diff --git a/docker/.env.example b/docker/.env.example
deleted file mode 100644
index ac45eb4a119..00000000000
--- a/docker/.env.example
+++ /dev/null
@@ -1,8 +0,0 @@
-WEB_PORT=8000
-RESULT_PORT=2042
-PG_PORT=5432
-MONGO_PORT=27017
-
-POSTGRES_USER=cape
-POSTGRES_PASSWORD=cape
-POSTGRES_DB=cape
diff --git a/docker/Dockerfile b/docker/Dockerfile
deleted file mode 100644
index 5e8975ddc89..00000000000
--- a/docker/Dockerfile
+++ /dev/null
@@ -1,36 +0,0 @@
-FROM python:3.11-bookworm
-
-RUN apt-get update \
- && apt-get install -y --no-install-recommends git libgraphviz-dev tcpdump libcap2-bin iproute2 libjansson-dev libmagic-dev \
- && rm -rf /var/lib/apt/lists/*
-
-RUN useradd -ms /bin/bash cape
-
-RUN pip install --no-cache-dir poetry
-
-RUN poetry config virtualenvs.create false
-
-RUN mkdir -p /etc/poetry/bin && ln -s $(which poetry) /etc/poetry/bin/poetry
-RUN mkdir -p /opt && ln -s /cape /opt/CAPEv2
-
-WORKDIR /cape
-
-COPY pyproject.toml poetry.lock* ./
-
-RUN poetry install --no-interaction --no-ansi --no-root
-
-COPY . .
-
-RUN poetry install --no-interaction --no-ansi
-
-RUN pip install --no-cache-dir -U flare-floss
-RUN bash extra/yara_installer.sh
-
-RUN bash docker/pcap.sh
-
-RUN bash conf/copy_configs.sh
-RUN chown -R cape:cape /cape
-
-USER cape
-
-CMD ["bash", "docker/run.sh"]
\ No newline at end of file
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
deleted file mode 100644
index f94336ced5f..00000000000
--- a/docker/docker-compose.yml
+++ /dev/null
@@ -1,67 +0,0 @@
-services:
- cape-db:
- image: postgres:bookworm
- hostname: cape-db
- restart: unless-stopped
- ports:
- - "127.0.0.1:${PG_PORT:-5432}:5432"
- environment:
- POSTGRES_USER: ${POSTGRES_USER:-cape}
- POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-cape}
- POSTGRES_DB: ${POSTGRES_DB:-cape}
- PGDATA: /var/lib/postgresql/data/pgdata
- volumes:
- - cape-db-data:/var/lib/postgresql/data
- healthcheck:
- test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-cape} -d ${POSTGRES_DB:-cape}"]
- interval: 5s
- timeout: 5s
- retries: 10
- start_period: 30s
-
- mongodb:
- image: mongo:6
- command: ["--bind_ip_all"]
- volumes:
- - cape-mongo-data:/data/db
- ports:
- - "127.0.0.1:${MONGO_PORT:-27017}:27017"
- restart: unless-stopped
- healthcheck:
- test: ["CMD", "mongosh", "--eval", "db.runCommand({ ping: 1 })"]
- interval: 10s
- timeout: 5s
- retries: 12
- start_period: 20s
-
- cape-server:
- build:
- context: ../
- dockerfile: docker/Dockerfile
- hostname: cape-server
- restart: unless-stopped
- depends_on:
- cape-db:
- condition: service_healthy
- mongodb:
- condition: service_healthy
- environment:
- - WEB_PORT=${WEB_PORT:-8000}
- - POSTGRES_USER=${POSTGRES_USER:-cape}
- - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-cape}
- - POSTGRES_DB=${POSTGRES_DB:-cape}
- ports:
- - "127.0.0.1:${RESULT_PORT:-2042}:2042" # result server
- - "127.0.0.1:${WEB_PORT:-8000}:8000" # web ui
- volumes:
- - ../conf:/cape/conf
- - ../custom/conf:/cape/custom/conf
- - ../custom:/cape/custom
- - ../storage:/cape/storage
- cap_add:
- - NET_ADMIN
- - NET_RAW
-
-volumes:
- cape-db-data:
- cape-mongo-data:
diff --git a/docker/pcap.sh b/docker/pcap.sh
deleted file mode 100644
index a83b34c0315..00000000000
--- a/docker/pcap.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-groupadd pcap
-usermod -a -G pcap cape
-chgrp pcap /usr/bin/tcpdump
-setcap cap_net_raw,cap_net_admin=eip /usr/bin/tcpdump
\ No newline at end of file
diff --git a/docker/readme.md b/docker/readme.md
deleted file mode 100644
index 7edb30667cf..00000000000
--- a/docker/readme.md
+++ /dev/null
@@ -1,4 +0,0 @@
-This is not official docker soluction!
-Is community based contribution so use on your own risks!
-
-No support here from core devs!
diff --git a/docker/run.sh b/docker/run.sh
deleted file mode 100644
index dcb91965326..00000000000
--- a/docker/run.sh
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/bash
-set -e
-
-cd /cape
-
-# Initialize configs if mounted volume is empty
-if [ ! -f "conf/cuckoo.conf" ]; then
- echo "Initializing configuration files..."
- bash conf/copy_configs.sh
-fi
-
-# Configure Database connection for Docker environment
-mkdir -p conf/cuckoo.conf.d
-DB_CONF="conf/cuckoo.conf.d/00_docker_db.conf"
-if [ ! -f "$DB_CONF" ]; then
- echo "Creating Docker DB configuration..."
- cat > "$DB_CONF" < 255:
diff --git a/web/templates/submission/index.html b/web/templates/submission/index.html
index f786652bb3e..fc1f4c9afc7 100644
--- a/web/templates/submission/index.html
+++ b/web/templates/submission/index.html
@@ -286,261 +286,199 @@
Advance
- +
-

Syntax is option1=val1,option2=val2,option3=val3, etc.

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionDescription
filenameRename the sample file
nameThis will force family extractor to run, Ex: name=trickbot
curdirChange from where execute sample, by default %TEMP%, Ex: curdir=%APPDATA% or - curdir=%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup -
executiondirSets directory to launch the file from. Need not be the same as the directory of sample file. Defaults to %TEMP% if both executiondir and curdir are not specified. Only supports full paths
freeRun without monitoring (disables many capabilities) Ex: free=1
force-sleepskipOverride default sleep skipping behavior: 0 disables all sleep skipping, 1 skips all sleeps.
full-logsBy default, logs prior to network activity for URL analyses and prior to access of the file in question for non-executable formats are suppressed. Set to 1 to disable log suppression.
force-flushFor performance reasons, logs are buffered before being sent back to the result server. We make every attempt to flush the buffer at critical points including when exceptions occur, but in some rare termination scenarios, logs may be lost. Set to 1 to force flushing of the log buffers after any non-duplicate API is called, set to 2 to force flushing of every log.
no-stealthSet to 1 to disable anti-anti-VM/sandbox code enabled by default.
buffer-maxWhen set to an integer of your choice, changes the maximum number of bytes that can be logged for most API buffers.
large-buffer-maxSome hooked APIs permit larger buffers to be logged. To change the limit for this, set this to an integer of your choice.
noreferDisables use of a fake referrer when performing URL analyses
fileWhen using the zip or rar package, set the name of the file to execute
passwordWhen using the zip or rar package, set the password to use for extraction. Also used when analyzing password-protected Office documents.
functionWhen using the dll package, set the name of the exported function/ordinal to execute. Can be multiple function/ordinals splited by colon. Ex: function=func1:func2
dllloaderWhen using the dll package, set the name of the process loading the DLL (defaults to rundll32.exe).
argumentsWhen using the dll, exe, or python packages, set the arguments to be passed to the executable or exported function.
appdataWhen using the exe package, set to 1 to run the executable out of the Application Data path instead of the Temp directory.
startbrowserSetting this option to 1 will launch a browser 30 seconds into the analysis (useful for some banking trojans).
browserdelaySets the number of seconds to wait before starting the browser with the startbrowser option. Defaults to 30 seconds.
urlWhen used with the startbrowser option, this will determine the URL the started browser will access.
debugSet to 1 to enable reporting of critical exceptions occurring during analysis, set to 2 to enable reporting of all exceptions.
disable_hook_contentSet to 1 to remove functionality of all hooks except those critical for monitoring other processes. Set to 2 to apply to all hooks.
hook-typeValid for 32-bit analyses only. Specifies the hook type to use: direct, indirect, or safe. Safe attempts a Detours-style hook.
serialSpoof the serial of the system volume as the provided hex value
single-processWhen set to 1 this will limit behaviour monitoring to the initial process only.
exclude-apisExclude the colon-separated list of APIs from being hooked
exclude-dllsExclude the colon-separated list of DLLs from being hooked
dropped-limitOverride the default dropped file limit of 100 files
compressionWhen set to 1 this will enable CAPE's extraction of compressed payloads
extractionWhen set to 1 this will enable CAPE's extraction of payloads from within each process
injectionWhen set to 1 this will enable CAPE's capture of injected payloads between processes
comboThis combines compression, injection and extraction with process dumps
dump-on-apiDump the calling module when a function from the colon-separated list of APIs is used
bp0Sets breakpoint 0 (processor/hardware) to a VA or RVA value (or module::export). Applies also to bp1-bp3.
file-offsetsBreakpoints in bp0-bp3 will be interpreted as PE file offsets rather than RVAs
break-on-returnSets breakpoints on the return address(es) from a colon-separated list of APIs
base-on-apiSets the base address to which breakpoints will be applied (and sets breakpoints)
depthSets the depth an instruction trace will step into (defaults to 0, requires Trace package)
countSets the number of instructions in a trace (defaults to 128, requires Trace package)
referrerSpecify the referrer to be used for URL tasks, overriding the default Google referrer
loop_detectionSet this option to 1 to enable loop detection (compress call logs - behavior analysis)
staticCheck if config can be extracted statically, if not, send to vm
Dl&Exec add headers examplednl_user_agent: "CAPE Sandbox", dnl_referer: google
servicedesc - for service packageService description
arguments - for service packageService arguments
store_memdumpWill force STORE memdump, only when submitting to analyzer node directly, as distributed cluster can modify this
pre_script_argsCommand line arguments for pre_script. Example: pre_script_args=file1 file2 file3
pre_script_timeoutpre_script_timeout will default to 60 seconds. Script will stop after timeout Example: pre_script_timeout=30
during_script_argsCommand line arguments for during_script. Example: during_script_args=file1 file2 file3
ignore_size_checkAllow ignore file size, must be enabled in conf/web.conf
pwshWhen using the ps1 package, prefer PowerShell Core (pwsh.exe) if available (defaults to powershell.exe)
unpackerEx: unpacker=2 - Add description here
check_shellcodeSetting check_shellcode=0 will disable checking for shellcode during package identification and extracting from archive
unhook-apisCapability to dynamically unhook previously hooked functions (unhook-apis option takes colon-separated list e.g. unhook-apis=NtSetInformationThread:NtDelayExecution)
ttdttd=1. TTD integration (Microsoft Time Travel Debugging). Requires binaries to be placed in correct folder
polarproxyRun PolarProxy to generate PCAP with decrypted TLS streams. Ex: polarproxy=1
tlsportTLS port for PolarProxy to MITM (Default: 443). Ex: tlsport=10443
mitmdumpRun mitmdump to generate HAR with decrypted TLS streams. Ex: mitmdump=1
+
+ + Syntax: option1=val1,option2=val2
+ +
+ +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
OptionDescription
filenameRename the sample file
nameForce family extractor to run (e.g., name=trickbot)
curdirExecution directory (default %TEMP%)
executiondirDirectory to launch file from (default %TEMP%)
argumentsArguments for the executable or exported function
appdataRun executable from AppData instead of Temp
pwshPrefer PowerShell Core (pwsh.exe)
freeRun without monitoring (disables many capabilities)
ignore_size_checkAllow ignore file size (must be enabled in conf)
check_shellcodeDisable shellcode check during package ID (check_shellcode=0)
functionExported function/ordinal to execute (DLL)
dllloaderProcess loading the DLL (default rundll32.exe)
fileName of file to execute (Zip/Rar)
passwordPassword for extraction/Office
startbrowserLaunch browser 30s into analysis
browserdelaySeconds to wait before starting browser
urlURL for started browser
servicedescService description (Service package)
pre_script_argsArgs for pre_script
during_script_argsArgs for during_script
langOverride system language (LCID)
standaloneRun in standalone mode (no pipe)
monitorInject monitor into PID/Explorer
shutdown-mutexMutex name for shutdown signal
terminate-eventEvent name for termination signal
terminate-processesTerminate processes on event
first-process(Internal) First process in tree
startup-timeMS since system startup
+
+
+ +
+
+ + + + + + + + + + + + + + + + + + +
OptionDescription
no-stealthDisable anti-anti-VM/sandbox tricks
force-sleepskip1 = Skip all sleeps, 0 = Disable sleep skipping
serialSpoof the system volume serial number
single-processLimit monitoring to initial process only
interactiveEnable interactive desktop mode
referrerFake referrer for URL analysis
noreferDisable fake referrer
file-of-interestSpecific file or URL being analyzed
pdfAdobe Reader specific hooks/behavior
sysvol_ctimelow/highSpoof creation time of system volume
fake-rdtscEnable fake RDTSC results
ntdll-protectEnable write protection on ntdll.dll code
ntdll-unhookEnable protection against ntdll unhooking
protected-pidsEnable protection for critical PIDs
+
+
+ +
+
+ + + + + + + + + + + + + + + + + + + + +
OptionDescription
full-logsDisable log suppression
force-flush1 = Flush after non-duplicate API, 2 = Force flush every log
buffer-maxMax size for log buffer
large-buffer-maxMax size for large log buffers
api-rate-capLimit rate of API logging
api-capLimit total number of API logs
hook-typeHook type: direct, indirect, or safe (32-bit only)
syscallEnable syscall hooks (Win10+)
disable-hook-content1 = Remove payload of non-critical hooks, 2 = All hooks
exclude-apisColon-separated list of APIs to exclude from hooking
exclude-dllsColon-separated list of DLLs to exclude from hooking
unhook-apisDynamically unhook functions (colon-separated)
coverage-modulesColon-separated list of DLLs to include in monitoring (exclude from 'dll range' filtering)
zerohookDisable all hooks except essential
hook-protectEnable write protection on hook pages
log-exceptionsEnable logging of exceptions
+
+
+ +
+
+ + + + + + + + + + + + + + + + + + + + +
OptionDescription
procdumpEnable process memory dumping on exit/timeout
procmemdumpEnable full process memory dumping
dump-on-apiDump calling module when specific APIs are called (colon-separated)
dump-config-regionDump memory regions suspected to contain C2 config
dump-cryptoDump buffers from Crypto APIs
dump-keysDump keys from CryptImportKey
amsidumpEnable AMSI buffer dumping (Win10+)
tlsdumpEnable dumping of TLS secrets
dropped-limitOverride default dropped file limit (100)
compressionEnable CAPE's extraction of compressed payloads
extractionEnable CAPE's extraction of payloads from within process
injectionEnable CAPE's capture of injected payloads
comboCombine compression, injection, and extraction
unpacker1 = Passive unpacking, 2 = Active unpacking
import-reconstructionAttempt import reconstruction on dumps
store_memdumpForce STORE memdump (submit to analyzer directly)
+
+
+ +
+
+ + + + + + + + + + + + + + + + + + +
OptionDescription
debuggerEnable internal debugger engine
debug1 = Report critical exceptions, 2 = All exceptions
bp0...bp3Hardware breakpoints (Address or Module:Export)
bpSoftware breakpoints (colon-separated addresses)
break-on-returnBreak on return from specific APIs
base-on-apiSet base address for breakpoints based on API
file-offsetsInterpret breakpoints as file offsets
trace-allEnable full execution tracing
depthTrace depth limit (default 0)
countTrace instruction count limit (default 128)
loop_detectionEnable loop detection (compress call logs)
ttdTime Travel Debugging (ttd=1)
polarproxyRun PolarProxy (TLS PCAP)
mitmdumpRun mitmdump (TLS HAR)
+
+
+
+
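Review bot: The new row `disable-hook-content` spells the option with hyphens, while the row it replaces earlier in this hunk spelled it `disable_hook_content`; if the option parser accepts only one of these forms, a user who copies the documented name gets a silently ignored setting, so the spelling should be checked against the parser and either one form kept or both listed as aliases. The first of the new tables also places rows the text itself marks as internal or that appear to be monitor plumbing — `first-process (Internal)`, `shutdown-mutex`, `terminate-event`, `startup-time` — alongside ordinary submission options such as `filename` and `arguments`; consider removing them from the submission help or grouping them under a heading such as `Internal (set by the analyzer, not for submission)` so they are not read as supported knobs. Rows such as `interactive`, `standalone` and `monitor` describe a behaviour but, unlike `ttd` or `polarproxy`, give no enabling value; adding the `option=1` form the other rows use would keep the syntax consistent. The table markup itself is stripped in this view, so the exact heading text cannot be confirmed from the hunk.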
@@ -598,15 +536,6 @@
Advance id="duringScript" name="during_script"> {% endif %} -
- -
-
-
Advance
- +
Advance
+
+ + +