
Cuckoomon injection causes IE 11 to crash at start of URL analysis #235

seanthegeek opened this issue Aug 1, 2016 · 18 comments

@seanthegeek
Contributor

I just upgraded my Cuckoo VMs to IE 11, to better reflect real-world systems. IE is now crashing upon Cuckoo's injects. Disabling injects works fine. How can I collect debug info for this?

@spender-sandbox
Owner

Run with debug=2 and give me the logs that result. Also try with disable_hook_content=1

-Brad

@seanthegeek
Contributor Author

2016-08-01 13:04:31,000 [root] INFO: Date set to: 08-01-16, time set to: 17:04:31
2016-08-01 13:04:31,046 [root] DEBUG: Starting analyzer from: C:\igiuz
2016-08-01 13:04:31,046 [root] DEBUG: Storing results at: C:\HLFSUU
2016-08-01 13:04:31,046 [root] DEBUG: Pipe server name: \\.\PIPE\gSbTOKOe
2016-08-01 13:04:31,046 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2016-08-01 13:04:31,046 [root] INFO: Automatically selected analysis package "ie"
2016-08-01 13:04:31,312 [root] DEBUG: Started auxiliary module Browser
2016-08-01 13:04:31,312 [modules.auxiliary.digisig] DEBUG: Skipping authenticode validation, analysis is not a file.
2016-08-01 13:04:31,312 [root] DEBUG: Started auxiliary module DigiSig
2016-08-01 13:04:31,312 [root] DEBUG: Started auxiliary module Disguise
2016-08-01 13:04:31,328 [root] DEBUG: Started auxiliary module Human
2016-08-01 13:04:31,328 [root] DEBUG: Started auxiliary module Screenshots
2016-08-01 13:04:31,328 [root] DEBUG: Started auxiliary module Usage
2016-08-01 13:04:31,375 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" with arguments ""cnn.com"" with pid 2468
2016-08-01 13:04:31,375 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2016-08-01 13:04:31,546 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2468
2016-08-01 13:04:33,562 [lib.api.process] INFO: Successfully resumed process with pid 2468
2016-08-01 13:04:33,562 [root] INFO: Added new process to list with pid: 2468
2016-08-01 13:04:34,140 [root] INFO: Cuckoomon successfully loaded in process with pid 2468.
2016-08-01 13:04:34,203 [root] INFO: Announced 64-bit process name: iexplore.exe pid: 2692
2016-08-01 13:04:34,203 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2016-08-01 13:04:34,250 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2692
2016-08-01 13:04:34,250 [root] INFO: Disabling sleep skipping.
2016-08-01 13:04:34,437 [root] INFO: Disabling sleep skipping.
2016-08-01 13:04:34,515 [root] INFO: Added new process to list with pid: 2692
2016-08-01 13:04:34,515 [root] INFO: Cuckoomon successfully loaded in process with pid 2692.
2016-08-01 13:04:37,515 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2016-08-01 13:04:38,717 [root] INFO: Notified of termination of process with pid 2692.
2016-08-01 13:04:39,203 [root] INFO: Notified of termination of process with pid 2468.
2016-08-01 13:04:39,562 [root] INFO: Process with pid 2468 has terminated
2016-08-01 13:04:40,562 [root] INFO: Process with pid 2692 has terminated
2016-08-01 13:04:55,078 [root] INFO: Process list is empty, terminating analysis.
2016-08-01 13:04:56,108 [root] INFO: Created shutdown mutex.
2016-08-01 13:04:57,217 [root] INFO: Shutting down package.
2016-08-01 13:04:57,280 [root] INFO: Stopping auxiliary modules.
2016-08-01 13:04:57,280 [root] INFO: Terminating remaining processes before shutdown.
2016-08-01 13:04:57,296 [root] INFO: Finishing auxiliary modules.
2016-08-01 13:04:57,296 [root] INFO: Shutting down pipe server and dumping dropped files.
2016-08-01 13:04:57,296 [root] INFO: Analysis completed.

No improvement with disable_hook_content=1.

@spender-sandbox
Owner

The logs would be sent to the server console, not to analysis.log

-Brad

@seanthegeek
Contributor Author

2016-08-01 13:40:54,612 [lib.cuckoo.core.resultserver] DEBUG: New process (pid=3060, ppid=2768, name=iexplore.exe, path=C:\Program Files\Internet Explorer\iexplore.exe)
2016-08-01 13:40:54,612 [lib.cuckoo.core.resultserver] DEBUG: New thread (tid=0, pid=3060)
2016-08-01 13:40:54,613 [lib.cuckoo.core.resultserver] DEBUG: Environ received for pid 3060
2016-08-01 13:40:54,847 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 3060 EIP: ntdll.dll+533dd 772a33dd, Fault Address: 00000074, Esp: 002ef6b0, Exception Code: c0000005,  ntdll.dll+1a59f ntdll.dll+18e42 ntdll.dll+51278 ntdll.dll+533dd WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c521 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2016-08-01 13:40:54,847 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 3060 EIP: ntdll.dll+533dd 772a33dd, Fault Address: 00000074, Esp: 002ef6b0, Exception Code: c0000005,  kernel32.dll+99460 ntdll.dll+943b8 ntdll.dll+185a8 ntdll.dll+29d0d ntdll.dll+191af ntdll.dll+51278 ntdll.dll+533dd WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c521 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2016-08-01 13:40:55,423 [lib.cuckoo.core.guest] DEBUG: sandbox-win7-01: analysis not completed yet (status=2)
2016-08-01 13:40:56,427 [lib.cuckoo.core.guest] DEBUG: sandbox-win7-01: analysis not completed yet (status=2)
2016-08-01 13:40:57,431 [lib.cuckoo.core.guest] DEBUG: sandbox-win7-01: analysis not completed yet (status=2)
2016-08-01 13:40:58,439 [lib.cuckoo.core.guest] DEBUG: sandbox-win7-01: analysis not completed yet (status=2)
2016-08-01 13:40:59,490 [lib.cuckoo.core.guest] DEBUG: sandbox-win7-01: analysis not completed yet (status=2)
2016-08-01 13:41:00,579 [lib.cuckoo.core.guest] DEBUG: sandbox-win7-01: analysis not completed yet (status=2)
2016-08-01 13:41:01,707 [lib.cuckoo.core.guest] DEBUG: sandbox-win7-01: analysis not completed yet (status=2)
2016-08-01 13:41:02,784 [lib.cuckoo.core.guest] DEBUG: sandbox-win7-01: analysis not completed yet (status=2)
2016-08-01 13:41:04,007 [lib.cuckoo.core.guest] DEBUG: sandbox-win7-01: analysis not completed yet (status=2)
2016-08-01 13:41:05,017 [lib.cuckoo.core.guest] DEBUG: sandbox-win7-01: analysis not completed yet (status=2)
2016-08-01 13:41:06,020 [lib.cuckoo.core.guest] DEBUG: sandbox-win7-01: analysis not completed yet (status=2)
2016-08-01 13:41:07,024 [lib.cuckoo.core.guest] DEBUG: sandbox-win7-01: analysis not completed yet (status=2)
2016-08-01 13:41:08,028 [lib.cuckoo.core.guest] DEBUG: sandbox-win7-01: analysis not completed yet (status=2)
2016-08-01 13:41:09,031 [lib.cuckoo.core.guest] DEBUG: sandbox-win7-01: analysis not completed yet (status=2)
2016-08-01 13:41:10,034 [lib.cuckoo.core.guest] DEBUG: sandbox-win7-01: analysis not completed yet (status=2)
2016-08-01 13:41:11,037 [lib.cuckoo.core.guest] DEBUG: sandbox-win7-01: analysis not completed yet (status=2)
2016-08-01 13:41:12,040 [lib.cuckoo.core.guest] DEBUG: sandbox-win7-01: analysis not completed yet (status=2)
2016-08-01 13:41:13,051 [lib.cuckoo.core.guest] DEBUG: sandbox-win7-01: analysis not completed yet (status=2)
2016-08-01 13:41:14,054 [lib.cuckoo.core.guest] DEBUG: sandbox-win7-01: analysis not completed yet (status=2)
2016-08-01 13:41:15,058 [lib.cuckoo.core.guest] DEBUG: sandbox-win7-01: analysis not completed yet (status=2)
2016-08-01 13:41:16,062 [lib.cuckoo.core.guest] DEBUG: sandbox-win7-01: analysis not completed yet (status=2)
2016-08-01 13:41:17,065 [lib.cuckoo.core.guest] INFO: sandbox-win7-01: analysis completed successfully
2016-08-01 13:41:17,065 [lib.cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2016-08-01 13:41:17,149 [modules.auxiliary.tor] INFO: Shutdown Tor transparent proxy for 192.168.100.2
2016-08-01 13:41:17,150 [lib.cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Tor
2016-08-01 13:41:17,150 [lib.cuckoo.common.abstracts] DEBUG: Stopping machine sandbox-win7-01
2016-08-01 13:41:17,151 [lib.cuckoo.common.abstracts] DEBUG: Getting status for sandbox-win7-01
2016-08-01 13:41:17,819 [lib.cuckoo.common.abstracts] DEBUG: Getting status for sandbox-win7-01
2016-08-01 13:41:18,007 [lib.cuckoo.core.resultserver] DEBUG: Connection closed: 192.168.100.2:49158
2016-08-01 13:41:18,386 [lib.cuckoo.core.resultserver] DEBUG: Connection closed: 192.168.100.2:49159
2016-08-01 13:41:18,886 [lib.cuckoo.core.resultserver] DEBUG: Uploaded file length: 64
2016-08-01 13:41:18,886 [lib.cuckoo.core.resultserver] DEBUG: Connection closed: 192.168.100.2:49160
2016-08-01 13:41:19,876 [lib.cuckoo.core.resultserver] DEBUG: Connection closed: 192.168.100.2:49162
2016-08-01 13:41:19,908 [lib.cuckoo.core.scheduler] DEBUG: Task #444: Released database task with status True
2016-08-01 13:41:19,911 [lib.cuckoo.core.plugins] DEBUG: Executing processing module "Decompression" on analysis at "/data/cuckoo/storage/analyses/444"
2016-08-01 13:41:19,912 [lib.cuckoo.core.plugins] DEBUG: Executing processing module "AnalysisInfo" on analysis at "/data/cuckoo/storage/analyses/444"
2016-08-01 13:41:19,929 [lib.cuckoo.core.plugins] DEBUG: Executing processing module "BehaviorAnalysis" on analysis at "/data/cuckoo/storage/analyses/444"
2016-08-01 13:41:20,015 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 3060 EIP: ntdll.dll+533dd 772a33dd, Fault Address: 00000074, Esp: 002ef6b0, Exception Code: c0000005,  ntdll.dll+1a59f ntdll.dll+18e42 ntdll.dll+51278 ntdll.dll+533dd WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c521 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2016-08-01 13:41:20,015 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 3060 EIP: ntdll.dll+533dd 772a33dd, Fault Address: 00000074, Esp: 002ef6b0, Exception Code: c0000005,  kernel32.dll+99460 ntdll.dll+943b8 ntdll.dll+185a8 ntdll.dll+29d0d ntdll.dll+191af ntdll.dll+51278 ntdll.dll+533dd WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c521 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d
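
As an added example (not code from the issue or from cuckoo-modified), a small Python parser for the monitor's "Exception Caught!" message quoted above: it splits the fields, decodes the faulting instruction from the bytes at EIP, and shows why fault address 0x74 together with opcode bytes 8b 41 74 (mov eax, [ecx+0x74]) indicates a NULL ecx rather than corrupted memory. The sample message is constructed from the lines above with a shortened stack; the regex and the field names are assumptions.

```python
import re

# Constructed sample with the shape of the "Debug message from monitor" lines
# above (same PID, EIP, fault address and bytes; stack shortened).
SAMPLE = ("Exception Caught! PID: 3060 EIP: ntdll.dll+533dd 772a33dd, Fault Address: 00000074, "
          "Esp: 002ef6b0, Exception Code: c0000005,  ntdll.dll+1a59f ntdll.dll+18e42 ntdll.dll+51278 "
          "ntdll.dll+533dd WININET.dll+1742 IEFRAME.dll+402ea IEXPLORE.EXE+11e9 "
          "Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d")

# Assumed layout of the message; adjust if the monitor build formats it differently.
MSG = re.compile(
    r"Exception Caught! PID: (?P<pid>\d+) EIP: (?P<mod>[^+\s]+)\+(?P<off>[0-9a-f]+) (?P<eip>[0-9a-f]+), "
    r"Fault Address: (?P<fault>[0-9a-f]+), Esp: (?P<esp>[0-9a-f]+), Exception Code: (?P<code>[0-9a-f]+),"
    r"\s+(?P<stack>.*?)\s*Bytes at EIP: (?P<bytes>[0-9a-f ]+?)\s*$")

STATUS_ACCESS_VIOLATION = 0xC0000005
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def parse_exception(msg):
    """Split one monitor exception message into typed fields (None if no match)."""
    m = MSG.search(msg)
    if not m:
        return None
    d = m.groupdict()
    return {"pid": int(d["pid"]), "module": d["mod"], "offset": int(d["off"], 16),
            "eip": int(d["eip"], 16), "fault": int(d["fault"], 16), "esp": int(d["esp"], 16),
            "code": int(d["code"], 16), "stack": d["stack"].split(),
            "bytes": bytes.fromhex(d["bytes"].replace(" ", ""))}

def decode_mov_load(code):
    """Minimal x86 decoder for 'mov r32, [r32+disp8]' (opcode 8B, ModRM mod=01, no SIB)."""
    if len(code) < 3 or code[0] != 0x8B:
        return None
    mod, reg, rm = code[1] >> 6, (code[1] >> 3) & 7, code[1] & 7
    if mod != 1 or rm == 4:          # rm=4 would need a SIB byte; not handled here
        return None
    disp = code[2] - 0x100 if code[2] >= 0x80 else code[2]   # disp8 is sign-extended
    return REGS32[reg], REGS32[rm], disp

def explain(rec):
    """One-line diagnosis: a read whose displacement equals the fault address means the base was NULL."""
    where = "%s+%x" % (rec["module"], rec["offset"])
    if rec["code"] != STATUS_ACCESS_VIOLATION:
        return "exception 0x%08x at %s" % (rec["code"], where)
    insn = decode_mov_load(rec["bytes"])
    if insn and insn[2] == rec["fault"]:
        dst, base, disp = insn
        return "NULL %s dereferenced: mov %s, [%s+0x%x] at %s" % (base, dst, base, disp, where)
    return "access violation at 0x%08x in %s" % (rec["fault"], where)
```

Run `explain(parse_exception(line))` over each "Debug message from monitor" line from the server console to confirm every crash in a run is the same NULL-plus-0x74 read at the same ntdll offset.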

@seanthegeek
Contributor Author

Anything else I can do to help with this?

@spender-sandbox
Owner

Have you disabled all the security settings in IE? Protected mode, etc?

-Brad

@jgajek
Contributor

jgajek commented Aug 10, 2016

FWIW, I am running IE11 in a Win7 x64 VM, and am not experiencing these crashes. I have all IE security settings turned down to the lowest available level.

However, I am consistently getting signature hits of the type:

iexplore.exe (1552) called API GetSystemTimeAsFileTime 2534523 times

Perhaps there is some sort of recursive loop in the hook for this API?

@jgajek
Contributor

jgajek commented Aug 11, 2016

Actually, the GetSystemTimeAsFileTime API spamming may be normal behavior for IE. It is whitelisted in the api_spamming.py signature. It just needs its whitelist adjusted to work with the Program Files (x86) path on 64-bit systems.

@seanthegeek
Contributor Author

Protected mode is off. And security settings are as low as I can make them.

@jgajek Did you apply any other Windows patches to your VMs? I only installed the [minimum prerequisites](https://support.microsoft.com/en-us/kb/2847882) for IE11.

@jgajek
Contributor

jgajek commented Aug 16, 2016

Here's what I did:

  • Win7 Pro SP1 base install -- Windows updates, firewall, UAC turned off
  • Installed IE11
  • Disabled protected mode
  • Turned off pop-up blocker
  • Disabled certificate revocation checks in Advanced Internet Options
  • Disabled all restrictions in Internet Zone Security settings (i.e. allowed unsigned ActiveX controls, etc.)
  • Disabled IE security settings check (HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck=1)
  • Disabled IE welcome screen (HKLM\Software\Wow6432Node\Policies\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize=1)

I also have latest version of Chrome installed on the VM as a non-default browser.

@seanthegeek
Contributor Author

@jgajek I'm using the same settings. Are you using the latest version of cuckoomon? Maybe there's a regression?

@jgajek
Contributor

jgajek commented Aug 16, 2016

I'm running cuckoo-modified inside a Docker container, so I haven't done a git pull in a few weeks. I'll do a rebuild later today and report back.

@seanthegeek
Contributor Author

seanthegeek commented Aug 16, 2016

Thanks. If you can make note of the git revision you are currently using, that would be great

@jgajek
Contributor

jgajek commented Aug 17, 2016

I'm not seeing any IE11 crashes even on the latest revision.

@KillerInstinct
Contributor

I just got a VM up with IE11 on W7x64 SP1, installed some lame patch to get windows update to work, and then installed IE11. I did install ie8 updates in-line though. No crashes here.

@enzok

enzok commented Jan 26, 2017

@seanthegeek did you ever resolve this issue? I'm having the same problem.

@nebu10uz

I'm having the same issue but for Win7 32-bit SP1. Did anybody resolve this?

@ezolution

Highly doubt so. I am experiencing the same problem here and dying to find the solution.
