Dropped files not gathering all dropped files. #1672

Closed
6 tasks done
CarsonHrusovsky opened this issue Jul 24, 2023 · 12 comments

Comments

@CarsonHrusovsky (Contributor)

About accounts on capesandbox.com

  • Issues aren't the way to ask for account activation. Ping capesandbox on Twitter with your username

This is open source and you are getting free support so be friendly!

Prerequisites

Please answer the following questions for yourself before submitting an issue.

  • I am running the latest version
  • I did read the README!
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed
  • I'm reporting the issue to the correct repository (for multi-repository projects)
  • I have read and checked all configs (with all optional parts)

Expected Behavior

Easy access to all files found within an analysis.

Current Behavior

Currently, our instance will detect dropped files that actually dropped on disk, but doesn't detect or show files that are downloaded via URL.

This isn't necessarily a bug, as dropped files does what it is supposed to do - detect dropped files. This is more of a question / comment: is there an easier way to show downloaded files rather than searching through the network pcap?

@kevoreilly (Owner) commented Jul 24, 2023

This is something that needs fixing - I would definitely expect to see downloaded files appear in dropped files. Are you able to elaborate by what mechanism they are downloaded/written to disk? For example using URLDownloadToFile they should indeed be captured:

HOOKDEF(HRESULT, WINAPI, URLDownloadToFileW,
	LPUNKNOWN pCaller,
	LPWSTR szURL,
	LPWSTR szFileName,
	DWORD dwReserved,
	LPVOID lpfnCB
) {
	// let the real API run first so the file exists on disk before it is announced
	HRESULT ret = Old_URLDownloadToFileW(pCaller, szURL, szFileName, dwReserved, lpfnCB);
	// record the call (URL, destination path, stack-pivot check) in the behaviour log
	LOQ_hresult("network", "uFs", "URL", szURL, "FileName", szFileName, "StackPivoted", is_stack_pivoted() ? "yes" : "no");
	// only announce the file if the download succeeded and the dropped-file limit is not reached
	if (ret == S_OK && dropped_count < g_config.dropped_limit) {
		// tell the analyzer over the pipe to collect this path as a dropped file
		pipe("FILE_NEW:%Z", szFileName);
		dropped_count++;
	}

	return ret;
}

Note the pipe("FILE_NEW:%Z", szFileName); line which is where the message to capture this file in dropped is sent.
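The pipe message in the hook is one side of the exchange. As an added example (not CAPE's own code), here is a small Python model of the analyzer side: it tracks FILE_NEW/FILE_DEL/FILE_MOVE messages under the dropped-file limit and then sweeps an end-of-run directory listing for files that no message ever announced, which is exactly the gap a browser download falls into when it is written without passing through a hooked API. The FILE_DEL and FILE_MOVE formats, the `::` separator, the default limit of 100 and all sample paths are assumptions.

```python
# Added example, not CAPE's own code: analyzer-side bookkeeping for the monitor's
# dropped-file pipe messages. Assumed formats, modelled on pipe("FILE_NEW:%Z", szFileName):
#   FILE_NEW:<path>   FILE_DEL:<path>   FILE_MOVE:<old>::<new>
# The hook's per-process dropped_count < g_config.dropped_limit guard is modelled as one
# central limit, assumed to default to 100.
from __future__ import annotations

from dataclasses import dataclass, field

DEFAULT_DROPPED_LIMIT = 100  # assumed default for g_config.dropped_limit


def _norm(path: str) -> str:
    """Windows paths are case-insensitive, so key every path the same way."""
    return path.replace("/", "\\").casefold()


@dataclass
class DroppedFileTracker:
    limit: int = DEFAULT_DROPPED_LIMIT
    tracked: dict[str, str] = field(default_factory=dict)  # key -> path still on disk
    deleted: dict[str, str] = field(default_factory=dict)  # key -> path collected on delete
    rejected: list[str] = field(default_factory=list)      # over the limit or malformed

    @property
    def dropped_count(self) -> int:
        return len(self.tracked) + len(self.deleted)

    def handle(self, message: str) -> str:
        """Dispatch one pipe message; the return value says what happened."""
        cmd, sep, arg = message.partition(":")
        if not sep or not arg or cmd not in ("FILE_NEW", "FILE_DEL", "FILE_MOVE"):
            self.rejected.append(message)
            return "malformed"
        if cmd == "FILE_NEW":
            return self._new(arg)
        if cmd == "FILE_DEL":
            return self._delete(arg)
        old, sep2, new = arg.partition("::")
        if not sep2 or not new:
            self.rejected.append(message)
            return "malformed"
        return self._move(old, new)

    def _new(self, path: str) -> str:
        key = _norm(path)
        if key in self.tracked:
            return "duplicate"
        if self.dropped_count >= self.limit:  # same guard as the hook, enforced centrally
            self.rejected.append(path)
            return "limit"
        self.tracked[key] = path
        return "tracked"

    def _delete(self, path: str) -> str:
        orig = self.tracked.pop(_norm(path), None)
        if orig is None:
            return "untracked"
        self.deleted[_norm(path)] = orig  # the analyzer copies the file out before it goes
        return "deleted"

    def _move(self, old: str, new: str) -> str:
        if self.tracked.pop(_norm(old), None) is None:
            return self._new(new)  # rename of a file never announced: treat target as new
        self.tracked[_norm(new)] = new
        return "moved"


def unannounced_files(tracker: DroppedFileTracker, on_disk: list[str],
                      watched_roots: list[str]) -> list[str]:
    """Files under the watched roots at the end of the run that no FILE_NEW or FILE_MOVE
    ever announced: the coverage gap a browser download falls into."""
    roots = [_norm(r).rstrip("\\") + "\\" for r in watched_roots]
    known = set(tracker.tracked) | set(tracker.deleted)
    return sorted(p for p in on_disk
                  if any(_norm(p).startswith(r) for r in roots) and _norm(p) not in known)


# Constructed pipe traffic and end-of-run directory listing; not from a real analysis.
SAMPLE_MESSAGES = [
    r"FILE_NEW:C:\Users\Cape\AppData\Local\Temp\update.exe",  # e.g. from the hook above
    r"FILE_NEW:C:\Users\Cape\AppData\Local\Temp\~tmp1.dat",
    r"FILE_MOVE:C:\Users\Cape\AppData\Local\Temp\~tmp1.dat::C:\Users\Cape\AppData\Local\Temp\report.dat",
    r"FILE_DEL:C:\Users\Cape\AppData\Local\Temp\update.exe",
]
END_OF_RUN_LISTING = [
    r"C:\Users\Cape\AppData\Local\Temp\report.dat",
    r"C:\Users\Cape\Downloads\DataTransfer.msi",  # browser download, never announced
    r"C:\Windows\System32\kernel32.dll",          # outside the watched roots
]


def run_demo() -> tuple[list[str], list[str]]:
    """Replay the constructed traffic, then sweep the listing for files the pipe missed."""
    tracker = DroppedFileTracker()
    for msg in SAMPLE_MESSAGES:
        tracker.handle(msg)
    gap = unannounced_files(tracker, END_OF_RUN_LISTING, [r"C:\Users\Cape"])
    return sorted(tracker.tracked.values()), gap
```

The sweep is the check worth adding to a post-analysis step: anything it returns was written in the guest without the monitor ever announcing it, so it is a file the "dropped" view will never show.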

@CarsonHrusovsky (Contributor, Author)

If I were to browse to any URL and download a file, that file won't appear in the dropped file section. Sounds like an error in my setup by what you've mentioned.

@kevoreilly (Owner)

You haven't given me much detail! It could have been a malware sample downloading, not a browser. Now I have to ask which browser. Please supply more information in your issues as per the template, such as browser version, OS, example URL etc., so that I can recreate your issue exactly.

@CarsonHrusovsky (Contributor, Author)

I apologize, in my initial post I didn't actually think this was an issue so I did not provide as much information. Here is my setup:

CAPE:

Running on Ubuntu 22.04. (Updated last week Monday)

Analysis Machines:

Browser: Microsoft Edge 114.0.1823.82
OS: Windows 10 Pro 10.0.19045
(I've confirmed that this behavior is consistent with Firefox (Latest Version)).

Additionally, I have confirmed that files dropped by other means (such as Excel VBA code) show up in the dropped files section. This behavior is consistent both when viewing the CAPE site and under the /analyses/###/ page.
I will attach my analysis.log here. This was simply a download from a URL; there is nothing even malicious about this product. Once downloaded, the file does not appear in the dropped files section.

2023-07-24 08:06:54,877 [lib.common.results] INFO: Uploading file C:\Users\Cape\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat to files\41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304; Size is 20; Max size: 100000000
2023-07-24 08:06:54,877 [lib.common.results] INFO: Uploading file C:\Users\Cape\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat to files\5058f499edcf472fcc440777df6f390fd0ee44179456e970a2de2e4be1be1a5c; Size is 280; Max size: 100000000
2023-07-24 08:06:54,877 [root] WARNING: Folder at path "C:\jXEeyE\debugger" does not exist, skipping
2023-07-24 08:06:54,877 [root] INFO: Uploading files at path "C:\jXEeyE\tlsdump"
2023-07-24 08:06:54,877 [lib.common.results] INFO: Uploading file C:\jXEeyE\tlsdump\tlsdump.log to tlsdump\tlsdump.log; Size is 10960; Max size: 100000000
2023-07-24 08:06:54,877 [root] INFO: Analysis completed

If any of this behavior does not sound uncommon for a CAPE installation, then I have ideas, as our infrastructure is somewhat unique. However, I haven't changed anything about the core processing functions or modules imported within an analysis itself.

@kevoreilly

This is a browser-specific issue caused by the fact that it is no longer possible for CAPE to fully monitor all browser processes (particularly 'sandboxed' processes) due to their internal security and complexity.

The current solution is to selectively monitor only certain browser child processes, but this is still a young idea and may need further work to tackle issues such as this. I will need to research which child process does the downloading (per browser family) and ensure that process is monitored with the relevant hooks active.

@CarsonHrusovsky

Thank you @kevoreilly, I can put some time into this during this week as well and see if I find a workaround. Is this something other users have noticed? I could downgrade to an older version of Edge, something I was already looking at anyway because of another post I saw on here mentioning that newer versions of Edge crash.

@kevoreilly

If you are willing to invest time then I will be grateful, as it is a scarce commodity for me. What I would first of all like to establish is: which process is writing the file to disk? The quickest way to work this out is probably to use Sysinternals Process Monitor to catch the file being created; if you can do this it will save me some time.

@CarsonHrusovsky

Hello Kev, I have some time to revisit this issue. I would like to understand the dropped file collection mechanism better but have had some trouble finding where this part of analysis is handled. What scripts handle this (either URL or XLS, just so I can understand it)?

@kevoreilly

Hi Carson, sorry not to reply earlier, I only just spotted your most recent message.

The mechanism for collecting dropped files starts with the file-related API hooks such as CreateFile, NtCreateFileEx, etc. This is where at the moment the files are being missed as the process that is downloading them is not running those hooks.

```c
	/* browser processes get the reduced browser_hooks set instead of the full hook list */
	else if (g_config.chrome || g_config.firefox || g_config.edge) {
		hooks = browser_hooks;
		hooks_size = sizeof(browser_hooks);
		hooks_arraysize = ARRAYSIZE(browser_hooks);
	}
```

So to tackle this properly I will need to prevent the monitor from assigning the browser_hooks for the process which writes these files to disk. Of course this means I need to know how to identify the process responsible among the myriad edge processes. I am hopeful this can be done on the basis of the process command line such as in the following example (for an unrelated component):

```c
(!_stricmp(our_process_name, "WmiPrvSE.exe") && !can_open_parent() && wcsstr(our_commandline, L"-Embedding"))
```

So if you have time, a capture of the command line or other identifying characteristics of the Edge process responsible for writing the downloads to disk would be useful. I would think by far the best way of gathering this information is use of Sysinternals Process Monitor.
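The comment above asks for the command line of the Edge process that writes downloads to disk, captured with Process Monitor. The script below is an added example for this thread, not CAPE or CAPE monitor code: it triages a Procmon CSV export, keeps only write-type operations (CreateFile with Generic Write access, WriteFile, SetRenameInformationFile, SetEndOfFileInformationFile) under a download directory, and groups them by process and PID together with the command line, so the candidate process can be named precisely. It assumes the export was made with Procmon's optional "Command Line" column enabled (Options > Select Columns), and the embedded CSV is a constructed sample whose PIDs, paths, command lines and the attribution of the write to the browser process are illustrative only; a real capture decides which process is responsible.

```python
"""Triage a Process Monitor CSV export to find which process writes browser downloads.

Added example for the CAPE issue thread, not part of CAPE. Assumes the CSV was exported
with the optional "Command Line" column enabled in Procmon.
"""
import csv
import io
from typing import Dict, List

# Procmon operations that modify file content or metadata on disk.
WRITE_OPS = {"WriteFile", "SetRenameInformationFile", "SetEndOfFileInformationFile"}

# Constructed sample export. Which Edge child actually writes the .crdownload file
# is an assumption here; confirm it on a real capture.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Command Line"
"15:06:10.0100000","msedge.exe","4120","CreateFile","C:\Users\Cape\Downloads\Unconfirmed 123456.crdownload","SUCCESS","Desired Access: Generic Write, Read Attributes","C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --profile-directory=Default"
"15:06:10.0200000","msedge.exe","4120","WriteFile","C:\Users\Cape\Downloads\Unconfirmed 123456.crdownload","SUCCESS","Offset: 0, Length: 4,096","C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --profile-directory=Default"
"15:06:10.0300000","msedge.exe","4120","SetRenameInformationFile","C:\Users\Cape\Downloads\Unconfirmed 123456.crdownload","SUCCESS","FileName: C:\Users\Cape\Downloads\sample.bin","C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --profile-directory=Default"
"15:06:10.0400000","msedge.exe","5208","CreateFile","C:\Users\Cape\Downloads\sample.bin","SUCCESS","Desired Access: Read Attributes","C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --type=renderer --lang=en-US"
"15:06:10.0500000","msedge.exe","6044","CreateFile","C:\Users\Cape\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat","SUCCESS","Desired Access: Generic Write","C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --type=crashpad-handler"
"15:06:10.0600000","explorer.exe","2372","CreateFile","C:\Users\Cape\Downloads\sample.bin","SUCCESS","Desired Access: Read Data/List Directory","C:\Windows\Explorer.EXE"
'''


def is_write_event(row: Dict[str, str]) -> bool:
    """True when the Procmon row represents a write to the file's content or name."""
    op = row["Operation"]
    if op in WRITE_OPS:
        return True
    # CreateFile is only interesting when the handle is opened for writing.
    return op == "CreateFile" and "Generic Write" in (row.get("Detail") or "")


def chromium_process_type(cmdline: str) -> str:
    """Return the Chromium --type= value from a command line; the main browser process has none."""
    for token in cmdline.split():
        if token.startswith("--type="):
            return token.split("=", 1)[1]
    return "browser"


def find_download_writers(csv_text: str, path_prefix: str) -> List[Dict]:
    """Group write-type operations under path_prefix by (process name, PID).

    Returns candidates sorted by number of write operations, most active first.
    """
    prefix = path_prefix.lower()
    writers: Dict[tuple, Dict] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not (row.get("Path") or "").lower().startswith(prefix):
            continue
        if not is_write_event(row):
            continue
        key = (row["Process Name"], int(row["PID"]))
        cmdline = row.get("Command Line") or ""
        entry = writers.setdefault(key, {
            "process": key[0],
            "pid": key[1],
            "command_line": cmdline,
            "type": chromium_process_type(cmdline),
            "ops": [],
            "paths": set(),
        })
        entry["ops"].append(row["Operation"])
        entry["paths"].add(row["Path"])
    return sorted(writers.values(), key=lambda e: len(e["ops"]), reverse=True)


if __name__ == "__main__":
    for cand in find_download_writers(SAMPLE_CSV, r"C:\Users\Cape\Downloads"):
        print(f"{cand['process']} pid={cand['pid']} type={cand['type']} ops={cand['ops']}")
        print(f"  cmdline: {cand['command_line']}")
```

Run against a real export (`find_download_writers(open("procmon.csv").read(), r"C:\Users\<user>\Downloads")`), the `type` and `command_line` fields of the top candidate are exactly the identifying characteristics the comment asks for, and the `--type=` token is the kind of command-line marker the monitor's process-selection logic already keys on for other components.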

@CarsonHrusovsky

Thanks Kev, I will try and look into

@kevoreilly

Thinking we can close this now after nearly 2 years!

@CarsonHrusovsky

> Thinking we can close this now after nearly 2 years!

1 year 4 months 😝

Yes, let's close it!
