Requesting config extraction for Ursnif. I am able to get the final Ursnif payload that's injected into Explorer.exe using CAPE extraction and a yara rule. I've done some RE and have the functions that build the comms strings prior to encryption. At this point, I'd like to dump the data along with the encryption key. Would this require a capemon dll to hook these functions? Thoughts?

2019-09-04 09:23:11,633 [root] INFO: Generating grammar tables from /usr/lib/python2.7/lib2to3/Grammar.txt
2019-09-04 09:23:11,682 [root] INFO: Generating grammar tables from /usr/lib/python2.7/lib2to3/PatternGrammar.txt
2019-09-04 09:23:15,710 [lib.cuckoo.core.scheduler] INFO: Using "kvm" machine manager with max_analysis_count=0, max_machines_count=2, and max_vmstartup_count=2
2019-09-04 09:23:16,263 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2019-09-04 09:23:16,272 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.

Host: Debian 10 VM: Windows 10 x64 VM Config: UAC disabled, Firewall Disabled, Defender Disabled Machinery: KVM

Not sure why, but when using KVM as my machinery, the analysis never starts. It just sits there waiting for analysis tasks, despite showing 1 pending task.

Is there a way to enable debug logging so I can maybe see what isn't happening?

Dear all,

I am running CAPE with VirtualBox machinery and rooter to route traffic through tor if the need arises. The tor network is selectable as expected when I submit an analysis.

The circumvent geofencing of some malware I thought it would make sense to buy a vpn (like NordVPN) and create a VPN tunnel for every country I want to be able to use and select this VPN in the web interface before submitting the task.

Unfortunately I don't see the VPNs I added under conf/vpn.conf. As stated before Tor is running fine through rooter and the OpenVPN tunnel itsself is running fine also.

Here is my vpn.conf:

[vpn]
vpns = vpn0

[vpn0]
name = vpn0
description = openvpn_tunnel
interface = tun0
rt_table = tun0

Here is my /etc/iproute2/rt_tables:

255 local
254 main
253 default
0 unspec

400 eno1
401 tun0

(eno1 is my dirty/internet line)

Here is the crucial part of my cuckoo.conf:

[routing]
route = internet
internet = eno1
rt_table = main
auto_rt = yes

tor = on
tor_dnsport = 5353
tor_proxyport = 9040
tor_interface = eno1

Please excuse if I understood the whole thing wrong and this isn't possible at all to display all VPN connections in the dropdown on the web interface.

Every suggestion is highly appreciated!

Thanks

cc @kevoreilly

@doomedraven's distributed changes a few commits back causes this error

python manage.py runserver Performing system checks...

Unhandled exception in thread started by <function wrapper at 0x7fc63c059050> Traceback (most recent call last): File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/utils/autoreload.py", line 228, in wrapper fn(*args, **kwargs) File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/core/management/commands/runserver.py", line 124, in inner_run self.check(display_num_errors=True) File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/core/management/base.py", line 359, in check include_deployment_checks=include_deployment_checks, File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/core/management/base.py", line 346, in _run_checks return checks.run_checks(**kwargs) File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/core/checks/registry.py", line 81, in run_checks new_errors = check(app_configs=app_configs) File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/core/checks/urls.py", line 16, in check_url_config return check_resolver(resolver) File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/core/checks/urls.py", line 26, in check_resolver return check_method() File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/urls/resolvers.py", line 256, in check for pattern in self.url_patterns: File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/utils/functional.py", line 35, in get res = instance.dict[self.name] = self.func(instance) File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/urls/resolvers.py", line 407, in url_patterns patterns = getattr(self.urlconf_module, "urlpatterns", self.urlconf_module) File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/utils/functional.py", line 35, in get res = instance.dict[self.name] = self.func(instance) File "/home/cuckoo/venv/local/lib/python2.7/site-packages/django/urls/resolvers.py", line 400, in urlconf_module return import_module(self.urlconf_name) File "/usr/lib/python2.7/importlib/init.py", line 37, in import_module import(name) File "/home/cuckoo/CAPE/web/web/urls.py", line 15, in from submission import urls as submission File "/home/cuckoo/CAPE/web/submission/urls.py", line 6, in from submission import views File "/home/cuckoo/CAPE/web/submission/views.py", line 83, in session = create_session(repconf.distributed.db) File "/home/cuckoo/CAPE/web/../lib/cuckoo/common/dist_db.py", line 95, in create_session engine = create_engine(db_connectionn, pool_size=20, max_overflow=100) File "/home/cuckoo/venv/local/lib/python2.7/site-packages/sqlalchemy/engine/init.py", line 425, in create_engine return strategy.create(*args, **kwargs) File "/home/cuckoo/venv/local/lib/python2.7/site-packages/sqlalchemy/engine/strategies.py", line 162, in create engineclass.name)) TypeError: Invalid argument(s) 'pool_size','max_overflow' sent to create_engine(), using configuration SQLiteDialect_pysqlite/NullPool/Engine. Please check that the keyword arguments are appropriate for this combination of components.

This Word doc has a macro that executes an encoded powershell script: 5bc978433646fa357d6b2c29ab45f6789b14379c224d2d3fc25d310cc7258733

If I run with behavioral analysis either disabled or set disable_hook_content=1, the script will execute fully and attempt to download the next stage. However, if full hooking is left enabled the script is executed (shows up in executed_commands), but the network activity does not occur.

Hi I'm having an issue with CAPE connecting to my guest VM. I have verified that networking is not the issue and am able to curl vmip:8000 and get code 501. I continually get

2019-08-09 10:34:46,303 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet 2019-08-09 10:34:47,305 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet 2019-08-09 10:34:48,306 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet 2019-08-09 10:34:49,307 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet 2019-08-09 10:34:50,309 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet 2019-08-09 10:34:51,311 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet 2019-08-09 10:34:52,313 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet 2019-08-09 10:34:53,314 [lib.cuckoo.core.guest] DEBUG: Win7: not ready yet

and no activity on my VM. After timeout I get the following error

2019-08-09 10:35:02,698 [lib.cuckoo.core.plugins] ERROR: Failed to run the processing module "Dropped": Traceback (most recent call last): File "/home/cuckoo/CAPE/lib/cuckoo/core/plugins.py", line 197, in process data = current.run() File "/home/cuckoo/CAPE/modules/processing/dropped.py", line 28, in run file_names = os.listdir(self.dropped_path) OSError: [Errno 2] No such file or directory: '/opt/CAPE/storage/analyses/6/files'

After going to the dir I noticed the "files" dir doesn't exists. Any tips for resolving this issue.

I just noticed that CAPE includes copies of the files olefile.py, olevba, oleid, etc. (which is great, I'm glad they are useful) As those tools are regularly updated to fix bugs and to support new formats and new obfuscation tricks, it would be better not to include old copies here, but to install the latest versions with pip. Is there a specific reason why they are copied rather than imported?

I added the latest commits and am now getting the following errors. I've run multiple samples and get the same results.

2018-07-09 22:00:36,972 [lib.cuckoo.core.plugins] ERROR: Failed to run signature "CheckRemoteDebuggerPresent":
Traceback (most recent call last):
  File "/opt/cuckoo/utils/../lib/cuckoo/core/plugins.py", line 414, in run
    result = sig.on_call(call, proc)
  File "/opt/cuckoo/utils/../modules/signatures/CAPE.py", line 558, in on_call
    ProcessInformationClass = int(self.get_raw_argument(call, "ProcessInformationClass"), 0)
TypeError: int() can't convert non-string with explicit base
2018-07-09 22:00:37,056 [lib.cuckoo.core.plugins] ERROR: Failed to run signature "critical_process":
Traceback (most recent call last):
  File "/opt/cuckoo/utils/../lib/cuckoo/core/plugins.py", line 414, in run
    result = sig.on_call(call, proc)
  File "/opt/cuckoo/utils/../modules/signatures/critical_process.py", line 34, in on_call
    value = int(self.get_argument(call, "Value"))
TypeError: int() argument must be a string or a number, not 'NoneType'
2018-07-09 22:00:37,056 [lib.cuckoo.core.plugins] ERROR: Failed to run signature "dep_disable":
Traceback (most recent call last):
  File "/opt/cuckoo/utils/../lib/cuckoo/core/plugins.py", line 414, in run
    result = sig.on_call(call, proc)
  File "/opt/cuckoo/utils/../modules/signatures/dep_disable.py", line 34, in on_call
    value = int(self.get_argument(call, "Value"))
TypeError: int() argument must be a string or a number, not 'NoneType'
2018-07-09 22:00:37,071 [lib.cuckoo.core.plugins] ERROR: Failed to run signature "NtSetInformationThread":
Traceback (most recent call last):
  File "/opt/cuckoo/utils/../lib/cuckoo/core/plugins.py", line 414, in run
    result = sig.on_call(call, proc)
  File "/opt/cuckoo/utils/../modules/signatures/CAPE.py", line 497, in on_call
    ThreadInformationClass = int(self.get_raw_argument(call, "ThreadInformationClass"), 0)
TypeError: int() can't convert non-string with explicit base

It's been observed that CAPE's debugger does not work in KVM VMs - this is to do with the fact that KVM doesn't allow for use of the debug registers by the guest as discussed here:

https://patchwork.kernel.org/patch/4717311/ https://patchwork.kernel.org/patch/8436261/ https://bugzilla.redhat.com/show_bug.cgi?id=1068627

This means that several packages, most notably including the 'Extraction' behavioural package, will not work properly on these systems due to their dependence on the debugger.

If anyone knows of a workaround to allow use of debug registers within guest VMs on KVM, please let me know.

start with No handlers could be found for logger "lib.cuckoo.common.abstracts" works fine until I submit a file

CRITICAL: Unable to passthrough root command (drop_enable) as the rooter unix socket doesn't exist.

and it got stuck at DEBUG: cuckoo1: waiting for status 0x0001

Unable to go ahead after below step

INFO [alembic.runtime.migration] Context impl SQLiteImpl. INFO [alembic.runtime.migration] Will assume non-transactional DDL.

Hello, I have problem with start suricata and pcap file. I followed similar errors, but I did not manage to solve it, and i need a help to resolve the issue.

022-11-16 23:05:09,272 [Task 45] [modules.processing.behavior] INFO: Analysis results folder does not contain any file or injection was disabled 2022-11-16 23:05:09,279 [Task 45] [modules.processing.network] WARNING: The PCAP file does not exist at path "/opt/CAPEv2/storage/analyses/45/dump.pcap" 2022-11-16 23:05:09,280 [Task 45] [modules.processing.suricata] WARNING: Unable to Run Suricata: Pcap file /opt/CAPEv2/storage/analyses/45/dump.pcap does not exist

Bumps lief from 0.9.0 to 0.12.2.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Bumps numpy from 1.15.0 to 1.22.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Bumps numpy from 1.15.0 to 1.22.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

When I enable the memory dump to integrate malconfscan functionality into an environment with proxmox, I notice that the memory dump does not work (memory dump not found), and the machinery/proxmox source code I do not see the function for the dump. Am I doing something wrong?

In the CAPE report, inside CAPE.configs, in a CobalStrike sample, I found the following value under "C2Server": 185.150.119.33,/pixel

There is a "," (comma) between the IP and the path which renders the URL invalid. Is this on purpose or is this a bug?

The sample hash is 1b9309cc3159a8dc44bcde02642e559b65d1065f