danielpoliakov / lisa

Sandbox for automated Linux malware analysis.


Can't analyse files after a fresh installation of LiSa

Vince147 opened this issue · comments

Hi,

I installed LiSa on a fresh new Ubuntu MATE (Ubuntu MATE 18.04.3 LTS (Bionic)) and I submitted three malware samples (the same Mirai compiled for different architectures, from URLhaus: r4z0r.arm, r4z0r.mips, r4z0r.x86), and all three analyses failed.

ae2da66a4435800c63e50de2257b268e r4z0r.arm
e357a85565f26c505f20fb9c4aa9711e r4z0r.mips
4a388c6d3dfd5b54e3d74924337eae73 r4z0r.x86

References:
https://ubuntu-mate.org/download/ (to download ubuntu)
https://urlhaus.abuse.ch/browse/ (to get the download url of mirai)

When looking into the failed tab of the nginx web page, I am seeing the following error message, which is confusing me because it mentions that no image was found.


Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/pexpect/spawnbase.py", line 150, in read_nonblocking
    s = os.read(self.child_fd, size)
OSError: [Errno 5] Input/output error

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/pexpect/expect.py", line 99, in expect_loop
    incoming = spawn.read_nonblocking(spawn.maxread, timeout)
  File "/usr/local/lib/python3.6/site-packages/pexpect/pty_spawn.py", line 465, in read_nonblocking
    return super(spawn, self).read_nonblocking(size)
  File "/usr/local/lib/python3.6/site-packages/pexpect/spawnbase.py", line 155, in read_nonblocking
    raise EOF('End Of File (EOF). Exception style platform.')
pexpect.exceptions.EOF: End Of File (EOF). Exception style platform.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/celery/app/trace.py", line 385, in trace_task
    R = retval = fun(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/celery/app/trace.py", line 648, in __protected_call__
    return self.run(*args, **kwargs)
  File "/home/lisa/lisa/web_api/tasks.py", line 80, in full_analysis
    master.run()
  File "/home/lisa/lisa/analysis/top_level.py", line 69, in run
    sub_output = analyzer.run_analysis()
  File "/home/lisa/lisa/analysis/dynamic_analysis.py", line 36, in run_analysis
    self._vm.start_vm()
  File "/home/lisa/lisa/core/qemu_guest.py", line 100, in start_vm
    self._proc.expect('login: ')
  File "/usr/local/lib/python3.6/site-packages/pexpect/spawnbase.py", line 321, in expect
    timeout, searchwindowsize, async)
  File "/usr/local/lib/python3.6/site-packages/pexpect/spawnbase.py", line 345, in expect_list
    return exp.expect_loop(timeout)
  File "/usr/local/lib/python3.6/site-packages/pexpect/expect.py", line 105, in expect_loop
    return self.eof(e)
  File "/usr/local/lib/python3.6/site-packages/pexpect/expect.py", line 50, in eof
    raise EOF(msg)
pexpect.exceptions.EOF: End Of File (EOF). Exception style platform.
<pexpect.pty_spawn.spawn object at 0x7f2e80483fd0>
command: /home/lisa/images/arm/run.sh
args: [b'/home/lisa/images/arm/run.sh', b'/home/lisa/data/storage/3aad1d26-b450-4d79-adb7-68d632369bc5/rootfs']
buffer (last 100 chars): ''
before (last 100 chars): '/home/lisa/images/arm/run.sh: 10: /home/lisa/images/arm/run.sh: qemu-system-arm: not found\r\n'
after: <class 'pexpect.exceptions.EOF'>
match: None
match_index: None
exitstatus: 127
flag_eof: True
pid: 59
child_fd: 27
closed: False
timeout: 110
delimiter: <class 'pexpect.exceptions.EOF'>
logfile: <_io.TextIOWrapper name='/home/lisa/data/storage/3aad1d26-b450-4d79-adb7-68d632369bc5/machine.log' mode='w' encoding='utf-8'>
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1
searcher: searcher_re:
    0: re.compile("login: ")

The same kind of error message appears for the other architectures. After the installation of the operating system, I ran the following commands to run LiSa. I didn't do anything else after that which could have interfered with the installation.

sudo apt-get install git
git clone https://github.com/danieluhricek/LiSa.git
cd LiSa
sudo apt-get install docker docker-compose
sudo docker-compose build
sudo docker-compose up

It's weird because it says that I don't have the qemu image for mips. Same thing for the other architectures. When reading your docker image (worker), I can see that it downloads a TAR.GZ with the images from https://github.com/danieluhricek/linux-images/archive/v1.0.1.tar.gz. I was able to download the file, so I am not sure why it is complaining about that.

I am fairly new to Docker and this framework, but I don't mind trying to find out what's going on. If you know something about this issue, please let me know.

Thanks for your help.

I have found the error. In fact, the worker Dockerfile (LiSa/docker/worker/Dockerfile) should contain an additional instruction to install the package "qemu-system", which contains the different architecture packages {qemu-system-mips, qemu-system-x86, qemu-system-arm, etc.}.

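The failure in this thread is an environment defect (the worker image lacks the emulator binary) that only surfaces as a pexpect EOF deep inside the sandbox start-up. The following is an added example, not LiSa's own code, showing two things a sandbox operator would want: a preflight check that verifies every qemu-system-* binary the worker depends on is present before any sample is run, and a small translator that turns the pexpect failure attributes printed above (exit status 127, "qemu-system-arm: not found" in `before`) into a plain diagnosis. The mapping from "x86" and "mips" to binary names is an assumption for this example; only the ARM name is confirmed by the traceback. The fake PATH directory is a constructed test fixture.

```python
"""Preflight check for the QEMU emulators a sandbox worker depends on.

Added example (not LiSa's own code). It checks that the expected
qemu-system-<arch> binaries resolve on PATH before any guest VM is
started, and it turns the pexpect EOF seen on this issue (exit status
127, "qemu-system-arm: not found") into a clear message.
"""
import os
import re
import shutil
import tempfile

# Binary each architecture's run.sh is expected to invoke.
# "arm" is confirmed by the traceback on this issue; the x86 and mips
# names are assumptions made for this example.
QEMU_BINARIES = {
    "arm": "qemu-system-arm",
    "mips": "qemu-system-mips",
    "x86": "qemu-system-i386",
}

# sh reports a missing command as "<name>: not found" and exits with 127.
_NOT_FOUND = re.compile(r"(\S+): not found")


def missing_qemu_binaries(names, path=None):
    """Return the subset of `names` that cannot be resolved to an executable.

    `path` overrides the PATH used for the lookup so the check can be run
    against a constructed directory in tests.
    """
    return [name for name in names if shutil.which(name, path=path) is None]


def diagnose_spawn_failure(exitstatus, before):
    """Translate a pexpect EOF before the login prompt into a plain message.

    `exitstatus` and `before` are the attributes pexpect prints when the
    child exits; exit status 127 is the shell's "command not found".
    """
    m = _NOT_FOUND.search(before or "")
    if m:
        return "command not found: " + m.group(1)
    if exitstatus == 127:
        return "exit status 127: a command in the run script was not found"
    return "guest exited with status %s before the login prompt" % exitstatus


def make_fake_bin_dir(names):
    """Create a temp dir with executable stubs named `names` (constructed fixture)."""
    d = tempfile.mkdtemp(prefix="fake-qemu-")
    for name in names:
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(p, 0o755)
    return d


def preflight(arches=QEMU_BINARIES, path=None):
    """Raise RuntimeError listing every missing emulator up front, instead of
    letting the worker fail later inside pexpect for each submitted sample."""
    missing = missing_qemu_binaries([QEMU_BINARIES[a] for a in arches], path=path)
    if missing:
        raise RuntimeError(
            "missing QEMU emulators: %s (install qemu-system-* in the worker image)"
            % ", ".join(missing))
    return True


if __name__ == "__main__":
    # Demonstrate against a constructed PATH that only has the ARM emulator.
    fake = make_fake_bin_dir(["qemu-system-arm"])
    try:
        preflight(path=fake)
    except RuntimeError as e:
        print("preflight:", e)
    # Constructed copy of the `before` text from this issue's traceback.
    before = ("/home/lisa/images/arm/run.sh: 10: /home/lisa/images/arm/run.sh: "
              "qemu-system-arm: not found\r\n")
    print("diagnosis:", diagnose_spawn_failure(127, before))
```

Running the preflight once at worker start-up (or as a Docker build-time check) fails the container with an actionable message, rather than queueing every sample into the "failed" tab with a pexpect traceback.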

@Vince147
Sorry for the late response. This problem was discussed in issue #1:

Would you consider (and test that everything works that way on your side) changing your pull request so that the Dockerfile installs the qemu-system metapackage, which installs qemu-system-* for all architectures (or, for now, the architectures supported by LiSa: packages qemu-system-x86, qemu-system-arm, qemu-system-mips)?

Since the original author didn't change the pull request, I forgot about this issue.

Would you mind filing a pull request with your change? (Otherwise I can fix this issue directly.)

Sure thing. I forked a copy of the project and proposed a pull request.

Solved by #4