
BehaviorAnalysis hangs on Office .doc file

Open markro20 opened this issue 10 years ago • 10 comments

I have the current version installed, but when processing an infected DOC file on Win7x64, multiple errors are raised and in the end the processing hangs. On WinXP the same file processes fine with not too many results, but at least it is not hanging.

Here are some errors examples I found in log file:

2015-11-05 09:03:30,277 [lib.cuckoo.core.plugins] ERROR: Failed to run the processing module "BehaviorAnalysis":
Traceback (most recent call last):
  File "/home/sandbox1/cuckoo-modified/lib/cuckoo/core/plugins.py", line 197, in process
    data = current.run()
  File "/home/sandbox1/cuckoo-modified/modules/processing/behavior.py", line 1106, in run
    for call in process["calls"]:
  File "/home/sandbox1/cuckoo-modified/modules/processing/behavior.py", line 191, in next
    return self.cacheless_next()
  File "/home/sandbox1/cuckoo-modified/modules/processing/behavior.py", line 168, in cacheless_next
    self.wait_for_lastcall()
  File "/home/sandbox1/cuckoo-modified/modules/processing/behavior.py", line 146, in wait_for_lastcall
    if not self.parser.read_next_message():
  File "/home/sandbox1/cuckoo-modified/lib/cuckoo/common/netlog.py", line 195, in read_next_message
    self.handler.log_call(context, apiname, category, arguments)
  File "/home/sandbox1/cuckoo-modified/modules/processing/behavior.py", line 252, in log_call
    returnval] + arguments)
  File "/home/sandbox1/cuckoo-modified/modules/processing/behavior.py", line 311, in _parse
    pretty = pretty_print_arg(category, api_name, arg_name, argument["value"])
  File "/home/sandbox1/cuckoo-modified/lib/cuckoo/common/utils.py", line 1261, in pretty_print_arg
    val = int(arg_val, 16)
ValueError: invalid literal for int() with base 16: '0x-7fffffff'

2015-11-05 09:03:36,957 [lib.cuckoo.core.plugins] ERROR: Failed to run signature "antianalysis_detectfile":
Traceback (most recent call last):
  File "/home/sandbox1/cuckoo-modified/lib/cuckoo/core/plugins.py", line 351, in process
    data = current.run()
  File "/home/sandbox1/cuckoo-modified/modules/signatures/antianalysis_detectfile.py", line 26, in run
    file_match = self.check_file(pattern=indicator, regex=True, all=True)
  File "/home/sandbox1/cuckoo-modified/lib/cuckoo/common/abstracts.py", line 762, in check_file
    subject = self.results["behavior"]["summary"]["files"]
KeyError: 'behavior'

2015-11-05 09:03:37,002 [lib.cuckoo.core.plugins] ERROR: Failed to run signature "fleercivet_mutex":
Traceback (most recent call last):
  File "/home/sandbox1/cuckoo-modified/lib/cuckoo/core/plugins.py", line 351, in process
    data = current.run()
  File "/home/sandbox1/cuckoo-modified/modules/signatures/trojan_fleercivet_mutex.py", line 34, in run
    if self.check_mutex(pattern=indicator):
  File "/home/sandbox1/cuckoo-modified/lib/cuckoo/common/abstracts.py", line 890, in check_mutex
    subject = self.results["behavior"]["summary"]["mutexes"]
KeyError: 'behavior'

And the process completely hangs at:

2015-11-05 09:03:37,004 [lib.cuckoo.core.plugins] DEBUG: Running signature "volatility_svcscan_3"
2015-11-05 09:03:37,004 [lib.cuckoo.core.plugins] DEBUG: Running signature "webmail_phish"
2015-11-05 09:03:37,004 [lib.cuckoo.core.scheduler] ERROR: Failure in AnalysisManager.run: 'behavior'
Traceback (most recent call last):
  File "/home/sandbox1/cuckoo-modified/lib/cuckoo/core/scheduler.py", line 429, in run
    self.process_results()
  File "/home/sandbox1/cuckoo-modified/lib/cuckoo/core/scheduler.py", line 373, in process_results
    RunReporting(task=self.task.to_dict(), results=results).run()
  File "/home/sandbox1/cuckoo-modified/lib/cuckoo/core/plugins.py", line 577, in init
    for process in results["behavior"]["processes"]:
KeyError: 'behavior'

Any ideas what is wrong?

markro20 avatar Nov 05 '15 08:11 markro20
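The root of the cascade in the tracebacks above is a single call: pretty_print_arg does int(arg_val, 16) on an argument value the logger emitted as '0x-7fffffff' (the minus sign placed after the 0x prefix), Python rejects it, BehaviorAnalysis aborts, and because results["behavior"] is never populated every signature and the reporting stage then fail with KeyError: 'behavior'. The following is an added example, written for this thread and not code from cuckoo-modified or from the fix that was later merged; it reproduces the failing int() call, shows a tolerant parser that accepts both the normal '0x1f' form and the malformed '0x-7fffffff' form, and reinterprets the negative value as a 32-bit DWORD on the assumption (ours) that the logger formatted a signed 32-bit integer. The argument names and values in SAMPLE_ARGS are constructed for illustration; only the '0x-7fffffff' literal comes from the traceback.

```python
import re

# Constructed sample API-argument values for illustration. They are not taken
# from the issue's bson logs; only '0x-7fffffff' appears in the traceback.
SAMPLE_ARGS = {
    "hModule": "0x400000",
    "dwFlags": "0x1f",
    "lResult": "0x-7fffffff",   # sign after the prefix: int(x, 16) rejects this
    "lpName": "kernel32.dll",   # not a number at all; must pass through untouched
}

# Optional sign before the prefix (Python's normal form) or after it
# (the malformed form seen in the log), then hex digits.
_HEX_RE = re.compile(r"^(-?)0[xX](-?)([0-9a-fA-F]+)$")


def naive_parse_fails(arg_val):
    """Reproduce the original behaviour: True if int(arg_val, 16) raises."""
    try:
        int(arg_val, 16)
    except ValueError:
        return True
    return False


def parse_hex_arg(arg_val):
    """Parse a hex-formatted argument value without ever raising.

    Accepts '0x1f', '-0x10' and the malformed '0x-7fffffff'. Returns None when
    the value is not a hexadecimal number, so the caller can keep the raw
    string instead of aborting the whole BehaviorAnalysis run.
    """
    m = _HEX_RE.match(arg_val.strip())
    if not m:
        return None
    sign_before, sign_after, digits = m.groups()
    value = int(digits, 16)
    # A sign in either position negates once; two signs are treated the same
    # rather than cancelling out, since neither form is a legitimate encoding.
    if sign_before or sign_after:
        value = -value
    return value


def to_unsigned32(value):
    """Reinterpret a (possibly negative) value as a 32-bit unsigned DWORD.

    Assumption (ours, not the page's): the logger formatted a signed 32-bit
    integer, so -0x7fffffff is the DWORD 0x80000001.
    """
    return value & 0xFFFFFFFF


def pretty_args(args):
    """Return {name: pretty string}; never raises on odd values."""
    out = {}
    for name, raw in args.items():
        parsed = parse_hex_arg(raw)
        if parsed is None:
            out[name] = raw                      # leave non-numeric values alone
        else:
            out[name] = "0x%08x" % to_unsigned32(parsed)
    return out


if __name__ == "__main__":
    print("naive int() fails on '0x-7fffffff':", naive_parse_fails("0x-7fffffff"))
    for name, pretty in pretty_args(SAMPLE_ARGS).items():
        print("%-8s %s" % (name, pretty))
```

The design point is that a pretty-printer runs over attacker-influenced data (the logged arguments of a sample's API calls) and sits on the path that decides whether any behaviour results exist at all, so it should degrade per argument rather than raise; whether the negative value should be rendered as a signed number or a DWORD depends on the API's declared return type, which the traceback alone does not tell you.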

Researching more, I found that this could be linked with Issue #58, but it seems the problem appears only in some situations.

markro20 avatar Nov 05 '15 13:11 markro20

Can you provide me with the bson logs for that analysis so I can see if it's the same issue of the bad version of bson?

brad-sp avatar Nov 05 '15 13:11 brad-sp

Here are the logs https://db.tt/os8tH49c

markro20 avatar Nov 05 '15 15:11 markro20

Any more advice on the issue I have? Is it because of the wrong bson version? Thanks!

markro20 avatar Nov 16 '15 10:11 markro20

I am running into the same traceback while analyzing a PE binary (MD5 d8165ba07f937a94e5a48d90e0ad3197). Subsequently, all signatures error out with tracebacks, and the analysis hangs in a processing state.

jgajek avatar Nov 25 '15 18:11 jgajek

Thanks, I can reproduce it now as well on a 64-bit guest.

-Brad

brad-sp avatar Nov 25 '15 18:11 brad-sp

Thanks Brad, I tried installing the latest 'bson' module over the one that comes with pymongo in my Dockerized Cuckoo build (https://github.com/jgajek/cuckoo-docker) but this conflicts and breaks the Django web UI. So unfortunately installing the 'bson' module is not a viable solution.

jgajek avatar Nov 25 '15 19:11 jgajek

Hi, I am also having this issue, it makes Cuckoo Sandbox almost unusable. Is there any fix for this problem? Thanks.

ernestszocs avatar Dec 02 '15 16:12 ernestszocs

ernestszocs: Yes, I submitted a fix which has been merged here: https://github.com/spender-sandbox/cuckoo-modified

jgajek avatar Dec 02 '15 20:12 jgajek

Thanks Jacob. Your fix worked for me.

markro20 avatar Dec 03 '15 13:12 markro20