From 572b437536c8a4ad0e7088b9bb79df6b57bc4510 Mon Sep 17 00:00:00 2001 From: doomedraven Date: Wed, 28 Jan 2026 10:55:11 +0100 Subject: [PATCH 1/4] Update gcp_pubsub_service.py --- utils/gcp_pubsub_service.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/utils/gcp_pubsub_service.py b/utils/gcp_pubsub_service.py index 211ae6a3838..440f7c1b1db 100644 --- a/utils/gcp_pubsub_service.py +++ b/utils/gcp_pubsub_service.py @@ -67,18 +67,21 @@ def process_message(self, message): parent_id = payload.get("parent_id", "") transaction_id = payload.get("transaction_id", "") sample_name = payload.get("name", "sample") + source = payload.get("source", "") category = None if "category=static" in sandbox_options: category = "static" # Format custom fields with truncation to fit 255 chars custom_parts = [] - if sample_name: - custom_parts.append(f"name:{sample_name}") if parent_id: custom_parts.append(f"parent_id:{parent_id}") if transaction_id: custom_parts.append(f"transaction_id:{transaction_id}") + if source: + custom_parts.append(f"source:{source}") + if sample_name: + custom_parts.append(f"name:{sample_name}") custom = ",".join(custom_parts) if len(custom) > 255: From 85c803a637cfddf67f5fcd9d8818d4af595b2aaf Mon Sep 17 00:00:00 2001 From: doomedraven Date: Wed, 28 Jan 2026 12:21:19 +0100 Subject: [PATCH 2/4] move docker to community folder for clarification --- docker/.env.example | 8 ----- docker/Dockerfile | 36 --------------------- docker/docker-compose.yml | 67 --------------------------------------- docker/pcap.sh | 4 --- docker/readme.md | 4 --- docker/run.sh | 34 -------------------- 6 files changed, 153 deletions(-) delete mode 100644 docker/.env.example delete mode 100644 docker/Dockerfile delete mode 100644 docker/docker-compose.yml delete mode 100644 docker/pcap.sh delete mode 100644 docker/readme.md delete mode 100644 docker/run.sh diff --git a/docker/.env.example b/docker/.env.example deleted file mode 100644 index ac45eb4a119..00000000000 --- a/docker/.env.example +++ /dev/null @@ -1,8 +0,0 @@ -WEB_PORT=8000 -RESULT_PORT=2042 -PG_PORT=5432 -MONGO_PORT=27017 - -POSTGRES_USER=cape -POSTGRES_PASSWORD=cape -POSTGRES_DB=cape diff --git a/docker/Dockerfile b/docker/Dockerfile deleted file mode 100644 index 5e8975ddc89..00000000000 --- a/docker/Dockerfile +++ /dev/null @@ -1,36 +0,0 @@ -FROM python:3.11-bookworm - -RUN apt-get update \ - && apt-get install -y --no-install-recommends git libgraphviz-dev tcpdump libcap2-bin iproute2 libjansson-dev libmagic-dev \ - && rm -rf /var/lib/apt/lists/* - -RUN useradd -ms /bin/bash cape - -RUN pip install --no-cache-dir poetry - -RUN poetry config virtualenvs.create false - -RUN mkdir -p /etc/poetry/bin && ln -s $(which poetry) /etc/poetry/bin/poetry -RUN mkdir -p /opt && ln -s /cape /opt/CAPEv2 - -WORKDIR /cape - -COPY pyproject.toml poetry.lock* ./ - -RUN poetry install --no-interaction --no-ansi --no-root - -COPY . . - -RUN poetry install --no-interaction --no-ansi - -RUN pip install --no-cache-dir -U flare-floss -RUN bash extra/yara_installer.sh - -RUN bash docker/pcap.sh - -RUN bash conf/copy_configs.sh -RUN chown -R cape:cape /cape - -USER cape - -CMD ["bash", "docker/run.sh"] \ No newline at end of file diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml deleted file mode 100644 index f94336ced5f..00000000000 --- a/docker/docker-compose.yml +++ /dev/null @@ -1,67 +0,0 @@ -services: - cape-db: - image: postgres:bookworm - hostname: cape-db - restart: unless-stopped - ports: - - "127.0.0.1:${PG_PORT:-5432}:5432" - environment: - POSTGRES_USER: ${POSTGRES_USER:-cape} - POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-cape} - POSTGRES_DB: ${POSTGRES_DB:-cape} - PGDATA: /var/lib/postgresql/data/pgdata - volumes: - - cape-db-data:/var/lib/postgresql/data - healthcheck: - test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-cape} -d ${POSTGRES_DB:-cape}"] - interval: 5s - timeout: 5s - retries: 10 - start_period: 30s - - mongodb: - image: mongo:6 - command: ["--bind_ip_all"] - volumes: - - cape-mongo-data:/data/db - ports: - - "127.0.0.1:${MONGO_PORT:-27017}:27017" - restart: unless-stopped - healthcheck: - test: ["CMD", "mongosh", "--eval", "db.runCommand({ ping: 1 })"] - interval: 10s - timeout: 5s - retries: 12 - start_period: 20s - - cape-server: - build: - context: ../ - dockerfile: docker/Dockerfile - hostname: cape-server - restart: unless-stopped - depends_on: - cape-db: - condition: service_healthy - mongodb: - condition: service_healthy - environment: - - WEB_PORT=${WEB_PORT:-8000} - - POSTGRES_USER=${POSTGRES_USER:-cape} - - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-cape} - - POSTGRES_DB=${POSTGRES_DB:-cape} - ports: - - "127.0.0.1:${RESULT_PORT:-2042}:2042" # result server - - "127.0.0.1:${WEB_PORT:-8000}:8000" # web ui - volumes: - - ../conf:/cape/conf - - ../custom/conf:/cape/custom/conf - - ../custom:/cape/custom - - ../storage:/cape/storage - cap_add: - - NET_ADMIN - - NET_RAW - -volumes: - cape-db-data: - cape-mongo-data: diff --git a/docker/pcap.sh b/docker/pcap.sh deleted file mode 100644 index a83b34c0315..00000000000 --- a/docker/pcap.sh +++ /dev/null @@ -1,4 +0,0 @@ -groupadd pcap -usermod -a -G pcap cape -chgrp pcap /usr/bin/tcpdump -setcap cap_net_raw,cap_net_admin=eip /usr/bin/tcpdump \ No newline at end of file diff --git a/docker/readme.md b/docker/readme.md deleted file mode 100644 index 7edb30667cf..00000000000 --- a/docker/readme.md +++ /dev/null @@ -1,4 +0,0 @@ -This is not official docker soluction! -Is community based contribution so use on your own risks! - -No support here from core devs! diff --git a/docker/run.sh b/docker/run.sh deleted file mode 100644 index dcb91965326..00000000000 --- a/docker/run.sh +++ /dev/null @@ -1,34 +0,0 @@ -#!/bin/bash -set -e - -cd /cape - -# Initialize configs if mounted volume is empty -if [ ! -f "conf/cuckoo.conf" ]; then - echo "Initializing configuration files..." - bash conf/copy_configs.sh -fi - -# Configure Database connection for Docker environment -mkdir -p conf/cuckoo.conf.d -DB_CONF="conf/cuckoo.conf.d/00_docker_db.conf" -if [ ! -f "$DB_CONF" ]; then - echo "Creating Docker DB configuration..." - cat > "$DB_CONF" < Date: Wed, 28 Jan 2026 15:01:04 +0100 Subject: [PATCH 3/4] capemon deatils (#2875) * capemon deatils Changes implemented: 1. Tabbed Interface: Replaced the single long table with a tabbed layout, organizing options into clear categories: * Submission: General submission settings (files, args, scripts). * Monitor: Core monitoring configuration (stealth, evasion, interaction). * Hooks & Logs: detailed hooking and logging settings. * Dumping: Configuration for payloads, memory, and config dumping. * Debug: Advanced debugging and tracing options. 2. Extended Options: Integrated the comprehensive list of configuration options from capemon_details.md, including advanced hooking and anti-evasion settings. 3. Live Search: Added a real-time search filter that dynamically hides/shows rows across the active tables based on your input, making it much easier to find specific flags. 4. UI Improvements: Used Bootstrap 5 classes to match the existing dark theme (bg-dark, text-white, border-secondary) and ensure a consistent look and feel. You can now toggle the help section and use the search bar to instantly find any configuration option. * Update index.html * sync * Update index.html * Update index.html * Update index.html --- docs/book/src/usage/submit.rst | 179 +++++++---- web/templates/submission/index.html | 457 ++++++++++++---------------- 2 files changed, 319 insertions(+), 317 deletions(-) diff --git a/docs/book/src/usage/submit.rst b/docs/book/src/usage/submit.rst index 1550737f09b..e522e7d5a7a 100644 --- a/docs/book/src/usage/submit.rst +++ b/docs/book/src/usage/submit.rst @@ -113,61 +113,130 @@ some options (in this case a command line argument for the malware):: ``--options`` Options Available ------------------------------- -- ``filename``: Rename the sample file -- ``name``: This will force family extractor to run, Ex: name=trickbot -- ``curdir``: Change from where execute sample, by default %TEMP%, Ex: curdir=%APPDATA% or - curdir=%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup -- ``executiondir``: Sets directory to launch the file from. Need not be the same as the directory of sample file. Defaults to %TEMP% if both executiondir and curdir are not specified. Only supports full paths -- ``free``: Run without monitoring (disables many capabilities) Ex: free=1 -- ``force-sleepskip``: Override default sleep skipping behavior: 0 disables all sleep skipping, 1 skips all sleeps. -- ``full-logs``: By default, logs prior to network activity for URL analyses and prior to access of the file in question for non-executable formats are suppressed. Set to 1 to disable log suppression. -- ``force-flush``: For performance reasons, logs are buffered before being sent back to the result server. We make every attempt to flush the buffer at critical points including when exceptions occur, but in some rare termination scenarios, logs may be lost. Set to 1 to force flushing of the log buffers after any non-duplicate API is called, set to 2 to force flushing of every log. -- ``no-stealth``: Set to 1 to disable anti-anti-VM/sandbox code enabled by default. -- ``buffer-max``: When set to an integer of your choice, changes the maximum number of bytes that can be logged for most API buffers. -- ``large-buffer-max``: Some hooked APIs permit larger buffers to be logged. To change the limit for this, set this to an integer of your choice. -- ``norefer``: Disables use of a fake referrer when performing URL analyses -- ``file``: When using the zip or rar package, set the name of the file to execute -- ``password``: When using the zip or rar package, set the password to use for extraction. Also used when analyzing password-protected Office documents. -- ``function``: When using the dll package, set the name of the exported function to execute -- ``dllloader``: When using the dll package, set the name of the process loading the DLL (defaults to rundll32.exe). -- ``arguments``: When using the dll, exe, or python packages, set the arguments to be passed to the executable or exported function. -- ``appdata``: When using the exe package, set to 1 to run the executable out of the Application Data path instead of the Temp directory. -- ``startbrowser``: Setting this option to 1 will launch a browser 30 seconds into the analysis (useful for some banking trojans). -- ``browserdelay``: Sets the number of seconds to wait before starting the browser with the startbrowser option. Defaults to 30 seconds. -- ``url``: When used with the startbrowser option, this will determine the URL the started browser will access. -- ``debug``: Set to 1 to enable reporting of critical exceptions occurring during analysis, set to 2 to enable reporting of all exceptions. -- ``disable_hook_content``: Set to 1 to remove functionality of all hooks except those critical for monitoring other processes. Set to 2 to apply to all hooks. -- ``hook-type``: Valid for 32-bit analyses only. Specifies the hook type to use: direct, indirect, or safe. Safe attempts a Detours-style hook. -- ``serial``: Spoof the serial of the system volume as the provided hex value -- ``single-process``: When set to 1 this will limit behavior monitoring to the initial process only. -- ``exclude-apis``: Exclude the colon-separated list of APIs from being hooked -- ``exclude-dlls``: Exclude the colon-separated list of DLLs from being hooked -- ``dropped-limit``: Override the default dropped file limit of 100 files -- ``compression``: When set to 1 this will enable CAPE's extraction of compressed payloads -- ``extraction``: When set to 1 this will enable CAPE's extraction of payloads from within each process -- ``injection``: When set to 1 this will enable CAPE's capture of injected payloads between processes -- ``combo``: This combines compression, injection and extraction with process dumps -- ``dump-on-api``: Dump the calling module when a function from the colon-separated list of APIs is used -- ``bp0``: Sets breakpoint 0 (processor/hardware) to a VA or RVA value (or module::export). Applies also to bp1-bp3. -- ``file-offsets``: Breakpoints in bp0-bp3 will be interpreted as PE file offsets rather than RVAs -- ``break-on-return``: Sets breakpoints on the return address(es) from a colon-separated list of APIs -- ``base-on-api``: Sets the base address to which breakpoints will be applied (and sets breakpoints) -- ``depth``: Sets the depth an instruction trace will step into (defaults to 0, requires Trace package) -- ``count``: Sets the number of instructions in a trace (defaults to 128, requires Trace package) -- ``referrer``: Specify the referrer to be used for URL tasks, overriding the default Google referrer -- ``loop_detection``: Set this option to 1 to enable loop detection (compress call logs - behavior analysis) -- ``static``: Check if config can be extracted statically, if not, send to vm -- ``Dl&Exec add headers``: Example: dnl_user_agent: "CAPE Sandbox", dnl_referrer: google -- ``servicedesc`` - for service package: Service description -- ``arguments`` - for service package: Service arguments -- ``store_memdump``: Will force STORE memdump, only when submitting to analyzer node directly, as distributed cluster can modify this -- ``pre_script_args``: Command line arguments for pre_script. Example: pre_script_args=file1 file2 file3 -- ``pre_script_timeout``: pre_script_timeout will default to 60 seconds. Script will stop after timeout Example: pre_script_timeout=30 -- ``during_script_args``: Command line arguments for during_script. Example: during_script_args=file1 file2 file3 -- ``pwsh``: - for ps1 package: prefer PowerShell Core, if available in the vm -- ``check_shellcode``: - Setting check_shellcode=0 will disable checking for shellcode during package identification and extracting from archive -- ``unhook-apis``: - capability to dynamically unhook previously hooked functions (unhook-apis option takes colon-separated list e.g. unhook-apis=NtSetInformationThread:NtDelayExecution) -- ``ttd``: - ttd=1. TTD integration (Microsoft Time Travel Debugging). Place TTD binaries in analyzer/windows/bin (with wow64 subdirectory for 32-bit). .trc files output to TTD directory in results folder for manual retrieval + +Analysis options can be specified at submission time in the format ``option1=val1,option2=val2``. These options control the behavior of the monitor and analyzer during detonation. + +Submission & General +^^^^^^^^^^^^^^^^^^^^ +- ``filename``: Rename the sample file within the guest environment. +- ``name``: Force family extractor to run for a specific family (e.g., ``name=trickbot``). +- ``curdir``: Change the execution directory (default is ``%TEMP%``). Supports environment variables like ``%APPDATA%``. +- ``executiondir``: Sets the directory to launch the file from. Must be a full path. +- ``arguments``: Command line arguments to pass to the initial process or exported function. +- ``appdata``: Set to ``1`` to run the executable from the ``AppData`` path instead of ``Temp``. +- ``file``: For Zip/Rar packages, specify which file within the archive to execute. +- ``password``: Password for archive extraction or protected Office documents. +- ``function``: For DLL packages, specify exported function name(s) or ordinals (colon-separated). +- ``dllloader``: Specify a process name to fake the DLL launcher (default is ``rundll32.exe``). +- ``pwsh``: For PS1 package, prefer PowerShell Core (``pwsh.exe``) if available. +- ``ignore_size_check``: Allow ignoring file size limits (must be enabled in ``conf/web.conf``). +- ``check_shellcode``: Set to ``0`` to disable shellcode detection during package identification. +- ``pre_script_args`` / ``during_script_args``: Command line arguments for pre/during-execution scripts. +- ``pre_script_timeout``: Timeout for pre-execution script (default 60s). +- ``servicedesc`` / ``servicename``: Custom name and description for Service packages. +- ``lang``: Override the system language code (LCID). +- ``standalone``: Run in standalone mode without a Cuckoo pipe. +- ``monitor``: Inject the monitor into a specific PID or explorer (useful for interactive mode). +- ``shutdown-mutex``: Name of the mutex that signals a shutdown/termination. +- ``terminate-event``: Name of the event set by the analyzer to signal termination. +- ``terminate-processes``: If true, terminate processes when ``terminate-event`` is signaled. +- ``first-process``: (Internal) Flag indicating if this is the first process in the analysis tree. +- ``startup-time``: Milliseconds since system startup. + +Monitor & Evasion +^^^^^^^^^^^^^^^^^ +- ``free``: Run without monitoring (disables many capabilities for stealth or performance). +- ``no-stealth``: Set to ``1`` to disable built-in anti-anti-VM/sandbox tricks. +- ``force-sleepskip``: ``0`` = disable sleep skipping, ``1`` = skip all sleeps. +- ``serial``: Spoof the system volume serial number (Hex value). +- ``sysvol_ctimelow/high``: Spoof the creation time of the system volume. +- ``sys32_ctimelow/high``: Spoof the creation time of the System32 directory. +- ``fake-rdtsc``: Enable fake RDTSC (Read Time-Stamp Counter) results. +- ``nop-rdtscp``: NOP the RDTSCP instruction. +- ``ntdll-protect``: Enable write protection on ``ntdll.dll`` code. +- ``ntdll-unhook``: Enable protection against ntdll unhooking via ``NtReadFile``. +- ``ntdll-remap``: Enable ntdll remapping protection. +- ``protected-pids``: Enable protection for critical PIDs to prevent termination or injection. +- ``single-process``: Limit behavior monitoring to the initial process only. +- ``interactive``: Enable interactive desktop mode. +- ``pdf``: Enable specific hooks/behavior for Adobe Reader. +- ``startbrowser``: Launch a browser 30 seconds into the analysis. +- ``browserdelay``: Seconds to wait before starting the browser (default 30). +- ``url``: Determine the URL the started browser will access. +- ``referrer``: Specify a custom referrer for URL tasks. +- ``norefer``: Disable the use of a fake referrer. +- ``file-of-interest``: Specify a particular file or URL being analyzed. + +Hooking & Logging +^^^^^^^^^^^^^^^^^ +- ``hook-type``: Hooking method: ``indirect``, ``pushret``, ``direct``, or ``safe``. +- ``hook-range``: Limit the number of applied hooks (useful for testing). +- ``hook-low``: Allocate hook trampolines in low memory (<2GB) on x64 systems. +- ``hook-restore``: Attempt to restore hooks if modification is detected. +- ``hook-protect``: Enable write protection on hook pages. +- ``hook-watch``: Enable continuous monitoring of hook integrity. +- ``disable-hook-content``: ``1`` = remove payload of non-critical hooks, ``2`` = remove payload of all hooks. +- ``minhook`` / ``zerohook``: Enable only minimal hooks or disable all non-essential hooks. +- ``native``: Install only native (ntdll) hooks. +- ``syscall``: Enable syscall hooks (Windows 10+). +- ``exclude-apis`` / ``exclude-dlls``: Colon-separated lists of APIs or DLLs to exclude from hooking. +- ``unhook-apis``: Colon-separated list of APIs to dynamically unhook at runtime. +- ``coverage-modules``: Colon-separated list of DLLs to include in monitoring (exclude from 'dll range' filtering). +- ``full-logs``: Disable log suppression (logs before network/file activity are normally suppressed). +- ``force-flush``: ``1`` = flush logs after any non-duplicate API, ``2`` = force flush every log. +- ``log-exceptions`` / ``log-vexcept``: Enable logging of standard or Vectored Exception Handlers. +- ``log-breakpoints`` / ``log-bps``: Enable logging of breakpoints to the behavior log. +- ``trace-times`` / ``tt``: Enable timing information in instruction traces. +- ``buffer-max`` / ``large-buffer-max``: Max size for standard and large API log buffers. +- ``api-rate-cap`` / ``api-cap``: Limits for the rate and total number of API logs. +- ``no-logs`` / ``disable-logging``: Divert or completely disable the analysis log. + +Dumping & Payloads +^^^^^^^^^^^^^^^^^^ +- ``procdump``: Enable process memory dumping on exit or timeout. +- ``procmemdump``: Enable full process memory dumping. +- ``import-reconstruction``: Attempt import reconstruction on process dumps (slow). +- ``dump-limit``: Limit the number of payload dumps (default 10). +- ``dropped-limit``: Limit the number of dropped files logged (default 100). +- ``dump-on-api``: Dump the calling module when specific APIs (colon-separated) are called. +- ``dump-config-region``: Dump memory regions suspected to contain C2 configuration. +- ``dump-crypto`` / ``dump-keys``: Dump buffers from Crypto APIs or keys from ``CryptImportKey``. +- ``amsidump``: Enable AMSI buffer dumping (Windows 10+). +- ``jit-dumps``: Limit for .NET JIT cache dumps. +- ``tlsdump``: Enable dumping of TLS secrets. +- ``regdump``: Enable dumping of Registry data. +- ``unpacker``: ``1`` = passive unpacking, ``2`` = active unpacking. +- ``injection`` / ``extraction`` / ``compression``: Enable capture of injected payloads, process extractions, or compressed payloads. +- ``combo``: Combines compression, injection, and extraction with process dumps. +- ``store_memdump``: Force STORE memdump when submitting to an analyzer node directly. + +Debug & Tracing +^^^^^^^^^^^^^^^ +- ``debugger``: Enable the internal debugger engine (implicitly set by bp/trace options). +- ``debug``: ``1`` = report critical exceptions, ``2`` = report all exceptions. +- ``bp0``...``bp3``: Set hardware breakpoints (format: ``0xAddress``, ``Module:Export``, or ``ep`` for entrypoint). +- ``br0``, ``br1``: Set "break-on-return" addresses. +- ``bp`` / ``sysbp``: Colon-separated lists of software or syscall breakpoints. +- ``sysbpmode``: Mode for syscall breakpoints. +- ``break-on-return``: Colon-separated list of APIs to break on return. +- ``break-on-jit``: Break on .NET JIT compiled native code. +- ``trace-all``: Enable full execution tracing. +- ``trace-into-api``: Colon-separated list of APIs to trace into. +- ``branch-trace``: Enable branch tracing. +- ``depth``: Trace depth limit (integer or ``all``). +- ``count``: Trace instruction count limit (integer or ``all``). +- ``step-out``: Set a step-out breakpoint at a specific address. +- ``stepmode``: Custom trace stepping behavior. +- ``loopskip`` / ``loop_detection``: Enable loop skipping or detection to compress call logs. +- ``base-on-api``: Base breakpoints on specific API addresses. +- ``base-on-alloc``: Base breakpoints on executable memory allocations. +- ``base-on-caller``: Base breakpoints on new calling regions. +- ``file-offsets``: Interpret breakpoints as file offsets instead of RVAs. +- ``loaderlock``: Allow scans/dumps while the Loader Lock is held. +- ``snaps``: Enable Windows Loader Snaps output (LdrSnap). +- ``ttd``: Enable Microsoft Time Travel Debugging integration (requires TTD binaries). +- ``polarproxy``: Run PolarProxy for TLS decryption (TLS port can be set via ``tlsport``). +- ``mitmdump``: Run mitmdump to generate HAR with decrypted TLS. .. _webpy: diff --git a/web/templates/submission/index.html b/web/templates/submission/index.html index f786652bb3e..fc1f4c9afc7 100644 --- a/web/templates/submission/index.html +++ b/web/templates/submission/index.html @@ -286,261 +286,199 @@
Advance
- +
-

Syntax is option1=val1,option2=val2,option3=val3, etc.

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionDescription
filenameRename the sample file
nameThis will force family extractor to run, Ex: name=trickbot
curdirChange from where execute sample, by default %TEMP%, Ex: curdir=%APPDATA% or - curdir=%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup -
executiondirSets directory to launch the file from. Need not be the same as the directory of sample file. Defaults to %TEMP% if both executiondir and curdir are not specified. Only supports full paths
freeRun without monitoring (disables many capabilities) Ex: free=1
force-sleepskipOverride default sleep skipping behavior: 0 disables all sleep skipping, 1 skips all sleeps.
full-logsBy default, logs prior to network activity for URL analyses and prior to access of the file in question for non-executable formats are suppressed. Set to 1 to disable log suppression.
force-flushFor performance reasons, logs are buffered before being sent back to the result server. We make every attempt to flush the buffer at critical points including when exceptions occur, but in some rare termination scenarios, logs may be lost. Set to 1 to force flushing of the log buffers after any non-duplicate API is called, set to 2 to force flushing of every log.
no-stealthSet to 1 to disable anti-anti-VM/sandbox code enabled by default.
buffer-maxWhen set to an integer of your choice, changes the maximum number of bytes that can be logged for most API buffers.
large-buffer-maxSome hooked APIs permit larger buffers to be logged. To change the limit for this, set this to an integer of your choice.
noreferDisables use of a fake referrer when performing URL analyses
fileWhen using the zip or rar package, set the name of the file to execute
passwordWhen using the zip or rar package, set the password to use for extraction. Also used when analyzing password-protected Office documents.
functionWhen using the dll package, set the name of the exported function/ordinal to execute. Can be multiple function/ordinals splited by colon. Ex: function=func1:func2
dllloaderWhen using the dll package, set the name of the process loading the DLL (defaults to rundll32.exe).
argumentsWhen using the dll, exe, or python packages, set the arguments to be passed to the executable or exported function.
appdataWhen using the exe package, set to 1 to run the executable out of the Application Data path instead of the Temp directory.
startbrowserSetting this option to 1 will launch a browser 30 seconds into the analysis (useful for some banking trojans).
browserdelaySets the number of seconds to wait before starting the browser with the startbrowser option. Defaults to 30 seconds.
urlWhen used with the startbrowser option, this will determine the URL the started browser will access.
debugSet to 1 to enable reporting of critical exceptions occurring during analysis, set to 2 to enable reporting of all exceptions.
disable_hook_contentSet to 1 to remove functionality of all hooks except those critical for monitoring other processes. Set to 2 to apply to all hooks.
hook-typeValid for 32-bit analyses only. Specifies the hook type to use: direct, indirect, or safe. Safe attempts a Detours-style hook.
serialSpoof the serial of the system volume as the provided hex value
single-processWhen set to 1 this will limit behaviour monitoring to the initial process only.
exclude-apisExclude the colon-separated list of APIs from being hooked
exclude-dllsExclude the colon-separated list of DLLs from being hooked
dropped-limitOverride the default dropped file limit of 100 files
compressionWhen set to 1 this will enable CAPE's extraction of compressed payloads
extractionWhen set to 1 this will enable CAPE's extraction of payloads from within each process
injectionWhen set to 1 this will enable CAPE's capture of injected payloads between processes
comboThis combines compression, injection and extraction with process dumps
dump-on-apiDump the calling module when a function from the colon-separated list of APIs is used
bp0Sets breakpoint 0 (processor/hardware) to a VA or RVA value (or module::export). Applies also to bp1-bp3.
file-offsetsBreakpoints in bp0-bp3 will be interpreted as PE file offsets rather than RVAs
break-on-returnSets breakpoints on the return address(es) from a colon-separated list of APIs
base-on-apiSets the base address to which breakpoints will be applied (and sets breakpoints)
depthSets the depth an instruction trace will step into (defaults to 0, requires Trace package)
countSets the number of instructions in a trace (defaults to 128, requires Trace package)
referrerSpecify the referrer to be used for URL tasks, overriding the default Google referrer
loop_detectionSet this option to 1 to enable loop detection (compress call logs - behavior analysis)
staticCheck if config can be extracted statically, if not, send to vm
Dl&Exec add headers examplednl_user_agent: "CAPE Sandbox", dnl_referer: google
servicedesc - for service packageService description
arguments - for service packageService arguments
store_memdumpWill force STORE memdump, only when submitting to analyzer node directly, as distributed cluster can modify this
pre_script_argsCommand line arguments for pre_script. Example: pre_script_args=file1 file2 file3
pre_script_timeoutpre_script_timeout will default to 60 seconds. Script will stop after timeout Example: pre_script_timeout=30
during_script_argsCommand line arguments for during_script. Example: during_script_args=file1 file2 file3
ignore_size_checkAllow ignore file size, must be enabled in conf/web.conf
pwshWhen using the ps1 package, prefer PowerShell Core (pwsh.exe) if available (defaults to powershell.exe)
unpackerEx: unpacker=2 - Add description here
check_shellcodeSetting check_shellcode=0 will disable checking for shellcode during package identification and extracting from archive
unhook-apisCapability to dynamically unhook previously hooked functions (unhook-apis option takes colon-separated list e.g. unhook-apis=NtSetInformationThread:NtDelayExecution)
ttdttd=1. TTD integration (Microsoft Time Travel Debugging). Requires binaries to be placed in correct folder
polarproxyRun PolarProxy to generate PCAP with decrypted TLS streams. Ex: polarproxy=1
tlsportTLS port for PolarProxy to MITM (Default: 443). Ex: tlsport=10443
mitmdumpRun mitmdump to generate HAR with decrypted TLS streams. Ex: mitmdump=1
+
+ + Syntax: option1=val1,option2=val2
+ +
+ +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
OptionDescription
filenameRename the sample file
nameForce family extractor to run (e.g., name=trickbot)
curdirExecution directory (default %TEMP%)
executiondirDirectory to launch file from (default %TEMP%)
argumentsArguments for the executable or exported function
appdataRun executable from AppData instead of Temp
pwshPrefer PowerShell Core (pwsh.exe)
freeRun without monitoring (disables many capabilities)
ignore_size_checkAllow ignore file size (must be enabled in conf)
check_shellcodeDisable shellcode check during package ID (check_shellcode=0)
functionExported function/ordinal to execute (DLL)
dllloaderProcess loading the DLL (default rundll32.exe)
fileName of file to execute (Zip/Rar)
passwordPassword for extraction/Office
startbrowserLaunch browser 30s into analysis
browserdelaySeconds to wait before starting browser
urlURL for started browser
servicedescService description (Service package)
pre_script_argsArgs for pre_script
during_script_argsArgs for during_script
langOverride system language (LCID)
standaloneRun in standalone mode (no pipe)
monitorInject monitor into PID/Explorer
shutdown-mutexMutex name for shutdown signal
terminate-eventEvent name for termination signal
terminate-processesTerminate processes on event
first-process(Internal) First process in tree
startup-timeMS since system startup
+
+
+ +
+
+ + + + + + + + + + + + + + + + + + +
OptionDescription
no-stealthDisable anti-anti-VM/sandbox tricks
force-sleepskip1 = Skip all sleeps, 0 = Disable sleep skipping
serialSpoof the system volume serial number
single-processLimit monitoring to initial process only
interactiveEnable interactive desktop mode
referrerFake referrer for URL analysis
noreferDisable fake referrer
file-of-interestSpecific file or URL being analyzed
pdfAdobe Reader specific hooks/behavior
sysvol_ctimelow/highSpoof creation time of system volume
fake-rdtscEnable fake RDTSC results
ntdll-protectEnable write protection on ntdll.dll code
ntdll-unhookEnable protection against ntdll unhooking
protected-pidsEnable protection for critical PIDs
+
+
+ +
+
+ + + + + + + + + + + + + + + + + + + + +
OptionDescription
full-logsDisable log suppression
force-flush1 = Flush after non-duplicate API, 2 = Force flush every log
buffer-maxMax size for log buffer
large-buffer-maxMax size for large log buffers
api-rate-capLimit rate of API logging
api-capLimit total number of API logs
hook-typeHook type: direct, indirect, or safe (32-bit only)
syscallEnable syscall hooks (Win10+)
disable-hook-content1 = Remove payload of non-critical hooks, 2 = All hooks
exclude-apisColon-separated list of APIs to exclude from hooking
exclude-dllsColon-separated list of DLLs to exclude from hooking
unhook-apisDynamically unhook functions (colon-separated)
coverage-modulesColon-separated list of DLLs to include in monitoring (exclude from 'dll range' filtering)
zerohookDisable all hooks except essential
hook-protectEnable write protection on hook pages
log-exceptionsEnable logging of exceptions
+
+
+ +
+
+ + + + + + + + + + + + + + + + + + + + +
OptionDescription
procdumpEnable process memory dumping on exit/timeout
procmemdumpEnable full process memory dumping
dump-on-apiDump calling module when specific APIs are called (colon-separated)
dump-config-regionDump memory regions suspected to contain C2 config
dump-cryptoDump buffers from Crypto APIs
dump-keysDump keys from CryptImportKey
amsidumpEnable AMSI buffer dumping (Win10+)
tlsdumpEnable dumping of TLS secrets
dropped-limitOverride default dropped file limit (100)
compressionEnable CAPE's extraction of compressed payloads
extractionEnable CAPE's extraction of payloads from within process
injectionEnable CAPE's capture of injected payloads
comboCombine compression, injection, and extraction
unpacker1 = Passive unpacking, 2 = Active unpacking
import-reconstructionAttempt import reconstruction on dumps
store_memdumpForce STORE memdump (submit to analyzer directly)
+
+
+ +
+
+ + + + + + + + + + + + + + + + + + +
OptionDescription
debuggerEnable internal debugger engine
debug1 = Report critical exceptions, 2 = All exceptions
bp0...bp3Hardware breakpoints (Address or Module:Export)
bpSoftware breakpoints (colon-separated addresses)
break-on-returnBreak on return from specific APIs
base-on-apiSet base address for breakpoints based on API
file-offsetsInterpret breakpoints as file offsets
trace-allEnable full execution tracing
depthTrace depth limit (default 0)
countTrace instruction count limit (default 128)
loop_detectionEnable loop detection (compress call logs)
ttdTime Travel Debugging (ttd=1)
polarproxyRun PolarProxy (TLS PCAP)
mitmdumpRun mitmdump (TLS HAR)
+
+
+
+
@@ -598,15 +536,6 @@
Advance id="duringScript" name="during_script"> {% endif %} -
- -
-
-
Advance
- +
Advance
+
+ + +
From 06a17a49de95c8d38e50df4c9a9a8523c0acbcab Mon Sep 17 00:00:00 2001 From: doomedraven Date: Wed, 28 Jan 2026 15:04:53 +0100 Subject: [PATCH 4/4] Update cape2.sh --- installer/cape2.sh | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/installer/cape2.sh b/installer/cape2.sh index 25394b4c0b0..7a9964b62ed 100755 --- a/installer/cape2.sh +++ b/installer/cape2.sh @@ -120,6 +120,7 @@ cat << EndOfHelp jemalloc - Install jemalloc, required for CAPE to decrease memory usage Details: https://zapier.com/engineering/celery-python-jemalloc/ crowdsecurity - Install CrowdSecurity for NGINX and webgui + introvirt - Install IntroVirt docker - install docker osslsigncode - Linux alternative to Windows signtool.exe modsecurity - install Nginx ModSecurity plugin @@ -169,6 +170,13 @@ function install_crowdsecurity() { sudo ./install.sh } +function install_IntroVirt() { + wget https://github.com/IntroVirt/IntroVirt/releases/latest/download/Ubuntu-$(lsb_release -sc)-$(lsb_release -sr).tar.xz + tar -Jxvf Ubuntu-$(lsb_release -sc)-$(lsb_release -sr).tar.xz + cd Ubuntu-$(lsb_release -sc)-$(lsb_release -sr) + sudo apt install ./*.deb +} + function install_docker() { echo "[+] Install docker" # https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-20-04 @@ -1876,6 +1884,8 @@ case "$COMMAND" in install_DIE;; 'fluentd') install_fluentd;; +'introvirt') + install_IntroVirt;; 'passivedns') install_passivedns;; *)