
Calc / Notepad detonation fail #547

Closed
gcmoreira opened this issue Jul 28, 2021 · 3 comments

Comments

@gcmoreira

Prerequisites

Please answer the following questions for yourself before submitting an issue.

  • I am running the latest version
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed
  • I'm reporting the issue to the correct repository (for multi-repository projects)
  • I have read all configs with all optional parts

Expected Behavior

  • See calc.exe up and running in the screenshot.
  • See notepad.exe up and running in the screenshot.
  • Get the full API call trace for each one.

Current Behavior

None of them seem to work.

  • The screenshot doesn't show calc/notepad.
  • They finish almost as soon as they start, within the second.
  • The API trace doesn't look like the actual .exe was executed.

Failure Information (for bugs)

As per the Behavioral Analysis, they finish within the second they were executed.
I tested them in a local (updated) environment but also double-checked that the same results happen in your environment, see the following results:

Steps to Reproduce

  1. Take calc.exe and notepad.exe from c:\windows\system32 on the same win7 or win10 guest machine. Both .exe are 32-bit PE files, so it doesn't matter.
  2. Submit them using the web default settings. I only forced the "Machine" just to make sure it will execute there.

Context

I tested them in a local updated environment but also double-checked that the same results happen in yours.

Local setup

Question            Answer
Git commit          5d5ba06
Community package   Updated using $ python3 utils/community.py -waf
HOST OS version     Ubuntu 20.04.2 LTS
GUEST OS versions   win7x86, win7x64, win10x64

Failure Logs

Please check the result links above.

@kevoreilly
Owner

Thanks for the heads up - will look into it.

@doomedraven
Collaborator

MUI problem - https://twitter.com/hasherezade/status/1558841246944317441

@kevoreilly
Owner

doomed is right - this is a mui issue, not a cape issue. hasherezade offers a nice explanation: hasherezade/libpeconv#44

To prove this, instead of submitting notepad or calc, try submitting a batch file that launches them. Then cape has no problem monitoring these exes run from their proper location:

https://capesandbox.com/analysis/354918
https://capesandbox.com/analysis/354919
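One way to spot this class of sample before submitting it, as an added example written for this page (not CAPE's code and not from the linked libpeconv thread): a standard-library-only walk of the PE resource directory that lists the top-level resource types. MUI-aware binaries such as calc.exe and notepad.exe on Win7+ carry a resource type named `MUI` that points at an external `<lang>\<exe>.mui` file, so a hit means the binary has to run from its original directory (for example via a launcher batch file) rather than as a copied .exe.

```python
import struct

def _sections(data, coff):
    # Section table entries as (VirtualAddress, size, PointerToRawData).
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    out = []
    for i in range(nsect):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, table + i * 40 + 8)
        out.append((va, max(vsize, rawsize), rawptr))
    return out

def _rva_to_off(sections, rva):
    for va, size, rawptr in sections:
        if va <= rva < va + size:
            return rva - va + rawptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def resource_type_names(data):
    """Top-level resource type names (str) or IDs (int) of a PE image.
    MUI-aware binaries (calc.exe, notepad.exe on Win7+) carry a type named
    'MUI' that points at an external <lang>\\<exe>.mui file."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff, opt = pe + 4, pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    datadir = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ optional header
    rsrc_rva = struct.unpack_from("<I", data, datadir + 2 * 8)[0]  # directory entry 2
    if rsrc_rva == 0:
        return []                                     # image has no resources
    root = _rva_to_off(_sections(data, coff), rsrc_rva)
    n_named, n_id = struct.unpack_from("<HH", data, root + 12)
    names = []
    for i in range(n_named + n_id):
        field = struct.unpack_from("<I", data, root + 16 + i * 8)[0]
        if field & 0x80000000:      # high bit set: offset (from root) to a UTF-16 string
            s = root + (field & 0x7FFFFFFF)
            length = struct.unpack_from("<H", data, s)[0]
            names.append(data[s + 2:s + 2 + 2 * length].decode("utf-16-le"))
        else:
            names.append(field)     # numeric RT_* type id
    return names

def needs_mui_sibling(data):
    # True if the image must run from a directory that holds its .mui file.
    return "MUI" in resource_type_names(data)
```

On a real sample, `needs_mui_sibling(open(path, "rb").read())` returning True is the cue to submit a launcher that starts the binary from its own location instead of the bare copy.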
