
cuckoo's Introduction

Cuckoo Sandbox

PLEASE NOTE: Cuckoo Sandbox 2.x is currently unmaintained. Any open issues or pull requests will most likely not be processed, as a full rewrite of Cuckoo is currently under way and will be announced soon.

Cuckoo Sandbox is the leading open source automated malware analysis system.

What does that mean? It means that you can throw any suspicious file at it and, in a matter of seconds, Cuckoo will give you back detailed results outlining what that file did when executed inside an isolated environment.

If you want to contribute to development, report a bug, make a feature request or ask a question, please first take a look at our community guidelines. Make sure you check our existing Issues and Pull Requests and that you join our IRC or Slack channel.

For setup instructions, please refer to our documentation.

This is a development version; we do not recommend its use in production. The latest stable version may be installed through pip install -U cuckoo.

You can find the full documentation of the latest stable release here.


cuckoo's People

Contributors

ameily, botherder, bun, consen, dmaciejak, doomedraven, evert0x, gtback, heipei, hughpearse, ikiril01, jbremer, jekil, jgajek, killerinstinct, lehmz, nickycm, pdelsante, r3comp1le, razuz, rep, ricovz, robertsjw, rodionovd, sanderfoobar, sebdg, shba24, swackhamer, thorsten-sick, titotix


cuckoo's Issues

Web interface does not load (django)

I get the following error:

Environment:

Request Method: GET
Request URL: http://192.168.200.90:8080/

Django Version: 1.6.1
Python Version: 2.7.3
Installed Applications:
('django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.staticfiles',
'django.contrib.admin',
'analysis')
Installed Middleware:
('django.middleware.common.CommonMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'web.headers.CuckooHeaders')

Template error:
In template /root/cuckoo/web/templates/header.html, error at line 30
cannot import name ALL_UUID_SUBTYPES
30 : <a href=" {% url "dashboard.views.index" %} "> Dashboard
31 : <a href="{% url "analysis.views.index" %}"> Recent
32 : <a href="{% url "analysis.views.pending" %}"> Pending
33 : <a href="{% url "analysis.views.search" %}"> Search
34 : <a href="{% url "submission.views.index" %}"> Submit
(template lines 20-29 and 35-39 were markup only and did not survive extraction)
Traceback:
File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py" in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "/usr/local/lib/python2.7/dist-packages/django/views/decorators/http.py" in inner
    return func(request, *args, **kwargs)
File "/root/cuckoo/web/dashboard/views.py" in index
    context_instance=RequestContext(request))
File "/usr/local/lib/python2.7/dist-packages/django/shortcuts/__init__.py" in render_to_response
    return HttpResponse(loader.render_to_string(*args, **kwargs), **httpresponse_kwargs)
File "/usr/local/lib/python2.7/dist-packages/django/template/loader.py" in render_to_string
    return t.render(context_instance)
File "/usr/local/lib/python2.7/dist-packages/django/template/base.py" in render
    return self._render(context)
File "/usr/local/lib/python2.7/dist-packages/django/template/base.py" in _render
    return self.nodelist.render(context)
File "/usr/local/lib/python2.7/dist-packages/django/template/base.py" in render
    bit = self.render_node(node, context)
File "/usr/local/lib/python2.7/dist-packages/django/template/debug.py" in render_node
    return node.render(context)
File "/usr/local/lib/python2.7/dist-packages/django/template/loader_tags.py" in render
    return compiled_parent._render(context)
File "/usr/local/lib/python2.7/dist-packages/django/template/base.py" in _render
    return self.nodelist.render(context)
File "/usr/local/lib/python2.7/dist-packages/django/template/base.py" in render
    bit = self.render_node(node, context)
File "/usr/local/lib/python2.7/dist-packages/django/template/debug.py" in render_node
    return node.render(context)
File "/usr/local/lib/python2.7/dist-packages/django/template/loader_tags.py" in render
    return self.render_template(self.template, context)
File "/usr/local/lib/python2.7/dist-packages/django/template/loader_tags.py" in render_template
    output = template.render(context)
File "/usr/local/lib/python2.7/dist-packages/django/template/base.py" in render
    return self._render(context)
File "/usr/local/lib/python2.7/dist-packages/django/template/base.py" in _render
    return self.nodelist.render(context)
File "/usr/local/lib/python2.7/dist-packages/django/template/base.py" in render
    bit = self.render_node(node, context)
File "/usr/local/lib/python2.7/dist-packages/django/template/debug.py" in render_node
    return node.render(context)
File "/usr/local/lib/python2.7/dist-packages/django/template/defaulttags.py" in render
    url = reverse(view_name, args=args, kwargs=kwargs, current_app=context.current_app)
File "/usr/local/lib/python2.7/dist-packages/django/core/urlresolvers.py" in reverse
    return iri_to_uri(resolver._reverse_with_prefix(view, prefix, *args, **kwargs))
File "/usr/local/lib/python2.7/dist-packages/django/core/urlresolvers.py" in _reverse_with_prefix
    possibilities = self.reverse_dict.getlist(lookup_view)
File "/usr/local/lib/python2.7/dist-packages/django/core/urlresolvers.py" in reverse_dict
    self._populate()
File "/usr/local/lib/python2.7/dist-packages/django/core/urlresolvers.py" in _populate
    lookups.appendlist(pattern.callback, (bits, p_pattern, pattern.default_args))
File "/usr/local/lib/python2.7/dist-packages/django/core/urlresolvers.py" in callback
    self._callback = get_callable(self._callback_str)
File "/usr/local/lib/python2.7/dist-packages/django/utils/functional.py" in wrapper
    result = func(*args)
File "/usr/local/lib/python2.7/dist-packages/django/core/urlresolvers.py" in get_callable
    mod = import_module(mod_name)
File "/usr/local/lib/python2.7/dist-packages/django/utils/importlib.py" in import_module
    __import__(name)
File "/root/cuckoo/web/analysis/views.py" in <module>
    import pymongo
File "build/bdist.linux-x86_64/egg/pymongo/__init__.py" in <module>
    from pymongo.connection import Connection

Exception Type: ImportError at /
Exception Value: cannot import name ALL_UUID_SUBTYPES

idea: Add "mask" for standard behavior

When you take a look at VirusTotal results that come from Cuckoo, you will notice that they are very clean. The system's standard behaviour (file system/registry activities of MS Office, for example) is not part of the VirusTotal reports.

Is there any simple way to mask those activities? I would like to make some kind of baseline for Word, Excel, Internet Explorer and Adobe Reader to generate a filter.

Avoid empty and unnecessary directories in the source tree

Putting empty directories in the source tree is absolutely unnecessary and confusing to the reader. Those can easily be created at runtime, where they belong anyway.

A directory holding only one file does not make much sense either, as those runtime-dependent files could all be placed in one directory and, if necessary, later copied to a separate directory in the VM.

Possible bug in irc.py

In cuckoo/lib/cuckoo/common/irc.py, I think the two lines 57 and 64 should be inside the if clauses. This might be messing with the output of isthereIRC().

Can someone verify this?

Bug when a file drops that doesn't get created

Here is the analysis.log

[2012-01-03 14:57:46,937] [Core.Analyzer] INFO: Cuckoo starting with PID 496.

[2012-01-03 14:57:46,947] [Core.InstallDependencies] INFO: Installing dependency "\VBOXSVR\setup\system\distorm3.dll".

[2012-01-03 14:57:46,976] [Core.InstallDependencies] INFO: Installing dependency "\VBOXSVR\setup\system.gitignore".

[2012-01-03 14:57:46,986] [Core.InstallCuckoo] INFO: Installing "\VBOXSVR\setup\cuckoo\dll".

[2012-01-03 14:57:47,016] [Core.InstallCuckoo] INFO: Installing "\VBOXSVR\setup\cuckoo\logs".

[2012-01-03 14:57:47,026] [Core.InstallCuckoo] INFO: Installing "\VBOXSVR\setup\cuckoo\trace".

[2012-01-03 14:57:47,046] [Core.InstallCuckoo] INFO: Installing "\VBOXSVR\setup\cuckoo\files".

[2012-01-03 14:57:47,056] [Core.InstallCuckoo] INFO: Installing "\VBOXSVR\setup\cuckoo\shots".

[2012-01-03 14:57:47,076] [Core.InstallTarget] INFO: Installing target file from "\VBOXSVR\cuckoo1\malware.exe" to "C:".

[2012-01-03 14:57:47,137] [Core.PipeServer] INFO: Starting Pipe Server.

[2012-01-03 14:57:47,137] [Core.Analyzer] INFO: Analysis package imported from "packages.exe".

[2012-01-04 08:30:40,796] [Core.Analyzer] INFO: Executing analysis package run function.

[2012-01-04 08:30:40,796] [Screenshots.Run] INFO: Started taking screenshots.

[2012-01-04 08:30:40,806] [Execute.Execute] INFO: Launched process "C:\malware.exe" with arguments "None", ID "1544" and thread "0x0000074c".

[2012-01-04 08:30:40,917] [Monitor.Monitor] INFO: Using default Cuckoo DLL "C:\cuckoo\dll\cmonitor.dll".

[2012-01-04 08:30:41,016] [Inject.GrantDebugPrivilege] INFO: Successfully granted debug privileges on Cuckoo process.

[2012-01-04 08:30:41,127] [Inject.Inject] DEBUG: Process with PID 1544 successfully injected with DLL at path "C:\cuckoo\dll\awUuyd.dll".

[2012-01-04 08:30:41,256] [Monitor.Monitor] INFO: Original process with PID "1544" successfully injected.

[2012-01-04 08:30:41,286] [Screenshots.Run] DEBUG: Screenshot saved at "C:\cuckoo\shots\shot_1.jpg".

[2012-01-04 08:30:43,289] [Monitor.ResumeThread] INFO: Resumed thread with handle "0x0000074c".

[2012-01-04 08:30:43,299] [Core.Analyzer] INFO: Analysis package returned following process PID to add to monitor list: 1544.

[2012-01-04 08:30:43,299] [Core.AddFile] INFO: Newly created file path added to list: ÿÿ

[2012-01-04 08:30:43,309] [Core.Analyzer] INFO: Running for a maximum of 150 seconds.

[2012-01-04 08:30:43,329] [Core.AddFile] INFO: Newly created file path added to list: C:\WINDOWS\System32\rs32net.exe

[2012-01-04 08:30:43,329] [Core.PipeHandler] DEBUG: Received request to analyze process with PID 0.

[2012-01-04 08:30:43,339] [Inject.GrantDebugPrivilege] INFO: Successfully granted debug privileges on Cuckoo process.

[2012-01-04 08:30:43,339] [Inject.Inject] ERROR: Unable to obtain handle on process with PID 0 (GLE=87). Abort.

[2012-01-04 08:30:43,339] [Core.PipeHandler] ERROR: Failed injecting process with PID "0" (0x00000000).

[2012-01-04 08:30:43,339] [Core.Analyzer] INFO: Process with PID 1544 terminated.

[2012-01-04 08:30:44,351] [Core.PipeServer] INFO: Stopping Pipe Server.

[2012-01-04 08:30:44,351] [Screenshots.Stop] INFO: Stopping screenshots.

[2012-01-04 08:30:44,351] [Core.Analyzer] INFO: Analysis completed.

[2012-01-04 08:30:44,351] [Core.Analyzer] INFO: Executing analysis package "exe" custom finish function.

[2012-01-04 08:30:44,351] [Core.DumpFiles] DEBUG: Dropped file "ÿÿ" does not exist. Skip.

[2012-01-04 08:30:44,351] [Core.DumpFiles] DEBUG: Dropped file "C:\WINDOWS\System32\rs32net.exe" does not exist. Skip.

[2012-01-04 08:30:44,361] [Core.SaveResults] INFO: Saving analysis results to "\VBOXSVR\cuckoo1".

Here is my error dialogue in Python 2.6

[Cuckoo ASCII-art banner] v0.3.1

www.cuckoobox.org
Copyright (C) 2010-2011

[2012-01-04 05:30:16,302] [Core.Init] INFO: Started.
[2012-01-04 05:30:16,860] [VirtualMachine.Check] INFO: Your VirtualBox version is: "4.1.8", good!
[2012-01-04 05:30:16,860] [Core.Init] INFO: Populating virtual machines pool...
[2012-01-04 05:30:17,324] [VirtualMachine.Restore] INFO: Virtual machine "Cuckoo1" successfully restored to current snapshot.
[2012-01-04 05:30:17,379] [VirtualMachine.Infos] INFO: Virtual machine "Cuckoo1" information:
[2012-01-04 05:30:17,380] [VirtualMachine.Infos] INFO: _| Name: Cuckoo1
[2012-01-04 05:30:17,380] [VirtualMachine.Infos] INFO: | ID: 2fe4b559-5886-4897-b1f3-37eeb6a9e207
[2012-01-04 05:30:17,380] [VirtualMachine.Infos] INFO: | CPU Count: 1 Core/s
[2012-01-04 05:30:17,380] [VirtualMachine.Infos] INFO: | Memory Size: 512 MB
[2012-01-04 05:30:17,380] [VirtualMachine.Infos] INFO: | VRAM Size: 16 MB
[2012-01-04 05:30:17,381] [VirtualMachine.Infos] INFO: | State: Saved
[2012-01-04 05:30:17,381] [VirtualMachine.Infos] INFO: | Current Snapshot: "cuckoo-3"
[2012-01-04 05:30:17,381] [VirtualMachine.Infos] INFO: | MAC Address: 08:00:27:39:8E:14
[2012-01-04 05:30:17,403] [Core.Init] INFO: 1 virtual machine/s added to pool.
[2012-01-04 05:30:26,422] [Core.Dispatcher] INFO: Acquired analysis task for target "../malware.exe".
[2012-01-04 05:30:26,464](Task #13) [Core.Analysis.Run] INFO: Acquired virtual machine "cuckoo1".
[2012-01-04 05:30:26,467] [Sniffer.Start] INFO: Sniffer started monitoring 08:00:27:39:8E:14.
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1515 bytes
[2012-01-04 05:30:26,789] [VirtualMachine.Restore] INFO: Virtual machine "Cuckoo1" successfully restored to current snapshot.
[2012-01-04 05:30:29,261] [VirtualMachine.Start] INFO: Virtual machine "Cuckoo1" starting in "gui" mode.
[2012-01-04 05:30:29,364] [VirtualMachine.Execute] INFO: Cuckoo analyzer running with PID 496 on virtual machine "Cuckoo1".
[2012-01-04 05:30:44,464] [VirtualMachine.Execute] INFO: Cuckoo analyzer exited with code 0 on virtual machine "Cuckoo1".
[2012-01-04 05:30:44,465] [Sniffer.Stop] INFO: Sniffer stopped monitoring 08:00:27:39:8E:14.
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[2012-01-04 05:30:44,670](Task #13) [Core.Analysis.SaveResults] INFO: Analysis results successfully saved to "analysis/13".
[2012-01-04 05:30:44,792](Task #13) [Core.Analysis.Processing] INFO: Analysis results processor started with PID "27141".
Traceback (most recent call last):
  File "processor.py", line 35, in <module>
    main(sys.argv[1])
  File "processor.py", line 28, in main
    ReportProcessor().report(CuckooDict(analysis_path).process())
  File "/home/malware/cuckoo/cuckoo/cuckoo/reporting/reporter.py", line 58, in report
    self._observable.notify(report)
  File "/home/malware/cuckoo/cuckoo/cuckoo/reporting/observers.py", line 57, in notify
    observer.update(results)
  File "/home/malware/cuckoo/cuckoo/cuckoo/reporting/tasks/reporthtml.py", line 56, in update
    html = template.render(**results)
  File "/usr/lib/pymodules/python2.6/mako/template.py", line 133, in render
    return runtime._render(self, self.callable_, args, data)
  File "/usr/lib/pymodules/python2.6/mako/runtime.py", line 364, in _render
    _render_context(template, callable_, context, *args, **_kwargs_for_callable(callable_, data))
  File "/usr/lib/pymodules/python2.6/mako/runtime.py", line 381, in _render_context
    _exec_template(inherit, lclcontext, args=args, kwargs=kwargs)
  File "/usr/lib/pymodules/python2.6/mako/runtime.py", line 414, in _exec_template
    callable_(context, *args, **kwargs)
  File "base_html", line 37, in render_body
  File "/usr/lib/pymodules/python2.6/mako/runtime.py", line 255, in <lambda>
    return lambda *args, **kwargs:callable_(self.context, *args, **kwargs)
  File "report_html", line 48, in render_content
  File "/usr/lib/pymodules/python2.6/mako/runtime.py", line 307, in include_file
    callable_(ctx, **_kwargs_for_callable(callable_, context._orig, **kwargs))
  File "sections_general_information_html", line 64, in render_body
UnicodeDecodeError: 'ascii' codec can't decode byte 0xff in position 2289: ordinal not in range(128)
[2012-01-04 05:30:45,973] [VirtualMachine.Stop] INFO: Virtual machine "Cuckoo1" powered off successfully.
[2012-01-04 05:30:45,975](Task #13) [Core.Analysis.FreeVM] INFO: Virtual machine "cuckoo1" released.
[2012-01-04 05:30:45,975](Task #13) [Core.Analysis.Run] INFO: Analyis completed.
^C[2012-01-04 05:31:02,423] [Core.Init] CRITICAL: Keyboard interrupt catched! Forcing shutdown and restore of all virtual machines before exiting...
[2012-01-04 05:31:02,639] [VirtualMachine.Restore] INFO: Virtual machine "Cuckoo1" successfully restored to current snapshot.

MALWARE ZIP THAT CAUSES BUG

http://www.mediafire.com/?g9li126nhqul91t

^ IS MALWARE...

Cuckoo is not generating the file analysis.conf

Hi!
In Cuckoo 1.0 the file analysis.conf is not generated in the report folder.

I've tested it in a clean version of cuckoo 1.0, and the file cuckoo1.0/storage/analyses/1/analysis.conf is not generated.

I think this is a bug.
Best regards!

Avoid using duplicate naming for files and directories

Certain names are being used in multiple places and are thus misleading; examples are cuckoo, config and tracer. Better would be a description not only of the function but also of the use case, for example processtracer instead of tracer.

VirtualBOX hangs sometimes

While doing mass analysis, VirtualBox sometimes hangs and needs TLC to get started again. Although this is probably a VirtualBox problem, I do not like the manual intervention.

Surely my implementations s*cks, but this is how it works:

If the restore fails, it tries to find the corresponding process and kills it...
then it does a second attempt to restore before throwing its normal exception.

Good luck with your project.

modules/machinemanagers/virtualbox.py

Additional module-level function (needs import os, signal, subprocess, time and psutil at the top of the file):

    def findVBoxInstance(name):
        """Return the PID of the VirtualBox process running the VM `name`, or None."""
        for pid in psutil.pids():
            try:
                p = psutil.Process(pid)
                cmdline = p.cmdline()
                # The check assumes cmdline[2] of the VirtualBox process is the VM name.
                if p.name() == "VirtualBox" and len(cmdline) > 2 and cmdline[2] == name:
                    return pid
            except (psutil.NoSuchProcess, psutil.AccessDenied):
                continue  # process vanished or is not ours to inspect
        return None

Changed snapshot restore in start():

    if self._status(label) == self.RUNNING:
        raise CuckooMachineError("Trying to start an already started vm %s" % label)

    restore_cmd = [self.options.virtualbox.path, "snapshot", label, "restorecurrent"]
    try:
        if subprocess.call(restore_cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE):
            # First restore failed: kill the hung VirtualBox process of this VM and retry once.
            pid = findVBoxInstance(label)
            if pid:
                os.kill(pid, signal.SIGKILL)
            time.sleep(1)
            if subprocess.call(restore_cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE):
                raise CuckooMachineError("VBoxManage exited with error restoring the machine's snapshot")
    except OSError as e:
        # closes the try block of start(); the rest of the method is unchanged
        raise CuckooMachineError("VBoxManage failed restoring the machine's snapshot: %s" % e)

Analysis ends before network connection is set

A Windows VM generally takes about 3-4 seconds to bring up and set up the network connection.
As malware executes straight away, sometimes it is not able to perform its requests in time and just terminates before the link is up.

In these situations the execution lasts just a few seconds and the analysis terminates, actually not providing any useful data.

Feature: Passwords for Office/PDF Files

I have to analyse some documents with passwords. It is hard to put in the right password during a hot analysis.

I couldn't find an option to pass a password from host to guest, except for zip files.

Maybe this could be implemented.

thx

Strange behaviour caused by cuckoomon.dll

I am currently using a development version of cuckoomon.dll. It is from last week and includes the latest fixes. It is working better than the 1.0 version, but I could notice some strange behaviour.

When cuckoomon.dll is injected, starting samples (in this case PDF files) leads to error messages (e.g. font missing) that I cannot observe when starting the file manually in a VMware environment.

After the pop-up of the error message, Cuckoo will try to click OK and this will restart Acrobat Reader. In my analysis case Reader restarted 30 times during the analysis and the reports were messed up with loads of non-information.

Main question is: Why do I get an error message, that I do not get when doing "a run" manually?

Upload failed for 160Mo binary

I get this 'exceptions.MemoryError' error when I tried to upload a 160Mo exe.

Where am I wrong?

Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 551, in __bootstrap_inner
    self.run()
  File "/home/dev/cuckoo/lib/cuckoo/core/scheduler.py", line 309, in run
    success = self.launch_analysis()
  File "/home/dev/cuckoo/lib/cuckoo/core/scheduler.py", line 220, in launch_analysis
    guest.start_analysis(options)
  File "/home/dev/cuckoo/lib/cuckoo/core/guest.py", line 150, in start_analysis
    self.server.add_malware(data, options["file_name"])
  File "/usr/lib/python2.7/xmlrpclib.py", line 1224, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib/python2.7/xmlrpclib.py", line 1578, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.7/xmlrpclib.py", line 1264, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib/python2.7/xmlrpclib.py", line 1297, in single_request
    return self.parse_response(response)
  File "/usr/lib/python2.7/xmlrpclib.py", line 1473, in parse_response
    return u.close()
  File "/usr/lib/python2.7/xmlrpclib.py", line 793, in close
    raise Fault(**self._stack[0])
Fault: <Fault 1: "<type 'exceptions.MemoryError'>:">

Cuckoomon fails with IE injecting malware

Hello,

Lately I've seen a lot of IE-injecting malware from Exploit Kit drops. Kaspersky calls them Trojan-Downloader.Win32.Piker.pft. They don't seem to run properly in Cuckoo; I've tried using my own install and also on malwr. Here is the link to the malwr sample - https://malwr.com/analysis/ZmViNjRjMDc0ZjdkNDUyM2I4NmRmZWFlNWE0NDQ2NGQ/#

And here is a VT link - https://www.virustotal.com/en/file/2d314da07fa74e8b45f1dbb30758b1a7c8d842ad6754885c2d18a3df221c2ade/analysis/1370307028/

Something seems to be going wrong with cuckoomon when it injects into the malware. It unpacks much like typical malware by rewriting the sections, however, ZwMapViewOfSection seems to get hung-up, getting called some 300 times. The injection never actually occurs into IE. When I run the binary with the "free" option, everything works fine, and I can see the DNS requests to the rogue servers.

The analysis always times out. You can find the log at http://pastebin.com/xMHtkRpZ

I've tried running the binary under a WinXP and Win7 sandbox, both with IE8 installed.

I've tried using a different cuckoomon dll. I spoke to Jurriaan Bremer via email earlier and he referred me to the issue at #224 (comment). It wouldn't seem to be a related issue, as the IE injection never occurs here.

If anyone needs samples, I have plenty.

Cuckoo stumbled in an unhandled error!

Hi!

After submitting a binary to Cuckoo I get this error, and if I try to see the report via the web, I get this other error:

Error response

Error code 404.

Message: Not Found.

Error code explanation: 404 = Nothing matches the given URI.


Console error.

[2012-02-06 18:18:01,695] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:02,520] [VirtualMachine.Execute] INFO: Cuckoo analyzer exited with code 0 on virtual machine "Cuckoo2".
[2012-02-06 18:18:02,623](Task #434) [Core.Analysis.SaveResults] INFO: Analysis results successfully saved to "analysis/434".
[2012-02-06 18:18:02,646](Task #434) [Core.Analysis.CleanShare] DEBUG: Shared folder "shares/Cuckoo2" cleaned successfully.
[2012-02-06 18:18:02,697] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:02,769] [Database.Complete] DEBUG: Task with ID 434 updated to status "1".
[2012-02-06 18:18:02,798] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:02,799](Task #434) [Core.Analysis.Processing] INFO: Analysis results processor started with PID "5883".
[2012-02-06 18:18:03,446] [VirtualMachine.Stop] INFO: Virtual machine "Cuckoo2" powered off successfully.
[2012-02-06 18:18:03,458](Task #434) [Core.Analysis.FreeVM] INFO: Virtual machine "Cuckoo2" released.
[2012-02-06 18:18:03,458](Task #434) [Core.Analysis.Run] INFO: Analyis completed.
[2012-02-06 18:18:03,801] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:03,827] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:04,834] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:04,855] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:05,865] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:05,889] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:06,901] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:06,928] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:07,930] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:07,953] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:08,955] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:08,982] [Core.Dispatcher] DEBUG: No tasks pending.

------------------------------------[ERROR]-------------------------------------
Cuckoo stumbled in an unhandled error!
Before reporting the problem, please run with latest release from the development
Git repository at:
http://github.com/cuckoobox/cuckoo
If the exception persists, please send the following traceback to:
[email protected]
The developers will try to reproduce the bug, fix it and get in touch with you.

----------------------------------[TRACEBACK]-----------------------------------
Cuckoo version: v0.3.2
Python version: 2.7.2+ (default, Oct 4 2011, 20:06:09)
[GCC 4.6.1]
OS: linux2
Command line: processor.py analysis/434
Traceback (most recent call last):
  File "processor.py", line 67, in <module>
    main()
  File "processor.py", line 61, in main
    ReportProcessor(analysis_path).report(CuckooDict(analysis_path).process())
  File "/root/cuckoo/cuckoo/reporting/reporter.py", line 59, in report
    self._observable.notify(report)
  File "/root/cuckoo/cuckoo/reporting/observers.py", line 68, in notify
    observer.update(results)
  File "/root/cuckoo/cuckoo/reporting/tasks/reporthtml.py", line 47, in update
    html = template.render(**results)
  File "/usr/lib/python2.7/dist-packages/mako/template.py", line 296, in render
    return runtime._render(self, self.callable_, args, data)
  File "/usr/lib/python2.7/dist-packages/mako/runtime.py", line 660, in _render
    **_kwargs_for_callable(callable_, data))
  File "/usr/lib/python2.7/dist-packages/mako/runtime.py", line 692, in _render_context
    _exec_template(inherit, lclcontext, args=args, kwargs=kwargs)
  File "/usr/lib/python2.7/dist-packages/mako/runtime.py", line 718, in _exec_template
    callable_(context, *args, **kwargs)
  File "base_html", line 37, in render_body
  File "report_html", line 48, in render_content
  File "/usr/lib/python2.7/dist-packages/mako/runtime.py", line 587, in include_file
    callable_(ctx, **_kwargs_for_include(callable_, context._data, **kwargs))
  File "sections_general_information_html", line 94, in render_body
UnicodeDecodeError: 'ascii' codec can't decode byte 0xf3 in position 5036: ordinal not in range(128)

[2012-02-06 18:18:09,762] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:09,776] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:10,778] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:10,799] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:11,802] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:11,822] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:12,824] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:12,839] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:13,845] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:13,860] [Core.Dispatcher] DEBUG: No tasks pending.
[2012-02-06 18:18:14,867] [Database.Init] DEBUG: Connected to SQLite database "db/cuckoo.db".
[2012-02-06 18:18:14,881] [Core.Dispatcher] DEBUG: No tasks pending.

Thanks.

Yara Errors using Cuckoo

For some days now I cannot get any report. Cuckoo exits with an error that seems to be related to yara, but I don't know why. I uninstalled and deleted everything related to yara on my system and reinstalled using

sudo pip install yara

That installed Yara 1.7.6 and Yara-Ctypes 1.7.6 successfully.

But I always get this kind of error at the end of an analysis run:


2014-01-29 15:35:58,051 [lib.cuckoo.core.plugins] ERROR: Failed to run the processing module "Dropped":
Traceback (most recent call last):
  File "/RAID/cuckoosandbox/cuckoo-development/lib/cuckoo/core/plugins.py", line 184, in process
    data = current.run()
  File "/RAID/cuckoosandbox/cuckoo-development/modules/processing/dropped.py", line 23, in run
    file_info = File(file_path=file_path).get_all()
  File "/RAID/cuckoosandbox/cuckoo-development/lib/cuckoo/common/objects.py", line 264, in get_all
    infos["yara"] = self.get_yara()
  File "/RAID/cuckoosandbox/cuckoo-development/lib/cuckoo/common/objects.py", line 240, in get_yara
    except yara.Error as e:
AttributeError: 'module' object has no attribute 'Error'


What can I do?

Dev branch: machines are not "reconciled" in database upon restart, number keeps growing

The number of machines in the DB keeps growing upon restart of cuckoo.py when swapping to a different DBMS, e.g. MySQL or Postgres.

2013-12-16 22:24:45,907 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" machine manager
2013-12-16 22:24:48,824 [lib.cuckoo.core.scheduler] INFO: Loaded 9 machine/s
2013-12-16 22:24:48,824 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks...
^C

[... snip ...]

2013-12-16 22:25:09,685 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" machine manager
2013-12-16 22:25:14,318 [lib.cuckoo.core.scheduler] INFO: Loaded 18 machine/s
2013-12-16 22:25:14,319 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks...
^C

[... snip ...]

2013-12-16 22:25:34,033 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" machine manager
2013-12-16 22:25:40,111 [lib.cuckoo.core.scheduler] INFO: Loaded 27 machine/s
2013-12-16 22:25:40,112 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks...
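The log above shows the machine count tripling across three restarts with the same configuration, which is what happens when every start-up inserts the configured machines instead of reconciling them against the rows already present. The following is an added example of an idempotent reconciliation keyed on the machine label; it is not Cuckoo's own code and uses an in-memory SQLite database as a stand-in for whichever DBMS is configured. The table layout (label, ip, platform, locked) and the choice to clear stale locks on restart are assumptions made for the illustration.

```python
import sqlite3

# Assumed minimal schema for the illustration; UNIQUE(label) is what makes
# the pool reconcilable instead of append-only.
SCHEMA = """
CREATE TABLE IF NOT EXISTS machines (
    id INTEGER PRIMARY KEY,
    label TEXT NOT NULL UNIQUE,
    ip TEXT NOT NULL,
    platform TEXT NOT NULL,
    locked INTEGER NOT NULL DEFAULT 0
)
"""


def fresh_connection():
    """Open an in-memory database (stand-in for MySQL/Postgres/SQLite)."""
    return sqlite3.connect(":memory:")


def reconcile_machines(conn, configured):
    """Make the machines table match the configured pool, keyed by label.

    configured: iterable of (label, ip, platform) tuples as read from the
    machinery config. Labels no longer configured are deleted, known labels
    are updated in place (and their lock cleared, since a restart means no
    analysis can still hold them), and new labels are inserted. Calling this
    on every start-up therefore leaves exactly len(configured) rows.
    Returns the resulting row count.
    """
    conn.execute(SCHEMA)
    wanted = {label: (ip, platform) for label, ip, platform in configured}
    with conn:  # one transaction: either the whole pool is reconciled or nothing is
        existing = {row[0] for row in conn.execute("SELECT label FROM machines")}
        for label in existing - set(wanted):
            conn.execute("DELETE FROM machines WHERE label = ?", (label,))
        for label, (ip, platform) in wanted.items():
            if label in existing:
                conn.execute(
                    "UPDATE machines SET ip = ?, platform = ?, locked = 0 WHERE label = ?",
                    (ip, platform, label),
                )
            else:
                conn.execute(
                    "INSERT INTO machines (label, ip, platform) VALUES (?, ?, ?)",
                    (label, ip, platform),
                )
    return conn.execute("SELECT COUNT(*) FROM machines").fetchone()[0]


def simulate_restarts(configured, restarts=3):
    """Constructed scenario: load the same config on consecutive restarts
    against one persistent database and report the count after each."""
    conn = fresh_connection()
    return [reconcile_machines(conn, configured) for _ in range(restarts)]


if __name__ == "__main__":
    # Constructed pool of nine machines, mirroring the "Loaded 9 machine/s" line.
    pool = [("cuckoo%d" % i, "192.168.56.%d" % (100 + i), "windows") for i in range(1, 10)]
    print(simulate_restarts(pool))  # stays at 9 on every restart
```

The deletion step is deliberate: a machine removed from the config should also leave the pool, otherwise the scheduler can hand a task to a VM that no longer exists.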

Error on non ascii character

I got an error when a non-ASCII character exists in the path:

dev@L670:~/Téléchargements$ ~/cuckoo/utils/submit.py monbin.exe
Traceback (most recent call last):
  File "/home/dev/cuckoo/utils/submit.py", line 96, in <module>
    main()
  File "/home/dev/cuckoo/utils/submit.py", line 91, in main
    print(bold(green("Success")) + ": File \"{0}\" added as task with ID {1}".format(file_path, task_id))
UnicodeEncodeError: 'ascii' codec can't encode character u'\xe9' in position 11: ordinal not in range(128)

Low priority for this issue

Memory Dump: Type Error - 3 instead of 2 arguments

I'm getting the following error lines when Cuckoo is configured to do a memory dump. What's irritating to me: I can only count 2 arguments:

  • self.machine.label
  • result of os.path.join

Should work, to my understanding?

2013-12-13 09:57:46,732 [lib.cuckoo.core.scheduler] ERROR: Failure in AnalysisManager.run
Traceback (most recent call last):
  File "/_/__/__/lib/cuckoo/core/scheduler.py", line 367, in run
    success = self.launch_analysis()
  File "/__/__/*_*//lib/cuckoo/core/scheduler.py", line 276, in launch_analysis
    os.path.join(self.storage, "memory.dmp"))
TypeError: dump_memory() takes exactly 2 arguments (3 given)

Development Branch: No html report?

Yesterday I tried to set up a new cuckoo box using the newest development branch. I played around with reporting.conf using enablehtml = yes/no/on/off ... but what I don't get is an HTML report.

Do you see any reason what could be wrong?

thx,
Crashman

Copyright Notice and Contributors

I am annoyed by the gazillion occurrences of the author's name everywhere in the code. Just as a suggestion:
http://stackoverflow.com/questions/1497756/declaring-copyright-in-a-foss-project-with-major-and-minor-contributors

We as the people of the world are really thankful for any contribution, e.g. to FOSS, but it does not shed a good light if the authors (and there have already been more than one) put notes like:

"Cuckoo Sandbox is property of Claudio Guarnieri" (As seen on the html reports)

As FOSS is property of the community and not of one entity. What the author(s) can do, though, is dual-license it to their liking, but for this they have to get the consent of all the contributors, however small their contribution might have been.

No offence Claudio, we really appreciate the great work you have done, but don't put a shadow on your work with this behaviour. Explicit is not always better than implicit.

Blacklist previously unseen source IP addresses

In some situations, leftover connections from previous analyses appear in following ones.
In order to prevent this from showing up in the reports, we can blacklist non-local IP addresses sending packets to the VM. We assume that every established connection should start outbound.
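The rule stated above (keep a non-local host's packets only if the VM opened the flow first) is a small stateful filter. The following is an added example of that logic over a constructed packet list; it is not code from the Cuckoo project. The packet tuple layout, the VM address 192.168.56.101, the local network 192.168.56.0/24 and the documentation-range remote addresses are all assumptions for the illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed packet record: timestamp, protocol, source ip/port, destination ip/port.
Packet = namedtuple("Packet", "ts proto src sport dst dport")


class OutboundFirstFilter:
    """Drop packets from non-local hosts unless the VM initiated the flow.

    A flow is identified by (proto, vm_port, remote_ip, remote_port). Any
    packet sent by the VM registers its flow; an inbound packet from outside
    the local network is accepted only if the reversed tuple was registered,
    otherwise it is dropped and its source recorded in the blacklist.
    Hosts on the local network (gateway, DNS, result server) are never
    filtered, matching the 'non-local' scope of the rule.
    """

    def __init__(self, vm_ip, local_net):
        self.vm_ip = ipaddress.ip_address(vm_ip)
        self.local_net = ipaddress.ip_network(local_net)
        self.flows = set()       # flows the VM opened
        self.blacklist = set()   # remote IPs that sent unsolicited packets

    def accept(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        if src == self.vm_ip:
            # VM-originated: remember the flow so the reply is accepted later.
            self.flows.add((pkt.proto, pkt.sport, dst, pkt.dport))
            return True
        if dst != self.vm_ip:
            return True          # not addressed to the VM; out of scope
        if src in self.local_net:
            return True          # local infrastructure is always kept
        if (pkt.proto, pkt.dport, src, pkt.sport) in self.flows:
            return True          # reply to a connection the VM started
        self.blacklist.add(src)  # unsolicited: leftover from an earlier run
        return False


def filter_packets(packets, vm_ip, local_net):
    """Return (kept packets, sorted blacklisted IPs as strings)."""
    flt = OutboundFirstFilter(vm_ip, local_net)
    kept = [p for p in packets if flt.accept(p)]
    return kept, sorted(str(ip) for ip in flt.blacklist)


# Constructed sample capture: a stale reply from a previous analysis arrives
# before and after the VM's own, legitimate connection.
SAMPLE_PACKETS = [
    Packet(1, "tcp", "203.0.113.9", 80, "192.168.56.101", 49200),    # stale, never requested
    Packet(2, "tcp", "192.168.56.101", 49300, "198.51.100.7", 80),   # VM opens a connection
    Packet(3, "tcp", "198.51.100.7", 80, "192.168.56.101", 49300),   # legitimate reply
    Packet(4, "udp", "192.168.56.1", 53, "192.168.56.101", 50000),   # local DNS server answer
    Packet(5, "tcp", "203.0.113.9", 80, "192.168.56.101", 49200),    # stale host again
]

if __name__ == "__main__":
    kept, blacklisted = filter_packets(SAMPLE_PACKETS, "192.168.56.101", "192.168.56.0/24")
    print([p.ts for p in kept], blacklisted)
```

The assumption that every connection starts outbound has a cost worth keeping in mind: a sample that opens a listening port (a bind shell, for instance) and is then contacted from outside would have that inbound traffic dropped and the peer blacklisted, so the filter should be applied at report time rather than at capture time, where the raw pcap stays available.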

Try to restore snapshot even after failed power off

In some cases the malware ends up powering off the virtual machine. At the current stage, if Cuckoo fails to power it off by itself, it assumes that the machine is corrupted and removes it from the pool.

Need to add a forced attempt to restore virtual machine's snapshot even after a failed power off. In this way we can try to recover the machine and reuse it for other analyses.

Feature: Passwords for Office/PDF Files

I would suggest adding a feature that allows passing a password for Office and PDF Documents from Host to Guest!

Something like this has been implemented for Zip files already!

thx

cuckoo blind to traffic on port 8000 (e.g., Neutrino exploit kit)

By default Cuckoo doesn't capture any traffic to/from the sandbox VM on port 8000. This makes cuckoo totally blind to attacks/infections that occur over port 8000 (which just happens to be the default port Neutrino exploit kit uses these days).

I think this change fixes that problem while keeping XMLRPC traffic out of the dump:

  diff --git a/modules/auxiliary/sniffer.py b/modules/auxiliary/sniffer.py
  index 3f0d6cd..9d491de 100644
  --- a/modules/auxiliary/sniffer.py
  +++ b/modules/auxiliary/sniffer.py
  @@ -49,13 +49,8 @@ class Sniffer(Auxiliary):

         pargs.extend(["-w", file_path])
         pargs.extend(["host", host])
  -        # Do not capture XMLRPC agent traffic.
  -        pargs.extend(["and", "not", "(", "host", host, "and", "port",
  -                      str(CUCKOO_GUEST_PORT), ")"])
  -        # Do not capture ResultServer traffic.
  -        pargs.extend(["and", "not", "(", "host",
  -                      str(Config().resultserver.ip), "and", "port",
  -                      str(Config().resultserver.port), ")"])
  +        # Don't capture any traffic to/from the result server
  +        pargs.extend(["and", "not", "host", Config().resultserver.ip])

         if bpf:
             pargs.extend(["and", bpf])
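Review bot: the replacement filter `"and", "not", "host", Config().resultserver.ip` is broader than the two port-scoped exclusions it removes, and the hunk should narrow it. Every packet to or from the result server address now disappears from the pcap; in a host-only setup that address is often also the VM's default gateway and DNS server, so the sample's DNS lookups (which the old filter kept) would vanish together with the agent traffic. Conversely, if the agent on port CUCKOO_GUEST_PORT is reached from an interface address other than `Config().resultserver.ip`, the XMLRPC traffic the removed comment set out to exclude is now captured. A narrower fix that still addresses the port-8000 blindness is to keep the port-scoped exclusions but pin them to the sandbox-host peer, e.g. `"not", "(", "host", host, "and", "host", Config().resultserver.ip, "and", "port", str(CUCKOO_GUEST_PORT), ")"`, so a packet between the VM and an external server on port 8000 no longer matches the exclusion; the comment should then say which peer and ports are being excluded and why.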

Process tracing regression

Sometime in the last 30 days, a process tracing regression has occurred in the development branch. The process tables in the HTML report are empty.

Overall modularity of the system too fine grained

Often I find that the code is too modular, as e.g. the logging module is made up of four files which could easily be put into the __init__.py file and thus be available with a simple "from cuckoo import logging". Why split logic to that extent? It is not bad programming practice to define two or more classes/functions in the same file unless they are huge and/or have a completely different purpose, which is not the case in the above example. The reason to put them together is much better readability of the code, for example if it were only a logging.py file in the cuckoo directory.
Often the copyright notes are longer than the code?!

Sample doesn't work with injection (free=no) in cuckoo 1.0

Hi everyone,
I've found an error in cuckoo versions 0.5 and 1.0. I hoped that in version 1.0 it would be fixed, but no, it remains.

I'm analyzing an exe, a hesperbot sample. This sample makes requests to yahoo.com, google.com, wikipedia.org and the real C&C, ***gement.biz.

When I send the sample to cuckoo 1.0 the exe doesn't make the requests. But when I send the sample to cuckoo with the option free=yes (to avoid the injection of cuckoomon.dll) the sample works well and makes the HTTP requests.

I use this line:
utils/submit.py --timeout 60 hesperbot.exe --options free=yes

I think that there is a problem between the sample analyzed and the dll injected by cuckoo (cuckoomon.dll).

Anyone knows what is wrong? I can send the sample to test it. (https://www.virustotal.com/es/file/7e45f248f2e64cf5c8a6f996f0281a1876f06d4e69c4d21033b4c2f721383e85/analysis/)

Best regards!

Encode logging messages in Unicode

When trying to log events, it might happen under certain circumstances that the script is not able to handle some characters properly.
That might happen for example with non-standard file names.
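Both this issue and the submit.py traceback above (UnicodeEncodeError on "Téléchargements") come from building a text message out of a file name the current codec cannot represent. The following is an added example, not code from Cuckoo, of composing such a message so that it never raises: paths that arrive as bytes are decoded with the filesystem encoding and surrogateescape (so even invalid byte sequences survive and round-trip), and the text is made safe for an ASCII-only sink with backslash escapes. The message wording mirrors the submit.py line; the function names are assumptions.

```python
import os


def to_text(path):
    """Return a str for a filesystem path that may arrive as bytes.

    os.fsdecode() applies the filesystem encoding with the surrogateescape
    handler, so bytes that are not valid in that encoding do not raise; they
    become lone surrogates that os.fsencode() turns back into the same bytes.
    """
    if isinstance(path, bytes):
        return os.fsdecode(path)
    return path


def printable(text):
    """Make text safe for an ASCII-only sink (terminal, legacy log handler).

    Non-ASCII characters and surrogate escapes become \\xNN / \\uNNNN escapes
    instead of raising UnicodeEncodeError, and the result is a plain str.
    """
    return text.encode("ascii", "backslashreplace").decode("ascii")


def submission_message(file_path, task_id):
    """Build the 'added as task' line without ever raising on the path."""
    return 'Success: File "{0}" added as task with ID {1}'.format(
        printable(to_text(file_path)), task_id)


if __name__ == "__main__":
    # Constructed inputs: the accented path from the report, and a path
    # containing a byte that is not valid UTF-8.
    print(submission_message("/home/dev/Téléchargements/monbin.exe", 1))
    print(submission_message(b"/tmp/\xff.exe", 2))
```

For the logging module itself the same two steps apply in a Formatter: decode with surrogateescape on the way in, and only escape on the way out if the handler's stream cannot take UTF-8; a UTF-8 file handler can be given the decoded text unchanged.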

More information about analysis runs in the web interface

Under the category "recent" in the django web interface you can see all recent analysis tasks. I'm sorry, but after some days and 100 analysis tasks I don't know which hash corresponds to the analysis report I'm currently looking for.

I wish I could see more details! For example the machine that the analysis was run on. Maybe the filename of the file that was tested.

Or, much better: own tags!

Disable active processes check when no injection is performed

Since Cuckoo's analysis packages provide the possibility of not actually injecting and monitoring any process, it's necessary to adapt the main checking procedure and disable the check for active processes.
By not injecting, Cuckoo is not able to follow newly spawned processes, so such a check is not functional.

Detection of Excel Files (xls/xlsx)

I have some Excel files that I want to analyse. When I select "Detect Automatically", cuckoo will start MS Word and not Excel!

When I select Excel Filetype manually, cuckoo sandbox will work correctly.

I took a look into the repository, but couldn't find the mistake. It happens with Cuckoo 1.0 and 1.1-dev.
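One property of the formats makes Word/Excel confusion easy for any automatic detector: legacy .doc, .xls and .ppt files all share the same OLE2 compound-file signature, and the OOXML variants (.docx, .xlsx, .pptx) are all ordinary zip archives, so a check on the first bytes alone cannot tell them apart. The following is an added example, not Cuckoo's detection code, of a detector that looks inside the zip for the application's part directory and, for OLE2, falls back to the extension. The package names it returns ("doc", "xls", "ppt") and the helper names are assumptions; the sample files are constructed in memory.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file binary format
ZIP_MAGIC = b"PK\x03\x04"                           # first local file header

# OOXML packages are zips; the top-level part directory identifies the application.
OOXML_DIRS = {"word/": "doc", "xl/": "xls", "ppt/": "ppt"}
# Legacy binaries share the OLE2 header, so only the extension is cheap to use.
OLE2_EXTENSIONS = {"doc": "doc", "dot": "doc", "xls": "xls", "xlt": "xls",
                   "ppt": "ppt", "pps": "ppt"}


def detect_office_package(data, filename=""):
    """Return 'doc', 'xls', 'ppt' or None for the given file content."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return None
        for prefix, package in OOXML_DIRS.items():
            if any(name.startswith(prefix) for name in names):
                return package
        return None  # a zip, but not an Office package
    if data.startswith(OLE2_MAGIC):
        # Telling Word from Excel here properly means walking the compound
        # file directory for a "WordDocument" or "Workbook" stream; that is
        # left out, so the extension decides and unknown extensions give None.
        return OLE2_EXTENSIONS.get(ext)
    return None


def build_ooxml_sample(top_dir):
    """Construct a minimal zip with the layout of an OOXML package (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(top_dir + "document.xml", "<root/>")
    return buf.getvalue()


def build_ole2_sample():
    """Construct a 512-byte blob with only the OLE2 signature (test data only)."""
    return OLE2_MAGIC + b"\x00" * (512 - len(OLE2_MAGIC))


if __name__ == "__main__":
    print(detect_office_package(build_ooxml_sample("xl/"), "unknown.bin"))   # xls
    print(detect_office_package(build_ole2_sample(), "budget.xls"))          # xls
    print(detect_office_package(build_ole2_sample(), "unknown.bin"))         # None
```

The None result for an OLE2 file with an unknown extension is deliberate: handing a spreadsheet to Word produces the failure described in this issue, so an undecidable file is better routed to a generic package or rejected than guessed.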

MAEC40 report generation failure

When trying to pass a URL and not a file:

2014-01-28 22:31:53,288 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "MAEC40Report":
Traceback (most recent call last):
...
File "/Users/user/Project/cuckoo-dma/modules/reporting/maec40.py", line 704, in createWinExecFileObj
if len(self.results["static"]["pe_exports"]) > 0:
KeyError: 'pe_exports'

The createWinExecFileObj function assumes there are "pe_exports" and "pe_imports" entries, which seems to not always be the case.
