Agent skill
performing-automated-malware-analysis-with-cape
Deploy and operate CAPEv2 sandbox for automated malware analysis with behavioral monitoring, payload extraction, configuration parsing, and anti-evasion capabilities.
Performing Automated Malware Analysis with CAPE
Overview
CAPE (Config And Payload Extraction) is an open-source malware sandbox derived from Cuckoo that automates behavioral analysis, payload dumping, and configuration extraction. CAPEv2 features API hooking for behavioral instrumentation, captures files created/modified/deleted during execution, records network traffic in PCAP format, and includes 70+ custom configuration extractors (cape-parsers) for families like Emotet, TrickBot, Cobalt Strike, AsyncRAT, and Rhadamanthys. The signature system includes 1000+ behavioral signatures detecting evasion techniques, persistence, credential theft, and ransomware behavior. CAPE's debugger enables dynamic anti-evasion bypasses combining debugger actions within YARA signatures. Recommended deployment: Ubuntu LTS host with Windows 10 21H2 guest VM.
Prerequisites
- Ubuntu 22.04 LTS server (8+ CPU cores, 32GB+ RAM, 500GB+ SSD)
- KVM/QEMU virtualization support
- Windows 10 21H2 guest image
- Python 3.9+ with CAPEv2 dependencies
- Network configuration for isolated analysis network
Practical Steps
Step 1: Submit and Analyze Samples via API
```python
#!/usr/bin/env python3
"""CAPE sandbox API client for automated malware submission and analysis."""
import json
import sys
import time

import requests


class CAPEClient:
    # Task states CAPE reports when an analysis will never reach "reported".
    FAILED_STATES = {"failed_analysis", "failed_processing", "failed_reporting"}

    def __init__(self, base_url="http://localhost:8000", api_token=None):
        self.base_url = base_url.rstrip("/")
        self.headers = {}
        if api_token:
            self.headers["Authorization"] = f"Token {api_token}"

    def submit_file(self, filepath, options=None):
        """Submit a file for analysis and return its task ID (None on failure)."""
        url = f"{self.base_url}/apiv2/tasks/create/file/"
        data = options or {}
        data.setdefault("timeout", 120)
        data.setdefault("enforce_timeout", False)
        # Open the sample in a context manager so the handle is closed after upload.
        with open(filepath, "rb") as fh:
            resp = requests.post(url, files={"file": fh}, data=data, headers=self.headers)
        resp.raise_for_status()
        result = resp.json()
        # task_ids may be missing or empty (e.g. duplicate sample rejected).
        task_id = (result.get("data", {}).get("task_ids") or [None])[0]
        print(f"[+] Submitted {filepath} -> Task ID: {task_id}")
        return task_id

    def get_status(self, task_id):
        """Check task analysis status."""
        url = f"{self.base_url}/apiv2/tasks/status/{task_id}/"
        resp = requests.get(url, headers=self.headers)
        resp.raise_for_status()
        return resp.json().get("data", "unknown")

    def wait_for_completion(self, task_id, poll_interval=15, max_wait=600):
        """Wait for analysis to complete; False on timeout or a failed state."""
        elapsed = 0
        while elapsed < max_wait:
            status = self.get_status(task_id)
            if status == "reported":
                print(f"[+] Task {task_id} completed")
                return True
            if status in self.FAILED_STATES:
                print(f"[-] Task {task_id} failed: {status}")
                return False
            time.sleep(poll_interval)
            elapsed += poll_interval
            print(f"    Waiting... ({elapsed}s, status: {status})")
        return False

    def get_report(self, task_id):
        """Retrieve the full JSON analysis report."""
        url = f"{self.base_url}/apiv2/tasks/get/report/{task_id}/"
        resp = requests.get(url, headers=self.headers)
        resp.raise_for_status()
        return resp.json()

    def get_config(self, task_id):
        """Get the malware configuration(s) extracted by cape-parsers."""
        report = self.get_report(task_id)
        return report.get("CAPE", {}).get("configs", [])

    def get_dropped_files(self, task_id):
        """List files dropped during analysis."""
        report = self.get_report(task_id)
        return report.get("dropped", [])

    def get_network_iocs(self, task_id):
        """Extract network IOCs (DNS queries, HTTP URIs, TCP endpoints)."""
        report = self.get_report(task_id)
        network = report.get("network", {})
        iocs = {
            "dns": [d.get("request") for d in network.get("dns", [])],
            "http": [h.get("uri") for h in network.get("http", [])],
            "tcp": [f"{h.get('dst')}:{h.get('dport')}"
                    for h in network.get("tcp", [])],
        }
        return iocs

    def analyze_sample(self, filepath):
        """Full automated pipeline: submit, wait, then summarise the report."""
        task_id = self.submit_file(filepath)
        if not task_id:
            return None
        if self.wait_for_completion(task_id):
            report = {
                "task_id": task_id,
                "config": self.get_config(task_id),
                "network_iocs": self.get_network_iocs(task_id),
                "dropped_files": len(self.get_dropped_files(task_id)),
            }
            return report
        return None


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <malware_sample> [cape_url]")
        sys.exit(1)
    url = sys.argv[2] if len(sys.argv) > 2 else "http://localhost:8000"
    client = CAPEClient(url)
    result = client.analyze_sample(sys.argv[1])
    if result:
        print(json.dumps(result, indent=2))
```
Validation Criteria
- Samples submitted and analyzed within configured timeout
- Behavioral signatures triggered for known malware families
- Malware configurations extracted by cape-parsers
- Network traffic captured and IOCs extracted
- Dropped files and payloads collected for further analysis
- Anti-evasion bypasses effective against sandbox-aware malware
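The criteria above can be checked mechanically against the report JSON the client retrieves. The following is an added example, not part of this skill or of the CAPE project: it runs the checks over a constructed report with the same field names the client reads (`signatures`, `CAPE.configs`, `CAPE.payloads`, `dropped`, `network`), deduplicates the IOCs, drops traffic to an assumed analysis-network range (hypothetical `ANALYSIS_NET`), and lists evasion-related signatures separately, because a fired anti-VM signature shows the sample probed the sandbox, while whether the bypass actually held still needs an analyst to read the behaviour that followed. The nested shape of each config entry (one dict keyed by family name) is an assumption about the cape-parsers output.

```python
"""Check a CAPE report against the validation criteria (added example)."""
import ipaddress
import json

# Constructed sample shaped like the JSON CAPEv2 returns from
# /apiv2/tasks/get/report/<task_id>/. Every value is invented for
# illustration; nothing here comes from a real analysis.
SAMPLE_REPORT = {
    "info": {"id": 42, "duration": 118},
    "signatures": [
        {"name": "antivm_generic_disk", "severity": 3},
        {"name": "persistence_autorun", "severity": 3},
    ],
    "CAPE": {
        # Assumed shape: one dict per extracted config, keyed by family name.
        "configs": [
            {"ExampleFamily": {"C2": ["198.51.100.23:443", "example-c2.invalid"],
                               "Campaign": "demo"}}
        ],
        "payloads": [{"sha256": "d" * 64, "cape_type": "ExampleFamily Payload"}],
    },
    "dropped": [{"name": "svchosts.exe", "sha256": "a" * 64, "size": 51200}],
    "network": {
        "dns": [{"request": "example-c2.invalid"}, {"request": "example-c2.invalid"}],
        "http": [{"uri": "http://example-c2.invalid/gate.php", "method": "POST"}],
        "tcp": [
            {"dst": "198.51.100.23", "dport": 443},
            {"dst": "192.0.2.10", "dport": 445},  # analysis network, filtered out
        ],
    },
}

# Hypothetical: the sandbox's own analysis network; traffic to it is not an IOC.
ANALYSIS_NET = ipaddress.ip_network("192.0.2.0/24")

# Signature name prefixes CAPE uses for sandbox/VM/debugger detection checks.
EVASION_PREFIXES = ("antivm", "antisandbox", "antidebug", "antianalysis")


def _flatten(value):
    """Flatten nested dicts/lists from a config entry into a list of strings."""
    if isinstance(value, dict):
        return [s for v in value.values() for s in _flatten(v)]
    if isinstance(value, list):
        return [s for v in value for s in _flatten(v)]
    return [str(value)]


def extract_iocs(report):
    """Deduplicated IOCs from the network capture and the extracted configs."""
    network = report.get("network", {})
    tcp = set()
    for conn in network.get("tcp", []):
        try:
            dst = ipaddress.ip_address(conn.get("dst", ""))
        except ValueError:
            continue
        if dst in ANALYSIS_NET:
            continue
        tcp.add(f"{dst}:{conn.get('dport')}")
    c2 = set()
    for entry in report.get("CAPE", {}).get("configs", []):
        for family_cfg in entry.values():
            if isinstance(family_cfg, dict):
                c2.update(_flatten(family_cfg.get("C2", [])))
    return {
        "dns": sorted({d.get("request") for d in network.get("dns", []) if d.get("request")}),
        "http": sorted({h.get("uri") for h in network.get("http", []) if h.get("uri")}),
        "tcp": sorted(tcp),
        "c2_from_config": sorted(c2),
    }


def validate_report(report, timeout=120):
    """Evaluate the report against the criteria; returns per-check booleans."""
    iocs = extract_iocs(report)
    sig_names = [s.get("name", "") for s in report.get("signatures", [])]
    cape = report.get("CAPE", {})
    duration = report.get("info", {}).get("duration", 0)
    checks = {
        "within_timeout": 0 < duration <= timeout,
        "signatures_triggered": bool(sig_names),
        "config_extracted": bool(cape.get("configs")),
        "network_iocs_extracted": any(iocs.values()),
        "payloads_collected": bool(report.get("dropped")) or bool(cape.get("payloads")),
    }
    return {
        "checks": checks,
        "passed": all(checks.values()),
        "iocs": iocs,
        # Reported for analyst review rather than scored pass/fail.
        "evasion_signatures": [n for n in sig_names if n.startswith(EVASION_PREFIXES)],
    }


if __name__ == "__main__":
    print(json.dumps(validate_report(SAMPLE_REPORT), indent=2))
```

Feed `validate_report()` the dict returned by `CAPEClient.get_report()` to run it against a live task; a report that fails `config_extracted` for a family listed among the cape-parsers is the usual cue to check the parser version rather than the sample.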