Describe the bug
I got this error after some analysis:
May 20 23:51:38 malawi drak-postprocess[621]: b'{"Plugin":"sysret","TimeStamp":"1716241755.143929","PID":3120,"PPID":1720,"TID":2976,"UserName":"SessionID","UserId":0,"ProcessName":"\\\\Device\\\\HarddiskVolume2\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\mscorsvw.exe","Method":"09\xaa\xbd,V","EventUID":"0x48910e","Module":"win32k","vCPU":0,"CR3":"0x18fb8000","Syscall":632,"Ret":1,"Info":"STATUS_WAIT_1"}\n'
May 20 23:51:38 malawi drak-postprocess[621]: Traceback (most recent call last):
May 20 23:51:38 malawi drak-postprocess[621]:   File "/opt/venvs/drakcore/lib/python3.8/site-packages/drakcore/postprocess/drakparse.py", line 205, in parse_logs
May 20 23:51:38 malawi drak-postprocess[621]:     line_obj = json.loads(line, strict=False)
May 20 23:51:38 malawi drak-postprocess[621]:   File "/usr/lib/python3.8/json/__init__.py", line 343, in loads
May 20 23:51:38 malawi drak-postprocess[621]:     s = s.decode(detect_encoding(s), 'surrogatepass')
May 20 23:51:38 malawi drak-postprocess[621]: UnicodeDecodeError: 'utf-8' codec can't decode byte 0xaa in position 236: invalid start byte
How to reproduce
Submit a file to the sandbox.
Hi! It seems that drak-postprocess doesn't like that part: "Method":"09\xaa\xbd,V"
I see that it shouldn't affect the rest of log processing, because drak-postprocess will just omit this line as a part of exception handling (https://github.com/CERT-Polska/drakvuf-sandbox/blob/master/drakcore/drakcore/postprocess/drakparse.py#L205).
Is it a real, obfuscated method name in that .NET malware?
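To show what the traceback in the report is actually complaining about, and what the exception handling the maintainer points to ends up dropping, here is an added Python example. It is not code from the drakvuf-sandbox project; the log line is a shortened, constructed version of the one in the report, and the parse_strict, parse_lossless, recover_method_bytes and parse_logs names are my own. It reproduces the strict decode failure that json.loads raises on raw bytes containing 0xaa, then decodes with surrogateescape so the record is kept and the original bytes of the Method field can still be recovered for inspection:

```python
import json

# Constructed sample: a drakvuf sysret log line as bytes. The "Method" field
# carries non-UTF-8 bytes (0xaa, 0xbd), as in the reported line.
SAMPLE_LINE = (
    b'{"Plugin":"sysret","TimeStamp":"1716241755.143929","PID":3120,'
    b'"Method":"09\xaa\xbd,V","Syscall":632,"Ret":1,"Info":"STATUS_WAIT_1"}\n'
)


def parse_strict(line: bytes) -> dict:
    """Parse the way the reported traceback does: json.loads on raw bytes.

    json.loads(bytes) first decodes with the detected encoding (UTF-8 here),
    and 'surrogatepass' does not tolerate an invalid start byte, so this
    raises UnicodeDecodeError for SAMPLE_LINE.
    """
    return json.loads(line, strict=False)


def parse_lossless(line: bytes) -> dict:
    """Decode first with 'surrogateescape', then parse.

    Undecodable bytes become lone surrogates (U+DCAA, U+DCBD); the JSON
    structure still parses, and the surrogates round-trip back to the
    original bytes (see recover_method_bytes).
    """
    text = line.decode("utf-8", errors="surrogateescape")
    return json.loads(text, strict=False)


def recover_method_bytes(record: dict) -> bytes:
    """Turn a surrogate-escaped Method string back into the bytes observed in the VM."""
    return record["Method"].encode("utf-8", errors="surrogateescape")


def parse_logs(lines):
    """Loop in the spirit of the linked parse_logs: skip a line that fails
    to decode or parse instead of aborting, and count how many were skipped
    so the loss is visible in the output rather than silent."""
    parsed, skipped = [], 0
    for line in lines:
        try:
            parsed.append(parse_strict(line))
        except (UnicodeDecodeError, json.JSONDecodeError):
            skipped += 1
    return parsed, skipped


if __name__ == "__main__":
    record = parse_lossless(SAMPLE_LINE)
    print("Syscall:", record["Syscall"])
    print("Method bytes:", recover_method_bytes(record))
    ok, dropped = parse_logs([SAMPLE_LINE, b'{"Plugin":"sysret","Syscall":1}\n'])
    print("parsed:", len(ok), "skipped:", dropped)
```

Decoding with errors="replace" would also make the line parse, but it substitutes U+FFFD and loses the bytes; surrogateescape keeps them, at the cost that anything re-encoding the Method string as strict UTF-8 later (json.dumps is fine, it escapes the surrogates as \udcaa) must use the same error handler.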