
CAPE sandbox for malware analysis

How to set up CAPE sandbox

Prerequisites

Set the CPU type of the Proxmox VM that will host CAPE to ‘host’, so the virtualization extensions are passed through and KVM can run nested inside it

Ubuntu 24.04.2

CAPE Installation

Installing VNC clipboard for proxmox

#run on the Proxmox host; gives the CAPE VM a shared clipboard in the noVNC console
ssh root@<ip of proxmox server>
qm set <vm id> -vga std,clipboard=vnc

Installing KVM

wget https://github.com/kevoreilly/CAPEv2/raw/refs/heads/master/installer/kvm-qemu.sh
sudo chmod a+x kvm-qemu.sh
#read the header of the script before running it: it asks you to replace its <WOOT>
#placeholders with strings of your own, which become the identifiers baked into the
#patched QEMU build
sudo ./kvm-qemu.sh all <username> | tee kvm-qemu.log

sudo systemctl reboot

Installing CAPE

wget https://github.com/kevoreilly/CAPEv2/raw/refs/heads/master/installer/cape2.sh
sudo chmod a+x cape2.sh
#installs CAPE to /opt/CAPEv2, creates the 'cape' user and the systemd units
sudo ./cape2.sh base cape | tee cape.log

sudo systemctl reboot

Installing Virtual Machine Manager

sudo ./kvm-qemu.sh virtmanager <username> | tee kvm-qemu-virt-manager.log

sudo systemctl reboot

Installing dependencies

cd /opt/CAPEv2
#run poetry as the cape user (the account the CAPE services run under) so the
#virtualenv is created for it and not for your login user
sudo -u cape /etc/poetry/bin/poetry install
sudo -u cape /etc/poetry/bin/poetry env list
sudo -u cape /etc/poetry/bin/poetry run extra/libvirt_installer.sh

Installing MongoDB

sudo apt-get install gnupg curl

curl -fsSL https://www.mongodb.org/static/pgp/server-8.0.asc | \
   sudo gpg -o /usr/share/keyrings/mongodb-server-8.0.gpg \
   --dearmor

echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-8.0.gpg ] https://repo.mongodb.org/apt/ubuntu noble/mongodb-org/8.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-8.0.list

sudo apt-get update
sudo apt-get install -y mongodb-org
sudo systemctl daemon-reload
sudo systemctl enable mongod
sudo systemctl start mongod

#reports only land in MongoDB (and therefore in the web UI) if [mongodb] enabled = yes
#is set in /opt/CAPEv2/conf/reporting.conf

Editing config files

cuckoo.conf

cd /opt/CAPEv2/conf
sudo nano cuckoo.conf

#These are the fields to edit

#under [cuckoo]
memory_dump = yes
allow_static = yes
freespace = 1000

#under [resultserver]
#the address the guests send their results to: the host's own address on the
#libvirt 'default' bridge (virbr0), 192.168.122.1 unless you changed the network
ip = 192.168.122.1

kvm.conf

sudo nano kvm.conf

#These are the fields to edit

#under [kvm]
machines = win10_1

#rename the sample [cuckoo1] machine section to [win10_1]; the section name must
#match the entry in 'machines', and 'label' must be the exact libvirt domain name
[win10_1]
label = win10_1
ip = 192.168.122.3
arch = x64
snapshot = clean-agent

Setting up Windows 10 VM

https://youtu.be/ZRrk2QRN7Lc?t=265 Stop at 7:30

Note: Remember to change VM name to ‘win10_1’ from ‘win10’

Testing the tool

Creating a snapshot

#take the snapshot while the VM is running and the CAPE agent is already listening
#inside it (it serves HTTP on TCP 8000 of the guest, so 'curl http://192.168.122.3:8000/'
#from the host should answer first); CAPE reverts to this snapshot before every
#analysis and expects the agent to be up
sudo virsh snapshot-create-as win10_1 clean-agent "Snapshot before running malware"

Start CAPE

#if cape.service (installed by cape2.sh) is already running, stop it first so two
#schedulers do not compete for the same machines
sudo -u cape /etc/poetry/bin/poetry run python3 cuckoo.py

#the web UI on 127.0.0.1:8000 is served by cape-web.service, not by cuckoo.py
#Go to 127.0.0.1:8000

KVM spoofing (anti-vm detection)

References for the changes below:
https://github.com/zhaodice/qemu-anti-detection
https://github.com/A1exxander/KVM-Spoofing
https://medium.com/@rizqisetyokus/capev2-installation-and-configuration-on-ubuntu-desktop-24-04-2-beca4f7693a1

Default XML config

<domain type="kvm">
  <name>win10</name>
  <uuid>dc7ec3f8-afeb-4a15-868b-61b8cec22a09</uuid>
  <metadata>
    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
      <libosinfo:os id="http://microsoft.com/win/10"/>
    </libosinfo:libosinfo>
  </metadata>
  <memory>4194304</memory>
  <currentMemory>4194304</currentMemory>
  <vcpu>2</vcpu>
  <os>
    <type arch="x86_64" machine="q35">hvm</type>
    <boot dev="hd"/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <hyperv>
      <relaxed state="on"/>
      <vapic state="on"/>
      <spinlocks state="on" retries="8191"/>
      <vpindex state="on"/>
      <runtime state="on"/>
      <synic state="on"/>
      <stimer state="on"/>
      <frequencies state="on"/>
      <tlbflush state="on"/>
      <ipi state="on"/>
      <evmcs state="on"/>
      <avic state="on"/>
    </hyperv>
    <vmport state="off"/>
  </features>
  <cpu mode="host-passthrough"/>
  <clock offset="localtime">
    <timer name="rtc" tickpolicy="catchup"/>
    <timer name="pit" tickpolicy="delay"/>
    <timer name="hpet" present="no"/>
    <timer name="hypervclock" present="yes"/>
  </clock>
  <pm>
    <suspend-to-mem enabled="no"/>
    <suspend-to-disk enabled="no"/>
  </pm>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type="file" device="disk">
      <driver name="qemu" type="qcow2"/>
      <source file="/home/ubuntung3/Downloads/win10_1.qcow2"/>
      <target dev="sda" bus="sata"/>
    </disk>
    <controller type="usb" model="qemu-xhci" ports="15"/>
    <controller type="pci" model="pcie-root"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <controller type="pci" model="pcie-root-port"/>
    <interface type="network">
      <source network="default"/>
      <mac address="52:54:00:06:0c:92"/>
      <model type="e1000e"/>
    </interface>
    <console type="pty"/>
    <channel type="spicevmc">
      <target type="virtio" name="com.redhat.spice.0"/>
    </channel>
    <input type="tablet" bus="usb"/>
    <graphics type="spice" port="-1" tlsPort="-1" autoport="yes">
      <image compression="off"/>
    </graphics>
    <sound model="ich9"/>
    <video>
      <model type="qxl"/>
    </video>
    <redirdev bus="usb" type="spicevmc"/>
    <redirdev bus="usb" type="spicevmc"/>
  </devices>
</domain>

XML config after

Apply it with ‘sudo virsh edit win10_1’. The xmlns:qemu declaration on the root element is required for the <qemu:commandline> block; libvirt rejects the definition without it. The changes that matter for evasion: <kvm><hidden state="on"/></kvm> and the disabled ‘hypervisor’ CPU feature hide the KVM CPUID signature and the hypervisor-present bit, the Hyper-V vendor_id replaces the default "Microsoft Hv" string, and the -smbios arguments overwrite the QEMU "Standard PC" firmware strings that most sandbox checks read. Two caveats. The spoofed values were copied from the references above and are not mutually consistent (CPUID model 158 is Kaby Lake, while the model_id and SMBIOS strings claim an i9-12900K, which is Alder Lake), so pick one real machine and keep every string consistent with it, because VM-aware samples cross-check them. This definition also drops the fixed <mac address>, so libvirt generates a new one at define time; read it back with ‘sudo virsh domiflist win10_1’ before writing the static DHCP leases further down.

<domain xmlns:qemu="http://libvirt.org/schemas/domain/qemu/1.0" type="kvm">
  <name>win10_1</name>
  <uuid>1a5f3b20-a34c-4e41-a340-2dfe660ebc8c</uuid>
  <metadata>
    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
      <libosinfo:os id="http://microsoft.com/win/10"/>
    </libosinfo:libosinfo>
  </metadata>
  <memory unit="KiB">4194304</memory>
  <currentMemory unit="KiB">4194304</currentMemory>
  <memoryBacking>
    <source type="memfd"/>
    <access mode="shared"/>
  </memoryBacking>
  <vcpu>2</vcpu>
  <os>
    <type arch="x86_64" machine="q35">hvm</type>
    <boot dev="hd"/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <hyperv mode="custom">
      <relaxed state="on"/>
      <vapic state="on"/>
      <spinlocks state="on" retries="8191"/>
      <vendor_id state="on" value="GenuineIntel"/>
    </hyperv>
    <kvm>
      <hidden state="on"/>
    </kvm>
    <vmport state="off"/>
    <smm state="on"/>
    <ioapic driver="kvm"/>
  </features>
  <cpu mode="host-passthrough" check="none" migratable="on">
    <feature policy="disable" name="hypervisor"/>
  </cpu>
  <clock offset="localtime">
    <timer name="rtc" tickpolicy="catchup"/>
    <timer name="pit" tickpolicy="delay"/>
    <timer name="hpet" present="no"/>
    <timer name="hypervclock" present="yes"/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled="no"/>
    <suspend-to-disk enabled="no"/>
  </pm>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type="file" device="disk">
      <driver name="qemu" type="qcow2"/>
      <source file="/home/ubuntung3/Downloads/win10_1.qcow2"/>
      <target dev="sda" bus="sata"/>
    </disk>
    <controller type="usb" model="qemu-xhci" ports="15"/>
    <interface type="network">
      <source network="default"/>
      <model type="e1000e"/>
    </interface>
    <input type="tablet" bus="usb"/>
    <graphics type="spice" autoport="yes">
      <image compression="off"/>
    </graphics>
    <video>
      <model type="qxl"/>
    </video>
  </devices>
  <qemu:commandline>
    <qemu:arg value="-smbios"/>
    <qemu:arg value="type=0,version=UX305UA.201"/>
    <qemu:arg value="-smbios"/>
    <qemu:arg value="type=1,manufacturer=ASUS,product=UX305UA,version=2021.1"/>
    <qemu:arg value="-smbios"/>
    <qemu:arg value="type=2,manufacturer=Intel,version=2021.5,product=Intel i9-12900K"/>
    <qemu:arg value="-smbios"/>
    <qemu:arg value="type=3,manufacturer=XBZJ"/>
    <qemu:arg value="-smbios"/>
    <qemu:arg value="type=17,manufacturer=KINGSTON,loc_pfx=DDR5,speed=4800,serial=000000,part=0000"/>
    <qemu:arg value="-smbios"/>
    <qemu:arg value="type=4,manufacturer=Intel,max-speed=4800,current-speed=4800"/>
    <qemu:arg value="-cpu"/>
    <qemu:arg value="host,family=6,model=158,stepping=2,model_id=Intel(R) Core(TM) i9-12900K CPU @ 2.60GHz,vmware-cpuid-freq=false,enforce=false,host-phys-bits=true,hypervisor=off"/>
    <qemu:arg value="-machine"/>
    <qemu:arg value="q35,kernel_irqchip=on"/>
  </qemu:commandline>
</domain>
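Added example (not code from the original post or from CAPE): a small Python audit that parses a saved domain definition (for instance the output of ‘sudo virsh dumpxml win10_1 > win10_1.xml’) and reports which of the anti-detection settings above are actually in effect, and whether a fixed MAC exists for the static DHCP lease. The two embedded definitions are constructed, trimmed copies of the XML on this page; the check names and the file name in the usage comment are mine.

```python
"""Audit a libvirt domain XML for the anti-VM-detection settings discussed above.

Added example (not CAPE's or the post's code). The two sample definitions are
constructed, trimmed copies of the XML on this page; check names are this script's.
"""
import sys
import xml.etree.ElementTree as ET

QEMU_NS = "{http://libvirt.org/schemas/domain/qemu/1.0}"

# Constructed sample: the detection-relevant parts of the "after" definition.
SAMPLE_SPOOFED = """<domain xmlns:qemu="http://libvirt.org/schemas/domain/qemu/1.0" type="kvm">
  <name>win10_1</name>
  <features>
    <hyperv mode="custom"><vendor_id state="on" value="GenuineIntel"/></hyperv>
    <kvm><hidden state="on"/></kvm>
  </features>
  <cpu mode="host-passthrough"><feature policy="disable" name="hypervisor"/></cpu>
  <devices>
    <interface type="network"><source network="default"/><model type="e1000e"/></interface>
  </devices>
  <qemu:commandline>
    <qemu:arg value="-smbios"/><qemu:arg value="type=0,version=UX305UA.201"/>
    <qemu:arg value="-smbios"/><qemu:arg value="type=1,manufacturer=ASUS,product=UX305UA"/>
    <qemu:arg value="-cpu"/><qemu:arg value="host,family=6,model=158,hypervisor=off"/>
  </qemu:commandline>
</domain>"""

# Constructed sample: the same parts of the stock virt-manager definition.
SAMPLE_DEFAULT = """<domain type="kvm">
  <name>win10</name>
  <features><acpi/><apic/><hyperv><relaxed state="on"/></hyperv></features>
  <cpu mode="host-passthrough"/>
  <devices>
    <interface type="network"><source network="default"/>
      <mac address="52:54:00:06:0c:92"/><model type="e1000e"/></interface>
  </devices>
</domain>"""


def audit_domain_xml(xml_text: str) -> dict:
    """Extract the settings a VM-aware sample would probe from a domain definition."""
    root = ET.fromstring(xml_text)
    hidden = root.find("features/kvm/hidden")
    vendor = root.find("features/hyperv/vendor_id")
    mac = root.find("devices/interface/mac")
    # <qemu:arg> values come as flag/value pairs; pair each flag with the value after it.
    args = [a.get("value", "") for a in root.findall(f"{QEMU_NS}commandline/{QEMU_NS}arg")]
    pairs = list(zip(args, args[1:]))
    smbios_types = sorted(
        int(v.split("type=", 1)[1].split(",", 1)[0])
        for flag, v in pairs if flag == "-smbios" and v.startswith("type=")
    )
    cpu_overrides = [v for flag, v in pairs if flag == "-cpu"]
    return {
        "name": root.findtext("name"),
        # <kvm><hidden state="on"/> drops the KVM signature from CPUID leaf 0x40000000
        "kvm_hidden": hidden is not None and hidden.get("state") == "on",
        # policy="disable" on 'hypervisor' clears the hypervisor-present bit, CPUID.1:ECX[31]
        "hypervisor_bit_disabled": any(
            f.get("name") == "hypervisor" and f.get("policy") == "disable"
            for f in root.findall("cpu/feature")
        ),
        "hyperv_enabled": root.find("features/hyperv") is not None,
        # libvirt's default Hyper-V vendor string is "Microsoft Hv"
        "hyperv_vendor_id": vendor.get("value")
        if vendor is not None and vendor.get("state") == "on" else None,
        "smbios_types": smbios_types,
        "cpu_override": cpu_overrides[-1] if cpu_overrides else None,  # last -cpu wins
        "mac": mac.get("address") if mac is not None else None,
    }


def warnings_for(audit: dict) -> list[str]:
    """List what is still visible to the guest, given an audit result."""
    warn = []
    if not audit["kvm_hidden"]:
        warn.append("KVM CPUID signature exposed: add <kvm><hidden state='on'/></kvm>")
    if not audit["hypervisor_bit_disabled"]:
        warn.append("hypervisor-present CPUID bit set: disable the 'hypervisor' cpu feature")
    if audit["hyperv_enabled"] and audit["hyperv_vendor_id"] is None:
        warn.append("Hyper-V enlightenments on with the default 'Microsoft Hv' vendor_id")
    for t in (0, 1):  # BIOS (type 0) and System (type 1) tables are what most checks read
        if t not in audit["smbios_types"]:
            warn.append(f"no -smbios type={t} override: QEMU default strings remain")
    if audit["mac"] is None:
        warn.append("no fixed <mac address>: libvirt assigns one at define time; read it "
                    "with 'virsh domiflist' before writing the static DHCP lease")
    return warn


if __name__ == "__main__":
    # usage: python3 audit_domain.py win10_1.xml  (no arguments: audit the embedded samples)
    texts = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_DEFAULT, SAMPLE_SPOOFED]
    for text in texts:
        result = audit_domain_xml(text)
        print(result["name"], result)
        for w in warnings_for(result):
            print("  WARN:", w)
```

Run it against the dumped XML after every ‘virsh edit’: libvirt rewrites the definition on save, and a dropped namespace or a mistyped element silently removes a setting rather than failing loudly.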

Cloning Multiple VMs for analysis

Creating a Virtual Environment

#Create venv as root user; --system-site-packages keeps the distro's libvirt
#python bindings visible inside it
sudo su
python3 -m venv --system-site-packages myenv
source myenv/bin/activate

#Install needed packages
pip3 install randmac

#Let CAPE re-randomise guest identifiers at analysis start and push a static route
#to the result server into each clone; the gateway key takes an address, not yes/no
sudo nano /opt/CAPEv2/conf/auxiliary.conf

#under [disguise]
enabled = yes
windows_static_route = yes
windows_static_route_gateway = 192.168.122.1

Using clone-machines.py to automate the process

https://capev2.readthedocs.io/en/latest/installation/guest/cloning.html

wget https://github.com/CAPESandbox/community/raw/refs/heads/master/utils/clone-machines.py

#Test output (prints the clones, their MACs and the kvm.conf / network entries without creating anything)
python3 /home/ubuntung3/clone-machines.py \
  --dry-run \
  --original win10_1 \
  --original-disk /home/ubuntung3/Downloads/win10_1.qcow2 \
  --prefix win10_1 \
  --count 5 \
  --count-offset 1 \
  --ip 192.168.122.4 \
  --network-name default \
  --tags win10x64 \
  --snapshot-name clean-agent \
  --storage-path /home/ubuntung3/vms

#Actual command
python3 /home/ubuntung3/clone-machines.py \
  --original win10_1 \
  --original-disk /home/ubuntung3/Downloads/win10_1.qcow2 \
  --prefix win10_1 \
  --count 5 \
  --count-offset 1 \
  --ip 192.168.122.4 \
  --network-name default \
  --tags win10x64 \
  --snapshot-name clean-agent \
  --storage-path /home/ubuntung3/vms \
  --yes

#if the script fails importing 'gi', install the GObject bindings it needs
sudo apt install python3-gi python3-gi-cairo gir1.2-gtk-3.0

Give static IPs instead of DHCP

sudo virsh net-dumpxml default > fixed-network.xml
nano fixed-network.xml

#Fields to change: keep the dynamic pool above the addresses handed out statically,
#and add one <host> lease per machine inside <dhcp>. The MAC in each lease must be
#the MAC of that domain's NIC (the dry-run above prints them; 'sudo virsh domiflist
#win10_1' shows the original's), so no two leases may share a MAC.
<range start='192.168.122.100' end='192.168.122.254'/>
<host mac='52:54:00:2E:6F:52' name='win10_1' ip='192.168.122.3'/>

<SNIP> #just copy output from dry-run in previous command and paste here

<host mac='<mac of win10_1-5 from the dry-run>' name='win10_1-5' ip='192.168.122.8'/>

#redefine the network and restart it so dnsmasq reloads the leases
sudo virsh net-define fixed-network.xml
sudo virsh net-destroy default
sudo virsh net-start default

Adding new VMs to kvm.conf

sudo nano kvm.conf

#the ip of each machine must be its address on the 192.168.122.0/24 analysis network,
#identical to its <host> lease above, or the result server never hears from the clone

[kvm]
machines = win10_1,win10_1-1,win10_1-2,win10_1-3,win10_1-4,win10_1-5

[win10_1-1]
label = win10_1-1
platform = windows
ip = 192.168.122.4
tags = win10x64,x64
snapshot = clean-agent
arch = x64

[win10_1-2]
label = win10_1-2
platform = windows
ip = 192.168.122.5
tags = win10x64,x64
snapshot = clean-agent
arch = x64

[win10_1-3]
label = win10_1-3
platform = windows
ip = 192.168.122.6
tags = win10x64,x64
snapshot = clean-agent
arch = x64

[win10_1-4]
label = win10_1-4
platform = windows
ip = 192.168.122.7
tags = win10x64,x64
snapshot = clean-agent
arch = x64

[win10_1-5]
label = win10_1-5
platform = windows
ip = 192.168.122.8
tags = win10x64,x64
snapshot = clean-agent
arch = x64
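The static leases and the kvm.conf sections above describe the same machines twice, and a mismatch (an address on the wrong subnet, a lease missing for one clone, two leases with the same MAC) only shows up as an analysis that times out waiting for the guest. Added example, not part of CAPE or the original post: a Python check that reads kvm.conf and the network XML and lists every disagreement before you start CAPE. The two embedded inputs are constructed and deliberately contain those mistakes; the file names in the usage comment are assumptions.

```python
"""Cross-check kvm.conf against the libvirt network before starting CAPE.

Added example, not part of CAPE or the post. The two inputs below are constructed
and deliberately carry the mistakes this check exists to catch.
"""
import configparser
import ipaddress
import sys
import xml.etree.ElementTree as ET

# Constructed kvm.conf: the first clone sits on the wrong subnet.
KVM_CONF = """
[kvm]
machines = win10_1,win10_1-1,win10_1-2

[win10_1]
label = win10_1
platform = windows
ip = 192.168.122.3
snapshot = clean-agent

[win10_1-1]
label = win10_1-1
platform = windows
ip = 192.168.1.4
snapshot = clean-agent

[win10_1-2]
label = win10_1-2
platform = windows
ip = 192.168.122.5
snapshot = clean-agent
"""

# Constructed 'virsh net-dumpxml default': two leases share a MAC, one clone has none.
NETWORK_XML = """<network>
  <name>default</name>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.100' end='192.168.122.254'/>
      <host mac='52:54:00:2E:6F:52' name='win10_1' ip='192.168.122.3'/>
      <host mac='52:54:00:2E:6F:52' name='win10_1-1' ip='192.168.122.4'/>
    </dhcp>
  </ip>
</network>"""


def parse_network(xml_text: str):
    """Return (subnet, DHCP pool bounds or None, {name: (mac, ip)}) from network XML."""
    root = ET.fromstring(xml_text)
    ip_el = root.find("ip")
    subnet = ipaddress.ip_network(f"{ip_el.get('address')}/{ip_el.get('netmask')}", strict=False)
    rng = root.find("ip/dhcp/range")
    pool = None
    if rng is not None:
        pool = (ipaddress.ip_address(rng.get("start")), ipaddress.ip_address(rng.get("end")))
    leases = {h.get("name"): (h.get("mac").lower(), h.get("ip")) for h in root.findall("ip/dhcp/host")}
    return subnet, pool, leases


def lint(kvm_conf_text: str, network_xml: str, resultserver_ip: str) -> list[str]:
    """Return human-readable problems; an empty list means the two configs agree."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(kvm_conf_text)
    subnet, pool, leases = parse_network(network_xml)
    problems = []
    if ipaddress.ip_address(resultserver_ip) not in subnet:
        problems.append(f"resultserver ip {resultserver_ip} is not on {subnet}: guests cannot report back")
    seen = {}
    for m in (x.strip() for x in cp["kvm"]["machines"].split(",") if x.strip()):
        if m not in cp:
            problems.append(f"{m}: listed in [kvm] machines but has no section")
            continue
        sec = cp[m]
        if sec.get("label") != m:
            problems.append(f"{m}: label {sec.get('label')!r} differs from the section name; label must be the virsh domain name")
        for key in ("platform", "snapshot", "ip"):
            if not sec.get(key):
                problems.append(f"{m}: missing '{key}'")
        ip = sec.get("ip")
        if not ip:
            continue
        addr = ipaddress.ip_address(ip)
        if addr not in subnet:
            problems.append(f"{m}: ip {ip} is outside {subnet}")
        elif pool and pool[0] <= addr <= pool[1]:
            problems.append(f"{m}: ip {ip} lies inside the DHCP pool {pool[0]}-{pool[1]}; dnsmasq may hand it out")
        if ip in seen:
            problems.append(f"{m}: ip {ip} is also used by {seen[ip]}")
        seen[ip] = m
        if m not in leases:
            problems.append(f"{m}: no static <host> lease in the network XML")
        elif leases[m][1] != ip:
            problems.append(f"{m}: kvm.conf ip {ip} != lease ip {leases[m][1]}")
    macs = {}
    for name, (mac, _ip) in leases.items():
        if mac in macs:
            problems.append(f"lease for {name} reuses MAC {mac} already given to {macs[mac]}")
        macs[mac] = name
    return problems


if __name__ == "__main__":
    # usage: python3 lint_kvm_conf.py /opt/CAPEv2/conf/kvm.conf fixed-network.xml 192.168.122.1
    if len(sys.argv) == 4:
        conf, net, rs = open(sys.argv[1]).read(), open(sys.argv[2]).read(), sys.argv[3]
    else:
        conf, net, rs = KVM_CONF, NETWORK_XML, "192.168.122.1"
    for p in lint(conf, net, rs):
        print("PROBLEM:", p)
```

The third argument is the [resultserver] ip from cuckoo.conf; checking it against the network's subnet catches the case where the bridge was renumbered but cuckoo.conf still points at 192.168.122.1.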
This post is licensed under CC BY 4.0 by the author.
