community's People

Contributors

apeppels, bkcuckoo, bladeswords, botherder, cccs-kevin, doomedraven, ehhmfgjsuwvraigy, evert0x, fernandodoming, glysbaysb, jbremer, jekil, jholgui, kevross33, killerinstinct, lordremorin, mboman, nsmfoo, paramduggal, rep, ricovz, robbyfux, srpape, stacksth, thejustaguy, thorsten-sick, threatlead, tsunulukai, tweemeterjop, y2h4ck

community's Issues

Make changes in Configuration

Hi,

I am very new to Cuckoo Sandbox and still learning its features and process. I am working on a project and want to customise Cuckoo by modifying the configuration file to run a third-party tool along with Cuckoo. How can I customise the Cuckoo configuration to run a third-party tool?
Your help is much appreciated!
Thank you.

Check Pre-Execution of Submit.py

Does Cuckoo have a way to run a check before it runs? I have a URL that will return file reputation and I would like cuckoo to stand down if the reputation is known good. I was looking for a configuration option prior to building a wrapper or modifying code.

community/modules/signatures/windows/antivm_generic_cpu.py error

Getting an error with this signature.

2016-05-31 18:32:34,541 [lib.cuckoo.core.plugins] ERROR: Failed to run 'on_complete' of the antivm_generic_cpu signature
Traceback (most recent call last):
File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 378, in call_signature
if handler(*args, **kwargs):
File "/opt/cuckoo/modules/signatures/windows/antivm_generic_cpu.py", line 32, in on_complete
for regkey in self.check_key(pattern=indicator, regex=True, all=True):
File "/opt/cuckoo/lib/cuckoo/common/abstracts.py", line 903, in check_key
all=all)
File "/opt/cuckoo/lib/cuckoo/common/abstracts.py", line 731, in _check_value
exp = re.compile(pattern, re.IGNORECASE)
File "/usr/lib/python2.7/re.py", line 190, in compile
return _compile(pattern, flags)
File "/usr/lib/python2.7/re.py", line 244, in _compile
raise error, v # invalid expression
error: unexpected end of regular expression

self.get_initial_process or equivalent required for delete self migration

Hi,

For this sig it needs to determine the initial process. There is a check "initialproc = self.get_initial_process()" which is used. Is this possible to determine in cuckoo-2.0 for use in the sig, either through the same or a similar call or another way? This is an important sig as it is common for malware during its execution, following code injection or child processes, to delete the original binary, which is a giveaway that it is malicious.

The sig I want to convert is this:
https://github.com/spender-sandbox/community-modified/blob/master/modules/signatures/deletes_self.py

Failed to run 'on_call' of the creates_service signature

service_name = call["arguments"].get("service_name", "").lower()

[cuckoo.core.plugins] ERROR: Failed to run 'on_call' of the creates_service signature
Traceback (most recent call last):
  File "cuckoo/cuckoo/core/plugins.py", line 417, in call_signature
    if not signature.matched and handler(*args, **kwargs):
  File "cuckoo_data/signatures/windows/creates_service.py", line 26, in on_call
    service_name = call["arguments"].get("service_name", "").lower()
AttributeError: 'NoneType' object has no attribute 'lower'

Multiple flavors of VM

Hi Team,

I have tried Multiple flavours of VM like Win7 in 32-bit & 64-bit and Win 8 in 32 & 64-bit.

I have configured virtualbox.conf for each VM successfully. But the issue is with memory.conf, as the guest profile will be different for different flavours, i.e., for Win 7 32-bit, guest profile = Win7SP0x86, but for Win 8 32-bit, guest profile = Win8SP0x86. So I don't know how to configure the guest profile for each and every VM.

Note: Volatility is running fine with a single VM and a single guest profile in memory.conf.

Request for help on configuring memory.conf (guest profile for multiple VMs).

Specifications:

Cuckoo v2.0
Volatility 2.5.1
Oracle Virtualbox v5.1

Thanks & Regards,
Satheesh

issue with modules/signatures/windows/exploitation.py

This signature keeps crashing on my cuckoo-setup. The signature tries to access the "process_identifier" key, which is not there.

I also printed the call-dictionary just before it tried to access call["arguments"]["process_identifier"]:

{'category': u'process', 'status': 1, 'stacktrace': [], 'api': u'NtAllocateVirtualMemory', 'return_value': 0L, 'arguments': {u'region_size': 65536, u'protection': 4, u'process_handle': '0xffffffff', u'allocation_type': 4096, u'base_address': '0x0a020000'}, 'time': datetime.datetime(2016, 11, 8, 6, 16, 12, 625010), 'tid': 1496, 'flags': {u'protection': u'PAGE_READWRITE', u'allocation_type': u'MEM_COMMIT'}}

traceback:

ERROR:lib.cuckoo.core.plugins:Failed to run 'on_call' of the exploit_heapspray signature
Traceback (most recent call last):
File "/opt/cuckoo/utils/../lib/cuckoo/core/plugins.py", line 378, in call_signature
if handler(*args, **kwargs):
File "/opt/cuckoo/utils/../modules/signatures/windows/exploitation.py", line 23, in on_call
pid = call["arguments"]["process_identifier"]
KeyError: 'process_identifier'

Any idea what is wrong?
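
The two tracebacks above (creates_service's `'NoneType' object has no attribute 'lower'` and exploitation.py's `KeyError: 'process_identifier'`) share a root cause: the signature assumes a call argument is both present and non-None. The following is an added example, not Cuckoo's own code, showing a defensive accessor and how the two signatures' lookups behave with it. It assumes call records are dicts shaped like the one printed in the issue above and that the `process` handed to `on_call` is a dict with a `"pid"` key; the 0xffffffff fallback (Win32's "current process" pseudo-handle) is this example's choice, not Cuckoo's.

```python
# Added example (not Cuckoo's code): defensive access to behavior-log call
# arguments. A missing key and a key whose value is None are treated alike.
# Assumptions: call records look like the NtAllocateVirtualMemory record
# printed in the issue above; `process` is a dict carrying "pid".

def get_argument(call, name, default=None):
    """Return argument `name` of a call; missing key and None both yield `default`."""
    value = call.get("arguments", {}).get(name)
    return default if value is None else value


def service_name_of(call):
    """Lower-cased service name, or "" when the API call carried none."""
    return get_argument(call, "service_name", "").lower()


def target_pid_of(call, process):
    """PID a memory call operates on.

    Falls back to the calling process when only the pseudo-handle 0xffffffff
    ("current process" in Win32) was logged, and returns None instead of
    raising when nothing usable was recorded.
    """
    pid = get_argument(call, "process_identifier")
    if pid is None and get_argument(call, "process_handle") == "0xffffffff":
        return process["pid"]
    return pid


# Constructed sample calls; the third mirrors the record printed in the issue.
SAMPLE_CALLS = [
    {"api": "CreateServiceW", "arguments": {"service_name": None}},
    {"api": "CreateServiceW", "arguments": {"service_name": "TestSvc"}},
    {"api": "NtAllocateVirtualMemory",
     "arguments": {"region_size": 65536, "protection": 4,
                   "process_handle": "0xffffffff",
                   "allocation_type": 4096, "base_address": "0x0a020000"}},
]
SAMPLE_PROCESS = {"pid": 1496}  # constructed; tid 1496 appears in the printed record


def summarize(calls, process):
    """Run both accessors over a call list without ever raising."""
    return [(c["api"], service_name_of(c), target_pid_of(c, process)) for c in calls]


if __name__ == "__main__":
    for row in summarize(SAMPLE_CALLS, SAMPLE_PROCESS):
        print(row)
```

The point for signature authors: `dict.get(key, "")` only defends against an absent key, so a monitor that logs the argument as null still reaches `.lower()`; normalising None to the default in one helper closes both gaps.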

New versions of adobe reader causing erroneous signature hits

I'm getting a bunch of cuckoo signature hits on a basically empty PDF.

Sample: empty_pdf.pdf

Cuckoo report.json with adobe reader 11: report_reader11.json.txt

Cuckoo report.json with adobe reader DC: report_readerdc.json.txt

I believe it may have something to do with this section from the logs (from reader DC):

...
            "2018-06-13 17:07:24,046 [lib.api.process] INFO: Successfully executed process from path 'C:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroRd32.exe' with arguments [u'C:\\\\Users\\\\johnny\\\\AppData\\\\Local\\\\Temp\\\\bfc393f3018779e9f6e63b5bafdc6ab6d02b3135eb344aafc3b7c37697494943.pdf'] and pid 1984\n", 
            "2018-06-13 17:07:24,187 [analyzer] DEBUG: Loaded monitor into process with pid 1984\n", 
            "2018-06-13 17:07:24,530 [analyzer] INFO: Injected into process with pid 1712 and name u'\\uc280\\u01e2'\n", 
            "2018-06-13 17:07:24,562 [analyzer] DEBUG: Received request to inject pid=1712, but we are already injected there.\n"
...

It looks like cuckoo isn't resolving the name for process 1712 properly, which breaks the various whitelists used in the signature definitions.

Error in Signature banker_zeus_url.py

Traceback (most recent call last):
File "~/cuckoo/lib/cuckoo/core/plugins.py", line 378, in call_signature
if handler(*args, **kwargs):
File "~/cuckoo/modules/signatures/windows/banker_zeus_url.py", line 43, in on_complete
self.match(None, "url", url=url)
AttributeError: 'ZeusURL' object has no attribute 'match'

  • Based on other samples, this one seems to be using functions no longer supported.

Customize Cuckoo Result

How can I customize the Cuckoo result just to make a single result of whether it is malware or not?

Updating signatures for compatibility issue

I have Cuckoo 2.0.3 and have the majority of yara/powershell signatures coming up with this error: ...Cuckoo version that's not compatible with this signature.

I have run cuckoo community -b 2.0 and just cuckoo community to update the signatures. Should I wait for the next update or just remove the signatures?

No "Behavior Summary" section in the report.

Hi All,

I just installed Cuckoo using the pip command as instructed in the documentation. Cuckoo is running correctly and I am able to submit and run executables for analysis. However, I can only see the basic info and the signatures sections in the report. I would like to see other information such as the behavior summary, processes, networking, etc. I have tried the following:

  • I ran the command "cuckoo community" and managed to download and extract community scripts.
  • I enabled the "singlefile" and "behavior" modules in reporting.conf and processing.conf, respectively.

I can see that the behavior analysis has been executed in the cuckoo log, something like
2017-12-05 14:01:48,524 [cuckoo.core.plugins] DEBUG: Executed processing module "BehaviorAnalysis" for task #5
cuckoo.log
analysis.log

but no behavior info in my log.

I am wondering if I am missing something or there is some other configuration required to enable this. I am attaching sample logs.

Thanks

ERROR when run "cuckoo community"

Hi, I have this error when I run the command "cuckoo community"

(cuckoo) cuckoo@ubuntu:~$ cuckoo community
2018-08-09 12:19:22,350 [cuckoo.apps.apps] INFO: Downloading.. https://github.com/cuckoosandbox/community/archive/master.tar.gz
Traceback (most recent call last):
File "/home/cuckoo/cuckoo/bin/cuckoo", line 11, in <module>
sys.exit(main())
File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/click/core.py", line 716, in __call__
return self.main(*args, **kwargs)
File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/click/core.py", line 696, in main
rv = self.invoke(ctx)
File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/click/core.py", line 1060, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/click/core.py", line 889, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/click/core.py", line 534, in invoke
return callback(*args, **kwargs)
File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/click/decorators.py", line 17, in new_func
return f(get_current_context(), *args, **kwargs)
File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/cuckoo/main.py", line 273, in community
fetch_community(force=force, branch=branch, filepath=filepath)
File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/cuckoo/apps/apps.py", line 46, in fetch_community
r = requests.get(URL % branch)
File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/requests/api.py", line 70, in get
return request('get', url, params=params, **kwargs)
File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/requests/api.py", line 56, in request
return session.request(method=method, url=url, **kwargs)
File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/requests/sessions.py", line 488, in request
resp = self.send(prep, **send_kwargs)
File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/requests/sessions.py", line 609, in send
r = adapter.send(request, **kwargs)
File "/home/cuckoo/cuckoo/local/lib/python2.7/site-packages/requests/adapters.py", line 497, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)

Can you help me please?

regards

Cuckoo: No activity being reported for Behavioral analysis on Ubuntu host and CentOS 7 guest

Hi,

I want to execute ELFs on CentOS 7 and analyze the sample using Cuckoo Sandbox. I have installed Cuckoo 2.0.5 on an Ubuntu host with CentOS 7 as guest. I followed all the instructions mentioned at https://github.com/cuckoosandbox/cuckoo/blob/master/docs/book/installation/guest/linux.rst . When I submit an ELF sample it gets executed on the client but no activity is reported for dynamic analysis. The sample creates some files and then executes these files. None of the activity is reported in the Behavioral analysis or dropped files sections. No error/warning appears in the logs.
Installed all of the systemtap dependencies for CentOS using yum.
Any help would be appreciated.

cuckoo v2.0 rc2 web interface not found 404

I have installed cuckoo version 2.0 rc2 and started the web interface using the "sudo ./manage.py runserver 0.0.0.0:80" command. The page opened but some elements (pictures) are missing. In the meantime I have the following errors from manage.py after opening the web interface.

[08/Apr/2017 08:27:58] "GET / HTTP/1.1" 200 4475
[08/Apr/2017 08:27:59] "GET /static/css/style.css HTTP/1.1" 404 94
[08/Apr/2017 08:27:59] "GET /static/css/bootstrap.min.css HTTP/1.1" 404 102
[08/Apr/2017 08:27:59] "GET /static/css/lightbox.css HTTP/1.1" 404 97
[08/Apr/2017 08:27:59] "GET /static/js/jquery.js HTTP/1.1" 404 93
[08/Apr/2017 08:27:59] "GET /static/js/bootstrap.min.js HTTP/1.1" 404 100
[08/Apr/2017 08:27:59] "GET /static/js/bootstrap-fileupload.js HTTP/1.1" 404 107
[08/Apr/2017 08:27:59] "GET /static/js/lightbox.js HTTP/1.1" 404 95
[08/Apr/2017 08:27:59] "GET /static/js/app.js HTTP/1.1" 404 90
[08/Apr/2017 08:27:59] "GET /static/graphic/cuckoo_inverse.png HTTP/1.1" 404 107
[08/Apr/2017 08:27:59] "GET /static/js/bootstrap.min.js HTTP/1.1" 404 100
[08/Apr/2017 08:27:59] "GET /static/js/bootstrap-fileupload.js HTTP/1.1" 404 107
[08/Apr/2017 08:27:59] "GET /static/js/lightbox.js HTTP/1.1" 404 95
[08/Apr/2017 08:27:59] "GET /static/js/app.js HTTP/1.1" 404 90

Is there any way to solve the issue?

Thank you in advance

delete_self sig ordering

Hi,

Looking at the delete_self signature I converted, I think I have found why it sometimes does not work. In the cuckoo-modified one there is a check for the initial process, which is used to get the initial process and then check for it being deleted.

Now in cuckoo 2.0 such a check doesn't exist, so I used a dictionary so you would have something like procs = ["proc1", "proc2", etc.] and then check proc[0] to get the initial process. The issue however is I don't think python dictionaries are ordered when being checked from how they went in, which results in a false negative. Not sure how this can be fixed without adding in get initial process, but maybe there is a python way to ensure ordering?
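
Both this issue and the earlier "self.get_initial_process or equivalent required for delete self migration" come down to the same question: how to pick the first process without depending on dict iteration order. The example below is added here and is neither Cuckoo's nor the cuckoo-modified project's code. It assumes the behavior report exposes a list of process dicts with `pid`, `ppid`, `process_path` and `first_seen` fields (Cuckoo records such data, but the exact field names are this example's assumption) plus a list of deleted file paths; the sample data is constructed.

```python
# Added example (not Cuckoo's code): derive the initial process from the
# process tree and timestamps, so ordering of a dict never matters, then
# check whether that process's own binary was deleted during the run.
from datetime import datetime, timedelta


def initial_process(processes):
    """The process that started the analysis.

    Prefer processes whose parent is not part of the recorded tree (i.e. the
    analyzer launched them); among those, take the earliest first_seen. The
    sort by timestamp is what makes the answer independent of insertion order.
    """
    known_pids = {p["pid"] for p in processes}
    roots = [p for p in processes if p["ppid"] not in known_pids]
    return min(roots or processes, key=lambda p: p["first_seen"])


def deleted_self(processes, deleted_files):
    """Return (initial pid, deletions matching the initial binary, case-insensitively)."""
    root = initial_process(processes)
    target = root["process_path"].lower()
    hits = [f for f in deleted_files if f.lower() == target]
    return root["pid"], hits


# Constructed sample: three processes deliberately listed out of order.
T0 = datetime(2017, 1, 1, 12, 0, 0)
SAMPLE_PROCESSES = [
    {"pid": 2212, "ppid": 1804, "process_path": r"C:\Windows\System32\cmd.exe",
     "first_seen": T0 + timedelta(seconds=3)},
    {"pid": 1804, "ppid": 1200, "process_path": r"C:\Users\user\AppData\Local\Temp\sample.exe",
     "first_seen": T0},
    {"pid": 2400, "ppid": 2212, "process_path": r"C:\Windows\System32\timeout.exe",
     "first_seen": T0 + timedelta(seconds=4)},
]
# Constructed deletions; the second differs from the binary only in case.
SAMPLE_DELETED = [
    r"C:\Users\user\AppData\Local\Temp\tmp1.dat",
    r"C:\Users\USER\AppData\Local\Temp\SAMPLE.EXE",
]

if __name__ == "__main__":
    print(deleted_self(SAMPLE_PROCESSES, SAMPLE_DELETED))
```

Using the parent/child relationship rather than position in a container also covers the case where the monitor reports a child before its parent, which a plain list would get wrong as well.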

Help!! Can't trigger My Signature

I wrote a signature and a test program. When Cuckoo finished the analysis, I didn't see any information about Reg Written under the Signatures section of the report.

Here is my signature:

from lib.cuckoo.common.abstracts import Signature

class ATBroker(Signature):
    name = "atbroker"
    description = "Using ATBroker for AutoRun"
    severity = 7
    categories = ["AutoRun"]
    authors = ["Danyang.Wang"]
    minimum = "2.0"

    indicator = ".*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\.*"

    def on_complete(self):
        for regkey in self.check_key(pattern=self.indicator, regex=True, actions=["regkey_written"], all=True):
            self.mark_ioc("registry", regkey)
        return self.has_marks()

Below is the source code of an example program I wrote to test it.


#include "stdafx.h"
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <string.h>

// Writes a "Configuration" value under HKCU\...\CurrentVersion\Accessibility.
void SetConfiguration()
{
	HKEY hKey = NULL;
	const TCHAR *lpSubKey = _T("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion");
	if (RegOpenKeyEx(HKEY_CURRENT_USER, lpSubKey, 0, KEY_WRITE | KEY_READ, &hKey) != ERROR_SUCCESS)
	{
		printf("Open CurrentVersion Failed \n");
		return;  // hKey is not valid here; continuing would pass NULL to RegCreateKeyEx
	}

	HKEY hKeyAccessibility = NULL;
	DWORD dw = 0;
	if (RegCreateKeyEx(hKey, _T("Accessibility"), 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE, NULL, &hKeyAccessibility, &dw) != ERROR_SUCCESS)
	{
		printf("Open Accessibility Failed \n");
		RegCloseKey(hKey);
		return;
	}

	// REG_SZ data must include the terminating NUL, hence strlen() + 1.
	const char *lpData = "wdy";
	if (RegSetValueExA(hKeyAccessibility, "Configuration", 0, REG_SZ, (const BYTE *)lpData, (DWORD)(strlen(lpData) + 1)) != ERROR_SUCCESS)
	{
		printf("Set KeyValue Failed \n");
	}

	RegCloseKey(hKeyAccessibility);
	RegCloseKey(hKey);
}

int _tmain(int argc, _TCHAR* argv[])
{
	HKEY hKey = NULL;
	const TCHAR *lpSubKey = _T("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs");
	if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, lpSubKey, 0, KEY_WRITE | KEY_READ, &hKey) != ERROR_SUCCESS)
	{
		printf("Open Ats Failed\n");
		return 1;
	}
	printf("Open Ats Success\n");

	HKEY hKeyWdy = NULL;
	DWORD dw = 0;
	if (RegCreateKeyEx(hKey, _T("wdy"), 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE, NULL, &hKeyWdy, &dw) == ERROR_SUCCESS)
	{
		// dw only tells us whether the key was created or already existed;
		// both branches of the original wrote the same value.
		printf(dw == REG_CREATED_NEW_KEY ? "Create wdy Key Success\n" : "Open wdy Success\n");

		const char *lpData = "c:\\Windows\\System32\\calc.exe";
		if (RegSetValueExA(hKeyWdy, "StartExe", 0, REG_SZ, (const BYTE *)lpData, (DWORD)(strlen(lpData) + 1)) == ERROR_SUCCESS)
		{
			printf("Set StartExe KeyValue Success\n");
			SetConfiguration();
		}
		RegCloseKey(hKeyWdy);
	}

	RegCloseKey(hKey);
	return 0;
}
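
Two signature problems on this page are worth checking offline before a signature ever reaches a running Cuckoo: an indicator that does not compile (the "unexpected end of regular expression" traceback from antivm_generic_cpu above) and an indicator that compiles but does not match the keys a test program actually writes (the ATBroker signature here). The following is an added example and not Cuckoo's code. It assumes `check_key(regex=True)` applies `re.match` with `re.IGNORECASE` to each recorded key string and that recorded keys take the `HIVE\path\value` form; the broken pattern and the sample keys are constructed.

```python
# Added example (not Cuckoo's code): compile a signature's indicators once,
# reporting the ones that fail instead of crashing on_complete at match time,
# and exercise the valid ones against keys modelled on what the test program
# above touches.
import re


def compile_indicators(indicators):
    """Return (compiled patterns, [(pattern, error message), ...])."""
    compiled, failures = [], []
    for pat in indicators:
        try:
            compiled.append(re.compile(pat, re.IGNORECASE))
        except re.error as exc:
            failures.append((pat, str(exc)))
    return compiled, failures


def matching_keys(indicators, regkeys):
    """Keys that at least one valid indicator matches (assumption: re.match, like check_key)."""
    compiled, _ = compile_indicators(indicators)
    return [k for k in regkeys if any(rx.match(k) for rx in compiled)]


# The ATBroker indicator exactly as written in the signature above. It is a
# normal (non-raw) string, so "\\\\" reaches the regex engine as "\\", which
# matches one literal backslash.
ATBROKER_INDICATOR = ".*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\.*"

# Constructed broken pattern: an unterminated group, the kind of typo that
# raises re.error at compile time.
BROKEN_INDICATOR = ".*\\\\SOFTWARE\\\\VMware, Inc\\.\\\\(VMware Tools"

# Constructed keys modelled on the writes the test program performs. The
# third is the Accessibility key itself: no trailing backslash, so the
# indicator's "Accessibility\\\\.*" tail does not match it.
SAMPLE_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\wdy\StartExe",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
]

if __name__ == "__main__":
    _, bad = compile_indicators([ATBROKER_INDICATOR, BROKEN_INDICATOR])
    print("patterns that do not compile:", bad)
    for key in matching_keys([ATBROKER_INDICATOR], SAMPLE_KEYS):
        print("match:", key)
```

Running the indicator against the exact strings the report records is the quickest way to separate "the pattern is wrong" from "the action was never logged": if the key shows up in the report's regkey_written list and matches here, the remaining suspects are the signature's `actions` filter and the `minimum` version gate.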


Feature Request - Manage signature false positives via a dedicated file.

Hello,

As far as I know, many signatures manage their false positives inside their code.
In my opinion, false positive management should be seen as a configuration matter and not as code modification.

It would be useful to have a unique central file to reference that information.
As a consequence, that will avoid having to change the python code.
That will make it easier to manage versioning.

That could be done with this kind of json file:
{ "mysignature": { "domains" : [ "domain1", "domain2"], "ips" : ["IP1","IP2"] }, "another_sig" : {....

I don't really know how it can be implemented, but I will be happy to help if I can find a way.

Thank you
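
As an added example of the central false-positive file proposed above (not part of the community repository), the snippet below loads a JSON document of the suggested shape once and lets a signature filter its observed domains and IPs through it, so allow-lists live in configuration rather than in each module. The file location, the helper names and the documentation-range domains and addresses are this example's assumptions.

```python
# Added example (not Cuckoo's code): central false-positive table for
# signatures. Assumed file location: conf/false_positives.json (constructed).
import json

# Constructed contents of the proposed JSON file.
FP_CONFIG_JSON = """
{
  "mysignature": {"domains": ["update.example.com", "telemetry.example.org"],
                  "ips": ["192.0.2.10"]},
  "another_sig": {"domains": ["cdn.example.net"]}
}
"""


def load_false_positives(text):
    """Parse the JSON and normalise it: every signature gets both sets, domains lower-cased."""
    raw = json.loads(text)
    table = {}
    for sig, entry in raw.items():
        table[sig] = {
            "domains": {d.lower() for d in entry.get("domains", [])},
            "ips": set(entry.get("ips", [])),
        }
    return table


def filter_indicators(sig_name, fp_table, domains, ips):
    """Drop domains/IPs listed as known-good for this signature.

    A signature with no entry keeps everything, so adding the file never
    silently suppresses a signature that was not configured.
    """
    allow = fp_table.get(sig_name, {"domains": set(), "ips": set()})
    kept_domains = [d for d in domains if d.lower() not in allow["domains"]]
    kept_ips = [ip for ip in ips if ip not in allow["ips"]]
    return kept_domains, kept_ips


# Constructed observations from one analysis (note the mixed-case domain).
SEEN_DOMAINS = ["Update.Example.com", "unknown-host.example"]
SEEN_IPS = ["192.0.2.10", "198.51.100.23"]

if __name__ == "__main__":
    fps = load_false_positives(FP_CONFIG_JSON)
    print(filter_indicators("mysignature", fps, SEEN_DOMAINS, SEEN_IPS))
    print(filter_indicators("unlisted_sig", fps, SEEN_DOMAINS, SEEN_IPS))
```

Loading the table in one place (for example when the signature modules are imported) and passing it to signatures keeps the per-signature change to a single `filter_indicators` call before marking IOCs.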

jsbeautifier with obfuscated code

Hi,
I submitted this JS, md5(106398258b338bb9a0cbadebb99a7a8), with obfuscated code.
The analysis ends with no special warnings (no HTTP GET for the payload) because it seems that jsbeautifier makes some mess or the JS contains invalid characters that wscript cannot parse.
So after manually deobfuscating the JS, md5(5abc907b092c6c28f5455777b3304d66), I resubmitted it to Cuckoo and the analysis gives me more warnings, even the payload and URL.
regards
before: https://www.reverse.it/sample/77f8919ca00d0aae72f8c0ba41f406ec9f21b47d07e0f460585beab53e72f9e1?environmentId=100
after: https://www.reverse.it/sample/0b78fbc00e5ca1f9113d90edc4e1a05577168bc2d561e0c111914daa8bcae6b6?environmentId=100

An HTML sample makes cuckoo crash

An HTML page without an extension or with a fake extension makes Cuckoo crash.
Here is the code I used:

<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 Port 80</address>
</body></html>

Here is the md5: d901676729e2af7f58987d4e20d2bf5e (I uploaded it on malwr just for downloading).
Here is the traceback:
INFO: Guest is running Cuckoo Agent 0.7 (id=matrix02, ip=192.168.56.102)
2017-07-29 15:13:31,787 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=matrix02, ip=192.168.56.102, monitor=latest, size=3819928)
2017-07-29 15:13:32,123 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2017-07-29 15:13:32,124 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm matrix02
2017-07-29 15:13:33,618 [cuckoo.core.scheduler] ERROR: Failure in AnalysisManager.run
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/scheduler.py", line 698, in run
self.launch_analysis()
File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/scheduler.py", line 499, in launch_analysis
self.guest_manage(options)
File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/scheduler.py", line 394, in guest_manage
self.guest_manager.start_analysis(options, monitor)
File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/guest.py", line 480, in start_analysis
self.post("/store", files=files, data=data)
File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/guest.py", line 309, in post
r.raise_for_status()
File "/usr/local/lib/python2.7/dist-packages/requests/models.py", line 909, in raise_for_status
raise HTTPError(http_error_msg, response=self)
HTTPError: 500 Server Error: Internal Server Error for url: http://192.168.56.102:8000/store

Providing extra information from signatures

Hi,

I have some working signatures and cannot seem to make it so that when the signature is clicked on the web page, the extra bit of information is expanded and displayed below it. I am assuming self.data.append is the way to do this; if anyone could help me out that would be great, cheers.

Below is the code I am trying to do it with:

from lib.cuckoo.common.abstracts import Signature

class rundll32(Signature):
    name = "rundll32 loaded"
    description = "Rundll32.exe has been executed"
    severity = 1
    categories = ["DLLs"]
    authors = ["Daniel Perrie"]
    minimum = "1.2"
    evented = True

    # Only process-creation calls are delivered to on_call.
    filter_apinames = set(["CreateProcessInternalW"])

    def __init__(self, *args, **kwargs):
        Signature.__init__(self, *args, **kwargs)
        self.dll = False

    def on_call(self, call, process):
        if call["api"] == "CreateProcessInternalW":
            # get_argument() returns None when the argument was not logged;
            # "x in None" raises TypeError, so fall back to an empty string.
            funcName = self.get_argument(call, "ApplicationName") or ""
            if r"C:\Users\admin\AppData\Local\Temp\Cerber3.exe" in funcName:
                processName = self.get_argument(call, "Process")
                commandLineParameter = self.get_argument(call, "CommandLine")
                # Each dict appended to self.data is listed under the signature
                # in the report; this is the "extra information" shown there.
                self.data.append({"Process" : "%s executed rundll32.exe with the command line: %s" % (processName, commandLineParameter)})
                self.dll = True
        return self.dll

That IP address can't be assigned-to.

Hi team, so after 1 month of system shutdown I tried to launch cuckoo again and I get the following error when trying to run the web server

cuckoo@ubuntu:~$ cuckoo web runserver 192.168.32.140:5000
Performing system checks...

System check identified no issues (0 silenced).
January 15, 2018 - 00:19:01
Django version 1.8.4, using settings 'cuckoo.web.web.settings'
Starting development server at http://192.168.32.140:5000/
Quit the server with CONTROL-C.
Error: That IP address can't be assigned-to.

Please advise and help me.

P2PCnC uses a class-level "servers" variable, persisting across jobs

The code in question is here:

class P2PCnC(Signature):
    name = "p2p_cnc"
    description = "Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol"
    severity = 2
    categories = ["p2p", "cnc"]
    authors = ["Kevin Ross"]
    minimum = "2.0"

    filter_analysistypes = set(["file"])

    servers = []

The servers variable is class level. Once I see a report with the P2P description added, all following job reports have it as well, until I restart Cuckoo.
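
The behaviour described above is the standard Python pitfall of a mutable attribute defined on the class: every instance shares the one list object, so state from one analysis survives into the next. The example below is added here and is not code from the community repository. It assumes Cuckoo 2.0 instantiates a signature once per analysis and that its base `__init__` calls an `init()` hook (the stand-in base class mimics that); the connection data is constructed.

```python
# Added example (not community-repository code): class-level vs. instance-level
# `servers`, run over two constructed analyses as Cuckoo would (one signature
# object per analysis). Assumption: the Signature base class calls init()
# from __init__, which the stand-in below reproduces.

class SignatureBase(object):
    def __init__(self):
        self.marks = []
        self.init()

    def init(self):
        pass


class P2PCnCShared(SignatureBase):
    """Shape of the signature quoted above: `servers` lives on the class."""
    servers = []  # one list object, shared by every instance ever created

    def on_connect(self, ip, port):
        if port > 1024 and ip not in self.servers:
            self.servers.append(ip)
        return len(self.servers)


class P2PCnCPerAnalysis(SignatureBase):
    """Same logic, but the list is created per instance in init()."""
    def init(self):
        self.servers = []

    def on_connect(self, ip, port):
        if port > 1024 and ip not in self.servers:
            self.servers.append(ip)
        return len(self.servers)


def run_analyses(sig_cls, analyses, threshold=2):
    """Instantiate `sig_cls` once per analysis and report whether each
    analysis, on its own, reaches `threshold` distinct high-port peers."""
    verdicts = []
    for connections in analyses:
        sig = sig_cls()
        for ip, port in connections:
            sig.on_connect(ip, port)
        verdicts.append(len(sig.servers) >= threshold)
    return verdicts


# Constructed sample: analysis 1 contacts two high-port peers; analysis 2
# only talks to one host on 443 and should not match.
ANALYSES = [
    [("198.51.100.7", 6881), ("198.51.100.9", 51413)],
    [("203.0.113.5", 443)],
]

if __name__ == "__main__":
    print("class-level servers:   ", run_analyses(P2PCnCShared, ANALYSES))
    print("instance-level servers:", run_analyses(P2PCnCPerAnalysis, ANALYSES))
```

With the class attribute the second analysis inherits the first one's two peers and is flagged too, exactly the "until I restart Cuckoo" symptom; moving the assignment into `init()` gives each analysis a fresh list.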

ANALYSIS ALWAYS PENDING

chinmay@chinmay-Precision-T1650:~$ cd .cuckoo/
chinmay@chinmay-Precision-T1650:~/.cuckoo$ ls
agent cuckoo.db_old log storage web
analyzer distributed monitor stuff whitelist
conf elasticsearch pidfiles supervisord yara
cuckoo.db init.py signatures supervisord.conf
chinmay@chinmay-Precision-T1650:~/.cuckoo$ cd web
chinmay@chinmay-Precision-T1650:~/.cuckoo/web$ mkdir /tmp/cuckoo-tmp-root
chinmay@chinmay-Precision-T1650:~/.cuckoo/web$ cd ..
chinmay@chinmay-Precision-T1650:~/.cuckoo$ sudo service mongodb start
[sudo] password for chinmay:
chinmay@chinmay-Precision-T1650:~/.cuckoo$ sudo cuckoo web runserver
Performing system checks...

System check identified no issues (0 silenced).
June 11, 2019 - 10:50:07
Django version 1.8.4, using settings 'cuckoo.web.web.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[11/Jun/2019 10:51:44] "GET / HTTP/1.1" 200 22337
[11/Jun/2019 10:51:44] "GET /static/css/vendor.css HTTP/1.1" 304 0
[11/Jun/2019 10:51:44] "GET /static/css/main.css HTTP/1.1" 304 0
[11/Jun/2019 10:51:44] "GET /static/js/vendor.js HTTP/1.1" 304 0
[11/Jun/2019 10:51:44] "GET /static/js/handlebars-templates.js HTTP/1.1" 304 0
[11/Jun/2019 10:51:44] "GET /static/js/hexdump.js HTTP/1.1" 304 0
[11/Jun/2019 10:51:44] "GET /static/js/cuckoo/loader.js HTTP/1.1" 304 0
[11/Jun/2019 10:51:44] "GET /static/js/cuckoo/sticky.js HTTP/1.1" 304 0
[11/Jun/2019 10:51:44] "GET /static/js/cuckoo/analysis_sidebar.js HTTP/1.1" 304 0
[11/Jun/2019 10:51:44] "GET /static/js/cuckoo/analysis_feedback.js HTTP/1.1" 304 0
[11/Jun/2019 10:51:44] "GET /static/js/cuckoo/submission.js HTTP/1.1" 304 0
[11/Jun/2019 10:51:44] "GET /static/js/cuckoo/process_tree.js HTTP/1.1" 304 0
[11/Jun/2019 10:51:44] "GET /static/js/cuckoo/recent.js HTTP/1.1" 304 0
[11/Jun/2019 10:51:44] "GET /static/js/cuckoo/analysis_network.js HTTP/1.1" 304 0
[11/Jun/2019 10:51:44] "GET /static/js/cuckoo/rdp.js HTTP/1.1" 304 0
[11/Jun/2019 10:51:44] "GET /static/js/cuckoo/app.js HTTP/1.1" 304 0
[11/Jun/2019 10:51:45] "GET /static/graphic/cuckoo-coffee-cup.png HTTP/1.1" 200 35356
[11/Jun/2019 10:51:45] "GET /static/graphic/cuckoo_inverse.png HTTP/1.1" 200 8158
[11/Jun/2019 10:51:45] "GET /static/images/close.png HTTP/1.1" 304 0
[11/Jun/2019 10:51:45] "GET /static/fonts/Roboto_normal_500_default.woff HTTP/1.1" 304 0
[11/Jun/2019 10:51:45] "GET /static/favicon-32x32.png HTTP/1.1" 200 1153

- Broken pipe from ('127.0.0.1', 50710)
[11/Jun/2019 10:51:45] "GET /static/images/next.png HTTP/1.1" 200 1350
[11/Jun/2019 10:51:45] "GET /static/images/prev.png HTTP/1.1" 200 1360
[11/Jun/2019 10:51:45] "GET /static/images/loading.gif HTTP/1.1" 200 8476
[11/Jun/2019 10:51:45] "GET /static/fonts/Roboto_normal_700_default.woff HTTP/1.1" 304 0
[11/Jun/2019 10:51:45] "GET /static/fonts/Roboto_normal_400_default.woff HTTP/1.1" 304 0
[11/Jun/2019 10:51:45] "GET /static/fonts/Roboto_normal_400_default.woff HTTP/1.1" 304 0
[11/Jun/2019 10:51:45] "GET /static/fonts/fontawesome-webfont.woff2?v=4.7.0 HTTP/1.1" 304 0
Checking for updates...
[11/Jun/2019 10:51:45] "POST /analysis/api/tasks/recent/ HTTP/1.1" 200 438
You're good to go!

Our latest blogposts:

[11/Jun/2019 10:51:46] "GET /cuckoo/api/status HTTP/1.1" 200 1832
[11/Jun/2019 10:51:46] "GET /static/fonts/Roboto_italic_400_default.woff HTTP/1.1" 304 0
Traceback (most recent call last):
File "/usr/local/bin/cuckoo", line 10, in <module>
sys.exit(main())
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 716, in __call__
return self.main(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 696, in main
rv = self.invoke(ctx)
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 1060, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 889, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 534, in invoke
return callback(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/click/decorators.py", line 17, in new_func
return f(get_current_context(), *args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/cuckoo/main.py", line 579, in web
("cuckoo",) + args
File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 338, in execute_from_command_line
utility.execute()
File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 330, in execute
self.fetch_command(subcommand).run_from_argv(self.argv)
File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 393, in run_from_argv
self.execute(*args, **cmd_options)
File "/usr/local/lib/python2.7/dist-packages/django/core/management/commands/runserver.py", line 49, in execute
super(Command, self).execute(*args, **options)
File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 444, in execute
output = self.handle(*args, **options)
File "/usr/local/lib/python2.7/dist-packages/django/core/management/commands/runserver.py", line 88, in handle
self.run(**options)
File "/usr/local/lib/python2.7/dist-packages/django/core/management/commands/runserver.py", line 97, in run
autoreload.main(self.inner_run, None, options)
File "/usr/local/lib/python2.7/dist-packages/django/utils/autoreload.py", line 325, in main
reloader(wrapped_main_func, args, kwargs)
File "/usr/local/lib/python2.7/dist-packages/django/utils/autoreload.py", line 296, in python_reloader
exit_code = restart_with_reloader()
File "/usr/local/lib/python2.7/dist-packages/django/utils/autoreload.py", line 282, in restart_with_reloader
exit_code = os.spawnve(os.P_WAIT, sys.executable, args, new_environ)
File "/usr/lib/python2.7/os.py", line 575, in spawnve
return _spawnvef(mode, file, args, env, execve)
File "/usr/lib/python2.7/os.py", line 548, in _spawnvef
wpid, sts = waitpid(pid, 0)
OSError: [Errno 4] Interrupted system call
chinmay@chinmay-Precision-T1650:~/.cuckoo$ sudo cuckoo

(Cuckoo ASCII-art banner)

Cuckoo Sandbox 2.0.6
www.cuckoosandbox.org
Copyright (c) 2010-2018

Checking for updates...
You're good to go!

Our latest blogposts:

2019-06-11 10:52:21,460 [cuckoo.core.scheduler] INFO: Using "virtualbox" as machine manager
2019-06-11 10:52:24,342 [cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2019-06-11 10:52:24,353 [cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
2019-06-11 10:52:25,484 [cuckoo.core.scheduler] INFO: Starting analysis of FILE "dumped.exe" (task #3, options "procmemdump=yes,route=none")
2019-06-11 10:52:25,500 [cuckoo.core.scheduler] ERROR: Unable to access target file, please check if we have permissions to access the file: "/tmp/cuckoo-tmp-root/tmplfwNJZ/dumped.exe"
2019-06-11 10:52:25,631 [cuckoo.processing.behavior] WARNING: Analysis results folder does not exist at path '/home/chinmay/.cuckoo/storage/analyses/3/logs'.
2019-06-11 10:52:25,632 [cuckoo.processing.memory] ERROR: VM memory dump not found: to create VM memory dumps you have to enable memory_dump in cuckoo.conf!
2019-06-11 10:52:25,634 [cuckoo.core.plugins] WARNING: The processing module "Strings" returned the following error: Sample file doesn't exist: "/home/chinmay/.cuckoo/storage/analyses/3/binary"
2019-06-11 10:52:25,634 [cuckoo.processing.network] WARNING: The PCAP file does not exist at path "/home/chinmay/.cuckoo/storage/analyses/3/dump.pcap".
2019-06-11 10:52:25,635 [cuckoo.processing.debug] ERROR: Error processing task #3: it appears that the Virtual Machine hasn't been able to contact back to the Cuckoo Host. There could be a few reasons for this, please refer to our documentation on the matter: https://cuckoo.sh/docs/faq/index.html#troubleshooting-vm-network-configuration
2019-06-11 10:52:25,905 [cuckoo.core.scheduler] INFO: Task #3: reports generation completed
2019-06-11 10:52:25,916 [cuckoo.core.scheduler] INFO: Task #3: analysis procedure completed
2019-06-11 10:52:26,628 [cuckoo.core.scheduler] INFO: Starting analysis of FILE "Locky" (task #4, options "procmemdump=yes,route=none")
2019-06-11 10:52:26,638 [cuckoo.core.scheduler] ERROR: Unable to access target file, please check if we have permissions to access the file: "/tmp/cuckoo-tmp-root/tmp5hpo7x/Locky"
2019-06-11 10:52:26,757 [cuckoo.processing.behavior] WARNING: Analysis results folder does not exist at path '/home/chinmay/.cuckoo/storage/analyses/4/logs'.
2019-06-11 10:52:26,757 [cuckoo.processing.memory] ERROR: VM memory dump not found: to create VM memory dumps you have to enable memory_dump in cuckoo.conf!
2019-06-11 10:52:26,758 [cuckoo.core.plugins] WARNING: The processing module "Strings" returned the following error: Sample file doesn't exist: "/home/chinmay/.cuckoo/storage/analyses/4/binary"
2019-06-11 10:52:26,758 [cuckoo.processing.network] WARNING: The PCAP file does not exist at path "/home/chinmay/.cuckoo/storage/analyses/4/dump.pcap".
2019-06-11 10:52:26,759 [cuckoo.processing.debug] ERROR: Error processing task #4: it appears that the Virtual Machine hasn't been able to contact back to the Cuckoo Host. There could be a few reasons for this, please refer to our documentation on the matter: https://cuckoo.sh/docs/faq/index.html#troubleshooting-vm-network-configuration
2019-06-11 10:52:26,991 [cuckoo.core.scheduler] INFO: Task #4: reports generation completed
2019-06-11 10:52:26,998 [cuckoo.core.scheduler] INFO: Task #4: analysis procedure completed
2019-06-11 10:52:27,793 [cuckoo.core.scheduler] INFO: Starting analysis of FILE "Locky" (task #5, options "procmemdump=yes,route=none")
2019-06-11 10:52:27,800 [cuckoo.core.scheduler] ERROR: Unable to access target file, please check if we have permissions to access the file: "/tmp/cuckoo-tmp-root/tmpRs5qU9/Locky"
2019-06-11 10:52:27,924 [cuckoo.processing.behavior] WARNING: Analysis results folder does not exist at path '/home/chinmay/.cuckoo/storage/analyses/5/logs'.
2019-06-11 10:52:27,925 [cuckoo.processing.memory] ERROR: VM memory dump not found: to create VM memory dumps you have to enable memory_dump in cuckoo.conf!
2019-06-11 10:52:27,925 [cuckoo.core.plugins] WARNING: The processing module "Strings" returned the following error: Sample file doesn't exist: "/home/chinmay/.cuckoo/storage/analyses/5/binary"
2019-06-11 10:52:27,926 [cuckoo.processing.network] WARNING: The PCAP file does not exist at path "/home/chinmay/.cuckoo/storage/analyses/5/dump.pcap".
2019-06-11 10:52:27,926 [cuckoo.processing.debug] ERROR: Error processing task #5: it appears that the Virtual Machine hasn't been able to contact back to the Cuckoo Host. There could be a few reasons for this, please refer to our documentation on the matter: https://cuckoo.sh/docs/faq/index.html#troubleshooting-vm-network-configuration
2019-06-11 10:52:28,147 [cuckoo.core.scheduler] INFO: Task #5: reports generation completed
2019-06-11 10:52:28,155 [cuckoo.core.scheduler] INFO: Task #5: analysis procedure completed

issue with modules/signatures/windows/packer_upx.py

I'm using Cuckoo Sandbox 2.0-rc2 stable, and during the signatures step of the analysis the system raised the following exception for the packer_upx signature:

WARNING: The reporting module "ElasticSearch" returned the following error: Failed to save results in ElasticSearch for task #5: TransportError(400, u'mapper_parsing_exception', u'object mapping for [signatures.marks.section] tried to parse field [section] as object, but found a concrete value')

Furthermore, the analysis process was aborted, leaving the analysis status as "completed".

How can I fix it? As a quick workaround I deleted the signature files so that Cuckoo can generate the full report.

network behavior evaluation

Actually it's not an issue, but I don't know where else I can ask.
I would like to know how Cuckoo evaluates and scores network behaviors.
If there is any documentation on this topic, it would be highly appreciated.
Thanks in advance

Recon Fingerprint False

In the Recon Fingerprint signature, there is a generic reference to ".*\DigitalProductId$" which is incorrectly triggered when Office documents are analyzed. Microsoft Office in and of itself validates the version when executing, and the value read is DigitalProductId within the Office keys:
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration\{FDF3ECB9-B56F-43B2-A9B8-1B48B6BAE1A7}\DigitalProductID
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration\{191301D3-A579-428C-B0C7-D7988500F9E3}\DigitalProductID
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration\{90140000-0011-0000-1000-0000000FF1CE}\DigitalProductID
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration\{90140000-0011-0000-0000-0000000FF1CE}\DigitalProductID
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration\{6F327760-8C5C-417C-9B61-836A98287E0C}\DigitalProductID

Perhaps specifically calling out the locations instead of wildcarding them at the value would help?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
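As an added illustration (not code from the community repository or from the poster), the Python below compares the wildcarded pattern quoted above with patterns anchored on the three full key paths the post proposes. The key list is constructed from the issue text plus one unrelated key as a negative control; case-insensitive matching is assumed, since the issue shows a value spelled DigitalProductID matching a pattern written as DigitalProductId.

```python
import re

# Wildcarded pattern as quoted in the issue: anything ending in \DigitalProductId.
BROAD_PATTERN = r".*\\DigitalProductId$"

# Anchored alternative in the spirit of the post: the three full key paths,
# nothing else. Written for this example, not taken from the signature.
EXACT_PATTERNS = [
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DigitalProductId$",
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid$",
    r"^HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosDate$",
]

# Constructed sample of registry keys read during an analysis.
SAMPLE_KEYS = [
    # Office registration keys quoted in the issue (the false-positive source).
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration\{FDF3ECB9-B56F-43B2-A9B8-1B48B6BAE1A7}\DigitalProductID",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration\{191301D3-A579-428C-B0C7-D7988500F9E3}\DigitalProductID",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration\{90140000-0011-0000-1000-0000000FF1CE}\DigitalProductID",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration\{90140000-0011-0000-0000-0000000FF1CE}\DigitalProductID",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration\{6F327760-8C5C-417C-9B61-836A98287E0C}\DigitalProductID",
    # The three locations the post suggests naming explicitly.
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid",
    r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate",
    # Unrelated key, constructed as a negative control.
    r"HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\General",
]


def broad_hits(keys):
    """Keys the wildcarded pattern would flag (case-insensitive, as assumed)."""
    return [k for k in keys if re.match(BROAD_PATTERN, k, re.I)]


def exact_hits(keys):
    """Keys flagged when only the full Windows fingerprinting paths are matched."""
    return [k for k in keys if any(re.match(p, k, re.I) for p in EXACT_PATTERNS)]


def false_positives(keys):
    """Keys the broad pattern flags that the anchored patterns do not."""
    exact = set(exact_hits(keys))
    return [k for k in broad_hits(keys) if k not in exact]


if __name__ == "__main__":
    print("broad  :", len(broad_hits(SAMPLE_KEYS)))
    print("exact  :", len(exact_hits(SAMPLE_KEYS)))
    for k in false_positives(SAMPLE_KEYS):
        print("false positive:", k)
```

On the constructed list the wildcarded pattern flags all five Office keys plus the Windows NT key, while the anchored patterns flag only the three keys the post names.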

volatility_svcscan pointless on new windows

Hi.
I noticed that every single analysis, even on an "empty sample" (like http://nonexistent-domain.local/), returns scores of about 5.6 in my setup. I started digging a bit into the configuration as well as the test machinery and found that signatures/windows/volatility_sig.py contains three volatility_svcscan tests which check for specific service states. The problem is that the Shared Access service does not normally work if you have only one network interface. And even then it's a service which, as far as I remember, is not present in more modern Windows. The Application Layer Gateway service, on the other hand, is installed by default with manual start mode, so it's quite common that it's stopped, and it's not an indicator of any malicious behaviour.
I've yet to verify the security center service check.

How to commit a cuckoo machinery module.

I have created a Cuckoo machinery module for OpenStack and want to contribute it to the community.
There is a machinery module directory in the community repo, but where should I keep the conf file for that machinery module?

Error when submitting Locky malware to windows 7 x86

The following error seems to be in windows/url_file.py:
2018-05-23 19:36:23,515 [cuckoo.core.plugins] ERROR: Failed to run 'on_complete' of the url_file signature
Traceback (most recent call last):
File "/home/cuckoo/venv/local/lib/python2.7/site-packages/cuckoo/core/plugins.py", line 413, in call_signature
if not signature.matched and handler(*args, **kwargs):
File "/home/cuckoo/.cuckoo/signatures/windows/url_file.py", line 21, in on_complete
if "Internet shortcut" not in self.file.get("type", ""):
AttributeError: 'URLFile' object has no attribute 'file'
2018-05-23 19:36:24,093 [cuckoo.core.scheduler] INFO: Task #22: reports generation completed

What am I missing?
Thanks,
Ojas

Question about ransomware_filemodications.py

Hello,

I created some kind of ransomware that appends .w to the current filename. So it is just renaming.

I was told that there is the ransomware_filemodications.py signature for it, but I couldn't get it to trigger yet.

As far as I understand the code, the signature is triggered when 50 or more files are renamed?
There were 60 files renamed in my test.

Also, those new files like 45.txt.w are not listed in the report.json in any way.

Am I doing something wrong, or have I misunderstood the code?

@kevross33

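An added example, not the community signature's code: a minimal detector for the behaviour described in the post above (many files renamed with an extra extension appended), run over constructed behaviour-log events. The 50-rename threshold is taken from the poster's reading of the signature; the MoveFileWithProgressW API name and the oldfilepath/newfilepath argument names are assumptions about the log format, not taken from the page.

```python
# Rename APIs to consider (assumed names, modelled on the Win32 MoveFile family).
RENAME_APIS = {"MoveFileWithProgressW", "MoveFileWithProgressTransactedW"}

# Trigger threshold as the poster reads the signature: 50 or more renames.
THRESHOLD = 50


def appends_extension(old, new):
    """True when `new` is `old` with one more extension appended,
    e.g. 45.txt -> 45.txt.w. Renames that move a file elsewhere or change
    its name are deliberately not counted (conservative)."""
    old_l, new_l = old.lower(), new.lower()
    return (new_l.startswith(old_l)
            and len(new_l) > len(old_l) + 1
            and new_l[len(old_l)] == ".")


def count_appended_suffixes(calls):
    """Count extension-appending renames per appended suffix."""
    counts = {}
    for call in calls:
        if call.get("api") not in RENAME_APIS:
            continue
        args = call["arguments"]
        old, new = args["oldfilepath"], args["newfilepath"]
        if appends_extension(old, new):
            suffix = new[len(old):].lower()
            counts[suffix] = counts.get(suffix, 0) + 1
    return counts


def mass_rename_detected(calls, threshold=THRESHOLD):
    """Suffixes whose rename count reaches the threshold (empty dict = no hit)."""
    return {s: n for s, n in count_appended_suffixes(calls).items() if n >= threshold}


def build_sample(n, suffix=".w"):
    """Constructed events: n documents renamed with `suffix` appended."""
    base = r"C:\Users\victim\Documents"
    return [{
        "api": "MoveFileWithProgressW",
        "arguments": {
            "oldfilepath": rf"{base}\{i}.txt",
            "newfilepath": rf"{base}\{i}.txt{suffix}",
        },
    } for i in range(n)]


# Constructed noise: an unrelated API and a rename that changes the name.
NOISE = [
    {"api": "NtCreateFile",
     "arguments": {"filepath": r"C:\Users\victim\AppData\Local\Temp\tmp1.tmp"}},
    {"api": "MoveFileWithProgressW",
     "arguments": {"oldfilepath": r"C:\Users\victim\report.tmp",
                   "newfilepath": r"C:\Users\victim\report.docx"}},
]

if __name__ == "__main__":
    print("60 renames:", mass_rename_detected(build_sample(60) + NOISE))
    print("10 renames:", mass_rename_detected(build_sample(10) + NOISE))
```

With 60 appended-suffix renames the detector reports {".w": 60}; with 10 it reports nothing, and the noise events are ignored in both cases.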

Cuckoo not registering community signatures after successful "cuckoo community" execution

(Not sure if this is the right section, but I'm driving myself mad trying to fix this, so any help would receive my eternal love.)

My issue is:

Cuckoo signatures do not appear to be loading. That is, upon cuckoo startup I receive the message:
WARNING: It appears that you haven't loaded any Cuckoo Signatures. Signatures are highly recommended and improve & enrich the information extracted during an analysis. They also make up for the analysis score that you see in the Web Interface - so, pretty important! 2019-04-03 13:43:37,168 [cuckoo] WARNING: You'll be able to fetch all the latest Cuckoo Signaturs, Yara rules, and more goodies by running the following command: 2019-04-03 13:43:37,168 [cuckoo] INFO: $ cuckoo community

However, I have run cuckoo community multiple times, and I have verified that the signatures are being loaded in my ~/.cuckoo/signatures/ directory. Additionally, this causes my analysis to report all my samples as false negatives with respect to my analysis scores.

My Cuckoo version and operating system are:

Cuckoo: Version 2.0.6
OS: Ubuntu 4.18.0-16-generic #17~18.04.1-Ubuntu SMP Tue Feb 12 13:35:51 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

This can be reproduced by:

For me at least, this happens every time I start up cuckoo, which I do by running /root/cuckoo-start.sh - which contains the code:
#!/bin/bash
## Cuckoo run script
# Stop any running Cuckoo instances
killall cuckoo
pkill -f 'cuckoo web runserver'
# Host-only network for the analysis VMs
vboxmanage dhcpserver modify --ifname vboxnet0 --disable
vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.87.1 --netmask 255.255.255.0
# Forward and NAT VM traffic out through enp3s0
iptables -A FORWARD -o enp3s0 -i vboxnet0 -s 192.168.87.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1
# Start the Cuckoo daemon, web interface and API as the cuckoo user
runuser -l cuckoo -c 'cuckoo --debug' &
runuser -l cuckoo -c 'cuckoo web runserver 0.0.0.0:8000' &
runuser -l cuckoo -c 'cuckoo api --host 0.0.0.0 --port 8090' &

Any help or guidance would be greatly appreciated, I'm quite new to using cuckoo sandbox.

Cuckoo with virustotal

Hi!

Is it possible to change the logic of Cuckoo so that the VirusTotal lookup runs first, and only if no viruses are detected does Cuckoo go on to perform the other actions?
I want to build an automatic system, because sandboxing takes a long time. I expect about 300 analyses per hour :)

Not an issue but curious question about cuckoo

I couldn't find anywhere else to pose the question. If there is a place for this, please let me know and I'll repost there. I apologize in advance.

Can cuckoo do interactive analysis? As in, we received a tech scam call and we wanted a safe way to follow their instructions but to also include the reporting we get like cuckoo does with analysis. We used a snapshotted vm to follow their prompts, but having the analysis to pickup anything that might be done in the background would be great. If cuckoo can't do this, is there anything out there that might?

Thanks.

injection_memorymodify.py checks self handle incorrectly

In the following code in injection_memorymodify.py:

def on_call(self, call, process):
    if call["arguments"]["process_handle"] != "0xffffffff" and call["arguments"]["process_handle"] != "0xffffffffffffffff":
        injected_pid = call["arguments"]["process_identifier"]
        call_process = self.get_process_by_pid(injected_pid)
        if not call_process or call_process["ppid"] != process["pid"]:
            self.mark_ioc(
                "Process injection",
                "Process %s manipulating memory of non-child process %s" % (process["pid"], injected_pid)
            )
            self.mark_call()

The bottom two bits in the handle are used internally by Windows. These two bits should be ignored when comparing the handle value. This is causing the "Manipulates memory of a non-child process indicative of process injection" warning to appear when a process manipulates 0xFFFFFFFC.

I believe the correct behavior is to first mask the handle with 0xFFFFFFFFFFFFFFFC, then to check for 0xFFFFFFFC or 0xFFFFFFFFFFFFFFFC.

Need Help!!

I want to get the ProcessID of the sample when Cuckoo invokes the on_call function.

Assume the variable filter_apinames contains NtOpenProcess.

I want to know whether the NtOpenProcess invocation comes from the analysis sample or from another process.

Can anyone help me with how I should do this?
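Added example serving the two posts above (the pseudo-handle masking proposed for injection_memorymodify.py, and the question of telling the sample's own calls from those of other processes); it is not the community signature's code. FakeSignature stands in for the parts of Cuckoo's Signature API the snippet uses (get_process_by_pid and the on_call(call, process) shape), and the sample's pid is passed in explicitly, since how it is read from the report is outside what the posts describe. The process tree and the calls are constructed.

```python
# Per the post, Windows reserves the bottom two bits of a handle value.
HANDLE_TAG_MASK = ~0x3


def legacy_is_self_handle(handle):
    """Comparison as in the snippet quoted above: exact string match only,
    so a tagged handle such as 0xfffffffc is treated as a foreign process."""
    return handle in ("0xffffffff", "0xffffffffffffffff")


def is_self_handle(handle):
    """Mask the two tag bits, then compare against the 32- and 64-bit
    current-process pseudo-handle, as the post proposes."""
    value = int(handle, 16) & HANDLE_TAG_MASK
    return value in (0xFFFFFFFC, 0xFFFFFFFFFFFFFFFC)


class FakeSignature:
    """Stand-in for the Signature base class (assumed interface)."""

    def __init__(self, processes, sample_pid):
        self.processes = {p["pid"]: p for p in processes}
        self.sample_pid = sample_pid
        self.marks = []  # (caller pid, target pid) pairs that would be marked

    def get_process_by_pid(self, pid):
        return self.processes.get(pid)

    def on_call(self, call, process, self_handle_check=is_self_handle):
        args = call["arguments"]
        if self_handle_check(args["process_handle"]):
            return False  # a process touching its own memory is not injection
        target_pid = args["process_identifier"]
        target = self.get_process_by_pid(target_pid)
        if not target or target["ppid"] != process["pid"]:
            self.marks.append((process["pid"], target_pid))
            return True
        return False

    def from_sample(self, process):
        """Second question: did this call originate in the submitted sample?"""
        return process["pid"] == self.sample_pid


# Constructed process tree: the sample, one child of it, one unrelated process.
PROCESSES = [
    {"pid": 1000, "ppid": 500, "process_name": "sample.exe"},
    {"pid": 1001, "ppid": 1000, "process_name": "child.exe"},
    {"pid": 2000, "ppid": 4, "process_name": "svchost.exe"},
]
SAMPLE = PROCESSES[0]
UNRELATED = PROCESSES[2]


def make_call(handle, pid):
    """Constructed behaviour-log call in the shape the snippet expects."""
    return {"api": "NtWriteVirtualMemory",
            "arguments": {"process_handle": handle, "process_identifier": pid}}


def run_scenario(self_handle_check=is_self_handle):
    """Feed three calls made by the sample through on_call; return the marks."""
    sig = FakeSignature(PROCESSES, sample_pid=1000)
    calls = [
        make_call("0xfffffffc", 1000),  # own memory, tag bits set
        make_call("0x1a4", 1001),       # a child process
        make_call("0x1b8", 2000),       # an unrelated process
    ]
    for call in calls:
        sig.on_call(call, SAMPLE, self_handle_check)
    return sig.marks


if __name__ == "__main__":
    print("masked check :", run_scenario())
    print("legacy check :", run_scenario(legacy_is_self_handle))
    sig = FakeSignature(PROCESSES, sample_pid=1000)
    print("call from sample?", sig.from_sample(SAMPLE), sig.from_sample(UNRELATED))
```

With the masked check only the write into the unrelated process is marked; with the string comparison from the quoted snippet, the self-write through 0xfffffffc is marked as well, which is the false positive the post describes.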
