Installing the CAPE Sandbox to Analyze Emotet

soji256
May 26, 2019
CAPE (Malware Configuration And Payload Extraction)

CAPE (Malware Configuration And Payload Extraction) is a malware sandbox published on GitHub around September 2016. It is built on Cuckoo (more precisely, on the spender-sandbox fork) and automatically extracts payloads and configuration data from many well-known malware families.

CAPE currently has dedicated packages that dump configuration and payloads for the following malware families:

  • PlugX
  • EvilGrab
  • Sedreco
  • Cerber
  • TrickBot
  • Hancitor
  • Ursnif
  • QakBot

CAPE has config parsers/decoders for the following malware families, whose payloads are automatically extracted by a behavioural package:

  • Emotet
  • RedLeaf
  • ChChes
  • HttpBrowser
  • Enfal
  • PoisonIvy
  • Screech
  • TSCookie
  • Dridex
  • SmokeLoader

Many other malware families have their payloads automatically extracted by behavioural packages, for which CAPE uses Yara signatures to detect the payloads. This list is growing, and includes:

  • Azorult, Formbook, Ryuk, Hermes, Shade, Remcos, Ramnit, Gootkit, QtBot, ZeroT, WanaCry, NetTraveler, Locky, BadRabbit, Magniber, Redsip, Kronos, PetrWrap, Kovter, Azer, Petya, Dreambot, Atlas, NanoLocker, Mole, Codoso, Cryptoshield, Loki, Jaff, IcedID, Scarab, Cutlet, RokRat, OlympicDestroyer, Gandcrab, Fareit, ZeusPanda, AgentTesla, Imminent, Arkei, Sorgu, tRat, T5000, TClient, TreasureHunter.

There is an online instance, but CAPE can also be built locally, so I built one and used it to analyze Emotet.

Build a CAPE Environment

We will build Ubuntu 18.04.2 LTS on VMware as the Cuckoo host. On that Ubuntu host we create a Python virtualenv for Cuckoo (venv-cape) and a Windows 7 sandbox guest in VirtualBox.

CAPE Sandbox

Preparation for Ubuntu 18.04.2

Prepare a fresh Ubuntu 18.04.2 installation. Anyone setting up CAPE can do this without trouble, so I skip those steps; the rest of this article assumes the following environment.

Ubuntu18.04.2 (Cuckoo host)

  • On VMware (VMware Workstation 15 Pro)
  • Memory Size: 8GB
  • CPU Cores : 4
  • CPU ”Virtualize Intel VT-x/EPT or AMD-V/RVI” : ON
  • HDD:80GB
  • Network Adapter: NAT
  • User Name: infected
  • Ubuntu 18.04.2 LTS (iso image)
    https://www.ubuntu.com/download/desktop

“Virtualize Intel VT-x/EPT or AMD-V/RVI” exposes hardware virtualization to the Ubuntu VM (nested virtualization). It is needed only if you want to give the VirtualBox guest more than one CPU core; if you leave the guest at a single core, you can leave this setting off.

Update Ubuntu

Update Ubuntu to the latest state.

sudo apt update
sudo apt upgrade -y

Preparation for CAPE

# essential
sudo apt install -y git make automake vim

# These are required for commonly used utilities and modules.
sudo apt install -y python-dpkt python-jinja2 python-magic python-pymongo python-libvirt python-bottle python-pefile python-chardet swig libssl-dev clamav-daemon python-geoip geoip-database mono-utils

# for MongoDB
sudo apt install -y mongodb

# for Virtualenv
sudo apt install -y python python-pip python-setuptools python-virtualenv virtualenv

# for tcpdump
sudo apt install -y apparmor-utils
sudo aa-disable /usr/sbin/tcpdump

# for VirtualBox (the virtualbox package also creates the vboxusers group)
sudo apt install -y virtualbox
sudo vboxmanage hostonlyif create
sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0

# for users who are not root (in this case, user name is "infected")
# vboxusers only exists once VirtualBox is installed, so this comes after it;
# new group memberships take effect at the next login
sudo usermod -a -G vboxusers infected
sudo groupadd pcap
sudo usermod -a -G pcap infected
sudo chgrp pcap /usr/sbin/tcpdump
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
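
The following script is an added example, not part of the article or of CAPE, that verifies the non-root permission setup above: tcpdump's file capabilities, the host-only interface address, and the group membership of the current user. The parsing functions take command output as text so they can be checked against constructed strings; run_checks() executes the real commands when they are present. The two getcap output formats it accepts (older "path = caps+eip", newer "path caps=eip") are an assumption about libcap versions, not something the page states.

```python
"""Preflight check for the CAPE host permission setup (added example)."""
import re
import shutil
import subprocess

REQUIRED_CAPS = {"cap_net_raw", "cap_net_admin"}   # what setcap granted above
REQUIRED_GROUPS = {"vboxusers", "pcap"}            # groups the analysis user was added to
HOSTONLY_IF, HOSTONLY_IP = "vboxnet0", "192.168.56.1"
# Matches "cap_a,cap_b+eip" (older libcap) and "cap_a,cap_b=eip" (newer libcap)
CAP_RE = re.compile(r"((?:cap_[a-z_]+,?)+)[+=]([pie]+)")


def tcpdump_caps_ok(getcap_output):
    """True if tcpdump carries cap_net_raw and cap_net_admin in the effective and permitted sets."""
    m = CAP_RE.search(getcap_output)
    if not m:
        return False
    caps = set(m.group(1).split(","))
    flags = set(m.group(2))
    return REQUIRED_CAPS <= caps and {"e", "p"} <= flags


def hostonly_ok(ip_o_addr_output, ifname=HOSTONLY_IF, ip=HOSTONLY_IP):
    """Parse `ip -o addr` (one address per line: '<idx>: <if> inet <addr>/<len> ...')."""
    for line in ip_o_addr_output.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == ifname and f[2] == "inet" and f[3].split("/")[0] == ip:
            return True
    return False


def groups_ok(groups_output, required=REQUIRED_GROUPS):
    """Parse `id -Gn` / `groups` output (space-separated group names)."""
    return set(required) <= set(groups_output.split())


def _run(cmd):
    """Return the command's stdout, or None if the tool is not installed."""
    if not shutil.which(cmd[0]):
        return None
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def run_checks():
    """Return {check name: True/False/None}; None means the tool was not found."""
    getcap = _run(["getcap", "/usr/sbin/tcpdump"])
    addrs = _run(["ip", "-o", "addr"])
    groups = _run(["id", "-Gn"])
    return {
        "tcpdump capabilities": None if getcap is None else tcpdump_caps_ok(getcap),
        f"{HOSTONLY_IF} has {HOSTONLY_IP}": None if addrs is None else hostonly_ok(addrs),
        "user in vboxusers and pcap": None if groups is None else groups_ok(groups),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"[{'OK' if ok else 'MISSING' if ok is None else 'FAIL'}] {name}")
```

Run it as the analysis user after logging in again, since `id -Gn` reports the groups of the current session, not the ones just added to /etc/group.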

Cuckoo uses SQLite3 as its default database. Switching to MySQL or PostgreSQL is recommended mainly for performance, but SQLite3 is fine for a small, single-user installation, so we keep the default.

Preparing virtual machines for sandbox

Let’s build a Windows 7 guest for the sandbox. Follow the Cuckoo guest-preparation instructions at the link below, but be aware of the CAPE-specific changes needed to make the guest work with CAPE.

Changes for CAPE

With additional settings and packages the sandbox can also analyze PowerShell. Since the goal here is only to find out where Emotet connects, that is not covered.

CAPE Setup

virtualenv venv-cape
. venv-cape/bin/activate

These commands create and enter an isolated Python environment. While it is active, the prompt is prefixed with (venv-cape).

Virtualenv (venv-cape)

From here on, every command must be entered inside this isolated environment. If you follow the steps in order you will already be in it; if something interrupts you (a new terminal, a reboot), run “. venv-cape/bin/activate” again before continuing. The following steps assume the venv is active.

# Cuckoo requires SQLAlchemy and Python BSON.
pip install sqlalchemy bson

# To have MAEC support.
pip install cybox==2.1.0.9
pip install maec==4.1.0.11

# for yara
sudo apt install -y libtool libjansson-dev libmagic-dev
pip install yara-python
wget https://github.com/VirusTotal/yara/archive/v3.10.0.tar.gz
tar -zxf v3.10.0.tar.gz
cd yara-3.10.0
./bootstrap.sh
./configure --enable-cuckoo --enable-magic
make
sudo make install
cd ../

# for Volatility
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
python setup.py install
cd ../
pip install distorm3 pefile

# for CAPE
sudo apt install -y pkg-config libvirt-dev libfuzzy-dev libgeoip-dev
git clone https://github.com/ctxis/CAPE
cd CAPE/utils/
python ./community.py --force --rewrite --all
cd ../
pip install -r requirements.txt
cd ../

# run services
sudo service clamav-daemon start
sudo systemctl enable clamav-daemon
sudo service mongodb start
sudo systemctl enable mongodb

Modify the CAPE configuration file

The [routing] settings give the sandbox guest Internet access through the host’s uplink (ens33 here, the VMware NAT adapter; substitute your own interface name). If you do not want the guest to reach the Internet, leave them at their defaults. Keep in mind that with route = internet a live Emotet sample will contact its real C2 servers from your network, so do this only from a network you are prepared to expose.

vi CAPE/conf/cuckoo.conf

[cuckoo]
#machinery = vmwareserver
machinery = virtualbox
[resultserver]
#ip = 10.152.152.128
ip = 192.168.56.1
[routing]
#route = none
route = internet
(snip)
#internet = none
internet = ens33

Configuration for capturing network packets.

vi CAPE/conf/auxiliary.conf

[sniffer]
#interface = br0
interface = vboxnet0

Set the Volatility profile used for memory analysis to Windows 7 SP1 x86, matching the guest.

vi CAPE/conf/memory.conf

[basic]
#guest_profile = WinXPSP2x86
guest_profile = Win7SP1x86

Disable the VirusTotal lookup if you do not use it.

vi CAPE/conf/processing.conf

[virustotal]
#enabled = yes
enabled = no

Settings for VirtualBox. label must be the VM’s name in VirtualBox and snapshot the name of the snapshot you took of the prepared guest.

vi CAPE/conf/virtualbox.conf

[virtualbox]
#mode = gui
mode = headless
[cuckoo1]
#label = cuckoo1
label = Win7SP1x86
(snip)
# snapshot = Snapshot1
snapshot = cuckoo-cape
(snip)
# interface = vboxnet0
interface = vboxnet0
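
The conf edits above touch five files that must agree with each other: the resultserver IP has to be the host-only address the guest can reach, the sniffer has to listen on the same host-only interface the guest is attached to, and route = internet is useless unless [routing] internet names a real uplink. The script below is an added example (it is not CAPE’s own code) that applies exactly the changes listed in this section to in-memory copies of the files and then runs those cross-checks. The STOCK strings are constructed stand-ins for the real files, trimmed to the keys we touch; when given a CAPE/conf directory as argument it checks the real files instead. It deliberately does not write anything back, because configparser would drop the comments.

```python
"""Apply and cross-check the CAPE conf edits from this article (added example)."""
import configparser
import os
import sys

# Constructed stand-ins for the stock files, reduced to the keys the article edits.
STOCK = {
    "cuckoo.conf": """[cuckoo]
machinery = vmwareserver

[resultserver]
ip = 10.152.152.128
port = 2042

[routing]
route = none
internet = none
""",
    "auxiliary.conf": "[sniffer]\nenabled = yes\ninterface = br0\n",
    "memory.conf": "[basic]\nguest_profile = WinXPSP2x86\n",
    "processing.conf": "[virustotal]\nenabled = yes\n",
    "virtualbox.conf": """[virtualbox]
mode = gui
machines = cuckoo1

[cuckoo1]
label = cuckoo1
platform = windows
ip = 192.168.56.101
snapshot = Snapshot1
interface = vboxnet0
""",
}

# The edits made above, as (file, section, key, new value).
CHANGES = [
    ("cuckoo.conf", "cuckoo", "machinery", "virtualbox"),
    ("cuckoo.conf", "resultserver", "ip", "192.168.56.1"),
    ("cuckoo.conf", "routing", "route", "internet"),
    ("cuckoo.conf", "routing", "internet", "ens33"),
    ("auxiliary.conf", "sniffer", "interface", "vboxnet0"),
    ("memory.conf", "basic", "guest_profile", "Win7SP1x86"),
    ("processing.conf", "virustotal", "enabled", "no"),
    ("virtualbox.conf", "virtualbox", "mode", "headless"),
    ("virtualbox.conf", "cuckoo1", "label", "Win7SP1x86"),
    ("virtualbox.conf", "cuckoo1", "snapshot", "cuckoo-cape"),
    ("virtualbox.conf", "cuckoo1", "interface", "vboxnet0"),
]


def parse(text):
    cp = configparser.RawConfigParser()   # Raw: cuckoo confs are not interpolated
    cp.read_string(text)
    return cp


def load_dir(conf_dir):
    """Read the real files from a CAPE/conf directory."""
    return {name: open(os.path.join(conf_dir, name)).read() for name in STOCK}


def apply_changes(files, changes=CHANGES):
    """Return {filename: RawConfigParser} with the edits applied in memory."""
    confs = {name: parse(text) for name, text in files.items()}
    for fname, section, key, value in changes:
        cp = confs[fname]
        if not cp.has_section(section):
            cp.add_section(section)
        cp.set(section, key, value)
    return confs


def check_consistency(confs):
    """Cross-file sanity checks; returns a list of problems (empty means consistent)."""
    problems = []
    cuckoo, vbox, aux = confs["cuckoo.conf"], confs["virtualbox.conf"], confs["auxiliary.conf"]
    if cuckoo.get("cuckoo", "machinery") != "virtualbox":
        problems.append("machinery is not virtualbox")
    rs_ip = cuckoo.get("resultserver", "ip")
    rs_net = rs_ip.rsplit(".", 1)[0]          # host-only network is a /24 (netmask 255.255.255.0)
    sniff_if = aux.get("sniffer", "interface")
    for machine in vbox.get("virtualbox", "machines").split(","):
        machine = machine.strip()
        guest_ip = vbox.get(machine, "ip")
        if guest_ip.rsplit(".", 1)[0] != rs_net:
            problems.append(f"{machine}: guest ip {guest_ip} not in resultserver network {rs_net}.0/24")
        if vbox.get(machine, "interface") != sniff_if:
            problems.append(f"{machine}: interface {vbox.get(machine, 'interface')} differs from sniffer interface {sniff_if}")
    uplink = cuckoo.get("routing", "internet")
    if cuckoo.get("routing", "route") == "internet" and uplink in ("none", sniff_if):
        problems.append(f"route=internet but [routing] internet={uplink} is not a real uplink interface")
    return problems


if __name__ == "__main__":
    files = load_dir(sys.argv[1]) if len(sys.argv) > 1 else STOCK
    problems = check_consistency(apply_changes(files))
    print("\n".join(problems) if problems else "configuration is consistent")
```

Against the untouched stock values the checker reports three problems (VMware machinery, a resultserver IP outside the host-only network, and a sniffer on br0 rather than vboxnet0); after the article’s edits it reports none.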

Network Settings for CAPE

The network settings for CAPE are the same as for Cuckoo. See the linked article below for instructions.

Preparing Cuckoo-rooter

Run rooter.py in the background. Because the command is backgrounded with &, the sudo password prompt may be unable to read your input and the command fails; if that happens, kill the failed process with sudo pkill -f rooter.py and run it again (running sudo -v first, so the password is already cached, avoids the problem).

# for ifconfig
sudo apt install -y net-tools

# for cuckoo-rooter (stop/start)
#sudo pkill -f rooter.py
sudo python CAPE/utils/rooter.py /tmp/cuckoo-rooter -g infected &

Start CAPE

Now that everything is ready, start CAPE.

cd CAPE/
python cuckoo.py -d

If messages like the following appear, CAPE is running normally.

2019-05-25 18:37:23,512 [modules.machinery.virtualbox] DEBUG: Getting status for Win7SP1x86
2019-05-25 18:37:23,640 [modules.machinery.virtualbox] DEBUG: Machine Win7SP1x86 status saved
2019-05-25 18:37:23,660 [lib.cuckoo.core.scheduler] INFO: Loaded 1 machine/s
2019-05-25 18:37:23,678 [lib.cuckoo.core.scheduler] INFO: Waiting for analysis tasks.

Start another terminal and launch the Web interface.

# for venv-cape
. venv-cape/bin/activate
# for Cuckoo web
cd CAPE/web/
python manage.py migrate
python manage.py runserver

If you see output like the following, the Web UI has started correctly.

Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
Performing system checks...

Go to http://127.0.0.1:8000/ to open the CAPE home page.

CAPE - Top page

Click “Submit” at the top of the page to open the analysis settings. Here you choose the file or URL to analyze. If you know the malware family, select the matching package under Analysis Package; otherwise the default is fine, since CAPE’s Yara-based family detection is good at picking the right package automatically.

CAPE - Submit page

The screenshots below show the CAPE report for an Emotet sample. The family is identified automatically as Emotet, and the C2 addresses it communicates with have been extracted from its configuration.

CAPE Report - Emotet (1/2)
CAPE Report - Emotet (2/2)

Understanding CAPE Behavior

CAPE identifies the malware family with Yara. If an analysis submitted without a package matches a family signature, CAPE automatically submits a second analysis of the sample with the matching family package. To prevent this, check the “No CAPE submissions (disable automatic job submission)” option when submitting.

Using CAPE After a Reboot

To use CAPE after a reboot, configure vboxnet0 and start cuckoo-rooter before starting CAPE. Note that manage.py must be run from the CAPE/web/ directory, otherwise the Web UI fails to start.

sudo vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
. venv-cape/bin/activate
sudo python CAPE/utils/rooter.py /tmp/cuckoo-rooter -g infected &

cd CAPE/
python cuckoo.py -d

# From another terminal
. venv-cape/bin/activate
cd CAPE/web/
python manage.py runserver

Thanks.

References

About CAPE

About CAPE Installation

About CAPE Installation

Sites used to resolve errors

Appendix

Unresolved: Failed to run signature RegBinary

The following error may appear during analysis. The traceback shows IsPEImage unpacking a 2-byte machine field from buf[offset:offset+2], which raises when the registry value is shorter than offset+2 bytes:

2019-06-01 02:50:30,538 [lib.cuckoo.core.plugins] DEBUG: Analysis matched signature "antidebug_setunhandledexceptionfilter"
2019-06-01 02:52:33,021 [lib.cuckoo.core.plugins] ERROR: Failed to run signature RegBinary: unpack requires a string argument of length 2
Traceback (most recent call last):
File "/** CAPE DIR **/lib/cuckoo/core/plugins.py", line 482, in run
result = sig.on_call(call, proc)
File "/** CAPE DIR **/modules/signatures/CAPE.py", line 124, in on_call
self.reg_binary = IsPEImage(buf, size)
File "/** CAPE DIR **/modules/signatures/CAPE.py", line 50, in IsPEImage
machine_probe = struct.unpack("<H", buf[offset:offset+2])[0]
error: unpack requires a string argument of length 2
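
The RegBinary signature’s failure is a missing length check: struct.unpack("&lt;H", ...) insists on exactly two bytes, and a registry value shorter than the header being probed delivers fewer. The function below is an added example, written for this article rather than taken from CAPE, of the same probe (does this blob start with a PE image?) with every read bounded by the buffer length, so a short or malformed value returns False with a reason instead of raising. The machine-type table and the minimal synthetic PE header used as test input are constructed here; they are not from the page.

```python
"""Bounds-checked 'is this buffer a PE image?' probe (added example, not CAPE's code)."""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
DOS_HEADER_SIZE = 64            # sizeof(IMAGE_DOS_HEADER); e_lfanew sits at offset 0x3C
FILE_HEADER_SIZE = 20           # sizeof(IMAGE_FILE_HEADER); Machine is its first WORD
# Machine values from the PE specification that we consider plausible payloads
KNOWN_MACHINES = {0x014C: "i386", 0x8664: "amd64", 0x01C4: "armnt", 0xAA64: "arm64"}


def is_pe_image(buf):
    """Return (True, machine_name) for a well-formed DOS header + PE signature +
    known machine type, or (False, reason). Never raises on short input."""
    if len(buf) < DOS_HEADER_SIZE:
        return False, "shorter than DOS header"
    if buf[:2] != IMAGE_DOS_SIGNATURE:
        return False, "no MZ signature"
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    # The PE signature and the whole file header must fit inside the buffer
    if e_lfanew > len(buf) - (len(IMAGE_NT_SIGNATURE) + FILE_HEADER_SIZE):
        return False, "e_lfanew points past end of buffer"
    if buf[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return False, "no PE signature at e_lfanew"
    (machine,) = struct.unpack_from("<H", buf, e_lfanew + 4)
    if machine not in KNOWN_MACHINES:
        return False, f"unknown machine 0x{machine:04x}"
    return True, KNOWN_MACHINES[machine]


def build_minimal_pe(machine=0x014C, e_lfanew=0x80):
    """Constructed test input: DOS header, zero padding, then PE\\0\\0 + file header."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    pad = b"\x00" * (e_lfanew - DOS_HEADER_SIZE)
    file_hdr = IMAGE_NT_SIGNATURE + struct.pack("<H", machine) + b"\x00" * (FILE_HEADER_SIZE - 2)
    return bytes(dos) + pad + file_hdr


if __name__ == "__main__":
    sample = build_minimal_pe()
    for blob in (sample, sample[:0x81], b"\x01", b"\x00" * 64, build_minimal_pe(0x1234)):
        print(len(blob), is_pe_image(blob))
```

The truncated case sample[:0x81] is the shape of the failing registry value: a valid MZ header whose e_lfanew points beyond the data actually present. The original code reaches struct.unpack with a short slice; this version rejects it before reading.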

Unresolved: Failed to run signature critical_process & dep_disable

The following errors may appear during the analysis. I think they appear when the sample and the package don’t match.

2019-06-01 02:42:08,360 [lib.cuckoo.core.plugins] DEBUG: Analysis matched signature "antidebug_setunhandledexceptionfilter"
2019-06-01 02:42:08,428 [lib.cuckoo.core.plugins] ERROR: Failed to run signature critical_process: int() argument must be a string or a number, not 'NoneType'
Traceback (most recent call last):
File "/** CAPE DIR **/lib/cuckoo/core/plugins.py", line 482, in run
result = sig.on_call(call, proc)
File "/** CAPE DIR **/modules/signatures/critical_process.py", line 34, in on_call
value = int(self.get_argument(call, "Value"))
TypeError: int() argument must be a string or a number, not 'NoneType'
2019-06-01 02:42:08,429 [lib.cuckoo.core.plugins] ERROR: Failed to run signature dep_disable: int() argument must be a string or a number, not 'NoneType'
Traceback (most recent call last):
File "/** CAPE DIR **/lib/cuckoo/core/plugins.py", line 482, in run
result = sig.on_call(call, proc)
File "/** CAPE DIR **/modules/signatures/dep_disable.py", line 34, in on_call
value = int(self.get_argument(call, "Value"))
TypeError: int() argument must be a string or a number, not 'NoneType'

Unresolved — Blank Reports Tab

The tab looks as if it is about to render, but nothing appears.

Reports Tab

Original text

Build a CAPE Sandbox to analyze Emotet -setodaNote (Japanese)
https://soji256.hatenablog.jp/entry/2019/05/26/140145

Update History

  • 2019/05/26 New.
  • 2019/06/01 Fixed the command to boot CAPE after reboot. Review the entire installation procedure again and eliminate unnecessary steps. Added information about unresolved errors in the appendix.
  • 2019/06/08 Changed the title from “Build a CAPE Sandbox to analyze Emotet”.
  • 2020/03/03 Revised.

soji256

Loves cats and CTFs. …ᓚᘏᗢ… [twitter:@soji256] ,CISSP