spender-sandbox / cuckoomon-modified

Modified edition of cuckoomon


IE11 errors on 64-bit Win 7 VM

enzok opened this issue · comments

commented

I’m having an issue when submitting a task that runs Internet Explorer 11 in a 64-bit Windows 7 VM. IE throws an error popup and doesn’t run. This issue doesn’t happen in my 32-bit VM. However, if I disable injection, then IE runs.

IE Version - 11.0.9600.16428 (KB2841134)

2017-01-20 09:21:25,812 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" with arguments ""http://"" with pid 2848
2017-01-20 09:21:25,812 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-01-20 09:21:25,921 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2848
2017-01-20 09:21:27,921 [lib.api.process] INFO: Successfully resumed process with pid 2848
2017-01-20 09:21:27,921 [root] INFO: Added new process to list with pid: 2848
2017-01-20 09:21:28,015 [root] INFO: Cuckoomon successfully loaded in process with pid 2848.
2017-01-20 09:21:28,046 [root] INFO: Announced 64-bit process name: iexplore.exe pid: 2688
2017-01-20 09:21:28,046 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-01-20 09:21:28,092 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2688
2017-01-20 09:21:28,092 [root] INFO: Disabling sleep skipping.
2017-01-20 09:21:28,187 [root] INFO: Disabling sleep skipping.
2017-01-20 09:21:28,203 [root] INFO: Added new process to list with pid: 2688
2017-01-20 09:21:28,203 [root] INFO: Cuckoomon successfully loaded in process with pid 2688.
2017-01-20 09:21:29,875 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2017-01-20 09:21:30,937 [root] INFO: Notified of termination of process with pid 2688.
2017-01-20 09:21:30,937 [root] INFO: Notified of termination of process with pid 2848.
2017-01-20 09:21:31,921 [root] INFO: Process with pid 2848 has terminated
2017-01-20 09:21:32,921 [root] INFO: Process with pid 2688 has terminated

add debug=1 to options, and check your cuckoo log

-Brad

commented

Here's the debug output:
2017-01-23 13:51:46,506 [lib.cuckoo.core.guest] INFO: Starting analysis on guest
2017-01-23 13:51:57,345 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, ntdll.dll+1a5db ntdll.dll+18e62 ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d
2017-01-23 13:51:57,345 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, kernel32.dll+99460 ntdll.dll+93398 ntdll.dll+185c8 ntdll.dll+29d2d ntdll.dll+191cf ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d
2017-01-23 13:52:32,856 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, ntdll.dll+1a5db ntdll.dll+18e62 ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d
2017-01-23 13:52:32,856 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, kernel32.dll+99460 ntdll.dll+93398 ntdll.dll+185c8 ntdll.dll+29d2d ntdll.dll+191cf ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d
2017-01-23 13:52:40,264 [requests.packages.urllib3.connectionpool] INFO: Starting new HTTPS connection (1): www.virustotal.com
2017-01-23 13:52:41,523 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, ntdll.dll+1a5db ntdll.dll+18e62 ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d
2017-01-23 13:52:41,523 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, kernel32.dll+99460 ntdll.dll+93398 ntdll.dll+185c8 ntdll.dll+29d2d ntdll.dll+191cf ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d
2017-01-23 13:55:43,142 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, ntdll.dll+1a5db ntdll.dll+18e62 ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d
2017-01-23 13:55:43,143 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, kernel32.dll+99460 ntdll.dll+93398 ntdll.dll+185c8 ntdll.dll+29d2d ntdll.dll+191cf ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d
2017-01-23 13:55:43,586 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, ntdll.dll+1a5db ntdll.dll+18e62 ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d
2017-01-23 13:55:43,587 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, kernel32.dll+99460 ntdll.dll+93398 ntdll.dll+185c8 ntdll.dll+29d2d ntdll.dll+191cf ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d
2017-01-23 13:55:48,812 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, ntdll.dll+1a5db ntdll.dll+18e62 ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d
2017-01-23 13:55:48,813 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, Esp: 0022f290, Exception Code: c0000005, kernel32.dll+99460 ntdll.dll+93398 ntdll.dll+185c8 ntdll.dll+29d2d ntdll.dll+191cf ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1742 WININET.dll+f71c7 IEFRAME.dll+402ea IEFRAME.dll+40546 IEFRAME.dll+404a7 IEFRAME.dll+1092da IEFRAME.dll+109922 IEXPLORE.EXE+11e9 IEXPLORE.EXE+129d kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d
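The monitor messages above are a single crash reported many times, and a debug log for a longer run can contain hundreds of them. As an added example that is not part of this thread or of cuckoomon, the following Python parses the "Exception Caught!" debug lines into structured records and collapses them by crash signature (exception code, faulting EIP symbol, fault address, and the first frame outside ntdll/kernel32), so the log reduces to a short list of distinct faults with counts. The sample log lines are constructed in the shape of the messages in this thread; the signature fields and the near-zero fault-address heuristic are assumptions chosen for triage, not anything the project defines. For the reader checking the heuristic against this thread: the bytes 8b 41 74 at EIP decode to `mov eax, [ecx+0x74]`, and a fault address of 0x74 is what an access through a zero ecx produces.

```python
import re
from collections import Counter

# Shape of cuckoomon's "Exception Caught!" debug message as it appears in the
# Cuckoo log (taken from the messages in this thread). Frames are a run of
# module+offset tokens between the exception code and "Bytes at EIP:".
_EXC_RE = re.compile(
    r"Exception Caught! PID: (?P<pid>\d+) "
    r"EIP: (?P<eip_sym>\S+) (?P<eip>[0-9a-fA-F]+), "
    r"Fault Address: (?P<fault>[0-9a-fA-F]+), "
    r"Esp: (?P<esp>[0-9a-fA-F]+), "
    r"Exception Code: (?P<code>[0-9a-fA-F]+), "
    r"(?P<frames>.*?) Bytes at EIP: (?P<bytes>[0-9a-fA-F ]+)"
)

# Modules whose frames are skipped when picking the "first interesting" frame
# for a signature (assumption: these are plumbing, not the component that faulted).
SYSTEM_MODULES = ("ntdll.dll", "kernel32.dll", "kernelbase.dll")

# Constructed sample log, two crash variants plus one unrelated line, in the
# same shape as the thread's output (frame lists shortened).
SAMPLE_LOG = [
    "2017-01-23 13:51:57,345 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: "
    "Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, "
    "Esp: 0022f290, Exception Code: c0000005, ntdll.dll+1a5db ntdll.dll+5339d "
    "WININET.dll+1742 IEFRAME.dll+402ea IEXPLORE.EXE+11e9 kernel32.dll+1652d "
    "Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d",
    "2017-01-23 13:52:40,264 [requests.packages.urllib3.connectionpool] INFO: "
    "Starting new HTTPS connection (1): www.virustotal.com",
    "2017-01-23 13:51:57,345 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: "
    "Exception Caught! PID: 1144 EIP: ntdll.dll+5339d 77a2339d, Fault Address: 00000074, "
    "Esp: 0022f290, Exception Code: c0000005, kernel32.dll+99460 ntdll.dll+93398 "
    "ntdll.dll+5339d WININET.dll+1742 IEFRAME.dll+402ea IEXPLORE.EXE+11e9 "
    "Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d",
]


def parse_exception(line):
    """Return a dict for an 'Exception Caught!' log line, or None for any other line."""
    m = _EXC_RE.search(line)
    if m is None:
        return None
    return {
        "pid": int(m.group("pid")),
        "eip_sym": m.group("eip_sym"),
        "eip": int(m.group("eip"), 16),
        "fault_address": int(m.group("fault"), 16),
        "esp": int(m.group("esp"), 16),
        "code": int(m.group("code"), 16),
        "frames": m.group("frames").split(),
        "bytes": bytes.fromhex("".join(m.group("bytes").split())),
    }


def first_non_system_frame(frames):
    """First module+offset token whose module is not in SYSTEM_MODULES."""
    for frame in frames:
        module = frame.rsplit("+", 1)[0].lower()
        if module not in SYSTEM_MODULES:
            return frame
    return frames[-1] if frames else None


def crash_signature(rec):
    """Tuple that is stable across repeats of the same fault, even when the
    outer frames differ (as they do between the two variants in this thread)."""
    return (rec["code"], rec["eip_sym"], rec["fault_address"],
            first_non_system_frame(rec["frames"]))


def likely_null_deref(rec, threshold=0x10000):
    """Access violation at a tiny address usually means a NULL base plus a
    field offset (here 0x74), rather than a wild or freed pointer."""
    return rec["code"] == 0xC0000005 and rec["fault_address"] < threshold


def summarize(lines):
    """Map crash signature -> number of times it was reported."""
    counts = Counter()
    for line in lines:
        rec = parse_exception(line)
        if rec is not None:
            counts[crash_signature(rec)] += 1
    return counts


if __name__ == "__main__":
    for sig, n in summarize(SAMPLE_LOG).items():
        code, eip_sym, fault, frame = sig
        print("%dx code=%08x at %s fault=%08x via %s" % (n, code, eip_sym, fault, frame))
```

Run against a real Cuckoo log, feed the file's lines to `summarize()`; the two stack variants in this thread collapse to one signature, and `likely_null_deref()` flags it as a small-offset dereference through a zero pointer, which narrows attention to the hooked function at ntdll.dll+5339d rather than to the callers that differ between reports.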

See if the problem persists with disable_hook_content=1 passed in options

-Brad

commented

Problem persists, same exceptions.

I had forgotten about this issue thread. You may want to ensure all security-related stuff is disabled:
spender-sandbox/cuckoo-modified#235

commented

I disabled all security settings that I am aware of; however, I'll go back and verify that I didn't miss something or revert to a snapshot that wasn't set up properly. Otherwise, it looks like I installed IE the same way as described in the issue #235 thread.