
Upload of specific file not completely done without any error.

Open nrrpinto opened this issue 3 years ago • 2 comments

Request Type

Bug

Work Environment

Question Answer
OS version (server) Ubuntu 20.04.1
OS version (client) Windows 10
Cortex version 3.1.4-1
Play Version 2.8.3
Package Type Binary
Browser type & version Mozilla Firefox 97.0.1 and Microsoft Edge 98.0.1108.56

Problem Description

I was developing an analyzer for CAPEv2, and I was getting two different hashes from the same file, between direct execution of the analyzer and the upload/execution through the Cortex or TheHive GUIs. After some digging I realized that when I use the Cortex GUI or go through TheHive, the file uploads just 256000 bytes, and not the total 834560 bytes. I found this by tracking the temporary files created in the /tmp folder. Here is a screenshot:


No matter which analyzer I select, the result is the same: that file uploads just those 250KB.

I tried other files bigger than 250KB, and I did not observe the same issue. I even tried the same file zipped, and everything worked fine. That file has some characteristic that results in an incorrect upload.

I've attached the file avaddon.exe.zip with the password: infected. The extension was changed to avoid unintentional execution, but please be careful with the file; it is ransomware.

I would like to understand why this file does not upload correctly to predict other files in the future and avoid wrong analysis.

Steps to Reproduce

  1. Open Cortex on a Web Browser
  2. Select "+New Analysis"
  3. Change Data Type to file, drag and drop the avaddon ransomware sample, select any file analysis analyzer, click start
  4. Find temp folder where the file is dropped, size is not like original OR compare result from the analyzer

Complementary information

Thanks

nrrpinto avatar Mar 08 '22 16:03 nrrpinto
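A way to tell a truncated upload apart from a genuinely different file before trusting an analyzer's verdict, as an added example (not part of the issue or of Cortex itself): compare the sample you submitted with the copy Cortex wrote to its temp directory. The 834560-byte sample and its 256000-byte prefix below are constructed to mirror the sizes in the report; the file names and paths are assumptions.

```python
import hashlib
import os
import tempfile


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_copy(original: bytes, copy: bytes) -> str:
    """Compare the submitted sample with the copy the analyzer actually received.

    'identical'  - same length and same SHA-256
    'truncated'  - copy is a strict prefix of the original (upload cut short)
    'different'  - neither; the analyzer was handed something else entirely
    """
    if len(copy) == len(original) and sha256_of_bytes(copy) == sha256_of_bytes(original):
        return "identical"
    if len(copy) < len(original) and original[: len(copy)] == copy:
        return "truncated"
    return "different"


def check_upload(original_path: str, temp_path: str) -> dict:
    """Read both files and report verdict, sizes and hashes for the ticket/log."""
    with open(original_path, "rb") as f:
        original = f.read()
    with open(temp_path, "rb") as f:
        copy = f.read()
    return {
        "verdict": classify_copy(original, copy),
        "original_size": len(original),
        "copy_size": len(copy),
        "original_sha256": sha256_of_bytes(original),
        "copy_sha256": sha256_of_bytes(copy),
    }


def demo() -> dict:
    # Constructed sample: 834560 deterministic bytes (the size in the report);
    # the "uploaded" copy keeps only the first 256000 bytes, as seen in /tmp.
    original = bytes(range(256)) * (834560 // 256)
    cases = {
        "identical": original,
        "truncated": original[:256000],
        "different": b"\x00\x00" + original[2:],  # same size, altered header
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:  # assumed stand-in for /tmp
        orig_path = os.path.join(tmp, "sample.bin")
        with open(orig_path, "wb") as f:
            f.write(original)
        for name, data in cases.items():
            copy_path = os.path.join(tmp, f"upload_{name}.tmp")
            with open(copy_path, "wb") as f:
                f.write(data)
            results[name] = check_upload(orig_path, copy_path)
    return results
```

A 'truncated' verdict with copy_size 256000 is the symptom described in this issue, and means the analyzer's hash belongs to a partial file rather than to the sample.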

I'm facing the same issue for some files, for an unknown reason, where analyzers are processing a different file hash than the original one. Did you get any idea or solution for that?

m5050 avatar Aug 07 '22 14:08 m5050

I'm having the exact same issue. Any news on how to solve it or from where it comes?

etnarek avatar Feb 09 '23 15:02 etnarek