
When I submit a binary for analysis in Cuckoo, it doesn't seem to do anything. I can ping between the VM and the host OS (Ubuntu 14.04 LTS), and Python 2.7 and PIL are installed on the VM (Windows 7 32-bit). Cuckoo is able to start the VM snapshot, but it doesn't appear to actually send the file. Running curl from the host OS gives me output on the agent.py running in the Windows 7 VM. This is the output I get when running cuckoo.py in debug mode, along with the output of submit.py:

cuckoo@cuckoo-virtual-machine:~/Downloads/cuckoo$ ./cuckoo.py -d

Cuckoo Sandbox 2.0-rc1
www.cuckoosandbox.org
Copyright (c) 2010-2015
Checking for updates...
Good! You have the latest version available.
2016-05-05 14:18:34,079 [root] DEBUG: Importing modules...
2016-05-05 14:18:34,168 [root] DEBUG: Imported "signatures" modules:
2016-05-05 14:18:34,168 [root] DEBUG:    |-- CreatesExe
2016-05-05 14:18:34,168 [root] DEBUG:    `-- SystemMetrics
2016-05-05 14:18:34,169 [root] DEBUG: Imported "processing" modules:
2016-05-05 14:18:34,169 [root] DEBUG:    |-- AnalysisInfo
2016-05-05 14:18:34,169 [root] DEBUG:    |-- ApkInfo
2016-05-05 14:18:34,169 [root] DEBUG:    |-- Baseline
2016-05-05 14:18:34,169 [root] DEBUG:    |-- BehaviorAnalysis
2016-05-05 14:18:34,169 [root] DEBUG:    |-- DroppedBuffer
2016-05-05 14:18:34,169 [root] DEBUG:    |-- Debug
2016-05-05 14:18:34,170 [root] DEBUG:    |-- Droidmon
2016-05-05 14:18:34,170 [root] DEBUG:    |-- Dropped
2016-05-05 14:18:34,170 [root] DEBUG:    |-- TLSMasterSecrets
2016-05-05 14:18:34,170 [root] DEBUG:    |-- GooglePlay
2016-05-05 14:18:34,170 [root] DEBUG:    |-- Memory
2016-05-05 14:18:34,170 [root] DEBUG:    |-- NetworkAnalysis
2016-05-05 14:18:34,171 [root] DEBUG:    |-- ProcessMemory
2016-05-05 14:18:34,171 [root] DEBUG:    |-- Screenshots
2016-05-05 14:18:34,171 [root] DEBUG:    |-- Snort
2016-05-05 14:18:34,171 [root] DEBUG:    |-- Static
2016-05-05 14:18:34,171 [root] DEBUG:    |-- Strings
2016-05-05 14:18:34,171 [root] DEBUG:    |-- Suricata
2016-05-05 14:18:34,171 [root] DEBUG:    |-- TargetInfo
2016-05-05 14:18:34,171 [root] DEBUG:    `-- VirusTotal
2016-05-05 14:18:34,172 [root] DEBUG: Imported "auxiliary" modules:
2016-05-05 14:18:34,172 [root] DEBUG:    |-- MITM
2016-05-05 14:18:34,172 [root] DEBUG:    |-- Services
2016-05-05 14:18:34,172 [root] DEBUG:    `-- Sniffer
2016-05-05 14:18:34,172 [root] DEBUG: Imported "reporting" modules:
2016-05-05 14:18:34,172 [root] DEBUG:    |-- JsonDump
2016-05-05 14:18:34,172 [root] DEBUG:    |-- Moloch
2016-05-05 14:18:34,173 [root] DEBUG:    |-- MongoDB
2016-05-05 14:18:34,173 [root] DEBUG:    `-- ReportHTML
2016-05-05 14:18:34,173 [root] DEBUG: Imported "machinery" modules:
2016-05-05 14:18:34,173 [root] DEBUG:    `-- VirtualBox
2016-05-05 14:18:34,175 [root] DEBUG: Checking for locked tasks..
2016-05-05 14:18:34,181 [root] DEBUG: Checking for pending service tasks..
2016-05-05 14:18:34,184 [root] DEBUG: Initializing Yara...
2016-05-05 14:18:34,185 [root] DEBUG:    |-- index_binaries.yar
2016-05-05 14:18:34,185 [root] DEBUG:    `-- index_memory.yar
2016-05-05 14:18:34,190 [lib.cuckoo.core.resultserver] DEBUG: ResultServer running on 192.168.56.1:2042.
2016-05-05 14:18:34,192 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" as machine manager
2016-05-05 14:18:34,266 [modules.machinery.virtualbox] DEBUG: Getting status for Windows_7
2016-05-05 14:18:34,340 [modules.machinery.virtualbox] DEBUG: Machine Windows_7 status poweroff
2016-05-05 14:18:34,358 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2016-05-05 14:18:34,368 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
2016-05-05 14:19:31,411 [lib.cuckoo.core.scheduler] DEBUG: Processing task #1
2016-05-05 14:19:31,413 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE "XXX.exe" (task #1, options "")
2016-05-05 14:19:31,468 [lib.cuckoo.core.scheduler] INFO: Task #1: acquired machine Windows_7 (label=Windows_7)
2016-05-05 14:19:31,469 [lib.cuckoo.core.plugins] DEBUG: Started auxiliary module: Sniffer
2016-05-05 14:19:31,523 [modules.machinery.virtualbox] DEBUG: Starting vm Windows_7
2016-05-05 14:19:31,523 [modules.machinery.virtualbox] DEBUG: Getting status for Windows_7
2016-05-05 14:19:31,600 [modules.machinery.virtualbox] DEBUG: Machine Windows_7 status poweroff
2016-05-05 14:19:31,621 [modules.machinery.virtualbox] DEBUG: Using current snapshot for virtual machine Windows_7
2016-05-05 14:19:31,684 [modules.machinery.virtualbox] DEBUG: Getting status for Windows_7
2016-05-05 14:19:31,771 [modules.machinery.virtualbox] DEBUG: Machine Windows_7 status saved
2016-05-05 14:19:34,167 [modules.machinery.virtualbox] DEBUG: Getting status for Windows_7
2016-05-05 14:19:34,289 [modules.machinery.virtualbox] DEBUG: Machine Windows_7 status running


cuckoo@cuckoo-virtual-machine:~/Downloads/cuckoo/utils$ ./submit.py -d /home/cuckoo/Downloads/XXX.exe
Success: File "/home/cuckoo/Downloads/XXX.exe" added as task with ID 1
cuckoo@cuckoo-virtual-machine:~/Downloads/cuckoo/utils$
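As an added troubleshooting aid (not part of the original question or of Cuckoo itself), the script below parses the `cuckoo.py -d` output quoted above and reports how far task startup got: whether a task was picked up, which VM states were seen, and whether any line from the guest-side logger appeared after the VM reached `running`. It assumes that a healthy run logs guest contact under a logger name ending in `.guest` (Cuckoo's `lib.cuckoo.core.guest`); the sample log is constructed from the lines in the question.

```python
import re

# Constructed sample: the tail of the `cuckoo.py -d` output quoted in the question.
SAMPLE_LOG = """\
2016-05-05 14:18:34,190 [lib.cuckoo.core.resultserver] DEBUG: ResultServer running on 192.168.56.1:2042.
2016-05-05 14:18:34,368 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.
2016-05-05 14:19:31,413 [lib.cuckoo.core.scheduler] INFO: Starting analysis of FILE "XXX.exe" (task #1, options "")
2016-05-05 14:19:31,468 [lib.cuckoo.core.scheduler] INFO: Task #1: acquired machine Windows_7 (label=Windows_7)
2016-05-05 14:19:31,600 [modules.machinery.virtualbox] DEBUG: Machine Windows_7 status poweroff
2016-05-05 14:19:31,771 [modules.machinery.virtualbox] DEBUG: Machine Windows_7 status saved
2016-05-05 14:19:34,289 [modules.machinery.virtualbox] DEBUG: Machine Windows_7 status running
"""

LINE_RE = re.compile(r"^(\S+ \S+) \[([^\]]+)\] (\w+): (.*)$")
TASK_RE = re.compile(r'Starting analysis of FILE "([^"]+)" \(task #(\d+)')
STATE_RE = re.compile(r"Machine (\S+) status (\w+)")

def triage(log_text):
    """Summarise how far a Cuckoo task got: task id, VM state transitions and
    whether a guest-logger line (assumed: lib.cuckoo.core.guest) appeared
    after the VM reached 'running'."""
    info = {"task": None, "file": None, "resultserver": None,
            "vm": None, "states": [], "guest_reached": False}
    running_seen = False
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompt lines, banners and blank lines are not log records
        _ts, logger, _level, msg = m.groups()
        t = TASK_RE.search(msg)
        if t:
            info["file"], info["task"] = t.group(1), int(t.group(2))
        r = re.search(r"ResultServer running on (\S+)\.", msg)
        if r:
            info["resultserver"] = r.group(1)
        s = STATE_RE.search(msg)
        if s:
            info["vm"], state = s.group(1), s.group(2)
            info["states"].append(state)
            running_seen = running_seen or state == "running"
        if running_seen and logger.endswith(".guest"):
            info["guest_reached"] = True
    if info["task"] is None:
        info["verdict"] = "no task was ever picked up by the scheduler"
    elif not info["guest_reached"]:
        info["verdict"] = ("stalled after VM start: no guest-agent contact logged; "
                           "check the guest IP in virtualbox.conf, the resultserver "
                           "address, and that agent.py is listening in the snapshot")
    else:
        info["verdict"] = "guest reached"
    return info

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```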

1 Answer


It may be VM-detecting malware. It detects the virtual machine environment and doesn't start running. Try submitting it to VirusTotal or another site and see what the results are. You can also increase the analysis time and the upload size; more analysis time gives Cuckoo more of a chance.

Answered 2016-06-06T20:15:45.840