CAPE Sandbox Book

CAPE Sandbox is an Open Source software for automating analysis of suspicious files. To do so it makes use of custom components that monitor the behavior of the malicious processes while running in an isolated environment.

This guide will explain how to set up CAPE, use it and customize it.

Having troubles?

If you’re having troubles you might want to check out the FAQ as it may already have the answers to your questions.

• FAQ
  • General Questions
    • Can I analyze URLs with CAPE?
    • What I need to use CAPE with VMware ESXi?
  • Troubleshooting
    • After upgrade CAPE stops to work
    • CAPE stumbles and produces some error I don’t understand
    • Check and restore current snapshot with KVM
    • Check and restore current snapshot with VirtualBox
    • Unable to bind result server error

Otherwise you can ask the developers and/or other CAPE users, see Join the discussion.

Contents

• Introduction
  • Sandboxing
    • Using a Sandbox
  • What is CAPE?
    • Some History
    • Use Cases
    • Architecture
    • Obtaining CAPE
  • License
  • Disclaimer
  • Cuckoo Foundation
• Installation
  • Preparing the Host
    • Installing CAPE
      • Automated installation, read the full page before you start
      • To install KVM
      • To install CAPE
      • To install dependencies
        • Optional dependencies
    • ATTENTION! cape user
    • Configuration
      • cuckoo.conf
      • auxiliary.conf
      • <machinery>.conf
      • memory.conf
      • processing.conf
      • reporting.conf
      • routing.conf
      • Using environment variables in config files
    • Per-Analysis Network Routing
      • Per-Analysis Network Routing Options
      • Using Per-Analysis Network Routing
      • Configuring netplan
      • Protecting host ports
        • None Routing
        • Drop Routing
        • Internet Routing
        • InetSim Routing
        • Tor Routing
        • VPN Routing
        • Wireguard VPN
      • Setup Wireguard
        • SOCKS Routing
    • Troubleshooting
      • Manually testing Internet connection
      • Debugging iptables rules
    • Deploying CAPE in the Cloud
      • Azure
        • Resource groups
        • Networking
        • Credential Management
  • Preparing the Guest
    • Creation of the Virtual Machine
    • Requirements
      • Install Python
      • Additional Software
    • Network Configuration
      • Windows Settings
      • Windows 10
      • Windows XP
      • Virtual Networking
      • Creating an isolated network
      • Setting a static IP
      • Disable Noisy Network Services
      • Teredo
      • Link Local Multicast Name Resolution (LLMNR)
      • gpedit.msc missing
      • Network Connectivity Status Indicator, Error Reporting, etc
    • Installing the Agent
      • Prior To Windows 10
      • Windows 10+
    • Additional Configuration
      • Windows Guest
        • Disable Microsoft Store
        • Reduce Overall Noise
        • Windows automatically enables the Virus Real-time Protection
    • Troubleshooting
      • No Internet connection in the guest
      • PCAP Generation
    • Saving the Virtual Machine
      • KVM
      • VirtualBox
      • VMware Workstation
      • XenServer
        • Memory Snapshots
        • Booting from Disk
      • Azure
    • Cloning the Virtual Machine
    • Installing the Linux guest
      • Preparing x32/x64 Linux guests
        • x32 guests
        • x64 guests
  • Preparing the Guest (Physical Machine)
    • Creation of the Physical Machine
    • Requirements
      • Install Python
      • Additional Software
      • Additional Host Requirements
    • Network Configuration
      • Windows Settings
      • Networking
    • Installing the Agent
      • Prior To Windows 10
      • Windows 10+
    • Saving the Guest
      • Fog
  • Upgrade from a previous release
    • Upgrade starting from scratch
    • Migrate your CAPE
    • Python library upgrades:
    • Troubleshooting:
• Usage
  • Starting CAPE
    • Poetry users
    • Troubleshooting
      • PermissionError: [Errno 13] Permission denied: '/opt/CAPEv2/log/cuckoo.log'
      • CuckooCriticalError: Cannot bind ResultServer on port 2042 because it was in use, bailing
      • CuckooCriticalError: Unable to bind Result server on <IP> [Errno 99]
    • Starting processing data generated by virtual machine
  • CAPE internals
    • CAPE base core components
    • CAPE advanced core components
    • How CAPE processing works?
  • Submit an Analysis
    • Submission Utility
      • --options Options Available
    • Web Interface
    • API
    • Distributed CAPE
    • Python Functions
      • add_path()
      • add_url()
    • Troubleshooting
      • submit.py
    • Analysis results
  • Web interface
    • Configuration
      • Enable web interface auth
      • Enable/Disable REST API Endpoints
    • Usage
    • Subscription
    • Exposed to internet
    • Best practices for production
      • Gunicorn
      • NGINX
        • Let’s Encrypt certificates
    • Some extra security TIP(s)
    • Troubleshooting
      • Login error: no such column: users_userprofile.reports
      • No such table: auth_user
  • REST API
    • CAPE throttling, aka requests per minute/hour/day.
  • api.py DEPRECATED
    • Resources
      • /tasks/create/file
      • /tasks/create/url
      • /tasks/list
      • /tasks/view
      • /tasks/delete
      • /tasks/report
      • /tasks/screenshots
      • /files/view
      • /files/get
      • /pcap/get
      • /machines/list
      • /machines/view
      • /cuckoo/status
  • Distributed CAPE
    • Dependencies
    • Starting the Distributed REST API
    • RESTful resources
      • GET /node
      • POST /node
      • GET /node/<name>
      • PUT /node/<name>
      • DELETE /node/<name>
    • Quick usage
    • Proposed setup
      • Configuration settings
        • custom/conf/cuckoo.conf
        • custom/conf/processing.conf
        • custom/conf/reporting.conf
        • custom/conf/distributed.conf
      • Register CAPE nodes
      • VM Maintenance
      • Good practice for production
  • CAPE advanced administration
    • WIP YET!
    • Dependencies
      • SSH Pivoting explained
      • Comparing files
      • The rest of the possibilities
  • Analysis Packages
  • Analysis Results
    • analysis.conf
    • analysis.log
    • dump.pcap
    • memory.dmp
    • files/
    • logs/
    • reports/
    • shots/
  • Clean all Tasks and Samples
  • CAPE Rooter
    • Virtualenv
    • CAPE Rooter Usage
  • Utilities
    • Cleanup utility
    • Submission Utility
    • Web Utility
    • Processing Utility
    • Community Download Utility
    • Database migration utility
    • Stats utility
    • Machine utility
  • Performance
    • Processing
      • Evented signatures
      • Reporting
      • Ram-boost
  • CAPE’s debugger
    • Breakpoints: bp0, bp1, bp2, bp3
    • Depth
    • Count
    • Break-on-return
    • Base-on-api
    • Base-on-alloc
    • Actions
    • Type
    • br0, br1, br2, br3
    • Fake-rdtsc
    • Practical examples
    • Importing instruction traces into disassembler
  • Interactive session
    • Installation
    • Web server configuration
    • Virtual machine configuration
    • Having troubles?
  • Pattern replacement
    • Cleaning Operation system patterns.
    • Cleaning Network patterns as IP(s)/Domains.
• Customization
  • Auxiliary Modules
  • Machinery Modules
    • Configuration
    • LibVirt
  • Analysis Packages
    • Getting started
      • start()
      • check()
      • execute()
      • finish()
    • Options
    • Process API
      • Methods
        • Process.open()
        • Process.exit_code()
        • Process.is_alive()
        • Process.get_parent_pid()
        • Process.execute()
        • Process.resume()
        • Process.terminate()
        • Process.inject()
        • Process.dump_memory()
  • Processing Modules
    • Global Container
    • Getting started
  • Signatures
    • Getting Started
    • Creating your new signature
    • Evented Signatures
    • Matches
      • Signature.add_match()
      • Signature.has_matches()
    • Helpers
      • Signature.check_file()
      • Signature.check_key()
      • Signature.check_mutex()
      • Signature.check_api()
      • Signature.check_argument()
      • Signature.check_ip()
      • Signature.check_domain()
      • Signature.check_url()
    • Categories
    • Troubleshooting
      • No signatures
      • Errors/warnings in the logs
  • Reporting Modules
    • Getting Started
• Integrations
  • Box-js
    • Installation
    • Preparation
    • Starting box-js rest-api
    • Box-js rest-api endpoints
    • Sandbox configuration
  • Curtain
  • LibreNMS
  • Suricata
• Development
  • Development Notes
    • Git branches
    • Release Versioning
    • Ticketing system
    • Contribute
  • Coding Style
    • Formatting
      • Copyright header
      • Indentation
      • Maximum Line Length
      • Blank Lines
      • Imports
      • Strings
      • Printing and Logging
      • Checking for keys in data structures
    • Exceptions
      • Naming
      • Exception handling
    • Documentation
    • Automated testing
    • Poetry and pre-commit hooks
  • Development examples
    • Curtain
    • Suricata name detection
• Final Remarks
  • Links
  • Asking for help
  • Support Us
  • People
    • Active Developers