Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ERROR: Failed to run the reporting module "MongoDB" #2188

Open
6 tasks done
albertososa-es opened this issue Jun 26, 2024 · 13 comments
Open
6 tasks done

ERROR: Failed to run the reporting module "MongoDB" #2188

albertososa-es opened this issue Jun 26, 2024 · 13 comments

Comments

@albertososa-es
Copy link

albertososa-es commented Jun 26, 2024

Prerequisites

Please answer the following questions for yourself before submitting an issue.

  • I am running the latest version
  • I did read the README!
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed
  • I'm reporting the issue to the correct repository (for multi-repository projects)
  • I have read and checked all configs (with all optional parts)

Expected Behavior

Finished analysis with reports.

Current Behavior

When I submit a sample to analize, an unhandled exception is throwed. See Failure Logs section. I've installed Volatility3 to full memory dump analysis.

Steps to Reproduce

Please provide detailed steps for reproducing the issue.

  1. Submit a sample via web interface.
  2. Boom!

Context

Question Answer
Git commit 8727513
OS version Ubuntu 22.04.4 LTS, Windows 10 (VM guest)

Config files:

cuckoo.conf

[cuckoo]
machinery_screenshots = on
memory_dump = on
freespace = 0
    
[resultserver]
ip = 192.168.2.1

auxiliary.conf

[auxiliary_modules]
procmon = yes
sysmon_windows = yes

[sniffer]
interface = virbr1

kvm.conf

[kvm]
machines = vm01

[vm01]
label = win10_msoffice
ip = 192.168.2.10
platform = windows
tags = win10,msoffice
snapshot = snapshot1
arch = x64

memory.conf

[basic]
guest_profile = Win10x64
delete_memdump = no

[malfind]
enabled = yes

[pslist]
enabled = yes

[psscan]
enabled = yes

[callbacks]
enabled = yes

[svcscan]
enabled = yes

processing.conf

[flare_capa]
enabled = yes
static = yes
cape = yes
procdump = yes

[detections]
virustotal = yes

[procmon]
enabled = yes

[memory]
enabled = yes

[virustotal]
enabled = yes
# API Key omitida por confidencialidad en este documento.
key = 697P45....a59

[deduplication]
enabled = yes

[xlsdeobf]
enabled = yes

reporting.conf

[mitre]
enabled = yes

[reporthtml]
enabled = yes
screenshots = yes
apicalls = yes

[reporthtmlsummary]
enabled = yes
screenshots = yes

[reportpdf]
enabled = yes

web.conf

[malscore]
enabled = yes

Failure Logs

cape

@doomedraven
Copy link
Collaborator

Try to disable capa in processing and reprocess a job just as test

@albertososa-es
Copy link
Author

CAPA disabled in processing and submited new sample with default options. Now it has a timeout:

cape3

I think that CAPA is not the problem, since my sample is a .doc, so this error message is correct from CAPA. Anyway, I'm working with snapshots (CAPE-host is a VM) and I notice that this error starts since I installed Volatility3 and flare-floss via poetry:

$ sudo -u cape poetry run pip install -U volatility3 flare-floss

Will be it related?

@doomedraven
Copy link
Collaborator

could be, i don't use capa, floss neither volatility integrations so idk in which state those plugins are

@albertososa-es
Copy link
Author

So, if I understand the memory analysis with Volatility should be done outside CAPE-host, right?

@doomedraven
Copy link
Collaborator

well you can use that in cape, but the thing here is that i don't maintain things that i don't use, is just unreal, so sometime community or other people must help support updated version of those libraries, it should works with the versions that is in pyproject, but if you install newer, then that's not ensured by us.

@albertososa-es
Copy link
Author

Ok perfect. I confirm that if I install Volatility, the cape-processor crashes.

@albertososa-es
Copy link
Author

Hi again! I setup tmpfs for memory dump analysis with Volatility and it doesn't crash due to timeout now.

@albertososa-es
Copy link
Author

News... I check that some Volatility modules configured in memory.conf are crashing MongoDB reports (first log error in this issue).

@doomedraven
Copy link
Collaborator

what modules crashing it? yes tmpfs speedup a lot processing of memdumps, but bear in mind as much plugins you enable, you might need to consider increase timeout from 900 to higher value

@albertososa-es
Copy link
Author

malfind is the first module that causes the crash. If you see the first screenshot in the issue, the exception is throwed at deepcopy function. Maybe there is a mismatch between libraries versions and expected data structures (?)

@doomedraven
Copy link
Collaborator

Probably it returns something that wasn't converted to json

@albertososa-es
Copy link
Author

Mm, not sure about that. I tried to replace the deepcopy with a JSON dump and load (only for test purposes) and it doesn't throw exceptions - errors. I've all modules enabled in memory.conf and it shows all information in web interface.

@doomedraven
Copy link
Collaborator

doomedraven commented Jun 28, 2024 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants