drakvuf-sandbox
Can't run task on Windows 10 1909
Describe the bug
Hello, I can't run an exe or doc in the sandbox. I can upload them, but after 1 min I always receive an error. I'm using Windows 10 x64 Pro 1909.
How to reproduce
Steps to reproduce the behavior:
- Install drakcore and drakrun
- Execute
draksetup ...
- Execute (what commands?)...
Output of the status checking commands
root@srvtest:/var/log# drak-healthcheck
Checking daemon status...
drak-web.service OK
drak-system.service OK
drak-minio.service OK
Checking worker status...
[email protected] OK
[email protected] OK
SYSLOG
May 12 18:30:45 srvtest uwsgi[964]: [pid: 964|app: 0|req: 77/201] 192.168.0.100 () {36 vars in 692 bytes} [Wed May 12 18:30:45 2021] GET /status/495d91bc-7580-483e-8d20-df283f4acc09 => generated 33 bytes in 1 msecs (HTTP/1.1 200) 4 headers in 140 bytes (1 switches on core 0)
May 12 18:30:46 srvtest drakrun[793]: [2021-05-12 18:30:46,129][ERROR] Analysis attempt failed. Retrying...
May 12 18:30:46 srvtest drakrun[793]: Traceback (most recent call last):
May 12 18:30:46 srvtest drakrun[793]: File "/opt/venvs/drakrun/lib/python3.8/site-packages/drakrun/main.py", line 657, in process
May 12 18:30:46 srvtest drakrun[793]: info = self.analyze_sample(sample_path, workdir, outdir, start_command, timeout)
May 12 18:30:46 srvtest drakrun[793]: File "/opt/venvs/drakrun/lib/python3.8/site-packages/drakrun/main.py", line 569, in analyze_sample
May 12 18:30:46 srvtest drakrun[793]: raise e
May 12 18:30:46 srvtest drakrun[793]: File "/opt/venvs/drakrun/lib/python3.8/site-packages/drakrun/main.py", line 559, in analyze_sample
May 12 18:30:46 srvtest drakrun[793]: subprocess.run(
May 12 18:30:46 srvtest drakrun[793]: File "/usr/lib/python3.8/subprocess.py", line 512, in run
May 12 18:30:46 srvtest drakrun[793]: raise CalledProcessError(retcode, process.args,
May 12 18:30:46 srvtest drakrun[793]: subprocess.CalledProcessError: Command '['drakvuf', '-a', 'apimon', '-a', 'memdump', '-a', 'procmon', '-a', 'syscalls', '-a', 'tlsmon', '-o', 'json', '-F', '-j', '60', '-t', '120', '-i', '4912', '-k', '0x1aa002', '-d', 'vm-1', '--dll-hooks-list', '/tmp/drakrun/vm-1/hooks.txt', '--memdump-dir', '/tmp/drakrun/vm-1/output/dumps', '--ipt-dir', '/tmp/drakrun/vm-1/output/ipt', '--ipt-trace-user', '--codemon-dump-dir', '/tmp/drakrun/vm-1/output/ipt', '--codemon-log-everything', '--codemon-analyse-system-dll-vad', '-r', '/var/lib/drakrun/profiles/kernel.json', '-e', 'C:\\Users\\user\\Desktop\\nwamafour.exe', '-c', 'C:\\Users\\user\\Desktop', '--json-wow', '/var/lib/drakrun/profiles/wow_ntdll_profile.json', '--json-tcpip', '/var/lib/drakrun/profiles/tcpip_profile.json', '--json-sspicli', '/var/lib/drakrun/profiles/sspicli_profile.json', '--json-kernel32', '/var/lib/drakrun/profiles/kernel32_profile.json', '--json-kernelbase', '/var/lib/drakrun/profiles/kernelbase_profile.json', '--json-wow-kernel32', '/var/lib/drakrun/profiles/wow_kernel32_profile.json', '--json-iphlpapi', '/var/lib/drakrun/profiles/iphlpapi_profile.json', '--json-mpr', '/var/lib/drakrun/profiles/mpr_profile.json', '--json-ntdll', '/var/lib/drakrun/profiles/ntdll_profile.json']' returned non-zero exit status 1.
May 12 18:30:46 srvtest drakrun[793]: ERROR:karton.drakrun-prod:Analysis attempt failed. Retrying...
May 12 18:30:46 srvtest drakrun[793]: Traceback (most recent call last):
May 12 18:30:46 srvtest drakrun[793]: File "/opt/venvs/drakrun/lib/python3.8/site-packages/drakrun/main.py", line 657, in process
May 12 18:30:46 srvtest drakrun[793]: info = self.analyze_sample(sample_path, workdir, outdir, start_command, timeout)
May 12 18:30:46 srvtest drakrun[793]: File "/opt/venvs/drakrun/lib/python3.8/site-packages/drakrun/main.py", line 569, in analyze_sample
May 12 18:30:46 srvtest drakrun[793]: raise e
May 12 18:30:46 srvtest drakrun[793]: File "/opt/venvs/drakrun/lib/python3.8/site-packages/drakrun/main.py", line 559, in analyze_sample
May 12 18:30:46 srvtest drakrun[793]: subprocess.run(
May 12 18:30:46 srvtest drakrun[793]: File "/usr/lib/python3.8/subprocess.py", line 512, in run
May 12 18:30:46 srvtest drakrun[793]: raise CalledProcessError(retcode, process.args,
May 12 18:30:46 srvtest drakrun[793]: subprocess.CalledProcessError: Command '['drakvuf', '-a', 'apimon', '-a', 'memdump', '-a', 'procmon', '-a', 'syscalls', '-a', 'tlsmon', '-o', 'json', '-F', '-j', '60', '-t', '120', '-i', '4912', '-k', '0x1aa002', '-d', 'vm-1', '--dll-hooks-list', '/tmp/drakrun/vm-1/hooks.txt', '--memdump-dir', '/tmp/drakrun/vm-1/output/dumps', '--ipt-dir', '/tmp/drakrun/vm-1/output/ipt', '--ipt-trace-user', '--codemon-dump-dir', '/tmp/drakrun/vm-1/output/ipt', '--codemon-log-everything', '--codemon-analyse-system-dll-vad', '-r', '/var/lib/drakrun/profiles/kernel.json', '-e', 'C:\\Users\\user\\Desktop\\nwamafour.exe', '-c', 'C:\\Users\\user\\Desktop', '--json-wow', '/var/lib/drakrun/profiles/wow_ntdll_profile.json', '--json-tcpip', '/var/lib/drakrun/profiles/tcpip_profile.json', '--json-sspicli', '/var/lib/drakrun/profiles/sspicli_profile.json', '--json-kernel32', '/var/lib/drakrun/profiles/kernel32_profile.json', '--json-kernelbase', '/var/lib/drakrun/profiles/kernelbase_profile.json', '--json-wow-kernel32', '/var/lib/drakrun/profiles/wow_kernel32_profile.json', '--json-iphlpapi', '/var/lib/drakrun/profiles/iphlpapi_profile.json', '--json-mpr', '/var/lib/drakrun/profiles/mpr_profile.json', '--json-ntdll', '/var/lib/drakrun/profiles/ntdll_profile.json']' returned non-zero exit status 1.
May 12 18:30:46 srvtest drakrun[793]: [2021-05-12 18:30:46,132][ERROR] Giving up after 3 failures...
May 12 18:30:46 srvtest drakrun[793]: ERROR:karton.drakrun-prod:Giving up after 3 failures...
May 12 18:30:46 srvtest drakrun[793]: [2021-05-12 18:30:46,141][INFO] Task done - ba38cabc-acaf-4874-bf8e-31ab193b6259
May 12 18:30:46 srvtest drakrun[793]: INFO:karton.drakrun-prod:Task done - ba38cabc-acaf-4874-bf8e-31ab193b6259
May 12 18:30:46 srvtest drak-system[992]: [2021-05-12 18:30:46,143][INFO] [495d91bc-7580-483e-8d20-df283f4acc09] karton.drakrun-prod Finished task ba38cabc-acaf-4874-bf8e-31ab193b6259
May 12 18:30:46 srvtest uwsgi[964]: [pid: 964|app: 0|req: 78/202] 192.168.0.100 () {36 vars in 692 bytes} [Wed May 12 18:30:46 2021] GET /status/495d91bc-7580-483e-8d20-df283f4acc09 => generated 30 bytes in 1 msecs (HTTP/1.1 200) 4 headers in 140 bytes (1 switches on core 0)
May 12 18:30:46 srvtest uwsgi[964]: [pid: 964|app: 0|req: 79/203] 192.168.0.100 () {36 vars in 688 bytes} [Wed May 12 18:30:46 2021] GET /logs/495d91bc-7580-483e-8d20-df283f4acc09 => generated 53 bytes in 3 msecs (HTTP/1.1 200) 4 headers in 140 bytes (1 switches on core 0)
May 12 18:30:46 srvtest uwsgi[962]: [pid: 962|app: 0|req: 45/204] 192.168.0.100 () {36 vars in 690 bytes} [Wed May 12 18:30:46 2021] GET /graph/495d91bc-7580-483e-8d20-df283f4acc09 => generated 29 bytes in 4 msecs (HTTP/1.1 404) 4 headers in 147 bytes (1 switches on core 0)
May 12 18:30:46 srvtest uwsgi[964]: [pid: 964|app: 0|req: 80/205] 192.168.0.100 () {36 vars in 724 bytes} [Wed May 12 18:30:46 2021] GET /processed/495d91bc-7580-483e-8d20-df283f4acc09/process_tree => generated 29 bytes in 2 msecs (HTTP/1.1 404) 4 headers in 147 bytes (1 switches on core 0)
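An added triage helper, not part of the report or of drakrun itself: it parses syslog lines shaped like the ones above, recovers the drakvuf argv from the CalledProcessError (the repr'd list is a valid Python literal) and reports, per drakrun worker pid, how many attempts failed, the exit status, the sample path and VM domain from the argv, the retry limit at which drakrun gave up, and the task id. The excerpt it runs on is constructed from the report's lines with a shortened argv.

```python
import ast
import re
from collections import defaultdict

# Constructed syslog excerpt in the shape of the lines quoted in the report
# (the drakvuf argv is shortened; the real invocation carries many more flags).
SAMPLE_SYSLOG = """\
May 12 18:30:46 srvtest drakrun[793]: [2021-05-12 18:30:46,129][ERROR] Analysis attempt failed. Retrying...
May 12 18:30:46 srvtest drakrun[793]: subprocess.CalledProcessError: Command '['drakvuf', '-a', 'apimon', '-t', '120', '-d', 'vm-1', '-e', 'C:\\\\Users\\\\user\\\\Desktop\\\\sample.exe']' returned non-zero exit status 1.
May 12 18:30:46 srvtest drakrun[793]: ERROR:karton.drakrun-prod:Analysis attempt failed. Retrying...
May 12 18:30:46 srvtest drakrun[793]: [2021-05-12 18:30:46,132][ERROR] Giving up after 3 failures...
May 12 18:30:46 srvtest drakrun[793]: [2021-05-12 18:30:46,141][INFO] Task done - ba38cabc-acaf-4874-bf8e-31ab193b6259
May 12 18:30:46 srvtest uwsgi[964]: GET /status/495d91bc-7580-483e-8d20-df283f4acc09 => generated 30 bytes (HTTP/1.1 200)
"""

# syslog prefix "<ts> <host> <unit>[<pid>]: <message>", then the payloads we care about
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ (?P<unit>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CMD_RE = re.compile(r"CalledProcessError: Command '(?P<argv>\[.*\])' returned non-zero exit status (?P<rc>\d+)")
GIVEUP_RE = re.compile(r"Giving up after (?P<n>\d+) failures")
TASK_RE = re.compile(r"Task done - (?P<task>[0-9a-f-]{36})")

def flag_value(argv, flag):
    """Return the value following `flag` in a drakvuf argv, or None if absent."""
    try:
        return argv[argv.index(flag) + 1]
    except (ValueError, IndexError):
        return None

def triage_drakrun_log(text):
    """Summarise drakvuf failures per drakrun worker pid from syslog text."""
    workers = defaultdict(lambda: {"attempts_failed": 0, "gave_up_after": None,
                                   "exit_status": None, "sample": None, "domain": None, "task": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("unit").startswith("drakrun"):
            continue  # ignore uwsgi, drak-system and other units
        w, msg = workers[int(m.group("pid"))], m.group("msg")
        # drakrun logs each event twice (own handler + karton's); count only the "[ERROR]" form
        if "[ERROR] Analysis attempt failed" in msg:
            w["attempts_failed"] += 1
        elif c := CMD_RE.search(msg):
            argv = ast.literal_eval(c.group("argv"))  # the repr'd list is a valid literal
            w["exit_status"] = int(c.group("rc"))
            w["sample"] = flag_value(argv, "-e")
            w["domain"] = flag_value(argv, "-d")
        elif g := GIVEUP_RE.search(msg):
            w["gave_up_after"] = int(g.group("n"))
        elif t := TASK_RE.search(msg):
            w["task"] = t.group("task")
    return dict(workers)
```

Running it over the real syslog (journalctl -u drakrun@* or /var/log/syslog) shows at a glance whether drakvuf itself is exiting non-zero, which is the case in this report, rather than the analysis timing out.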
Hello,
Thanks for reporting. It seems we have had some issues with Windows 10 for the last few releases. We will look into it.
The best-tested OS for DRAKVUF Sandbox is Windows 7; in the meantime I suggest trying that one, it should work much better.
Thanks a lot for your work! Win 7 works great.
I want to work on it, will you assign me?