- Pyattck v3.0.1 support
- If you are using an alternative location to `/opt/CAPEv2` and want to use MITRE TTPs, the next action is required: you need to update the value of `data_path` in the config `data/mitre/config.yml`
- Move MITRE ATT&CK from a tab to a collapsible table after signatures
- Allow passing a search pattern in the url: `analysis/search/detections:<family>/`
- Add an example of how to add custom auth, see `web/web/middleware.py`
- New dependency `ujson`
- REQUIRED ACTION: -> `pip3 install ujson -U`
- Default 5/m, it can be changed using Django Admin in the user profile. ratelimit is deprecated
- This was done with huge help from those writeups
- REQUIRED ACTION: -> `cd web && python3 manage.py migrate`
- Allow enabling/disabling all new users, to activate them by hand
- Disable new users after email verification if `manual_approve` is set in `conf/web.conf`
- REQUIRED ACTION: -> `pip3 install django-extensions`
- ToDo: pass a yara file to exec yarascan
- Thanks to Xabier Ugarte-Pedrero and dadokkio for their work
- `pip3 install volatility3`, then check `conf/processing.conf` -> `[memory]` and `conf/memory.conf` for the plugins
- You will need to download symbols, see the volatility3 readme for details
- ratelimit 4 upgrade -> `pip3 install django-ratelimit -U`
- Link task to user_id, to be able to ban spammers and bad users
- REQUIRED ACTION: -> `cd /opt/CAPEv2/utils/db_migration && alembic upgrade head`
- Instead of Volatility3 integration planned for today you got this, thanks spammers
- If registration is enabled, allow manual approval of users and set them inactive by default
- APIv2 - Django REST Framework + Token AUTH
- just replace `/api/` with `/apiv2/` in your urls
- The current API will be removed in the future, so move toward the new one
- Updated API documentation
- New dependency: `pip3 install djangorestframework`
- REQUIRED ACTION: -> `cd /opt/CAPEv2/web/ && python3 manage.py migrate && python3 manage.py collectstatic`
- To enable it see `[registration]` in `web.conf`
- A list of domains can be placed in `data/safelist/disposable_domain_list.txt`
- Allow enabling ReCaptcha for user registration to avoid bots
- Integrated stopforumspam domain list
- Enable JA3 fingerprints in Suricata: `sudo sed -i 's|#ja3-fingerprints: auto|ja3-fingerprints: yes|g' /etc/suricata/suricata.yaml && sudo systemctl restart suricata`
- TLSH hashing - Trend Micro Locality Sensitive Hash
- sha3-384
[14-01-2021] Headers Quality
- Content Security Policy - writeup
- 2FA for Django Admin
- New dependency: `pip3 install django-otp qrcode`
- REQUIRED ACTION: -> `cd /opt/CAPEv2/web/ && python3 manage.py migrate`, otherwise you will get `no such table: otp_totp_totpdevice`
- Added bootstrap-social to simplify sign-in button integration
- Move SSO providers config from `web/web/settings.py` to `web/web/local_settings.py`; `[oauth]` added to `conf/web.conf` for future on/off of the buttons
- New dependency: `pip3 install django-settings-export`
- Add Web signup/SSO, email verification - more details - an amazing writeup was used for the integration
- ReCaptcha protected admin
- New dependencies -> `pip3 install django-allauth django-recaptcha==2.0.6 django-crispy-forms git+https://github.com/CAPESandbox/httpreplay.git`
- REQUIRED ACTION: -> `cd /opt/CAPEv2/web/ && python3 manage.py migrate`, otherwise you will get `No such table as django_site`; then `python3 manage.py collectstatic` to enable the Django admin css, which requires setting `STATIC_ROOT` in `web/web/local_settings.py`
- Allow downloading http(s) Request/Response and a 48-byte hex preview of the Response
- `auth_only` in api.conf to allow only apikey/authenticated users to hit the REST API
- YARA integrated into capemon, this allows bypassing anti-* techniques, aka capemon scripting, more here
- Docs and more anti bypasses and examples coming soon
- TLS decrypt integration, huge thanks to the Hatching team for releasing their code. WebGUI integration isn't finished yet, but you can already see https requests there
- Safelists moved from network.py to `data/safelist/{domains,ips}.py`
- Add unique submission limitation, can be enabled in `conf/web.conf` to disable the same submission during X hours
- Bingraph, FLARE CAPA, vba2graph on demand
- Added `on_demand` feature. These functions aim to speed up processing while allowing the user to generate parts of the analysis that take some time to finish and are not used frequently. Example: scripted submissions
- Malduck integration
- Bootstrap 4.5.3 & Font Awesome 5
- Statistics
- Tag_tasks - allows you to tag your jobs
- `self.pefiles`: introduced to processing/signature modules, you can get a PEFILE object by sha256: `self.pefiles.get(sha256)`
- Pending page is now much more useful and shows hashes to easily spot duplicates
- Submission of a file or resubmission will show all the jobs and detections for that file
- FLARE capa integrated under the static tab for the original binary, procdump and CAPE (should be enabled in processing.conf). Rules can be pulled from community, but we will leave it community driven to sync them. So you can copy them from https://github.com/fireeye/capa-rules and place them under `data/flare-capa`
- More soon ;)
- `utils/cleaners.py` option `--delete-older-than-days` moved to bulk removal 10 at a time, to improve performance and decrease IO
- cape.py rewrite, so it affects `api/tasks/get/config/`: before it was a list of configs and each had `cape_name`, now it's like `[{malware_family:{config}}]`
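A client-side migration helper for the two API changes above (the `/api/` to `/apiv2/` rename with token auth, and the new config list shape), as an added example that is not CAPE's own code; the response shapes are assumed from this changelog's description, and `cape.local`, the token and the sample configs are constructed.

```python
# Added example, not CAPE's own code: client-side helpers for two API changes
# in this changelog. Assumed response shapes (from the changelog text): the old
# /api/tasks/get/config/ result was a list of config dicts each with a
# "cape_name" key; the new one is a list of {malware_family: {config}} dicts.
# "Authorization: Token <key>" is Django REST Framework's TokenAuthentication header.
from typing import Any, Dict, List
from urllib.parse import urlsplit, urlunsplit


def to_apiv2(url: str) -> str:
    """Rewrite the leading /api/ path segment to /apiv2/, keeping host and query."""
    parts = urlsplit(url)
    path = parts.path
    if path == "/api" or path.startswith("/api/"):
        path = "/apiv2" + path[len("/api"):]
    return urlunsplit(parts._replace(path=path))


def token_headers(token: str) -> Dict[str, str]:
    """Request headers for the APIv2 token auth scheme."""
    return {"Authorization": f"Token {token}"}


def normalise_configs(payload: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Return {family: config} from either the old or the new config list shape."""
    out: Dict[str, Dict[str, Any]] = {}
    for entry in payload:
        if "cape_name" in entry:
            # old shape: family name sits inside the config under "cape_name"
            family = str(entry["cape_name"])
            out[family] = {k: v for k, v in entry.items() if k != "cape_name"}
        elif len(entry) == 1:
            # new shape: a single family key wraps the whole config
            family, cfg = next(iter(entry.items()))
            out[str(family)] = dict(cfg)
        else:
            raise ValueError(f"unrecognised config entry: {entry!r}")
    return out


# Constructed sample responses (not real CAPE output); 203.0.113.0/24 is a documentation range.
OLD_RESPONSE = [{"cape_name": "ExampleFamily", "c2": ["203.0.113.5:443"]}]
NEW_RESPONSE = [{"ExampleFamily": {"c2": ["203.0.113.5:443"]}}]

if __name__ == "__main__":
    print(to_apiv2("http://cape.local/api/tasks/get/config/1/"))
    assert normalise_configs(OLD_RESPONSE) == normalise_configs(NEW_RESPONSE)
    print(normalise_configs(NEW_RESPONSE))
```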
- static config extraction lookup in the database before scanning the file with yara and extracting
- resubmit added to CAPE/procdump tabs
- Huge code unification and cleanup between `submission/views.py` and `api/views.py`
- Improve error messages on bulk submission for failed samples/hashes
- Physical machinery updated by @hariomenkel, you can read details in his writeup
- Static extraction fix, thanks for testing it @nikhilh-20
- Static endpoint now will return the config apart from the task id
- Create zip files in memory (requires pyzipper) instead of using 7z and writing them to a temp folder
- Simplified parsing of arguments between submission/api views
- Created docs on how to test `Curtain` and `Suricata`
- Static extraction api added
- Curtain module updated
- Code cleanup
- Massive useless IO improved: read config once instead of on each file submit
- Added ability to enable/disable some 3rd-party services for malware detection, like VirusTotal, ClamAV, Suricata
- Enable ratelimit on downloading any file, to avoid scraping; to change limits, edit `api.conf` -> `download_file`
- Error message for ratelimit can be configured in `web/web/settings.py`
- Fixed a lot of bugs/typos, thanks Flake8 + GitHub Actions :)
- Update suricata socket path in processing.conf as in cape2.sh from `/var/run/` to `/tmp/`
- Fix pebble pool restart on timeout
- Zip package reintroduced, but it should only be used with option `file=X` when we need to side-load files
- Scan extracted macros with yara from the macro/CAPE folder
- Show the url from where the file was downloaded when using Download'n'Exec
- Zip package is deprecated as it doesn't support AES etc.; to upload with side files use file=X and submit in a zip archive, for the rest you have sflock <3
- Restore original dump file, don't dump immediately
- CAPE tab now also loaded via ajax request
- Extended api search changed: now instead of returning only ids, it returns some basic info, such as detection, etc.
- Rewrite /api/ ratelimit implementation to allow unlimited api for existing users (htpasswd), just set username and password as GET/POST arguments
- XLMMacroDeobfuscator from @DissectMalware integrated
- Yara is now compiled once at processing start or reprocessing
- pyattck upgrade to >= 2.0.2
- moved many files from `/data/` to community -> `python3 utils/community.py -h`
- Behavior data/tab is now loaded via ajax request, to speed up the webgui
- Add parent sample details to analysis
- Add Yara author to webgui, useful when a yara name overlaps with a private yara
- All non-core yara moved to community repo
- Dark theme is default now, to set the old one just do:
  - Backup current: `cp /opt/CAPEv2/web/templates/header.html /opt/CAPEv2/web/templates/header-dark.html`
  - Set old theme: `cp /opt/CAPEv2/web/templates/header-light.html /opt/CAPEv2/web/templates/header.html`
- TLP implemented for analysis, thanks @enzok
- /configdownload/ is moved to /api/tasks/get/config/<task_id>/ or /api/tasks/get/config/<task_id>/Family/
- Anti-api-spamming feature in monitor
- webgui optimizations (mongo queries improved a lot), thanks MongoDB University for the free courses :)
- CAPE 2.1 ;)
- A lot of small bug fixes, code cleanup, gui fixes, and monitor improvements
- Now instead of "None matched" we just hide the field
- All VMs are now disabled on submission, you need to enable them in web.conf
- To submit a ZIP file for analysis you need to specify the zip package, otherwise it will be extracted
- Big update of suricata name extraction/detection
- malscore now is off by default, can be enabled in conf/reporting.conf
- MalFamily renamed to detections
- community.py reintroduced to simplify everything
- now all signatures and non-core modules are moved to a specific repo, please see `python3 utils/community.py -h`
- SIGHUP handling to stop submitting tasks and stop cuckoo.py, useful when you need to reload it without breaking running jobs: `pgrep -f "python3 cuckoo.py" | xargs kill -HUP`
- Add qemu.py with support for x64/x86/MIPS/MIPSEL/ARM/ARMWRT/ARM64/PowerPC/PowerPC64/Sparc/Sparc64
- Basic linux integration is done thanks to @enzok
- Bson data compression to remove api spamming, details, thanks @mabj
- Many bug fixes in cleaners.py, thanks @Enzok
- Fix local_settings
- move all-in-1 dlls, example option to capemon: combo=1,extraction=1,injection=1,compression=1
- Fix ratelimit enabled/disabled in /api/
- Agent now by default sets output to StringIO to make it work with pythonw without extra args
- Screenshot deduplication algorithm is configurable now and default set to ahash, pr #10, thanks @wmetcalf
- Fixed pythonw compatibility problem, pr #7, thanks @wmetcalf
- Pillow 7 compatible, pr #9, thanks @wmetcalf
- Upgrade ClamAV support, pr #11, thanks @wmetcalf
- All cleaners from cuckoo.py and some from the utils folder are moved to a single file utils/cleaners.py, see -h, @doomedraven
- distributed CAPE documentation updated
- m2crypto+swig replaced with cryptography library
- CAPEv2 is Python3 based
- Django 3 tested
- ASGI support - async "wsgi"
- All found memleaks fixed
- A lot of code improved and bug fixed
- Malware parsers/extractors moved to use upstream libraries instead of including them in the project, to simplify maintenance and bug fixes
- User experience improved
- Still might contain some bugs, so please let us know if you see any
- Thanks NaxoneZ for all your bug reports and hard testing <3