Comments (18)
Sorry to hear you are having troubles. The log above tells us that from the server side, the analysis just failed. To know more we need to know what's going on in the Windows host, and for this there is a separate log which is in the analysis page, top right under 'Show Log'. Let me know what that says and hopefully this will shed some light as to what's going on.
The Windows host should be running the agent.py in order to be able to communicate with the server, which will send it analyzer.py to do the analysis - this is what writes in that log and will launch the submitted sample.
from cape.
When I clicked Show Log, it just showed an empty div:
I also have the Wireshark dump of the exchange which basically shows that the analysis started running (get_status RPC call returns with value of 2). Is there any way I can debug this from the VM side?
Yes for sure - one thing you might try is to run the agent.py in the guest without hiding the window (i.e. keeping .py instead of .pyw) and see how far it gets. A status value of 1 should tell the server the client is ready to receive the analyzer, this is then transferred to the target along with the sample. Let me know how you go.
You can see all that in cuckoo.py -d
Ah, I think this is a rooter.py race condition. I also started observing it; tomorrow I will check it.
Ran it with the -d flag and got the following output log. It seems like the analyzer was successfully uploaded to the VM, but it just hit a timeout when it tried to run the analysis. I tried increasing the analysis timeout from the default 200 to 1000 but still got the same timeout error. Gonna try remote debugging the analyzer.py file with Visual Studio Code next.
2018-10-11 16:42:22,245 [lib.cuckoo.core.resultserver] DEBUG: ResultServer running on 127.0.0.1:2042.
2018-10-11 16:42:22,248 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" machine manager with max_analysis_count=0, max_machines_count=2, and max_vmstartup_count=2
2018-10-11 16:42:24,447 [modules.machinery.virtualbox] DEBUG: Getting status for IE11 - Win7
2018-10-11 16:42:24,638 [modules.machinery.virtualbox] DEBUG: Machine IE11 - Win7 status poweroff
2018-10-11 16:42:24,674 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2018-10-11 16:42:24,690 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
2018-10-11 16:52:09,864 [lib.cuckoo.core.scheduler] DEBUG: Task #10: Processing task
2018-10-11 16:52:09,867 [lib.cuckoo.core.scheduler] INFO: Task #10: Starting analysis of FILE '/tmp/cuckoo-tmp/upload_wzwfZY/binstall.exe'
2018-10-11 16:52:09,883 [lib.cuckoo.core.scheduler] INFO: Task #10: File already exists at '/mnt/c/Users/john/Documents/cape_dev/CAPE/storage/binaries/1284211e57621f84118ce28a4df024163f663c6891c9f154883df804b592ee08'
2018-10-11 16:52:09,945 [lib.cuckoo.core.scheduler] INFO: Task #10: acquired machine cuckoo1 (label=IE11 - Win7)
2018-10-11 16:52:10,018 [modules.machinery.virtualbox] DEBUG: Starting vm IE11 - Win7
2018-10-11 16:52:10,018 [modules.machinery.virtualbox] DEBUG: Getting status for IE11 - Win7
2018-10-11 16:52:10,621 [modules.machinery.virtualbox] DEBUG: Machine IE11 - Win7 status poweroff
2018-10-11 16:52:10,643 [modules.machinery.virtualbox] DEBUG: Using snapshot cape_snap for virtual machine IE11 - Win7
2018-10-11 16:52:11,153 [modules.machinery.virtualbox] DEBUG: Getting status for IE11 - Win7
2018-10-11 16:52:11,224 [modules.machinery.virtualbox] DEBUG: Machine IE11 - Win7 status saved
2018-10-11 16:52:21,310 [modules.machinery.virtualbox] DEBUG: Getting status for IE11 - Win7
2018-10-11 16:52:21,385 [modules.machinery.virtualbox] DEBUG: Machine IE11 - Win7 status running
2018-10-11 16:52:21,435 [lib.cuckoo.core.scheduler] WARNING: Unknown network routing destination specified, ignoring routing for this analysis: None
2018-10-11 16:52:21,446 [lib.cuckoo.core.scheduler] INFO: Enabled route 'None'
2018-10-11 16:52:21,510 [modules.auxiliary.sniffer] ERROR: Tcpdump is not accessible from this user, network capture aborted
2018-10-11 16:52:21,511 [lib.cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2018-10-11 16:52:21,580 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=cuckoo1, ip=192.168.56.102)
2018-10-11 16:52:21,582 [lib.cuckoo.core.guest] DEBUG: cuckoo1: waiting for status 0x0001
2018-10-11 16:52:30,679 [lib.cuckoo.core.guest] DEBUG: cuckoo1: status ready
2018-10-11 16:52:37,255 [lib.cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=cuckoo1, ip=192.168.56.102)
2018-10-11 16:52:46,004 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analyzer started with PID 2980
2018-10-11 16:52:46,005 [lib.cuckoo.core.guest] DEBUG: cuckoo1: waiting for completion
2018-10-11 16:52:47,010 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:52:48,014 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:52:49,018 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:52:50,021 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:52:51,027 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:52:52,030 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:52:53,033 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:52:54,037 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:52:55,041 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:52:56,046 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:52:57,050 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:52:58,054 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:52:59,058 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:00,061 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:01,065 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:02,067 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:03,073 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:04,079 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:05,083 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:06,089 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:07,094 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:08,097 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:09,100 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:10,103 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:11,106 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:12,109 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:13,113 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:14,116 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:15,120 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:16,124 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:17,128 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:18,134 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:19,139 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:20,144 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:21,149 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:22,152 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:23,155 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:24,159 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:25,163 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:26,279 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 17:01:53,850 [lib.cuckoo.core.scheduler] ERROR: The analysis hit the critical timeout, terminating.
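A small triage script for the cuckoo.py -d output quoted above (an added example, not CAPE's own code): it parses the log records, counts the status=2 polls, pulls out ERROR/WARNING lines, and measures the gap between the last guest poll and the critical timeout. The sample log is a constructed, shortened copy of the one above, and the 60 s "silence" threshold is an assumption of this example.

```python
import re
from datetime import datetime

LINE_RE = re.compile(r"^(\S+ \S+) \[(\S+)\] (\w+): (.*)$")

# Constructed sample: a shortened copy of the cuckoo.py -d output quoted above.
SAMPLE_LOG = """\
2018-10-11 16:52:21,510 [modules.auxiliary.sniffer] ERROR: Tcpdump is not accessible from this user, network capture aborted
2018-10-11 16:52:46,004 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analyzer started with PID 2980
2018-10-11 16:52:47,010 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 16:53:26,279 [lib.cuckoo.core.guest] DEBUG: cuckoo1: analysis not completed yet (status=2)
2018-10-11 17:01:53,850 [lib.cuckoo.core.scheduler] ERROR: The analysis hit the critical timeout, terminating.
"""

def parse_lines(text):
    # Yield (timestamp, module, level, message); skip lines that are not log records.
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            yield ts, m.group(2), m.group(3), m.group(4)

def triage(text):
    # Summarise one run: analyzer PID, status=2 poll count, timing gaps, ERROR/WARNING lines.
    started = timeout = last_poll = pid = None
    polls, problems = 0, []
    for ts, _mod, level, msg in parse_lines(text):
        if level in ("ERROR", "WARNING"):
            problems.append(msg)
        m = re.search(r"analyzer started with PID (\d+)", msg)
        if m:
            started, pid = ts, int(m.group(1))
        elif "analysis not completed yet" in msg:
            polls, last_poll = polls + 1, ts
        elif "critical timeout" in msg:
            timeout = ts
    secs = lambda a, b: round((b - a).total_seconds(), 3) if a and b else None
    return {"analyzer_pid": pid, "polls_status2": polls, "hit_timeout": timeout is not None,
            "problems": problems,
            "run_seconds": secs(started, timeout),      # analyzer start -> timeout
            "silence_seconds": secs(last_poll, timeout)} # last guest poll -> timeout

def hints(summary, poll_gap=60.0):
    # Plain-language pointers; the 60 s silence threshold is an assumption of this example.
    out = []
    if (summary["silence_seconds"] or 0) > poll_gap:
        out.append("server stopped polling the guest long before the timeout fired: look server-side, not only in the guest")
    if any("Tcpdump" in p for p in summary["problems"]):
        out.append("tcpdump is not runnable by the CAPE user: no PCAP will be produced")
    return out
```

On the full log above the same script reports roughly eight and a half minutes of silence between the last "status=2" poll and the critical timeout, which is the server-side gap worth looking at first.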
That's weird, it only happens sometimes, which is fine. Does that happen to you for all samples?
Yeah, that does seem to be the case for now, although I've only tried it with 2 or 3 binaries. Do you know of any that have been run through CAPE before and are 100% working without getting a timeout?
I'm running CAPE; well, a timeout sometimes pops up, but that is something normal. It's malware, so if the malware doesn't exit, it keeps running, so the process is alive, so when the max time of execution is reached, the timeout is called. That isn't an error, that is more just information.
Tried on the public CAPE instance and got some results. I even tried switching to a Windows XP VM and am still getting the same results. Could this be something to do with the capemon DLLs?
Can you share a job number on the public instance so I can see what you mean?
19917 working_sample
Uh, just ran a git pull and the timeout went away.
Sorry I probably should have done that a long time ago
Cool so solved?
Yep
Then press close ;)
Oops.