0

I have a problem with Cuckoo Sandbox and the memory dump it should generate so that I can analyse it with Volatility.

My issue is:

Cuckoo's log files tell me that a memory dump has successfully been generated, but it cannot access it because it cannot be found. Manually looking for it in the directory confirms that it does not exist. Cuckoo tells me to enable memory_dump in cuckoo.conf, which is already enabled.

My Cuckoo version and operating system are:

Cuckoo: 2.0.6

Host: Ubuntu 18.04.1 LTS

Guest: Win7 Ultimate, Service Pack 1, 32-bit

These are my config files:

cuckoo.conf

    memory_dump = yes

memory.conf

    guest_profile = Win7SP1x86
    delete_memdump = no

processing.conf

    [memory]
    enabled = yes

This is the output of the cuckoo.log:

    INFO: Successfully generated memory dump for virtual machine with label Win7 to path /home/test/.cuckoo/storage/analyses/1/memory.dmp
    [...]
    ERROR: VM memory dump not found: to create VM memory dumps you have to enable memory_dump in cuckoo.conf!

Any kind of help is appreciated. If you need any more information from me, please let me know.

Edit: Only the memory dump of the full machine is not being generated. If the malware is injected into a new process, then a memory dump of that process is generated, as shown in the report.json:

    INFO: injected into process with pid 3844 and name 'iexplorer.exe'
    INFO: memory dump of process with pid 3844 completed

and I can also find the 3844-1.dmp file in the directory.

pharZyde
  • 9
  • 5
  • Does anyone have any ideas on how to solve this? I think I configured all the config files correctly, but although the cuckoo log tells me it successfully created memory.dmp, it is nowhere to be found – pharZyde Feb 15 '19 at 13:19
  • Just tested it with a WinXP machine as guest, but the same problem occurs – pharZyde Feb 15 '19 at 13:19

1 Answer

0

I had a similar issue some time back where the memory dump creation was a little inconsistent. However, that was with an older version of the Cuckoo sandbox. In processing.conf, check to see if you have set

    [procmemory] 
    enabled = yes

I do remember that I had issues where I would sometimes get full memory dumps if I submitted a sample via the web GUI but would not get memory dumps if I submitted a sample via the command line, or vice versa. Sometimes I would only get memory dumps after the first sample failed. I found that a good place to start was with something like a 32-bit putty.exe. Once the memory dumps started to work, though, I never had an issue after that, so I never documented what I did. I do remember playing around with the memory settings, so it may be worth playing around with the processing.conf settings, turning them on and off to see what works.

    [memory]
    enabled = yes

    [procmemory] 
    enabled = yes

and cuckoo.conf

    memory_dump = yes

I know it may sound odd, but I have sometimes seen different functionality when submitting samples through terminal mode versus web GUI mode. I no longer have my setup, so I have nothing to compare it to.

[Edit] Also make sure you have the correct dependencies installed https://github.com/volatilityfoundation/volatility/wiki/Linux

bosco
  • 1
  • 2
  • Thank you for your comment. I tried headless and GUI mode, and I switched between yes/no for [memory], [procmemory] and memory_dump, but nothing seems to change the result. The memory dump is never created – pharZyde Mar 08 '19 at 15:07
  • I also tried submitting it via the web GUI, but that didn't change anything either – pharZyde Mar 09 '19 at 11:09
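The answer above amounts to a manual audit of three config files plus a look at the log, and the question shows the two log lines that contradict each other (an INFO line naming a memory.dmp path, then an ERROR that the dump is missing). The script below does both checks in one place: it parses cuckoo.conf, memory.conf and processing.conf for the keys quoted on this page and, for every "Successfully generated memory dump" line, stats the path the log names so you can see whether the file was ever written or was written and later removed. This is an added example for this thread, not code from the questioner, the answerer or the Cuckoo project. The section names [cuckoo] and [basic], and the ~/.cuckoo/conf and ~/.cuckoo/log locations used when run as a script, are assumptions about a stock Cuckoo 2.0.x working directory; all sample config and log text in demo() is constructed from the values on the page.

```python
"""Cross-check a Cuckoo 2.x host for the full-VM memory dump settings
discussed in this thread, and verify that the memory.dmp the log says was
written really exists on disk.

Added example; not the questioner's, the answerer's or Cuckoo's own code.
Config keys and the log line format come from the question. The section
names [cuckoo] and [basic] and the ~/.cuckoo/conf and ~/.cuckoo/log paths
are assumed to match a stock Cuckoo 2.0.x working directory.
"""
import configparser
import os
import re
import tempfile

# (section, key, required value) per file: a full-VM dump is only taken
# with memory_dump = yes, kept with delete_memdump = no, and only consumed
# by the Volatility step when [memory] is enabled in processing.conf.
REQUIRED = {
    "cuckoo.conf": [("cuckoo", "memory_dump", "yes")],      # section name assumed
    "memory.conf": [("basic", "delete_memdump", "no")],     # section name assumed
    "processing.conf": [("memory", "enabled", "yes")],
}

# Matches the INFO line quoted in the question.
DUMP_LOG_RE = re.compile(
    r"Successfully generated memory dump for virtual machine with label "
    r"(?P<label>\S+) to path (?P<path>\S+)"
)


def settings_problems(files):
    """files maps a config file name to its text. Returns a list of
    human-readable problems; an empty list means every required key holds."""
    problems = []
    for name, wanted in REQUIRED.items():
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(files.get(name, ""))
        for section, key, want in wanted:
            got = cp.get(section, key, fallback=None)
            if got is None:
                problems.append(f"{name}: [{section}] {key} is not set")
            elif got.strip().lower() != want:
                problems.append(
                    f"{name}: [{section}] {key} = {got.strip()}, expected {want}")
    return problems


def logged_dumps(log_text):
    """For every 'Successfully generated memory dump' line, report whether
    the named path is actually a file and how large it is, so the INFO
    message can be checked against the later 'VM memory dump not found'."""
    results = []
    for m in DUMP_LOG_RE.finditer(log_text):
        path = m.group("path")
        exists = os.path.isfile(path)
        size = os.path.getsize(path) if exists else 0
        results.append({"label": m.group("label"), "path": path,
                        "exists": exists, "size": size})
    return results


def demo():
    """Run both checks on constructed input: the page's config values, a
    broken variant, and a log naming one real file and one missing file."""
    good = {
        "cuckoo.conf": "[cuckoo]\nmemory_dump = yes\n",
        "memory.conf": "[basic]\nguest_profile = Win7SP1x86\ndelete_memdump = no\n",
        "processing.conf": "[memory]\nenabled = yes\n\n[procmemory]\nenabled = yes\n",
    }
    bad = dict(good)
    bad["processing.conf"] = "[memory]\nenabled = no\n"   # the weak setting
    with tempfile.NamedTemporaryFile(suffix="memory.dmp", delete=False) as fh:
        fh.write(b"\x00" * 4096)   # constructed stand-in for a real dump
        real = fh.name
    try:
        log = (
            "INFO: Successfully generated memory dump for virtual machine "
            f"with label Win7 to path {real}\n"
            "INFO: Successfully generated memory dump for virtual machine "
            "with label Win7 to path /home/test/.cuckoo/storage/analyses/1/memory.dmp\n"
        )
        dumps = logged_dumps(log)
    finally:
        os.unlink(real)
    return {"good": settings_problems(good), "bad": settings_problems(bad),
            "dumps": dumps}


if __name__ == "__main__":
    # Against a live install (paths assumed): read the three config files
    # and the log, then print anything that contradicts the INFO lines.
    cwd = os.path.expanduser("~/.cuckoo")
    files = {}
    for name in REQUIRED:
        p = os.path.join(cwd, "conf", name)
        if os.path.isfile(p):
            with open(p) as fh:
                files[name] = fh.read()
    for problem in settings_problems(files):
        print("config:", problem)
    logp = os.path.join(cwd, "log", "cuckoo.log")
    if os.path.isfile(logp):
        with open(logp, errors="replace") as fh:
            for d in logged_dumps(fh.read()):
                state = f"{d['size']} bytes" if d["exists"] else "MISSING"
                print(f"{d['label']}: {d['path']} -> {state}")
```

Run it on the host after an analysis finishes. A path reported as MISSING while the config check passes points away from configuration and towards the dump step itself (the machinery's dump call, disk space, or something deleting the file between the INFO line and the processing stage), which is the distinction the thread never resolves.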