Cuckoo file analysis issue

Problem description (votes: 1, answers: 1)

When I submit a binary for analysis in Cuckoo, it doesn't seem to do anything. I can ping between the VM and the host OS (Ubuntu 14.04 LTS), and Python 2.7 and PIL are installed on the VM (Windows 7 32-bit). Cuckoo is able to start the VM snapshot, but it doesn't appear to actually send the file. Running curl from the host OS produces output on the agent.py running in the Windows 7 VM. Below is the output I get when running cuckoo.py in debug mode, followed by the output of submit.py.

cuckoo@cuckoo-virtual-machine:~/Downloads/cuckoo$ ./cuckoo.py -d

Cuckoo Sandbox 2.0-rc1
www.cuckoosandbox.org
Copyright (c) 2010-2015
Checking for updates...
Good! You have the latest version available.
2016-05-05 14:18:34,079 [root] DEBUG: Importing modules...
2016-05-05 14:18:34,168 [root] DEBUG: Imported "signatures" modules:
2016-05-05 14:18:34,168 [root] DEBUG:    |-- CreatesExe
2016-05-05 14:18:34,168 [root] DEBUG:    `-- SystemMetrics
2016-05-05 14:18:34,169 [root] DEBUG: Imported "processing" modules:
2016-05-05 14:18:34,169 [root] DEBUG:    |-- AnalysisInfo
2016-05-05 14:18:34,169 [root] DEBUG:    |-- ApkInfo
2016-05-05 14:18:34,169 [root] DEBUG:    |-- Baseline
2016-05-05 14:18:34,169 [root] DEBUG:    |-- BehaviorAnalysis
2016-05-05 14:18:34,169 [root] DEBUG:    |-- DroppedBuffer
2016-05-05 14:18:34,169 [root] DEBUG:    |-- Debug
2016-05-05 14:18:34,170 [root] DEBUG:    |-- Droidmon
2016-05-05 14:18:34,170 [root] DEBUG:    |-- Dropped
2016-05-05 14:18:34,170 [root] DEBUG:    |-- TLSMasterSecrets
2016-05-05 14:18:34,170 [root] DEBUG:    |-- GooglePlay
2016-05-05 14:18:34,170 [root] DEBUG:    |-- Memory
2016-05-05 14:18:34,170 [root] DEBUG:    |-- NetworkAnalysis
2016-05-05 14:18:34,171 [root] DEBUG:    |-- ProcessMemory
2016-05-05 14:18:34,171 [root] DEBUG:    |-- Screenshots
2016-05-05 14:18:34,171 [root] DEBUG:    |-- Snort
2016-05-05 14:18:34,171 [root] DEBUG:    |-- Static
2016-05-05 14:18:34,171 [root] DEBUG:    |-- Strings
2016-05-05 14:18:34,171 [root] DEBUG:    |-- Suricata
2016-05-05 14:18:34,171 [root] DEBUG:    |-- TargetInfo
2016-05-05 14:18:34,171 [root] DEBUG:    `-- VirusTotal
2016-05-05 14:18:34,172 [root] DEBUG: Imported "auxiliary" modules:
2016-05-05 14:18:34,172 [root] DEBUG:    |-- MITM
2016-05-05 14:18:34,172 [root] DEBUG:    |-- Services
2016-05-05 14:18:34,172 [root] DEBUG:    `-- Sniffer
2016-05-05 14:18:34,172 [root] DEBUG: Imported "reporting" modules:
2016-05-05 14:18:34,172 [root] DEBUG:    |-- JsonDump
2016-05-05 14:18:34,172 [root] DEBUG:    |-- Moloch
2016-05-05 14:18:34,173 [root] DEBUG:    |-- MongoDB
2016-05-05 14:18:34,173 [root] DEBUG:    `-- ReportHTML
2016-05-05 14:18:34,173 [root] DEBUG: Imported "machinery" modules:
2016-05-05 14:18:34,173 [root] DEBUG:    `-- VirtualBox
2016-05-05 14:18:34,175 [root] DEBUG: Checking for locked tasks..
2016-05-05 14:18:34,181 [root] DEBUG: Checking for pending service tasks..
2016-05-05 14:18:34,184 [root] DEBUG: Initializing Yara...
2016-05-05 14:18:34,185 [root] DEBUG:    |-- index_binaries.yar
2016-05-05 14:18:34,185 [root] DEBUG:    `-- index_memory.yar
2016-05-05 14:18:34,190 [lib.cuckoo.core.resultserver] DEBUG: ResultServer running on 192.168.56.1:2042.
2016-05-05 14:18:34,192 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" as machine manager
2016-05-05 14:18:34,266 [modules.machinery.virtualbox] DEBUG: Getting status for Windows_7
2016-05-05 14:18:34,340 [modules.machinery.virtualbox] DEBUG: Machine Windows_7 status poweroff
2016-05-05 14:18:34,358 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2016-05-05 14:18:34,368 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
2016-05-05 14:19:31,411 [lib.cuckoo.core.scheduler] DEBUG: Processing task #1
2016-05-05 14:19:31,413 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE "XXX.exe" (task #1, options "")
2016-05-05 14:19:31,468 [lib.cuckoo.core.scheduler] INFO: Task #1: acquired machine Windows_7 (label=Windows_7)
2016-05-05 14:19:31,469 [lib.cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2016-05-05 14:19:31,523 [modules.machinery.virtualbox] DEBUG: Starting vm Windows_7
2016-05-05 14:19:31,523 [modules.machinery.virtualbox] DEBUG: Getting status for Windows_7
2016-05-05 14:19:31,600 [modules.machinery.virtualbox] DEBUG: Machine Windows_7 status poweroff
2016-05-05 14:19:31,621 [modules.machinery.virtualbox] DEBUG: Using current snapshot for virtual machine Windows_7
2016-05-05 14:19:31,684 [modules.machinery.virtualbox] DEBUG: Getting status for Windows_7
2016-05-05 14:19:31,771 [modules.machinery.virtualbox] DEBUG: Machine Windows_7 status saved
2016-05-05 14:19:34,167 [modules.machinery.virtualbox] DEBUG: Getting status for Windows_7
2016-05-05 14:19:34,289 [modules.machinery.virtualbox] DEBUG: Machine Windows_7 status running


cuckoo@cuckoo-virtual-machine:~/Downloads/cuckoo/utils$ ./submit.py -d /home/cuckoo/Downloads/XXX.exe
Success: File "/home/cuckoo/Downloads/XXX.exe" added as task with ID 1
cuckoo@cuckoo-virtual-machine:~/Downloads/cuckoo/utils$
python django sandbox malware-detection cuckoo
1 answer

0 votes

It may be VM-detecting malware. It detects the virtual machine environment and does not start running. Try submitting it to VirusTotal or another site and see what the results are. You can also increase the analysis time and the upload size; more analysis time gives Cuckoo more chances.
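As an added triage helper (not part of the question or the answer above), the script below parses a Cuckoo 2.0 debug log like the one posted and reports the resultserver bind address and, per task, whether the VM booted and whether any guest hand-off was logged. It assumes that `lib.cuckoo.core.guest` is the module that logs guest-side progress and that those lines mention the machine label; the sample log is a constructed excerpt of the question's output.

```python
import re

# Log line shape used by cuckoo.py -d: "<date> <time> [<module>] <LEVEL>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<mod>[^\]]+)\] (?P<lvl>[A-Z]+): (?P<msg>.*)$")
TASK_START_RE = re.compile(r'Starting analysis of \w+ "(?P<target>[^"]+)" \(task #(?P<id>\d+)')
ACQUIRED_RE = re.compile(r"Task #(?P<id>\d+): acquired machine (?P<machine>\S+)")
STATUS_RE = re.compile(r"Machine (?P<machine>\S+) status (?P<status>\w+)")
RESULTSERVER_RE = re.compile(r"ResultServer running on (?P<addr>[\d.]+:\d+)")
GUEST_MODULE = "lib.cuckoo.core.guest"  # assumption: guest hand-off progress is logged by this module

# Constructed sample: the relevant lines of the debug log shown in the question.
SAMPLE_LOG = """\
2016-05-05 14:18:34,190 [lib.cuckoo.core.resultserver] DEBUG: ResultServer running on 192.168.56.1:2042.
2016-05-05 14:19:31,413 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE "XXX.exe" (task #1, options "")
2016-05-05 14:19:31,468 [lib.cuckoo.core.scheduler] INFO: Task #1: acquired machine Windows_7 (label=Windows_7)
2016-05-05 14:19:34,289 [modules.machinery.virtualbox] DEBUG: Machine Windows_7 status running
"""

def triage(log_text):
    # Returns {"resultserver": "ip:port" or None, "tasks": {task_id: {...,"verdict": ...}}}
    report = {"resultserver": None, "tasks": {}}
    machine_to_task = {}
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        mod, msg = m.group("mod"), m.group("msg")
        rs = RESULTSERVER_RE.search(msg)
        if rs:
            report["resultserver"] = rs.group("addr")
        start = TASK_START_RE.search(msg)
        if start:
            report["tasks"][start.group("id")] = {"target": start.group("target"), "machine": None,
                                                 "machine_status": None, "guest_lines": 0}
        acq = ACQUIRED_RE.search(msg)
        if acq and acq.group("id") in report["tasks"]:
            report["tasks"][acq.group("id")]["machine"] = acq.group("machine")
            machine_to_task[acq.group("machine")] = acq.group("id")
        st = STATUS_RE.search(msg)
        if st and st.group("machine") in machine_to_task:
            report["tasks"][machine_to_task[st.group("machine")]]["machine_status"] = st.group("status")
        if mod == GUEST_MODULE:  # count guest-side lines that name the task's machine label
            for label, tid in machine_to_task.items():
                if label in msg:
                    report["tasks"][tid]["guest_lines"] += 1
    for task in report["tasks"].values():
        if task["guest_lines"]:
            task["verdict"] = "guest_reached"       # agent answered; inspect the guest-side log next
        elif task["machine_status"] == "running":
            task["verdict"] = "stalled_after_boot"  # VM is up but no hand-off was logged
        else:
            task["verdict"] = "booting" if task["machine"] else "queued"
    return report
```

A "stalled_after_boot" verdict with a pingable VM, as in the question, points at the host-to-agent step and at whether the guest can reach the resultserver address (192.168.56.1:2042 here) rather than at the sample itself.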
