ctxis/CAPE

Option password not being passed to doc file

SRtheTR opened this issue · 4 comments

Issue in handling password option when attempting to open.
Decryption is built under the default location:
decryptor = /opt/cuckoo/msoffice/bin/msoffice-crypt.exe

When attempting to open a password-encrypted doc file, it seems that the option 'password' is not being passed to the decryption, as it does not recognize the option.

2019-08-26 21:28:53,000 [root] INFO: Date set to: 08-27-19, time set to: 01:28:53, timeout set to: 60
2019-08-26 21:28:53,015 [root] DEBUG: Starting analyzer from: C:\rgttlusf
2019-08-26 21:28:53,015 [root] DEBUG: Storing results at: C:\QXWhDMobJe
2019-08-26 21:28:53,015 [root] DEBUG: Pipe server name: \.\PIPE\GziRsFbLXk
2019-08-26 21:28:53,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-08-26 21:28:53,015 [root] INFO: Automatically selected analysis package "doc"
2019-08-26 21:28:54,983 [root] DEBUG: Started auxiliary module Browser
2019-08-26 21:28:55,000 [root] DEBUG: Started auxiliary module Curtain
2019-08-26 21:28:55,000 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-08-26 21:28:55,405 [modules.auxiliary.digisig] DEBUG: File format not recognized.
2019-08-26 21:28:55,405 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-08-26 21:28:55,405 [root] DEBUG: Started auxiliary module DigiSig
2019-08-26 21:28:55,405 [root] DEBUG: Started auxiliary module Disguise
2019-08-26 21:28:55,405 [root] DEBUG: Started auxiliary module Human
2019-08-26 21:28:55,405 [root] DEBUG: Started auxiliary module Screenshots
2019-08-26 21:28:55,421 [root] DEBUG: Started auxiliary module Sysmon
2019-08-26 21:28:55,421 [root] DEBUG: Started auxiliary module Usage
2019-08-26 21:28:55,421 [root] INFO: Analyzer: Package modules.packages.doc does not specify a DLL option
2019-08-26 21:28:55,421 [root] INFO: Analyzer: Package modules.packages.doc does not specify a DLL_64 option
2019-08-26 21:28:55,467 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" with arguments ""C:\Users\IEUser\AppData\Local\Temp\71.doc" /q" with pid 3964
2019-08-26 21:28:55,483 [lib.api.process] INFO: Option 'password' with value '123' sent to monitor
2019-08-26 21:28:55,483 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-26 21:28:55,483 [lib.api.process] INFO: 32-bit DLL to inject is C:\rgttlusf\dll\mmcZBgBV.dll, loader C:\rgttlusf\bin\kGoyTDD.exe
2019-08-26 21:28:55,500 [root] DEBUG: ReadConfig: Successfully loaded pipe name \.\PIPE\GziRsFbLXk.
2019-08-26 21:28:55,500 [root] DEBUG: Loader: Injecting process 3964 (thread 3980) with C:\rgttlusf\dll\mmcZBgBV.dll.
2019-08-26 21:28:55,515 [root] DEBUG: Process image base: 0x2F640000
2019-08-26 21:28:55,515 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\rgttlusf\dll\mmcZBgBV.dll.
2019-08-26 21:28:55,515 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x2F79D000 - 0x76F00000
2019-08-26 21:28:55,515 [root] DEBUG: InjectDllViaIAT: Allocated 0x18c bytes for new import table at 0x2F7A0000.
2019-08-26 21:28:55,515 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-08-26 21:28:55,530 [root] DEBUG: Successfully injected DLL C:\rgttlusf\dll\mmcZBgBV.dll.
2019-08-26 21:28:55,530 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3964
2019-08-26 21:28:57,530 [lib.api.process] INFO: Successfully resumed process with pid 3964
2019-08-26 21:28:57,530 [root] INFO: Added new process to list with pid: 3964
2019-08-26 21:28:57,578 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-08-26 21:28:57,578 [root] DEBUG: CAPE debug - unrecognised key password.
2019-08-26 21:28:57,578 [root] DEBUG: Process dumps enabled.
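The log above shows the two lines that matter: the analyzer reports the option as sent to the monitor, and the monitor then reports the same key as unrecognised. The following script is an added diagnostic example, not code from CAPE or from the reporter; it correlates those two message types in an analyzer log so that a dropped option stands out without reading the whole log by hand. The regular expressions are assumptions based only on the message formats visible in this issue, and the sample log is constructed from those lines.

```python
"""Correlate analyzer log lines: options the analyzer sent to the monitor
versus keys the monitor rejected. Added example; not part of CAPE."""
import re

# Assumed patterns, modelled on the two message formats shown in the issue.
SENT_RE = re.compile(
    r"Option '(?P<key>[^']+)' with value '(?P<value>[^']*)' sent to monitor"
)
UNRECOGNISED_RE = re.compile(r"unrecognised key (?P<key>[^\s.]+)")

# Constructed sample, copied from the shape of the analyzer log above.
SAMPLE_LOG = """\
2019-08-26 21:28:55,483 [lib.api.process] INFO: Option 'password' with value '123' sent to monitor
2019-08-26 21:28:55,483 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-08-26 21:28:57,578 [root] DEBUG: Terminate processes on terminate_event disabled.
2019-08-26 21:28:57,578 [root] DEBUG: CAPE debug - unrecognised key password.
2019-08-26 21:28:57,578 [root] DEBUG: Process dumps enabled.
"""


def parse_option_flow(log_text):
    """Return (sent, unrecognised): a dict of option key -> value that the
    analyzer reported sending, and the set of keys the monitor rejected."""
    sent = {}
    unrecognised = set()
    for line in log_text.splitlines():
        m = SENT_RE.search(line)
        if m:
            sent[m.group("key")] = m.group("value")
            continue
        m = UNRECOGNISED_RE.search(line)
        if m:
            unrecognised.add(m.group("key"))
    return sent, unrecognised


def dropped_options(log_text):
    """Keys that were sent to the monitor but which it did not recognise.
    Only key names are returned; values (which may be secrets such as a
    document password) are deliberately not included in the report."""
    sent, unrecognised = parse_option_flow(log_text)
    return sorted(key for key in sent if key in unrecognised)


if __name__ == "__main__":
    for key in dropped_options(SAMPLE_LOG):
        print(f"option '{key}' was sent but not recognised by the monitor")
```

Run it against a real analyzer log by replacing `SAMPLE_LOG` with the file contents; a non-empty result means the option reached the monitor but was not consumed by the package, which is the mismatch this issue describes.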

Yeah sflock should solve this - definitely the way forward.

Any luck trying sflock?

Well they say no news is good news! Since sflock solves this issue and we haven't heard back I assume all is now well.