
keyError = ttd modules.packages.exe encountered the unhandled exception exe.py #2279

Closed
lockroz opened this issue Aug 18, 2024 · 3 comments

@lockroz

lockroz commented Aug 18, 2024

About accounts on capesandbox.com

  • Issues isn't the way to ask for account activation. Ping capesandbox in Twitter with your username

This is open source and you are getting free support so be friendly!

Prerequisites

Please answer the following questions for yourself before submitting an issue.

  • [Y] I am running the latest version
  • [Y] I did read the README!
  • [Y] I checked the documentation and found no answer
  • [Y] I checked to make sure that this issue has not already been filed
  • [Y] I'm reporting the issue to the correct repository (for multi-repository projects)
  • [Y] I have read and checked all configs (with all optional parts)

Expected Behavior

The analysis should complete successfully, gathering all the required data.

Current Behavior

Currently, the analysis fails with the following error:

2024-08-18 18:21:19,822 [root] INFO: You probably submitted the job with wrong package
Traceback (most recent call last):
  File "C:\tmp8jgunaps\analyzer.py", line 385, in choose_package
    pkg_module = importlib.import_module(package_name)
  File "C:\Users\cape\AppData\Local\Programs\Python\Python310-32\lib\importlib\__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 879, in exec_module
  File "<frozen importlib._bootstrap_external>", line 1017, in get_code
  File "<frozen importlib._bootstrap_external>", line 947, in source_to_code
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "C:\tmp8jgunaps\modules\packages\exe.py", line 29
    ttd = self.options.get("ttd",0)
    ^
TabError: inconsistent use of tabs and spaces in indentation

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "C:\tmp8jgunaps\analyzer.py", line 1524, in <module>
    success = analyzer.run()
  File "C:\tmp8jgunaps\analyzer.py", line 424, in run
    self.package_name, self.package = self.choose_package()
  File "C:\tmp8jgunaps\analyzer.py", line 390, in choose_package
    raise CuckooError(f'Unable to import package "{self.package_name}", does not exist') from e
lib.common.exceptions.CuckooError: Unable to import package "None", does not exist

I attempted to fix this by adding:

ttd = self.options.get("ttd", 0)

so a null is always available for ttd but it made it worse

I assume that since this error occurs, the rest of the analysis process does not proceed correctly, leading to an incomplete analysis.

package

/analyser/windows/modules/packages/exe.py

Failure Information (for bugs)

I've reinstalled multiple times, but each time I upload a PE file, I get this error, and the analysis doesn't proceed past this point. I've reviewed all the configurations, and everything appears to be in order.


Context

Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions. Operating system version, bitness, installed software versions, test sample details/hash/binary (if applicable).

Question Answer
Git commit Type $ git log | head -n1 to find out
OS version Ubuntu 22.04, Windows 10

Failure Logs

The core CAPE service logs appear fine, but the processor logs show no FLARE CAPA hits. Below are some key excerpts:

Aug 18 09:32:46 cape-virtual-machine python3[7805]: 2024-08-18 09:32:46,323 [root] INFO: Processing analysis data
Aug 18 09:46:19 cape-virtual-machine python3[7805]: 2024-08-18 09:46:19,048 [root] INFO: Processing analysis data for Task #1
Aug 18 09:46:19 cape-virtual-machine python3[7805]: Missing machinery-required libraries.
Aug 18 09:46:19 cape-virtual-machine python3[7805]: poetry run python -m pip install azure-identity msrest msrestazure azure-mgmt-compute azure-mgmt-network azure-mgmt-storage azure-storage-blob
Aug 18 09:46:21 cape-virtual-machine python3[8836]: 2024-08-18 09:46:21,062 [Task 1] [vivisect.parsers.pe] INFO: loadPeIntoWorkspace: loading '/opt/CAPEv2/storage/binaries/fffbd78bb2682da5b60d2cb6173c1b8354ff47fa5ff95b22fd2847dc92a9f47d' (size: 0x26200c) at 0x400000
Aug 18 09:46:21 cape-virtual-machine python3[8836]: 2024-08-18 09:46:21,115 [Task 1] [vivisect.parsers.pe] INFO: PE loader: Arch: 'i386' Format: pe Platform: 'windows' Filename: '/opt/CAPEv2/storage/binaries/fffbd78bb2682da5b60d2cb6173c1b8354ff47fa5ff95b22fd2847dc92a9f47d' BaseAddr: 0x400000
Aug 18 09:46:21 cape-virtual-machine python3[8836]: 2024-08-18 09:46:21,115 [Task 1] [vivisect.parsers.pe] INFO: PE Imagebase: 0x400000 entry: 0x65f67e codebase: 0x2000 codesize: 0x25d800
Aug 18 09:46:21 cape-virtual-machine python3[8836]: 2024-08-18 09:46:21,120 [Task 1] [vivisect.parsers.pe] INFO: PE dllname: None fvivname: '/opt/CAPEv2/storage/binaries/fffbd78bb2682da5b60d2cb6173c1b8354ff47fa5ff95b22fd2847dc92a9f47d' md5: '17a825e38324e6efc7261122a5bd3330' sha256: 'FFFBD78BB2682DA5B60D2CB6173C1B8354FF47FA5FF95B22FD2847DC92A9F47D'
Aug 18 09:46:21 cape-virtual-machine python3[8836]: 2024-08-18 09:46:21,134 [Task 1] [vivisect.parsers.pe] INFO: PE relocation: 0x65f680 -> 'fffbd78bb2682da5b60d2cb6173c1b8354ff47fa5ff95b22fd2847dc92a9f47d'+0x2000
Aug 18 09:46:21 cape-virtual-machine python3[8836]: 2024-08-18 09:46:21,134 [Task 1] [vivisect.parsers.pe] INFO: Skipping PE Relocation type: 0 at 2486272 (no handler)
Aug 18 09:46:21 cape-virtual-machine python3[8836]: 2024-08-18 09:46:21,857 [Task 1] [vivisect.analysis] INFO: Vivisect Analysis Setup Hooks Complete
Aug 18 09:46:21 cape-virtual-machine python3[8836]: 2024-08-18 09:46:21,859 [Task 1] [vivisect] INFO: Beginning analysis...
Aug 18 09:46:21 cape-virtual-machine python3[8836]: 2024-08-18 09:46:21,859 [Task 1] [vivisect] INFO: Extended Analysis: vivisect.analysis.generic.linker
Aug 18 09:46:21 cape-virtual-machine python3[8836]: 2024-08-18 09:46:21,859 [Task 1] [vivisect.analysis.generic.linker] INFO: linking Imports with Exports
Aug 18 09:46:21 cape-virtual-machine python3[8836]: 2024-08-18 09:46:21,859 [Task 1] [vivisect] INFO: Extended Analysis: vivisect.analysis.generic.entrypoints
Aug 18 09:46:21 cape-virtual-machine python3[8836]: 2024-08-18 09:46:21,864 [Task 1] [vivisect] INFO: Extended Analysis: vivisect.analysis.pe
Aug 18 09:46:21 cape-virtual-machine python3[8836]: 2024-08-18 09:46:21,864 [Task 1] [vivisect] INFO: Extended Analysis: vivisect.analysis.generic.relocations
Aug 18 09:46:21 cape-virtual-machine python3[8836]: 2024-08-18 09:46:21,864 [Task 1] [vivisect] INFO: Extended Analysis: vivisect.analysis.ms.vftables
Aug 18 09:46:25 cape-virtual-machine python3[8836]: 2024-08-18 09:46:25,347 [Task 1] [vivisect] INFO: Extended Analysis: vivisect.analysis.generic.emucode
Aug 18 09:46:25 cape-virtual-machine python3[8836]: 2024-08-18 09:46:25,349 [Task 1] [vivisect] INFO: emucode: 0 new functions defined (now total: 1)
Aug 18 09:46:25 cape-virtual-machine python3[8836]: 2024-08-18 09:46:25,349 [Task 1] [vivisect] INFO: Extended Analysis: vivisect.analysis.i386.importcalls
Aug 18 09:46:25 cape-virtual-machine python3[8836]: 2024-08-18 09:46:25,354 [Task 1] [vivisect] INFO: Extended Analysis: vivisect.analysis.i386.golang
Aug 18 09:46:25 cape-virtual-machine python3[8836]: 2024-08-18 09:46:25,355 [Task 1] [vivisect] INFO: Extended Analysis: vivisect.analysis.ms.localhints
Aug 18 09:46:25 cape-virtual-machine python3[8836]: 2024-08-18 09:46:25,355 [Task 1] [vivisect] INFO: Extended Analysis: vivisect.analysis.generic.funcentries
Aug 18 09:46:32 cape-virtual-machine python3[8836]: 2024-08-18 09:46:32,071 [Task 1] [vivisect] INFO: Extended Analysis: vivisect.analysis.ms.msvcfunc
Aug 18 09:46:32 cape-virtual-machine python3[8836]: 2024-08-18 09:46:32,071 [Task 1] [vivisect] INFO: Extended Analysis: vivisect.analysis.generic.thunks
Aug 18 09:46:32 cape-virtual-machine python3[8836]: 2024-08-18 09:46:32,071 [Task 1] [vivisect] INFO: Extended Analysis: vivisect.analysis.generic.strconst
Aug 18 09:46:32 cape-virtual-machine python3[8836]: 2024-08-18 09:46:32,071 [Task 1] [vivisect] INFO: ...analysis complete! (10 sec)
Aug 18 09:46:33 cape-virtual-machine python3[8836]: 2024-08-18 09:46:33,203 [Task 1] [vivisect] INFO: Percentage of discovered executable surface area: 0.0% (10 / 2480128)
Aug 18 09:46:33 cape-virtual-machine python3[8836]: 2024-08-18 09:46:33,204 [Task 1] [vivisect] INFO: Xrefs/Blocks/Funcs: (2 / 1 / 1)
Aug 18 09:46:33 cape-virtual-machine python3[8836]: 2024-08-18 09:46:33,204 [Task 1] [vivisect] INFO: Locs, Ops/Strings/Unicode/Nums/Ptrs/Vtables: (15: 1 / 0 / 0 / 6 / 0 / 0)
Aug 18 09:46:39 cape-virtual-machine python3[8836]: 2024-08-18 09:46:39,812 [Task 1] [lib.cuckoo.common.integrations.capa] INFO: FLARE CAPA -> No process data available
Aug 18 09:46:40 cape-virtual-machine python3[7805]: 2024-08-18 09:46:40,096 [root] INFO: Reports generation completed for Task #1

It seems that the analysis is failing due to missing process data as indicated by this log:

Aug 18 09:46:39 cape-virtual-machine python3[8836]: 2024-08-18 09:46:39,812 [Task 1] [lib.cuckoo.common.integrations.capa] INFO: FLARE CAPA -> No process data available

lockroz changed the title from "keyError = ttd modules.packages.exe encountared the unhandled exception exe.py" to "keyError = ttd modules.packages.exe encountered the unhandled exception exe.py" on Aug 18, 2024

@nbyt3

nbyt3 commented Aug 18, 2024

ttd=0 in options fixed the issue for me

@doomedraven
Collaborator

Hello, thanks for reporting it. When you have a fix, it would be appreciated if you directly submitted a pull request with the suggested fix. Will fix it.

@kevoreilly
Owner

This should be fixed in 5ae84cc - apologies that was my fault - I am still unsure why no exception was produced on my dev instance, and why a key error is returned from get() dictionary method - but this will fix it.
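
An added example, not code from the CAPE project: the traceback in this issue shows the guest analyzer failing at import time because exe.py mixed tabs and spaces, which surfaces only as "Unable to import package". One way to catch this before a task is submitted is to compile every package module on the host; the function names, directory layout and file contents below are constructed for illustration.

```python
import tempfile
from pathlib import Path


def find_broken_modules(package_dir):
    """Compile every .py file under package_dir without executing it.

    Returns a list of (file name, line, error type, message) tuples for
    files that would fail at importlib.import_module() time.
    """
    findings = []
    for path in sorted(Path(package_dir).rglob("*.py")):
        try:
            compile(path.read_bytes(), str(path), "exec")
        except SyntaxError as exc:  # TabError and IndentationError are subclasses
            findings.append((path.name, exc.lineno, type(exc).__name__, exc.msg))
    return findings


# Constructed sample modules (not the project's real files).
GOOD_SOURCE = (
    "class Dll:\n"
    "    def start(self, path):\n"
    "        return path\n"
)
BAD_SOURCE = (
    "class Exe:\n"
    "    def start(self, path):\n"
    "        args = self.options.get('arguments')\n"
    "\tttd = self.options.get('ttd', 0)\n"  # one tab among space-indented lines
    "        return args, ttd\n"
)


def demo():
    """Write the two sample modules to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "dll.py").write_text(GOOD_SOURCE)
        Path(tmp, "exe.py").write_text(BAD_SOURCE)
        return find_broken_modules(tmp)


if __name__ == "__main__":
    for name, lineno, kind, msg in demo():
        print(f"{name}:{lineno}: {kind}: {msg}")
```

Running the same scan over the analyzer's packages directory after pulling an update reports the offending file and line directly, instead of the indirect CuckooError seen in the guest log.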
