CAPEv2 icon indicating copy to clipboard operation
CAPEv2 copied to clipboard

Published 20 hours ago verified publisher icon kevoreilly

Calc / Notepad detonation fail

Open gcmoreira opened this issue 4 years ago • 2 comments
trafficstars

Prerequisites

Please answer the following questions for yourself before submitting an issue.

  • [X] I am running the latest version
  • [X] I checked the documentation and found no answer
  • [X] I checked to make sure that this issue has not already been filed
  • [X] I'm reporting the issue to the correct repository (for multi-repository projects)
  • [X] I'm have read all configs with all optional parts

Expected Behavior

  • See calc.exe up and running in the screenshot.
  • See notepad.exe up and running in the screenshot.
  • Get the full API call trace for each one.

Current Behavior

None of them seems to work.

  • The screenshot doesn't show calc/notepad.
  • They finish almost as soon as they start, within the second.
  • The API trace doesn't look like the actual .exe was executed.

Failure Information (for bugs)

As per the Behavioral Analysis they finish within the second it was executed. I tested them in a local (updated) environment but also double-checked that the same results happen in your environment, see the following results:

  • https://capesandbox.com/analysis/174313 (calc.exe on win7x64)
  • https://capesandbox.com/analysis/174567 (calc.exe on win7x86)
  • https://capesandbox.com/analysis/174568 (notepad.exe on win7x86)

Steps to Reproduce

  1. Take calc.exe and notepad.exe from c:\windows\sytem32 on the same win7 or win10 guest machine. Both .exe are PE 32 bit so it doesn't matter.
  2. Submit them using the web default settings. I only forced the "Machine" just to make sure it will execute there.

Context

I tested them in a local updated environment but also double-checked that the same results happen in yours.

Local setup

Question Answer
Git commit 5d5ba06d8788ac561b267b20eec49e437decdf88
Community package Updated using $ python3 utils/community.py -waf
HOST OS version Ubuntu 20.04.2 LTS
GUEST OS versions win7x86, win7x64, win10x64

Failure Logs

Please check the result links above.

gcmoreira avatar Jul 28 '21 05:07 gcmoreira

Thanks for the heads up - will look into it.

kevoreilly avatar Jul 28 '21 05:07 kevoreilly

MUI problem - https://twitter.com/hasherezade/status/1558841246944317441

doomedraven avatar Aug 16 '22 07:08 doomedraven

doomed is right - this is a mui issue not a cape issue. hasherezade offers a nice explanation: https://github.com/hasherezade/libpeconv/issues/44

To prove this, instead of submitting notepad or calc, try submitting a batch file that launches them. Then cape has no problem monitoring these exes run from their proper location:

https://capesandbox.com/analysis/354918 https://capesandbox.com/analysis/354919

kevoreilly avatar Jan 20 '23 11:01 kevoreilly