
Process Memory Dumps (cape issue, closed, 13 comments)

ctxis commented on July 19, 2024

Process Memory Dumps

Comments (13)

kevoreilly commented on July 19, 2024

I think that I should make the older memory dumps available by a config option and/or a checkbox on the submissions page. Would this help solve your issue?

The idea behind replacing these was that a process dump and possible behavioural package (e.g. Extraction) should cover code in the main image and newly created code regions elsewhere, but obviously this does not account for all data. Were a region of data to be found that is interesting to a given malware family, I would then create a specific package, but ultimately since I could allow both memory dump options to exist simultaneously I will look at making this configurable.

Thanks for the input.


enzok commented on July 19, 2024

Yes, I think a checkbox on the submission page would be ideal. I still have users that rely on the old memory dumps and strings extraction. I will look at duplicating the results using behavioral packages as you mentioned in the meantime.

I'm not sure why, but I've noticed that a number of my samples aren't capturing any process dumps. I'd like to troubleshoot why it's happening. Thoughts?


kevoreilly commented on July 19, 2024

No worries, I will look at getting that option enabled. If you know of or come across a scenario/samples where valuable data is being missed by the process dump and no packages are triggered, please let me know. I can look at whether a new package could be created to cater for this scenario and dump the region in question.

As far as failure to capture dumps, maybe this is a bug. Please share the hashes with me if you can, and I will look into it.


enzok commented on July 19, 2024

5968828f2bb2afa620dfc418a6aa9c6c540a930edd5fbe717c7e2257149da460 this sample, on VT, has a single process, however, there's no procdump generated.


kevoreilly commented on July 19, 2024

Hmm, process dumps seem to be working for me. Check https://cape.contextis.com/analysis/620/ to see what should happen. Perhaps the analysis log from your failure would let me diagnose the problem?


enzok commented on July 19, 2024

2017-06-08 01:09:19,937 [lib.api.process] INFO: Successfully executed process from path "C:\Users\carlos\AppData\Local\Temp\cdf4fcfcc984400c780d04adae438aa3.exe" with arguments "" with pid 2524
2017-06-08 01:09:19,937 [lib.api.process] DEBUG: No DLL has been specified for injection
2017-06-08 01:09:19,937 [lib.api.process] INFO: DLL to inject is dll\xvlomnh.dll
2017-06-08 01:09:19,937 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-06-08 01:09:20,000 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2524
2017-06-08 01:09:22,000 [lib.api.process] INFO: Successfully resumed process with pid 2524
2017-06-08 01:09:22,000 [root] INFO: Added new process to list with pid: 2524
2017-06-08 01:09:22,187 [root] DEBUG: CAPE initialised (32-bit).
2017-06-08 01:09:22,187 [root] INFO: Cuckoomon successfully loaded in process with pid 2524.
2017-06-08 01:09:22,953 [root] INFO: Disabling sleep skipping.
2017-06-08 01:09:27,467 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2017-06-08 01:09:28,500 [root] INFO: Notified of termination of process with pid 2524.
2017-06-08 01:09:29,125 [root] INFO: Process with pid 2524 has terminated
2017-06-08 01:09:43,125 [root] INFO: Process list is empty, terminating analysis.
2017-06-08 01:09:44,125 [root] INFO: Created shutdown mutex.
2017-06-08 01:09:45,125 [root] INFO: Shutting down package.
2017-06-08 01:09:45,125 [root] INFO: Stopping auxiliary modules.
2017-06-08 01:09:45,125 [root] INFO: Terminating remaining processes before shutdown.
2017-06-08 01:09:45,125 [root] INFO: Finishing auxiliary modules.
2017-06-08 01:09:45,125 [root] INFO: Shutting down pipe server and dumping dropped files.
2017-06-08 01:09:45,125 [root] INFO: Analysis completed.

How do I enable CAPE debug statements?


enzok commented on July 19, 2024

I should note I'm using KVM for my virtual machines; I don't think that should matter.


kevoreilly commented on July 19, 2024

Hmm I think somehow the option isn't enabled. There is a line missing from your log:

2017-06-08 12:44:07,072 [root] INFO: Added new process to list with pid: 1676
2017-06-08 12:44:07,104 [root] DEBUG: Process memory dumps enabled. <-**** this is missing
2017-06-08 12:44:07,151 [root] DEBUG: CAPE initialised (32-bit).

Maybe it's a config option that's missing from your merge. Let me check this.


enzok commented on July 19, 2024

It does work sometimes, just not always like this instance.


kevoreilly commented on July 19, 2024

Hmm that is odd. There should be a line either way. It should say "Process memory dumps disabled" if that option is not set. I wonder if the fact that the process crashes has something to do with it. The line "INFO: Found button "Close the program", clicking it" shows that the process crashes, although in my case it still seems able to get the dump before exiting.

It looks like a .NET sample so perhaps the variation is due to the state of the .NET runtime in our respective VMs...

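The diagnosis kevoreilly walks through above (is the "Process memory dumps enabled/disabled" line present, and did the target crash behind a "Close the program" dialog) can be scripted over an analysis log. The following is an added example, not code from the CAPE project; the function name and the constructed sample log (shaped like the excerpts in this thread) are assumptions.

```python
import re

# Constructed sample log: lines shaped like the CAPE analysis.log excerpts in this thread.
SAMPLE_LOG = """\
2017-06-08 01:09:20,000 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2524
2017-06-08 01:09:22,000 [root] INFO: Added new process to list with pid: 2524
2017-06-08 01:09:22,187 [root] DEBUG: CAPE initialised (32-bit).
2017-06-08 01:09:27,467 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2017-06-08 01:09:29,125 [root] INFO: Process with pid 2524 has terminated
2017-06-08 01:09:45,125 [root] INFO: Analysis completed.
"""

# "<date> <time> [<source>] <LEVEL>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<src>[^\]]+)\] (?P<lvl>\w+): (?P<msg>.*)$")


def triage_procdump(log_text: str) -> dict:
    """Summarise why a CAPE run may have produced no process dump (hypothetical helper).

    Checks for the procmemory status line that should appear either way,
    the human-module crash-dialog indicator, and which pids were added and
    later terminated.
    """
    result = {"procdump": "missing", "crashed": False, "added": [], "terminated": [], "findings": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # ignore lines that are not in the standard log format
        msg = m.group("msg")
        if msg.startswith("Process memory dumps enabled"):
            result["procdump"] = "enabled"
        elif msg.startswith("Process memory dumps disabled"):
            result["procdump"] = "disabled"
        elif 'Found button "Close the program"' in msg:
            result["crashed"] = True
        elif (pm := re.search(r"Added new process to list with pid: (\d+)", msg)):
            result["added"].append(int(pm.group(1)))
        elif (pm := re.search(r"Process with pid (\d+) has terminated", msg)):
            result["terminated"].append(int(pm.group(1)))
    if result["procdump"] == "missing":
        result["findings"].append("no 'Process memory dumps enabled/disabled' line: option never reached the monitor")
    elif result["procdump"] == "disabled":
        result["findings"].append("process memory dumps explicitly disabled for this run")
    if result["crashed"]:
        result["findings"].append("target crashed (error dialog dismissed); dump may race process exit")
    return result
```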

enzok commented on July 19, 2024

That could very well be. I think my VMs need some polishing.


kevoreilly commented on July 19, 2024

I have re-enabled the possibility of the old style memory dumps, although disabled it in the processing.conf by setting [procmemory] enabled = no. If you enable this option, that checkbox should reappear on the submission page allowing these dumps to be made.

Let me know if this solved your problem.


enzok commented on July 19, 2024

Thanks. This worked great.

