
URL Analysis Problem about cape HOT 15 CLOSED

ctxis avatar ctxis commented on July 19, 2024
URL Analysis Problem

from cape.

Comments (15)

kevoreilly avatar kevoreilly commented on July 19, 2024

I would say the first thing to check is that the URLs are launched in a browser package, whether this be for IE, Firefox or Chrome. You should then verify that the behavioural analysis has occurred in the resulting output, with API calls from the browser process appearing. If not, this can perhaps be diagnosed by looking in the analysis log.


kevoreilly avatar kevoreilly commented on July 19, 2024

Also, if these links are in any way dodgy it's probably best not to paste them directly into comments as anyone could click on them outside of a sandbox and end up in trouble.


seantree avatar seantree commented on July 19, 2024

Hi @kevoreilly, these links are launching in a browser; when the page is accessed by the browser in the sandbox it doesn't click on the buttons, and all the above links are like this. It needs human interaction to click on the button each time. All these links contain addons which need human interaction, and yeah, I forgot to edit these links. Kindly throw these links in your sandbox and you will understand what is happening right now.


kevoreilly avatar kevoreilly commented on July 19, 2024

Have you had any luck getting the analysis working?


seantree avatar seantree commented on July 19, 2024

No, not yet; that's why I gave these links, so that you can check and help.


kevoreilly avatar kevoreilly commented on July 19, 2024

Did you see my points about checking the package, behavioural analysis output, analysis log, etc.?


seantree avatar seantree commented on July 19, 2024

Yes, I checked all the points before.


kevoreilly avatar kevoreilly commented on July 19, 2024

I was hoping for some more information from these sources in order to try and help diagnose what is going on.


seantree avatar seantree commented on July 19, 2024

I tried a few things manually. Each link contains buttons and most of the buttons contain JavaScript code, so I think that's why the sandbox is not able to click on these buttons: in file analysis they look for some button text like "next, install, close etc.", which worked properly. But in the URL part the buttons are not clicked by the sandbox because they contain JavaScript code, and I think the sandbox needs to add some extra functionality for handling this kind of behaviour.

Second thing: if we throw in a link which contains an exe in the URL (e.g. the CCleaner setup: hxxps://s3-us-west-2.amazonaws.com/filehippo-assets/installers/ccsetup540pro_fh.exe), then it works. It will download the setup and run it successfully, because this URL contains the direct link and pops up the window with the options run, save and cancel; in that case the sandbox will handle this part and execute the binary.


kevoreilly avatar kevoreilly commented on July 19, 2024

Aha! This sounds like a limitation in the automated interaction which is governed by the 'human' auxiliary module: analyzer/windows/modules/auxiliary/human.py

This module contains, among other things, lists of buttons to click or not to click. Perhaps with an appropriate addition here you will succeed in automating the clicking of the right box to trigger the download you are after.


seantree avatar seantree commented on July 19, 2024

I know about this file and I tried it also, but for web pages it is not working.


kevoreilly avatar kevoreilly commented on July 19, 2024

This is a question then of automated web/browser interaction, which is beyond the scope of what I think was intended with the human auxiliary module. Nonetheless it may be possible to add to this module or create another one for this purpose, perhaps taking inspiration from projects like Splinter (https://github.com/cobrateam/splinter) which let you automate browser actions, such as interacting with web pages.

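An added illustration, not code from CAPE or from anyone in this thread: the "buttons to click / not to click" label matching discussed above, applied to HTML elements rather than installer dialogs. The label lists, the sample page and the names `ClickableFinder` and `click_candidates` are assumptions; actually triggering the chosen elements, especially those with JavaScript handlers, would still need a browser-automation driver such as Splinter.

```python
import re
from html.parser import HTMLParser

# Assumed label lists for illustration; not copied from CAPE's human.py.
CLICK = {"download", "install", "next", "run", "accept", "continue"}
DONT_CLICK = {"cancel", "close", "decline", "don't", "no"}

class ClickableFinder(HTMLParser):
    """Collect (tag, label, has_js) for elements a user could click."""
    def __init__(self):
        super().__init__()
        self.found = []
        self._open = None  # [tag, text_parts, has_js] while inside <a>/<button>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        href = (a.get("href") or "").lower()
        # JavaScript-driven elements are the ones the thread says go unclicked.
        has_js = "onclick" in a or href.startswith("javascript:")
        if tag == "input" and (a.get("type") or "").lower() in ("button", "submit"):
            self.found.append((tag, a.get("value") or "", has_js))
        elif tag in ("a", "button") and self._open is None:
            self._open = [tag, [], has_js]

    def handle_data(self, data):
        if self._open:
            self._open[1].append(data)

    def handle_endtag(self, tag):
        if self._open and tag == self._open[0]:
            label = " ".join("".join(self._open[1]).split())
            self.found.append((tag, label, self._open[2]))
            self._open = None

def click_candidates(html):
    """Return elements whose label matches CLICK and avoids DONT_CLICK."""
    finder = ClickableFinder()
    finder.feed(html)
    picks = []
    for tag, label, has_js in finder.found:
        words = set(re.findall(r"[a-z']+", label.lower()))
        if words & CLICK and not words & DONT_CLICK:
            picks.append((tag, label, has_js))
    return picks

# Constructed sample page (not one of the URLs from the thread).
SAMPLE = """
<a href="/about">About us</a>
<button onclick="startDownload()">Download now</button>
<a href="javascript:void(0)" onclick="go()">Install add-on</a>
<input type="submit" value="Cancel">
<button>Don't run</button>
<input type="button" value="Next" onclick="step(2)">
"""
```

`click_candidates(SAMPLE)` selects the "Download now", "Install add-on" and "Next" elements, each flagged as JavaScript-driven, and skips "Cancel" and "Don't run".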

seantree avatar seantree commented on July 19, 2024

I hope that someone implements it in cuckoo; I will try to suggest it to them.


doomedraven avatar doomedraven commented on July 19, 2024

I'm sure there are many more priorities, but you can always PR a working PoC to speed up integration :)


kevoreilly avatar kevoreilly commented on July 19, 2024

Closing this now - it's more of a feature request than an issue - maybe someone down the line will contribute automated browser interaction.
