
I have a problem with Cuckoo Sandbox and the memory dump it should generate so that I can analyse it with Volatility.

My issue is:

Cuckoo's log files tell me that a memory dump has successfully been generated, but it cannot access it because it cannot be found. Manually looking for it in the directory confirms that it does not exist. Cuckoo tells me to enable memory_dump in cuckoo.conf, which is already enabled.

My Cuckoo version and operating system are:

Cuckoo: 2.0.6
Host: Ubuntu 18.04.1 LTS
Guest: Win7 Ultimate, Service Pack 1, 32-bit

These are my config files:

cuckoo.conf

memory_dump = yes

memory.conf

guest_profile = Win7SP1x86
delete_memdump = no

processing.conf

[memory]
enabled = yes

This is the output of cuckoo.log:

INFO: Successfully generated memory dump for virtual machine with label Win7 to path /home/test/.cuckoo/storage/analyses/1/memory.dmp
[...]
ERROR: VM memory dump not found: to create VM memory dumps you have to enable memory_dump in cuckoo.conf!

Any kind of help is appreciated. If you need any more information from me, please let me know.

Edit: Only the memory dump of the full machine is not being generated. If the malware is injected into a new process, then a memory dump is generated, as shown in report.json:

INFO: injected into process with pid 3844 and name 'iexplorer.exe'
INFO: memory dump of process with pid 3844 completed

and I can also find the 3844-1.dmp file in the directory.

  • Does anyone have any ideas on how to solve this? I think I configured all config files correctly, but although the cuckoo log tells me that it successfully created the memory.dmp, it is nowhere to be found.
    – pharZyde
    Commented Feb 15, 2019 at 13:19
  • Just tested it with a WinXP machine as guest, but the same problem occurs.
    – pharZyde
    Commented Feb 15, 2019 at 13:19

1 Answer

After a lot of tries, I found that the problem is in:

/lib/python2.7/site-packages/cuckoo/machinery/virtualbox.py

If you replace this file with the latest version, you will get the memory dump working fine, but you could break other things; I guess the best option is to install Cuckoo from source. You should also replace agent.py with the latest one (version 0.10). Installing Cuckoo with pip does not give you the latest version.

To sum up what I tried (you should try the first one):

  1. Tried a memory dump using the same command that cuckoo uses:

    VBoxManage debugvm yourvmname dumpvmcore --filename=memory.dmp
    

    This works fine, so the problem is in Cuckoo's call, not in the VM, Volatility, or anything else.

  2. Tried without success:

    • cuckoo submit with the --memory option; the config files were the same as yours, but without success.
    • different profiles for volatility
    • different VMs, same OS
    • different installations, another computer, a different VirtualBox version (6.0.8 instead of 6.0.6).

Replacing virtualbox.py and agent.py with the latest versions solved my problem; I hope this helps you. This is an essential part of my dissertation paper. Without a memory dump there is no paper.

Update 19/06/2019

If you just replace:

    if output.startswith("5"):

with

    if output.startswith(("5", "6")):

in line 361 of /lib/python2.7/site-packages/cuckoo/machinery/virtualbox.py

it should be enough to solve the problem, but, as you can see, Cuckoo 2.0.6 is not ready to work with VirtualBox 6.x, so even with this fix other problems can occur. Either update Cuckoo to the unstable version or go back to VirtualBox 5.x.
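The same fix done by parsing the version number instead of matching a string prefix, plus the check Cuckoo was missing (confirming the dump file exists after VBoxManage returns), as an added example. This is not Cuckoo's or VirtualBox's own code, and it is written for Python 3 rather than the Python 2.7 that Cuckoo 2.0.6 runs on. It assumes, from the line the answer quotes, that Cuckoo's prefix test on the output of `VBoxManage -v` decides which `debugvm` subcommand gets run, and that the non-"5" branch falls back to the older `dumpguestcore` name; `run` and `exists` are hypothetical injectable parameters so the logic can be exercised without VirtualBox installed.

```python
import os
import subprocess


def parse_vbox_version(output):
    """Turn `VBoxManage -v` output such as '6.0.8r130520' into (6, 0, 8).

    Distribution builds append a suffix like '_Ubuntur126460'; only the
    leading dotted numeric components are kept.
    """
    text = output.strip().split("r", 1)[0]  # drop the rNNNNNN revision suffix
    parts = []
    for token in text.split("."):
        digits = ""
        for ch in token:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError("unparseable VBoxManage version: %r" % output)
    return tuple(parts)


def dump_subcommand(version):
    """Pick the `VBoxManage debugvm` subcommand for a parsed version tuple.

    The subcommand is `dumpvmcore` from 5.0 on and is unchanged in 6.x, so
    the decision is made on the parsed major version, not on a "5" prefix
    that silently sends 6.x down the wrong path. `dumpguestcore` is the
    pre-5.0 name (assumed to be the upstream fallback, see lead-in).
    """
    return "dumpvmcore" if version[0] >= 5 else "dumpguestcore"


def dump_vm_memory(label, path, vboxmanage="VBoxManage",
                   run=subprocess.run, exists=os.path.exists):
    """Dump a VM's memory and confirm the file really exists afterwards.

    Returns the command that was run. `run` and `exists` are hypothetical
    injectable hooks so the logic is testable without VirtualBox.
    """
    probe = run([vboxmanage, "-v"], stdout=subprocess.PIPE,
                stderr=subprocess.PIPE)
    if probe.returncode != 0:
        raise RuntimeError("cannot query VBoxManage version: %s"
                           % probe.stderr.decode(errors="replace").strip())
    version = parse_vbox_version(probe.stdout.decode(errors="replace"))
    cmd = [vboxmanage, "debugvm", label, dump_subcommand(version),
           "--filename=%s" % path]
    result = run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    if result.returncode != 0:
        raise RuntimeError("%s failed (rc=%d): %s" % (
            " ".join(cmd), result.returncode,
            result.stderr.decode(errors="replace").strip()))
    # Do not trust the exit status alone: the question shows a "success"
    # log line with no file behind it, so verify the dump was written.
    if not exists(path):
        raise RuntimeError("VBoxManage exited 0 but %s was not created" % path)
    return cmd


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: %s <vm-label> <dump-path>" % sys.argv[0])
    print(" ".join(dump_vm_memory(sys.argv[1], sys.argv[2])))
```

Run as `python3 dumpvm.py Win7 /tmp/memory.dmp` on a host with VirtualBox; the existence check is what turns the page's silent "dump not found" into an error at the point where it actually happens.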
