When I submit a binary for Cuckoo analysis, it appears to do nothing. I can ping between the VM and the host OS (Ubuntu 14.04 LTS), and Python 2.7 and PIL are installed on the VM (Windows 7 32-bit). Cuckoo is able to spin up the VM snapshot, but it does not seem to actually send the file. Running curl from the host OS gets a response from agent.py running in the Windows 7 VM. Below is the output I get when running cuckoo.py in debug mode, followed by the output of submit.py:
cuckoo@cuckoo-virtual-machine:~/Downloads/cuckoo$ ./cuckoo.py -d
Cuckoo Sandbox 2.0-rc1
www.cuckoosandbox.org
Copyright (c) 2010-2015
Checking for updates...
Good! You have the latest version available.
2016-05-05 14:18:34,079 [root] DEBUG: Importing modules...
2016-05-05 14:18:34,168 [root] DEBUG: Imported "signatures" modules:
2016-05-05 14:18:34,168 [root] DEBUG: |-- CreatesExe
2016-05-05 14:18:34,168 [root] DEBUG: `-- SystemMetrics
2016-05-05 14:18:34,169 [root] DEBUG: Imported "processing" modules:
2016-05-05 14:18:34,169 [root] DEBUG: |-- AnalysisInfo
2016-05-05 14:18:34,169 [root] DEBUG: |-- ApkInfo
2016-05-05 14:18:34,169 [root] DEBUG: |-- Baseline
2016-05-05 14:18:34,169 [root] DEBUG: |-- BehaviorAnalysis
2016-05-05 14:18:34,169 [root] DEBUG: |-- DroppedBuffer
2016-05-05 14:18:34,169 [root] DEBUG: |-- Debug
2016-05-05 14:18:34,170 [root] DEBUG: |-- Droidmon
2016-05-05 14:18:34,170 [root] DEBUG: |-- Dropped
2016-05-05 14:18:34,170 [root] DEBUG: |-- TLSMasterSecrets
2016-05-05 14:18:34,170 [root] DEBUG: |-- GooglePlay
2016-05-05 14:18:34,170 [root] DEBUG: |-- Memory
2016-05-05 14:18:34,170 [root] DEBUG: |-- NetworkAnalysis
2016-05-05 14:18:34,171 [root] DEBUG: |-- ProcessMemory
2016-05-05 14:18:34,171 [root] DEBUG: |-- Screenshots
2016-05-05 14:18:34,171 [root] DEBUG: |-- Snort
2016-05-05 14:18:34,171 [root] DEBUG: |-- Static
2016-05-05 14:18:34,171 [root] DEBUG: |-- Strings
2016-05-05 14:18:34,171 [root] DEBUG: |-- Suricata
2016-05-05 14:18:34,171 [root] DEBUG: |-- TargetInfo
2016-05-05 14:18:34,171 [root] DEBUG: `-- VirusTotal
2016-05-05 14:18:34,172 [root] DEBUG: Imported "auxiliary" modules:
2016-05-05 14:18:34,172 [root] DEBUG: |-- MITM
2016-05-05 14:18:34,172 [root] DEBUG: |-- Services
2016-05-05 14:18:34,172 [root] DEBUG: `-- Sniffer
2016-05-05 14:18:34,172 [root] DEBUG: Imported "reporting" modules:
2016-05-05 14:18:34,172 [root] DEBUG: |-- JsonDump
2016-05-05 14:18:34,172 [root] DEBUG: |-- Moloch
2016-05-05 14:18:34,173 [root] DEBUG: |-- MongoDB
2016-05-05 14:18:34,173 [root] DEBUG: `-- ReportHTML
2016-05-05 14:18:34,173 [root] DEBUG: Imported "machinery" modules:
2016-05-05 14:18:34,173 [root] DEBUG: `-- VirtualBox
2016-05-05 14:18:34,175 [root] DEBUG: Checking for locked tasks..
2016-05-05 14:18:34,181 [root] DEBUG: Checking for pending service tasks..
2016-05-05 14:18:34,184 [root] DEBUG: Initializing Yara...
2016-05-05 14:18:34,185 [root] DEBUG: |-- index_binaries.yar
2016-05-05 14:18:34,185 [root] DEBUG: `-- index_memory.yar
2016-05-05 14:18:34,190 [lib.cuckoo.core.resultserver] DEBUG: ResultServer running on 192.168.56.1:2042.
2016-05-05 14:18:34,192 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" as machine manager
2016-05-05 14:18:34,266 [modules.machinery.virtualbox] DEBUG: Getting status for Windows_7
2016-05-05 14:18:34,340 [modules.machinery.virtualbox] DEBUG: Machine Windows_7 status poweroff
2016-05-05 14:18:34,358 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2016-05-05 14:18:34,368 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
2016-05-05 14:19:31,411 [lib.cuckoo.core.scheduler] DEBUG: Processing task #1
2016-05-05 14:19:31,413 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE "XXX.exe" (task #1, options "")
2016-05-05 14:19:31,468 [lib.cuckoo.core.scheduler] INFO: Task #1: acquired machine Windows_7 (label=Windows_7)
2016-05-05 14:19:31,469 [lib.cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2016-05-05 14:19:31,523 [modules.machinery.virtualbox] DEBUG: Starting vm Windows_7
2016-05-05 14:19:31,523 [modules.machinery.virtualbox] DEBUG: Getting status for Windows_7
2016-05-05 14:19:31,600 [modules.machinery.virtualbox] DEBUG: Machine Windows_7 status poweroff
2016-05-05 14:19:31,621 [modules.machinery.virtualbox] DEBUG: Using current snapshot for virtual machine Windows_7
2016-05-05 14:19:31,684 [modules.machinery.virtualbox] DEBUG: Getting status for Windows_7
2016-05-05 14:19:31,771 [modules.machinery.virtualbox] DEBUG: Machine Windows_7 status saved
2016-05-05 14:19:34,167 [modules.machinery.virtualbox] DEBUG: Getting status for Windows_7
2016-05-05 14:19:34,289 [modules.machinery.virtualbox] DEBUG: Machine Windows_7 status running
cuckoo@cuckoo-virtual-machine:~/Downloads/cuckoo/utils$ ./submit.py -d /home/cuckoo/Downloads/XXX.exe
Success: File "/home/cuckoo/Downloads/XXX.exe" added as task with ID 1
cuckoo@cuckoo-virtual-machine:~/Downloads/cuckoo/utils$
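To pin down where a run like the one above stalls, here is an added example (not part of the original post or of Cuckoo itself): a small Python checker that parses cuckoo.py -d output and reports the last task-lifecycle stage reached and the first one missing. The sample log is constructed to mirror the shape of the output above; the two guest-side messages ("Starting analysis on guest", "analysis completed successfully") are assumed wording for what Cuckoo 2.0 logs once the host reaches agent.py, and are not shown on this page.

```python
import re

# Constructed sample in the shape of the cuckoo.py -d output above (not a copy of it).
STALLED_LOG = """\
2016-05-05 14:19:31,413 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE "sample.exe" (task #1, options "")
2016-05-05 14:19:31,468 [lib.cuckoo.core.scheduler] INFO: Task #1: acquired machine Windows_7 (label=Windows_7)
2016-05-05 14:19:31,523 [modules.machinery.virtualbox] DEBUG: Starting vm Windows_7
2016-05-05 14:19:34,289 [modules.machinery.virtualbox] DEBUG: Machine Windows_7 status running
"""

# One cuckoo.py log line: "<date> <time,ms> [<module>] <LEVEL>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<module>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$")

# Ordered lifecycle milestones. The first three match messages visible in the log
# above; the last two are ASSUMED wording for the guest-side messages Cuckoo 2.0
# emits once the host talks to agent.py (adjust to your installed version).
STAGES = [
    ("task_started", re.compile(r'Starting analysis of FILE "[^"]+" \(task #\d+')),
    ("machine_acquired", re.compile(r"acquired machine \S+")),
    ("vm_running", re.compile(r"Machine \S+ status running")),
    ("guest_contacted", re.compile(r"Starting analysis on guest")),
    ("analysis_done", re.compile(r"analysis completed successfully")),
]

def parse_lines(text):
    """Yield (timestamp, module, level, message) for each well-formed log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.group("ts"), m.group("module"), m.group("level"), m.group("msg")

def reached_stages(text):
    """Return the lifecycle stages present in the log, in order of first appearance."""
    seen = []
    for _, _, _, msg in parse_lines(text):
        for name, pattern in STAGES:
            if pattern.search(msg) and name not in seen:
                seen.append(name)
    return seen

def diagnose(text):
    """Return (last_stage_reached, first_missing_stage); None for the second
    element means every stage was observed. A stall right after 'vm_running'
    means the VM booted but the host never got as far as the guest agent."""
    seen = reached_stages(text)
    missing = [name for name, _ in STAGES if name not in seen]
    return (seen[-1] if seen else None), (missing[0] if missing else None)

if __name__ == "__main__":
    print(diagnose(STALLED_LOG))  # ('vm_running', 'guest_contacted')
```

Paste the real cuckoo.py -d output into STALLED_LOG (or read it from a file) to see which stage the run stopped at; a stall at the guest_contacted step points at host-to-agent connectivity or agent configuration rather than at the sample itself.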
It may be VM-detecting malware. It detects the virtual machine environment and does not start running. Try submitting it to VirusTotal or another site to see what the results are. You can also increase the analysis time and the upload size; more analysis time will give it more chances.