
Submitted files aren't opened in the guest #820

Closed · derfel1989 opened this issue Apr 12, 2022 · 17 comments

Comments

@derfel1989 commented Apr 12, 2022

About accounts on capesandbox.com

  • Issues aren't the way to ask for account activation. Ping capesandbox on Twitter with your username.

This is open source and you are getting free support, so be friendly!

  • Free support from doomedraven ended, no whiskey no support. For something, he updated the documentation :)

Prerequisites

Please answer the following questions for yourself before submitting an issue.

  • I am running the latest version
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed
  • I'm reporting the issue to the correct repository (for multi-repository projects)
  • I have read all configs with all optional parts

Expected Behavior

Please describe the behavior you are expecting. If your x64 samples are stuck in pending, ensure that you set tags=x64 in the hypervisor conf for x64 VMs.

Current Behavior

What is the current behavior?

For every file or URL submitted to the guest, nothing happens. On the guest (Win10) I installed Chocolatey (dotnetfx dotnet4.7.2 vcredist-all wixtoolset msxml4.sp3 msxml6.sp1), Python 3.7.9, Pillow, and pywintrace.

The guest network is configured as isolated (virbr1 - 192.168.121.0).

As you can see below, there is no error evidence during the file upload, but I can't see any result based on the file sent to the guest. I've been working on it for one week without any positive results.

Many thanks for any help provided.

Context

Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions.

Git commit: Type $ git log | head -n1 to find out
OS version: Ubuntu Server 20.04 LTS
Guest: Win10_1809Oct_v2_English_x64 (https://tb.rg-adguard.net/public.php)
Hypervisor: KVM
QEMU: 6.2.0
libvirt: 8.2.0
nginx_version: 1.19.6
prometheus_version: 2.20.1
grafana_version: 7.1.5
node_exporter_version: 1.0.1
guacamole_version: 1.2.0

Failure Logs

Please include any relevant log snippets or files here.

Sample of cuckoo.log

berlin@thanos:/opt/CAPEv2$ tail -f log/cuckoo.log | ccze -A
2022-04-12 03:04:58,920 [lib.cuckoo.core.scheduler] INFO: Task #5: Starting analysis of URL 'google.com.br'
2022-04-12 03:04:58,931 [lib.cuckoo.core.scheduler] INFO: Task #5: acquired machine win10_1 (label=win10_1, arch=x64, platform=windows)
2022-04-12 03:05:04,078 [lib.cuckoo.core.scheduler] INFO: Enabled route 'internet'
2022-04-12 03:05:04,095 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 55305 (interface=virbr1, host=192.168.121.71, dump path=/opt/CAPEv2/storage/analyses/5/dump.pcap)
2022-04-12 03:05:04,109 [lib.cuckoo.core.guest] INFO: Starting analysis #5 on guest (id=win10_1, ip=192.168.121.71)
2022-04-12 03:05:04,308 [lib.cuckoo.core.guest] INFO: Guest is running CAPE Agent 0.11 (id=win10_1, ip=192.168.121.71)
2022-04-12 03:05:07,006 [lib.cuckoo.core.guest] INFO: Uploading support files to guest (id=win10_1, ip=192.168.121.71)
2022-04-12 03:09:27,367 [lib.cuckoo.core.guest] INFO: win10_1: end of analysis reached!
2022-04-12 03:09:28,282 [lib.cuckoo.core.scheduler] INFO: Disabled route 'internet'
2022-04-12 03:09:28,297 [lib.cuckoo.core.scheduler] INFO: Task #5: analysis procedure completed
2022-04-12 03:14:31,077 [lib.cuckoo.core.scheduler] INFO: Using "kvm" machine manager with max_analysis_count=1, max_machines_count=2, and max_vmstartup_count=2
2022-04-12 03:14:31,104 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2022-04-12 03:14:31,111 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks

Sample of process.log

data = current.run()
File "/opt/CAPEv2/utils/../modules/processing/sysmon.py", line 49, in run
lastlog = os.listdir(f"{self.analysis_path}/sysmon/")
FileNotFoundError: [Errno 2] No such file or directory: '/opt/CAPEv2/storage/analyses/8/sysmon/'
2022-04-12 03:33:44,710 [lib.cuckoo.core.plugins] INFO: Reporting module malheur not found in configuration file
2022-04-12 03:33:44,711 [modules.reporting.pcap2cert] ERROR: MISSED pcap2cert dependencies
2022-04-12 03:33:44,775 [lib.cuckoo.core.plugins] WARNING: The reporting module "ReportPDF" returned the following error: Unable to open summary HTML report to convert to PDF: Ensure reporthtmlsummary is enabled in reporting.conf
2022-04-12 03:33:44,778 [root] WARNING: PyMongo auto-reconnecting...127.0.0.1:27017: connection pool paused. Waiting 0.5 seconds
2022-04-12 03:33:45,392 [root] INFO: Task #8: reports generation completed
2022-04-12 03:38:47,562 [root] INFO: Processing analysis data

Cuckoo conf files:

https://pastebin.com/2VH4N4Ad

@kevoreilly (Owner)

As this looks like a problem on the Windows side, the most relevant log is the 'analysis' log which appears top right on the analysis page. If you can copy that log here we might get an idea what's going wrong.

@derfel1989 (Author)

> As this looks like a problem on the Windows side, the most relevant log is the 'analysis' log which appears top right on the analysis page. If you can copy that log here we might get an idea what's going wrong.

Many thanks for your quick response.

I've checked the log folder and no analysis.log file was noticed.

image

Is there anything I should do to have this file in place?

Once again, thank you.

@kevoreilly (Owner)

Are you able to see a web page for the job? If so the link is top right in the job's main page - click 'show log'.

Failing that if you can check on the server, these are located in storage/analyses/X/analysis.log where X is the job number

@derfel1989 (Author)

Nothing showed in the "Show Log".

image

@derfel1989 (Author) commented Apr 12, 2022

I made a video on how submitting works in the back-end. Please, speed up the video, it's just for clarification.

https://youtu.be/ELP4UXdbBa4

@derfel1989 (Author) commented Apr 12, 2022

I removed Python 3.7 on the Win10 guest and installed Python 3.6 as recommended in the documentation. Windows firewall and other features about security were disabled. However, the result is still the same. Also, I can't have screenshots in the web-gui.

I can see port 8000 open on the guest and receive the result when performing the curl request.

@derfel1989 (Author) commented Apr 13, 2022

> As this looks like a problem on the Windows side, the most relevant log is the 'analysis' log which appears top right on the analysis page. If you can copy that log here we might get an idea what's going wrong.

Should I disable anything on Windows 10 (guest) to communicate correctly with Cuckoo, like firewall, windows defender, etc?

@kevoreilly (Owner)

What I would do is load the agent with visible console in the vm (rename to agent.py) then you will see on the screen some output that will help in identifying the problem.

@derfel1989 (Author)

> What I would do is load the agent with visible console in the vm (rename to agent.py) then you will see on the screen some output that will help in identifying the problem.

Perfect. Many thanks for your time trying to help me.

@derfel1989 (Author) commented Apr 14, 2022

Hi @kevoreilly , finally I got the VM communicating with Cuckoo. The issue was the kvm.conf file, in which I made the mistake of putting the same IP for ip= and resultserver_ip=, as shown below (already fixed).

image

However, I'm still facing an issue generating a PCAP file. I used the KVM script during the installation and I also checked that the user cape is part of the pcap group, and it is.

==> ./process.log <==
2022-04-14 01:06:16,821 [root] INFO: Processing analysis data for Task #20
2022-04-14 01:06:16,873 [modules.processing.behavior] INFO: Analysis results folder does not contain any file or injection was disabled
2022-04-14 01:06:16,876 [root] ERROR: Memory dump not found: to run volatility you have to enable memory_dump
2022-04-14 01:06:16,876 [modules.processing.network] WARNING: The PCAP file does not exist at path "/opt/CAPEv2/storage/analyses/20/dump.pcap"
2022-04-14 01:06:16,877 [lib.cuckoo.core.plugins] WARNING: The processing module "Strings" returned the following error: Error opening file [Errno 2] No such file or directory: '/opt/CAPEv2/storage/analyses/20/binary'
2022-04-14 01:06:16,877 [modules.processing.suricata] WARNING: Unable to Run Suricata: Pcap file /opt/CAPEv2/storage/analyses/20/dump.pcap does not exist
2022-04-14 01:06:17,246 [lib.cuckoo.core.plugins] WARNING: The processing module "VirusTotal" returned the following error: Unable to complete connection to VirusTotal. Status code: 404
2022-04-14 01:06:17,315 [lib.cuckoo.core.plugins] INFO: Reporting module malheur not found in configuration file
2022-04-14 01:06:17,443 [root] WARNING: PyMongo auto-reconnecting...127.0.0.1:27017: connection pool paused. Waiting 0.5 seconds
2022-04-14 01:06:18,032 [root] INFO: Task #20: reports generation completed

Analysis Log

2022-04-13 15:51:35,973 [root] INFO: Date set to: 20220414T01:03:20, timeout set to: 200
2022-04-13 15:51:36,078 [root] DEBUG: Starting analyzer from: C:\tmphbfeaofl
2022-04-13 15:51:36,078 [root] DEBUG: Storing results at: C:\ilkazgF
2022-04-13 15:51:36,078 [root] DEBUG: Pipe server name: \.\PIPE\RTTdEFO
2022-04-13 15:51:36,078 [root] DEBUG: Python path: C:\Users\Maria\AppData\Local\Programs\Python\Python37-32
2022-04-13 15:51:36,078 [root] DEBUG: No analysis package specified, trying to detect it automagically
2022-04-13 15:51:36,078 [root] INFO: Automatically selected analysis package "ie"
2022-04-13 15:51:36,078 [root] DEBUG: Importing analysis package "ie"...
2022-04-13 15:51:36,107 [root] DEBUG: Initializing analysis package "ie"...
2022-04-13 15:51:36,107 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL option
2022-04-13 15:51:36,107 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL_64 option
2022-04-13 15:51:36,107 [root] INFO: Analyzer: Package modules.packages.ie does not specify a loader option
2022-04-13 15:51:36,107 [root] INFO: Analyzer: Package modules.packages.ie does not specify a loader_64 option
2022-04-13 15:51:36,583 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2022-04-13 15:51:36,583 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2022-04-13 15:51:36,608 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2022-04-13 15:51:36,639 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2022-04-13 15:51:36,671 [root] DEBUG: Importing auxiliary module "modules.auxiliary.evtx"...
2022-04-13 15:51:36,701 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2022-04-13 15:51:36,733 [root] DEBUG: Importing auxiliary module "modules.auxiliary.procmon"...
2022-04-13 15:51:36,748 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2022-04-13 15:51:36,748 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2022-04-13 15:51:36,770 [lib.api.screenshot] ERROR: No module named 'PIL'
2022-04-13 15:51:36,785 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2022-04-13 15:51:36,785 [root] DEBUG: Importing auxiliary module "modules.auxiliary.tlsdump"...
2022-04-13 15:51:36,795 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2022-04-13 15:51:36,795 [root] DEBUG: Initializing auxiliary module "Browser"...
2022-04-13 15:51:36,827 [root] DEBUG: Started auxiliary module Browser
2022-04-13 15:51:36,827 [root] DEBUG: Initializing auxiliary module "Curtain"...
2022-04-13 15:51:36,827 [root] DEBUG: Started auxiliary module Curtain
2022-04-13 15:51:36,827 [root] DEBUG: Initializing auxiliary module "DigiSig"...
2022-04-13 15:51:36,827 [modules.auxiliary.digisig] DEBUG: Skipping authenticode validation, analysis is not a file
2022-04-13 15:51:36,827 [root] DEBUG: Started auxiliary module DigiSig
2022-04-13 15:51:36,827 [root] DEBUG: Initializing auxiliary module "Disguise"...
2022-04-13 15:51:36,827 [root] WARNING: Cannot execute auxiliary module Disguise: [WinError 5] Access is denied
2022-04-13 15:51:36,827 [root] DEBUG: Initializing auxiliary module "Evtx"...
2022-04-13 15:51:36,827 [root] DEBUG: Started auxiliary module Evtx
2022-04-13 15:51:36,856 [root] DEBUG: Initializing auxiliary module "Human"...
2022-04-13 15:51:36,857 [root] DEBUG: Started auxiliary module Human
2022-04-13 15:51:36,857 [root] DEBUG: Initializing auxiliary module "Procmon"...
2022-04-13 15:51:36,857 [root] DEBUG: Started auxiliary module Procmon
2022-04-13 15:51:36,857 [root] DEBUG: Initializing auxiliary module "Screenshots"...
2022-04-13 15:51:36,857 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2022-04-13 15:51:36,857 [root] DEBUG: Started auxiliary module Screenshots
2022-04-13 15:51:36,857 [root] DEBUG: Initializing auxiliary module "Sysmon"...
2022-04-13 15:51:36,857 [root] DEBUG: Started auxiliary module Sysmon
2022-04-13 15:51:36,857 [root] DEBUG: Initializing auxiliary module "TLSDumpMasterSecrets"...
2022-04-13 15:51:36,895 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 636
2022-04-13 15:51:37,076 [lib.api.process] INFO: Monitor config for process 636: C:\tmphbfeaofl\dll\636.ini
2022-04-13 15:51:37,202 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2022-04-13 15:51:37,202 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmphbfeaofl\dll\MHpDKUd.dll, loader C:\tmphbfeaofl\bin\LCAksymu.exe
2022-04-13 15:51:37,451 [root] DEBUG: Loader: Injecting process 636 with C:\tmphbfeaofl\dll\MHpDKUd.dll.
2022-04-13 15:51:37,451 [root] DEBUG: Error 5 (0x5) - InjectDll: Failed to open process: Access is denied.
2022-04-13 15:51:37,498 [root] DEBUG: Successfully injected DLL C:\tmphbfeaofl\dll\MHpDKUd.dll.
2022-04-13 15:51:37,531 [root] DEBUG: Started auxiliary module TLSDumpMasterSecrets
2022-04-13 15:51:37,531 [root] DEBUG: Initializing auxiliary module "Usage"...
2022-04-13 15:51:37,565 [root] DEBUG: Started auxiliary module Usage
2022-04-13 15:51:39,623 [root] INFO: Restarting WMI Service
2022-04-13 15:51:40,060 [root] INFO: You probably submitted the job with wrong package
Traceback (most recent call last):
File "C:/tmphbfeaofl/analyzer.py", line 510, in run
pids = self.package.start(self.target)
File "C:\tmphbfeaofl\modules\packages\ie.py", line 16, in start
iexplore = self.get_path("Internet Explorer")
File "C:\tmphbfeaofl\lib\common\abstracts.py", line 80, in get_path
raise CuckooPackageError(f"Unable to find any {application} executable")
lib.common.exceptions.CuckooPackageError: Unable to find any Internet Explorer executable
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "C:/tmphbfeaofl/analyzer.py", line 1378, in
success = analyzer.run()
File "C:/tmphbfeaofl/analyzer.py", line 514, in run
raise CuckooError(f'The package "{package_name}" start function raised an error: {e}') from e
lib.common.exceptions.CuckooError: The package "modules.packages.ie" start function raised an error: Unable to find any Internet Explorer executable
2022-04-13 15:51:40,170 [root] WARNING: Folder at path "C:\ilkazgF\debugger" does not exist, skipping
2022-04-13 15:51:40,193 [root] WARNING: Folder at path "C:\ilkazgF\tlsdump" does not exist, skipping
2022-04-13 15:51:40,201 [root] INFO: Analysis completed

For the problem related to IE11, I have changed to Edge Legacy; I will test it. In case you know browser versions that are compatible with CAPE, please let me know.

image

Thank you so much! =D
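The misconfiguration found above (the guest's ip= and resultserver_ip= set to the same address) is easy to catch before a job is ever submitted. The checker below is an added example, not code from CAPEv2; it reads a constructed kvm.conf in the layout of CAPE's conf/kvm.conf, flags a result server address that equals the guest address or is off the guest's network (the /24 size is an assumption), and also flags an x64 machine without tags=x64, which the issue template says leaves x64 samples pending.

```python
import configparser
import ipaddress

# Constructed sample in the layout of CAPE's conf/kvm.conf (not the reporter's
# real file). [win10_1] reproduces the thread's mistake: ip= and
# resultserver_ip= set to the same address.
SAMPLE_KVM_CONF = """
[kvm]
machines = win10_1
interface = virbr1

[win10_1]
label = win10_1
platform = windows
ip = 192.168.121.71
arch = x64
tags = x64
resultserver_ip = 192.168.121.71
"""


def check_kvm_conf(text, prefix=24):
    """Return (machine, problem) findings for a kvm.conf text.
    prefix is an assumption: the guest network size (virbr1 treated as /24)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = []
    machines = [m.strip() for m in cfg["kvm"]["machines"].split(",") if m.strip()]
    for name in machines:
        if name not in cfg:
            findings.append((name, "listed in machines= but has no section"))
            continue
        sec = cfg[name]
        try:
            guest_ip = ipaddress.ip_address(sec.get("ip", ""))
        except ValueError:
            findings.append((name, "ip= missing or invalid"))
            continue
        rs = sec.get("resultserver_ip", "")
        if rs:
            try:
                rs_ip = ipaddress.ip_address(rs)
            except ValueError:
                findings.append((name, "resultserver_ip= invalid"))
            else:
                # The result server runs on the host: the agent cannot report to
                # its own address, and it must be able to route to the host.
                if rs_ip == guest_ip:
                    findings.append((name, "resultserver_ip equals guest ip"))
                elif rs_ip not in ipaddress.ip_network(f"{guest_ip}/{prefix}", strict=False):
                    findings.append((name, "resultserver_ip not on guest network"))
        tags = [t.strip() for t in sec.get("tags", "").split(",")]
        if sec.get("arch", "").lower() == "x64" and "x64" not in tags:
            findings.append((name, "arch x64 without tags=x64; x64 samples stay pending"))
    return findings
```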

@kevoreilly (Owner)

Glad to hear you solved that problem. I'm sorry to say that browser compatibility is not good in cape - with Chrome, Firefox and Edge all using Chromium with a very complex architecture split across dozens of processes, the model of injecting a monitor dll into each process was stretched to the extreme. But it's the locked-down nature of a lot of the browser processes that really does for the injected monitor's abilities - it was never designed to run within locked-down low privilege 'sandboxed' processes...

So the only good compatibility in cape is with older style browsers like Internet Explorer and Firefox versions from a few years ago!

But cape is not really intended for this use case - when it was conceived of in Cuckoo the idea was to catch browser exploits. These are rarer these days and for reasons mentioned above are not able to be easily monitored. If catching exploits is not your aim then I am afraid to say cape probably isn't designed to do what you want...

What it's really all about is detonating malware...

@derfel1989 (Author)

Thank you so much for being supportive of my question @kevoreilly .

Do you have any idea what might be causing the issue that I mentioned?

However, I'm still facing an issue generating a PCAP file. I used the KVM script during the installation and I also checked that the user cape is part of the pcap group, and it is.

==> ./process.log <==
2022-04-14 01:06:16,876 [modules.processing.network] WARNING: The PCAP file does not exist at path "/opt/CAPEv2/storage/analyses/20/dump.pcap"
2022-04-14 01:06:16,877 [lib.cuckoo.core.plugins] WARNING: The processing module "Strings" returned the following error: Error opening file [Errno 2] No such file or directory: '/opt/CAPEv2/storage/analyses/20/binary'
2022-04-14 01:06:16,877 [modules.processing.suricata] WARNING: Unable to Run Suricata: Pcap file /opt/CAPEv2/storage/analyses/20/dump.pcap does not exist

There is no dump.pcap file in the folder.
image

@kevoreilly (Owner)

The pcap is captured by the 'sniffer' auxiliary module which is server-side (logs to cuckoo.log). It might be worth debugging this module or trying to test tcpdump manually (called by sniffer).

@kevoreilly (Owner)

Since the original issue is solved I will close this.

@derfel1989 (Author)

I noticed that the issue with pcap file was because the command aa-disable /usr/sbin/tcpdump failed during the installation process.

I found a solution here > Cuckoo Network Analysis Failure

What I did?

  1. Performed the command - sudo aa-complain /usr/sbin/tcpdump
  2. Performed the command - sudo aa-disable /usr/sbin/tcpdump
  3. It's recommended to restart the host afterwards.

If the solution above doesn't work, we can test with only the first command. In case of a persistent issue, we can try the commands below.

  1. sudo ln -s /etc/apparmor.d/usr.sbin.tcpdump /etc/apparmor.d/disable/
  2. sudo /etc/init.d/apparmor restart

Checking the result

Perform the command sudo aa-status and you'll see a list like below.

image

Possible script update

I also updated my script cape2.sh as shown below to avoid future issues like that. I hope this can help you.

image
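The fix above changes the AppArmor mode of /usr/sbin/tcpdump, and the check step reads it back from aa-status. The helpers below are an added example, not part of CAPEv2 or cape2.sh: they parse constructed aa-status output into a profile-to-mode map, classify the tcpdump profile as enforce, complain or disabled (the three states the steps move it through), and pull the denied paths out of constructed kernel-log lines, which is where a tcpdump write refused under storage/analyses shows up when dump.pcap is missing.

```python
import re

# Constructed aa-status output (not the reporter's screenshot), in the layout
# the tool prints: a count line per mode, then the indented profile names.
AA_STATUS_ENFORCED = """\
apparmor module is loaded.
31 profiles are loaded.
29 profiles are in enforce mode.
   /usr/bin/man
   /usr/sbin/tcpdump
   lsb_release
2 profiles are in complain mode.
   /usr/sbin/cupsd
   libreoffice-oopslash
0 profiles are in kill mode.
0 profiles are in unconfined mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cupsd (901)
"""

# Constructed kernel-log lines in the shape of AppArmor audit messages (not from the thread).
SAMPLE_DMESG = """\
[  812.511] audit: type=1400 audit(1649900000.1:42): apparmor="DENIED" operation="mknod" profile="/usr/sbin/tcpdump" name="/opt/CAPEv2/storage/analyses/20/dump.pcap" pid=55305 comm="tcpdump" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[  812.600] audit: type=1400 audit(1649900000.2:43): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=901 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

MODE_LINE = re.compile(r"^\d+ profiles are in (\w+) mode\.$")
DENIAL = re.compile(r'apparmor="DENIED".*?profile="([^"]+)".*?name="([^"]+)"')


def profile_modes(aa_status_text):
    """Map each loaded profile name to its mode (enforce, complain, kill, unconfined)."""
    modes, current = {}, None
    for raw in aa_status_text.splitlines():
        m = MODE_LINE.match(raw.strip())
        if m:
            current = m.group(1)
        elif raw.startswith(" ") and current:
            modes[raw.strip()] = current
        else:
            current = None  # the process section and other count lines end the list
    return modes


def tcpdump_status(aa_status_text, profile="/usr/sbin/tcpdump"):
    """enforce: the stock profile limits where tcpdump may write, so the sniffer's
    dump path under storage/analyses can be refused; complain: after aa-complain,
    writes are allowed and only logged; disabled: after aa-disable, not loaded."""
    return profile_modes(aa_status_text).get(profile, "disabled")


def apparmor_denials(log_text, profile="/usr/sbin/tcpdump"):
    """Paths the given profile was denied, from kernel/auditd lines (what to look
    for in dmesg or /var/log/syslog when dump.pcap never appears)."""
    return [name for prof, name in DENIAL.findall(log_text) if prof == profile]
```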

@kevoreilly (Owner)

Thank you for this feedback - hopefully this will help others in future. I hope your sandbox is now working well.

@doomedraven (Collaborator)

Thanks for the feedback. To make everyone's life easier, try to push your updates back to the source, as that would help others get it and give us one central place. I have added aa-complain.
