Problems that may arise during the use of Cuckoo Sandbox and their solutions





A collection of problems encountered recently

Question 1:

You do not have the m2crypto library installed preventing certificate extraction. Please read the Cuckoo documentation on installing m2crypto (you need SWIG installed and then pip install m2crypto==0.24.0)!

Solution:

  • Install m2crypto with pip
pip install m2crypto==0.24.0  # Installing this pinned version is likely to fail with an error
pip install m2crypto          # Alternatively, install the latest version directly

Question 2:

It appears that you haven't loaded any Cuckoo Signatures. Signatures are highly recommended and improve & enrich the information extracted during an analysis. They also make up for the analysis score that you see in the Web Interface - so, pretty important!

Solution:

cuckoo community
## If the network is slow, download master.tar.gz through a proxy first and then run the following command instead
## url: https://github.com/cuckoosandbox/community/archive/master.tar.gz
# cuckoo community --file /home/master.tar.gz

Question 3:

2020-12-20 20:19:31,634 [cuckoo.core.plugins] ERROR: Failed to run the processing module "Static" for task #28:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/plugins.py", line 246, in process
    data = current.run()
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/processing/static.py", line 1075, in run
    static.update(PortableExecutable(f.file_path).run())
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/processing/static.py", line 317, in run
    results["signature"] = self._get_signature()
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/processing/static.py", line 279, in _get_signature
    "locality": subject.L,
  File "/usr/lib/python2.7/dist-packages/M2Crypto/X509.py", line 321, in __getattr__
    return util.py3str(m2.x509_name_by_nid(self.x509_name, self.nid[attr]))
  File "/usr/lib/python2.7/dist-packages/M2Crypto/util.py", line 66, in py3str
    raise TypeError('No string argument provided')
TypeError: No string argument provided

This problem occurs because the installed version of m2crypto is too new. The official documentation specifies the version as m2crypto==0.24.0.

Solution:

  • Install the 0.24.0 .deb package together with the package it depends on
sudo apt remove python-m2crypto     # Uninstall the m2crypto installed via apt
sudo pip uninstall m2crypto         # Uninstall the m2crypto installed via pip
## Run both commands above.

wget http://security.debian.org/debian-security/pool/updates/main/o/openssl1.0/libssl1.0.2_1.0.2u-1~deb9u3_amd64.deb
# libssl1.0.2_1.0.2u-1~deb9u3_amd64.deb is the dependency required by the m2crypto package
wget http://ftp.br.debian.org/debian/pool/main/m/m2crypto/python-m2crypto_0.24.0-1.1_amd64.deb
# m2crypto version 0.24.0

# Install the dependency first so that dpkg can configure python-m2crypto
sudo dpkg -i libssl1.0.2_1.0.2u-1~deb9u3_amd64.deb
sudo dpkg -i python-m2crypto_0.24.0-1.1_amd64.deb

# Hold the package at 0.24.0 so that apt upgrades do not replace it
sudo apt-mark hold python-m2crypto

Question 4:

After the network of the Windows 7 guest virtual machine is configured as host-only, the guest cannot access the network, although it can still ping the Ubuntu host machine.

Solution:

  1. Enable IP forwarding

Edit /etc/sysctl.conf,

sudo vim /etc/sysctl.conf

Find net.ipv4.ip_forward=1 and uncomment it, save the file, and then execute the following command to make the configuration effective.

sudo sysctl -p /etc/sysctl.conf
  2. Configure the iptables forwarding rules (these take effect immediately but do not survive a reboot)
sudo -i
iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE

Once this is done, the Windows 7 guest can access the network normally, but the Ubuntu host may lose network access. This is a DNS configuration problem: edit /etc/resolv.conf, change nameserver 127.0.0.53 to nameserver 114.114.114.114, and save the file; the host can then access the network normally.

  3. Make the iptables forwarding rules persistent with the iptables-persistent tool
sudo apt-get install iptables-persistent
sudo netfilter-persistent save
sudo netfilter-persistent reload

sudo systemctl enable netfilter-persistent.service
## Note
# The saved rules are written to the following files
#/etc/iptables/rules.v4
#/etc/iptables/rules.v6
  4. Stop /etc/resolv.conf from being overwritten with 127.0.0.53
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
sudo apt install unbound
sudo rm -rf /etc/resolv.conf
sudo vim /etc/NetworkManager/NetworkManager.conf

Add the following line below [main]:

dns=unbound
  5. Restart the host
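As an added example (not code from this page or from Cuckoo), the following Python check reads iptables-save output and reports which of the three forwarding/NAT rules above are missing, so the host configuration can be verified after a reboot. It assumes the interface names vboxnet0 and eth0 and the subnet 192.168.56.0/24 used above; the sample dump is constructed.

```python
# Added example (not from the page or Cuckoo): check an iptables-save dump for the
# three forwarding/NAT rules above.  Real host:  sudo iptables-save | python3 check_nat.py
import shlex
import sys

GUEST_IF, HOST_IF, GUEST_NET = "vboxnet0", "eth0", "192.168.56.0/24"
REQUIRED = [  # (table, chain, options that must all be present on one rule)
    ("nat", "POSTROUTING", {"-j": "MASQUERADE"}),
    ("filter", "FORWARD", {"-i": GUEST_IF, "-o": HOST_IF, "-s": GUEST_NET,
                           "--ctstate": "NEW", "-j": "ACCEPT"}),
    ("filter", "FORWARD", {"--ctstate": "ESTABLISHED,RELATED", "-j": "ACCEPT"}),
]
# Constructed sample of what iptables-save prints once the rules above are loaded.
SAMPLE_OK = """*nat
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
-A FORWARD -s 192.168.56.0/24 -i vboxnet0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse_rules(dump):
    """Yield (table, chain, {option: value}) for each '-A' line; bare flags map to True."""
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]            # '*nat' opens the nat table
        elif line.startswith("-A "):
            tokens, opts = shlex.split(line), {}
            for i, tok in enumerate(tokens):
                if i >= 2 and tok.startswith("-"):
                    nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
                    opts[tok] = nxt if nxt and not nxt.startswith("-") else True
            yield table, tokens[1], opts

def _matches(opts, wanted):
    """True if every wanted option is present; --ctstate compares as a set of states."""
    return all(set(v.split(",")) <= set(str(opts.get(k)).split(",")) if k == "--ctstate"
               else opts.get(k) == v for k, v in wanted.items())

def missing_rules(dump):
    """Return 'table CHAIN options' strings for required rules absent from the dump."""
    rules = list(parse_rules(dump))
    return ["%s %s %s" % (t, c, " ".join("%s %s" % kv for kv in w.items()))
            for t, c, w in REQUIRED
            if not any(rt == t and rc == c and _matches(ro, w) for rt, rc, ro in rules)]

if __name__ == "__main__":              # prints the gaps to stderr and exits 1 if any
    sys.exit("\n".join(missing_rules(sys.stdin.read())) or 0)
```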

Question 5:

2020-12-21 08:58:46,225 [cuckoo] ERROR: The maximum number of open files is low (4096). If you do not increase it, you may run into errors later on.
2020-12-21 08:58:46,225 [cuckoo] ERROR: See also: https://cuckoo.sh/docs/faq/index.html#ioerror-errno-24-too-many-open-files

Solution:

  • Increase the open-files limit

View the current open-files limit: ulimit -n

  1. Modify /etc/systemd/user.conf and /etc/systemd/system.conf, setting
DefaultLimitNOFILE=65535
  2. Modify /etc/security/limits.conf

Add the following two lines (mkasberg is the user name; use the user that runs Cuckoo):

mkasberg hard nofile 65535
mkasberg soft nofile 65535
  3. Restart
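As an added example (not code from this page or from Cuckoo), this Python shows the soft/hard distinction behind the limit Cuckoo complains about: a process can raise its own soft limit only up to the hard limit, which is why the limits.conf and systemd changes above are needed for a real increase. The target value is the page's 65535.

```python
# Added example (not from the page or Cuckoo): inspect and raise the open-files
# limit of the current process, the limit behind the "too many open files" error.
import resource

TARGET_NOFILE = 65535  # the value this page writes to limits.conf and systemd


def raise_nofile_soft_limit(target=TARGET_NOFILE):
    """Raise the soft RLIMIT_NOFILE towards target and report what happened.

    An unprivileged process may raise its soft limit only up to the hard limit;
    a higher hard limit needs the limits.conf / systemd changes above and a new
    login. Returns old_soft, new_soft, hard and whether the target was reached.
    """
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    if hard == resource.RLIM_INFINITY:      # "unlimited" hard limit: any target is allowed
        wanted = target
    else:
        wanted = min(target, hard)          # never ask for more than the hard limit
    if wanted > soft:                       # only ever raise, never lower, the limit
        resource.setrlimit(resource.RLIMIT_NOFILE, (wanted, hard))
    new_soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    return {
        "old_soft": soft,
        "new_soft": new_soft,
        "hard": hard,
        "reached_target": new_soft >= target,
    }


if __name__ == "__main__":
    result = raise_nofile_soft_limit()
    print(result)
    if not result["reached_target"]:
        print("hard limit %d is below %d: raise it via limits.conf and systemd"
              % (result["hard"], TARGET_NOFILE))
```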

Question 6:

2020-12-22 10:32:18,751 [cuckoo.core.resultserver] WARNING: Uploaded file length larger than upload_max_size, stopping upload.

Modify the cuckoo.conf configuration file and raise the default maximum file upload size from 128 MB to 512 MB (536870912 bytes):

[processing]
# Set the maximum size of analyses generated files to process. This is used
# to avoid the processing of big files which may take a lot of processing
# time. The value is expressed in bytes, by default 128 MB.
analysis_size_limit = 536870912

Question 7:

2020-12-22 16:31:25,236 [cuckoo.core.plugins] ERROR: Unable to stop auxiliary module: Sniffer
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/plugins.py", line 164, in stop
    module.stop()
  File "/usr/local/lib/python2.7/dist-packages/cuckoo/auxiliary/sniffer.py", line 156, in stop
    (out, err, faq("permission-denied-for-tcpdump"))
CuckooOperationalError: Error running tcpdump to sniff the network traffic during the analysis; stdout = '' and stderr = 'tcpdump: vboxnet0: That device is not up\n'. Did you enable the extra capabilities to allow running tcpdump as non-root user and disable AppArmor properly (the latter only applies to Ubuntu-based distributions with AppArmor, see also https://cuckoo.sh/docs/faq/index.html#permission-denied-for-tcpdump)?

Solution:

sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

The stderr quoted in the message also reports that vboxnet0 was not up at the time; the setcap command addresses the permission part of the error, so make sure the host-only interface is up as well before starting an analysis.

Question 8:

The following error occurs when starting VirtualBox without an interface:

2021-04-15 21:54:08,824 [cuckoo.core.scheduler] ERROR: Error starting Virtual Machine! VM: Windows7-SP1, error: VBoxManage failed starting the machine in headless mode. Are you sure your machine is still functioning correctly when trying to use it manually? Error: VBoxManage: error: The VM session was aborted
VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component SessionMachine, interface ISession

2021-04-15 21:54:09,438 [cuckoo.core.scheduler] WARNING: Unable to stop machine Windows7-SP1: Trying to stop an already stopped VM: Windows7-SP1
2021-04-15 21:54:09,675 [cuckoo.processing.behavior] WARNING: Analysis results folder does not contain any behavior log files.
2021-04-15 21:54:11,439 [cuckoo.processing.debug] ERROR: Error processing task #2: it appears that the Virtual Machine hasn't been able to contact back to the Cuckoo Host. There could be a few reasons for this, please refer to our documentation on the matter: https://cuckoo.sh/docs/faq/index.html#troubleshooting-vm-network-configuration

Solution:

In Settings >> Display >> Screen >> Uncheck Hardware Acceleration


Restart the VM, run agent.pyw as an administrator, and regenerate a snapshot

Question 9:

The following error occurs when submitting samples in batches through the Cuckoo API:

2021-04-16 11:52:52,854 [cuckoo.core.database] ERROR: Database error counting machines: (sqlite3.OperationalError) database is locked
[SQL: SELECT count(*) AS count_1 
FROM (SELECT machines.rcparams AS machines_rcparams, machines.id AS machines_id, machines.name AS machines_name, machines.label AS machines_label, machines.ip AS machines_ip, machines.platform AS machines_platform, machines.options AS machines_options, machines.interface AS machines_interface, machines.snapshot AS machines_snapshot, machines.locked AS machines_locked, machines.locked_changed_on AS machines_locked_changed_on, machines.status AS machines_status, machines.status_changed_on AS machines_status_changed_on, machines.resultserver_ip AS machines_resultserver_ip, machines.resultserver_port AS machines_resultserver_port 
FROM machines 
WHERE machines.locked = 0) AS anon_1]
(Background on this error at: http://sqlalche.me/e/e3q8)

OperationalError: (sqlite3.OperationalError) database is locked
[SQL: SELECT count(*) AS count_1 
FROM (SELECT machines.rcparams AS machines_rcparams, machines.id AS machines_id, machines.name AS machines_name, machines.label AS machines_label, machines.ip AS machines_ip, machines.platform AS machines_platform, machines.options AS machines_options, machines.interface AS machines_interface, machines.snapshot AS machines_snapshot, machines.locked AS machines_locked, machines.locked_changed_on AS machines_locked_changed_on, machines.status AS machines_status, machines.status_changed_on AS machines_status_changed_on, machines.resultserver_ip AS machines_resultserver_ip, machines.resultserver_port AS machines_resultserver_port 
FROM machines 
WHERE machines.locked = 0) AS anon_1]
(Background on this error at: http://sqlalche.me/e/e3q8)

Solution: change the database from the default SQLite to PostgreSQL

  1. Install the PostgreSQL database
sudo apt-get install postgresql libpq-dev -y
pip install psycopg2
  2. Create the database cuckoo
sudo -u postgres psql
CREATE DATABASE cuckoo;
CREATE USER cuckoo WITH ENCRYPTED PASSWORD 'password';
GRANT ALL PRIVILEGES ON DATABASE cuckoo TO cuckoo;
\q

The password set here is needed later in the cuckoo.conf configuration.

**Note:** Password must be enclosed in single quotes

  3. Edit /etc/postgresql/10/main/pg_hba.conf and add the following line
host all    all     192.168.0.2/32      trust

192.168.0.2 is the IP address of the client (the physical host). Note that the trust method accepts connections from that address without asking for the password; use md5 instead of trust if the password set above should be enforced.

  4. Configure the cuckoo.conf file
[database]
# Do not use the default sqlite, use postgresql
connection = postgresql://cuckoo:password@localhost:5432/cuckoo
