CAPEv2 icon indicating copy to clipboard operation
CAPEv2 copied to clipboard

Published 20 hours ago verified publisher icon kevoreilly

AWS non-autoscale single EC2 guest still relies on an AMI while snapshot is available.

Open loust opened this issue 11 months ago • 1 comments

About accounts on capesandbox.com

  • Issues isn't the way to ask for account activation. Ping capesandbox in Twitter with your username

This is open source and you are getting free support so be friendly!

Prerequisites

Please answer the following questions for yourself before submitting an issue.

  • [ * ] I am running the latest version
  • [ * ] I did read the README!
  • [ * ] I checked the documentation and found no answer
  • [ * ] I checked to make sure that this issue has not already been filed
  • [ * ] I'm reporting the issue to the correct repository (for multi-repository projects)
  • [ * ] I have read and checked all configs (with all optional parts)

Expected Behavior

The aws.conf has enough configuration steps to look into what instance ID and snapshot ID to launch the correct machine. This means, whenever you run poetry run python3 cuckoo.py and it gets ready for analysis, uploading a binary to test from the web UI, it should turn off the specified instance, re-launch it, and do the analysis.

Current Behavior

Once poetry run python3 cuckoo.py is ran, CAPEv2 turns off the instance and readies it up for analysis. It awaits user input from the web UI, and once that's done, it crashes with an error saying that the AMI is not placed in aws.conf even though autoscale = no is configured and commented out.

Everything under [machine_name] for configuration is set where machines = machine_name is configured. It should follow up and use the snapshot, however, it gets stuck and throws this error: Failure in AnalysisManager.run: An error occurred (InvalidAMIID.Malformed) when calling the RunInstances operation: Invalid id: "ami-abcdefgh123456789" (expecting "ami-...")

Failure Information (for bugs)

There may be a configuration logic or parsing issue where it WANTS to create a new instance, regardless of autoscaling is turned off. So, it does not just turn on the existing EC2 with the hard coded instance ID, it just wants to make a new one for some reason due to the following error lines:

  File "/opt/CAPEv2/lib/cuckoo/core/scheduler.py", line 355, in acquire_machine
    machine = machinery.acquire(
  File "/opt/CAPEv2/modules/machinery/aws.py", line 184, in acquire
    self._start_or_create_machines()  # prepare another machine
  File "/opt/CAPEv2/modules/machinery/aws.py", line 208, in _start_or_create_machines
    if not self._allocate_new_machine():
  File "/opt/CAPEv2/modules/machinery/aws.py", line 139, in _allocate_new_machine
    instance = self._create_instance(
  File "/opt/CAPEv2/modules/machinery/aws.py", line 315, in _create_instance
    response = self.ec2_resource.create_instances(

Steps to Reproduce

  1. Configure aws.conf by placing the credentials in addition in ~/.aws/credentials
  2. Turn off the autoscaling feature, or comment out the entire thing
  3. Make sure that you have created your guest, and have made a snapshot out of it. Copy the Instance ID and snapshot ID
  4. Place the info from step 3 in the appropriate locations, in addition to the private IP of the host, including the SG and subnets.
  5. Make sure arch is also placed under the [machine_name] where machines = machine_name to force the arch to be seen by CAPE, otherwise, it does not, and is another issue.
  6. Launch poetry run python3 cuckoo.py, it will turn off the machine, and await an entry.
  7. Go to the web UI and upload a sample
  8. CAPE will complain that there is no AMI ID placed, even though in this configuration, it is not needed

Note that I've tried placing the AMI ID, it did not work still. I'm assuming the source code of scheduler.py or aws.py need to be changed? I can look into it soon to see what I can do.

Context

Basic AWS setup, default Windows AMI and Ubuntu 22.04 images.

Question Answer
Git commit commit 2b9b122110856a9e5703c6b94757597f41a6d8bd
OS version Ubuntu 22.04 (host) , Windows 10 (guest)

Failure Logs

cape@ip-xxx-xxx-xxx-xxx:/opt/CAPEv2$ poetry run python3 cuckoo.py

  .-----------------.
  | Cuckoo Sandbox? |
  |     OH NOES!    |\  '-.__.-'
  '-----------------' \  /oo |--.--,--,--.
                         \_.-'._i__i__i_.'
                               """""""""

 Cuckoo Sandbox 2.4-CAPE
 www.cuckoosandbox.org
 Copyright (c) 2010-2015

 CAPE: Config and Payload Extraction
 github.com/kevoreilly/CAPEv2

OPTIONAL! Missed dependency: pip3 install https://github.com/CAPESandbox/peepdf/archive/20eda78d7d77fc5b3b652ffc2d8a5b0af796e3dd.zip#egg=peepdf==0.4.2
OPTIONAL! Missed dependency: poetry run pip install -U git+https://github.com/DissectMalware/batch_deobfuscator
OPTIONAL! Missed dependency: poetry run pip install -U git+https://github.com/CAPESandbox/httpreplay
/usr/bin/tcpdump
2024-03-14 23:43:29,336 [modules.machinery.aws] INFO: connecting to AWS:us-east-2
2024-03-14 23:43:29,925 [modules.machinery.aws] INFO: instance state: poweroff
2024-03-14 23:43:29,989 [modules.machinery.aws] INFO: instance state: poweroff
2024-03-14 23:43:30,577 [lib.cuckoo.core.scheduler] INFO: Using "aws" machine manager with max_analysis_count=0, max_machines_count=10, and max_vmstartup_count=5
2024-03-14 23:43:30,582 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2024-03-14 23:43:30,586 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks
2024-03-14 23:43:42,967 [lib.cuckoo.core.scheduler] INFO: Task #6: File already exists at '/opt/CAPEv2/storage/binaries/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
2024-03-14 23:43:42,968 [lib.cuckoo.core.scheduler] INFO: Task #6: Starting analysis of FILE '/tmp/cuckoo-tmp/upload_ox8jqm0_/xxxxxxx.exe'
2024-03-14 23:43:43,013 [modules.machinery.aws] INFO: All machines are busy, allocating new machine
2024-03-14 23:43:43,285 [lib.cuckoo.core.scheduler] ERROR: Task #6: Failure in AnalysisManager.run: An error occurred (InvalidAMIID.Malformed) when calling the RunInstances operation: Invalid id: "ami-abcdefgh123456789" (expecting "ami-...")
Traceback (most recent call last):
  File "/opt/CAPEv2/lib/cuckoo/core/scheduler.py", line 623, in run
    success = self.launch_analysis()
  File "/opt/CAPEv2/lib/cuckoo/core/scheduler.py", line 478, in launch_analysis
    self.acquire_machine()
  File "/opt/CAPEv2/lib/cuckoo/core/scheduler.py", line 355, in acquire_machine
    machine = machinery.acquire(
  File "/opt/CAPEv2/modules/machinery/aws.py", line 184, in acquire
    self._start_or_create_machines()  # prepare another machine
  File "/opt/CAPEv2/modules/machinery/aws.py", line 208, in _start_or_create_machines
    if not self._allocate_new_machine():
  File "/opt/CAPEv2/modules/machinery/aws.py", line 139, in _allocate_new_machine
    instance = self._create_instance(
  File "/opt/CAPEv2/modules/machinery/aws.py", line 315, in _create_instance
    response = self.ec2_resource.create_instances(
  File "/home/cape/.cache/pypoetry/virtualenvs/capev2-t2x27zRb-py3.10/lib/python3.10/site-packages/boto3/resources/factory.py", line 581, in do_action
    response = action(self, *args, **kwargs)
  File "/home/cape/.cache/pypoetry/virtualenvs/capev2-t2x27zRb-py3.10/lib/python3.10/site-packages/boto3/resources/action.py", line 88, in __call__
    response = getattr(parent.meta.client, operation_name)(*args, **params)
  File "/home/cape/.cache/pypoetry/virtualenvs/capev2-t2x27zRb-py3.10/lib/python3.10/site-packages/botocore/client.py", line 553, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/cape/.cache/pypoetry/virtualenvs/capev2-t2x27zRb-py3.10/lib/python3.10/site-packages/botocore/client.py", line 1009, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidAMIID.Malformed) when calling the RunInstances operation: Invalid id: "ami-abcdefgh123456789" (expecting "ami-...")
InvalidAMIID.Malformed^C2024-03-14 23:50:45,388 [root] INFO: Received keyboard interrupt, stopping.
2024-03-14 23:50:45,403 [lib.cuckoo.common.abstracts] INFO: Still 1 guests still alive, shutting down...
2024-03-14 23:50:45,599 [modules.machinery.aws] INFO: instance state: running
2024-03-14 23:50:46,051 [modules.machinery.aws] INFO: instance state: stopping
2024-03-14 23:50:47,127 [modules.machinery.aws] INFO: instance state: stopping

loust avatar Mar 15 '24 02:03 loust

Hello, AWS is community driven machinery, we can't help with this, so wait till someone with AWS comes to rescue o you will find to figurate yourself, as error comes from aws related library not cape

doomedraven avatar Mar 15 '24 06:03 doomedraven

i would suggest to review this https://y4nush.com/posts/installation-of-capev2-sandbox-on-aws/ but as nobody response and we don't provide support to AWS im closing it

doomedraven avatar Jul 12 '24 07:07 doomedraven