Comments (18)
First of all, why did you remove the issue template? There is important info that we need to ask over and over. Restore the issue template, fill in the data, and then I will check your issue; otherwise I will just ignore it.
But it looks like your VM is in the wrong state or has bad permissions:
[lib.cuckoo.core.scheduler] ERROR: Timeout hit while for machine Win10x64 to change status
I have a feeling that you didn't read the whole docs: https://capev2.readthedocs.io/en/latest/installation/guest/index.html
Dear @doomedraven thank you for your support and patience. What do you mean by "why do you remove issues template?"?
I stopped all services, then enabled the log view, then re-enabled all services and via web launched the file analysis. If more info is needed, can you tell me what files, commands, or anything else to provide?
I apologize if the information provided was not complete.
Are the VMs turned off when I launch the analysis, or should they be turned on?
I created the VMs using this link: https://www.doomedraven.com/2020/04/how-to-create-virtual-machine-with-virt.html, but I believe I did not perform the steps instead described on this other page: https://www.doomedraven.com/2016/05/kvm.html#modifying-kvm-qemu-kvm-settings-for-malware-analysis.
This could be the problem.
Regards
Engel
issues ->
Having problem/bug/issue
Create a report to help us improve
All this info is critical for us and saves us a lot of time asking each user the same question over and over:
## About accounts on [capesandbox.com](https://capesandbox.com/)
* Issues isn't the way to ask for account activation. Ping capesandbox in [Twitter](https://twitter.com/capesandbox) with your username
## This is open source and you are getting __free__ support so be friendly!
# Prerequisites
Please answer the following questions for yourself before submitting an issue.
- [ ] I am running the latest version
- [ ] I did read the README!
- [ ] I checked the documentation and found no answer
- [ ] I checked to make sure that this issue has not already been filed
- [ ] I'm reporting the issue to the correct repository (for multi-repository projects)
- [ ] I have read and checked all configs (with all optional parts)
# Expected Behavior
Please describe the behavior you are expecting. __If your samples(x64) stuck in pending ensure that you set tags=x64 in hypervisor conf for x64 vms__
# Current Behavior
What is the current behavior?
# Failure Information (for bugs)
Please help provide information about the failure if this is a bug. If it is not a bug, please remove the rest of this template.
## Steps to Reproduce
Please provide detailed steps for reproducing the issue.
1. step 1
2. step 2
3. you get it...
## Context
Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions. Operating system version, bitness, installed software versions, test sample details/hash/binary (if applicable).
| Question | Answer |
|------------------|--------------------|
| Git commit | Type `$ git log \| head -n1` to find out |
| OS version | Ubuntu 16.04, Windows 10, macOS 10.12.3 |
## Failure Logs
Please include any relevant log snippets or files here.
About the VM: my guide is about how to create a VM, it is not related to CAPE. As the CAPE docs say, the VM should be in the running state when you take the snapshot. Please go and read the WHOLE CAPE docs. You are making very basic mistakes that are explained in the docs.
Dear @doomedraven, Thank you for the clarification and information. I updated the first post by including the problem template, I apologize for not filling it out.
I will try to redo the VMs and related snapshots.
If it's not too much trouble, could you help me better understand how CAPE handles virtual machines before and after running a scan? Once the malicious object is launched in the VM and the analysis is provided, is the VM closed and deleted and then restored from the snapshot?
Regards
Engel
Not exactly. You prepare a new clean VM and take a snapshot in the running state; CAPE restores that snapshot, submits the malware, runs it and turns off the VM. On the next sample run it restores the clean running snapshot, and so on in a loop.
Please reread the documentation; if you have any question, feel free to ask here.
Dear @doomedraven,
I rebuilt the CAPE server according to the documentation. Now the VM starts, and I can also see on the GUI side that it is switched on, but no action is performed. Afterwards the VM is switched off. On the GUI side the system stays running and then after a while it goes to failure. Below is the log of the last analysis test performed:
feb 22 09:42:57 capev2sandbox systemd[1]: cape.service: State 'stop-sigterm' timed out. Killing.
feb 22 09:42:57 capev2sandbox systemd[1]: cape.service: Killing process 11186 (python) with signal SIGKILL.
feb 22 09:42:57 capev2sandbox systemd[1]: cape.service: Killing process 11197 (python) with signal SIGKILL.
feb 22 09:42:57 capev2sandbox systemd[1]: cape.service: Main process exited, code=killed, status=9/KILL
feb 22 09:42:57 capev2sandbox systemd[1]: cape.service: Failed with result 'timeout'.
feb 22 09:42:57 capev2sandbox systemd[1]: Stopped CAPE.
feb 22 09:42:57 capev2sandbox systemd[1]: cape.service: Consumed 5min 12.499s CPU time.
feb 22 09:59:48 capev2sandbox systemd[1]: Started CAPE.
feb 22 09:59:50 capev2sandbox python3[11542]:
feb 22 09:59:50 capev2sandbox python3[11542]: .-----------------.
feb 22 09:59:50 capev2sandbox python3[11542]: | Cuckoo Sandbox? |
feb 22 09:59:50 capev2sandbox python3[11542]: | OH NOES! |\ '-.__.-'
feb 22 09:59:50 capev2sandbox python3[11542]: '-----------------' \ /oo |--.--,--,--.
feb 22 09:59:50 capev2sandbox python3[11542]: _.-'.i__i__i.'
feb 22 09:59:50 capev2sandbox python3[11542]: """""""""
feb 22 09:59:50 capev2sandbox python3[11542]: Cuckoo Sandbox 2.4-CAPE
feb 22 09:59:50 capev2sandbox python3[11542]: www.cuckoosandbox.org
feb 22 09:59:50 capev2sandbox python3[11542]: Copyright (c) 2010-2015
feb 22 09:59:50 capev2sandbox python3[11542]: CAPE: Config and Payload Extraction
feb 22 09:59:50 capev2sandbox python3[11542]: github.com/kevoreilly/CAPEv2
feb 22 09:59:51 capev2sandbox python3[11542]: Unable to import plugin "modules.processing.sysmon": No module named 'xmltodict'
feb 22 09:59:51 capev2sandbox python3[11542]: No module named 'pydantic.functional_validators'
feb 22 09:59:51 capev2sandbox python3[11542]: FLARE-CAPA missed: poetry install
feb 22 09:59:51 capev2sandbox python3[11542]: 2024-02-22 09:59:51,851 [root] INFO: Updated running task ID 1 status to failed_analysis
feb 22 09:59:51 capev2sandbox python3[11569]: /usr/bin/tcpdump
feb 22 09:59:51 capev2sandbox python3[11542]: 2024-02-22 09:59:51,961 [lib.cuckoo.core.scheduler] INFO: Using "kvm" machine manager with max_analysis_count=0, max_machines_count=0, and max_vmstartup_count=0
feb 22 09:59:51 capev2sandbox python3[11542]: 2024-02-22 09:59:51,965 [lib.cuckoo.core.scheduler] INFO: Loaded 2 machine/s
feb 22 09:59:51 capev2sandbox python3[11542]: 2024-02-22 09:59:51,969 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks
feb 22 10:00:53 capev2sandbox python3[11542]: 2024-02-22 10:00:53,816 [lib.cuckoo.core.scheduler] INFO: Task #3: File already exists at '/opt/CAPEv2/storage/binaries/d60df902cea410c6cecc6c0852b1ee001cd89e298b2376288dde406e0ea2c59a'
feb 22 10:00:53 capev2sandbox python3[11542]: 2024-02-22 10:00:53,818 [lib.cuckoo.core.scheduler] INFO: Task #3: Starting analysis of FILE '/tmp/cuckoo-sflock/tmp6hunvt3q/d60df902cea410c6cecc.msi'
feb 22 10:00:54 capev2sandbox python3[11542]: 2024-02-22 10:00:54,057 [lib.cuckoo.core.scheduler] INFO: Task #3: acquired machine win10x64 (label=win10x64, arch=x64, platform=windows)
feb 22 10:01:12 capev2sandbox python3[11542]: 2024-02-22 10:01:12,031 [lib.cuckoo.common.integrations.parse_pe] ERROR: PE type not recognised: 'DOS Header magic not found.'
feb 22 10:01:12 capev2sandbox python3[11542]: 2024-02-22 10:01:12,089 [lib.cuckoo.core.scheduler] INFO: Enabled route 'none'.
feb 22 10:01:12 capev2sandbox python3[11542]: 2024-02-22 10:01:12,152 [lib.cuckoo.core.guest] INFO: Task #3: Starting analysis on guest (id=win10x64, ip=192.168.55.2)
feb 22 10:17:12 capev2sandbox python3[11542]: 2024-02-22 10:17:12,884 [lib.cuckoo.core.scheduler] ERROR: Machine win10x64: the guest initialization hit the critical timeout, analysis aborted
feb 22 10:17:12 capev2sandbox python3[11542]: Traceback (most recent call last):
feb 22 10:17:12 capev2sandbox python3[11542]: File "/opt/CAPEv2/lib/cuckoo/core/scheduler.py", line 526, in launch_analysis
feb 22 10:17:12 capev2sandbox python3[11542]: guest.start_analysis(options)
feb 22 10:17:12 capev2sandbox python3[11542]: File "/opt/CAPEv2/lib/cuckoo/core/guest.py", line 245, in start_analysis
feb 22 10:17:12 capev2sandbox python3[11542]: self.wait_available()
feb 22 10:17:12 capev2sandbox python3[11542]: File "/opt/CAPEv2/lib/cuckoo/core/guest.py", line 154, in wait_available
feb 22 10:17:12 capev2sandbox python3[11542]: raise CuckooGuestCriticalTimeout(
feb 22 10:17:12 capev2sandbox python3[11542]: lib.cuckoo.common.exceptions.CuckooGuestCriticalTimeout: Machine win10x64: the guest initialization hit the critical timeout, analysis aborted
feb 22 10:22:17 capev2sandbox python3[11542]: 2024-02-22 10:22:17,197 [lib.cuckoo.core.scheduler] ERROR:
feb 22 10:22:17 capev2sandbox python3[11542]: Traceback (most recent call last):
feb 22 10:22:17 capev2sandbox python3[11542]: File "/opt/CAPEv2/lib/cuckoo/core/scheduler.py", line 618, in run
feb 22 10:22:17 capev2sandbox python3[11542]: success = self.launch_analysis()
feb 22 10:22:17 capev2sandbox python3[11542]: File "/opt/CAPEv2/lib/cuckoo/core/scheduler.py", line 593, in launch_analysis
feb 22 10:22:17 capev2sandbox python3[11542]: raise CuckooDeadMachine()
feb 22 10:22:17 capev2sandbox python3[11542]: lib.cuckoo.core.scheduler.CuckooDeadMachine
feb 22 10:22:18 capev2sandbox python3[11542]: 2024-02-22 10:22:18,516 [lib.cuckoo.core.scheduler] INFO: Task #3: File already exists at '/opt/CAPEv2/storage/binaries/d60df902cea410c6cecc6c0852b1ee001cd89e298b2376288dde406e0ea2c59a'
feb 22 10:22:18 capev2sandbox python3[11542]: 2024-02-22 10:22:18,662 [lib.cuckoo.core.scheduler] INFO: Task #3: Starting analysis of FILE '/tmp/cuckoo-sflock/tmp6hunvt3q/d60df902cea410c6cecc.msi'
Let me know what other info, logs or captures you need so I can help. Thank you very much.
Note: I set the execution time to 900.
Regards
Engel
Is your VM in the running state when you take the snapshot?
Yes, I confirm: they were up and running when I took the snapshot.
Did you test this? https://capev2.readthedocs.io/en/latest/installation/guest/agent.html#installing-the-agent
The test fails:
curl: (7) Failed to connect to 192.168.55.2 port 8000 after 0 ms: Connection refused
Going into the VM and running the netstat command, I see no open port 8000. The agent is saved in the folder "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" and I have also configured the "Task Scheduler", but it doesn't seem to start. Python 3.12 is installed and the file is saved with the .pyw extension.
Windows Firewall: disabled
Windows Defender: disabled
Well, congrats, you found the problem. Now it is your job to fix that: see the docs for how we suggest running the agent, and always verify that before taking the snapshot.
Yeah, too bad it doesn't run. When I launch it, cmd opens and closes again immediately, and it does this with both .pyw and .py extensions. I'll try to find out why.
Can you confirm that the file agent is: https://github.com/kevoreilly/CAPEv2/blob/master/agent/agent.py ?
Thanks :)
Yes, the file is correct. Comment out those lines to see the output: https://github.com/kevoreilly/CAPEv2/blob/master/agent/agent.py#L58-L59, but later, for production, uncomment them.
I uninstalled Python 3.12 and installed the 32-bit Python 3.10.6 version; the 64-bit version gives problems. Now running the command `curl VM_IP:8000` I get:
{"message": "CAPE Agent!", "version": "0.12", "features": ["execpy", "execute", "pinning", "logs", "largefile", "unicodepath"], "is_user_admin": false}admcape@cape
We should be there, right?
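The maintainer's advice above is to verify the agent before taking the snapshot, and the thread shows both outcomes: a connection refused on port 8000 and, later, the JSON banner with the shell prompt fused onto its end. The following is an added example (not CAPEv2 project code) of such a pre-snapshot check: it fetches the banner over plain HTTP, parses it even with trailing junk, and reports what is missing. The required-feature set and the guest address are assumptions.

```python
"""Pre-snapshot check for the CAPE agent in the guest (added example)."""
import json
import urllib.error
import urllib.request

# Constructed sample: the banner as curl printed it in the thread, with the
# shell prompt fused onto the end because the reply has no trailing newline.
SAMPLE_BANNER = ('{"message": "CAPE Agent!", "version": "0.12", "features": '
                 '["execpy", "execute", "pinning", "logs", "largefile", '
                 '"unicodepath"], "is_user_admin": false}admcape@cape')

# Assumption: the analyzer upload/launch path needs at least these features.
REQUIRED_FEATURES = {"execpy", "execute"}


def parse_agent_banner(text):
    """Return the banner dict; raw_decode ignores anything after the JSON."""
    obj, _end = json.JSONDecoder().raw_decode(text.lstrip())
    if not isinstance(obj, dict) or obj.get("message") != "CAPE Agent!":
        raise ValueError("not a CAPE agent banner")
    return obj


def evaluate_banner(banner):
    """Return (ok, warnings): ok only if required features are advertised."""
    warnings = []
    missing = REQUIRED_FEATURES - set(banner.get("features", []))
    if missing:
        warnings.append("agent lacks features: " + ", ".join(sorted(missing)))
    if not banner.get("is_user_admin", False):
        # Not treated as fatal here; the banner simply reports the agent's privileges.
        warnings.append("agent is not running as administrator")
    return (not missing, warnings)


def check_agent(host, port=8000, timeout=5.0):
    """Fetch and evaluate the banner; returns (ok, messages) and never raises."""
    url = "http://%s:%d/" % (host, port)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            banner = parse_agent_banner(resp.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError, ValueError) as exc:
        # "Connection refused" is the symptom from the thread: the agent never
        # started in the guest, so the snapshot must not be taken yet.
        return (False, ["agent unreachable at %s:%d: %s" % (host, port, exc)])
    return evaluate_banner(banner)


if __name__ == "__main__":
    ok, msgs = check_agent("192.168.55.2")  # guest IP from the thread's log
    print("READY" if ok else "NOT READY", "; ".join(msgs))
```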
I'd say it's working now. I am doing some tests but I should have solved it. Thank you very much for your support and patience
Dude, you def need to start reading everything better: https://github.com/kevoreilly/CAPEv2