Submit an Analysis¶
Submission Utility¶
The easiest way to submit an analysis is to use the provided submit.py command-line utility. It currently has the following options available:
usage: submit.py [-h] [--remote REMOTE] [--url] [--package PACKAGE]
[--custom CUSTOM] [--timeout TIMEOUT] [--options OPTIONS]
[--priority PRIORITY] [--machine MACHINE]
[--platform PLATFORM] [--memory] [--enforce-timeout]
[--clock CLOCK] [--tags TAGS] [--max MAX] [--pattern PATTERN]
[--shuffle] [--unique] [--quiet]
target
positional arguments:
target URL, path to the file or folder to analyze
optional arguments:
-h, --help show this help message and exit
--remote REMOTE Specify IP:port to a CAPE API server to submit
remotely
--url Specify whether the target is an URL
--package PACKAGE Specify an analysis package
--custom CUSTOM Specify any custom value
--timeout TIMEOUT Specify an analysis timeout
--options OPTIONS Specify options for the analysis package (e.g.
"name=value,name2=value2")
--priority PRIORITY Specify a priority for the analysis represented by an
integer
--machine MACHINE Specify the identifier of a machine you want to use
--platform PLATFORM Specify the operating system platform you want to use
(windows/darwin/linux)
--memory Enable to take a memory dump of the analysis machine
--enforce-timeout Enable to force the analysis to run for the full
timeout period
--clock CLOCK Set virtual machine clock
--tags TAGS Specify tags identifier of a machine you want to use
--max MAX Maximum samples to add in a row
--pattern PATTERN Pattern of files to submit
--shuffle Shuffle samples before submitting them
--unique Only submit new samples, ignore duplicates
--quiet Only print text on failure
If you specify a directory as the target path, all of the files contained within that directory will be submitted for analysis.
The concept of analysis packages will be dealt with later in this documentation (at Analysis Packages). The following are some examples of how to use the submit.py tool:
Warning
Remember to use the
cape
user. The following commands are executed ascape
.
Example: Submit a local binary:
$ ./utils/submit.py /path/to/binary
Example: Submit an URL:
$ ./utils/submit.py --url http://www.example.com
Example: Submit a local binary and specify a higher priority:
$ ./utils/submit.py --priority 5 /path/to/binary
Example: Submit a local binary and specify a custom analysis timeout of 60 seconds:
$ ./utils/submit.py --timeout 60 /path/to/binary
Example: Submit a local binary and specify a custom analysis package:
$ ./utils/submit.py --package <name of package> /path/to/binary
Example: Submit a local binary and specify a custom analysis package and some options (in this case a command line argument for the malware):
$ ./utils/submit.py --package exe --options arguments=--dosomething /path/to/binary.exe
Example: Submit a local binary to be run on the virtual machine cape1:
$ ./utils/submit.py --machine cape1 /path/to/binary
Example: Submit a local binary to be run on a Windows machine:
$ ./utils/submit.py --platform windows /path/to/binary
Example: Submit a local binary and take a full memory dump of the analysis machine once the analysis is complete:
$ ./utils/submit.py --memory /path/to/binary
Example: Submit a local binary and force the analysis to be executed for the full timeout (disregarding the internal mechanism that CAPE uses to decide when to terminate the analysis):
$ ./utils/submit.py --enforce-timeout /path/to/binary
Example: Submit a local binary and set the virtual machine clock. The format is %m-%d-%Y %H:%M:%S. If not specified, the current time is used. For example, if we want to run a sample on January 24th, 2001, at 14:41:20:
$ ./utils/submit.py --clock "01-24-2001 14:41:20" /path/to/binary
Example: Submit a sample for Volatility analysis (to reduce side effects of the CAPE hooking, switch it off with options free=True):
$ ./utils/submit.py --memory --options free=True /path/to/binary
--options
Options Available¶
filename
: Rename the sample filename
: This will force family extractor to run, Ex: name=trickbotcurdir
: Change from where execute sample, by default %TEMP%, Ex: curdir=%APPDATA% or- curdir=%APPDATA%MicrosoftWindowsStart MenuProgramsStartup
executiondir
: Sets directory to launch the file from. Need not be the same as the directory of sample file. Defaults to %TEMP% if both executiondir and curdir are not specified. Only supports full pathsfree
: Run without monitoring (disables many capabilities) Ex: free=1force-sleepskip
: Override default sleep skipping behavior: 0 disables all sleep skipping, 1 skips all sleeps.full-logs
: By default, logs prior to network activity for URL analyses and prior to access of the file in question for non-executable formats are suppressed. Set to 1 to disable log suppression.force-flush
: For performance reasons, logs are buffered before being sent back to the result server. We make every attempt to flush the buffer at critical points including when exceptions occur, but in some rare termination scenarios, logs may be lost. Set to 1 to force flushing of the log buffers after any non-duplicate API is called, set to 2 to force flushing of every log.no-stealth
: Set to 1 to disable anti-anti-VM/sandbox code enabled by default.buffer-max
: When set to an integer of your choice, changes the maximum number of bytes that can be logged for most API buffers.large-buffer-max
: Some hooked APIs permit larger buffers to be logged. To change the limit for this, set this to an integer of your choice.norefer
: Disables use of a fake referrer when performing URL analysesfile
: When using the zip or rar package, set the name of the file to executepassword
: When using the zip or rar package, set the password to use for extraction. Also used when analyzing password-protected Office documents.function
: When using the dll package, set the name of the exported function to executedllloader
: When using the dll package, set the name of the process loading the DLL (defaults to rundll32.exe).arguments
: When using the dll, exe, or python packages, set the arguments to be passed to the executable or exported function.appdata
: When using the exe package, set to 1 to run the executable out of the Application Data path instead of the Temp directory.startbrowser
: Setting this option to 1 will launch a browser 30 seconds into the analysis (useful for some banking trojans).browserdelay
: Sets the number of seconds to wait before starting the browser with the startbrowser option. Defaults to 30 seconds.url
: When used with the startbrowser option, this will determine the URL the started browser will access.debug
: Set to 1 to enable reporting of critical exceptions occurring during analysis, set to 2 to enable reporting of all exceptions.disable_hook_content
: Set to 1 to remove functionality of all hooks except those critical for monitoring other processes. Set to 2 to apply to all hooks.hook-type
: Valid for 32-bit analyses only. Specifies the hook type to use: direct, indirect, or safe. Safe attempts a Detours-style hook.serial
: Spoof the serial of the system volume as the provided hex valuesingle-process
: When set to 1 this will limit behaviour monitoring to the initial process only.exclude-apis
: Exclude the colon-separated list of APIs from being hookedexclude-dlls
: Exclude the colon-separated list of DLLs from being hookeddropped-limit
: Override the default dropped file limit of 100 filescompression
: When set to 1 this will enable CAPE’s extraction of compressed payloadsextraction
: When set to 1 this will enable CAPE’s extraction of payloads from within each processinjection
: When set to 1 this will enable CAPE’s capture of injected payloads between processescombo
: This combines compression, injection and extraction with process dumpsdump-on-api
: Dump the calling module when a function from the colon-separated list of APIs is usedbp0
: Sets breakpoint 0 (processor/hardware) to a VA or RVA value (or module::export). Applies also to bp1-bp3.file-offsets
: Breakpoints in bp0-bp3 will be interpreted as PE file offsets rather than RVAsbreak-on-return
: Sets breakpoints on the return address(es) from a colon-separated list of APIsbase-on-api
: Sets the base address to which breakpoints will be applied (and sets breakpoints)depth
: Sets the depth an instruction trace will step into (defaults to 0, requires Trace package)count
: Sets the number of instructions in a trace (defaults to 128, requires Trace package)referrer
: Specify the referrer to be used for URL tasks, overriding the default Google referrerloop_detection
: Set this option to 1 to enable loop detection (compress call logs - behavior analysis)static
: Check if config can be extracted statically, if not, send to vmDl&Exec add headers
: Example: dnl_user_agent: “CAPE Sandbox”, dnl_referer: googleservicedesc
- for service package: Service descriptionarguments
- for service package: Service argumentsstore_memdump
: Will force STORE memdump, only when submitting to analyzer node directly, as distributed cluster can modify thispre_script_args
: Command line arguments for pre_script. Example: pre_script_args=file1 file2 file3pre_script_timeout
: pre_script_timeout will default to 60 seconds. Script will stop after timeout Example: pre_script_timeout=30during_script_args
: Command line arguments for during_script. Example: during_script_args=file1 file2 file3
Web Interface¶
Detailed usage of the web interface is described in Web interface.
Distributed CAPE¶
Detailed usage of the Distributed CAPE API interface is described in Distributed CAPE.
Python Functions¶
To keep track of submissions, samples, and overall execution, CAPE uses a popular Python ORM called SQLAlchemy that allows you to make the sandbox use PostgreSQL, SQLite, MySQL, and several other SQL database systems.
CAPE is designed to be easily integrated into larger solutions and to be fully
automated. To automate analysis submission we suggest using the REST
API interface described in REST API, but in case you want to write a
Python submission script, you can also use the add_path()
and add_url()
functions.
-
add_path
(file_path[, timeout=0[, package=None[, options=None[, priority=1[, custom=None[, machine=None[, platform=None[, memory=False[, enforce_timeout=False], clock=None[]]]]]]]]])¶ Add a local file to the list of pending analysis tasks. Returns the ID of the newly generated task.
Parameters: - file_path (string) – path to the file to submit
- timeout (integer) – maximum amount of seconds to run the analysis for
- package (string or None) – analysis package you want to use for the specified file
- options (string or None) – list of options to be passed to the analysis package (in the format
key=value,key=value
) - priority (integer) – numeric representation of the priority to assign to the specified file (1 being low, 2 medium, 3 high)
- custom (string or None) – custom value to be passed over and possibly reused at processing or reporting
- machine (string or None) – CAPE identifier of the virtual machine you want to use, if none is specified one will be selected automatically
- platform (string or None) – operating system platform you want to run the analysis one (currently only Windows)
- memory (True or False) – set to
True
to generate a full memory dump of the analysis machine - enforce_timeout (True or False) – set to
True
to force the execution for the full timeout - clock (string or None) – provide a custom clock time to set in the analysis machine
Return type: integer
Example usage:
1 2 3 4 5
>>> from lib.cuckoo.core.database import Database >>> db = Database() >>> db.add_path("/tmp/malware.exe") 1 >>>
-
add_url
(url[, timeout=0[, package=None[, options=None[, priority=1[, custom=None[, machine=None[, platform=None[, memory=False[, enforce_timeout=False], clock=None[]]]]]]]]])¶ Add a local file to the list of pending analysis tasks. Returns the ID of the newly generated task.
Parameters: - url (string) – URL to analyze
- timeout (integer) – maximum amount of seconds to run the analysis for
- package (string or None) – analysis package you want to use for the specified URL
- options (string or None) – list of options to be passed to the analysis package (in the format
key=value,key=value
) - priority (integer) – numeric representation of the priority to assign to the specified URL (1 being low, 2 medium, 3 high)
- custom (string or None) – custom value to be passed over and possibly reused at processing or reporting
- machine (string or None) – CAPE identifier of the virtual machine you want to use, if none is specified one will be selected automatically
- platform (string or None) – operating system platform you want to run the analysis one (currently only Windows)
- memory (True or False) – set to
True
to generate a full memory dump of the analysis machine - enforce_timeout (True or False) – set to
True
to force the execution for the full timeout - clock (string or None) – provide a custom clock time to set in the analysis machine
Return type: integer
Example Usage:
1 2 3 4 5 | >>> from lib.cuckoo.core.database import Database >>> db = Database() >>> db.add_url("http://www.cuckoosandbox.org") 2 >>> |
Troubleshooting¶
submit.py¶
If you try to submit an analysis using submit.py
and your output looks like:
$ sudo -u cape poetry run python3 submit.py /path/to/binary/test.exe
Error: adding task to database
It could be due to errors while trying to communicate with the PostgreSQL instance. PostgreSQL is installed and configured by default when executing cape2.sh
. Make sure your PostgreSQL instance is active and running. To check it out execute the following command:
$ sudo systemctl status postgresql
If the status is other than Active (it can be in exited status, as long as it is Active), there is something that needs to be fixed.
The logs for PostgreSQL can be found under /var/log/postgresql/*.log.
If everything is working regarding PostgreSQL, make sure the cape
user is able to access (both read and write) the directories involved in the analysis. For example, cape
must be able to read and write in /tmp.
Analysis results¶
Check Analysis Results.