Posted by Fareed Fauzi
Introduction
Note: As the CAPE developers state, running CAPE on VirtualBox is strongly NOT recommended because a VirtualBox guest is very easy for malware to detect; use KVM as suggested in the README for much better performance and anti-detection. Refer to step 4.
Based on its repository description in GitHub, CAPE is a malware sandbox. It is derived from Cuckoo and is designed to automate the process of malware analysis to extract payloads and configurations from malware.
The goal of this blog post is to provide a step-by-step tutorial on the installation and configuration of the CAPE sandbox for beginners.
Step 1: Install Ubuntu
Download and install Ubuntu 20.04 LTS
You can install Ubuntu either on a physical server or in a virtual machine.
If you're using virtual machine software, don't forget to enable "Virtualize Intel VT-x/EPT or AMD-V/RVI" for VMware or "Enable VT-x/AMD-V" for VirtualBox. Refer to Figures 1 and 2 below. This setting is required because the analysis guest will run as a nested VM inside the Ubuntu VM.
Figure 1: VMWare setting
Step 2: Install requirements
Install python and python3-pip
$ sudo apt update
$ sudo apt install python3 -y
$ sudo apt install python3-pip -y
Install Pillow (this guide pins version 8.0.1)
$ pip3 install Pillow==8.0.1
Then download and run the base script. It installs all the libraries and services CAPE needs.
$ wget https://raw.githubusercontent.com/doomedraven/Tools/master/Sandbox/cape2.sh
$ chmod a+x cape2.sh
$ sudo ./cape2.sh base cape
Figure 3: cape.sh running
Install MongoDB
$ sudo apt install -y mongodb
Step 3: Understand the configuration files
Before we start, we need to know what the important CAPE configuration files do.
Please read the documentation on the configuration files.
Figure 4: Configuration doc
Step 4.a: Preparing the Guest (Manual way)
I've prepared OVA files for the guest; the import steps are explained in section 4.b below.
Using VirtualBox (Option 1)
In this part, we need a Windows 7 ISO to set up the guest in our virtual machine. In our case we're going to use VirtualBox as our virtualization software. Run VirtualBox with sudo: VirtualBox registers VMs per user, and cuckoo.py is run with sudo later in this guide, so the VM has to be created by the same (root) user.
$ sudo apt update
$ sudo apt install virtualbox virtualbox-ext-pack -y
$ sudo virtualbox
Install Windows 7
Create VM
Figure 5: Create VM
Download any Windows 7 ISO and install Windows in VirtualBox.
Figure 6: Installing Windows 7
Using KVM (Option 2)
$ sudo apt update -y
$ sudo apt install qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils -y
$ sudo adduser $USER libvirt
$ sudo adduser $USER kvm
$ sudo systemctl enable --now libvirtd
$ sudo apt install virt-manager -y
$ sudo virt-manager
Follow VM installation here.
Install Python
Install Python 3.6 in the Windows 7 VM. Download here. Don't forget to tick "Add Python to PATH" in the installer.
Install Pillow
Next, open cmd and install Pillow using the command pip install Pillow==7.0. The agent uses it to take screenshots of the Windows desktop during the analysis.
Figure 7: Pillow installed
Install additional software
We might also want to install additional software such as browsers, PDF readers and office suites so that samples which depend on them run fully. Remember to disable the "auto-update" or "check for updates" feature of any software you add, otherwise the updater traffic ends up in every analysis. Here we will install:
1. Adobe Reader
2. Firefox
3. Office 2007
Disable UAC
Head into Control Panel and type UAC into the search box, or search from the Start menu. Then drag the slider all the way down to "Never notify".
Figure 8: Disabling UAC using GUI
Disable Firewall
Figure 9: Disabling Windows 7 firewall
Disable Windows Auto Update
Set the VM's network adapter to Host-only Adapter and choose vboxnet0.
Figure 11: Set to Host-Only
If vboxnet0 is not available, create one at File > Host Network Manager.
Configure the guest's network like below (the default gateway is the host's vboxnet0 address):
- IP address: 192.168.56.101
- Subnet mask: 255.255.255.0
- Default gateway: 192.168.56.1
- Preferred DNS server: 8.8.8.8
- Alternate DNS server: 8.8.4.4
Figure 13: Configure IP address
Make sure the guest (Win7) and the host (Ubuntu) can ping each other.
Figure 14: Host ping guest
Figure 15: Guest ping host
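As an added example (not from the original post or from CAPE itself), here is the same host-only network setup done from the Ubuntu terminal with VBoxManage instead of the GUI, with a small check that the chosen guest address really sits on the host-only subnet before anything is applied. The VM name Win7, the interface name vboxnet0 and the 192.168.56.0/24 addresses are assumptions taken from this guide.

```shell
#!/bin/sh
# Added example: host-only network setup for the CAPE guest via VBoxManage.
# Assumptions (from this guide): VM "Win7", interface "vboxnet0",
# host 192.168.56.1, guest 192.168.56.101, mask 255.255.255.0.
set -eu

# Bitwise AND of a dotted-quad address with a dotted-quad netmask
# (POSIX sh: split both on "." into the positional parameters).
ip_and_mask() {
    ip=$1; mask=$2
    oldifs=$IFS; IFS=.
    set -- $ip $mask
    IFS=$oldifs
    printf '%d.%d.%d.%d' $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8))
}

# Succeeds when host and guest share the subnet given by the mask, i.e. when
# the guest will be able to reach the ResultServer on the host side.
same_subnet() {
    [ "$(ip_and_mask "$1" "$3")" = "$(ip_and_mask "$2" "$3")" ]
}

# Creates vboxnet0 if missing, gives it the host address, and puts the VM's
# first NIC on it (host-only only: no NAT or bridged path for the sample).
# Run it as the user that owns the VM (with sudo, as VirtualBox was run above).
setup_hostonly() {
    vm=${1:-Win7}; ifname=${2:-vboxnet0}
    host_ip=192.168.56.1; guest_ip=192.168.56.101; mask=255.255.255.0

    if ! same_subnet "$host_ip" "$guest_ip" "$mask"; then
        echo "guest $guest_ip is not on the host-only subnet of $host_ip" >&2
        return 1
    fi
    if ! VBoxManage list hostonlyifs | grep -q "^Name: *${ifname}\$"; then
        VBoxManage hostonlyif create   # assumption: the first one is vboxnet0
    fi
    VBoxManage hostonlyif ipconfig "$ifname" --ip "$host_ip" --netmask "$mask"
    VBoxManage modifyvm "$vm" --nic1 hostonly --hostonlyadapter1 "$ifname"
    VBoxManage showvminfo "$vm" | grep '^NIC 1:'
}

# Usage on the host: sudo sh hostonly.sh --apply Win7 vboxnet0
if [ "${1:-}" = "--apply" ]; then
    setup_hostonly "${2:-Win7}" "${3:-vboxnet0}"
fi
```

After it runs, the ping test in Figures 14 and 15 should succeed from both sides; if the guest still cannot reach 192.168.56.1, check that the VM was created by the same user the script (and later cuckoo.py) runs as.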
Disable Noisy Network Services
1. Teredo
Open a command prompt as Administrator, and run:
netsh interface teredo set state disabled
2. Link-Local Multicast Name Resolution (LLMNR)
Open the Group Policy editor (gpedit.msc). Then navigate to Computer Configuration > Administrative Templates > Network > DNS Client, and open Turn off Multicast Name Resolution.
Set the policy to enabled.
Figure 16: Turn off MNR
3. Network Connectivity Status Indicator, Error Reporting, etc
Open the Group Policy editor again. Then navigate to Computer Configuration > Administrative Templates > System > Internet Communication Management, and open Restrict Internet Communication.
Set the policy to enabled.
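The guest settings above (UAC, firewall, automatic updates, Teredo, LLMNR and the static host-only address) are all reachable from an elevated command prompt as well, which is handy when the guest has to be rebuilt. The following is an added example, not part of the original post or of CAPE: it generates, on the Ubuntu host, a cape_guest_prep.cmd file to copy into the Windows 7 guest next to agent.py and run as Administrator. The registry values are the ones behind the listed Control Panel and Group Policy settings; the adapter name "Local Area Connection" and the addresses are assumptions from this guide, and the "Restrict Internet Communication" policy is left to the GUI step above.

```shell
#!/bin/sh
# Added example: emit a cmd script that applies the Windows 7 guest hardening
# steps from this guide non-interactively. Assumed adapter name and addresses
# are from the guide; override the adapter as the second argument.
set -eu

write_guest_prep() {
    out=${1:-cape_guest_prep.cmd}
    adapter=${2:-Local Area Connection}
    # CRLF line endings so cmd.exe on Windows 7 reads the file cleanly.
    awk '{ printf "%s\r\n", $0 }' >"$out" <<EOF
@echo off
rem Disable UAC (policy value behind the "Never notify" slider; needs a reboot)
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
rem Disable Windows Firewall for every profile
netsh advfirewall set allprofiles state off
rem Stop Windows Update and switch automatic updates off by policy
sc config wuauserv start= disabled
net stop wuauserv
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /t REG_DWORD /d 1 /f
rem Noisy network services: Teredo and LLMNR ("Turn off Multicast Name Resolution")
netsh interface teredo set state disabled
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f
rem Static host-only address; the gateway is the Ubuntu host's vboxnet0 address
netsh interface ip set address "$adapter" static 192.168.56.101 255.255.255.0 192.168.56.1
netsh interface ip set dns "$adapter" static 8.8.8.8
netsh interface ip add dns "$adapter" 8.8.4.4 index=2
rem Confirm the host answers before the snapshot is taken
ping -n 2 192.168.56.1
EOF
    printf '%s\n' "$out"
}

# Number of commands the generated script will run (comments and blanks excluded).
guest_prep_command_count() {
    grep -c -v -e '^rem' -e '^@echo' -e '^[[:space:]]*$' "$1"
}

# Usage on the host: sh guest_prep.sh --write /tmp/cape_guest_prep.cmd "Local Area Connection"
if [ "${1:-}" = "--write" ]; then
    write_guest_prep "${2:-cape_guest_prep.cmd}" "${3:-Local Area Connection}"
fi
```

Copy the generated file in together with agent.py, run it from an elevated prompt, reboot once so the UAC change takes effect, and only then start agent.py and take the snapshot; a snapshot taken before the reboot would keep UAC enabled.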
Install and run the Agent
Download the agent here and copy the file into the Win7 VM.
Running agent.py (double-click it) launches the HTTP server that listens for connections from CAPE.
If you want the script to launch at Windows boot, place the file in the Startup folder. The All Users startup folder is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.
Take VM snapshot
After starting agent.py and minimizing it, create a snapshot named "Snapshot1".
Figure 18: Take a snapshot
Step 4.b: Preparing the guest using pre-built VM
Download the OVA files here. This bz2-compressed archive contains both a Win10 and a Win7 guest.
After extracting the files, import the OVAs with the vboxmanage command on your Ubuntu host (run it with sudo if you run VirtualBox with sudo, as in 4.a, so the VMs land in the same user's registry):
$ vboxmanage import Win10.ova
$ vboxmanage import Win7.ova
If vboxnet0 is not available, create one at File > Host Network Manager.
Open the VM and run agent.py, which resides in the user's Downloads folder.
Create a snapshot and name it "snapshot1". This name is used in the configuration explained in the next section and must match exactly.
Cuckoo Configurations
Don't forget to read the configuration documentation to understand the settings, as yours may differ from mine. Important files to be configured in /opt/CAPEv2/conf:
- cuckoo.conf
- auxiliary.conf: configure to your own requirements
- virtualbox.conf: change the label, ip and snapshot name so they match the VM and snapshot created in step 4
- memory.conf
- reporting.conf: configure to your own requirements
- web.conf
Run Cuckoo and Webserver
Run cuckoo
$ cd /opt/CAPEv2/utils
$ sudo python3 community.py -cr
$ sudo pip3 install -U git+https://github.com/CAPESandbox/httpreplay
$ cd /opt/CAPEv2/
$ sudo python3 cuckoo.py
For the web interface, in a new terminal tab, run these commands:
$ cd /opt/CAPEv2/web
$ sudo python3 manage.py migrate
$ sudo python3 manage.py runserver 0.0.0.0:8080
Submission
Download a malware sample from the internet and submit it through the dashboard.
Figure 25: CAPE analyzing our WannaCry sample
Figure 26: WannaCry infected our VM analysis
Figure 27: Analysis completed
Solving error
If cuckoo.py stops with a CuckooCriticalError about the ResultServer, as in the figure below:
Figure 28: CuckooCriticalError
- Open VirtualBox
- Run the analysis VM
- Shut down the VM and restore it to its last snapshot
- Run the CAPE script again: sudo python3 cuckoo.py
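The values in virtualbox.conf (label, ip, snapshot) have to agree with what VirtualBox really has, and the ResultServer error above is usually what a mismatch or a VM left in the wrong state looks like. As an added example (not from the original post or from CAPE), the script below reads those values out of the conf file, checks them against VBoxManage before cuckoo.py is started, and can put the VM back on its snapshot, which is the manual fix listed above in command form. The section name cuckoo1 and the machines/label/ip/snapshot option names are assumptions based on the stock layout of virtualbox.conf in this guide's CAPE checkout; the sample conf embedded in the script is constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check /opt/CAPEv2/conf/virtualbox.conf against
# VirtualBox and restore the analysis VM to its snapshot.
# Assumed conf layout: [virtualbox] machines = cuckoo1 ; [cuckoo1] label/ip/snapshot.
set -eu

# conf_get FILE SECTION KEY -> value (empty if absent). Plain awk, no python.
conf_get() {
    awk -F'=' -v s="[$2]" -v k="$3" '
        $0 == s { in_s = 1; next }
        /^\[/   { in_s = 0 }
        in_s && $1 ~ ("^[ \t]*" k "[ \t]*$") {
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# Machine sections listed in the "machines" key, one per line.
conf_machines() {
    conf_get "$1" virtualbox machines | tr ',' '\n' | sed 's/[[:space:]]//g'
}

# For every machine: the VM must be registered for this user and the snapshot
# must exist; the guest IP is pinged as a hint only (it is down between runs).
check_machines() {
    conf=${1:-/opt/CAPEv2/conf/virtualbox.conf}
    for m in $(conf_machines "$conf"); do
        label=$(conf_get "$conf" "$m" label)
        snap=$(conf_get "$conf" "$m" snapshot)
        ip=$(conf_get "$conf" "$m" ip)
        if ! VBoxManage showvminfo "$label" >/dev/null 2>&1; then
            echo "[$m] VM '$label' not registered for this user (run as the user that created it, e.g. with sudo)" >&2
            return 1
        fi
        if ! VBoxManage snapshot "$label" list 2>/dev/null | grep -q "Name: ${snap} "; then
            echo "[$m] snapshot '$snap' not found on VM '$label' (names are case-sensitive)" >&2
            return 1
        fi
        if ping -c 1 -W 2 "$ip" >/dev/null 2>&1; then
            echo "[$m] ok: label=$label snapshot=$snap ip=$ip"
        else
            echo "[$m] label/snapshot ok, $ip did not answer (fine if the VM is off; otherwise recheck the guest's static IP)" >&2
        fi
    done
}

# Power the VM off and return it to the configured snapshot.
restore_machine() {
    conf=${1:-/opt/CAPEv2/conf/virtualbox.conf}; m=${2:-cuckoo1}
    label=$(conf_get "$conf" "$m" label)
    snap=$(conf_get "$conf" "$m" snapshot)
    VBoxManage controlvm "$label" poweroff 2>/dev/null || true   # already off is fine
    VBoxManage snapshot "$label" restore "$snap"
}

# Constructed sample conf (assumed layout) used to exercise the parser offline.
write_sample_conf() {
    out=${1:-$(mktemp)}
    cat >"$out" <<'EOF'
[virtualbox]
mode = gui
path = /usr/bin/VBoxManage
interface = vboxnet0
machines = cuckoo1, win10

[cuckoo1]
label = Win7
platform = windows
ip = 192.168.56.101
snapshot = Snapshot1

[win10]
label = Win10
platform = windows
ip = 192.168.56.102
snapshot = snapshot1
EOF
    printf '%s\n' "$out"
}

# Usage: sudo sh capecheck.sh --check          (before sudo python3 cuckoo.py)
#        sudo sh capecheck.sh --restore cuckoo1 (the manual fix from above)
case "${1:-}" in
    --check)   check_machines "${2:-/opt/CAPEv2/conf/virtualbox.conf}" ;;
    --restore) restore_machine /opt/CAPEv2/conf/virtualbox.conf "${2:-cuckoo1}" ;;
esac
```

Run the check with the same sudo you use for cuckoo.py; a VM that shows up in the VirtualBox GUI of your normal user but fails the "not registered" check is exactly the per-user mismatch that produces the ResultServer error.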
Sources: