IE11 errors on 64-bit Win 7 VM #26

Open
enzok opened this issue Jan 23, 2017 · 6 comments

Comments

enzok commented Jan 23, 2017

I’m having an issue when submitting a task that runs Internet Explorer 11 in a 64-bit Windows 7 VM. IE throws an error popup and doesn’t run. This issue doesn’t happen in my 32-bit VM. However, if I disable injection, then IE runs.

IE Version - 11.0.9600.16428 (KB2841134)

2017-01-20 09:21:25,812 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" with arguments ""http://"" with pid 2848
2017-01-20 09:21:25,812 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-01-20 09:21:25,921 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2848
2017-01-20 09:21:27,921 [lib.api.process] INFO: Successfully resumed process with pid 2848
2017-01-20 09:21:27,921 [root] INFO: Added new process to list with pid: 2848
2017-01-20 09:21:28,015 [root] INFO: Cuckoomon successfully loaded in process with pid 2848.
2017-01-20 09:21:28,046 [root] INFO: Announced 64-bit process name: iexplore.exe pid: 2688
2017-01-20 09:21:28,046 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-01-20 09:21:28,092 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2688
2017-01-20 09:21:28,092 [root] INFO: Disabling sleep skipping.
2017-01-20 09:21:28,187 [root] INFO: Disabling sleep skipping.
2017-01-20 09:21:28,203 [root] INFO: Added new process to list with pid: 2688
2017-01-20 09:21:28,203 [root] INFO: Cuckoomon successfully loaded in process with pid 2688.
2017-01-20 09:21:29,875 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2017-01-20 09:21:30,937 [root] INFO: Notified of termination of process with pid 2688.
2017-01-20 09:21:30,937 [root] INFO: Notified of termination of process with pid 2848.
2017-01-20 09:21:31,921 [root] INFO: Process with pid 2848 has terminated
2017-01-20 09:21:32,921 [root] INFO: Process with pid 2688 has terminated

spender-sandbox (Owner) commented

add debug=1 to options, and check your cuckoo log

-Brad

enzok (Author) commented Jan 23, 2017

Here's the debug output:
2017-01-23 13:51:46,506 [lib.cuckoo.core.guest] INFO: Starting analysis on guest

2017-01-23 13:51:57,345 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, ntdll.dll+1a5db ntdll.dll+18e62 ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2017-01-23 13:51:57,345 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, kernel32.dll+99460 ntdll.dll+93398 ntdll.dll+185c8 ntdll.dll+29d2d ntdll.dll+191cf ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2017-01-23 13:52:32,856 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, ntdll.dll+1a5db ntdll.dll+18e62 ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2017-01-23 13:52:32,856 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, kernel32.dll+99460 ntdll.dll+93398 ntdll.dll+185c8 ntdll.dll+29d2d ntdll.dll+191cf ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2017-01-23 13:52:40,264 [requests.packages.urllib3.connectionpool] INFO: Starting new HTTPS connection (1): www.virustotal.com
2017-01-23 13:52:41,523 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, ntdll.dll+1a5db ntdll.dll+18e62 ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2017-01-23 13:52:41,523 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, kernel32.dll+99460 ntdll.dll+93398 ntdll.dll+185c8 ntdll.dll+29d2d ntdll.dll+191cf ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2017-01-23 13:55:43,142 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, ntdll.dll+1a5db ntdll.dll+18e62 ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2017-01-23 13:55:43,143 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, kernel32.dll+99460 ntdll.dll+93398 ntdll.dll+185c8 ntdll.dll+29d2d ntdll.dll+191cf ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2017-01-23 13:55:43,586 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, ntdll.dll+1a5db ntdll.dll+18e62 ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2017-01-23 13:55:43,587 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, kernel32.dll+99460 ntdll.dll+93398 ntdll.dll+185c8 ntdll.dll+29d2d ntdll.dll+191cf ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2017-01-23 13:55:48,812 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, ntdll.dll+1a5db ntdll.dll+18e62 ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2017-01-23 13:55:48,813 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, kernel32.dll+99460 ntdll.dll+93398 ntdll.dll+185c8 ntdll.dll+29d2d ntdll.dll+191cf ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d
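
Reading the debug lines above, every exception has the same shape: PID 1144, EIP ntdll.dll+5339d, fault address 00000074, exception code c0000005 (access violation), and the bytes at EIP begin `8b 41 74`, which is `mov eax, [ecx+0x74]`. A fault address equal to the instruction's displacement means the base register (ecx) was zero when ntdll dereferenced it, and the fault repeats at the same EIP each time a new "Close the program" dialog is raised. The script below is an added example, not part of the issue thread and not cuckoomon or cuckoo-modified code: it parses the monitor's "Exception Caught!" debug lines, groups identical crashes, and decodes the `8B /r` disp8 form of `mov` so the NULL-base case is reported explicitly. The two sample lines are copied from the log above; `parse_exceptions`, `decode_mov_load`, `classify` and `summarize` are names I chose.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Two "Exception Caught!" lines copied verbatim from the cuckoo.log posted in
# this issue (one per stack variant). Feed any other cuckoo.log text the same way.
SAMPLE_LOG = """\
2017-01-23 13:51:57,345 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, ntdll.dll+1a5db ntdll.dll+18e62 ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d
2017-01-23 13:51:57,345 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, kernel32.dll+99460 ntdll.dll+93398 ntdll.dll+185c8 ntdll.dll+29d2d ntdll.dll+191cf ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d
"""

ACCESS_VIOLATION = 0xC0000005

# Field layout of the monitor's "Exception Caught!" debug message as it appears
# in the lines above: symbolised EIP, raw EIP, fault address, ESP, NT status,
# a space-separated module+offset backtrace, then the raw bytes at EIP.
EXC_RE = re.compile(
    r"Exception Caught! PID: (?P<pid>\d+) EIP: (?P<eip_sym>\S+) (?P<eip>[0-9a-f]+), "
    r"Fault Address: (?P<fault>[0-9a-f]+), Esp: (?P<esp>[0-9a-f]+), "
    r"Exception Code: (?P<code>[0-9a-f]+), (?P<stack>.*?) Bytes at EIP: (?P<bytes>[0-9a-f ]+)$"
)

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


@dataclass
class CrashRecord:
    pid: int
    eip_sym: str
    eip: int
    fault: int
    esp: int
    code: int
    stack: list
    code_bytes: bytes


def parse_exceptions(log_text):
    """Return one CrashRecord per 'Exception Caught!' line; other lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = EXC_RE.search(line.strip())
        if not m:
            continue
        records.append(CrashRecord(
            pid=int(m["pid"]),
            eip_sym=m["eip_sym"],
            eip=int(m["eip"], 16),
            fault=int(m["fault"], 16),
            esp=int(m["esp"], 16),
            code=int(m["code"], 16),
            stack=m["stack"].split(),
            code_bytes=bytes.fromhex(m["bytes"].replace(" ", "")),
        ))
    return records


def decode_mov_load(code_bytes):
    """Decode `8B /r` with ModRM mod=01, i.e. `mov r32, [r32 + disp8]`.
    Returns (dst, base, disp) or None for any other encoding (including the
    rm=100 case, where a SIB byte follows and is not handled here)."""
    if len(code_bytes) < 3 or code_bytes[0] != 0x8B:
        return None
    modrm = code_bytes[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 1 or rm == 4:
        return None
    disp = code_bytes[2] if code_bytes[2] < 0x80 else code_bytes[2] - 0x100
    return REGS32[reg], REGS32[rm], disp


def classify(rec):
    """Describe an access violation in terms of the decoded faulting instruction.
    When the fault address equals the displacement, the base register was NULL."""
    if rec.code != ACCESS_VIOLATION:
        return "not an access violation"
    dec = decode_mov_load(rec.code_bytes)
    if dec is None:
        return "access violation (instruction not decoded)"
    dst, base, disp = dec
    insn = f"mov {dst}, [{base}{disp:+#x}]"
    if rec.fault == disp:
        return f"{insn}: read through NULL {base} (fault address == displacement)"
    return f"{insn}: bad read at 0x{rec.fault:08x}"


def summarize(log_text):
    """Count identical crashes by (pid, symbolised EIP, fault address, code)."""
    return Counter((r.pid, r.eip_sym, r.fault, r.code) for r in parse_exceptions(log_text))


if __name__ == "__main__":
    recs = parse_exceptions(SAMPLE_LOG)
    for key, n in summarize(SAMPLE_LOG).items():
        pid, sym, fault, code = key
        print(f"pid {pid} at {sym}: {n}x code {code:08x}, fault {fault:08x}")
    print(classify(recs[0]))
    print("innermost frames:", recs[0].stack[:3], "/", recs[1].stack[:3])
```

Run it against the full cuckoo.log to see whether the crashes collapse to one (EIP, fault) pair, as they do for the lines posted here; a second distinct EIP would point at a different problem than the one in this thread.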

spender-sandbox (Owner) commented

See if the problem persists with disable_hook_content=1 passed in options

-Brad

enzok (Author) commented Jan 23, 2017

Problem persists, same exceptions.

KillerInstinct (Contributor) commented

I had forgotten about this issue thread. You may want to ensure all security-related stuff is disabled:
spender-sandbox/cuckoo-modified#235

enzok (Author) commented Jan 26, 2017

I disabled all security settings that I am aware of; however, I'll go back and verify that I didn't miss something, or revert to a snapshot that wasn't set up properly. Otherwise, it looks like I installed IE the same way as described in the issue #235 thread.
