Cuckoo file submission Analyzer error #177

Closed
geekscrapy opened this issue Feb 2, 2018 · 10 comments
Labels
category:bug Issue is related to a bug scope:analyzer Issue is analyzer related

Comments

@geekscrapy

Request Type

Bug / Analyzer

Work Environment


OS version (server): CentOS 7 (Running Cortex in Docker)
OS version (client): NA
Cortex Analyzer Name: CuckooSandbox_File_Analysis_Inet_1_0
Cortex Analyzer Version: 1.0
Cortex Version: 1.1.4

Docker version
Client:
Version: 17.12.0-ce
API version: 1.35
Go version: go1.9.2
Git commit: c97c6d6
Built: Wed Dec 27 20:10:14 2017
OS/Arch: linux/amd64

Server:
Engine:
Version: 17.12.0-ce
API version: 1.35 (minimum version 1.12)
Go version: go1.9.2
Git commit: c97c6d6
Built: Wed Dec 27 20:12:46 2017
OS/Arch: linux/amd64
Experimental: false

Description

Trying to utilise the Cuckoo file submission Analyzer. Setup is pretty basic; however, the sandbox I am trying to connect to is a fork of Cuckoo (https://github.com/ctxis/CAPE). This is served over HTTPS.

The following error is given upon submission:

[info] s.ExternalAnalyzerSrv - Execute sh -c "./cuckoosandbox_analyzer.py"  in CuckooSandbox
Exception in thread "Thread-8" java.io.IOException: Broken pipe
	at java.io.FileOutputStream.writeBytes(Native Method)
	at java.io.FileOutputStream.write(FileOutputStream.java:326)
	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
	at java.io.FilterOutputStream.close(FilterOutputStream.java:158)
	at services.ExternalAnalyzerSrv$$anonfun$analyze$1$$anonfun$apply$11.apply(ExternalAnalyzerSrv.scala:91)
	at services.ExternalAnalyzerSrv$$anonfun$analyze$1$$anonfun$apply$11.apply(ExternalAnalyzerSrv.scala:89)
	at scala.sys.process.ProcessBuilderImpl$Simple$$anonfun$2.apply$mcV$sp(ProcessBuilderImpl.scala:73)
	at scala.sys.process.ProcessImpl$Spawn$$anon$1.run(ProcessImpl.scala:23)

Steps to Reproduce

Submit a file via the Cortex web gui

@garanews
Contributor

garanews commented Feb 5, 2018

The analyzer speaks with cuckoo API:
http://docs.cuckoosandbox.org/en/latest/usage/api/
Are you trying to connect to capex online version? That one doesn't expose the API.

@geekscrapy
Author

No, an internal hosted one.

CAPE is a fork of Cuckoo and I believe the API functionality has not been changed much so should work out of the box with the Cuckoo analyzer.

However, I don't believe the issue is with the API but with the analyzer, because I didn't see a network connection between Cortex and CAPE. The error seems to occur when passing the file from Cortex to the Python analyzer, hence the Java error above.

@garanews
Contributor

garanews commented Feb 5, 2018

from cortex side machine, are you able to submit something manually with api?
curl -F file=@/home/cuckoo/xxx.exe http://localhost:8001/tasks/create/file
curl -F url="http://www.malicious.site" http://localhost:8001/tasks/create/url

What about permission of cuckoosandbox_analyzer.py ? does it have x for execution?

@saadkadhi saadkadhi added scope:analyzer Issue is analyzer related category:bug Issue is related to a bug labels Feb 6, 2018
@garanews
Contributor

garanews commented Feb 7, 2018

What is the filetype you're trying? What's the size? Did you try with other files?

@geekscrapy
Author

Curl tests aside, I've been trying with executable files of around 1/2mb. Not tried with other files, since they are the only types of files I'll be submitting.

Testing the curl command and permissions later today

@3c7
Contributor

3c7 commented Apr 6, 2018

How's the progress on this? Does the error persist?

@geekscrapy
Author

geekscrapy commented Apr 12, 2018

For completeness, I am now testing in the following environment (Cortex > About):

Cortex:2.0.3
Elastic4Play:1.5.0
Play:2.6.12
Elastic4s:5.6.0
ElasticSearch client:5.6.2
ElasticSearch cluster:5.6.0

With the analyser configured I get the following error:

Invalid output
sh: 1: CuckooSandbox/cuckoosandbox_analyzer.py: Permission denied

I've taken a look at this a little further and it appears that execution permissions are not given to cuckoosandbox_analyzer.py

daemon@e13d4e834b49:/opt/Cortex-Analyzers/analyzers/CuckooSandbox$ ls -l
-rw-r--r-- 1 root root 542 Apr 9 15:34 CuckooSandbox_File_Analysis.json
-rw-r--r-- 1 root root 514 Apr 9 15:34 CuckooSandbox_Url_Analysis.json
-rw-r--r-- 1 root root 6800 Apr 9 15:34 cuckoosandbox_analyzer.py
-rw-r--r-- 1 root root 21 Apr 9 15:34 requirements.txt

Once I provide it x perms:

daemon@e13d4e834b49:/opt/Cortex-Analyzers/analyzers/CuckooSandbox$ ls /opt/Cortex-Analyzers/analyzers/CuckooSandbox
total 20
-rw-r--r-- 1 root root 542 Apr 9 15:34 CuckooSandbox_File_Analysis.json
-rw-r--r-- 1 root root 514 Apr 9 15:34 CuckooSandbox_Url_Analysis.json
-rwxr-xr-x 1 root root 6800 Apr 9 15:34 cuckoosandbox_analyzer.py
-rw-r--r-- 1 root root 21 Apr 9 15:34 requirements.txt

I then get the following error:

Invalid output
Traceback (most recent call last):
File "CuckooSandbox/cuckoosandbox_analyzer.py", line 4, in
from cortexutils.analyzer import Analyzer
ImportError: No module named cortexutils.analyzer
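
The two failures in the comment above (an analyzer script without the execute bit, then a `cortexutils.analyzer` import that cannot be resolved) are both detectable before Cortex ever spawns the analyzer, and the earlier Java "Broken pipe" is consistent with Cortex writing the job input to an analyzer process that had already exited. The following pre-flight check is an added example for this thread, not code from Cortex or Cortex-Analyzers. It assumes Cortex invokes the script as `sh -c "./<script>"` (as the first log line shows), maps the `cortexutils` distribution to the `cortexutils.analyzer` import seen in the traceback, and exercises itself on a constructed temporary directory with made-up module names.

```python
"""Pre-flight check for a Cortex external analyzer directory (added example).

Reports the two failure modes seen in this issue before Cortex spawns the
analyzer: a script without the execute bit, and a requirements.txt whose
modules are not importable by the interpreter that will run the script.
"""
import importlib.util
import os
import re
import stat
import tempfile

# Assumption: distribution name -> import name for packages whose names differ.
# "cortexutils" -> "cortexutils.analyzer" follows the import in the traceback.
DEFAULT_MODULE_FOR = {"cortexutils": "cortexutils.analyzer"}


def parse_requirements(text):
    """Return bare distribution names from requirements.txt content,
    dropping comments, blank lines, option lines and version specifiers."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = re.match(r"[A-Za-z0-9_.\-]+", line)
        if match:
            names.append(match.group(0))
    return names


def module_available(name):
    """True if `name` can be located by the current interpreter.
    find_spec() raises for a dotted name whose parent package is absent,
    which is exactly the 'No module named cortexutils.analyzer' case."""
    try:
        return importlib.util.find_spec(name) is not None
    except (ImportError, ValueError):
        return False


def check_analyzer(analyzer_dir, script_name, module_for=None):
    """Inspect one analyzer directory and return a dict of findings."""
    module_for = DEFAULT_MODULE_FOR if module_for is None else module_for
    script = os.path.join(analyzer_dir, script_name)
    findings = {
        "exists": os.path.isfile(script),
        "executable": False,
        "has_shebang": False,
        "missing_modules": [],
    }
    if findings["exists"]:
        # Cortex runs `sh -c "./<script>"`, so the file itself must be executable
        findings["executable"] = os.access(script, os.X_OK)
        with open(script, "rb") as fh:
            findings["has_shebang"] = fh.read(2) == b"#!"
    requirements = os.path.join(analyzer_dir, "requirements.txt")
    if os.path.isfile(requirements):
        with open(requirements, encoding="utf-8") as fh:
            for dist in parse_requirements(fh.read()):
                module = module_for.get(dist, dist.replace("-", "_"))
                if not module_available(module):
                    findings["missing_modules"].append(dist)
    findings["ok"] = (
        findings["exists"]
        and findings["executable"]
        and findings["has_shebang"]
        and not findings["missing_modules"]
    )
    return findings


def demo():
    """Constructed fixture: reproduce the 'Permission denied' state, fix the
    mode bits, and show the remaining missing-module finding. Returns the
    findings before and after chmod +x."""
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "example_analyzer.py")  # constructed name
        with open(script, "w", encoding="utf-8") as fh:
            fh.write("#!/usr/bin/env python3\nprint('hello')\n")
        os.chmod(script, 0o644)  # -rw-r--r--, as in the ls -l output above
        with open(os.path.join(tmp, "requirements.txt"), "w", encoding="utf-8") as fh:
            # 'json' is importable everywhere; the second name is made up
            fh.write("json\nconstructed_missing_pkg==1.0  # constructed\n")
        before = check_analyzer(tmp, "example_analyzer.py")
        mode = os.stat(script).st_mode
        os.chmod(script, mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
        after = check_analyzer(tmp, "example_analyzer.py")
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before chmod +x", "after chmod +x"), demo()):
        print(label, result)
```

Run it against a real analyzer directory with `check_analyzer("/opt/Cortex-Analyzers/analyzers/CuckooSandbox", "cuckoosandbox_analyzer.py")` using the same interpreter Cortex will use; a `missing_modules` entry points at the `pip install -r requirements.txt` step, and `executable: False` at the mode bits, which is the order in which they surfaced in this issue.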

@geekscrapy
Author

Potentially related:
TheHive-Project/CortexDocs#11
TheHive-Project/Cortex#55

@geekscrapy
Author

geekscrapy commented Apr 12, 2018

The following potentially solves the issue (in my scenario - however this still needs to be addressed in the main dist of docker):

root@e13d4e834b49:/opt/Cortex-Analyzers/analyzers/CuckooSandbox# pip install -r requirements.txt

Now I just have an SSL CERTIFICATE_VERIFY_FAILED error, but I doubt that is a problem with the analyzer.

@geekscrapy
Author

I believe this can be closed as the requirements.txt install fixed it
