Once an analysis is completed, several files are stored in a dedicated directory. All the analyses are stored under the directory storage/analyses/ inside a subdirectory named after the incremental numerical ID that represents the analysis task in the database.
Following is an example of an analysis directory structure:
. |-- analysis.conf |-- analysis.log |-- binary |-- dump.pcap |-- memory.dmp |-- files | |-- 1234567890 | `-- dropped.exe |-- logs | |-- 1232.raw | |-- 1540.raw | `-- 1118.raw |-- reports | |-- report.html | |-- report.json | |-- report.maec-4.0.1.xml | `-- report.metadata.xml `-- shots |-- 0001.jpg |-- 0002.jpg |-- 0003.jpg `-- 0004.jpg
This is a configuration file automatically generated by CAPE to give its analyzer some details about the current analysis. It’s generally of no interest to the end-user, as it’s used internally by the sandbox.
This is a log file generated by the analyzer that contains a trace of the analysis execution inside the guest environment. It will report the creation of processes, files, and eventual errors that occurred during the execution.
This is the network dump generated by tcpdump or any other corresponding network sniffer.
In case you enabled it, this file contains the full memory dump of the analysis machine.
This directory contains all the files the malware operated on and that CAPE was able to dump.
This directory contains all the raw logs generated by CAPE’s process monitoring.
This directory contains all the reports generated by CAPE as explained in the Configuration chapter.
This directory contains all the screenshots of the guest’s desktop taken during the malware execution.