KeyError:3 while running capa on VMRay analysis archive #2394

@ForensicITGuy

Description
While running capa 7.3.0 on a VMRay analysis archive, capa crashed and provided a stack trace for troubleshooting.

Steps to Reproduce

  • Obtain VMRay sample archive for sample 2f8a79b12a7a989ac7e5f6ec65050036588a92e65aeb6841e08dc228ff0e21b4 (attached)
  • Run ./capa -d -f vmray 2f8a79b12a7a989ac7e5f6ec65050036588a92e65aeb6841e08dc228ff0e21b4_analysis_archive.zip
  • Observe output

Expected behavior:

I expected a capability report.

Actual behavior:

The capa process crashed with stack trace:

DEBUG:capa:--------------------------------------------------------------------------------
DEBUG:capa: Using default embedded rules.
DEBUG:capa: To provide your own rules, use the form:
DEBUG:capa:
DEBUG:capa:     `capa.exe -r ./path/to/rules/  /path/to/mal.exe`.
DEBUG:capa:
DEBUG:capa: You can see the current default rule set here:
DEBUG:capa:
DEBUG:capa:     https://github.com/mandiant/capa-rules
DEBUG:capa:--------------------------------------------------------------------------------
DEBUG:capa.rules:reading rules from directory /tmp/_MEIoxSNmT/rules
DEBUG:capa.rules.cache:loading rule set from cache: /tmp/_MEIoxSNmT/cache/capa-df400217.cache
DEBUG:capa:successfully loaded 901 rules
DEBUG:capa.features.extractors.vmray:file_type: Windows Exe (x86-32), file_path: internal/static_analyses/2f8a79b12a7a989ac7e5f6ec65050036588a92e65aeb6841e08dc228ff0e21b4/objects/files/2f8a79b12a7a989ac7e5f6ec65050036588a92e65aeb6841e08dc228ff0e21b4
Traceback (most recent call last):
  File "main.py", line 1094, in <module>
  File "main.py", line 956, in main
  File "main.py", line 708, in get_file_extractors_from_cli
  File "loader.py", line 390, in get_file_extractors
  File "features/extractors/vmray/extractor.py", line 122, in from_zipfile
  File "features/extractors/vmray/__init__.py", line 87, in __init__
  File "features/extractors/vmray/__init__.py", line 141, in _compute_process_threads
  File "features/extractors/vmray/__init__.py", line 161, in get_process_os_pid
KeyError: 3
[PYI-1584:ERROR] Failed to execute script 'main' due to unhandled exception!

Versions

capa 7.3.0
5.15.0-1047-aws 20.04.1-Ubuntu x86_64

Additional Information

See attached analysis archive for troubleshooting
2f8a79b12a7a989ac7e5f6ec65050036588a92e65aeb6841e08dc228ff0e21b4_analysis_archive.zip
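The trace above ends in a plain dictionary lookup (`get_process_os_pid`, reached from `_compute_process_threads`) raising `KeyError: 3`, which is the classic shape of a thread record that references a process id the extractor never registered. The following is an added illustration, not capa's code and not taken from the VMRay archive: it models a minimal process table and thread list, reproduces the strict lookup that trips over the unknown id, and shows a tolerant variant that logs and skips the orphan thread instead of aborting the whole analysis. The record layout (`process_id`, `os_pid`, `thread_id`) and the sample values are constructed assumptions.

```python
"""Added example (not capa's own implementation): a strict process-id lookup
that crashes with KeyError on an orphan thread, beside a tolerant version.
Field names and sample data are constructed assumptions for illustration."""
import logging
from dataclasses import dataclass, field

logger = logging.getLogger(__name__)


@dataclass
class Process:
    process_id: int            # analyzer-assigned process id (assumed field)
    os_pid: int                # OS-level pid (assumed field)
    threads: list = field(default_factory=list)


# Constructed sample: thread 11 points at process id 3, which is absent
# from the process table, mirroring the reported "KeyError: 3" shape.
SAMPLE_PROCESSES = [
    {"process_id": 1, "os_pid": 4321},
    {"process_id": 2, "os_pid": 5555},
]
SAMPLE_THREADS = [
    {"thread_id": 10, "process_id": 1},
    {"thread_id": 11, "process_id": 3},
]


def build_process_map(processes):
    """Index processes by their analyzer-assigned id."""
    return {p["process_id"]: Process(p["process_id"], p["os_pid"]) for p in processes}


def get_process_os_pid_strict(process_map, process_id):
    """Strict lookup: a missing id propagates as KeyError (the crashing pattern)."""
    return process_map[process_id].os_pid


def compute_process_threads_strict(processes, threads):
    """Group thread ids by OS pid; aborts on the first orphan thread."""
    process_map = build_process_map(processes)
    grouped = {}
    for t in threads:
        os_pid = get_process_os_pid_strict(process_map, t["process_id"])
        grouped.setdefault(os_pid, []).append(t["thread_id"])
    return grouped


def missing_process_id(processes, threads):
    """Return the process id the strict path trips over, or None if it succeeds."""
    try:
        compute_process_threads_strict(processes, threads)
    except KeyError as exc:
        return exc.args[0]
    return None


def compute_process_threads_tolerant(processes, threads):
    """Same grouping, but orphan threads are logged and skipped rather than fatal.

    Returns (grouped, skipped_thread_ids) so the caller can surface the gap
    in the report instead of silently losing it.
    """
    process_map = build_process_map(processes)
    grouped = {}
    skipped = []
    for t in threads:
        proc = process_map.get(t["process_id"])
        if proc is None:
            logger.warning(
                "thread %d references unknown process id %d; skipping",
                t["thread_id"], t["process_id"],
            )
            skipped.append(t["thread_id"])
            continue
        proc.threads.append(t["thread_id"])
        grouped.setdefault(proc.os_pid, []).append(t["thread_id"])
    return grouped, skipped


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("strict path fails on process id:", missing_process_id(SAMPLE_PROCESSES, SAMPLE_THREADS))
    print("tolerant path:", compute_process_threads_tolerant(SAMPLE_PROCESSES, SAMPLE_THREADS))
```

The tolerant variant is the behaviour a triage tool usually wants: one malformed or partially captured process record should degrade the report (with a warning naming the orphan thread) rather than discard every capability finding from the rest of the archive.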