├── .actrc ├── .github ├── ISSUE_TEMPLATE │ └── bug_report.md ├── actions │ └── python-setup │ │ └── action.yml └── workflows │ ├── antitemplaters.yml_disabled │ ├── export-requirements.yml │ ├── pip-audit.yml │ ├── python-package-windows.yml │ ├── python-package.yml │ ├── todo.yml_disabled │ └── yara-audit.yml ├── .gitignore ├── .gitmodules ├── .pre-commit-config.yaml ├── .readthedocs.yaml ├── .yara-ci.yml ├── CITATION.cff ├── LICENSE ├── README.md ├── SECURITY.md ├── acknowledgment.md ├── admin ├── admin.py └── admin_conf.py_example ├── agent ├── agent.py ├── pytest.ini ├── test_agent.py └── test_python_architecture.py ├── analyzer ├── linux │ ├── analyzer.py │ ├── dbus_next │ │ ├── __init__.py │ │ ├── __version__.py │ │ ├── _private │ │ │ ├── __init__.py │ │ │ ├── address.py │ │ │ ├── constants.py │ │ │ ├── marshaller.py │ │ │ ├── unmarshaller.py │ │ │ └── util.py │ │ ├── aio │ │ │ ├── __init__.py │ │ │ ├── message_bus.py │ │ │ └── proxy_object.py │ │ ├── auth.py │ │ ├── constants.py │ │ ├── errors.py │ │ ├── introspection.py │ │ ├── message.py │ │ ├── message_bus.py │ │ ├── proxy_object.py │ │ ├── py.typed │ │ ├── service.py │ │ ├── signature.py │ │ └── validators.py │ ├── lib │ │ ├── __init__.py │ │ ├── api │ │ │ ├── __init__.py │ │ │ ├── process.py │ │ │ └── screenshot.py │ │ ├── common │ │ │ ├── __init__.py │ │ │ ├── abstracts.py │ │ │ ├── common.py │ │ │ ├── constants.py │ │ │ ├── exceptions.py │ │ │ ├── hashing.py │ │ │ ├── rand.py │ │ │ └── results.py │ │ └── core │ │ │ ├── __init__.py │ │ │ ├── config.py │ │ │ ├── packages.py │ │ │ └── startup.py │ └── modules │ │ ├── __init__.py │ │ ├── auxiliary │ │ ├── __init__.py │ │ ├── filecollector.py │ │ ├── human.py │ │ └── screenshots.py │ │ └── packages │ │ ├── __init__.py │ │ ├── bash.py │ │ ├── deb.py │ │ ├── doc.py │ │ ├── firefox.py │ │ ├── generic.py │ │ ├── jar.py │ │ ├── js.py │ │ ├── pdf.py │ │ ├── perl.py │ │ ├── python.py │ │ ├── python_whl.py │ │ ├── wget.py │ │ └── zip.py └── windows │ ├── 
analyzer.py │ ├── bin │ ├── PPLinject.exe │ ├── PPLinject64.exe │ ├── autoit3.exe │ ├── loader.exe │ ├── loader_x64.exe │ ├── psexec.exe │ └── signtool.exe │ ├── data │ ├── msix.ps1 │ └── yara │ │ ├── AgentTesla.yar │ │ ├── AntiCuckoo.yar │ │ ├── Blister.yar │ │ ├── BruteRatel.yar │ │ ├── BuerLoader.yar │ │ ├── BumbleBee.yar │ │ ├── CargoBayLoader.yar │ │ ├── DarkGate.yar │ │ ├── DarkGateLoader.yar │ │ ├── DoomedLoader.yar │ │ ├── DridexLoader.yar │ │ ├── EmotetPacker.yar │ │ ├── Formbook.yar │ │ ├── GetTickCountAntiVM.yar │ │ ├── Guloader.yar │ │ ├── HeavensSyscall.yar │ │ ├── IcedID.yar │ │ ├── Latrodectus.yar │ │ ├── Lumma.yar │ │ ├── ModiLoader.yar │ │ ├── MysterySnail.yar │ │ ├── NSIS.yar │ │ ├── NitrogenLoader.yar │ │ ├── Pikabot.yar │ │ ├── PrivateLoader.yar │ │ ├── QakBot.yar │ │ ├── RdtscpAntiVM.yar │ │ ├── Rhadamanthys.yar │ │ ├── RisePro.yar │ │ ├── SingleStepAntiHook.yar │ │ ├── SlowLoader.yar │ │ ├── SmokeLoader.yar │ │ ├── Socks5Systemz.yar │ │ ├── Stealc.yar │ │ ├── Syscall.yar │ │ ├── Themida.yar │ │ ├── UPX.yar │ │ ├── UrsnifV3.yar │ │ ├── VBCrypter.yar │ │ ├── XWorm.yar │ │ └── Zloader.yar │ ├── dll │ ├── capemon.dll │ ├── capemon_x64.dll │ ├── version.dll │ └── version_x64.dll │ ├── lib │ ├── __init__.py │ ├── api │ │ ├── __init__.py │ │ ├── process.py │ │ ├── screenshot.py │ │ └── utils.py │ ├── common │ │ ├── __init__.py │ │ ├── abstracts.py │ │ ├── common.py │ │ ├── constants.py │ │ ├── defines.py │ │ ├── errors.py │ │ ├── exceptions.py │ │ ├── hashing.py │ │ ├── parse_pe.py │ │ ├── rand.py │ │ ├── registry.py │ │ ├── results.py │ │ └── zip_utils.py │ └── core │ │ ├── __init__.py │ │ ├── compound.py │ │ ├── config.py │ │ ├── log.py │ │ ├── packages.py │ │ ├── pipe.py │ │ ├── privileges.py │ │ └── startup.py │ ├── modules │ ├── __init__.py │ ├── auxiliary │ │ ├── __init__.py │ │ ├── amsi.py │ │ ├── amsi_collector.py │ │ ├── browser.py │ │ ├── browsermonitor.py │ │ ├── digisig.py │ │ ├── disguise.py │ │ ├── dns_etw.py │ │ ├── during_script.py │ 
│ ├── evtx.py │ │ ├── filepickup.py │ │ ├── human.py │ │ ├── permissions.py │ │ ├── pre_script.py │ │ ├── recentfiles.py │ │ ├── screenshots.py │ │ ├── sslkeylogfile.py │ │ ├── tlsdump.py │ │ ├── usage.py │ │ ├── watchdownloads.py │ │ └── wmi_etw.py │ └── packages │ │ ├── Ie4uinit.py │ │ ├── __init__.py │ │ ├── access.py │ │ ├── applet.py │ │ ├── archive.py │ │ ├── autoit.py │ │ ├── batch.py │ │ ├── chm.py │ │ ├── chrome.py │ │ ├── chromium.py │ │ ├── chromium_ext.py │ │ ├── cpl.py │ │ ├── crx.py │ │ ├── dll.py │ │ ├── doc.py │ │ ├── doc2016.py │ │ ├── doc_antivm.py │ │ ├── edge.py │ │ ├── eml.py │ │ ├── exe.py │ │ ├── firefox.py │ │ ├── firefox_ext.py │ │ ├── generic.py │ │ ├── hta.py │ │ ├── hwp.py │ │ ├── ichitaro.py │ │ ├── ie.py │ │ ├── inf.py │ │ ├── inp.py │ │ ├── jar.py │ │ ├── js.py │ │ ├── js_antivm.py │ │ ├── lnk.py │ │ ├── mht.py │ │ ├── msbuild.py │ │ ├── msg.py │ │ ├── msi.py │ │ ├── msix.py │ │ ├── nsis.py │ │ ├── ollydbg.py │ │ ├── one.py │ │ ├── pdf.py │ │ ├── ppt.py │ │ ├── ppt2016.py │ │ ├── ps1.py │ │ ├── pub.py │ │ ├── pub2016.py │ │ ├── python.py │ │ ├── rar.py │ │ ├── rdp.py │ │ ├── reg.py │ │ ├── regsvr.py │ │ ├── sct.py │ │ ├── service.py │ │ ├── service_dll.py │ │ ├── shellcode.py │ │ ├── shellcode_x64.py │ │ ├── swf.py │ │ ├── tor_browser.py │ │ ├── vbejse.py │ │ ├── vbs.py │ │ ├── wsf.py │ │ ├── xls.py │ │ ├── xls2016.py │ │ ├── xps.py │ │ ├── xslt.py │ │ ├── zip.py │ │ └── zip_compound.py │ ├── prescripts │ └── prescript_detection.py │ ├── pytest.ini │ └── tests │ ├── lib │ ├── api │ │ └── test_process.py │ └── common │ │ └── test_abstracts.py │ ├── modules │ └── packages │ │ └── test_ps1.py │ ├── test_analysis_packages.py │ ├── test_analyzer.py │ ├── test_analyzer_files.py │ └── test_analyzer_process_list.py ├── changelog.md ├── conf ├── copy_configs.sh ├── default │ ├── api.conf.default │ ├── auxiliary.conf.default │ ├── aws.conf.default │ ├── az.conf.default │ ├── cuckoo.conf.default │ ├── cuckoomx.conf.default │ ├── 
distributed.conf.default │ ├── esx.conf.default │ ├── externalservices.conf.default │ ├── hosts.conf.default │ ├── integrations.conf.default │ ├── kvm.conf.default │ ├── logging.conf.default │ ├── malheur.conf.default │ ├── memory.conf.default │ ├── mitmdump.conf.default │ ├── multi.conf.default │ ├── physical.conf.default │ ├── processing.conf.default │ ├── proxmox.conf.default │ ├── qemu.conf.default │ ├── reporting.conf.default │ ├── routing.conf.default │ ├── smtp_sinkhole.conf.default │ ├── virtualbox.conf.default │ ├── vmware.conf.default │ ├── vmwarerest.conf.default │ ├── vmwareserver.conf.default │ ├── vpn.conf.default │ ├── vsphere.conf.default │ ├── web.conf.default │ └── xenserver.conf.default └── readme.md ├── cuckoo.py ├── custom ├── .gitignore ├── parsers │ └── __init__.py ├── signatures │ └── __init__.py └── yara │ ├── CAPE │ └── .placeholder │ ├── binaries │ └── .placeholder │ ├── macro │ └── .placeholder │ ├── memory │ └── .placeholder │ ├── monitor │ └── .placeholder │ └── urls │ └── .placeholder ├── data ├── .gitignore ├── __init__.py ├── dnsbl.py ├── family_detection_names.py ├── google_creds.json ├── html │ ├── base-report.html │ ├── base-web.html │ ├── browse.html │ ├── css │ │ ├── bootstrap.min.css │ │ ├── bootstrap.min.css.map │ │ └── style.css │ ├── error.html │ ├── generic │ │ ├── _dotnet.html │ │ ├── _file_info.html │ │ ├── _floss.html │ │ ├── _java.html │ │ ├── _lnk.html │ │ ├── _office.html │ │ ├── _pdf.html │ │ ├── _pe.html │ │ ├── _subfile_info.html │ │ ├── _virustotal.html │ │ └── _xlmmacro.html │ ├── graphic │ │ └── logo.html │ ├── img │ │ ├── glyphicons-halflings-white.png │ │ └── glyphicons-halflings.png │ ├── js │ │ ├── bootstrap.min.js │ │ ├── functions.js │ │ └── jquery.min.js │ ├── pagination-menu.html │ ├── pagination-rpp.html │ ├── report.html │ ├── sections │ │ ├── behavior.html │ │ ├── dropped.html │ │ ├── errors.html │ │ ├── file.html │ │ ├── info.html │ │ ├── memory │ │ │ ├── _apihooks.html │ │ │ ├── _callbacks.html │ │ 
│ ├── _devicetree.html │ │ │ ├── _gdt.html │ │ │ ├── _idt.html │ │ │ ├── _malfind.html │ │ │ ├── _messagehooks.html │ │ │ ├── _modscan.html │ │ │ ├── _netscan.html │ │ │ ├── _pslist.html │ │ │ ├── _sockscan.html │ │ │ ├── _ssdt.html │ │ │ ├── _svcscan.html │ │ │ ├── _timers.html │ │ │ └── _yarascan.html │ │ ├── network.html │ │ ├── payloads.html │ │ ├── screenshots.html │ │ ├── signatures.html │ │ ├── url.html │ │ └── volatility.html │ ├── statistics.html │ ├── statistics │ │ └── README │ ├── submit.html │ └── success.html ├── linux │ └── linux-syscalls.json ├── maec_api_call_mappings.json ├── safelist │ ├── __init__.py │ ├── disposable_domain_list.txt │ ├── domains.py │ └── replacepatterns.py ├── signature_overlay.json ├── src │ └── binpackage │ │ ├── Makefile │ │ └── execsc.c └── yara │ ├── CAPE │ ├── AgentTesla.yar │ ├── Amadey.yar │ ├── Arkei.yar │ ├── AsyncRAT.yar │ ├── Atlas.yar │ ├── AuroraStealer.yar │ ├── Azer.yar │ ├── Azorult.yar │ ├── BadRabbit.yar │ ├── Bazar.yar │ ├── BitPaymer.yar │ ├── BlackDropper.yar │ ├── Blister.yar │ ├── BruteRatel.yar │ ├── BuerLoader.yar │ ├── BumbleBee.yar │ ├── Carbanak.yar │ ├── CargoBayLoader.yar │ ├── Cerber.yar │ ├── CobaltStrikeBeacon.yar │ ├── CobaltStrikeStager.yar │ ├── Codoso.yar │ ├── Conti.yar │ ├── Cryptoshield.yar │ ├── DarkGate.yar │ ├── DoomedLoader.yar │ ├── DoppelPaymer.yar │ ├── Dreambot.yar │ ├── DridexLoader.yar │ ├── DridexV4.yar │ ├── Emotet.yar │ ├── EmotetLoader.yar │ ├── EternalRomance.yar │ ├── Fareit.yar │ ├── Formbook.yar │ ├── Gandcrab.yar │ ├── Gootkit.yar │ ├── Guloader.yar │ ├── Hancitor.yar │ ├── Hermes.yar │ ├── IcedID.yar │ ├── IcedIDLoader.yar │ ├── Jaff.yar │ ├── KoiLoader.yar │ ├── Kovter.yar │ ├── Kpot.yar │ ├── Kronos.yar │ ├── Latrodectus.yar │ ├── Lockbit.yar │ ├── Locky.yar │ ├── LokiBot.yar │ ├── Lumma.yar │ ├── Magniber.yar │ ├── MassLogger.yar │ ├── MegaCortex.yar │ ├── Mole.yar │ ├── NanoLocker.yar │ ├── Nemty.yar │ ├── NetTraveler.yar │ ├── Nighthawk.yar │ ├── 
NitrogenLoader.yar │ ├── Obfuscar.yar │ ├── Origin.yar │ ├── Oyster.yar │ ├── Pafish.yar │ ├── PetrWrap.yar │ ├── Petya.yar │ ├── PikaBot.yar │ ├── QakBot.yar │ ├── Quickbind.yar │ ├── RCSession.yar │ ├── Ramnit.yar │ ├── Remcos.yar │ ├── Rhadamanthys.yar │ ├── RokRat.yar │ ├── Rozena.yar │ ├── Ryuk.yar │ ├── Scarab.yar │ ├── Sedreco.yar │ ├── Seduploader.yar │ ├── SmokeLoader.yar │ ├── Socks5Systemz.yar │ ├── SparkRAT.yar │ ├── SquirrelWaffle.yar │ ├── Stealc.yar │ ├── TClient.yar │ ├── TSCookie.yar │ ├── TrickBot.yar │ ├── Ursnif.yar │ ├── UrsnifV3.yar │ ├── Varenyky.yar │ ├── Vidar.yar │ ├── WanaCry.yar │ ├── XenoRAT.yar │ ├── ZeroT.yar │ ├── ZeusPanda.yar │ └── Zloader.yar │ ├── binaries │ ├── HeavensGate.yar │ └── Themida.yar │ ├── macro │ └── test │ ├── memory │ └── .gitignore │ ├── monitor │ ├── .gitkeep │ └── yara │ ├── readme.md │ └── urls │ └── .gitignore ├── dev_utils ├── __init__.py ├── elasticsearchdb.py ├── mongo_hooks.py ├── mongodb.py └── readme.md ├── docs ├── README ├── book │ └── src │ │ ├── Makefile │ │ ├── _images │ │ ├── logo │ │ │ └── cape.png │ │ ├── schemas │ │ │ └── architecture-main.png │ │ └── screenshots │ │ │ ├── create_kvm_snapshot.png │ │ │ ├── creating_isolated_network_0.png │ │ │ ├── creating_isolated_network_1.png │ │ │ ├── creating_isolated_network_2.png │ │ │ ├── creating_isolated_network_3.png │ │ │ ├── creating_isolated_network_4.png │ │ │ ├── creating_isolated_network_5.png │ │ │ ├── creating_task_scheduler_0.png │ │ │ ├── creating_task_scheduler_1.png │ │ │ ├── creating_task_scheduler_2.png │ │ │ ├── debugger2disassembler.png │ │ │ ├── fog_host_management.png │ │ │ ├── fog_image_management.png │ │ │ ├── fog_scheduled_job.png │ │ │ ├── guest_win10_disable_firewall.png │ │ │ ├── guest_win10_disable_firewall_1.png │ │ │ ├── guest_win10_disable_updates.png │ │ │ ├── guest_win10_static_IP.png │ │ │ ├── guest_win10_static_IP_1.png │ │ │ ├── guest_win10_static_IP_2.png │ │ │ ├── guest_win10_static_IP_3.png │ │ │ ├── 
internal_external_snapshot.png │ │ │ ├── libvirt_error_virtmanager.png │ │ │ ├── login_error_user_usersprofile.png │ │ │ ├── no_signatures.png │ │ │ ├── python_guest_win10_installation_PATH.png │ │ │ ├── rooter_0.png │ │ │ ├── running_agentpy_within_guest_0.png │ │ │ ├── running_agentpy_within_guest_1.png │ │ │ ├── shared_folders.png │ │ │ ├── signatures.png │ │ │ ├── troubleshooting_0.png │ │ │ ├── troubleshooting_error_0.png │ │ │ ├── troubleshooting_error_1.png │ │ │ ├── troubleshooting_error_2.png │ │ │ ├── troubleshooting_error_3.png │ │ │ ├── windows_network.png │ │ │ ├── windows_registry.png │ │ │ └── windows_security.png │ │ ├── _static │ │ └── .gitkeep │ │ ├── conf.py │ │ ├── customization │ │ ├── auxiliary.rst │ │ ├── index.rst │ │ ├── machinery.rst │ │ ├── packages.rst │ │ ├── processing.rst │ │ ├── reporting.rst │ │ └── signatures.rst │ │ ├── development │ │ ├── code_style.rst │ │ ├── current_module_improvement.rst │ │ ├── development_notes.rst │ │ └── index.rst │ │ ├── faq │ │ └── index.rst │ │ ├── finalremarks │ │ └── index.rst │ │ ├── index.rst │ │ ├── installation │ │ ├── guest │ │ │ ├── additional_configuration.rst │ │ │ ├── agent.rst │ │ │ ├── cloning.rst │ │ │ ├── creation.rst │ │ │ ├── index.rst │ │ │ ├── linux.rst │ │ │ ├── network.rst │ │ │ ├── requirements.rst │ │ │ ├── saving.rst │ │ │ └── troubleshooting.rst │ │ ├── guest_physical │ │ │ ├── creation.rst │ │ │ ├── index.rst │ │ │ ├── network.rst │ │ │ ├── requirements.rst │ │ │ └── saving.rst │ │ ├── host │ │ │ ├── cloud.rst │ │ │ ├── configuration.rst │ │ │ ├── index.rst │ │ │ ├── installation.rst │ │ │ └── routing.rst │ │ ├── index.rst │ │ └── upgrade.rst │ │ ├── integrations │ │ ├── box-js.rst │ │ ├── curtain.rst │ │ ├── index.rst │ │ ├── librenms.rst │ │ ├── suricata.rst │ │ └── tracee-linux.rst │ │ ├── introduction │ │ ├── index.rst │ │ ├── license.rst │ │ ├── sandboxing.rst │ │ └── what.rst │ │ └── usage │ │ ├── api.rst │ │ ├── clean.rst │ │ ├── cluster_administration.rst │ │ ├── 
dist.rst │ │ ├── index.rst │ │ ├── interactive_desktop.rst │ │ ├── internals.rst │ │ ├── monitor.rst │ │ ├── packages.rst │ │ ├── patterns_replacement.rst │ │ ├── performance.rst │ │ ├── results.rst │ │ ├── rooter.rst │ │ ├── start.rst │ │ ├── submit.rst │ │ ├── utilities.rst │ │ └── web.rst └── requirements.txt ├── extra ├── browser_extension │ ├── README.md │ ├── background.js │ └── manifest.json ├── buildvswitch.sh ├── cape-fluentd.conf ├── guac related │ ├── fstab.in │ └── nginx-site-config.txt ├── libvirt_installer.sh ├── linux_agent.sh ├── optional_dependencies.txt ├── services │ ├── moloch │ └── openvswitch-switch ├── whitelist_domains.txt ├── whitelist_ips.txt ├── whitelist_network.txt └── yara_installer.sh ├── installer ├── README.md ├── cape2.sh ├── choco.bat ├── disable_win7noise.bat ├── kvm-qemu.sh ├── suricata_from_source.sh └── win10_disabler.ps1 ├── lib ├── __init__.py ├── cuckoo │ ├── __init__.py │ ├── common │ │ ├── __init__.py │ │ ├── abstracts.py │ │ ├── admin_utils.py │ │ ├── cape_utils.py │ │ ├── cents │ │ │ └── __init__.py │ │ ├── cleaners_utils.py │ │ ├── colors.py │ │ ├── compare.py │ │ ├── compressor.py │ │ ├── config.py │ │ ├── constants.py │ │ ├── decoders │ │ │ └── __init__.py │ │ ├── defines.py │ │ ├── demux.py │ │ ├── dictionary.py │ │ ├── dist_db.py │ │ ├── dns.py │ │ ├── dotnet_utils.py │ │ ├── email_utils.py │ │ ├── exceptions.py │ │ ├── extractor_utils.py │ │ ├── files.py │ │ ├── fraunhofer_helper.py │ │ ├── gcp.py │ │ ├── hypervisor_config.py │ │ ├── icon.py │ │ ├── integrations │ │ │ ├── XLMMacroDeobfuscator.py │ │ │ ├── __init__.py │ │ │ ├── capa.py │ │ │ ├── clamav.py │ │ │ ├── file_extra_info.py │ │ │ ├── file_extra_info_modules │ │ │ │ ├── __init__.py │ │ │ │ ├── overlay.py │ │ │ │ ├── pyinstaller.py │ │ │ │ └── readme.md │ │ │ ├── floss.py │ │ │ ├── mandiant_intel.py │ │ │ ├── mitre.py │ │ │ ├── office_one.py │ │ │ ├── parse_dotnet.py │ │ │ ├── parse_elf.py │ │ │ ├── parse_encoded_script.py │ │ │ ├── parse_hwp.py │ │ │ ├── 
parse_java.py │ │ │ ├── parse_lnk.py │ │ │ ├── parse_office.py │ │ │ ├── parse_pdf.py │ │ │ ├── parse_pe.py │ │ │ ├── parse_rdp.py │ │ │ ├── parse_url.py │ │ │ ├── parse_wsf.py │ │ │ ├── pdfminer.py │ │ │ ├── peepdf.py │ │ │ ├── pyinstxtractor.py │ │ │ ├── strings.py │ │ │ ├── vba2graph.py │ │ │ ├── vbadeobf.py │ │ │ ├── vbe_decoder.py │ │ │ └── virustotal.py │ │ ├── irc.py │ │ ├── load_extra_modules.py │ │ ├── logo.py │ │ ├── logtbl.py │ │ ├── mapTTPs.py │ │ ├── misc.py │ │ ├── netlog.py │ │ ├── objects.py │ │ ├── path_utils.py │ │ ├── quarantine.py │ │ ├── replace_patterns_utils.py │ │ ├── safelist.py │ │ ├── saztopcap.py │ │ ├── scoring.py │ │ ├── socket_utils.py │ │ ├── sshclient.py │ │ ├── structures.py │ │ ├── suri_specs.py │ │ ├── suricata_detection.py │ │ ├── suricatasc.py │ │ ├── trim_utils.py │ │ ├── url_validate.py │ │ ├── utils.py │ │ ├── utils_dicts.py │ │ ├── utils_pretty_print_funcs.py │ │ ├── web_utils.py │ │ └── webadmin_utils.py │ └── core │ │ ├── __init__.py │ │ ├── analysis_manager.py │ │ ├── database.py │ │ ├── guest.py │ │ ├── log.py │ │ ├── machinery_manager.py │ │ ├── plugins.py │ │ ├── resultserver.py │ │ ├── rooter.py │ │ ├── scheduler.py │ │ └── startup.py └── downloaders │ ├── __init__.py │ ├── malwarebazaar.py │ └── virustotal.py ├── modules ├── __init__.py ├── auxiliary │ ├── AzSniffer.py │ ├── Mitmdump.py │ ├── QemuScreenshots.py │ ├── __init__.py │ └── sniffer.py ├── feeds │ └── __init__.py ├── machinery │ ├── __init__.py │ ├── aws.py │ ├── az.py │ ├── esx.py │ ├── kvm.py │ ├── multi.py │ ├── physical.py │ ├── proxmox.py │ ├── qemu.py │ ├── virtualbox.py │ ├── vmware.py │ ├── vmwarerest.py │ ├── vmwareserver.py │ ├── vsphere.py │ └── xenserver.py ├── processing │ ├── CAPE.py │ ├── __init__.py │ ├── amsi.py │ ├── analysisinfo.py │ ├── antiransomware.py │ ├── behavior.py │ ├── boxjs.py │ ├── debug.py │ ├── decompression.py │ ├── deduplication.py │ ├── dumptls.py │ ├── maliciousmacrobot.py │ ├── memory.py │ ├── network.py │ ├── 
pcapng.py │ ├── platform │ │ └── linux.py │ ├── procmemory.py │ ├── procmon.py │ ├── reversinglabs.py │ ├── script_log_processing.py │ ├── strace.py │ ├── suricata.py │ ├── url_analysis.py │ └── usage.py ├── reporting │ ├── __init__.py │ ├── bingraph.py │ ├── browserext.py │ ├── callback.py │ ├── compression.py │ ├── elasticsearchdb.py │ ├── jsondump.py │ ├── litereport.py │ ├── maec41.py │ ├── maec5.py │ ├── mitre.py │ ├── mongodb.py │ ├── report_doc.py │ └── tmpfsclean.py └── signatures │ ├── CAPE.py │ ├── __init__.py │ ├── all │ └── __init__.py │ ├── cape_extracted.py │ ├── https.py │ ├── linux │ └── __init__.py │ └── windows │ └── __init__.py ├── poetry.lock ├── pyproject.toml ├── requirements.txt ├── systemd ├── README.md ├── cape-dist.service ├── cape-fstab.service ├── cape-processor.service ├── cape-rooter.service ├── cape-web.service ├── cape.service ├── guac-web.service ├── guacd.service ├── suricata-update.service ├── suricata-update.timer └── suricata.service ├── tests ├── conftest.py ├── email_test.py ├── grab_samples.py ├── integrity.py ├── processor_tests.py ├── readme.md ├── reporter_tests.py ├── sniffer_tests.py ├── tcr_misc.py ├── test_abstracts.py ├── test_analysis_manager.py ├── test_behavior.py ├── test_bson.bson ├── test_cape_utils.py ├── test_cleaners_utils.py ├── test_colors.py ├── test_compressor.py ├── test_config.py ├── test_data │ ├── 1 │ │ └── reports │ │ │ └── report.json │ ├── 2 │ │ └── reports │ │ │ └── report.json │ └── 3 │ │ └── reports │ │ └── report.json ├── test_database.py ├── test_demux.py ├── test_dist_db.py ├── test_downloaders.py ├── test_file_extra_info.py ├── test_files.py ├── test_icon.py ├── test_logo.py ├── test_mitre.py ├── test_netlog.py ├── test_objects.py ├── test_parse_office.py ├── test_peepdf.py ├── test_processing.py ├── test_quarantine.py ├── test_signature.py ├── test_strings.py ├── test_suricata_naming.py ├── test_tls_utils.py ├── test_utils.py ├── test_utils_pretty_print_funcs.py ├── test_web_utils.py ├── 
test_yara.py ├── utils_pretty_print_funcs_data.py ├── web │ ├── test_apiv2.py │ └── test_submission_views.py └── zip_compound │ ├── files │ ├── example_config.json │ └── misconfiguration.json │ ├── test_extract_path.py │ ├── test_json_config.py │ └── test_windows_zip_compound.py ├── utils ├── __init__.py ├── admin.py ├── cleaners.py ├── community.py ├── community_blocklist.py ├── db_migration │ ├── alembic.ini │ ├── env.py │ ├── script.py.mako │ └── versions │ │ ├── 2.2-cape.py │ │ ├── 2_3_1_square_hammer.py │ │ ├── 2_3_2_custom_auth_usernames.py │ │ ├── 2_3_3_add_arch_to_machine_conf.py │ │ ├── 2_3_3_expand_error_message.py │ │ ├── 2_3_task2user_id.py │ │ ├── 2_4_0_change_options_to_text.py │ │ ├── add_distributed.py │ │ ├── add_on_delete_cascade_to_task_tags_.py │ │ ├── add_platform_column_for_guests.py │ │ ├── add_reserved_column_for_machines.py │ │ ├── add_sample_parent_id.py │ │ ├── add_shrike_and_parent_id_columns.py │ │ ├── add_source_url.py │ │ ├── add_task_tlp.py │ │ ├── from_0_6_to_1_1.py │ │ ├── from_1_1_to_1_2-added_states.py │ │ ├── from_1_1_to_1_2-extend_file_type.py │ │ ├── from_1_2_to_1_2-accuvant-add_statistics.py │ │ ├── options_255_2_1024.py │ │ ├── proper_indexes.py │ │ └── set_guest_platform_to_non_nullable.py ├── db_migration_dist │ ├── alembic.ini │ ├── env.py │ ├── script.py.mako │ └── versions │ │ ├── dist_1.2.py │ │ ├── dist_1.3.py │ │ └── dist_1_1.py ├── dist.py ├── down.py ├── fstab.py ├── process.py ├── profiling.py ├── proxy2cape.py ├── rooter.py ├── route.py ├── router_manager.py ├── sample_path.py ├── submit.py ├── tcpdumpwrapper.py ├── tls.py ├── vpn2cape.py └── vpncheck.py ├── uwsgi ├── cape.conf ├── cape.ini └── capedist.ini └── web ├── analysis ├── __init__.py ├── forms.py ├── templatetags │ ├── __init__.py │ ├── analysis_tags.py │ ├── generic_tags.py │ ├── key_tags.py │ └── pdf_tags.py ├── urls.py └── views.py ├── apiv2 ├── __init__.py ├── throttling.py ├── urls.py └── views.py ├── captcha_admin ├── __init__.py ├── admin.py ├── 
apps.py ├── forms.py ├── mixins.py ├── models.py └── templates │ └── admin │ └── captcha_login.html ├── compare ├── __init__.py ├── urls.py └── views.py ├── dashboard ├── __init__.py ├── urls.py └── views.py ├── guac ├── __init__.py ├── consumers.py ├── routing.py ├── templates │ └── guac │ │ ├── error.html │ │ ├── index.html │ │ └── wait.html ├── urls.py └── views.py ├── manage.py ├── static ├── css │ ├── bootstrap-social.min.css │ ├── bootstrap-social.min.css.map │ ├── bootstrap.min.css │ ├── bootstrap.min.css.map │ ├── datatables.min.css │ ├── fontawesome-all.css │ ├── guac-main.css │ ├── guac-playback.css │ ├── lightbox.css │ └── style.css ├── django_extensions │ ├── css │ │ └── jquery.autocomplete.css │ ├── img │ │ └── indicator.gif │ └── js │ │ ├── jquery.ajaxQueue.js │ │ ├── jquery.autocomplete.js │ │ └── jquery.bgiframe.js ├── generated │ └── README ├── graphic │ ├── background.png │ └── cape.png ├── img │ ├── cape.png │ ├── close.png │ ├── github_login.png │ ├── google_login.png │ ├── loading.gif │ ├── next.png │ └── prev.png ├── js │ ├── bootstrap-fileupload.js │ ├── bootstrap-transition.js │ ├── bootstrap.min.js │ ├── bootstrap.min.js.map │ ├── crypto-js.min.js │ ├── datatables.min.js │ ├── guac-main.js │ ├── guac-playback.js │ ├── guacamole-1.4.0-all.min.js │ ├── hexdump.js │ ├── jquery-ui.min.js │ ├── jquery.js │ ├── lightbox.js │ ├── moment.min.js │ └── pako_inflate.min.js └── webfonts │ ├── fa-brands-400.ttf │ ├── fa-brands-400.woff2 │ ├── fa-regular-400.ttf │ ├── fa-regular-400.woff2 │ ├── fa-solid-900.ttf │ ├── fa-solid-900.woff2 │ ├── fa-v4compatibility.ttf │ └── fa-v4compatibility.woff2 ├── submission ├── __init__.py ├── urls.py └── views.py ├── templates ├── account │ ├── account_inactive.html │ ├── email.html │ ├── email_confirm.html │ ├── login.html │ ├── logout.html │ ├── password_change.html │ ├── password_reset.html │ ├── password_reset_done.html │ ├── password_reset_from_key.html │ ├── password_reset_from_key_done.html │ ├── signup.html │ 
├── signup_closed.html │ ├── verification_sent.html │ └── verified_email_required.html ├── admin │ ├── base_site.html │ └── captcha_login.html ├── analysis │ ├── CAPE │ │ └── index.html │ ├── admin │ │ └── index.html │ ├── antivirus.html │ ├── backscatter.html │ ├── behavior │ │ ├── _api_call.html │ │ ├── _chunk.html │ │ ├── _processes.html │ │ ├── _search.html │ │ ├── _search_results.html │ │ ├── _tree.html │ │ └── index.html │ ├── classification.html │ ├── comments │ │ └── index.html │ ├── debugger │ │ └── index.html │ ├── dropped │ │ └── index.html │ ├── generic │ │ ├── _capeyara.html │ │ ├── _dotnet.html │ │ ├── _file_info.html │ │ ├── _floss.html │ │ ├── _java.html │ │ ├── _lnk.html │ │ ├── _office.html │ │ ├── _pdf.html │ │ ├── _pe.html │ │ ├── _rdp.html │ │ ├── _subfile_capeyara.html │ │ ├── _subfile_info.html │ │ ├── _subfile_yara.html │ │ ├── _virustotal.html │ │ ├── _xlmmacro.html │ │ └── _yara.html │ ├── index.html │ ├── memory │ │ ├── _apihooks.html │ │ ├── _callbacks.html │ │ ├── _devicetree.html │ │ ├── _dlllist.html │ │ ├── _gdt.html │ │ ├── _getsids.html │ │ ├── _handles.html │ │ ├── _idt.html │ │ ├── _malfind.html │ │ ├── _messagehooks.html │ │ ├── _modscan.html │ │ ├── _mutantscan.html │ │ ├── _netscan.html │ │ ├── _privs.html │ │ ├── _pslist.html │ │ ├── _psscan.html │ │ ├── _rootkit.html │ │ ├── _sockscan.html │ │ ├── _ssdt.html │ │ ├── _svcscan.html │ │ ├── _timers.html │ │ ├── _yarascan.html │ │ └── index.html │ ├── misp │ │ └── index.html │ ├── network │ │ ├── _cif.html │ │ ├── _dns.html │ │ ├── _dns_not_ajax.html │ │ ├── _hosts.html │ │ ├── _hosts_not_ajax.html │ │ ├── _http.html │ │ ├── _icmp.html │ │ ├── _irc.html │ │ ├── _smtp.html │ │ ├── _suricata_alerts.html │ │ ├── _suricata_files.html │ │ ├── _suricata_http.html │ │ ├── _suricata_tls.html │ │ ├── _tcp.html │ │ ├── _udp.html │ │ └── index.html │ ├── overview │ │ ├── _capa_summary.html │ │ ├── _curtain.html │ │ ├── _info.html │ │ ├── _mitre.html │ │ ├── _playback.html │ │ ├── 
_reports.html │ │ ├── _screenshots.html │ │ ├── _signatures.html │ │ ├── _statistics.html │ │ ├── _summary.html │ │ ├── _url.html │ │ ├── _usage.html │ │ └── index.html │ ├── pending.html │ ├── procdump │ │ └── index.html │ ├── procmemory │ │ └── index.html │ ├── report.html │ ├── search.html │ ├── shrike.html │ ├── similar │ │ └── index.html │ ├── strace │ │ ├── _api_call.html │ │ ├── _chunk.html │ │ ├── _processes.html │ │ ├── _search.html │ │ ├── _syscall.html │ │ ├── _tree.html │ │ └── index.html │ ├── surialert.html │ ├── surifiles.html │ ├── surihttp.html │ ├── suritls.html │ └── tracee │ │ └── index.html ├── apiv2 │ └── index.html ├── auth │ ├── base.html │ ├── base_site.html │ ├── login.html │ └── logout.html ├── base.html ├── compare │ ├── _info.html │ ├── _summary_table.html │ ├── both.html │ ├── hash.html │ └── left.html ├── dashboard │ └── index.html ├── error.html ├── footer.html ├── header.html ├── robots.txt ├── socialaccount │ ├── authentication_error.html │ ├── connections.html │ ├── login_cancelled.html │ └── signup.html ├── standalone_error.html ├── statistics.html ├── submission │ ├── complete.html │ ├── index.html │ ├── remote_status.html │ └── status.html ├── success.html ├── success_simple.html └── success_vtup.html ├── users ├── __init__.py ├── admin.py ├── apps.py ├── migrations │ ├── 0001_initial.py │ ├── 0002_reports.py │ ├── 0003_rename_field_subscription.py │ └── __init__.py ├── models.py ├── tests.py └── views.py └── web ├── __init__.py ├── allauth_adapters.py ├── allauth_forms.py ├── asgi.py ├── guac_settings.py ├── guac_urls.py ├── headers.py ├── local_settings.py ├── middleware ├── __init__.py ├── custom_auth.py └── db_transaction.py ├── settings.py ├── urls.py ├── views.py └── wsgi.py /.actrc: -------------------------------------------------------------------------------- 1 | # Nektos act runs tests as root. Without this environment variable 2 | # being set, CAPE exits at line 10 of web/web/settings.py, 3 | # and no tests are run. 
4 | 5 | --env CAPE_AS_ROOT=1 6 | -------------------------------------------------------------------------------- /.github/workflows/pip-audit.yml: -------------------------------------------------------------------------------- 1 | name: PIP audit 2 | 3 | on: 4 | schedule: 5 | - cron: '0 8 * * 1' 6 | 7 | jobs: 8 | test: 9 | runs-on: ubuntu-latest 10 | timeout-minutes: 20 11 | strategy: 12 | matrix: 13 | python-version: ["3.10"] 14 | 15 | steps: 16 | - name: Check out repository code 17 | uses: actions/checkout@v4 18 | 19 | - uses: pypa/gh-action-pip-audit@v1.0.8 20 | with: 21 | inputs: requirements.txt 22 | -------------------------------------------------------------------------------- /.github/workflows/todo.yml_disabled: -------------------------------------------------------------------------------- 1 | name: "ToDo to issue" 2 | 3 | on: 4 | push: 5 | branches: [ master ] 6 | 7 | jobs: 8 | build: 9 | runs-on: "ubuntu-latest" 10 | steps: 11 | - uses: "actions/checkout@master" 12 | - name: "TODO to Issue" 13 | uses: "alstr/todo-to-issue-action@v4.6.8" 14 | id: "todo" 15 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | *.DS_Store 3 | *.log 4 | *.db 5 | *.sqlite 6 | *.pyc 7 | *.yarc 8 | __pycache__/ 9 | .cache/ 10 | .local/ 11 | .env/ 12 | .vscode 13 | env/ 14 | tests/test_objects/ 15 | log/ 16 | storage/ 17 | conf/*.conf 18 | 19 | web/web/secret_key.py 20 | tests/test_bson.bson.compressed 21 | *~ 22 | 23 | installer/cape-config.sh 24 | installer/kvm-config.sh 25 | 26 | docs/book/src/_build -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "tests/data"] 2 | path = tests/data 3 | url = https://github.com/CAPESandbox/CAPE-TestFiles.git 4 | 
-------------------------------------------------------------------------------- /.yara-ci.yml: -------------------------------------------------------------------------------- 1 | files: 2 | accept: 3 | - "data/yara/**.yar" 4 | - "analyzer/windows/data/yara/**.yar" 5 | 6 | false_positives: 7 | ignore: 8 | - rule: "CobaltStrikeBeacon" 9 | - rule: "Emotet" 10 | - rule: "NSIS" 11 | - rule: "UPX" 12 | - rule: "Syscall" 13 | - rule: "FormhookB" 14 | -------------------------------------------------------------------------------- /CITATION.cff: -------------------------------------------------------------------------------- 1 | cff-version: 1.2.0 2 | title: "CAPE: Malware Configuration And Payload Extraction" 3 | message: "If you use this software, please cite it as below." 4 | type: software 5 | authors: 6 | - given-names: Kevin 7 | family-names: O'Reilly 8 | - given-names: Andriy 9 | family-names: Brukhovetskyy 10 | url: "https://github.com/kevoreilly/CAPEv2" 11 | version: 2 12 | abstract: > 13 | CAPEv2: Malware Configuration And Payload Extraction is a 14 | malware sandbox. 15 | keywords: 16 | - malware 17 | - sandbox 18 | - cape 19 | - capev2 20 | - analysis 21 | license: GPL-3.0 22 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security Policy 2 | 3 | ## Supported Versions 4 | 5 | Use this section to tell people about which versions of your project are 6 | currently being supported with security updates. 
7 | 8 | | Version | Supported | 9 | | ------- | ------------------ | 10 | | 5.1.x | :white_check_mark: | 11 | | 5.0.x | :x: | 12 | | 4.0.x | :white_check_mark: | 13 | | < 4.0 | :x: | 14 | 15 | ## Reporting a Vulnerability 16 | 17 | To report any issue send email to kev@capesandbox.com or https://twitter.com/CapeSandbox 18 | -------------------------------------------------------------------------------- /agent/pytest.ini: -------------------------------------------------------------------------------- 1 | [pytest] 2 | pythonpath = . 3 | asyncio_mode = auto 4 | -------------------------------------------------------------------------------- /analyzer/linux/dbus_next/__version__.py: -------------------------------------------------------------------------------- 1 | __title__ = "dbus_next" 2 | __description__ = "A zero-dependency DBus library for Python with asyncio support" 3 | __url__ = "https://github.com/altdesktop/python-dbus-next" 4 | __version__ = "0.2.3" 5 | __author__ = "Tony Crisci" 6 | __author_email__ = "tony@dubstepdish.com" 7 | __license__ = "MIT" 8 | __copyright__ = "Copyright 2019 Tony Crisci" 9 | -------------------------------------------------------------------------------- /analyzer/linux/dbus_next/_private/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/analyzer/linux/dbus_next/_private/__init__.py -------------------------------------------------------------------------------- /analyzer/linux/dbus_next/_private/constants.py: -------------------------------------------------------------------------------- 1 | from enum import Enum 2 | 3 | PROTOCOL_VERSION = 1 4 | 5 | LITTLE_ENDIAN = ord("l") 6 | BIG_ENDIAN = ord("B") 7 | 8 | 9 | class HeaderField(Enum): 10 | PATH = 1 11 | INTERFACE = 2 12 | MEMBER = 3 13 | ERROR_NAME = 4 14 | REPLY_SERIAL = 5 15 | DESTINATION = 6 16 | SENDER = 7 17 | SIGNATURE = 8 18 | 
UNIX_FDS = 9 19 | -------------------------------------------------------------------------------- /analyzer/linux/dbus_next/aio/__init__.py: -------------------------------------------------------------------------------- 1 | from .message_bus import MessageBus 2 | from .proxy_object import ProxyInterface, ProxyObject 3 | -------------------------------------------------------------------------------- /analyzer/linux/dbus_next/py.typed: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/analyzer/linux/dbus_next/py.typed -------------------------------------------------------------------------------- /analyzer/linux/lib/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/analyzer/linux/lib/__init__.py -------------------------------------------------------------------------------- /analyzer/linux/lib/api/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/analyzer/linux/lib/api/__init__.py -------------------------------------------------------------------------------- /analyzer/linux/lib/common/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/analyzer/linux/lib/common/__init__.py -------------------------------------------------------------------------------- /analyzer/linux/lib/common/constants.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2014-2016 Cuckoo Foundation. 
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.

import os
import tempfile

from lib.common.rand import random_string

# Analysis root: a randomly named directory beneath the system temp dir.
# The name is drawn once, at import time, so one process sees one ROOT.
ROOT = os.path.join(tempfile.gettempdir(), random_string(6, 10))

# Working sub-directories of ROOT keyed by role; "root" maps to ROOT itself.
PATHS = {
    "root": ROOT,
    **{sub: os.path.join(ROOT, sub) for sub in ("logs", "files", "shots", "memory", "drop")},
}

# Name of the "curdir" package option (its consumers live outside this module).
OPT_CURDIR = "curdir"
# -------------------------------------------------------------------------------- /analyzer/linux/lib/common/exceptions.py: --------------------------------------------------------------------------------
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.


class CuckooError(Exception):
    """Generic analyzer error."""


class CuckooPackageError(Exception):
    """Error attributed to an analysis package.

    Derives from Exception directly, not from CuckooError, so a handler for
    CuckooError does not catch it.
    """
# -------------------------------------------------------------------------------- /analyzer/linux/lib/common/hashing.py: --------------------------------------------------------------------------------
# Copyright (C) 2014-2016 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.

import hashlib

# Chunk size for the streaming read loop (1 MiB).
BUFSIZE = 1024 * 1024


def sha256_file(path):
    """Return the hex SHA-256 digest of the file at *path*."""
    return hash_file(hashlib.sha256, path)


def hash_file(method, path):
    """Hash a file in BUFSIZE chunks so large files are never read whole.
    @param method: zero-argument callable returning a hashlib-style object
        (must provide ``update`` and ``hexdigest``)
    @param path: path of the file to hash
    @return: hex digest string
    """
    digest = method()
    with open(path, "rb") as fh:
        # iter() with a b"" sentinel stops at the first empty read, i.e. EOF.
        for chunk in iter(lambda: fh.read(BUFSIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()
# -------------------------------------------------------------------------------- /analyzer/linux/lib/common/rand.py: --------------------------------------------------------------------------------
import random
import string


def random_string(minimum, maximum=None, charset=None):
    """Return a random string whose length lies in [minimum, maximum].
    @param minimum: shortest allowed length (the exact length when *maximum*
        is omitted)
    @param maximum: longest allowed length, or None for a fixed length
    @param charset: characters to draw from; ASCII letters when falsy
    @return: the generated string
    Uses the ``random`` module, which is not a source of secret-grade
    randomness; this is only used for naming here.
    """
    if maximum is None:
        maximum = minimum

    length = random.randint(minimum, maximum)
    alphabet = charset or string.ascii_letters
    return "".join(random.choice(alphabet) for _ in range(length))


def random_integer(digits):
    """Return a random integer with exactly *digits* decimal digits."""
    lower = 10 ** (digits - 1)
    upper = 10**digits - 1
    return random.randint(lower, upper)
# -------------------------------------------------------------------------------- /analyzer/linux/lib/core/__init__.py: --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/analyzer/linux/lib/core/__init__.py
# -------------------------------------------------------------------------------- /analyzer/linux/modules/__init__.py: --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/analyzer/linux/modules/__init__.py
# -------------------------------------------------------------------------------- /analyzer/linux/modules/auxiliary/__init__.py: --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/analyzer/linux/modules/auxiliary/__init__.py
# -------------------------------------------------------------------------------- /analyzer/linux/modules/packages/__init__.py: --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/analyzer/linux/modules/packages/__init__.py
# -------------------------------------------------------------------------------- /analyzer/linux/modules/packages/bash.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# Copyright (C) 2015 Dmitry Rodionov
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.

from lib.core.packages import Package


class Bash(Package):
    """Bash shell script analysis package."""

    def prepare(self):
        """Run the sample as a bash script.

        The original target (the script) becomes the first argument and
        /bin/bash takes its place as the program to launch.
        """
        script = self.target
        self.args = [script] + self.args
        self.target = "/bin/bash"
# -------------------------------------------------------------------------------- /analyzer/linux/modules/packages/deb.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# Copyright (C) 2024 xiangchen96
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.
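from lib.core.packages import Package


class Deb(Package):
    """Deb analysis package."""

    def prepare(self):
        """Install the sample with dpkg.

        The .deb path becomes the first argument and the launch target is
        replaced by ``dpkg -i``.
        """
        self.args = [self.target] + self.args
        self.target = "dpkg -i"
# -------------------------------------------------------------------------------- /analyzer/linux/modules/packages/doc.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# Copyright (C) 2018 phdphuc
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.

import subprocess

from lib.core.packages import Package


class Doc(Package):
    """LibreOffice document analysis package (opens the sample with LibreOffice Writer)."""

    def prepare(self):
        """Make the document executable, then hand it to LibreOffice Writer.

        The target path is set outside this module, so chmod receives it as a
        separate argv element instead of through a shell command string; a
        path containing quotes or other shell metacharacters therefore cannot
        alter the command. chmod's exit status is ignored, as it was before.
        """
        subprocess.run(["/bin/chmod", "+x", self.target], check=False)
        self.args = [self.target] + self.args
        self.target = "/usr/bin/libreoffice --writer"
# -------------------------------------------------------------------------------- /analyzer/linux/modules/packages/firefox.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# Copyright (C) 2018 phdphuc
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.

from lib.core.packages import Package


class Ff(Package):
    """Firefox analysis package."""

    def prepare(self):
        """Open the sample with /usr/bin/firefox, passing it as the first argument."""
        self.args = [self.target] + self.args
        self.target = "/usr/bin/firefox"
# -------------------------------------------------------------------------------- /analyzer/linux/modules/packages/generic.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# Copyright (C) 2018 phdphuc
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.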
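import subprocess

from lib.core.packages import Package


class Generic(Package):
    """Generic analysis package: runs the sample through ``sh -c``."""

    def prepare(self):
        """Make the sample executable, then run it via ``sh -c``.

        The target path is set outside this module, so chmod receives it as a
        separate argv element rather than through a shell command string, and
        its exit status is ignored as before. Note that the launch target then
        becomes ``sh -c`` with the sample path as its first argument, so the
        path is still parsed as a shell command string when the package starts.
        """
        subprocess.run(["/bin/chmod", "+x", self.target], check=False)
        self.args = [self.target] + self.args
        self.target = "sh -c"
# -------------------------------------------------------------------------------- /analyzer/linux/modules/packages/jar.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# Copyright (C) 2018 phdphuc
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.

from lib.core.packages import Package


class Jar(Package):
    """Java analysis package."""

    def prepare(self):
        """Run the sample with /usr/bin/java.

        With the "class" option set, the sample is used as the classpath and
        the option value as the class to run (``-cp <sample> <class>``);
        otherwise the sample is launched with ``-jar``.
        """
        class_name = self.options.get("class")
        if class_name:
            java_args = ["-cp", self.target, class_name]
        else:
            java_args = ["-jar", self.target]
        self.args = java_args + self.args
        self.target = "/usr/bin/java"
# -------------------------------------------------------------------------------- /analyzer/linux/modules/packages/js.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# Copyright (C) 2015 Dmitry Rodionov
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.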
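from lib.core.packages import Package


class Js(Package):
    """JavaScript analysis package (runs the sample with node)."""

    def prepare(self):
        """Run the sample with /usr/bin/node, passing it as the first argument."""
        self.args = [self.target] + self.args
        self.target = "/usr/bin/node"
# -------------------------------------------------------------------------------- /analyzer/linux/modules/packages/pdf.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# Copyright (C) 2015 Dmitry Rodionov
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.

import subprocess

from lib.core.packages import Package


class Pdf(Package):
    """PDF analysis package (opens the sample with xpdf)."""

    def prepare(self):
        """Make the sample executable, then open it with /usr/bin/xpdf.

        The target path is set outside this module, so chmod receives it as a
        separate argv element instead of through a shell command string; a
        path containing quotes or other shell metacharacters therefore cannot
        alter the command. chmod's exit status is ignored, as it was before.
        """
        subprocess.run(["/bin/chmod", "+x", self.target], check=False)
        self.args = [self.target] + self.args
        self.target = "/usr/bin/xpdf"
# -------------------------------------------------------------------------------- /analyzer/linux/modules/packages/perl.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# Copyright (C) 2018 phdphuc
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.

from lib.core.packages import Package


class Perl(Package):
    """Perl script analysis package."""

    def prepare(self):
        """Run the sample with /usr/bin/perl, passing it as the first argument."""
        self.args = [self.target] + self.args
        self.target = "/usr/bin/perl"
# -------------------------------------------------------------------------------- /analyzer/linux/modules/packages/python.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# Copyright (C) 2018 phdphuc
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.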
from lib.core.packages import Package


class Python(Package):
    """Python script analysis package."""

    def prepare(self):
        """Run the sample with /usr/bin/python, passing it as the first argument."""
        script = self.target
        self.args = [script] + self.args
        self.target = "/usr/bin/python"
# -------------------------------------------------------------------------------- /analyzer/linux/modules/packages/python_whl.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# Copyright (C) 2024 xiangchen96
# This software may be modified and distributed under the terms
# of the MIT license. See the LICENSE file for details.

from lib.core.packages import Package


class Python_whl(Package):
    """Python wheel analysis package."""

    def prepare(self):
        """Install the wheel with pip.

        The wheel path becomes the first argument of
        ``/usr/bin/python -m pip install``.
        """
        wheel = self.target
        self.args = [wheel] + self.args
        self.target = "/usr/bin/python -m pip install"
# -------------------------------------------------------------------------------- /analyzer/windows/bin/PPLinject.exe: --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/analyzer/windows/bin/PPLinject.exe
# -------------------------------------------------------------------------------- /analyzer/windows/bin/PPLinject64.exe: --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/analyzer/windows/bin/PPLinject64.exe
# -------------------------------------------------------------------------------- /analyzer/windows/bin/autoit3.exe: --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/analyzer/windows/bin/autoit3.exe
# -------------------------------------------------------------------------------- /analyzer/windows/bin/loader.exe: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/analyzer/windows/bin/loader.exe -------------------------------------------------------------------------------- /analyzer/windows/bin/loader_x64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/analyzer/windows/bin/loader_x64.exe -------------------------------------------------------------------------------- /analyzer/windows/bin/psexec.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/analyzer/windows/bin/psexec.exe -------------------------------------------------------------------------------- /analyzer/windows/bin/signtool.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/analyzer/windows/bin/signtool.exe -------------------------------------------------------------------------------- /analyzer/windows/data/yara/AntiCuckoo.yar: -------------------------------------------------------------------------------- 1 | rule AntiCuckoo 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "AntiCuckoo bypass: https://github.com/therealdreg/anticuckoo" 6 | cape_options = "bp0=$HKActivOldStackCrash+36,action0=jmp,count=1" 7 | hash = "ad5e52f144bb4a1dae3090978c6ecb4c7732538c9b62a6cedd32eccee6094be5" 8 | strings: 9 | $HKActivOldStackCrash = {5B 81 FB FA FA FA FA 74 01 41 3B E0 75 ?? 83 E9 0B 83 F9 04 7F 04 C6 45 ?? 00 89 4D ?? 89 65 ?? 80 7D ?? 
00 74} 10 | condition: 11 | uint16(0) == 0x5A4D and all of them 12 | } 13 | -------------------------------------------------------------------------------- /analyzer/windows/data/yara/BuerLoader.yar: -------------------------------------------------------------------------------- 1 | rule BuerLoader 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "BuerLoader RDTSC Trap Bypass" 6 | cape_options = "bp0=$trap+43,action0=skip,count=0" 7 | strings: 8 | $trap = {0F 31 89 45 ?? 6A 00 8D 45 ?? 8B CB 50 E8 [4] 0F 31} 9 | condition: 10 | uint16(0) == 0x5A4D and any of them 11 | } 12 | -------------------------------------------------------------------------------- /analyzer/windows/data/yara/CargoBayLoader.yar: -------------------------------------------------------------------------------- 1 | rule CargoBayLoader 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "CargoBayLoader anti-vm bypass" 6 | cape_options = "bp0=$jmp1+4,action0=skip,bp1=$jmp2+2,action1=skip,count=1,force-sleepskip=1" 7 | hash = "75e975031371741498c5ba310882258c23b39310bd258239277708382bdbee9c" 8 | strings: 9 | $jmp1 = {40 42 0F 00 0F 82 [2] 00 00 48 8D 15 [4] BF 04 00 00 00 41 B8 04 00 00 00 4C 8D [3] 4C 89 F1 E8} 10 | $jmp2 = {84 DB 0F 85 [2] 00 00 48 8D 15 [4] 41 BE 03 00 00 00 41 B8 03 00 00 00 4C 8D 7C [2] 4C 89 F9 E8} 11 | condition: 12 | uint16(0) == 0x5A4D and all of them 13 | } 14 | -------------------------------------------------------------------------------- /analyzer/windows/data/yara/DoomedLoader.yar: -------------------------------------------------------------------------------- 1 | rule DoomedLoader 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | cape_options = "clear,bp0=$anti*-4,action0=setzeroflag,sysbp=$syscall+7,count=0,procdump=2" 6 | packed = "914b1b3180e7ec1980d0bafe6fa36daade752bb26aec572399d2f59436eaa635" 7 | strings: 8 | $anti = {48 8B 4C 24 ?? 
E8 [4] 84 C0 B8 [4] 41 0F 45 C6 EB} 9 | $syscall = {49 89 CA 8B 44 24 08 FF 64 24 10} 10 | condition: 11 | uint16(0) == 0x5A4D and all of them 12 | } 13 | -------------------------------------------------------------------------------- /analyzer/windows/data/yara/DridexLoader.yar: -------------------------------------------------------------------------------- 1 | rule DridexLoader 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "DridexLoader API Spam Bypass" 6 | cape_options = "bp0=$trap-13,action0=ret,count=0" 7 | strings: 8 | $trap = {6A 50 6A 14 6A 03 5A 8D 4C 24 ?? E8 [4] 68 [4] 68 [4] E8 [4] 85 C0 74 05} 9 | condition: 10 | uint16(0) == 0x5A4D and $trap 11 | } 12 | -------------------------------------------------------------------------------- /analyzer/windows/data/yara/EmotetPacker.yar: -------------------------------------------------------------------------------- 1 | rule EmotetPacker 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Emotet bypass" 6 | cape_options = "bp0=$trap1+31,action0=skip,bp1=$trap2+43,action1=jmp:186,count=1" 7 | hash = "5a95d1d87ce69881b58a0e3aafc1929861e2633cdd960021d7b23e2a36409e0d" 8 | strings: 9 | $trap1 = {8B 45 08 0F 28 0D [4] 0F 57 C0 0F 29 46 30 89 46 40 C7 46 44 00 00 00 00 0F 11 4E 48 E8} 10 | $trap2 = {F2 0F 10 15 [4] BE 01 00 00 00 0F 01 F9 C7 44 24 60 00 00 00 00 89 4C 24 60 0F 01 F9 C7 44 24 5C 00 00 00 00 89 4C 24 5C 0F 1F 84 00 00 00 00 00} 11 | condition: 12 | uint16(0) == 0x5A4D and any of ($trap*) 13 | } 14 | -------------------------------------------------------------------------------- /analyzer/windows/data/yara/HeavensSyscall.yar: -------------------------------------------------------------------------------- 1 | rule HeavensSyscall 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Bypass variants of heaven's gate direct syscalls" 6 | cape_options = "clear,br0=$gate1-9,action1=seteax:0,count=0,sysbp=$sysenter+10" 7 | packed = 
"2950b4131886e06bdb83ab1611b71273df23b0d31a4d8eb6baddd33327d87ffa" 8 | strings: 9 | $gate1 = {00 00 00 00 74 24 8D 45 F8 50 6A FF FF 95 [4] 85 C0 74 08 8B 4D F8 89 4D FC EB 07 C7 45 FC 00 00 00 00 8B 45 FC EB 02 33 C0 8B E5 5D C2 C0} 10 | $sysenter = {68 [4] E8 [4] E8 [4] C2 ?? 00 CC CC CC CC CC CC CC CC} 11 | condition: 12 | uint16(0) == 0x8B55 and all of them 13 | } 14 | -------------------------------------------------------------------------------- /analyzer/windows/data/yara/Latrodectus.yar: -------------------------------------------------------------------------------- 1 | rule Latrodectus 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Latrodectus export selection" 6 | cape_options = "export=$export" 7 | hash = "378d220bc863a527c2bca204daba36f10358e058df49ef088f8b1045604d9d05" 8 | strings: 9 | $export = {48 8B C4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 56 48 83 EC 30 4C 8B 05 [4] 33 D2 C7 40 [5] 88 50 ?? 49 63 40 3C 42 8B 8C 00 88 00 00 00 85 C9 0F 84} 10 | condition: 11 | uint16(0) == 0x5A4D and all of them 12 | } 13 | -------------------------------------------------------------------------------- /analyzer/windows/data/yara/MysterySnail.yar: -------------------------------------------------------------------------------- 1 | rule MysterySnail 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "MysterySnail anti-sandbox bypass" 6 | cape_options = "bp0=$anti+62,action0=skip,count=0" 7 | strings: 8 | $anti = {F2 0F 10 [3] 66 0F 2F 05 [4] 76 0A 8B [3] FF C0 89 [3] B9 5B 05 00 00 FF 15 [4] E8 [4] 89 [3] 8B [3] 8B [3] 2B C8 8B C1 3B [3] 7E 16} 9 | condition: 10 | any of them 11 | } 12 | -------------------------------------------------------------------------------- /analyzer/windows/data/yara/NSIS.yar: -------------------------------------------------------------------------------- 1 | rule NSIS 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "NSIS Integrity Check function" 6 | cape_options = 
"exclude-apis=LdrLoadDll" 7 | hash = "d0c1e946f02503a290d24637b5c522145f58372a9ded9e647d24cd904552d235" 8 | strings: 9 | $check = {6A 1C 8D 45 [3-8] E8 [4] 8B 45 ?? A9 F0 FF FF FF 75 ?? 81 7D ?? EF BE AD DE 75 ?? 81 7D ?? 49 6E 73 74 75 ?? 81 7D ?? 73 6F 66 74 75 ?? 81 7D ?? 4E 75 6C 6C 75 ?? 09 45 08 8B 45 08 8B 0D [4] 83 E0 02 09 05 [4] 8B 45 ?? 3B C6 89 0D [4] 0F 8? [2] 00 00 F6 45 08 08 75 06 F6 45 08 04 75} 10 | condition: 11 | uint16(0) == 0x5A4D and all of them 12 | } 13 | -------------------------------------------------------------------------------- /analyzer/windows/data/yara/PrivateLoader.yar: -------------------------------------------------------------------------------- 1 | rule PrivateLoader 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "PrivateLoader indirect syscall capture" 6 | cape_options = "clear,sysbp=$syscall*-2" 7 | packed = "075d0dafd7b794fbabaf53d38895cfd7cffed4a3fe093b0fc7853f3b3ce642a4" 8 | strings: 9 | $syscall = {48 31 C0 4C 8B 19 8B 41 10 48 8B 49 08 49 89 CA 41 FF E3} 10 | condition: 11 | any of them 12 | } 13 | -------------------------------------------------------------------------------- /analyzer/windows/data/yara/RdtscpAntiVM.yar: -------------------------------------------------------------------------------- 1 | rule RdtscpAntiVM 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "RdtscpAntiVM bypass" 6 | cape_options = "nop-rdtscp=1" 7 | strings: 8 | $antivm = {46 0F 01 F9 [0-4] 66 0F 6E C6 F3 0F E6 C0 66 0F 2F ?? 73} 9 | condition: 10 | any of them 11 | } 12 | -------------------------------------------------------------------------------- /analyzer/windows/data/yara/SingleStepAntiHook.yar: -------------------------------------------------------------------------------- 1 | rule SingleStepAntiHook 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Single-step anti-hook Bypass" 6 | cape_options = "bp0=$antihook+6,action0=skip,count=0" 7 | strings: 8 | $antihook = {FF D? 
83 EC 08 9C 81 0C 24 00 01 00 00 9D} 9 | condition: 10 | any of them 11 | } 12 | -------------------------------------------------------------------------------- /analyzer/windows/data/yara/SlowLoader.yar: -------------------------------------------------------------------------------- 1 | rule SlowLoader 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "SlowLoader detonation aide for slow cpus (thread race)" 6 | cape_options = "break-on-return=CreateProcessA,action0=sleep:1000,count=0" 7 | packed = "f6eeb73ffb3e6d6cc48f74344cb590614db7e3116ba00a52aefd7dff468a60a5" 8 | strings: 9 | $code = {0F B6 44 07 08 0F B6 54 1F 08 03 C2 25 FF 00 00 80 79 07 48 0D 00 FF FF FF 40 89 45 ?? 6A 00} 10 | condition: 11 | any of them 12 | } -------------------------------------------------------------------------------- /analyzer/windows/data/yara/SmokeLoader.yar: -------------------------------------------------------------------------------- 1 | rule SmokeLoader 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "SmokeLoader Payload" 6 | cape_options = "bp0=$gate+19,action0=DumpSectionViews,count=1" 7 | strings: 8 | $gate = {68 [2] 00 00 50 E8 [4] 8B 45 ?? 89 F1 8B 55 ?? 9A [2] 40 00 33 00 89 F9 89 FA 81 C1 [2] 00 00 81 C2 [2] 00 00 89 0A 8B 46 ?? 03 45 ?? 8B 4D ?? 8B 55 ?? 9A [2] 40 00 33 00} 9 | condition: 10 | uint16(0) == 0x5A4D and any of them 11 | } 12 | -------------------------------------------------------------------------------- /analyzer/windows/data/yara/Syscall.yar: -------------------------------------------------------------------------------- 1 | rule Syscall 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "x64 syscall instruction (direct)" 6 | cape_options = "clear,dump,sysbp=$syscall0+8,sysbp=$syscallA+10,sysbp=$syscallB+7,sysbp=$syscallC+18" 7 | strings: 8 | $syscall0 = {4C 8B D1 B8 [2] 00 00 (0F 05|FF 25 ?? ?? ?? ??) C3} // mov eax, X 9 | $syscallA = {4C 8B D1 66 8B 05 [4] (0F 05|FF 25 ?? ?? ?? ??) 
C3} // mov ax, [p] 10 | $syscallB = {4C 8B D1 66 B8 [2] (0F 05|FF 25 ?? ?? ?? ??) C3} // mov ax, X 11 | $syscallC = {4C 8B D1 B8 [2] 00 00 [10] 0F 05 C3} 12 | condition: 13 | any of them 14 | } 15 | -------------------------------------------------------------------------------- /analyzer/windows/data/yara/Themida.yar: -------------------------------------------------------------------------------- 1 | rule Themida 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Themida detonation shim" 6 | cape_options = "unhook-apis=NtSetInformationThread,force-sleepskip=0" 7 | packed = "6337ff4cf413f56cc6c9a8e67f24b8d7f94f620eae06ac9f0b113b5ba82ea176" 8 | strings: 9 | $code = {FC 31 C9 49 89 CA 31 C0 31 DB AC 30 C8 88 E9 88 D5 88 F2 B6 08 66 D1 EB 66 D1 D8 73 09} 10 | condition: 11 | uint16(0) == 0x5A4D and all of them 12 | } 13 | -------------------------------------------------------------------------------- /analyzer/windows/data/yara/UPX.yar: -------------------------------------------------------------------------------- 1 | rule UPX 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "UPX dump on OEP (original entry point)" 6 | cape_options = "bp0=$upx32*,bp0=$upx64*,hc0=1,action0=step2oep" 7 | strings: 8 | $upx32 = {6A 00 39 C4 75 FA 83 EC ?? E9} 9 | $upx64 = {6A 00 48 39 C4 75 F9 48 83 EC [1-16] E9} 10 | condition: 11 | uint16(0) == 0x5A4D and any of them 12 | } 13 | -------------------------------------------------------------------------------- /analyzer/windows/data/yara/VBCrypter.yar: -------------------------------------------------------------------------------- 1 | rule VBCrypter 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "VBCrypter anti-hook Bypass" 6 | cape_options = "bp0=$antihook-12,action0=jmp,count=0" 7 | strings: 8 | $antihook = {43 39 C3 0F 84 ?? 00 00 00 80 3B B8 75 ?? 83 7B 01 00 75 ?? 80 7B 05 BA 75 ?? 
8B 53 06 83 C3 0A 31 C9} 9 | condition: 10 | any of them 11 | } 12 | -------------------------------------------------------------------------------- /analyzer/windows/data/yara/XWorm.yar: -------------------------------------------------------------------------------- 1 | rule XWorm 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "XWorm Config Extractor" 6 | cape_options = "bp0=$decrypt+11,action0=string:r10,count=1,typestring=XWorm Config" 7 | strings: 8 | $decrypt = {45 33 C0 39 09 FF 15 [4] 48 8B F0 E8 [4] 48 8B C8 48 8B D6 48 8B 00 48 8B 40 68 FF 50 ?? 90} 9 | condition: 10 | any of them 11 | } 12 | -------------------------------------------------------------------------------- /analyzer/windows/dll/capemon.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/analyzer/windows/dll/capemon.dll -------------------------------------------------------------------------------- /analyzer/windows/dll/capemon_x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/analyzer/windows/dll/capemon_x64.dll -------------------------------------------------------------------------------- /analyzer/windows/dll/version.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/analyzer/windows/dll/version.dll -------------------------------------------------------------------------------- /analyzer/windows/dll/version_x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/analyzer/windows/dll/version_x64.dll 
# -------------------------------------------------------------------------------- /analyzer/windows/lib/__init__.py: --------------------------------------------------------------------------------
# Copyright (C) 2010-2015 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# -------------------------------------------------------------------------------- /analyzer/windows/lib/api/__init__.py: --------------------------------------------------------------------------------
# Copyright (C) 2010-2015 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# -------------------------------------------------------------------------------- /analyzer/windows/lib/common/__init__.py: --------------------------------------------------------------------------------
# Copyright (C) 2010-2015 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# -------------------------------------------------------------------------------- /analyzer/windows/lib/common/exceptions.py: --------------------------------------------------------------------------------
# Copyright (C) 2010-2015 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.


class CuckooError(Exception):
    """Generic analyzer error."""


class CuckooPackageError(Exception):
    """Error attributed to an analysis package.

    Derives from Exception directly, not from CuckooError, so a handler for
    CuckooError does not catch it.
    """
# -------------------------------------------------------------------------------- /analyzer/windows/lib/common/hashing.py: --------------------------------------------------------------------------------
# Copyright (C) 2010-2015 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.

# Chunk size for the streaming read loop (1 MiB).
BUFSIZE = 1024 * 1024


def hash_file(method, path):
    """Hash a file in BUFSIZE chunks so large files are never read whole.
    @param method: zero-argument callable returning a hashlib-style object
        (must provide ``update`` and ``hexdigest``)
    @param path: path of the file to hash
    @return: hex digest string
    """
    digest = method()
    with open(path, "rb") as fh:
        # iter() with a b"" sentinel stops at the first empty read, i.e. EOF.
        for chunk in iter(lambda: fh.read(BUFSIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()
# -------------------------------------------------------------------------------- /analyzer/windows/lib/common/rand.py: --------------------------------------------------------------------------------
import random
import string


def random_string(minimum, maximum=None, charset=None):
    """Return a random string whose length lies in [minimum, maximum].
    @param minimum: shortest allowed length (the exact length when *maximum*
        is omitted)
    @param maximum: longest allowed length, or None for a fixed length
    @param charset: characters to draw from; ASCII letters when falsy
    @return: the generated string
    Uses the ``random`` module, which is not a source of secret-grade
    randomness; this is only used for naming here.
    """
    if maximum is None:
        maximum = minimum

    length = random.randint(minimum, maximum)
    alphabet = charset or string.ascii_letters
    return "".join(random.choice(alphabet) for _ in range(length))


def random_integer(digits):
    """Return a random integer with exactly *digits* decimal digits."""
    lower = 10 ** (digits - 1)
    upper = 10**digits - 1
    return random.randint(lower, upper)
# -------------------------------------------------------------------------------- /analyzer/windows/lib/core/__init__.py: --------------------------------------------------------------------------------
# Copyright (C) 2010-2015 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
# -------------------------------------------------------------------------------- /analyzer/windows/modules/__init__.py: --------------------------------------------------------------------------------
# Copyright (C) 2010-2015 Cuckoo Foundation.
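# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.

--------------------------------------------------------------------------------
/analyzer/windows/modules/auxiliary/__init__.py:
--------------------------------------------------------------------------------
# Copyright (C) 2010-2015 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.

--------------------------------------------------------------------------------
/analyzer/windows/modules/packages/__init__.py:
--------------------------------------------------------------------------------
# Copyright (C) 2010-2015 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.

--------------------------------------------------------------------------------
/analyzer/windows/modules/packages/autoit.py:
--------------------------------------------------------------------------------
from lib.common.abstracts import Package
from lib.common.constants import OPT_ARGUMENTS


class AutoIT(Package):
    """AutoIT analysis package: runs the sample script with the bundled autoit3.exe."""

    summary = "Executes the sample with autoit3."
    description = f"""Uses 'bin\\autoit3.exe [arguments]' to execute the sample,
Set the '{OPT_ARGUMENTS}' option to provide additional arguments."""
    option_names = (OPT_ARGUMENTS,)

    def start(self, path):
        """Launch bin\\autoit3.exe on the sample at ``path``.

        @param path: path of the sample script
        @return: whatever self.execute() returns for the launched process
        """
        arguments = self.options.get(OPT_ARGUMENTS, "")
        # Quote the sample path like every other package does: unquoted, a path
        # containing a space is split into several arguments by the interpreter.
        # The interpreter path is relative to the analyzer's working directory.
        return self.execute("bin\\autoit3.exe", f'"{path}" {arguments}', path)

--------------------------------------------------------------------------------
/analyzer/windows/modules/packages/cpl.py:
--------------------------------------------------------------------------------
# Copyright (C) 2010-2015 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.

from lib.common.abstracts import Package


class CPL(Package):
    """Control Panel Applet analysis package: opens the sample with control.exe."""

    PATHS = [
        ("SystemRoot", "system32", "control.exe"),
    ]
    summary = "Opens the sample using the control panel."
    description = """Uses control.exe to open the sample."""

    def start(self, path):
        """Run control.exe with the quoted sample path as its only argument.

        @param path: path of the .cpl sample
        @return: whatever self.execute() returns for the launched process
        """
        control = self.get_path("control.exe")
        return self.execute(control, f'"{path}"', path)

--------------------------------------------------------------------------------
/analyzer/windows/modules/packages/edge.py:
--------------------------------------------------------------------------------
from lib.common.abstracts import Package


class Edge(Package):
    """Edge analysis package: opens a submitted URL in Microsoft Edge."""

    PATHS = [
        ("ProgramFiles", "Microsoft", "Edge", "Application", "msedge.exe"),
    ]
    summary = "Opens the URL in Microsoft Edge."
    description = """Uses msedge.exe to open the supplied url."""

    def start(self, url):
        """Run msedge.exe with the quoted URL as its only argument.

        @param url: the submitted URL (passed where other packages pass a file path)
        @return: whatever self.execute() returns for the launched process
        """
        edge = self.get_path("msedge.exe")
        # The URL is embedded verbatim inside double quotes on the command line;
        # a '"' in the URL would end the quoting early. NOTE(review): confirm the
        # submission side rejects such URLs, execute() does not escape them here.
        return self.execute(edge, f'"{url}"', url)

--------------------------------------------------------------------------------
/analyzer/windows/modules/packages/firefox.py:
--------------------------------------------------------------------------------
# Copyright (C) 2014 Optiv, Inc. (brad.spengler@optiv.com)
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.

from lib.common.abstracts import Package


class Firefox(Package):
    """Firefox analysis package: opens a submitted URL in Mozilla Firefox."""

    PATHS = [
        ("ProgramFiles", "Mozilla Firefox", "firefox.exe"),
    ]
    summary = "Opens the URL in firefox."
    description = """Uses firefox.exe to open the supplied url."""

    def start(self, url):
        """Run firefox.exe with the quoted URL as its only argument.

        @param url: the submitted URL
        @return: whatever self.execute() returns for the launched process
        """
        firefox = self.get_path("firefox.exe")
        # pass the URL instead of a filename in this case; same quoting caveat
        # as the other browser packages (a '"' inside the URL breaks the quoting)
        return self.execute(firefox, f'"{url}"', url)

--------------------------------------------------------------------------------
/analyzer/windows/modules/packages/ie.py:
--------------------------------------------------------------------------------
# Copyright (C) 2010-2015 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.

from lib.common.abstracts import Package


class IE(Package):
    """Internet Explorer analysis package: opens a submitted URL in iexplore.exe."""

    PATHS = [
        ("ProgramFiles", "Internet Explorer", "iexplore.exe"),
    ]
    summary = "Opens the URL in Internet Explorer."
    description = """Uses iexplore.exe to open the supplied url."""

    def start(self, url):
        """Run iexplore.exe with the quoted URL as its only argument.

        @param url: the submitted URL
        @return: whatever self.execute() returns for the launched process
        """
        # Pass the executable name, as every other package does (this used to
        # pass the folder name "Internet Explorer", which at best only made the
        # "unable to find" error message misleading).
        iexplore = self.get_path("iexplore.exe")
        # pass the URL instead of a filename in this case
        return self.execute(iexplore, f'"{url}"', url)

--------------------------------------------------------------------------------
/analyzer/windows/modules/packages/ollydbg.py:
--------------------------------------------------------------------------------
from lib.common.abstracts import Package
from lib.common.constants import OPT_ARGUMENTS


class OllyDbg(Package):
    """OllyDbg analysis package: loads the sample into the bundled OllyDbg."""

    summary = "Opens the sample with OllyDbg"
    description = f"""Uses 'bin\\OllyDbg\\OLLYDBG.EXE [arguments]' to launch the sample.
The '{OPT_ARGUMENTS}' option can be used to pass additional arguments."""
    option_names = (OPT_ARGUMENTS,)

    def start(self, path):
        """Launch bin\\OllyDbg\\OLLYDBG.EXE with the sample and optional extra arguments.

        @param path: path of the sample to debug
        @return: whatever self.execute() returns for the launched process
        """
        arguments = self.options.get(OPT_ARGUMENTS, "")
        # Quote the path (see the other packages) so a sample path with spaces
        # reaches the debugger as a single argument.
        return self.execute("bin\\OllyDbg\\OLLYDBG.EXE", f'"{path}" {arguments}', path)

--------------------------------------------------------------------------------
/analyzer/windows/modules/packages/rdp.py:
--------------------------------------------------------------------------------
from lib.common.abstracts import Package
from lib.common.common import check_file_extension


class RDP(Package):
    """RDP analysis package: opens the sample connection file with mstsc.exe."""

    PATHS = [
        ("SystemRoot", "system32", "mstsc.exe"),
    ]
    summary = "Opens the sample .rdp file with mstsc.exe."
    description = """Uses 'mstsc.exe [arguments]' to open the sample connection file.
The 'arguments' option can be used to pass additional arguments."""

    def start(self, path):
        """Run mstsc.exe on the sample (renamed to .rdp) plus any extra arguments.

        @param path: path of the sample; check_file_extension() gives it a .rdp suffix
        @return: whatever self.execute() returns for the launched process
        """
        # Default to "" like the other packages: without a default, a missing
        # option yielded None and put the literal word "None" on mstsc's command line.
        args = self.options.get("arguments", "")

        path = check_file_extension(path, ".rdp")
        mstsc = self.get_path_glob("mstsc.exe")
        return self.execute(mstsc, f'"{path}" {args}', path)

--------------------------------------------------------------------------------
/analyzer/windows/modules/packages/reg.py:
--------------------------------------------------------------------------------
# Copyright (C) 2010-2015 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.

from lib.common.abstracts import Package


class Reg(Package):
    """Reg analysis package: imports the sample .reg file with reg.exe."""

    PATHS = [
        ("SystemRoot", "System32", "reg.exe"),
    ]
    summary = "Opens a registry file with reg.exe."
    description = """Uses 'reg.exe import ' to open the sample."""

    def start(self, path):
        """Run ``reg.exe import "<path>"`` on the sample.

        @param path: path of the .reg sample
        @return: whatever self.execute() returns for the launched process
        """
        regexe = self.get_path("reg.exe")
        reg_args = f'import "{path}"'
        return self.execute(regexe, reg_args, path)

--------------------------------------------------------------------------------
/analyzer/windows/modules/packages/sct.py:
--------------------------------------------------------------------------------
# This file is part of CAPE Sandbox - https://github.com/kevoreilly/CAPE
# See the file 'docs/LICENSE' for copying permission.

from lib.common.abstracts import Package


class SCT(Package):
    """SCT analysis package: runs a scriptlet through regsvr32.exe and scrobj.dll."""

    PATHS = [
        ("SystemRoot", "system32", "regsvr32.exe"),
    ]
    summary = "Opens the sample with regsvr32.exe scrobj.dll"
    description = """Uses 'regsvr32.exe /u /n /i: scrobj.dll' to launch the sample
script component."""

    def start(self, path):
        """Run ``regsvr32.exe /u /n /i:<path> scrobj.dll`` on the sample.

        @param path: path of the .sct sample
        @return: whatever self.execute() returns for the launched process
        """
        regsvr32 = self.get_path("regsvr32.exe")
        # NOTE(review): unlike the other packages the path is not quoted here, so
        # a path with spaces is split. Confirm regsvr32 accepts /i:"..." before
        # changing it.
        args = f"/u /n /i:{path} scrobj.dll"
        return self.execute(regsvr32, args, path)

--------------------------------------------------------------------------------
/analyzer/windows/modules/packages/xps.py:
--------------------------------------------------------------------------------
# Copyright (C) 2010-2015 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.

from lib.common.abstracts import Package


class Xps(Package):
    """XPS analysis package: opens the sample with the XPS viewer."""

    PATHS = [
        ("SystemRoot", "system32", "xpsrchvw.exe"),
    ]
    summary = "Opens the sample file with xpsrchvw.exe."
    description = """Uses xpsrchvw.exe to open the supplied sample."""

    def start(self, path):
        """Run xpsrchvw.exe with the quoted sample path as its only argument.

        @param path: path of the .xps sample
        @return: whatever self.execute() returns for the launched process
        """
        xpsrchvw_path = self.get_path("xpsrchvw.exe")
        xpsrchvw_args = f'"{path}"'
        return self.execute(xpsrchvw_path, xpsrchvw_args, path)

--------------------------------------------------------------------------------
/analyzer/windows/pytest.ini:
--------------------------------------------------------------------------------
[pytest]
pythonpath = .

--------------------------------------------------------------------------------
/conf/copy_configs.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Copy every conf/default/*.conf.default template to conf/*.conf, i.e. drop the
# "default/" directory and the ".default" suffix. (The previous sed pipeline only
# worked because the unescaped "." in 's/.default//g' also matched the "/" of
# "conf/default/"; the second sed was a no-op.)
for filename in conf/default/*.conf.default; do
    # An unmatched glob stays literal; skip it instead of letting cp fail on it.
    [ -e "$filename" ] || continue
    target="conf/$(basename "${filename%.default}")"
    cp -vf "./$filename" "./$target"
done

--------------------------------------------------------------------------------
/conf/default/cuckoomx.conf.default:
--------------------------------------------------------------------------------
[cuckoomx]
# Placeholder values: set a real server, user and password (and your own
# archive_password) before enabling this module. These defaults are public.
server = domain
port = 465
user = x
password = cuckoo
db = sqlite:///cuckoomx.db
archive_password = infected
cuckoo_url = http://host/analysis/

--------------------------------------------------------------------------------
/conf/default/externalservices.conf.default:
--------------------------------------------------------------------------------
[misp]
enabled = no
url =
apikey =
hash_lookup = no

# Register for an API account at www.whoisxmlapi.com to obtain the API key.
[whoisxmlapi]
enabled = no
apikey =

--------------------------------------------------------------------------------
/conf/default/hosts.conf.default:
--------------------------------------------------------------------------------
[hosts]
# All your private hosts go here, so they are not hardcoded all over CAPE.
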
-------------------------------------------------------------------------------- /conf/default/logging.conf.default: -------------------------------------------------------------------------------- 1 | [logger] 2 | # Stream a copy of the log to syslog. Useful for cloud setups. 3 | syslog_cape = off 4 | syslog_process = off 5 | syslog_dev = /dev/log 6 | 7 | process_per_task_log = off 8 | # Store the process log inside the analysis folder instead of the log directory. Useful for distributed setups, so the main server can fetch it and show it in the web GUI. 9 | process_analysis_folder = off 10 | 11 | # Useful only with process_per_task_log = off 12 | [log_rotation] 13 | # Activate log rotation for cuckoo.log and process.log. 14 | enabled = on 15 | # Keep 30 days of log history (default is 7). 16 | backup_count = 30 17 | -------------------------------------------------------------------------------- /conf/default/malheur.conf.default: -------------------------------------------------------------------------------- 1 | generic = { 2 | input_format = "mist"; 3 | }; 4 | 5 | cluster = { 6 | reject_num = 2; 7 | }; 8 | 9 | features = { 10 | mist_level = 2; 11 | }; 12 | -------------------------------------------------------------------------------- /conf/default/mitmdump.conf.default: -------------------------------------------------------------------------------- 1 | [cfg] 2 | # Path to the mitmdump binary 3 | bin = /opt/mitmproxy/mitmdump 4 | 5 | # Host IP where mitmdump is listening 6 | host = 127.0.0.1 7 | 8 | # Interface where mitmdump is listening 9 | interface = virbr0 10 | 11 | # Future options like custom ports, cert paths, etc 12 | -------------------------------------------------------------------------------- /conf/default/multi.conf.default: -------------------------------------------------------------------------------- 1 | [multi] 2 | # Specify a comma-separated list of the machinery modules to be used. 3 | machinery = kvm 4 | 5 | # Specify a comma-separated list of available machines to be used. 
6 | # This list should be the combination of the machines present in each 7 | # sub-machinery module. 8 | #machines = cuckoo1 9 | -------------------------------------------------------------------------------- /conf/default/smtp_sinkhole.conf.default: -------------------------------------------------------------------------------- 1 | [email] 2 | server = 172.16.200.52 3 | port = 465 4 | user = spam@malicious.systems 5 | password = 6 | # comma-space separated list if there is more than one receiver 7 | to = spam@malicious.systems 8 | from = spam@malicious.systems 9 | -------------------------------------------------------------------------------- /custom/.gitignore: -------------------------------------------------------------------------------- 1 | /* 2 | !/README.md 3 | !/.gitignore 4 | -------------------------------------------------------------------------------- /custom/parsers/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/custom/parsers/__init__.py -------------------------------------------------------------------------------- /custom/signatures/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/custom/signatures/__init__.py -------------------------------------------------------------------------------- /custom/yara/CAPE/.placeholder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/custom/yara/CAPE/.placeholder -------------------------------------------------------------------------------- /custom/yara/binaries/.placeholder: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/custom/yara/binaries/.placeholder -------------------------------------------------------------------------------- /custom/yara/macro/.placeholder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/custom/yara/macro/.placeholder -------------------------------------------------------------------------------- /custom/yara/memory/.placeholder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/custom/yara/memory/.placeholder -------------------------------------------------------------------------------- /custom/yara/monitor/.placeholder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/custom/yara/monitor/.placeholder -------------------------------------------------------------------------------- /custom/yara/urls/.placeholder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/custom/yara/urls/.placeholder -------------------------------------------------------------------------------- /data/.gitignore: -------------------------------------------------------------------------------- 1 | # Ignore the third-party binaries used for self-extraction (downloaded locally, not tracked). 
2 | UnAutoIt 3 | 7zz 4 | innoextract 5 | procyon.jar 6 | NETReactorSlayer.CLI 7 | -------------------------------------------------------------------------------- /data/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/data/__init__.py -------------------------------------------------------------------------------- /data/family_detection_names.py: -------------------------------------------------------------------------------- 1 | # Map detection names to the family names you want shown in reports. 2 | # The key is the name as it was matched, the value is how you want it represented. 3 | # Upstream does not modify this file, so your mapping is safe to keep here. 4 | family_detection_names = { 5 | # Example: 6 | # "azorult": "Azorult", 7 | } 8 | -------------------------------------------------------------------------------- /data/google_creds.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "service_account", 3 | "project_id": "-----", 4 | "private_key_id": "----", 5 | "private_key": "-----BEGIN PRIVATE KEY-----\n---------END PRIVATE KEY-----\n", 6 | "client_email": "--------", 7 | "client_id": "-----", 8 | "auth_uri": "https://accounts.google.com/o/oauth2/auth", 9 | "token_uri": "https://oauth2.googleapis.com/token", 10 | "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", 11 | "client_x509_cert_url": "----------------" 12 | } 13 | -------------------------------------------------------------------------------- /data/html/error.html: -------------------------------------------------------------------------------- 1 | {% extends "base-web.html" %} 2 | {% block content %} 3 | 6 | 
7 |
8 | Error: {{error}} 9 |
10 |
11 | {% endblock %} 12 | -------------------------------------------------------------------------------- /data/html/generic/_java.html: -------------------------------------------------------------------------------- 1 |
2 |
3 | {% if file.java and file.java.decompiled %} 4 |
{{file.java.decompiled}}
5 | {% endif %} 6 |
7 |
8 | -------------------------------------------------------------------------------- /data/html/generic/_xlmmacro.html: -------------------------------------------------------------------------------- 1 |
2 |
3 |

XLM Macro

4 |
 5 |             {% for line in file.office.XLMMacroDeobfuscator.Code %}
 6 |                 {{line}}
 7 |             {% endfor %}
 8 |         
9 |
10 |
11 | -------------------------------------------------------------------------------- /data/html/img/glyphicons-halflings-white.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/data/html/img/glyphicons-halflings-white.png -------------------------------------------------------------------------------- /data/html/img/glyphicons-halflings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/data/html/img/glyphicons-halflings.png -------------------------------------------------------------------------------- /data/html/js/functions.js: -------------------------------------------------------------------------------- 1 | function showHide(id, lbl) { 2 | var e = document.getElementById(id); 3 | 4 | if (lbl !== "undefined") 5 | var l = document.getElementById(lbl); 6 | 7 | if(e.style.display == "none") { 8 | e.style.display = "block"; 9 | if (l) { 10 | l.innerHTML = "Collapse"; 11 | } 12 | } 13 | else { 14 | e.style.display = "none"; 15 | if (l) 16 | l.innerHTML = "Expand"; 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /data/html/sections/errors.html: -------------------------------------------------------------------------------- 1 | {% if results.debug and results.debug.errors %} 2 |
3 |

Errors

4 |
5 |
6 |
    7 | {% for error in results.debug.errors %} 8 |
  • {{error}}
  • 9 | {% endfor %} 10 |
11 |
12 | {% endif %} 13 | -------------------------------------------------------------------------------- /data/html/sections/memory/_apihooks.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | {% for hook in results.memory.apihooks.data %} 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | {% endfor %} 21 | 22 |
PIDProcess NameVictim FunctionHook TypeHooking Module
{{hook.process_id}}{{hook.process_name}}{{hook.victim_function}}{{hook.hook_type}}{{hook.hooking_module}}
23 | -------------------------------------------------------------------------------- /data/html/sections/memory/_callbacks.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | {% for x in results.memory.callbacks %} 12 | 13 | 14 | 15 | 16 | 17 | 18 | {% endfor %} 19 | 20 |
ModuleCallbackTypeDetails
{{x.Module}}{{x.Callback}}{{x.Type}}{{x.Details}}
21 | -------------------------------------------------------------------------------- /data/html/sections/memory/_idt.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | {% for x in results.memory.idt.data %} 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | {% endfor %} 23 | 24 |
CPUIndexSelectorAddressModuleSection
{{x.cpu_number}}{{x.index}}{{x.selector}}{{x.address}}{{x.module}}{{x.section}}
25 | -------------------------------------------------------------------------------- /data/html/sections/memory/_malfind.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | {% for mal in results.memory.malfind %} 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | {% endfor %} 23 | 24 |
PIDProcess NameStartEndTagProtection
{{mal.PID}}{{mal.Process}}ToDoToDo{{mal.Tag}}{{mal.Protection}}
25 | -------------------------------------------------------------------------------- /data/html/sections/memory/_modscan.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | {% for mod in results.memory.modscan %} 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | {% endfor %} 21 | 22 |
Base AddressOffsetNameFileSize
{{mod.Base}}{{mod.Offset}}{{mod.Name}}{{mod.Path}}{{mod.Size}}
23 | -------------------------------------------------------------------------------- /data/html/sections/memory/_sockscan.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | {% for sock in results.memory.sockscan.data %} 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | {% endfor %} 23 | 24 |
OffsetPIDLocal AddressLocal PortProtocolCreation Time
{{sock.offset}}{{sock.process_id}}{{sock.address}}{{sock.port}}{{sock.protocol}}{{sock.create_time}}
25 | -------------------------------------------------------------------------------- /data/html/sections/memory/_ssdt.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | {% for x in results.memory.ssdt %} 12 | 13 | 14 | 15 | 16 | 17 | 18 | {% endfor %} 19 | 20 |
IndexSyscall AddrSyscall ModnameSyscall Name
{{x.Index}}{{x.Address}}{{x.Module}}{{x.Symbol}}
21 | -------------------------------------------------------------------------------- /data/html/sections/memory/_timers.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | {% for x in results.memory.timers.data %} 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | {% endfor %} 23 | 24 |
OffsetDue TimePeriodSignaledRoutineModule
{{x.offset}}{{x.due_time}}{{x.period}}{{x.signaled}}{{x.routine}}{{x.module}}
25 | -------------------------------------------------------------------------------- /data/html/sections/memory/_yarascan.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | {% for x in results.memory.yarascan.data %} 11 | 12 | 13 | 14 | 15 | 16 | {% endfor %} 17 | 18 |
OwnerRuleHexdump
{{x.owner}}{{x.rule}}
{{x.hexdump}}
19 | -------------------------------------------------------------------------------- /data/html/sections/screenshots.html: -------------------------------------------------------------------------------- 1 |
2 |
3 |

Screenshots

4 |
5 | {% if results.shots %} 6 | {% for shot in results.shots %} 7 | 8 | {% endfor %} 9 | {% else %} 10 | No screenshots available. 11 | {% endif %} 12 |
13 | -------------------------------------------------------------------------------- /data/html/statistics.html: -------------------------------------------------------------------------------- 1 | {% extends "base-web.html" %} 2 | {% block content %} 3 | 4 |
5 | 17 |
18 | {% endblock %} 19 | -------------------------------------------------------------------------------- /data/html/statistics/README: -------------------------------------------------------------------------------- 1 | This is an empty directory where statistics images will be created. 2 | -------------------------------------------------------------------------------- /data/html/success.html: -------------------------------------------------------------------------------- 1 | {% extends "base-web.html" %} 2 | {% block content %} 3 | 6 |
7 |
8 | GOOD! File {{submitfile}} was submitted for analysis with Task ID {{taskid}}. 9 |
10 |
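{% endblock %}

--------------------------------------------------------------------------------
/data/safelist/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/data/safelist/__init__.py

--------------------------------------------------------------------------------
/data/signature_overlay.json:
--------------------------------------------------------------------------------
{
    "creates_exe": {
        "severity": 2,
        "alert": false,
        "custom_attribute": "machete"
    }
}

--------------------------------------------------------------------------------
/data/src/binpackage/Makefile:
--------------------------------------------------------------------------------
execsc.exe: execsc.c
	i586-mingw32msvc-cc -Wall -o $@ $<

--------------------------------------------------------------------------------
/data/src/binpackage/execsc.c:
--------------------------------------------------------------------------------
#include
#include
#include

/*
 * Shellcode runner for the "bin" analysis package: reads the analysis target
 * file into a buffer and transfers control to it. This is arbitrary code
 * execution by design and must only ever run inside the sandbox guest.
 *
 * argv[1] is the shellcode file. Returns 1 on a usage or read error, 0 if the
 * shellcode returns.
 */
int main (int argc, char ** argv) {
    int fd;
    int n;
    char buf[2048] = {0};

    if (argc < 2) return 1;

    // read in shellcode from analysis target file (flags 0 == O_RDONLY).
    // open()/read() failures used to be ignored, which meant jumping into an
    // all-zero buffer when the file was missing or unreadable.
    fd = open(argv[1], 0);
    if (fd < 0) return 1;
    n = read(fd, buf, sizeof(buf));
    close(fd);
    if (n <= 0) return 1;
    // Only sizeof(buf) bytes are read: shellcode longer than 2048 bytes is
    // silently truncated rather than rejected.

    // jump into shellcode. buf is a stack array, so this relies on the stack
    // being executable (NOTE(review): confirm the build/runtime does not enforce
    // DEP/NX on this binary).
    int (*func)();
    func = (int (*)()) buf;
    (*func)();

    return 0;
}

--------------------------------------------------------------------------------
/data/yara/CAPE/Amadey.yar:
--------------------------------------------------------------------------------
rule Amadey
{
    meta:
        author = "kevoreilly"
        description = "Amadey Payload"
        cape_type = "Amadey Payload"
        hash = "988258716d5296c1323303e8fe4efd7f4642c87bfdbe970fe9a3bb3f410f70a4"
    strings:
        $decode1 = {8B D1 B8 FF FF FF 7F D1 EA 2B C2 3B C8 76 07 BB FF FF FF 7F EB 08 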
8D 04 0A 3B D8 0F 42 D8} 10 | $decode2 = {33 D2 8B 4D ?? 8B C7 F7 F6 8A 84 3B [4] 2A 44 0A 01 88 87 [4] 47 8B 45 ?? 8D 50 01} 11 | $decode3 = {8A 04 02 88 04 0F 41 8B 7D ?? 8D 42 01 3B CB 7C} 12 | condition: 13 | uint16(0) == 0x5A4D and 2 of them 14 | } 15 | -------------------------------------------------------------------------------- /data/yara/CAPE/Atlas.yar: -------------------------------------------------------------------------------- 1 | rule Atlas 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Atlas Payload" 6 | cape_type = "Atlas Payload" 7 | strings: 8 | $a1 = "bye.bat" 9 | $a2 = "task=knock&id=%s&ver=%s x%s&disks=%s&other=%s&ip=%s&pub=" 10 | $a3 = "process call create \"cmd /c start vssadmin delete shadows /all /q" 11 | condition: 12 | uint16(0) == 0x5A4D and (all of ($a*)) 13 | } 14 | -------------------------------------------------------------------------------- /data/yara/CAPE/Azer.yar: -------------------------------------------------------------------------------- 1 | rule Azer 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Azer Payload" 6 | cape_type = "Azer Payload" 7 | strings: 8 | $a1 = "webmafia@asia.com" wide 9 | $a2 = "INTERESTING_INFORMACION_FOR_DECRYPT.TXT" wide 10 | $a3 = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ" //-----BEGIN PUBLIC KEY----- 11 | condition: 12 | uint16(0) == 0x5A4D and (all of ($a*)) 13 | } 14 | -------------------------------------------------------------------------------- /data/yara/CAPE/Azorult.yar: -------------------------------------------------------------------------------- 1 | rule Azorult 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Azorult Payload" 6 | cape_type = "Azorult Payload" 7 | strings: 8 | $code1 = {C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 00 00 00 8D 85 80 F5 FF FF 89 47 2C C7 47 30 00 08 00 00 8D 85 80 F1 
FF FF 89 47 34 C7 47 38 00 04 00 00 57 68 00 00 00 90} 9 | $string1 = "SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),\"unixepoch\")" 10 | condition: 11 | uint16(0) == 0x5A4D and all of them 12 | } 13 | -------------------------------------------------------------------------------- /data/yara/CAPE/BadRabbit.yar: -------------------------------------------------------------------------------- 1 | rule BadRabbit 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "BadRabbit Payload" 6 | cape_type = "BadRabbit Payload" 7 | strings: 8 | $a1 = "caforssztxqzf2nm.onion" wide 9 | $a2 = "schtasks /Create /SC once /TN drogon /RU SYSTEM" wide 10 | $a3 = "schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal" wide 11 | condition: 12 | uint16(0) == 0x5A4D and (all of ($a*)) 13 | } 14 | -------------------------------------------------------------------------------- /data/yara/CAPE/Bazar.yar: -------------------------------------------------------------------------------- 1 | rule Bazar 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | cape_type = "Bazar Payload" 6 | strings: 7 | $decode = {F7 E9 [0-2] C1 FA 0? 8B C2 C1 E8 1F 03 D0 6B C2 ?? 
2B C8} 8 | $rsa = {C7 00 52 53 41 33 48 8D 48 09 C7 40 04 00 08 00 00 4C 8D 05 [3] 00 C6 40 08 03 B8 09 00 00 00 [0-3] 48 8D 89 80 00 00 00 41 0F 10 00} 9 | condition: 10 | uint16(0) == 0x5A4D and 2 of them 11 | } 12 | -------------------------------------------------------------------------------- /data/yara/CAPE/BitPaymer.yar: -------------------------------------------------------------------------------- 1 | rule BitPaymer 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "BitPaymer Payload" 6 | cape_type = "BitPaymer Payload" 7 | 8 | strings: 9 | $decrypt32 = {6A 40 58 3B C8 0F 4D C1 39 46 04 7D 50 53 57 8B F8 81 E7 3F 00 00 80 79 05 4F 83 CF C0 47 F7 DF 99 1B FF 83 E2 3F 03 C2 F7 DF C1 F8 06 03 F8 C1 E7 06 57} 10 | $antidefender = "TouchMeNot" wide 11 | condition: 12 | uint16(0) == 0x5A4D and all of them 13 | } 14 | -------------------------------------------------------------------------------- /data/yara/CAPE/BlackDropper.yar: -------------------------------------------------------------------------------- 1 | rule BlackDropper 2 | { 3 | meta: 4 | author = "enzok" 5 | description = "BlackDropper" 6 | cape_type = "BlackDropper Payload" 7 | hash = "f8026ae3237bdd885e5fcaceb86bcab4087d8857e50ba472ca79ce44c12bc257" 8 | strings: 9 | $string1 = "BlackDropperCPP" 10 | $string2 = "Builder.dll" 11 | $string3 = "\\Builder.exe" 12 | $crypt1 = {33 D2 48 8B 44 24 ?? 48 8B 4C 24 ?? 48 F7 F1 48 8B C2 48 8B D0 48 8D 4C 24 ?? E8} 13 | $crypt2 = {0F BE 00 8B 4C 24 ?? 33 C8 8B C1 88 44 24 ?? 48 8B 54 24 ?? 48 8D 4C 24} 14 | $crypt3 = {E8 [4] 0F B6 4C 24 ?? 
88 08 E9} 15 | condition: 16 | 2 of ($string*) or 2 of ($crypt*) 17 | } -------------------------------------------------------------------------------- /data/yara/CAPE/BruteRatel.yar: -------------------------------------------------------------------------------- 1 | rule BruteRatel 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "BruteRatel Payload" 6 | cape_type = "BruteRatel Payload" 7 | strings: 8 | $syscall1 = {49 89 CA 4? 89 ?? (41 FF|FF)} 9 | $syscall2 = {49 89 CA 48 8B 44 24 ?? FF 64 24} 10 | $jmpapi = {49 89 ?? 10 49 C7 45 08 ?? 00 00 00 E8 00 00 00 00 ?? (48|49) 83 [2] 41 FF E2} 11 | $decode = {89 C2 8A 14 17 40 38 EA 75 06 FF C0 89 03 EB 0B 41 88 14 08 48 FF C1 FF 03 EB} 12 | condition: 13 | 2 of them 14 | } 15 | -------------------------------------------------------------------------------- /data/yara/CAPE/BuerLoader.yar: -------------------------------------------------------------------------------- 1 | rule BuerLoader 2 | { 3 | meta: 4 | author = "kevoreilly & Rony (@r0ny_123)" 5 | cape_type = "BuerLoader Payload" 6 | strings: 7 | $trap = {0F 31 89 45 ?? 6A 00 8D 45 ?? 8B CB 50 E8 [4] 0F 31} 8 | $decode = {8A 0E 84 C9 74 0E 8B D0 2A 0F 46 88 0A 42 8A 0E 84 C9 75 F4 5F 5E 5D C2 04 00} 9 | $op = {33 C0 85 D2 7E 1? 3B C7 7D [0-15] 40 3B C2 7C ?? EB 02} 10 | condition: 11 | uint16(0) == 0x5A4D and 2 of them 12 | } 13 | -------------------------------------------------------------------------------- /data/yara/CAPE/Carbanak.yar: -------------------------------------------------------------------------------- 1 | rule Carbanak 2 | { 3 | meta: 4 | author = "enzok" 5 | description = "Carnbanak Payload" 6 | cape_type = "Carbanak Payload" 7 | sample = "c9c1b06cb9c9bd6fc4451f5e2847a1f9524bb2870d7bb6f0ee09b9dd4e3e4c84" 8 | strings: 9 | $sboxinit = {0F BE 02 4? 8D 05 [-] 4? 8D 4D ?? E8 [3] 00 33 F6 4? 8D 5D ?? 4? 63 F8 8B 45 ?? B? B1 E3 14 06} 10 | $decode_string = {0F BE 03 FF C9 83 F8 20 7D ?? B? 1F [3] 4? 8D 4A E2 EB ?? 3D 80 [3] 7D ?? B? 
7F [3] 4? 8D 4A A1 EB ?? B? FF [3] 4? 8D 4A 81} 11 | $constants = {0F B7 05 [3] 00 0F B7 1D [3] 00 83 25 [3] 00 00 89 05 [3] 00 0F B7 05 [3] 00 89 1D [3] 00 89 05 [3] 00 33 C0 4? 8D 4D} 12 | condition: 13 | uint16(0) == 0x5A4D and 2 of them 14 | } -------------------------------------------------------------------------------- /data/yara/CAPE/CargoBayLoader.yar: -------------------------------------------------------------------------------- 1 | rule CargoBayLoader 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "CargoBay Loader" 6 | cape_type = "CargoBay Loader" 7 | hash = "75e975031371741498c5ba310882258c23b39310bd258239277708382bdbee9c" 8 | strings: 9 | $jmp1 = {40 42 0F 00 0F 82 [2] 00 00 48 8D 15 [4] BF 04 00 00 00 41 B8 04 00 00 00 4C 8D [3] 4C 89 F1 E8} 10 | $jmp2 = {84 DB 0F 85 [2] 00 00 48 8D 15 [4] 41 BE 03 00 00 00 41 B8 03 00 00 00 4C 8D 7C [2] 4C 89 F9 E8} 11 | condition: 12 | uint16(0) == 0x5A4D and all of them 13 | } 14 | -------------------------------------------------------------------------------- /data/yara/CAPE/Cerber.yar: -------------------------------------------------------------------------------- 1 | rule Cerber 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Cerber Payload" 6 | cape_type = "Cerber Payload" 7 | strings: 8 | $code1 = {33 C0 66 89 45 8? 8D 7D 8? AB AB AB AB AB [0-2] 66 AB 8D 45 8? [0-3] E8 ?? ?? 
00 00} 9 | condition: 10 | //check for MZ Signature at offset 0 11 | uint16(0) == 0x5A4D and all of them 12 | } 13 | -------------------------------------------------------------------------------- /data/yara/CAPE/CobaltStrikeStager.yar: -------------------------------------------------------------------------------- 1 | rule CobaltStrikeStager 2 | { 3 | meta: 4 | author = "@dan__mayer " 5 | description = "Cobalt Strike Stager Payload" 6 | cape_type = "CobaltStrikeStager Payload" 7 | strings: 8 | $smb = { 68 00 B0 04 00 68 00 B0 04 00 6A 01 6A 06 6A 03 52 68 45 70 DF D4 } 9 | $http_x86 = { 68 6E 65 74 00 68 77 69 6E 69 54 68 4C 77 26 07 } 10 | $http_x64 = { 49 BE 77 69 6E 69 6E 65 74 00 41 56 49 89 E6 4C 89 F1 41 BA 4C 77 26 07 } 11 | $dns = { 68 00 10 00 00 68 FF FF 07 00 6A 00 68 58 A4 53 E5 } 12 | 13 | condition: 14 | any of them 15 | } 16 | -------------------------------------------------------------------------------- /data/yara/CAPE/Codoso.yar: -------------------------------------------------------------------------------- 1 | rule Codoso 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Codoso Payload" 6 | cape_type = "Codoso Payload" 7 | strings: 8 | $a1 = "WHO_A_R_E_YOU?" 9 | $a2 = "DUDE_AM_I_SHARP-3.14159265358979" 10 | $a3 = "USERMODECMD" 11 | condition: 12 | uint16(0) == 0x5A4D and (all of ($a*)) 13 | } 14 | -------------------------------------------------------------------------------- /data/yara/CAPE/Conti.yar: -------------------------------------------------------------------------------- 1 | rule Conti 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Conti Ransomware" 6 | cape_type = "Conti Payload" 7 | strings: 8 | $crypto1 = {8A 07 8D 7F 01 0F B6 C0 B9 ?? 00 00 00 2B C8 6B C1 ?? 99 F7 FE 8D [2] 99 F7 FE 88 ?? 
FF 83 EB 01 75 DD} 9 | $website1 = "https://contirecovery.info" ascii wide 10 | $website2 = "https://contirecovery.best" ascii wide 11 | condition: 12 | uint16(0) == 0x5A4D and any of them 13 | } 14 | -------------------------------------------------------------------------------- /data/yara/CAPE/Cryptoshield.yar: -------------------------------------------------------------------------------- 1 | rule Cryptoshield 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Cryptoshield Payload" 6 | cape_type = "Cryptoshield Payload" 7 | strings: 8 | $a1 = "CRYPTOSHIELD." wide 9 | $a2 = "Click on Yes in the next window for restore work explorer" wide 10 | $a3 = "r_sp@india.com - SUPPORT" 11 | condition: 12 | uint16(0) == 0x5A4D and (all of ($a*)) 13 | } 14 | -------------------------------------------------------------------------------- /data/yara/CAPE/DoomedLoader.yar: -------------------------------------------------------------------------------- 1 | rule DoomedLoader 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | cape_type = "DoomedLoader Payload" 6 | packed = "914b1b3180e7ec1980d0bafe6fa36daade752bb26aec572399d2f59436eaa635" 7 | strings: 8 | $anti = {48 8B 4C 24 ?? E8 [4] 84 C0 B8 [4] 41 0F 45 C6 EB} 9 | $syscall = {49 89 CA 8B 44 24 08 FF 64 24 10} 10 | condition: 11 | uint16(0) == 0x5A4D and all of them 12 | } 13 | -------------------------------------------------------------------------------- /data/yara/CAPE/DoppelPaymer.yar: -------------------------------------------------------------------------------- 1 | rule DoppelPaymer 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "DoppelPaymer Payload" 6 | cape_type = "DoppelPaymer Payload" 7 | 8 | strings: 9 | $getproc32 = {81 FB ?? ?? ?? ?? 74 2D 8B CB E8 ?? ?? ?? ?? 85 C0 74 0C 8B C8 8B D7 E8 ?? ?? ?? ?? 
5B 5F C3} 10 | $cmd_string = "Setup run\\n" wide 11 | condition: 12 | uint16(0) == 0x5A4D and all of them 13 | } 14 | -------------------------------------------------------------------------------- /data/yara/CAPE/Dreambot.yar: -------------------------------------------------------------------------------- 1 | rule Dreambot 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Dreambot Payload" 6 | cape_type = "Dreambot Payload" 7 | strings: 8 | $a1 = {53 56 33 F6 33 DB C1 6C 24 0C 02 74 2F 8B 02 85 C0 75 11 83 7C 24 0C 02 76 0A 39 42 04 75 05 39 42 08 74 18 43 8A CB D3 C0 33 C6 33 44 24 10 8B F0 89 32 83 C2 04 FF 4C 24 0C 75 D1 5E 5B C2 08 00} 9 | $a2 = {53 33 C9 33 DB C1 6C 24 08 02 74 22 56 8B 02 85 C0 8B F0 74 18 33 C1 33 44 24 10 43 8A CB D3 C8 8B CE 89 02 83 C2 04 FF 4C 24 0C 75 E0 5E 5B C2 08 00} 10 | $b1 = "Oct 5 2016" 11 | $b2 = ".bss" 12 | condition: 13 | uint16(0) == 0x5A4D and (1 of ($a*)) and (all of ($b*)) 14 | } 15 | -------------------------------------------------------------------------------- /data/yara/CAPE/EmotetLoader.yar: -------------------------------------------------------------------------------- 1 | rule EmotetLoader 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Emotet Loader" 6 | cape_type = "EmotetLoader Payload" 7 | strings: 8 | $antihook = {8B 15 ?? ?? ?? ?? 03 15 ?? ?? ?? ?? 89 95 28 FF FF FF A1 ?? ?? ?? ?? 2D 4D 01 00 00 A3 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 3B 0D ?? ?? ?? ?? 
76 26 8B 95 18 FF FF FF 8B 42 38} 9 | condition: 10 | //check for MZ Signature at offset 0 11 | uint16(0) == 0x5A4D and any of them 12 | } 13 | -------------------------------------------------------------------------------- /data/yara/CAPE/Fareit.yar: -------------------------------------------------------------------------------- 1 | rule Fareit 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Fareit Payload" 6 | cape_type = "Fareit Payload" 7 | strings: 8 | $string1 = {0D 0A 09 09 0D 0A 0D 0A 09 20 20 20 3A 6B 74 6B 20 20 20 0D 0A 0D 0A 0D 0A 20 20 20 20 20 64 65 6C 20 20 20 20 09 20 25 31 20 20 0D 0A 09 69 66 20 20 09 09 20 65 78 69 73 74 20 09 20 20 20 25 31 20 20 09 20 20 67 6F 74 6F 20 09 0D 20 6B 74 6B 0D 0A 20 64 65 6C 20 09 20 20 25 30 20 00} 9 | condition: 10 | uint16(0) == 0x5A4D and any of ($string*) 11 | } 12 | -------------------------------------------------------------------------------- /data/yara/CAPE/Gandcrab.yar: -------------------------------------------------------------------------------- 1 | rule Gandcrab 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Gandcrab Payload" 6 | cape_type = "Gandcrab Payload" 7 | strings: 8 | $string1 = "GDCB-DECRYPT.txt" wide 9 | $string2 = "GandCrabGandCrabnomoreransom.coinomoreransom.bit" 10 | $string3 = "action=result&e_files=%d&e_size=%I64u&e_time=%d&" wide 11 | $string4 = "KRAB-DECRYPT.txt" wide 12 | condition: 13 | uint16(0) == 0x5A4D and any of ($string*) 14 | } 15 | -------------------------------------------------------------------------------- /data/yara/CAPE/Gootkit.yar: -------------------------------------------------------------------------------- 1 | rule Gootkit 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Gootkit Payload" 6 | cape_type = "Gootkit Payload" 7 | strings: 8 | $code1 = {C7 45 ?? ?? ?? 4? 00 C7 45 ?? ?? 10 40 00 C7 45 E? D8 ?? ?? 00 C7 45 ?? 00 00 00 00 C7 45 ?? 00 00 00 00 [1-2] 00 10 40 00 89 [5-6] 43 00 89 ?? ?? 
68 E8 80 00 00 FF 15} 9 | condition: 10 | uint16(0) == 0x5A4D and all of them 11 | } 12 | -------------------------------------------------------------------------------- /data/yara/CAPE/Hancitor.yar: -------------------------------------------------------------------------------- 1 | rule Hancitor 2 | { 3 | meta: 4 | author = "threathive" 5 | description = "Hancitor Payload" 6 | cape_type = "Hancitor Payload" 7 | strings: 8 | $fmt_string = "GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)" 9 | $fmt_string2 = "GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x32)" 10 | $ipfy = "http://api.ipify.org" 11 | $user_agent = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko" 12 | condition: 13 | uint16(0) == 0x5A4D and all of them 14 | } 15 | -------------------------------------------------------------------------------- /data/yara/CAPE/Hermes.yar: -------------------------------------------------------------------------------- 1 | rule Hermes 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Hermes Payload" 6 | cape_type = "Hermes Payload" 7 | strings: 8 | $ext = ".HRM" wide 9 | $vss = "vssadmin Delete" 10 | $email = "supportdecrypt@firemail.cc" wide 11 | condition: 12 | uint16(0) == 0x5A4D and all of ($*) 13 | } 14 | -------------------------------------------------------------------------------- /data/yara/CAPE/Jaff.yar: -------------------------------------------------------------------------------- 1 | rule Jaff 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Jaff Payload" 6 | cape_type = "Jaff Payload" 7 | strings: 8 | $a1 = "CryptGenKey" 9 | $a2 = "353260540318613681395633061841341670181307185694827316660016508" 10 | $b1 = "jaff" 11 | $b2 = "2~1c0q4t7" 12 | condition: 13 | uint16(0) == 0x5A4D and (any of ($a*) ) and (1 of ($b*)) 14 | } 15 | -------------------------------------------------------------------------------- /data/yara/CAPE/Kovter.yar: 
-------------------------------------------------------------------------------- 1 | rule Kovter 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Kovter Payload" 6 | cape_type = "Kovter Payload" 7 | strings: 8 | $a1 = "chkok" 9 | $a2 = "k2Tdgo" 10 | $a3 = "13_13_13" 11 | $a4 = "Win Server 2008 R2" 12 | condition: 13 | uint16(0) == 0x5A4D and (all of ($a*)) 14 | } 15 | -------------------------------------------------------------------------------- /data/yara/CAPE/Kpot.yar: -------------------------------------------------------------------------------- 1 | rule Kpot 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Kpot Stealer" 6 | cape_type = "Kpot Payload" 7 | strings: 8 | $format = "%s | %s | %s | %s | %s | %s | %s | %d | %s" 9 | $username = "username:s:" 10 | $os = "OS: %S x%d" 11 | condition: 12 | uint16(0) == 0x5A4D and 2 of them 13 | } 14 | -------------------------------------------------------------------------------- /data/yara/CAPE/Kronos.yar: -------------------------------------------------------------------------------- 1 | rule Kronos 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Kronos Payload" 6 | cape_type = "Kronos Payload" 7 | strings: 8 | $a1 = "user_pref(\"network.cookie.cookieBehavior\"" 9 | $a2 = "T0E0H4U0X3A3D4D8" 10 | $a3 = "wow64cpu.dll" wide 11 | $a4 = "Kronos" fullword ascii wide 12 | condition: 13 | uint16(0) == 0x5A4D and (2 of ($a*)) 14 | } 15 | -------------------------------------------------------------------------------- /data/yara/CAPE/Lockbit.yar: -------------------------------------------------------------------------------- 1 | rule Lockbit 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Lockbit Payload" 6 | cape_type = "Lockbit Payload" 7 | strings: 8 | $string1 = "/C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 \"%s\" & Del /f /q \"%s\"" wide 9 | $string2 = "Ransom" ascii wide 10 | $crypto = {8B 4D 08 C1 E9 10 0F B6 D1 8B 4D 0C C1 E9 08 0F B6 
C9 8B 14 95 [4] 8B 7D FC 33 14 8D [4] 8B CF C1 E9 18 33 14 8D [4] 0F B6 CB 33 14 8D [4] 8B CF 33 10} 11 | $decode1 = {8A ?4 34 ?C 0? 00 00 8B 8? 24 ?8 0? 00 00 0F BE ?? 0F BE C? 33 ?? 88 ?? 34 ?? 0? 00 00 46 83 FE 0? 72 DD} 12 | $decode2 = {8A 44 24 ?? 30 44 0C ?? 41 83 F9 ?? 72 F2} 13 | condition: 14 | uint16(0) == 0x5A4D and (2 of them) 15 | } 16 | -------------------------------------------------------------------------------- /data/yara/CAPE/Locky.yar: -------------------------------------------------------------------------------- 1 | rule Locky 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Locky Payload" 6 | cape_type = "Locky Payload" 7 | strings: 8 | $string1 = "wallet.dat" wide 9 | $string2 = "Locky_recover" wide 10 | $string3 = "opt321" wide 11 | condition: 12 | //check for MZ Signature at offset 0 13 | uint16(0) == 0x5A4D and all of them 14 | } 15 | -------------------------------------------------------------------------------- /data/yara/CAPE/LokiBot.yar: -------------------------------------------------------------------------------- 1 | rule LokiBot 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "LokiBot Payload" 6 | cape_type = "LokiBot Payload" 7 | strings: 8 | $a1 = "DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW" 9 | $a2 = "last_compatible_version" 10 | condition: 11 | uint16(0) == 0x5A4D and (all of ($a*)) 12 | } 13 | -------------------------------------------------------------------------------- /data/yara/CAPE/Lumma.yar: -------------------------------------------------------------------------------- 1 | rule Lumma 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Lumma Payload" 6 | cape_type = "Lumma Payload" 7 | packed = "0ee580f0127b821f4f1e7c032cf76475df9724a9fade2e153a69849f652045f8" 8 | packed = "23ff1c20b16d9afaf1ce443784fc9a025434a010e2194de9dec041788c369887" 9 | strings: 10 | $decode1 = {C1 (E9|EA) 02 [0-3] 0F B6 (44|4C) ?? 
FF 83 (F8|F9) 3D 74 05 83 (F8|F9) 2E 75 01 (49|4A) [0-30] 2E 75} 11 | $decode2 = {B0 40 C3 B0 3F C3 89 C8 04 D0 3C 09 77 06 80 C1 04 89 C8 C3 89 C8 04 BF 3C} 12 | $decode3 = {B0 40 C3 B0 3F C3 80 F9 30 72 ?? 80 F9 39 77 06 80 C1 04 89 C8 C3} 13 | condition: 14 | uint16(0) == 0x5a4d and any of them 15 | } 16 | -------------------------------------------------------------------------------- /data/yara/CAPE/Magniber.yar: -------------------------------------------------------------------------------- 1 | rule Magniber 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Magniber Payload" 6 | cape_type = "Magniber Payload" 7 | strings: 8 | $a1 = {8B 55 FC 83 C2 01 89 55 FC 8B 45 FC 3B 45 08 7D 45 6A 01 6A 00 E8 26 FF FF FF 83 C4 08 89 45 F4 83 7D F4 00 75 18 6A 7A 6A 61 E8 11 FF FF FF 83 C4 08 8B 4D FC 8B 55 F8 66 89 04 4A EB 16} 9 | condition: 10 | uint16(0) == 0x5A4D and (all of ($a*)) 11 | } 12 | -------------------------------------------------------------------------------- /data/yara/CAPE/MassLogger.yar: -------------------------------------------------------------------------------- 1 | rule MassLogger 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "MassLogger" 6 | cape_type = "MassLogger Payload" 7 | strings: 8 | $name = "MassLogger" 9 | $fody = "Costura" 10 | condition: 11 | uint16(0) == 0x5A4D and 2 of them 12 | } 13 | -------------------------------------------------------------------------------- /data/yara/CAPE/MegaCortex.yar: -------------------------------------------------------------------------------- 1 | rule MegaCortex 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "MegaCortex Payload" 6 | cape_type = "MegaCortex Payload" 7 | strings: 8 | $str1 = ".megac0rtx" ascii wide 9 | $str2 = "vssadmin delete shadows /all" ascii 10 | $sha256 = {98 2F 8A 42 91 44 37 71 CF FB C0 B5 A5 DB B5 E9} 11 | condition: 12 | uint16(0) == 0x5A4D and all of them 13 | } 14 | 
-------------------------------------------------------------------------------- /data/yara/CAPE/Mole.yar: -------------------------------------------------------------------------------- 1 | rule Mole 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Mole Payload" 6 | cape_type = "Mole Payload" 7 | strings: 8 | $a1 = ".mole0" wide 9 | $a2 = "_HELP_INSTRUCTION.TXT" wide 10 | $a3 = "-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ" 11 | condition: 12 | uint16(0) == 0x5A4D and (all of ($a*)) 13 | } 14 | -------------------------------------------------------------------------------- /data/yara/CAPE/NanoLocker.yar: -------------------------------------------------------------------------------- 1 | rule NanoLocker 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "NanoLocker Payload" 6 | cape_type = "NanoLocker Payload" 7 | strings: 8 | $a1 = "NanoLocker" 9 | $a2 = "$humanDeadline" 10 | $a3 = "Decryptor.lnk" 11 | condition: 12 | uint16(0) == 0x5A4D and (all of ($a*)) 13 | } 14 | -------------------------------------------------------------------------------- /data/yara/CAPE/Nemty.yar: -------------------------------------------------------------------------------- 1 | rule Nemty 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Nemty Ransomware Payload" 6 | cape_type = "Nemty Payload" 7 | strings: 8 | $tordir = "TorDir" 9 | $decrypt = "DECRYPT.txt" 10 | $nemty = "NEMTY" 11 | condition: 12 | uint16(0) == 0x5A4D and all of them 13 | } 14 | -------------------------------------------------------------------------------- /data/yara/CAPE/NetTraveler.yar: -------------------------------------------------------------------------------- 1 | rule NetTraveler 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "NetTraveler Payload" 6 | cape_type = "NetTraveler Payload" 7 | strings: 8 | $string1 = { 4E 61 6D 65 3A 09 25 73 9 | 0D 0A 54 79 70 65 3A 09 10 | 25 73 0D 0A 53 65 72 76 11 | 65 72 3A 09 25 73 0D 0A } // 
Name:\t%s\r\nType:\t%s\r\nServer:\t%s\r\n 12 | $string2 = "Password Expiried Time:" 13 | $string3 = "Memory: Total:%dMB,Left:%dMB (for %.2f%s)" 14 | 15 | condition: 16 | uint16(0) == 0x5A4D and all of them 17 | } 18 | -------------------------------------------------------------------------------- /data/yara/CAPE/Obfuscar.yar: -------------------------------------------------------------------------------- 1 | rule Obfuscar 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Obfuscar xor routime" 6 | // cape_type = "AgentTesla Payload" 7 | // https://github.com/obfuscar/obfuscar/blob/65e9ced171e0f2a92d2c64c479c3a1ec3624802a/Obfuscar/Obfuscator.cs#L1693 8 | strings: 9 | $decode = {06 91 06 61 20 [4] 61 D2 9C 06 17 58 0A 06 7E [4] 8E 69 FE 04 2D ?? 2A} 10 | condition: 11 | uint16(0) == 0x5A4D and any of them 12 | } 13 | -------------------------------------------------------------------------------- /data/yara/CAPE/Pafish.yar: -------------------------------------------------------------------------------- 1 | rule Pafish 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Paranoid Fish Sandbox Detection" 6 | cape_type = "Pafish Payload" 7 | strings: 8 | $rdtsc_vmexit = {8B 45 E8 80 F4 00 89 C3 8B 45 EC 80 F4 00 89 C6 89 F0 09 D8 85 C0 75 07} 9 | $cape_string = "cape_options" 10 | condition: 11 | uint16(0) == 0x5A4D and $rdtsc_vmexit and not $cape_string 12 | } 13 | -------------------------------------------------------------------------------- /data/yara/CAPE/PetrWrap.yar: -------------------------------------------------------------------------------- 1 | rule PetrWrap 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "PetrWrap Payload" 6 | cape_type = "PetrWrap Payload" 7 | strings: 8 | $a1 = "http://petya3jxfp2f7g3i.onion/" 9 | $a2 = "http://petya3sen7dyko2n.onion" 10 | 11 | $b1 = "http://mischapuk6hyrn72.onion/" 12 | $b2 = "http://mischa5xyix2mrhd.onion/" 13 | condition: 14 | uint16(0) == 0x5A4D and (any of ($a*)) and (any of ($b*)) 
15 | } 16 | -------------------------------------------------------------------------------- /data/yara/CAPE/Petya.yar: -------------------------------------------------------------------------------- 1 | rule Petya 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Petya Payload" 6 | cape_type = "Petya Payload" 7 | strings: 8 | $a1 = "CHKDSK is repairing sector" 9 | $a2 = "wowsmith123456@posteo.net" 10 | $a3 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" wide 11 | condition: 12 | uint16(0) == 0x5A4D and (all of ($a*)) 13 | } 14 | -------------------------------------------------------------------------------- /data/yara/CAPE/Quickbind.yar: -------------------------------------------------------------------------------- 1 | rule Quickbind 2 | { 3 | meta: 4 | author = "enzok" 5 | description = "Quickbind" 6 | cape_type = "Quickbind Payload" 7 | strings: 8 | $anti_appdirs = {E8 [4] 83 F8 0? 7? ?? E8} 9 | $anti_procs_ram = {E8 [4] 83 F8 0? 7? ?? E8 [4] 3D (FF 0E | 00 0F | FF 16) 00 00} 10 | $anti_procs = {4C 89 F1 [0-9] FF D3 83 7C 24 ?? (03 | 07)} 11 | $anti_ram = {E8 [4] 3D (FF 1F | 00 20 | 00 17 | FF 0E | FF 16 | FF 2F) 00 00} 12 | $sleep = {B9 64 00 00 00 [0-7] FF} 13 | $mutex_api = "CreateMutexW" 14 | $mutex_error = {FF [1-5] 3D B7 00 00 00} 15 | condition: 16 | //any of them 17 | 3 of ($anti_*) and all of ($mutex_*) and $sleep 18 | } 19 | -------------------------------------------------------------------------------- /data/yara/CAPE/RCSession.yar: -------------------------------------------------------------------------------- 1 | rule RCSession 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "RCSession Payload" 6 | cape_type = "RCSession Payload" 7 | strings: 8 | $a1 = {56 33 F6 39 74 24 08 7E 4C 53 57 8B F8 2B FA 8B C6 25 03 00 00 80 79 05 48 83 C8 FC 40 83 E8 00 74 19 48 74 0F 48 74 05 6B C9 09 EB 15 8B C1 C1 E8 02 EB 03 8D 04 09 2B C8} 9 | $a2 = {83 C4 10 85 C0 74 ?? BE ?? ?? ?? ?? 89 74 24 10 E8 ?? ?? ?? ?? 
6A 03 68 48 0B 00 00 56 53 57 68 02 00 00 80 E8 ?? ?? ?? ?? 83 C4 18 85 C0 74 18 E8 ?? ?? ?? ?? 6A 03 68 48} 10 | condition: 11 | (any of ($a*)) 12 | } 13 | -------------------------------------------------------------------------------- /data/yara/CAPE/Ramnit.yar: -------------------------------------------------------------------------------- 1 | rule Ramnit 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Ramnit Payload" 6 | cape_type = "Ramnit Payload" 7 | strings: 8 | $DGA = {33 D2 B9 1D F3 01 00 F7 F1 8B C8 B8 A7 41 00 00 F7 E2 8B D1 8B C8 B8 14 0B 00 00 F7 E2 2B C8 33 D2 8B C1 8B} 9 | $xor_loop = {83 7D 0C 00 74 27 83 7D 14 00 74 21 8B 4D 0C 8B 7D 08 8B 75 10 BA 00 00 00 00 0B D2 75 04 8B 55 14 4A 8A 1C 32 32 1F 88 1F 47 4A E2 ED} 10 | $id_string = "{%08X-%04X-%04X-%04X-%08X%04X}" 11 | condition: 12 | uint16(0) == 0x5A4D and all of ($*) 13 | } 14 | -------------------------------------------------------------------------------- /data/yara/CAPE/Remcos.yar: -------------------------------------------------------------------------------- 1 | rule Remcos 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Remcos Payload" 6 | cape_type = "Remcos Payload" 7 | strings: 8 | $name = "Remcos" nocase 9 | $time = "%02i:%02i:%02i:%03i" 10 | $crypto1 = {81 E1 FF 00 00 80 79 ?? 4? 81 C9 00 FF FF FF 4? 8A ?4 8?} 11 | $crypto2 = {0F B6 [1-7] 8B 45 08 [0-2] 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 ?? ?? 
FF FF 30 06 47 3B 7D 0C 72} 12 | condition: 13 | uint16(0) == 0x5A4D and ($name) and ($time) and any of ($crypto*) 14 | } 15 | -------------------------------------------------------------------------------- /data/yara/CAPE/Rhadamanthys.yar: -------------------------------------------------------------------------------- 1 | rule Rhadamanthys 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Rhadamanthys Loader" 6 | cape_type = "Rhadamanthys Loader" 7 | strings: 8 | $rc4 = {88 4C 01 08 41 81 F9 00 01 00 00 7C F3 89 75 08 33 FF 8B 4D 08 3B 4D 10 72 04 83 65 08 00} 9 | $code = {8B 4D FC 3B CF 8B C1 74 0D 83 78 04 02 74 1C 8B 40 1C 3B C7 75 F3 3B CF 8B C1 74 57 83 78 04 17 74 09 8B 40 1C 3B C7 75 F3 EB} 10 | $conf = {46 BB FF 00 00 00 23 F3 0F B6 44 31 08 03 F8 23 FB 0F B6 5C 39 08 88 5C 31 08 88 44 39 08 02 C3 8B 5D 08 0F B6 C0 8A 44 08 08} 11 | $cape_string = "cape_options" 12 | condition: 13 | 2 of them and not $cape_string 14 | } 15 | -------------------------------------------------------------------------------- /data/yara/CAPE/RokRat.yar: -------------------------------------------------------------------------------- 1 | rule RokRat 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "RokRat Payload" 6 | cape_type = "RokRat Payload" 7 | strings: 8 | $code1 = {8B 57 04 8D 7F 04 33 57 FC 81 E2 FF FF FF 7F 33 57 FC 8B C2 24 01 0F B6 C0 F7 D8 1B C0 D1 EA 25 DF B0 08 99 33 87 30 06 00 00 33 C2 89 87 3C F6 FF FF 83 E9 01 75 C9} 9 | $string1 = "/pho_%s_%d.jpg" wide 10 | condition: 11 | uint16(0) == 0x5A4D and (any of ($code*)) and (any of ($string*)) 12 | } 13 | -------------------------------------------------------------------------------- /data/yara/CAPE/Rozena.yar: -------------------------------------------------------------------------------- 1 | rule Rozena 2 | { 3 | meta: 4 | cape_type = "Rozena Payload" 5 | strings: 6 | $ip_port = {FF D5 6A 0A 68 [4] 68 [4] 89 E6 50 50 50 50 40 50 40 50 68 [4] FF D5} 7 | $socket = {6A 00 6A 04 56 57 68 [4] 
FF D5 [0-5] 8B 36 6A 40 68 00 10 00 00 56 6A 00 68} 8 | condition: 9 | all of them 10 | } 11 | -------------------------------------------------------------------------------- /data/yara/CAPE/Ryuk.yar: -------------------------------------------------------------------------------- 1 | rule Ryuk 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Ryuk Payload" 6 | cape_type = "Ryuk Payload" 7 | strings: 8 | $ext = ".RYK" wide 9 | $readme = "RyukReadMe.txt" wide 10 | $main = "InvokeMainViaCRT" 11 | $code = {48 8B 4D 10 48 8B 03 48 C1 E8 07 C1 E0 04 F7 D0 33 41 08 83 E0 10 31 41 08 48 8B 4D 10 48 8B 03 48 C1 E8 09 C1 E0 03 F7 D0 33 41 08 83 E0 08 31 41 08} 12 | condition: 13 | uint16(0) == 0x5A4D and 3 of ($*) 14 | } 15 | -------------------------------------------------------------------------------- /data/yara/CAPE/Scarab.yar: -------------------------------------------------------------------------------- 1 | rule Scarab 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Scarab Payload" 6 | cape_type = "Scarab Payload" 7 | strings: 8 | $crypt1 = {8B D8 32 1A 0F B6 DB 8B 1C 9F C1 E8 08 33 D8 8B C3 42 8B D8 32 1A 0F B6 DB 8B 1C 9F C1 E8 08 33 D8 8B C3 42 8B D8 32 1A 0F B6 DB 8B 1C 9F C1 E8 08} 9 | $crypt2 = {8B 4C 82 0C 8B D9 C1 E3 18 C1 E9 08 0B D9 8B CB 0F B6 D9 8B 1C 9D AC 0C 43 00 89 5C 24 04 8B D9 C1 EB 08 0F B6 DB 8B 34 9D AC 0C 43 00 8B D9 C1 EB 10} 10 | $crypt3 = {8B 13 8B CA 81 E1 80 80 80 80 8B C1 C1 E8 07 50 8B C1 59 2B C1 25 1B 1B 1B 1B 8B CA 81 E1 7F 7F 7F 7F 03 C9 33 C1 8B C8 81 E1 80 80 80 80 8B F1 C1 EE 07} 11 | condition: 12 | uint16(0) == 0x5A4D and all of them 13 | } 14 | -------------------------------------------------------------------------------- /data/yara/CAPE/Sedreco.yar: -------------------------------------------------------------------------------- 1 | rule Sedreco 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Sedreco encrypt function entry" 6 | cape_type = "Sedreco Payload" 7 | strings: 8 | $encrypt1 = 
{55 8B EC 83 EC 2C 53 56 8B F2 57 8B 7D 08 B8 AB AA AA AA} 9 | $encrypt2 = {55 8B EC 83 EC 20 8B 4D 10 B8 AB AA AA AA} 10 | 11 | $encrypt64_1 = {48 89 4C 24 08 53 55 56 57 41 54 41 56 48 83 EC 18 45 8D 34 10 48 8B E9 B8 AB AA AA AA 4D 8B E1 44 89 44 24 60 41 F7 E0 8B F2 B8 AB AA AA AA} 12 | 13 | condition: /* NOTE(review): YARA gives 'and' higher precedence than 'or', so the MZ check below gates only $encrypt1; $encrypt2 and $encrypt64_1 alone are enough to fire, even on a non-PE buffer. If the intent was to require the MZ header for every variant, the condition should read: uint16(0) == 0x5A4D and ($encrypt1 or $encrypt2 or $encrypt64_1) */ 14 | uint16(0) == 0x5A4D and $encrypt1 or $encrypt2 or $encrypt64_1 15 | } 16 | -------------------------------------------------------------------------------- /data/yara/CAPE/Seduploader.yar: -------------------------------------------------------------------------------- 1 | rule Seduploader 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Seduploader decrypt function" 6 | cape_type = "Seduploader Payload" 7 | strings: 8 | $decrypt1 = {8D 0C 30 C7 45 FC 0A 00 00 00 33 D2 F7 75 FC 8A 82 ?? ?? ?? ?? 32 04 0F 88 01 8B 45 0C 40 89 45 0C 3B C3 7C DB} 9 | condition: 10 | uint16(0) == 0x5A4D and any of ($decrypt*) 11 | } 12 | -------------------------------------------------------------------------------- /data/yara/CAPE/Socks5Systemz.yar: -------------------------------------------------------------------------------- 1 | rule Socks5Systemz 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Socks5Systemz Payload" 6 | cape_type = "Socks5Systemz Payload" 7 | packed = "9b997d0de3fe83091726919a0dc653e22f8f8b20b1bb7d0b8485652e88396f29" 8 | strings: 9 | $chunk1 = {0F B6 84 8A [4] E9 [3] (00|FF)} 10 | $chunk2 = {0F B6 04 8D [4] E9 [3] (00|FF)} 11 | $chunk3 = {66 0F 6F 05 [4] E9 [3] (00|FF)} 12 | $chunk4 = {F0 0F B1 95 [4] E9 [3] (00|FF)} 13 | $chunk5 = {83 FA 04 E9 [3] (00|FF)} 14 | $chunk6 = {8A 04 8D [4] E9 [3] (00|FF)} 15 | $chunk7 = {83 C4 04 83 C4 04 E9} 16 | $chunk8 = {83 C2 04 87 14 24 5C E9} 17 | condition: 18 | uint16(0) == 0x5A4D and 5 of them 19 | } 20 | -------------------------------------------------------------------------------- /data/yara/CAPE/SquirrelWaffle.yar: 
-------------------------------------------------------------------------------- 1 | rule SquirrelWaffle 2 | { 3 | meta: 4 | author = "kevoreilly & R3MRUM" 5 | cape_type = "SquirrelWaffle Payload" 6 | strings: 7 | $code = {8D 45 ?? C6 45 ?? 00 0F 43 4D ?? 83 7D ?? 10 0F 43 45 ?? 8A 04 10 32 04 39 8D 4D ?? 0F B6 C0 50 6A 01 E8 [4] C6 45} 8 | $decode = {F7 75 ?? 83 7D ?? 10 8D 4D ?? 8D 45 ?? C6 45 ?? 00 0F 43 4D ?? 83 7D ?? 10 0F 43 45 ?? 8A 04 10 32 04 39} 9 | condition: 10 | uint16(0) == 0x5A4D and all of them 11 | } 12 | -------------------------------------------------------------------------------- /data/yara/CAPE/Stealc.yar: -------------------------------------------------------------------------------- 1 | rule Stealc 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Stealc Payload" 6 | cape_type = "Stealc Payload" 7 | hash = "77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d" 8 | strings: 9 | $nugget1 = {68 04 01 00 00 6A 00 FF 15 [4] 50 FF 15} 10 | $nugget2 = {64 A1 30 00 00 00 8B 40 0C 8B 40 0C 8B 00 8B 00 8B 40 18 89 45 FC} 11 | condition: 12 | uint16(0) == 0x5A4D and all of them 13 | } 14 | -------------------------------------------------------------------------------- /data/yara/CAPE/TClient.yar: -------------------------------------------------------------------------------- 1 | rule TClient 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "TClient Payload" 6 | cape_type = "TClient Payload" 7 | strings: 8 | $code1 = {41 0F B6 00 4D 8D 40 01 34 01 8B D7 83 E2 07 0F BE C8 FF C7 41 0F BE 04 91 0F AF C1 41 88 40 FF 81 FF 80 03 00 00 7C D8} 9 | condition: 10 | uint16(0) == 0x5A4D and any of ($code*) 11 | } 12 | -------------------------------------------------------------------------------- /data/yara/CAPE/TSCookie.yar: -------------------------------------------------------------------------------- 1 | rule TSCookie 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "TSCookie Payload" 6 | cape_type = "TSCookie 
Payload" 7 | strings: 8 | $string1 = "http://%s:%d" wide 9 | $string2 = "/Default.aspx" wide 10 | $string3 = "\\wship6" 11 | condition: 12 | uint16(0) == 0x5A4D and all of them 13 | } 14 | -------------------------------------------------------------------------------- /data/yara/CAPE/Varenyky.yar: -------------------------------------------------------------------------------- 1 | rule Varenyky 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Varenyky Payload" 6 | cape_type = "Varenyky Payload" 7 | strings: 8 | $onion = "jg4rli4xoagvvmw47fr2bnnfu7t2epj6owrgyoee7daoh4gxvbt3bhyd.onion" 9 | condition: 10 | uint16(0) == 0x5A4D and ($onion) 11 | } 12 | -------------------------------------------------------------------------------- /data/yara/CAPE/WanaCry.yar: -------------------------------------------------------------------------------- 1 | rule WanaCry 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "WanaCry Payload" 6 | cape_type = "WanaCry Payload" 7 | strings: 8 | $exename = "@WanaDecryptor@.exe" 9 | $res = "%08X.res" 10 | $pky = "%08X.pky" 11 | $eky = "%08X.eky" 12 | $taskstart = {8B 35 58 71 00 10 53 68 C0 D8 00 10 68 F0 DC 00 10 FF D6 83 C4 0C 53 68 B4 D8 00 10 68 24 DD 00 10 FF D6 83 C4 0C 53 68 A8 D8 00 10 68 58 DD 00 10 FF D6 53} 13 | condition: 14 | //check for MZ Signature at offset 0 15 | uint16(0) == 0x5A4D and all of them 16 | } 17 | -------------------------------------------------------------------------------- /data/yara/CAPE/XenoRAT.yar: -------------------------------------------------------------------------------- 1 | rule XenoRAT { 2 | meta: 3 | author = "jeFF0Falltrades" 4 | cape_type = "XenoRAT payload" 5 | strings: 6 | $str_xeno_rat_1 = "xeno rat" wide ascii nocase 7 | $str_xeno_rat_2 = "xeno_rat" wide ascii nocase 8 | $str_xeno_update_mgr = "XenoUpdateManager" wide ascii 9 | $str_nothingset = "nothingset" wide ascii 10 | $byte_enc_dec_pre = { 1f 10 8d [4] (0a | 0b) } 11 | $patt_config = { 72 [3] 70 80 [3] 04 } 12 | 
condition: 13 | 4 of them and #patt_config >= 5 14 | } 15 | -------------------------------------------------------------------------------- /data/yara/CAPE/ZeroT.yar: -------------------------------------------------------------------------------- 1 | rule ZeroT 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "ZeroT Payload" 6 | cape_type = "ZeroT Payload" 7 | strings: 8 | $decrypt = {8B C1 8D B5 FC FE FF FF 33 D2 03 F1 F7 75 10 88 0C 33 41 8A 04 3A 88 06 81 F9 00 01 00 00 7C E0} 9 | $string1 = "(*^GF(9042&*" 10 | $string2 = "s2-18rg1-41g3j_.;" 11 | $string3 = "GET" wide 12 | $string4 = "open" 13 | condition: 14 | uint16(0) == 0x5A4D and all of them 15 | } 16 | -------------------------------------------------------------------------------- /data/yara/CAPE/ZeusPanda.yar: -------------------------------------------------------------------------------- 1 | rule ZeusPanda 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "ZeusPanda Payload" 6 | cape_type = "ZeusPanda Payload" 7 | strings: 8 | $code1 = {8B 01 57 55 55 55 55 55 55 53 51 FF 50 0C 85 C0 78 E? 55 55 6A 03 6A 03 55 55 6A 0A FF 37} 9 | $code2 = {8D 85 B0 FD FF FF 50 68 ?? ?? ?? ?? 8D 85 90 FA FF FF 68 0E 01 00 00 50 E8 ?? ?? ?? ?? 83 C4 10 83 F8 FF 7E ?? 
68 04 01 00 00 8D 85 B0 FD FF FF} 10 | condition: 11 | //check for MZ Signature at offset 0 12 | uint16(0) == 0x5A4D and all of them 13 | } 14 | -------------------------------------------------------------------------------- /data/yara/binaries/HeavensGate.yar: -------------------------------------------------------------------------------- 1 | rule HeavensGate 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Heaven's Gate: Switch from 32-bit to 64-mode" 6 | cape_type = "Heaven's Gate" 7 | 8 | strings: 9 | $gate_v1 = {6A 33 E8 00 00 00 00 83 04 24 05 CB} 10 | $gate_v2 = {9A 00 00 00 00 33 00 89 EC 5D C3 48 83 EC 20 E8 00 00 00 00 48 83 C4 20 CB} 11 | $gate_v3 = {5A 66 BB 33 00 66 53 50 89 E0 83 C4 06 FF 28} 12 | 13 | condition: 14 | ($gate_v1 or $gate_v2 or $gate_v3) 15 | } 16 | -------------------------------------------------------------------------------- /data/yara/binaries/Themida.yar: -------------------------------------------------------------------------------- 1 | rule Themida 2 | { 3 | meta: 4 | author = "kevoreilly" 5 | description = "Themida Packer" 6 | packed = "6337ff4cf413f56cc6c9a8e67f24b8d7f94f620eae06ac9f0b113b5ba82ea176" 7 | strings: 8 | $code = {FC 31 C9 49 89 CA 31 C0 31 DB AC 30 C8 88 E9 88 D5 88 F2 B6 08 66 D1 EB 66 D1 D8 73 09} 9 | condition: 10 | uint16(0) == 0x5A4D and all of them 11 | } 12 | -------------------------------------------------------------------------------- /data/yara/macro/test: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/data/yara/macro/test -------------------------------------------------------------------------------- /data/yara/memory/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/data/yara/memory/.gitignore 
-------------------------------------------------------------------------------- /data/yara/monitor/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/data/yara/monitor/.gitkeep -------------------------------------------------------------------------------- /data/yara/monitor/yara: -------------------------------------------------------------------------------- 1 | analyzer/windows/data/yara/ -------------------------------------------------------------------------------- /data/yara/urls/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/data/yara/urls/.gitignore -------------------------------------------------------------------------------- /dev_utils/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /dev_utils/readme.md: -------------------------------------------------------------------------------- 1 | #### This folder will contain some scripts/snippets to help with faster dev and testing 2 | -------------------------------------------------------------------------------- /docs/README: -------------------------------------------------------------------------------- 1 | README 2 | 3 | The documentation for installing, using and customizing Cuckoo Sandbox is 4 | available under different forms and formats. 
5 | 6 | Under "docs/book/" you can find the complete Cuckoo Sandbox Book in three 7 | different formats: 8 | * HTML 9 | * PDF 10 | * Text 11 | 12 | Under "docs/books/src" you'll find the Sphinx sources used to build the book. 13 | 14 | Under "epydoc/" you'll find the Python documentation of Cuckoo's libs and apis 15 | generated by Epydoc. This directory contains two sub-directories: "host" and 16 | "guest", containing references for Cuckoo's Host and Guest components 17 | respectively. 18 | -------------------------------------------------------------------------------- /docs/book/src/_images/logo/cape.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/logo/cape.png -------------------------------------------------------------------------------- /docs/book/src/_images/schemas/architecture-main.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/schemas/architecture-main.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/create_kvm_snapshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/create_kvm_snapshot.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/creating_isolated_network_0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/creating_isolated_network_0.png 
-------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/creating_isolated_network_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/creating_isolated_network_1.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/creating_isolated_network_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/creating_isolated_network_2.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/creating_isolated_network_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/creating_isolated_network_3.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/creating_isolated_network_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/creating_isolated_network_4.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/creating_isolated_network_5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/creating_isolated_network_5.png 
-------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/creating_task_scheduler_0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/creating_task_scheduler_0.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/creating_task_scheduler_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/creating_task_scheduler_1.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/creating_task_scheduler_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/creating_task_scheduler_2.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/debugger2disassembler.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/debugger2disassembler.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/fog_host_management.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/fog_host_management.png -------------------------------------------------------------------------------- 
/docs/book/src/_images/screenshots/fog_image_management.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/fog_image_management.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/fog_scheduled_job.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/fog_scheduled_job.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/guest_win10_disable_firewall.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/guest_win10_disable_firewall.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/guest_win10_disable_firewall_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/guest_win10_disable_firewall_1.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/guest_win10_disable_updates.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/guest_win10_disable_updates.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/guest_win10_static_IP.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/guest_win10_static_IP.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/guest_win10_static_IP_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/guest_win10_static_IP_1.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/guest_win10_static_IP_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/guest_win10_static_IP_2.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/guest_win10_static_IP_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/guest_win10_static_IP_3.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/internal_external_snapshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/internal_external_snapshot.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/libvirt_error_virtmanager.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/libvirt_error_virtmanager.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/login_error_user_usersprofile.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/login_error_user_usersprofile.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/no_signatures.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/no_signatures.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/python_guest_win10_installation_PATH.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/python_guest_win10_installation_PATH.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/rooter_0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/rooter_0.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/running_agentpy_within_guest_0.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/running_agentpy_within_guest_0.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/running_agentpy_within_guest_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/running_agentpy_within_guest_1.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/shared_folders.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/shared_folders.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/signatures.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/signatures.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/troubleshooting_0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/troubleshooting_0.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/troubleshooting_error_0.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/troubleshooting_error_0.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/troubleshooting_error_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/troubleshooting_error_1.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/troubleshooting_error_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/troubleshooting_error_2.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/troubleshooting_error_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/troubleshooting_error_3.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/windows_network.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/windows_network.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/windows_registry.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/windows_registry.png -------------------------------------------------------------------------------- /docs/book/src/_images/screenshots/windows_security.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_images/screenshots/windows_security.png -------------------------------------------------------------------------------- /docs/book/src/_static/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/docs/book/src/_static/.gitkeep -------------------------------------------------------------------------------- /docs/book/src/customization/index.rst: -------------------------------------------------------------------------------- 1 | .. Customization chapter frontpage 2 | 3 | Customization 4 | ============= 5 | 6 | This chapter explains how to customize CAPE. 7 | CAPE is written in a modular architecture built to be as customizable as it can, 8 | to fit the needs of all users. 9 | 10 | .. toctree:: 11 | 12 | auxiliary 13 | machinery 14 | packages 15 | processing 16 | signatures 17 | reporting 18 | -------------------------------------------------------------------------------- /docs/book/src/development/current_module_improvement.rst: -------------------------------------------------------------------------------- 1 | ==================== 2 | Development examples 3 | ==================== 4 | 5 | Curtain 6 | ======= 7 | 8 | .. code-block:: python 9 | 10 | from modules.processing.curtain import deobfuscate 11 | blob = """here""" 12 | print(deobfuscate(blob)) 13 | 14 | Suricata name detection 15 | ======================= 16 | 17 | .. 
code-block:: python 18 | 19 | import os, sys 20 | CUCKOO_ROOT = os.path.join(os.path.abspath(os.path.dirname(__file__)), "..") 21 | sys.path.append(CUCKOO_ROOT) 22 | 23 | from lib.cuckoo.common.suricata_detection import get_suricata_family 24 | # Signature example: "ET MALWARE Sharik/Smoke CnC Beacon 11" 25 | print(get_suricata_family(signature_string)) 26 | -------------------------------------------------------------------------------- /docs/book/src/development/index.rst: -------------------------------------------------------------------------------- 1 | .. Development chapter frontpage 2 | 3 | Development 4 | =========== 5 | 6 | This chapter explains how to write CAPE's code and how to contribute. 7 | 8 | .. toctree:: 9 | 10 | development_notes 11 | code_style 12 | current_module_improvement 13 | -------------------------------------------------------------------------------- /docs/book/src/installation/guest/index.rst: -------------------------------------------------------------------------------- 1 | .. _preparing_the_guest: 2 | 3 | =================== 4 | Preparing the Guest 5 | =================== 6 | 7 | At this point, you should have configured the CAPE host component and you 8 | should have designed and defined the number and the names of the virtual 9 | machines you are going to use for malware execution. 10 | 11 | Now it's time to create such machines and configure them properly. 12 | 13 | .. 
toctree:: 14 | 15 | creation 16 | requirements 17 | agent 18 | additional_configuration 19 | network 20 | troubleshooting 21 | saving 22 | cloning 23 | linux 24 | -------------------------------------------------------------------------------- /docs/book/src/installation/host/index.rst: -------------------------------------------------------------------------------- 1 | ================== 2 | Preparing the Host 3 | ================== 4 | 5 | Even though it's reported to run on other operating systems too, CAPE is 6 | originally supposed to run on a *GNU/Linux* native system. 7 | For this documentation, we chose the **latest Ubuntu LTS** as the 8 | reference system for the commands examples. 9 | 10 | .. toctree:: 11 | 12 | installation 13 | configuration 14 | routing 15 | cloud 16 | -------------------------------------------------------------------------------- /docs/book/src/installation/index.rst: -------------------------------------------------------------------------------- 1 | .. Installation chapter frontpage 2 | 3 | Installation 4 | ============ 5 | 6 | This chapter explains how to install CAPE. 7 | 8 | .. note:: 9 | 10 | This documentation refers to *Host* as the underlying operating system on 11 | which you are running CAPE (generally being a GNU/Linux distribution) and 12 | to *Guest* as the Windows virtual machine used to run the isolated analysis. 13 | 14 | .. toctree:: 15 | 16 | host/index 17 | guest/index 18 | guest_physical/index 19 | upgrade 20 | -------------------------------------------------------------------------------- /docs/book/src/integrations/index.rst: -------------------------------------------------------------------------------- 1 | .. Integrations chapter frontpage 2 | 3 | Integrations 4 | ============= 5 | 6 | This chapter explains how to integrate external/3rd party services to CAPE. 7 | CAPE is written in a modular architecture built to be as customizable as it can, 8 | to fit the needs of all users. 9 | 10 | .. 
toctree:: 11 | 12 | box-js 13 | curtain 14 | librenms 15 | suricata 16 | -------------------------------------------------------------------------------- /docs/book/src/introduction/index.rst: -------------------------------------------------------------------------------- 1 | .. Introduction chapter frontpage 2 | 3 | Introduction 4 | ============ 5 | 6 | This is an introductory chapter to CAPE Sandbox. 7 | It explains some basic malware analysis concepts, what CAPE is, and how it can fit 8 | into malware analysis. 9 | 10 | .. toctree:: 11 | 12 | sandboxing 13 | what 14 | license 15 | -------------------------------------------------------------------------------- /docs/book/src/usage/index.rst: -------------------------------------------------------------------------------- 1 | .. Usage chapter frontpage 2 | 3 | Usage 4 | ===== 5 | 6 | This chapter explains how to use CAPE. 7 | 8 | .. toctree:: 9 | 10 | start 11 | internals 12 | submit 13 | web 14 | api 15 | dist 16 | cluster_administration 17 | packages 18 | results 19 | clean 20 | rooter 21 | utilities 22 | performance 23 | monitor 24 | interactive_desktop 25 | patterns_replacement 26 | -------------------------------------------------------------------------------- /docs/requirements.txt: -------------------------------------------------------------------------------- 1 | sphinx-rtd-theme==2.0.0 2 | -------------------------------------------------------------------------------- /extra/browser_extension/manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "manifest_version": 2, 3 | "name": "Hello Extension", 4 | "version": "1.33.7", 5 | "description": "Lorem ipsum dolor sit amet, consectetur adipiscing elit", 6 | "permissions": [ 7 | "webRequest", 8 | "webRequestBlocking", 9 | "", 10 | "downloads", 11 | "http://localhost:8000/*" 12 | ], 13 | "browser_specific_settings": { 14 | "gecko": { 15 | "id": "me@domain.com" 16 | } 17 | }, 18 | "background": { 19 | 
"scripts": ["background.js"], 20 | "persistent": true 21 | } 22 | } 23 | 24 | -------------------------------------------------------------------------------- /extra/guac related/fstab.in: -------------------------------------------------------------------------------- 1 | # guacd writes recording file with owner read/write permissions only 2 | # using bindfs as work around, unless someone can provide an easier solution 3 | 4 | /opt/guacrecordings /opt/www/guacrecordings fuse.bindfs perms=0000:u+rwD:g+rwD:o+rD 0 0 -------------------------------------------------------------------------------- /extra/services/moloch: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ### BEGIN INIT INFO 3 | # Provides: moloch 4 | # Required-Start: $remote_fs $syslog 5 | # Required-Stop: $remote_fs $syslog 6 | # Default-Start: 2 3 4 5 7 | # Default-Stop: 8 | # Short-Description: moloch 9 | ### END INIT INFO 10 | 11 | case "$1" in 12 | start) 13 | su cuckoo -c "cd /data/moloch/bin/ && ./run_es.sh" 14 | sleep 10 15 | su cuckoo -c "cd /data/moloch/bin/ && screen -d -m ./run_viewer.sh" 16 | ;; 17 | stop) 18 | pkill -f "elasticsearch-0.90.10.jar" 19 | pkill -f "/data/moloch/bin/node viewer.js -c /data/moloch/etc/config.ini" 20 | ;; 21 | 22 | restart) 23 | $0 stop 24 | sleep 10 25 | $0 start 26 | ;; 27 | 28 | esac 29 | exit 0 30 | -------------------------------------------------------------------------------- /extra/whitelist_ips.txt: -------------------------------------------------------------------------------- 1 | # CloudFlare's DNS server 2 | 1.1.1.1 3 | 1.0.0.1 4 | # Google's DNS server 5 | 8.8.8.8 6 | 8.8.4.4 7 | -------------------------------------------------------------------------------- /extra/whitelist_network.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/extra/whitelist_network.txt 
-------------------------------------------------------------------------------- /extra/yara_installer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -ex 3 | 4 | # run this via... 5 | # cd /opt/CAPEv2/ ; sudo -u cape /etc/poetry/bin/poetry run extra/yara_installer.sh 6 | 7 | if [ ! -d /tmp/yara-python ]; then 8 | git clone --recursive https://github.com/VirusTotal/yara-python /tmp/yara-python 9 | fi 10 | 11 | cd /tmp/yara-python 12 | 13 | /etc/poetry/bin/poetry --directory /opt/CAPEv2 run python setup.py build --enable-cuckoo --enable-magic --enable-profiling 14 | /etc/poetry/bin/poetry --directory /opt/CAPEv2 run pip install . 15 | 16 | cd .. 17 | 18 | if [ -d yara-python ]; then 19 | rm -rf yara-python 20 | fi -------------------------------------------------------------------------------- /installer/README.md: -------------------------------------------------------------------------------- 1 | # From @doomedraven with love. 2 | * Use `sudo cape2.sh -h` 3 | -------------------------------------------------------------------------------- /lib/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /lib/cuckoo/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 
4 | -------------------------------------------------------------------------------- /lib/cuckoo/common/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /lib/cuckoo/common/cents/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/lib/cuckoo/common/cents/__init__.py -------------------------------------------------------------------------------- /lib/cuckoo/common/constants.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import os 6 | 7 | _current_dir = os.path.abspath(os.path.dirname(__file__)) 8 | CUCKOO_ROOT = os.path.normpath(os.path.join(_current_dir, "..", "..", "..")) 9 | 10 | CUSTOM_ROOT = os.path.join(CUCKOO_ROOT, "custom") 11 | CUSTOM_CONF_DIR = os.path.join(CUSTOM_ROOT, "conf") 12 | 13 | ANALYSIS_BASE_PATH = os.path.join(CUCKOO_ROOT, "storage") 14 | 15 | CUCKOO_VERSION = "2.4-CAPE" 16 | CUCKOO_GUEST_PORT = 8000 17 | CUCKOO_GUEST_INIT = 0x001 18 | CUCKOO_GUEST_RUNNING = 0x002 19 | CUCKOO_GUEST_COMPLETED = 0x003 20 | CUCKOO_GUEST_FAILED = 0x004 21 | -------------------------------------------------------------------------------- /lib/cuckoo/common/decoders/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /lib/cuckoo/common/defines.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | REG_NONE = 0 6 | REG_SZ = 1 7 | REG_EXPAND_SZ = 2 8 | REG_BINARY = 3 9 | REG_DWORD_LITTLE_ENDIAN = 4 10 | REG_DWORD = 4 11 | REG_DWORD_BIG_ENDIAN = 5 12 | 13 | PAGE_NOACCESS = 0x00000001 14 | PAGE_READONLY = 0x00000002 15 | PAGE_READWRITE = 0x00000004 16 | PAGE_WRITECOPY = 0x00000008 17 | PAGE_EXECUTE = 0x00000010 18 | PAGE_EXECUTE_READ = 0x00000020 19 | PAGE_EXECUTE_READWRITE = 0x00000040 20 | PAGE_EXECUTE_WRITECOPY = 0x00000080 21 | PAGE_GUARD = 0x00000100 22 | PAGE_NOCACHE = 0x00000200 23 | PAGE_WRITECOMBINE = 0x00000400 24 | -------------------------------------------------------------------------------- /lib/cuckoo/common/dictionary.py: -------------------------------------------------------------------------------- 1 | import copy 2 | 3 | 4 | class Dictionary(dict): 5 | """Cuckoo custom dict.""" 6 | 7 | def __deepcopy__(self, memo=None): 8 | new = self.__class__() 9 | for key, value in self.items(): 10 | new[key] = copy.deepcopy(value, memo=memo) 11 | return new 12 | 13 | def __getattr__(self, key): 14 | return self.get(key) 15 | 16 | __setattr__ = dict.__setitem__ 17 | __delattr__ = dict.__delitem__ 18 | -------------------------------------------------------------------------------- /lib/cuckoo/common/integrations/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 
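2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /lib/cuckoo/common/webadmin_utils.py: --------------------------------------------------------------------------------
# Copyright (C) 2015 KillerInstinct, Optiv, Inc. (brad.spengler@optiv.com)
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.

from django.contrib.auth.models import User


# admin utils
def disable_user(user_id: int) -> bool:
    """
    Disable a user by setting their 'is_active' status to False.

    Args:
        user_id (int): The ID of the user to disable.

    Returns:
        bool: True if the user was found and disabled, False if no user
        with that ID exists.
    """
    # ``User.objects.get()`` raises ``User.DoesNotExist`` for an unknown id,
    # so the previous ``if user:`` guard could never reach ``return False``
    # and callers got an exception instead of the documented False.
    user = User.objects.filter(id=user_id).first()
    if user is None:
        return False
    user.is_active = False
    # Persist only the flag that changed so a concurrent edit to another
    # field of the same row is not overwritten by this write.
    user.save(update_fields=["is_active"])
    return True
-------------------------------------------------------------------------------- /lib/cuckoo/core/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /modules/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission.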
4 | -------------------------------------------------------------------------------- /modules/auxiliary/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /modules/feeds/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /modules/machinery/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /modules/processing/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /modules/reporting/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 
4 | -------------------------------------------------------------------------------- /modules/reporting/mitre.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | import logging 6 | 7 | from lib.cuckoo.common.abstracts import Report 8 | from lib.cuckoo.common.integrations.mitre import mitre_generate_attck 9 | 10 | log = logging.getLogger(__name__) 11 | 12 | 13 | class MITRE_TTPS(Report): 14 | def run(self, results): 15 | if not results.get("ttps") or not hasattr(self, "mitre"): 16 | return 17 | 18 | attck = mitre_generate_attck(results, self.mitre) 19 | if attck: 20 | results["mitre_attck"] = attck 21 | -------------------------------------------------------------------------------- /modules/signatures/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /modules/signatures/all/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /modules/signatures/linux/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 
4 | -------------------------------------------------------------------------------- /modules/signatures/windows/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /systemd/cape-dist.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=CAPE distributed 3 | Documentation=https://github.com/kevoreilly/CAPEv2 4 | 5 | [Service] 6 | WorkingDirectory=/opt/CAPEv2/utils/ 7 | ExecStart=/etc/poetry/bin/poetry run python dist.py -ef 8 | User=cape 9 | Group=cape 10 | Restart=always 11 | RestartSec=5m 12 | LimitNOFILE=100000 13 | 14 | [Install] 15 | WantedBy=multi-user.target 16 | -------------------------------------------------------------------------------- /systemd/cape-fstab.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=CAPE fstab utils 3 | Documentation=https://github.com/kevoreilly/CAPEv2 4 | 5 | [Service] 6 | WorkingDirectory=/opt/CAPEv2/utils/ 7 | ExecStartPre=/etc/poetry/bin/poetry config cache-dir /opt/CAPEv2/.cache/pypoetry 8 | ExecStart=/etc/poetry/bin/poetry run python fstab.py -g cape 9 | User=root 10 | Group=root 11 | Restart=always 12 | RestartSec=5m 13 | 14 | [Install] 15 | WantedBy=multi-user.target 16 | -------------------------------------------------------------------------------- /systemd/cape-processor.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=CAPE report processor 3 | Documentation=https://github.com/kevoreilly/CAPEv2 4 | Wants=cape.service 5 | After=cape-rooter.service 6 | 7 | [Service] 8 | WorkingDirectory=/opt/CAPEv2/utils/ 9 | 
ExecStart=/etc/poetry/bin/poetry run python process.py -p7 auto -pt 900 10 | User=cape 11 | Group=cape 12 | Restart=always 13 | RestartSec=5m 14 | LimitNOFILE=100000 15 | 16 | [Install] 17 | WantedBy=multi-user.target 18 | -------------------------------------------------------------------------------- /systemd/cape-rooter.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=CAPE rooter 3 | Documentation=https://github.com/kevoreilly/CAPEv2 4 | Wants=network-online.target 5 | After=syslog.target network.target 6 | 7 | [Service] 8 | WorkingDirectory=/opt/CAPEv2/utils/ 9 | ExecStartPre=/etc/poetry/bin/poetry config cache-dir /opt/CAPEv2/.cache/pypoetry 10 | ExecStart=/etc/poetry/bin/poetry run python rooter.py -g cape 11 | User=root 12 | Group=root 13 | Restart=always 14 | RestartSec=5m 15 | 16 | [Install] 17 | WantedBy=multi-user.target 18 | -------------------------------------------------------------------------------- /systemd/cape-web.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=CAPE WSGI app 3 | Documentation=https://github.com/kevoreilly/CAPEv2 4 | Wants=cape-rooter.service 5 | After=cape-rooter.service 6 | 7 | [Service] 8 | WorkingDirectory=/opt/CAPEv2/web 9 | ExecStart=/etc/poetry/bin/poetry run python manage.py runserver_plus 0.0.0.0:8000 --traceback --keep-meta-shutdown 10 | User=cape 11 | Group=cape 12 | Restart=always 13 | RestartSec=5m 14 | # If you are behind a proxy, set the proxy variables in /etc/environment and uncomment the next line 15 | # EnvironmentFile=/etc/environment 16 | 17 | [Install] 18 | WantedBy=multi-user.target 19 | -------------------------------------------------------------------------------- /systemd/cape.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=CAPE 3 | Documentation=https://github.com/kevoreilly/CAPEv2 4 |
Wants=cape-rooter.service 5 | After=cape-rooter.service 6 | 7 | [Service] 8 | WorkingDirectory=/opt/CAPEv2/ 9 | ExecStart=/etc/poetry/bin/poetry run python cuckoo.py 10 | User=cape 11 | Group=cape 12 | Restart=always 13 | RestartSec=5m 14 | # send SIGKILL if analysis is still ongoing 4m after SIGTERM 15 | TimeoutStopSec=4m 16 | LimitNOFILE=100000 17 | 18 | [Install] 19 | WantedBy=multi-user.target 20 | -------------------------------------------------------------------------------- /systemd/guac-web.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Guacamole ASGI app 3 | 4 | [Service] 5 | WorkingDirectory=/opt/CAPEv2/web 6 | ExecStart=/etc/poetry/bin/poetry run gunicorn --bind 127.0.0.1:8008 web.asgi -t 180 -w 4 -k uvicorn.workers.UvicornWorker --capture-output --enable-stdio-inheritance 7 | User=cape 8 | Group=cape 9 | Restart=always 10 | RestartSec=5m 11 | 12 | [Install] 13 | WantedBy=multi-user.target 14 | -------------------------------------------------------------------------------- /systemd/suricata-update.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=suricata-update 3 | 4 | [Service] 5 | User=root 6 | Group=root 7 | Type=oneshot 8 | ExecStart=suricata-update --suricata /usr/bin/suricata --suricata-conf /etc/suricata/suricata.yaml -o /etc/suricata/rules/ 9 | 10 | [Install] 11 | WantedBy=multi-user.target 12 | -------------------------------------------------------------------------------- /systemd/suricata-update.timer: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Run suricata-update hourly and at boot 3 | 4 | [Timer] 5 | OnBootSec=15min 6 | OnUnitActiveSec=1h 7 | unit=suricata-update.service 8 | 9 | [Install] 10 | WantedBy=timers.target 11 | -------------------------------------------------------------------------------- /tests/readme.md: 
-------------------------------------------------------------------------------- 1 | ### To run tests you must: 2 | 3 | * Edit `tcr_misc.py` and point `SAMPLE_STORAGE` at the directory holding the samples; they may be moved to a separate GitHub repository later 4 | 5 | * Set `PYTHONPATH` 6 | ``` 7 | export PYTHONPATH=$PYTHONPATH:/opt/CAPEv2 8 | python3 -m pytest 9 | ``` 10 | -------------------------------------------------------------------------------- /tests/reporter_tests.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | 6 | from lib.cuckoo.common.abstracts import Report 7 | 8 | 9 | class ReportMock(Report): 10 | def run(self, data): 11 | return 12 | 13 | 14 | class ReportAlterMock(Report): 15 | """Corrupts results dict.""" 16 | 17 | def run(self, data): 18 | data["foo"] = "notbar" 19 | -------------------------------------------------------------------------------- /tests/sniffer_tests.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /tests/test_behavior.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission.
4 | 5 | from lib.cuckoo.common.config import Config 6 | from modules.processing.behavior import ParseProcessLog 7 | 8 | cfg = Config("processing") 9 | 10 | 11 | class TestParseProcessLog: 12 | def test_init(self): 13 | assert ( 14 | str(ParseProcessLog("CAPEv2/tests/test_bson.bson", cfg.behavior)) 15 | == "" 16 | ) 17 | -------------------------------------------------------------------------------- /tests/test_bson.bson: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/tests/test_bson.bson -------------------------------------------------------------------------------- /tests/test_cleaners_utils.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from lib.cuckoo.common import cleaners_utils 6 | 7 | 8 | def test_free_space_monitor(mocker): 9 | # Will not enter main loop 10 | cleaners_utils.free_space_monitor(return_value=True) 11 | -------------------------------------------------------------------------------- /tests/test_colors.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 
4 | 5 | from lib.cuckoo.common.colors import black, blue, bold, color, cyan, green, magenta, red, white, yellow # noqa: F401 6 | 7 | 8 | def test_return_text(): 9 | """Test colorized text contains the input string.""" 10 | assert "foo" in color("foo", 11) 11 | 12 | 13 | def test_style(): 14 | style = {"black": 30, "red": 31, "green": 32, "yellow": 33, "blue": 34, "magenta": 35, "cyan": 36, "white": 37, "bold": 1} 15 | 16 | for s in style: 17 | fn = globals()[s] 18 | assert fn("test") == "\x1b[%smtest\x1b[0m" % style[s] 19 | -------------------------------------------------------------------------------- /tests/test_logo.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from lib.cuckoo.common import logo 6 | 7 | 8 | def test_logo(capsys): 9 | logo.logo() 10 | captured = capsys.readouterr() 11 | assert "CAPE: Config and Payload Extraction" in captured.out 12 | -------------------------------------------------------------------------------- /tests/zip_compound/files/example_config.json: -------------------------------------------------------------------------------- 1 | { 2 | "path_to_extract":{ 3 | "a.exe":"%USERPROFILE%\\Desktop\\a\\b\\c", 4 | "folder_b": "%appdata%" 5 | }, 6 | "target_file":"a.exe" 7 | } 8 | -------------------------------------------------------------------------------- /tests/zip_compound/files/misconfiguration.json: -------------------------------------------------------------------------------- 1 | { 2 | "path_to_extract":{ 3 | "test_executable.exe":"%USERPROFILE%\\Desktop\\a\\b\\c" 4 | } 5 | "target_file":"test_exec.exe" 6 | } 7 | -------------------------------------------------------------------------------- /tests/zip_compound/test_extract_path.py: 
-------------------------------------------------------------------------------- 1 | import logging 2 | import os 3 | import sys 4 | 5 | logging.basicConfig(level=logging.DEBUG) 6 | 7 | testfile_dir = os.path.dirname(__file__) 8 | testfile_dir = os.path.join(testfile_dir, "..", "..", "analyzer", "windows") 9 | sys.path.append(testfile_dir) 10 | 11 | import modules.packages.zip as zip 12 | 13 | extract_dir = os.path.expandvars("%USERPROFILE%\\Desktop") 14 | 15 | 16 | def test_zip_Extraction(): 17 | zip_obj = zip.Zip() 18 | zip_obj.extract_zip("./files/test_zip.zip", extract_dir) 19 | 20 | 21 | def test_zip_JSON(): 22 | zip_obj = zip.Zip() 23 | f = zip_obj.process_unzipped_contents(extract_dir, "test_executable.exe") 24 | print(f) 25 | -------------------------------------------------------------------------------- /utils/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/utils/__init__.py -------------------------------------------------------------------------------- /utils/community_blocklist.py: -------------------------------------------------------------------------------- 1 | # Just add path inside of the list. Ex: "signatures/my_amazing_signature.py" 2 | blocklist = { 3 | "feeds": [], 4 | "signatures": [], 5 | "processing": [], 6 | "reporting": [], 7 | "machinery": [], 8 | "analyzer": [], 9 | "data": [], 10 | } 11 | -------------------------------------------------------------------------------- /utils/db_migration/script.py.mako: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 
4 | 5 | """${message} 6 | 7 | Revision ID: ${up_revision} 8 | Revises: ${down_revision} 9 | Create Date: ${create_date} 10 | 11 | """ 12 | 13 | # revision identifiers, used by Alembic. 14 | revision = ${repr(up_revision)} 15 | down_revision = ${repr(down_revision)} 16 | 17 | from alembic import op 18 | import sqlalchemy as sa 19 | ${imports if imports else ""} 20 | 21 | def upgrade(): 22 | ${upgrades if upgrades else "pass"} 23 | 24 | 25 | def downgrade(): 26 | ${downgrades if downgrades else "pass"} 27 | -------------------------------------------------------------------------------- /utils/db_migration/versions/2_3_2_custom_auth_usernames.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | """2_3_2_custom_auth_usernames 6 | 7 | Revision ID: 6dc79a3ee6e4 8 | Revises: 703266a6bbc5 9 | Create Date: 2021-06-17 08:01:32.057197 10 | 11 | """ 12 | 13 | # revision identifiers, used by Alembic. 14 | revision = "6dc79a3ee6e4" 15 | down_revision = "703266a6bbc5" 16 | 17 | import sqlalchemy as sa 18 | from alembic import op 19 | 20 | 21 | def upgrade(): 22 | op.add_column("tasks", sa.Column("username", sa.String(length=256), nullable=True)) 23 | 24 | 25 | def downgrade(): 26 | op.drop_column("tasks", "username") 27 | -------------------------------------------------------------------------------- /utils/db_migration/versions/2_3_task2user_id.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 
4 | 5 | """2.3_task2user_id 6 | 7 | Revision ID: 6ab863a3b510 8 | Revises: c554ed5f32a0 9 | Create Date: 2021-02-02 07:28:09.576652 10 | 11 | """ 12 | 13 | # revision identifiers, used by Alembic. 14 | revision = "6ab863a3b510" 15 | down_revision = "c554ed5f32a0" 16 | 17 | 18 | import sqlalchemy as sa 19 | from alembic import op 20 | 21 | 22 | def upgrade(): 23 | op.add_column("tasks", sa.Column("user_id", sa.Integer, nullable=True)) 24 | 25 | 26 | def downgrade(): 27 | op.drop_column("tasks", "user_id") 28 | -------------------------------------------------------------------------------- /utils/db_migration/versions/add_source_url.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | """add_source_url 6 | 7 | Revision ID: 2996ec5ea15c 8 | Revises: 7331c4d994fd 9 | Create Date: 2020-06-24 08:41:33.661473 10 | 11 | """ 12 | 13 | # revision identifiers, used by Alembic. 14 | revision = "2996ec5ea15c" 15 | down_revision = "7331c4d994fd" 16 | 17 | import sqlalchemy as sa 18 | from alembic import op 19 | 20 | 21 | def upgrade(): 22 | op.add_column("samples", sa.Column("source_url", sa.String(length=2000), nullable=True)) 23 | 24 | 25 | def downgrade(): 26 | op.drop_column("samples", "source_url") 27 | -------------------------------------------------------------------------------- /utils/db_migration_dist/script.py.mako: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 
4 | 5 | """${message} 6 | 7 | Revision ID: ${up_revision} 8 | Revises: ${down_revision} 9 | Create Date: ${create_date} 10 | 11 | """ 12 | 13 | # revision identifiers, used by Alembic. 14 | revision = ${repr(up_revision)} 15 | down_revision = ${repr(down_revision)} 16 | 17 | from alembic import op 18 | import sqlalchemy as sa 19 | 20 | ${imports if imports else ""} 21 | 22 | def upgrade(): 23 | ${upgrades if upgrades else "pass"} 24 | 25 | 26 | def downgrade(): 27 | ${downgrades if downgrades else "pass"} 28 | -------------------------------------------------------------------------------- /utils/db_migration_dist/versions/dist_1.3.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | """dist_1.3 6 | 7 | Revision ID: 83fd58842164 8 | Revises: b0fa23c3c9c0 9 | Create Date: 2024-02-29 08:04:50.292044 10 | 11 | """ 12 | 13 | # revision identifiers, used by Alembic. 14 | revision = "83fd58842164" 15 | down_revision = "b0fa23c3c9c0" 16 | 17 | import sqlalchemy as sa 18 | from alembic import op 19 | 20 | 21 | def upgrade(): 22 | op.add_column("task", sa.Column("tlp", sa.String(length=6), nullable=True)) 23 | 24 | 25 | def downgrade(): 26 | op.drop_column("task", "tlp") 27 | -------------------------------------------------------------------------------- /utils/db_migration_dist/versions/dist_1_1.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | """dist_1.1 6 | 7 | Revision ID: 431b7f0b3240 8 | Revises: None 9 | Create Date: 2021-03-08 13:39:01.310802 10 | 11 | """ 12 | 13 | # revision identifiers, used by Alembic. 
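14 | revision = "431b7f0b3240" 15 | down_revision = None 16 | 17 | import sqlalchemy as sa 18 | from alembic import op 19 | 20 | 21 | def upgrade(): 22 | op.add_column("task", sa.Column("route", sa.String(length=128), nullable=True)) 23 | 24 | 25 | def downgrade(): 26 | op.drop_column("task", "route") 27 | -------------------------------------------------------------------------------- /utils/down.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import os 4 | import subprocess 5 | 6 | if __name__ == "__main__": 7 | config_name = os.environ.get("config") 8 | local_ip = os.environ.get("ifconfig_local") 9 | vpn_gateway = os.environ.get("route_vpn_gateway") 10 | dev = os.environ.get("dev") 11 | ip_table = dev[3:] 12 | print("ip rule del from {} table {}".format(local_ip, ip_table)) 13 | print("ip route del default via {} dev {} table {}".format(vpn_gateway, dev, ip_table)) 14 | subprocess.call(["ip", "rule", "del", "from", local_ip, "table", ip_table]) 15 | -------------------------------------------------------------------------------- /utils/tcpdumpwrapper.py: --------------------------------------------------------------------------------
#!/usr/bin/python

# Copyright 2015 Optiv, Inc. (brad.spengler@optiv.com)
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.

"""Wait for the capture interface given with ``-i`` to exist, then exec tcpdump
with the unchanged argument vector."""

import os
import sys
import time

# Same upper bound as before: 30 polls of 0.5 s, i.e. at most 15 s of waiting.
_POLLS = 30
_POLL_INTERVAL = 0.5


def _requested_iface(argv):
    """Return the value following the last ``-i`` in *argv*, or "" if none."""
    iface = ""
    for idx, arg in enumerate(argv):
        if arg == "-i" and idx < len(argv) - 1:
            iface = argv[idx + 1]
    return iface


def _iface_present(iface):
    """Return True if *iface* is listed in /proc/net/dev.

    The file is opened in binary mode, so the separator must be bytes too:
    the previous ``line.split(":")`` raised TypeError on Python 3 before
    tcpdump was ever started. Interface lines carry leading whitespace
    (``"  eth0: ..."``), so the name is stripped before comparison.
    """
    with open("/proc/net/dev", "rb") as f:
        for line in f:
            name = line.split(b":", 1)[0].strip().decode("utf-8", "replace")
            if name == iface:
                return True
    return False


if __name__ == "__main__":
    iface = _requested_iface(sys.argv)
    # The old inner ``break`` only left the file loop, so the script always
    # slept the full 15 s; stop polling as soon as the interface shows up.
    # With no ``-i`` there is nothing to wait for and the full delay is kept,
    # matching the previous behaviour.
    for _ in range(_POLLS):
        if iface and _iface_present(iface):
            break
        time.sleep(_POLL_INTERVAL)

    os.execve("/usr/sbin/tcpdump", sys.argv, os.environ)
-------------------------------------------------------------------------------- /web/analysis/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /web/analysis/forms.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | 5 | from django import forms 6 | from submission.models import Comment, Tag 7 | 8 | 9 | class CommentForm(forms.ModelForm): 10 | class Meta: 11 | model = Comment 12 | fields = ["message"] 13 | 14 | 15 | class TagForm(forms.ModelForm): 16 | class Meta: 17 | model = Tag 18 | fields = ["name"] 19 | -------------------------------------------------------------------------------- /web/analysis/templatetags/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission.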
4 | -------------------------------------------------------------------------------- /web/analysis/templatetags/pdf_tags.py: -------------------------------------------------------------------------------- 1 | from django import template 2 | 3 | register = template.Library() 4 | 5 | 6 | @register.filter(name="datefmt") 7 | def datefmt(value): 8 | formatted = ( 9 | value[2:6] 10 | + "/" 11 | + value[6:8] 12 | + "/" 13 | + value[8:10] 14 | + " " 15 | + value[10:12] 16 | + ":" 17 | + value[12:14] 18 | + ":" 19 | + value[14:16] 20 | + " GMT" 21 | + value[16:19] 22 | ) 23 | return formatted 24 | -------------------------------------------------------------------------------- /web/apiv2/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/apiv2/__init__.py -------------------------------------------------------------------------------- /web/captcha_admin/admin.py: -------------------------------------------------------------------------------- 1 | from django.contrib import admin 2 | 3 | from .forms import AdminAuthenticationForm 4 | from .mixins import AdminSiteRegistryFix 5 | 6 | 7 | class AdminSite(admin.AdminSite, AdminSiteRegistryFix): 8 | login_form = AdminAuthenticationForm 9 | login_template = "admin/captcha_login.html" 10 | 11 | 12 | site = AdminSite() 13 | admin.site = site 14 | -------------------------------------------------------------------------------- /web/captcha_admin/apps.py: -------------------------------------------------------------------------------- 1 | from django.contrib.admin.apps import AdminConfig as _AdminConfig 2 | 3 | 4 | class AdminConfig(_AdminConfig): 5 | """ 6 | Inherit Django AdminConfig. We want the autodiscover feature. Do not define your default_site according to the 7 | Django docs. Otherwise, we will end up with a recursive import error when loading this module. 
8 | """ 9 | 10 | pass 11 | -------------------------------------------------------------------------------- /web/captcha_admin/forms.py: -------------------------------------------------------------------------------- 1 | from captcha.fields import ReCaptchaField 2 | from captcha.widgets import ReCaptchaV3 3 | from django.contrib.admin.forms import AdminAuthenticationForm as _AdminAuthenticationForm 4 | 5 | 6 | class AdminAuthenticationForm(_AdminAuthenticationForm): 7 | captcha = ReCaptchaField(widget=ReCaptchaV3) 8 | -------------------------------------------------------------------------------- /web/captcha_admin/mixins.py: -------------------------------------------------------------------------------- 1 | from django.contrib.admin.sites import site as default_site 2 | 3 | 4 | class AdminSiteRegistryFix: 5 | """ 6 | This fix links the '_registry' property to the original AdminSites 7 | '_registry' property. This is necessary, because of the character of 8 | the admins 'autodiscover' function. Otherwise the admin site will say, 9 | that you haven't permission to edit anything. 10 | """ 11 | 12 | def _registry_getter(self): 13 | return default_site._registry 14 | 15 | def _registry_setter(self, value): 16 | default_site._registry = value 17 | 18 | _registry = property(_registry_getter, _registry_setter) 19 | -------------------------------------------------------------------------------- /web/captcha_admin/models.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/captcha_admin/models.py -------------------------------------------------------------------------------- /web/compare/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 
2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file "docs/LICENSE" for copying permission. 4 | -------------------------------------------------------------------------------- /web/compare/urls.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file "docs/LICENSE" for copying permission. 4 | 5 | from django.urls import re_path 6 | 7 | from compare import views 8 | 9 | urlpatterns = [ 10 | re_path(r"^(?P\d+)/$", views.left, name="compare_left"), 11 | re_path(r"^(?P\d+)/(?P\d+)/$", views.both, name="compare_both"), 12 | re_path(r"^(?P\d+)/(?P\w+)/$", views.hash, name="compare_hash"), 13 | ] 14 | -------------------------------------------------------------------------------- /web/dashboard/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/dashboard/__init__.py -------------------------------------------------------------------------------- /web/dashboard/urls.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file "docs/LICENSE" for copying permission. 
4 | 5 | from django.urls import re_path 6 | 7 | from dashboard import views 8 | 9 | urlpatterns = [ 10 | re_path(r"^$", views.index), 11 | ] 12 | -------------------------------------------------------------------------------- /web/guac/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/guac/__init__.py -------------------------------------------------------------------------------- /web/guac/routing.py: -------------------------------------------------------------------------------- 1 | from django.urls import re_path 2 | 3 | from .consumers import GuacamoleWebSocketConsumer 4 | 5 | websocket_urlpatterns = [ 6 | re_path( 7 | r"guac/websocket-tunnel/(?P\w+)", 8 | GuacamoleWebSocketConsumer.as_asgi(), 9 | ), 10 | ] 11 | -------------------------------------------------------------------------------- /web/guac/urls.py: -------------------------------------------------------------------------------- 1 | from django.urls import re_path 2 | 3 | from guac import views 4 | 5 | urlpatterns = [ 6 | re_path(r"^(?P\d+)/(?P[\w=]+)/$", views.index, name="index"), 7 | ] 8 | -------------------------------------------------------------------------------- /web/manage.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Copyright (C) 2010-2015 Cuckoo Foundation. 3 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 4 | # See the file 'docs/LICENSE' for copying permission. 
5 | 6 | import os 7 | import sys 8 | 9 | if __name__ == "__main__": 10 | os.environ.setdefault("DJANGO_SETTINGS_MODULE", "web.settings") 11 | 12 | from django.core.management import execute_from_command_line 13 | 14 | execute_from_command_line(sys.argv) 15 | -------------------------------------------------------------------------------- /web/static/django_extensions/img/indicator.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/static/django_extensions/img/indicator.gif -------------------------------------------------------------------------------- /web/static/generated/README: -------------------------------------------------------------------------------- 1 | Statistics images generated by server are stored here 2 | -------------------------------------------------------------------------------- /web/static/graphic/background.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/static/graphic/background.png -------------------------------------------------------------------------------- /web/static/graphic/cape.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/static/graphic/cape.png -------------------------------------------------------------------------------- /web/static/img/cape.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/static/img/cape.png -------------------------------------------------------------------------------- /web/static/img/close.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/static/img/close.png -------------------------------------------------------------------------------- /web/static/img/github_login.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/static/img/github_login.png -------------------------------------------------------------------------------- /web/static/img/google_login.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/static/img/google_login.png -------------------------------------------------------------------------------- /web/static/img/loading.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/static/img/loading.gif -------------------------------------------------------------------------------- /web/static/img/next.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/static/img/next.png -------------------------------------------------------------------------------- /web/static/img/prev.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/static/img/prev.png -------------------------------------------------------------------------------- /web/static/webfonts/fa-brands-400.ttf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/static/webfonts/fa-brands-400.ttf -------------------------------------------------------------------------------- /web/static/webfonts/fa-brands-400.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/static/webfonts/fa-brands-400.woff2 -------------------------------------------------------------------------------- /web/static/webfonts/fa-regular-400.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/static/webfonts/fa-regular-400.ttf -------------------------------------------------------------------------------- /web/static/webfonts/fa-regular-400.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/static/webfonts/fa-regular-400.woff2 -------------------------------------------------------------------------------- /web/static/webfonts/fa-solid-900.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/static/webfonts/fa-solid-900.ttf -------------------------------------------------------------------------------- /web/static/webfonts/fa-solid-900.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/static/webfonts/fa-solid-900.woff2 -------------------------------------------------------------------------------- /web/static/webfonts/fa-v4compatibility.ttf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/static/webfonts/fa-v4compatibility.ttf -------------------------------------------------------------------------------- /web/static/webfonts/fa-v4compatibility.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/static/webfonts/fa-v4compatibility.woff2 -------------------------------------------------------------------------------- /web/submission/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 4 | -------------------------------------------------------------------------------- /web/submission/urls.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 
4 | 5 | from django.urls import re_path 6 | 7 | from submission import views 8 | 9 | urlpatterns = [ 10 | re_path(r"^$", views.index, name="submission"), 11 | re_path(r"^resubmit/(?P\d+)/(?P[\w\d]{64})/$", views.index, name="submission"), 12 | re_path(r"status/(?P\d+)/$", views.status, name="submission_status"), 13 | re_path(r"remote_session/(?P\d+)/$", views.remote_session, name="remote_session"), 14 | ] 15 | -------------------------------------------------------------------------------- /web/templates/account/account_inactive.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% load i18n %} 4 | 5 | {% block head_title %}{% trans "Account Inactive" %}{% endblock %} 6 | 7 | {% block content %} 8 |

{% trans "Account Inactive" %}

9 | 10 |

{% trans "This account is inactive/Admin set manual approve." %}

11 | {% endblock %} 12 | -------------------------------------------------------------------------------- /web/templates/account/login.html: -------------------------------------------------------------------------------- 1 | {% extends 'base.html' %} 2 | {% load i18n %} 3 | {% load crispy_forms_tags %} 4 | {% block title %}Log In{% endblock title %} 5 | {% block content %} 6 |
7 |

{% trans "Sign In" %}

8 |

9 | {% blocktrans %}If you have not created an account yet, then please Sign up first. 10 | {% endblocktrans %} 11 |

12 |
13 | {% csrf_token %} 14 | {{ form|crispy }} 15 | {% trans "Forgot password?" %} 16 |
17 |
18 | {% endblock content %} 19 | -------------------------------------------------------------------------------- /web/templates/account/logout.html: -------------------------------------------------------------------------------- 1 | {% extends 'base.html' %} 2 | {% load crispy_forms_tags %} 3 | {% block title %}Log Out{% endblock %} 4 | {% block content %} 5 |
6 |

Log Out

7 |

Are you sure you want to log out?

8 |
9 | {% csrf_token %} 10 | {{ form|crispy }} 11 | 12 |
13 |
14 | {% endblock content %} 15 | -------------------------------------------------------------------------------- /web/templates/account/password_change.html: -------------------------------------------------------------------------------- 1 | {% extends 'base.html' %} 2 | {% load i18n %} 3 | 4 | {% block head_title %}{% trans "Change Password" %}{% endblock %} 5 | 6 | {% block content %} 7 |

{% trans "Change Password" %}

8 | 9 |
10 | {% csrf_token %} 11 | {{ form.as_p }} 12 | 13 | {% trans "Forgot Password?" %} 14 |
15 | {% endblock %} 16 | -------------------------------------------------------------------------------- /web/templates/account/password_reset_done.html: -------------------------------------------------------------------------------- 1 | {% extends 'base.html' %} 2 | 3 | {% load i18n %} 4 | {% load account %} 5 | 6 | {% block head_title %}{% trans "Password Reset" %}{% endblock %} 7 | 8 | {% block content %} 9 |

{% trans "Password Reset" %}

10 | 11 | {% if user.is_authenticated %} 12 | {% include "account/snippets/already_logged_in.html" %} 13 | {% endif %} 14 | 15 |

{% blocktrans %}We have sent you an e-mail. Please contact us if you do not receive it within a few minutes.{% endblocktrans %}

16 | {% endblock %} 17 | -------------------------------------------------------------------------------- /web/templates/account/password_reset_from_key_done.html: -------------------------------------------------------------------------------- 1 | {% extends 'base.html' %} 2 | {% load i18n %} 3 | {% block head_title %}{% trans "Change Password" %}{% endblock %} 4 | 5 | {% block content %} 6 |

{% trans "Change Password" %}

7 |

{% trans 'Your password is now changed.' %}

8 | {% endblock %} 9 | -------------------------------------------------------------------------------- /web/templates/account/signup_closed.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% load i18n %} 4 | 5 | {% block head_title %}{% trans "Sign Up Closed" %}{% endblock %} 6 | 7 | {% block content %} 8 |

{% trans "Sign Up Closed" %}

9 | 10 |

{% trans "We are sorry, but the sign up is currently closed." %}

11 | {% endblock %} 12 | -------------------------------------------------------------------------------- /web/templates/account/verification_sent.html: -------------------------------------------------------------------------------- 1 | {% extends 'base.html' %} 2 | {% load i18n %} 3 | 4 | {% block head_title %}{% trans "Verify Your E-mail Address" %}{% endblock %} 5 | 6 | {% block content %} 7 |

{% trans "Verify Your E-mail Address" %}

8 | 9 |

{% blocktrans %}We have sent an e-mail to you for verification. Follow the link provided to finalize the signup process. Please contact us if you do not receive it within a few minutes.{% endblocktrans %}

10 | 11 | {% endblock %} 12 | -------------------------------------------------------------------------------- /web/templates/admin/base_site.html: -------------------------------------------------------------------------------- 1 | {% extends "admin/base_site.html" %} 2 | {% load static %} 3 | {% block extrahead %} 4 | 5 | {% endblock %} 6 | -------------------------------------------------------------------------------- /web/templates/analysis/CAPE/index.html: -------------------------------------------------------------------------------- 1 | {% load key_tags %} 2 | 3 | {% if CAPE.payloads %} 4 | {% if settings.ZIPPED_DOWNLOAD_ALL and tab_name in 'dropped,procdump,CAPE' %} 5 |
Download All Files
6 |
7 | {% endif %} 8 | 9 | {% for file in CAPE.payloads|dictsortreversed:"size" %} 10 | {% include "analysis/generic/_file_info.html" %} 11 | {% endfor %} 12 | {% else %} 13 |
Sorry! No CAPE files.
14 | {% endif %} 15 | -------------------------------------------------------------------------------- /web/templates/analysis/antivirus.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block content %} 3 | 4 | {% include "analysis/generic/_virustotal.html" %} 5 | {% endblock %} 6 | -------------------------------------------------------------------------------- /web/templates/analysis/behavior/_chunk.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | {% for call in chunk.calls %} 16 | 17 | {% include "analysis/behavior/_api_call.html" %} 18 | 19 | {% endfor %} 20 | 21 |
TimeTIDCallerAPIArgumentsStatusReturnRepeated
22 | -------------------------------------------------------------------------------- /web/templates/analysis/behavior/_tree.html: -------------------------------------------------------------------------------- 1 | {% load generic_tags %} 2 | {% load analysis_tags %} 3 | 4 |

Process Tree

5 |
    6 | {% for process in behavior.processtree|proctreetolist %} 7 | {% if process.startchildren %} 8 |
      9 | {% elif process.endchildren %} 10 |
    11 | {% else %} 12 |
  • 13 | {{process.name}} {{process.pid}} 14 | {% if process.commandline %} 15 | {{ process.commandline }} 16 | {% endif %} 17 | {% if detections2pid|get_detection_by_pid:process.pid %} 18 | {{ detections2pid|get_detection_by_pid:process.pid }} 19 | {% endif %} 20 |
  • 21 | {% endif %} 22 | {% endfor %} 23 |
24 | -------------------------------------------------------------------------------- /web/templates/analysis/behavior/index.html: -------------------------------------------------------------------------------- 1 | {% if behavior %} 2 | {% include "analysis/behavior/_tree.html" %} 3 |
4 | {% include "analysis/behavior/_processes.html" %} 5 | {% else %} 6 |
Sorry! No behavior.
7 | {% endif %} 8 | -------------------------------------------------------------------------------- /web/templates/analysis/dropped/index.html: -------------------------------------------------------------------------------- 1 | {% load key_tags %} 2 | 3 | {% if dropped|length > 0 %} 4 | {% if settings.ZIPPED_DOWNLOAD_ALL and tab_name in 'dropped,procdump,CAPE' %} 5 |
Download All Files
6 |
7 | {% endif %} 8 | {% for file in dropped %} 9 | {% include "analysis/generic/_file_info.html" %} 10 | {% endfor %} 11 | {% else %} 12 |
Sorry! No dropped files.
13 | {% endif %} 14 | -------------------------------------------------------------------------------- /web/templates/analysis/generic/_java.html: -------------------------------------------------------------------------------- 1 |
2 |
3 | {% if file.java and file.java.decompiled %} 4 |
{{file.java.decompiled}}
5 | {% endif %} 6 |
7 |
8 | -------------------------------------------------------------------------------- /web/templates/analysis/generic/_xlmmacro.html: -------------------------------------------------------------------------------- 1 |
2 |
3 |

XLM Macro

4 |
 5 |             {% for line in file.office.XLMMacroDeobfuscator.Code %}
 6 |                 {{line}}
 7 |             {% endfor %}
 8 |         
9 |
10 |
11 | -------------------------------------------------------------------------------- /web/templates/analysis/memory/_apihooks.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | {% for hook in memory.apihooks.data %} 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | {% endfor %} 21 | 22 |
PIDProcess NameVictim FunctionHook TypeHooking Module
{{hook.process_id}}{{hook.process_name}}{{hook.victim_function}}{{hook.hook_type}}{{hook.hooking_module}}
23 | -------------------------------------------------------------------------------- /web/templates/analysis/memory/_callbacks.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | {% for x in memory.callbacks %} 12 | 13 | 14 | 15 | 16 | 17 | 18 | {% endfor %} 19 | 20 |
ModuleCallbackTypeDetails
{{x.Module}}{{x.Callback}}{{x.Type}}{{x.Details}}
21 | -------------------------------------------------------------------------------- /web/templates/analysis/memory/_getsids.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 9 | 10 | 11 | {% for getsids in memory.getsids %} 12 | 13 | 14 | 15 | 16 | 17 | 18 | {% endfor %} 19 | 20 |
PIDProcessSIDName 8 |
{{getsids.PID}}{{getsids.Process}}{{getsids.SID}}{{getsids.Name}}
21 | -------------------------------------------------------------------------------- /web/templates/analysis/memory/_idt.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | {% for x in memory.idt.data %} 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | {% endfor %} 23 | 24 |
CPUIndexSelectorAddressModuleSection
{{x.cpu_number}}{{x.index}}{{x.selector}}{{x.address}}{{x.module}}{{x.section}}
25 | -------------------------------------------------------------------------------- /web/templates/analysis/memory/_malfind.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | {% for mal in memory.malfind %} 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | {% endfor %} 23 | 24 |
PIDProcess NameStartEndTagProtection
{{mal.PID}}{{mal.Process}}ToDoToDo{{mal.Tag}}{{mal.Protection}}
25 | -------------------------------------------------------------------------------- /web/templates/analysis/memory/_modscan.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | {% for mod in memory.modscan %} 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | {% endfor %} 21 | 22 |
Base AddressOffsetNameFileSize
{{mod.Base}}{{mod.Offset}}{{mod.Name}}{{mod.Path}}{{mod.Size}}
23 | -------------------------------------------------------------------------------- /web/templates/analysis/memory/_mutantscan.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | {% for mutex in memory.mutantscan %} 10 | 11 | 12 | 13 | 14 | {% endfor %} 15 | 16 |
OffsetName
{{mutex.Offset}}{{mutex.Name}}
17 | -------------------------------------------------------------------------------- /web/templates/analysis/memory/_privs.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 8 | 9 | 10 | 11 | 12 | {% for privs in memory.privs %} 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | {% endfor %} 21 | 22 |
PIDProcessPrivilege 7 | AttributesDescription
{{privs.PID}}{{privs.Process}}{{privs.Privilege}}{{privs.Attributes}}{{privs.Description}}
23 | -------------------------------------------------------------------------------- /web/templates/analysis/memory/_sockscan.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | {% for sock in memory.sockscan.data %} 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | {% endfor %} 23 | 24 |
OffsetPIDLocal AddressLocal PortProtocolCreation Time
{{sock.offset}}{{sock.process_id}}{{sock.address}}{{sock.port}}{{sock.protocol}}{{sock.create_time}}
25 | -------------------------------------------------------------------------------- /web/templates/analysis/memory/_ssdt.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | {% for x in memory.ssdt %} 12 | 13 | 14 | 15 | 16 | 17 | 18 | {% endfor %} 19 | 20 |
IndexSyscall AddrSyscall ModnameSyscall Name
{{x.Index}}{{x.Address}}{{x.Module}}{{x.Symbol}}
21 | -------------------------------------------------------------------------------- /web/templates/analysis/memory/_timers.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | {% for x in memory.timers.data %} 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | {% endfor %} 23 | 24 |
OffsetDue TimePeriodSignaledRoutineModule
{{x.offset}}{{x.due_time}}{{x.period}}{{x.signaled}}{{x.routine}}{{x.module}}
25 | -------------------------------------------------------------------------------- /web/templates/analysis/memory/_yarascan.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | {% for x in memory.yarascan.data %} 11 | 12 | 13 | 14 | 15 | 16 | {% endfor %} 17 | 18 |
OwnerRuleHexdump
{{x.owner}}{{x.rule}}
{{x.hexdump}}
19 | -------------------------------------------------------------------------------- /web/templates/analysis/network/_icmp.html: -------------------------------------------------------------------------------- 1 | {% if network.icmp %} 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | {% for packet in network.icmp %} 10 | 11 | 12 | 13 | 14 | 15 | 16 | {% endfor %} 17 |
SourceDestinationICMP TypeData
{{packet.src}}{{packet.dst}}{{packet.type}}{{packet.data}}
18 | {% else %} 19 |

No ICMP traffic performed.

20 | {% endif %} 21 | -------------------------------------------------------------------------------- /web/templates/analysis/network/_irc.html: -------------------------------------------------------------------------------- 1 |

IRC traffic

2 | {% if network.irc %} 3 | 4 | 5 | 6 | 7 | 8 | 9 | {% for irc in network.irc %} 10 | 11 | 12 | 13 | 14 | 15 | {% endfor %} 16 |
CommandParamsType
{{irc.command}}{{irc.params}}{{irc.type}}
17 | {% else %} 18 |

No IRC requests performed.

19 | {% endif %} 20 | -------------------------------------------------------------------------------- /web/templates/analysis/overview/_screenshots.html: -------------------------------------------------------------------------------- 1 |
2 |

Screenshots

3 | {% if analysis.shots %} 4 |
5 | {% for shot in analysis.shots %} 6 | 7 | 8 | 9 | {% endfor %} 10 |
11 | {% else %} 12 | No screenshots available. 13 | {% endif %} 14 |
15 | -------------------------------------------------------------------------------- /web/templates/analysis/overview/_url.html: -------------------------------------------------------------------------------- 1 |
2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 |

URL Details

{{analysis.url_analysis.url}}
14 |
15 | -------------------------------------------------------------------------------- /web/templates/analysis/overview/_usage.html: -------------------------------------------------------------------------------- 1 |
2 |

Usage

3 |
4 | 5 |
6 |
7 | -------------------------------------------------------------------------------- /web/templates/analysis/procdump/index.html: -------------------------------------------------------------------------------- 1 | 2 | {% if procdump|length > 0 %} 3 | {% if settings.ZIPPED_DOWNLOAD_ALL and tab_name in 'dropped,procdump,CAPE' %} 4 |
Download All Files
5 |
6 | {% endif %} 7 | {% for file in procdump %} 8 | {% include "analysis/generic/_file_info.html" %} 9 | {% endfor %} 10 | {% else %} 11 |
Sorry! No process dumps.
12 | {% endif %} 13 | -------------------------------------------------------------------------------- /web/templates/analysis/strace/_api_call.html: -------------------------------------------------------------------------------- 1 | {{call.timestamp}} 2 | {{call.api}} 3 | 4 | {% for argument in call.arguments %} 5 | {{argument.name}}: 6 | {{argument.value}} 7 |
8 | {% endfor %} 9 | 10 | 17 | {{call.return}} 18 | -------------------------------------------------------------------------------- /web/templates/analysis/strace/_chunk.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | {% for call in chunk.calls %} 13 | 14 | {% include "analysis/strace/_api_call.html" %} 15 | 16 | {% endfor %} 17 | 18 |
TimestampSyscallArgumentsReturn Value
19 | -------------------------------------------------------------------------------- /web/templates/analysis/strace/_syscall.html: -------------------------------------------------------------------------------- 1 | {{process.time}} 2 | {{process.pid}} 3 | {{process.syscall}} 4 | 5 | {% for argument in process.arguments %} 6 | {{argument.name}}: 7 | {{argument.value}} 8 |
9 | {% endfor %} 10 | 11 | {{process.retval}} 12 | -------------------------------------------------------------------------------- /web/templates/analysis/strace/_tree.html: -------------------------------------------------------------------------------- 1 | {% load generic_tags %} 2 | 3 |

Process Tree

4 |
    5 | {% for process in strace.processtree|proctreetolist %} 6 | {% if process.startchildren %} 7 |
      8 | {% elif process.endchildren %} 9 |
    10 | {% else %} 11 |
  • 12 | {{process.pid}} 13 | {% if process.name %} 14 | {{process.name}} 15 | {% endif %} 16 |
  • 17 | {% endif %} 18 | {% endfor %} 19 |
20 | -------------------------------------------------------------------------------- /web/templates/analysis/strace/index.html: -------------------------------------------------------------------------------- 1 | {% if strace %} 2 | {% include "analysis/strace/_tree.html" %} 3 |
4 | {% include "analysis/strace/_processes.html" %} 5 | {% else %} 6 |
Sorry! No strace.
7 | {% endif %} 8 | -------------------------------------------------------------------------------- /web/templates/analysis/surialert.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block content %} 3 | 4 | {% include "analysis/network/_suricata_alerts.html" %} 5 | {% endblock %} 6 | -------------------------------------------------------------------------------- /web/templates/analysis/surifiles.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block content %} 3 | 4 | {% include "analysis/network/_suricata_files.html" %} 5 | {% endblock %} 6 | -------------------------------------------------------------------------------- /web/templates/analysis/surihttp.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block content %} 3 | 4 | {% include "analysis/network/_suricata_http.html" %} 5 | {% endblock %} 6 | -------------------------------------------------------------------------------- /web/templates/analysis/suritls.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block content %} 3 | 4 | {% include "analysis/network/_suricata_tls.html" %} 5 | {% endblock %} 6 | -------------------------------------------------------------------------------- /web/templates/auth/base_site.html: -------------------------------------------------------------------------------- 1 | {% extends "auth/base.html" %} 2 | 3 | {% block title %} 4 | {{ title }} | {{ site_title|default:_('CAPE Sandbox') }} 5 | {% endblock %} 6 | 7 | {% block branding %} 8 |

{{ site_header|default:_('CAPE Sandbox') }}

9 | {% endblock %} 10 | 11 | {% block nav-global %}{% endblock %} 12 | -------------------------------------------------------------------------------- /web/templates/auth/logout.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% load i18n %} 3 | 4 | {% block content %} 5 |

{% trans "Logged out" %}

6 | {% endblock %} 7 | -------------------------------------------------------------------------------- /web/templates/base.html: -------------------------------------------------------------------------------- 1 | {%include "header.html" %} 2 |
3 | {% autoescape on %} 4 | {% block content %}{% endblock %} 5 | {% endautoescape %} 6 |
7 | {%include "footer.html" %} 8 | -------------------------------------------------------------------------------- /web/templates/error.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block content %} 3 |
ERROR :-(
{{error}}
4 | {% if errors %} 5 |

Submission Failed!

6 |
    7 | {% for block in errors %} 8 | {% for k, v in block.items %} 9 |
  • {{k}} - {{v}}
  • 10 | {% endfor %} 11 | {% endfor %} 12 |
13 |
14 | {% endif %} 15 | {% endblock %} 16 | -------------------------------------------------------------------------------- /web/templates/robots.txt: -------------------------------------------------------------------------------- 1 | User-agent: Yandex 2 | Disallow: / 3 | User-agent: Zoominfobot 4 | Disallow: / 5 | User-agent: SeznamBot 6 | Disallow: / 7 | User-agent: SemrushBot 8 | Disallow: / 9 | User-agent: MJ12bot 10 | Disallow: / 11 | User-agent: Barkrowler 12 | Disallow: / 13 | User-agent: Googlebot-Image 14 | Disallow: / 15 | User-agent: PetalBot 16 | Disallow: / 17 | User-agent: sogou spider 18 | Disallow: / 19 | User-agent: sogou+spider 20 | Disallow: / 21 | User-agent: * 22 | Disallow: /file/ 23 | Disallow: /compare/ 24 | Disallow: /submit/ 25 | Disallow: /analysis/[\w_]/ 26 | -------------------------------------------------------------------------------- /web/templates/socialaccount/authentication_error.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% load i18n %} 4 | 5 | {% block head_title %}{% trans "Social Network Login Failure" %}{% endblock %} 6 | 7 | {% block content %} 8 |

{% trans "Social Network Login Failure" %}

9 | 10 |

{% trans "An error occurred while attempting to login via your social network account." %}

11 | {% endblock %} 12 | -------------------------------------------------------------------------------- /web/templates/socialaccount/login_cancelled.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% load i18n %} 4 | 5 | {% block head_title %}{% trans "Login Cancelled" %}{% endblock %} 6 | 7 | {% block content %} 8 | 9 |

{% trans "Login Cancelled" %}

10 | 11 | {% url 'account_login' as login_url %} 12 | 13 |

{% blocktrans %}You decided to cancel logging in to our site using one of your existing accounts. If this was a mistake, please proceed to sign in.{% endblocktrans %}

14 | 15 | {% endblock %} 16 | -------------------------------------------------------------------------------- /web/templates/standalone_error.html: -------------------------------------------------------------------------------- 1 |
ERROR :-(
{{error}}
2 | -------------------------------------------------------------------------------- /web/templates/submission/remote_status.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block content %} 3 | 4 | {% if running %} 5 | 8 | {% else %} 9 | 10 |
11 |

Hang on...

12 |

The task is not running yet. This page will refresh every 5 seconds.

13 |
14 |
15 |
16 |
17 | {% endif %} 18 | {% endblock %} 19 | -------------------------------------------------------------------------------- /web/templates/success.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block content %} 3 | 4 |

Submission complete!

5 | The following tasks were added successfully: 6 | {% for task in tasks %} 7 | {{task}} 8 | {% endfor %}. 9 | Click on the links to monitor the status of the submission. 10 |
11 | {% endblock %} 12 | -------------------------------------------------------------------------------- /web/templates/success_simple.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block content %} 3 | 4 |
{{message}}
5 | {% endblock %} 6 | -------------------------------------------------------------------------------- /web/templates/success_vtup.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block content %} 3 | 4 |

VirusTotal submission complete!

5 |
6 | {{permalink}} 7 |

8 | Click on the link to view the submission. 9 |
10 | {% endblock %} 11 | -------------------------------------------------------------------------------- /web/users/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/users/__init__.py -------------------------------------------------------------------------------- /web/users/apps.py: -------------------------------------------------------------------------------- 1 | from django.apps import AppConfig 2 | 3 | 4 | class UsersConfig(AppConfig): 5 | name = "users" 6 | -------------------------------------------------------------------------------- /web/users/migrations/0002_reports.py: -------------------------------------------------------------------------------- 1 | # Generated by Django 4.1 on 2022-11-24 08:39 2 | # https://realpython.com/django-migrations-a-primer/ 3 | 4 | from django.db import migrations, models 5 | 6 | 7 | class Migration(migrations.Migration): 8 | dependencies = [ 9 | ("users", "0001_initial"), 10 | ] 11 | 12 | operations = [ 13 | migrations.AddField( 14 | model_name="userprofile", 15 | name="reports", 16 | field=models.BooleanField(default=False), 17 | ), 18 | ] 19 | -------------------------------------------------------------------------------- /web/users/migrations/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kevoreilly/CAPEv2/0907c41b708f02a3fda8abf0b065751a825b900c/web/users/migrations/__init__.py -------------------------------------------------------------------------------- /web/users/models.py: -------------------------------------------------------------------------------- 1 | from django.contrib.auth.models import User 2 | from django.db import models 3 | from django.db.models.signals import post_save 4 | from django.dispatch import receiver 5 | 6 | 7 | class UserProfile(models.Model): 8 | user = 
models.OneToOneField(User, on_delete=models.CASCADE) 9 | subscription = models.CharField(max_length=50, default="5/m") 10 | reports = models.BooleanField(default=False) 11 | 12 | def __str__(self): 13 | return self.user.username 14 | 15 | 16 | @receiver(post_save, sender=User) 17 | def create_or_update_user_profile(sender, instance, created, **kwargs): 18 | if created: 19 | UserProfile.objects.create(user=instance) 20 | if hasattr(instance, "userprofile"): 21 | instance.userprofile.save() 22 | -------------------------------------------------------------------------------- /web/users/tests.py: -------------------------------------------------------------------------------- 1 | # Create your tests here. 2 | -------------------------------------------------------------------------------- /web/users/views.py: -------------------------------------------------------------------------------- 1 | # Create your views here. 2 | -------------------------------------------------------------------------------- /web/web/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2010-2015 Cuckoo Foundation. 2 | # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 3 | # See the file 'docs/LICENSE' for copying permission. 
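
--------------------------------------------------------------------------------
/web/web/allauth_forms.py:
--------------------------------------------------------------------------------
from django import forms
from django_recaptcha.fields import ReCaptchaField
from django_recaptcha.widgets import ReCaptchaV2Checkbox


class CaptchedSignUpForm(forms.Form):
    """Sign-up form whose only field is a reCAPTCHA v2 checkbox."""

    captcha = ReCaptchaField(widget=ReCaptchaV2Checkbox)

    def signup(self, request, user):
        # Nothing extra is persisted on sign-up; the captcha is validated
        # together with the form fields.
        pass

--------------------------------------------------------------------------------
/web/web/guac_urls.py:
--------------------------------------------------------------------------------
from django.conf import settings
from django.conf.urls.static import static
from django.urls import include, re_path

# Guacamole routes plus the static-file helper (Django's static() only serves
# files when DEBUG is on).
urlpatterns = [
    re_path(r"^guac/", include("guac.urls")),
] + static(settings.STATIC_URL, document_root=settings.STATIC_ROOT)

--------------------------------------------------------------------------------
/web/web/middleware/__init__.py:
--------------------------------------------------------------------------------
from .custom_auth import CustomAuth  # noqa
from .db_transaction import DBTransactionMiddleware  # noqa

--------------------------------------------------------------------------------
/web/web/middleware/db_transaction.py:
--------------------------------------------------------------------------------
from lib.cuckoo.core.database import Database


class DBTransactionMiddleware:
    """Run each request inside one database transaction and release the session afterwards."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        db = Database()
        try:
            with db.session.begin():
                return self.get_response(request)
        finally:
            # Release the session even when the view raises. Previously remove()
            # was skipped on the error path, so the session and whatever state the
            # failed request left in it lingered until the next request on this
            # thread called remove().
            db.session.remove()

--------------------------------------------------------------------------------
/web/web/views.py:
--------------------------------------------------------------------------------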
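from django.conf import settings
from django.shortcuts import redirect, render

try:
    from django_ratelimit.exceptions import Ratelimited
except ImportError:
    try:
        from ratelimit.exceptions import Ratelimited
    except ImportError:
        print("missed dependency: poetry run pip install django-ratelimit -U")

        class Ratelimited(Exception):
            """Stand-in used when no django-ratelimit package is installed.

            Without it, the isinstance() check in handler403 raised NameError
            on every 403 response, turning a permission error into a 500.
            """


def handler403(request, exception=None):
    """Render the shared error page for a forbidden request.

    A ``Ratelimited`` exception is answered with HTTP 429 and the configured
    ``RATELIMIT_ERROR_MSG``; any other cause is a plain 403 with the fixed
    text "Forbidden". The message is rendered by error.html under autoescape.
    """
    if isinstance(exception, Ratelimited):
        return render(request, "error.html", {"error": settings.RATELIMIT_ERROR_MSG}, status=429)
    return render(request, "error.html", {"error": "Forbidden"}, status=403)


def handler404(request, exception=None):
    """Redirect any unknown URL to the site root instead of rendering a 404 page."""
    return redirect("/")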