used in multiple places and thus are misleading; examples are cuckoo, config, tracer. It would be better to describe not only the function but also the use case, for example processtracer instead of tracer.
When you take a look at VirusTotal results that come from cuckoo, you will notice that they are very clean. The system's standard behaviour (file system/registry activities of MS Office, for example) is not part of VirusTotal reports.
Is there any simple way to mask those activities? I would want to make some kind of baseline for Word, Excel, Internet Explorer and Adobe Reader to generate a filter.
In cuckoo/lib/cuckoo/common/irc.py, I think the two lines 57 and 64 should be inside the if clauses. This might be messing with the output of isthereIRC().
Can someone verify this?
Since Cuckoo's analysis packages provide the possibility to not actually inject and monitor any process, it's necessary to adapt the main checking procedure and disable the check for active processes.
Without injecting, Cuckoo is not able to follow newly spawned processes, so such a check is not functional.
Yesterday I tried to set up a new cuckoo box using the newest development branch. I played around with reporting.conf using enablehtml = yes/no/on/off ... but what I don't get is an HTML report.
Do you see any reason what could be wrong?
thx,
Crashman
Some malware samples check for known product identifiers which are used by default in VirtualBox's virtual machines.
For more information on how to modify such data visit:
http://www.virtualbox.org/manual/ch09.html#changevpd
Need to complete and include updated setup and usage documentation.
By default Cuckoo doesn't capture any traffic to/from the sandbox VM on port 8000. This makes cuckoo totally blind to attacks/infections that occur over port 8000 (which just happens to be the default port Neutrino exploit kit uses these days.)
I think this change fixes that problem while keeping XMLRPC traffic out of the dump:
diff --git a/modules/auxiliary/sniffer.py b/modules/auxiliary/sniffer.py
index 3f0d6cd..9d491de 100644
--- a/modules/auxiliary/sniffer.py
+++ b/modules/auxiliary/sniffer.py
@@ -49,13 +49,8 @@ class Sniffer(Auxiliary):
pargs.extend(["-w", file_path])
pargs.extend(["host", host])
- # Do not capture XMLRPC agent traffic.
- pargs.extend(["and", "not", "(", "host", host, "and", "port",
- str(CUCKOO_GUEST_PORT), ")"])
- # Do not capture ResultServer traffic.
- pargs.extend(["and", "not", "(", "host",
- str(Config().resultserver.ip), "and", "port",
- str(Config().resultserver.port), ")"])
+ # Don't capture any traffic to/from the result server
+ pargs.extend(["and", "not", "host", Config().resultserver.ip])
if bpf:
pargs.extend(["and", bpf])
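Review bot: the whole-host exclusion added at `+ pargs.extend(["and", "not", "host", Config().resultserver.ip])` replaces two port-scoped exclusions and changes what is captured in both directions. It is broader where resultserver.ip is also the VM's gateway, DNS or simulated-internet address (a common single-host layout): every packet to or from that address is then dropped from the pcap, not just the result-server stream, so the report loses exactly the name resolution and HTTP traffic it is meant to show. It is narrower on the agent side: the removed `not (host <vm> and port CUCKOO_GUEST_PORT)` clause was the only thing excluding XMLRPC traffic when the agent is reached from an address other than resultserver.ip, so that noise now lands in the dump. Keeping the port-qualified form and only dropping (or scoping to the analysis host) the guest-port clause would let port-8000 traffic to external hosts through without widening the blind spot. Independently of this change, the trailing `pargs.extend(["and", bpf])` appends a user filter without parentheses, so a bpf containing `or` is not confined to `host <vm>`; wrapping the built expression in `(` ... `)` before appending would make the intent explicit.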
Often I find that the code is too modular, e.g. the logging module is made up of four files which could easily be put into the init.py file and thus be available with a simple "from cuckoo import logging". Why split logic to that extent? It is not a bad programming practice to define two or more classes/functions in the same file unless they are huge and/or have a completely different purpose, which is not the case in the above example. The reason to put them together is much better readability of the code, for example if it were only a logging.py file in the cuckoo directory.
Often the copyright notes are longer than the code?!
Enhance logging for cuckoovm.py and its dependencies.
Include GetLastError() value for every failed Windows-related action.
A Windows VM generally takes about 3-4 seconds to fix and set up the network connection.
As malware executes straight away, sometimes it is not able to perform its requests in time and just terminates before the link is up.
In these situations the execution lasts for just a few seconds and the analysis terminates, not actually providing any useful data.
I got an Error when non-ascii char exists in the path:
dev@L670:~/Téléchargements$ ~/cuckoo/utils/submit.py monbin.exe
Traceback (most recent call last):
File "/home/dev/cuckoo/utils/submit.py", line 96, in <module>
main()
File "/home/dev/cuckoo/utils/submit.py", line 91, in main
print(bold(green("Success")) + ": File \"{0}\" added as task with ID {1}".format(file_path, task_id))
UnicodeEncodeError: 'ascii' codec can't encode character u'\xe9' in position 11: ordinal not in range(128)
Low priority for this issue
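The three Unicode failures on this page (the 0xff bytes in the dropped-file path "ÿÿ" that broke the HTML report in the first issue, the non-standard file names that trip up event logging, and the é in the submit.py path above) share a root cause: a byte string from the guest or the file system reaches a template or console that only accepts ASCII. An added example of handling that defensively, not Cuckoo's own code, written for Python 3 (the page's tracebacks are Python 2); the raw inputs are constructed to mirror the values in the issues and the function names are assumptions:

```python
# Constructed raw values, as a guest analyzer might hand them to the host:
# bytes copied straight out of a Windows API argument. Not from a real run.
RAW_DROPPED_FILES = [
    b"C:\\WINDOWS\\System32\\rs32net.exe",
    b"\xff\xff",                                   # junk read from a bad pointer
    "C:\\Users\\dev\\T\u00e9l\u00e9chargements\\monbin.exe".encode("utf-8"),
]


def decode_guest_path(raw, encoding="utf-8"):
    """Decode a path received from the guest without ever raising.
    Undecodable bytes are kept as lone surrogates (U+DC80..U+DCFF), so the
    original bytes can be recovered with encode(encoding, 'surrogateescape')."""
    if isinstance(raw, str):
        return raw
    return raw.decode(encoding, errors="surrogateescape")


def has_undecodable_bytes(text):
    """True if decode_guest_path had to fall back to surrogate escapes."""
    return any(0xDC80 <= ord(ch) <= 0xDCFF for ch in text)


def display_form(text, encoding="utf-8"):
    """Text for an HTML/JSON report: real characters stay, bad bytes become
    visible \\xNN escapes instead of crashing the template engine."""
    raw = text.encode(encoding, errors="surrogateescape")
    return raw.decode(encoding, errors="backslashreplace")


def ascii_safe(text):
    """Text for an ASCII-only sink (console or log handler under LANG=C):
    every non-ASCII character becomes a backslash escape."""
    return text.encode("ascii", errors="backslashreplace").decode("ascii")


def looks_like_windows_path(text):
    """Plausibility check for a dropped-file entry: a drive letter, ':\\' and
    printable characters only. Lets the report flag entries such as 'ÿÿ'
    rather than treating them as real files."""
    if len(text) < 3 or not text[0].isalpha() or text[1:3] != ":\\":
        return False
    return not has_undecodable_bytes(text) and all(ch >= " " for ch in text)


def sanitize_dropped_files(raw_paths):
    """Build report-ready records: 'path' round-trips to the original bytes,
    'display' and 'ascii' are always safe to render, 'plausible' is explicit."""
    records = []
    for raw in raw_paths:
        path = decode_guest_path(raw)
        records.append({
            "path": path,
            "display": display_form(path),
            "ascii": ascii_safe(path),
            "plausible": looks_like_windows_path(path),
        })
    return records


if __name__ == "__main__":
    for record in sanitize_dropped_files(RAW_DROPPED_FILES):
        print(record["ascii"], "plausible" if record["plausible"] else "suspicious")
```

The split into a round-trippable "path" and a renderable "display" matters for evidence handling: the report never raises on hostile bytes, but the original byte sequence is still recoverable from the record if an analyst wants to see exactly what the sample passed to the API.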
I have to analyse some documents with passwords. It is hard to put in the right password during a hot analysis.
I couldn't find an option to pass a password from host to guest, except for zip files.
Maybe this could be implemented.
thx
Some malware samples show network activity after reboot.
An option to reboot a system after a defined amount of time would be helpful. After the reboot the analysis could go on for some time.
I am currently using a development version of cuckoomon.dll. It is from last week and includes the latest fixes. It is working better than the 1.0 version, but I could notice some strange behaviour.
When cuckoomon.dll is injected, starting samples (in this case PDF files) leads to error messages (e.g. font missing) that I cannot observe when starting the file manually in a VMware environment.
After the popup of the error message cuckoo will try to click OK and this will restart Acrobat Reader. In my analysis case Reader restarted 30 times during the analysis and the reports were messed up with loads of non-information.
Main question is: why do I get an error message that I do not get when doing "a run" manually?
Hi everyone,
I've found an error in the cuckoo versions 0.5 and 1.0. I hoped that in version 1.0 it would be fixed, but no, it remains.
I'm analyzing an exe, a hesperbot sample. This sample makes requests to yahoo.com, google.com, wikipedia.org and the real C&C, ***gement.biz.
When I send the sample to cuckoo 1.0 the exe doesn't make the requests. But when I send the sample to cuckoo with the option free=yes (to avoid the injection of cuckoomon.dll) the sample works well and makes the HTTP requests.
I use this line:
utils/submit.py --timeout 60 hesperbot.exe --options free=yes
I think that there is a problem between the analyzed sample and the dll injected by cuckoo (cuckoomon.dll).
Does anyone know what is wrong? I can send the sample to test it. (https://www.virustotal.com/es/file/7e45f248f2e64cf5c8a6f996f0281a1876f06d4e69c4d21033b4c2f721383e85/analysis/)
Best regards!
As reported in some old ticket on dev cuckoo and at http://community.cuckoosandbox.org/posts/show/any-update-on-using-ie6-on-windows-xp-for-url-analysis/
"I could manually go to any site using IE6 but whenever Cuckoo submits a URL analysis it always shows Page not Found.I searched the forum and looks like there are some bugs in the code to prevent IE6 from visiting URLs properly. Is this issue fixed now? "
While doing mass analysis sometimes VirtualBox hangs and needs TLC to get started again. Although this is probably a VirtualBox problem, I do not like the manual intervention.
Surely my implementation s*cks, but this is how it works:
If the restore fails, it tries to find the corresponding process and kills it...
Then it does a second attempt to restore before throwing its normal exception.
Good luck with your project.
modules/machinemanagers/virtualbox.py
Additional function (posted fragment, re-indented; it relies on the psutil 1.x attribute API, p.name and p.cmdline, and on the VM label being the third command-line argument of the VirtualBox process):

    import os
    import time
    import subprocess

    import psutil


    def findVBoxInstance(name):
        """Return the PID of the VirtualBox process running the VM called `name`, or None."""
        for pid in psutil.get_pid_list():
            try:
                p = psutil.Process(pid)
                if p.name == "VirtualBox" and len(p.cmdline) > 2:
                    if p.cmdline[2] == name:
                        print p.cmdline[2]
                        return pid
            except psutil.NoSuchProcess:
                # the process exited while we were iterating; skip it
                continue
        return None

Modified restore logic at the top of the machine manager's start method (presumably VirtualBox.start(label); the def line is assumed here, the posted fragment begins at the status check): if the first snapshot restore fails, kill the hung VirtualBox process for that VM and retry once before raising the usual error.

    def start(self, label):
        if self._status(label) == self.RUNNING:
            raise CuckooMachineError("Trying to start an already started vm %s" % label)
        try:
            if subprocess.call([self.options.virtualbox.path, "snapshot", label, "restorecurrent"],
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE):
                pid = findVBoxInstance(label)
                if pid is not None:
                    os.kill(pid, 9)
                    time.sleep(1)
                if subprocess.call([self.options.virtualbox.path, "snapshot", label, "restorecurrent"],
                                   stdout=subprocess.PIPE,
                                   stderr=subprocess.PIPE):
                    raise CuckooMachineError("VBoxManage exited with error restoring the machine's snapshot")
        except OSError as e:
            # completing the posted fragment: VBoxManage could not be executed at all
            raise CuckooMachineError("VBoxManage failed restoring the machine: %s" % e)
Sometime in the last 30 days, a process tracing regression has occurred in the development branch. The process tables in the HTML report are empty.
Add support for URL submission in submit.py script to make it able to download URLs, fetch the file and add it to the tasks queue.