
IE11 errors on 64-bit Win 7 VM

Open enzok opened this issue 9 years ago • 6 comments

I’m having an issue when submitting a task that runs Internet Explorer 11 in a 64-bit Windows 7 VM. IE throws an error popup and doesn’t run. This issue doesn’t happen in my 32-bit VM. However, if I disable injection, then IE runs.

IE Version - 11.0.9600.16428 (KB2841134)

2017-01-20 09:21:25,812 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" with arguments ""http://"" with pid 2848
2017-01-20 09:21:25,812 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-01-20 09:21:25,921 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2848
2017-01-20 09:21:27,921 [lib.api.process] INFO: Successfully resumed process with pid 2848
2017-01-20 09:21:27,921 [root] INFO: Added new process to list with pid: 2848
2017-01-20 09:21:28,015 [root] INFO: Cuckoomon successfully loaded in process with pid 2848.
2017-01-20 09:21:28,046 [root] INFO: Announced 64-bit process name: iexplore.exe pid: 2688
2017-01-20 09:21:28,046 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-01-20 09:21:28,092 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2688
2017-01-20 09:21:28,092 [root] INFO: Disabling sleep skipping.
2017-01-20 09:21:28,187 [root] INFO: Disabling sleep skipping.
2017-01-20 09:21:28,203 [root] INFO: Added new process to list with pid: 2688
2017-01-20 09:21:28,203 [root] INFO: Cuckoomon successfully loaded in process with pid 2688.
2017-01-20 09:21:29,875 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2017-01-20 09:21:30,937 [root] INFO: Notified of termination of process with pid 2688.
2017-01-20 09:21:30,937 [root] INFO: Notified of termination of process with pid 2848.
2017-01-20 09:21:31,921 [root] INFO: Process with pid 2848 has terminated
2017-01-20 09:21:32,921 [root] INFO: Process with pid 2688 has terminated 2

enzok, Jan 23 '17 18:01

Add debug=1 to options, and check your cuckoo log.

-Brad

spender-sandbox, Jan 23 '17 18:01

Here's the debug output:

2017-01-23 13:51:46,506 [lib.cuckoo.core.guest] INFO: Starting analysis on guest

2017-01-23 13:51:57,345 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, ntdll.dll+1a5db ntdll.dll+18e62 ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2017-01-23 13:51:57,345 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, kernel32.dll+99460 ntdll.dll+93398 ntdll.dll+185c8 ntdll.dll+29d2d ntdll.dll+191cf ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2017-01-23 13:52:32,856 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, ntdll.dll+1a5db ntdll.dll+18e62 ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2017-01-23 13:52:32,856 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, kernel32.dll+99460 ntdll.dll+93398 ntdll.dll+185c8 ntdll.dll+29d2d ntdll.dll+191cf ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2017-01-23 13:52:40,264 [requests.packages.urllib3.connectionpool] INFO: Starting new HTTPS connection (1): www.virustotal.com

2017-01-23 13:52:41,523 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, ntdll.dll+1a5db ntdll.dll+18e62 ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2017-01-23 13:52:41,523 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, kernel32.dll+99460 ntdll.dll+93398 ntdll.dll+185c8 ntdll.dll+29d2d ntdll.dll+191cf ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2017-01-23 13:55:43,142 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, ntdll.dll+1a5db ntdll.dll+18e62 ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2017-01-23 13:55:43,143 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, kernel32.dll+99460 ntdll.dll+93398 ntdll.dll+185c8 ntdll.dll+29d2d ntdll.dll+191cf ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2017-01-23 13:55:43,586 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, ntdll.dll+1a5db ntdll.dll+18e62 ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2017-01-23 13:55:43,587 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, kernel32.dll+99460 ntdll.dll+93398 ntdll.dll+185c8 ntdll.dll+29d2d ntdll.dll+191cf ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2017-01-23 13:55:48,812 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, ntdll.dll+1a5db ntdll.dll+18e62 ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2017-01-23 13:55:48,813 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, kernel32.dll+99460 ntdll.dll+93398 ntdll.dll+185c8 ntdll.dll+29d2d ntdll.dll+191cf ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

enzok, Jan 23 '17 19:01
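A small triage helper for the monitor's "Exception Caught!" lines pasted above, added here as an example and not code from cuckoo-modified or from anyone in this thread: it parses each line, collapses the repeated crashes into one site with a hit count, and checks whether the bytes at EIP (8b 41 74, i.e. mov eax,[ecx+0x74]) are a load whose displacement equals the fault address, which is the signature of a NULL base pointer rather than a wild one. The sample lines are abridged from the thread (stack and byte dump shortened).

```python
import re
from collections import Counter

# Shape of the cuckoomon "Exception Caught!" debug line shown in the thread above.
EXC_RE = re.compile(
    r"Exception Caught! PID: (?P<pid>\d+) EIP: (?P<eip>\S+) [0-9a-f]+, "
    r"Fault Address: (?P<fault>[0-9a-f]+), Esp: [0-9a-f]+, Exception Code: (?P<code>[0-9a-f]+), "
    r"(?P<stack>.*?) Bytes at EIP: (?P<bytes>[0-9a-f ]+)$")
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # x86 ModRM register order

def parse_exception(line):
    """Dict for one monitor exception line; None for any other log line."""
    m = EXC_RE.search(line.rstrip())
    if not m:
        return None
    return {"pid": int(m["pid"]), "eip": m["eip"], "code": m["code"], "fault": int(m["fault"], 16),
            "stack": m["stack"].split(), "bytes": bytes.fromhex(m["bytes"].replace(" ", ""))}

def decode_mov_load(code):
    """Decode 'mov r32, [r32+disp8]' (opcode 8B, ModRM mod=01) into (dst, base, disp);
    None for anything else (the SIB form, rm=4, is deliberately not handled)."""
    if len(code) < 3 or code[0] != 0x8B:
        return None
    mod, reg, rm = code[1] >> 6, (code[1] >> 3) & 7, code[1] & 7
    if mod != 1 or rm == 4:
        return None
    disp = code[2] - 0x100 if code[2] >= 0x80 else code[2]  # disp8 is sign-extended
    return REGS[reg], REGS[rm], disp

def null_base_deref(rec):
    """True when an access violation hits a load whose fault address equals the
    instruction's displacement: the base register held NULL (here ecx, disp 0x74)."""
    dec = decode_mov_load(rec["bytes"])
    return (rec["code"] == "c0000005" and dec is not None
            and rec["fault"] == dec[2] and rec["fault"] < 0x1000)

def crash_sites(lines):
    """Collapse repeated identical crashes into (eip, code, fault) -> hit count."""
    counts = Counter()
    for rec in filter(None, map(parse_exception, lines)):
        counts[(rec["eip"], rec["code"], rec["fault"])] += 1
    return counts

SAMPLE_LOG = [  # abridged from the thread above: stack and byte dump shortened
    "2017-01-23 13:51:57,345 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: "
    "Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: "
    "0022f290, Exception Code: c0000005, ntdll.dll+1a5db WININET.dll+1742 Bytes at EIP: 8b 41 74 44",
    "2017-01-23 13:52:32,856 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: "
    "Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: "
    "0022f290, Exception Code: c0000005, kernel32.dll+99460 ntdll.dll+5339d Bytes at EIP: 8b 41 74 44",
]
```

Running `crash_sites` over a full cuckoo.log shows at a glance whether every hit is the same ntdll site, and `null_base_deref` tells you whether the 32-bit side is dereferencing an unset structure pointer rather than corrupted memory.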

See if the problem persists with disable_hook_content=1 passed in options.

-Brad

spender-sandbox, Jan 23 '17 19:01

Problem persists, same exceptions.

enzok, Jan 23 '17 20:01

I had forgotten about this issue thread. You may want to ensure all security-related stuff is disabled: https://github.com/spender-sandbox/cuckoo-modified/issues/235

KillerInstinct, Jan 26 '17 14:01

I disabled all security settings that I am aware of; however, I'll go back and verify that I didn't miss something or revert to a snapshot that wasn't set up properly. Otherwise, it looks like I installed IE the same way as what is described in the issue #235 thread.

enzok, Jan 26 '17 15:01