service_manifest.yml

name: CAPE
version: $SERVICE_TAG
description: Provides dynamic malware analysis through sandboxing.

accepts: (executable/(windows|linux)|java|audiovisual|meta)/.*|document/(installer/windows|office/(excel|ole|powerpoint|rtf|unknown|word|mhtml|onenote)|pdf$)|code/(javascript|jscript|python|vbs|wsf|html|ps1|batch|hta|vbe|a3x)|shortcut/windows|archive/(chm|iso|rar|vhd|udf|zip|7-zip)|text/windows/registry|audiovisual/flash
rejects: empty|metadata/.*

stage: CORE
category: Dynamic Analysis

file_required: true
timeout: 800
disable_cache: false

enabled: false
is_external: false
licence_count: 0
privileged: true

recursion_prevention: ["Dynamic Analysis"]

config:
  # See README for in-depth descriptions of configuration values
  # CAPE host configurations

  remote_host_details:
    hosts:
      - ip: "127.0.0.1"
        port: 8000
        token: "sample_token"
        internet_connected: false
        inetsim_connected: false

  # REST API Timeouts and Attempts
  connection_timeout_in_seconds: 30
  rest_timeout_in_seconds: 120
  connection_attempts: 3

  # Are you using UWSGI with recycling workers?
  uwsgi_with_recycle: false

  # CAPE victim configurations
  allowed_images: []
  # This is used if the "auto" specific image will select multiple images and you want to override it with less images
  auto_architecture:
    win:
      x64: []
      x86: []
    ub:
      x64: []
      x86: []

  # CAPE analysis configurations
  default_analysis_timeout_in_seconds: 150
  max_dll_exports_exec: 5
  machinery_supports_memory_dumps: false
  reboot_supported: false
  extract_cape_dumps: false
  uses_https_proxy_in_sandbox: false
  suspicious_accepted_languages: []

  # CAPE reporting configurations
  recursion_limit: 10000

  # INetSim specifications
  random_ip_range: 192.0.2.0/24
  # This is a list of IPs that represent the locations where INetSim is serving DNS services
  inetsim_dns_servers: []

  # This is the value of the token key to be used in authorization for API requests
  token_key: Token

  # If your machinery deletes machines, (AWS/Azure), there is a chance that a certain machine may not be present
  # for a period of time. This configuration will raise a RecoverableError in that situation, after a certain
  # time period.
  retry_on_no_machine: false

  # Apply a limit of 1000 to APIs that the CAPE monitor logs (normally this value is 5000).
  limit_monitor_apis: false

  # Use the "antivm" packages for winword.exe and wscript.exe, which open a few applications prior to execution in the VM
  use_antivm_packages: false

  # This is a list of processtree_id values that will be added to the stock safelist found at safe_process_tree_leaf_hashes.py
  custom_processtree_id_safelist: []

  # The period/interval (in hours) in which signatures/YARA rules/configuration extractors are updated on the CAPE nest
  update_period: 24

submission_params:
  - default: 0
    name: analysis_timeout_in_seconds
    type: int
    value: 0

  # value = auto + auto_all + all + allowed_images
  # This has the third-highest precedence when submitting a file
  - default: "auto"
    name: specific_image
    type: list
    value: "auto"
    list: ["auto", "auto_all", "all"]

  - default: ""
    name: dll_function
    type: str
    value: ""

  - default: false
    name: dump_memory
    type: bool
    value: false

  - default: true
    name: force_sleepskip
    type: bool
    value: true

  - default: false
    name: no_monitor
    type: bool
    value: false

  - default: true
    name: simulate_user
    type: bool
    value: true

  - default: false
    name: reboot
    type: bool
    value: false

  - default: ""
    name: arguments
    type: str
    value: ""

  - default: ""
    name: custom_options
    type: str
    value: ""

  - default: ""
    name: clock
    type: str
    value: ""

  - default: ""
    name: package
    type: str
    value: ""

  - default: ""
    name: specific_machine
    type: str
    value: ""

  - default: "none"
    name: platform
    type: list
    value: "none"
    list: ["none", "windows", "linux"]

  # https://capev2.readthedocs.io/en/latest/installation/host/routing.html?highlight=per-analysis
  - default: "none"
    name: routing
    type: list
    value: "none"
    list: ["none", "inetsim", "drop", "internet", "tor", "vpn"]

  - default: false
    name: ignore_cape_cache
    type: bool
    value: false

  - default: ""
    name: password
    type: str
    value: ""

  # This is a dev feature to support passing arguments to a HollowsHunter auxiliary module
  - default: ""
    name: hh_args
    type: str
    value: ""

  - default: false
    name: monitored_and_unmonitored
    type: bool
    value: false

heuristics:
  - heur_id: 1
    name: Account
    score: 0
    filetype: "*"
    description: Adds or manipulates an administrative user account.

  - heur_id: 2
    attack_id: T1518.001
    name: Anti-analysis
    score: 0
    filetype: "*"
    description: Constructed to conceal or obfuscate itself to prevent analysis.

  - heur_id: 3
    attack_id: [T1518.001, T1562.001]
    name: Anti-av
    score: 0
    filetype: "*"
    description: Attempts to conceal itself from detection by antivirus.

  - heur_id: 4
    attack_id: [T1057, T1518.001]
    name: Anti-debug
    score: 0
    filetype: "*"
    description: Attempts to detect if it is being debugged.

  - heur_id: 5
    attack_id: T1497
    name: Anti-emulation
    score: 0
    filetype: "*"
    description: Detects the presence of an emulator.

  - heur_id: 6
    attack_id: T1497
    name: Anti-sandbox
    score: 0
    filetype: "*"
    description: Attempts to detect if it is in a sandbox.

  - heur_id: 7
    attack_id: [T1497, T1007]
    name: Anti-vm
    score: 0
    filetype: "*"
    description: Attempts to detect if it is being run in virtualized environment.

  - heur_id: 8
    name: Antivirus
    score: 0
    filetype: "*"
    description: AntiVirus hit. File is infected.

  - heur_id: 9
    name: Banker
    score: 0
    filetype: "*"
    description: Designed to gain access to confidential information stored or processed through online banking.

  - heur_id: 10
    name: Bootkit
    score: 0
    filetype: "*"
    description: Manipulates machine configurations that would affect the boot of the machine.

  - heur_id: 11
    name: Bot
    score: 0
    filetype: "*"
    description: Appears to be a bot or exhibits bot-like behaviour.

  - heur_id: 12
    name: Browser
    score: 0
    filetype: "*"
    description: Manipulates browser-settings in a suspicious way.

  - heur_id: 13
    attack_id: T1562.001
    name: Bypass
    score: 0
    filetype: "*"
    description: Attempts to bypass operating systems security controls (firewall, amsi, applocker, etc.)

  - heur_id: 14
    attack_id: T1071
    name: C2
    score: 0
    filetype: "*"
    description: Communicates with a server controlled by a malicious actor.

  - heur_id: 15
    name: Clickfraud
    score: 0
    filetype: "*"
    description: Manipulates browser settings to allow for insecure clicking.

  - heur_id: 16
    attack_id: T1059
    name: Command
    score: 0
    filetype: "*"
    description: A suspicious command was observed.

  - heur_id: 17
    name: Credential Access
    score: 0
    filetype: "*"
    description: Uses techniques to access credentials.

  - heur_id: 18
    name: Credential Dumping
    score: 0
    filetype: "*"
    description: Uses techniques to dump credentials.

  - heur_id: 19
    name: Cryptomining
    score: 0
    filetype: "*"
    description: Facilitates mining of cryptocurrency.

  - heur_id: 20
    name: Discovery
    score: 0
    filetype: "*"
    description: Uses techniques for discovery information about the system, the user, or the environment.

  - heur_id: 21
    name: Dns
    score: 0
    filetype: "*"
    description: Uses suspicious DNS queries.

  - heur_id: 22
    name: Dotnet
    score: 0
    filetype: "*"
    description: .NET code is used in a suspicious manner.

  - heur_id: 23
    name: Downloader
    score: 0
    filetype: "*"
    description: Trojan that downloads installs files.

  - heur_id: 24
    name: Dropper
    score: 0
    filetype: "*"
    description: Trojan that drops additional malware on an affected system.

  - heur_id: 25
    name: Encryption
    score: 0
    filetype: "*"
    description: Encryption algorithms are used for obfuscating data.

  - heur_id: 26
    name: Evasion
    score: 0
    filetype: "*"
    description: Techniques are used to avoid detection.

  - heur_id: 27
    name: Execution
    score: 0
    filetype: "*"
    description: Uses techniques to execute harmful code or create executables that could run harmful code.

  - heur_id: 28
    name: Exploit
    attack_id: [T1190, T1212, T1082, T1211, T1068]
    score: 0
    filetype: "*"
    description: Exploits an known software vulnerability or security flaw.

  - heur_id: 29
    name: Exploit Kit
    attack_id: T1059
    score: 0
    filetype: "*"
    description: Programs designed to crack or break computer and network security measures.

  - heur_id: 30
    name: Generic
    score: 0
    filetype: "*"
    description: Basic operating system objects are used in suspicious ways.

  - heur_id: 31
    attack_id: [T1003, T1005]
    name: Infostealer
    score: 0
    filetype: "*"
    description: Collects and disseminates information such as login details, usernames, passwords, etc.

  - heur_id: 32
    attack_id: T1055
    name: Injection
    score: 0
    max_score: 1000
    signature_score_map:
      hollowshunter_exe: 0
      hollowshunter_dll: 0
    filetype: "*"
    description: Input is not properly validated and gets processed by an interpreter as part of a command or query.

  - heur_id: 33
    name: Keylogger
    score: 0
    filetype: "*"
    description: Monitoring software detected.

  - heur_id: 34
    name: Lateral
    score: 0
    filetype: "*"
    description: Techniques used to move through environment and maintain access.

  - heur_id: 35
    attack_id: [T1071, T1129]
    name: Loader
    score: 0
    filetype: "*"
    description: Download and execute additional payloads on compromised machines.

  - heur_id: 36
    attack_id: T1112
    name: Locker
    score: 0
    filetype: "*"
    description: Prevents access to system data and files.

  - heur_id: 37
    name: Macro
    score: 0
    filetype: "*"
    description: A set of commands that automates a software to perform a certain action, found in Office macros.

  - heur_id: 38
    name: Malware
    score: 1000
    filetype: "*"
    description: The file uses techniques associated with malicious software.

  - heur_id: 39
    name: Martians
    score: 0
    filetype: "*"
    description: Command shell or script process was created by unexpected parent process.

  - heur_id: 40
    name: Masquerading
    score: 0
    filetype: "*"
    description: The name or location of an object is manipulated to evade defenses and observation.

  - heur_id: 41
    name: Network
    score: 0
    filetype: "*"
    description: Suspicious network traffic was observed.

  - heur_id: 42
    name: Office
    score: 0
    filetype: "*"
    description: Makes API calls not consistent with expected/standard behaviour.

  - heur_id: 43
    attack_id: T1027.002
    name: Packer
    score: 0
    filetype: "*"
    description: Compresses, encrypts, and/or modifies a malicious file's format.

  - heur_id: 44
    attack_id: [T1547.001, T1546.010, T1098]
    name: Persistence
    score: 0
    filetype: "*"
    description: Technique used to maintain presence in system(s) across interruptions that could cut off access.

  - heur_id: 45
    name: Phishing
    score: 0
    filetype: "*"
    description: Techniques were observed that attempted to obtain information from the user.

  - heur_id: 46
    attack_id: T1486
    name: Ransomware
    score: 0
    filetype: "*"
    description: Designed to block access to a system until a sum of money is paid.

  - heur_id: 47
    attack_id: T1219
    name: Rat
    score: 0
    filetype: "*"
    description: Designed to provide the capability of covert surveillance and/or unauthorized access to a target.

  - heur_id: 48
    attack_id: T1014
    name: Rootkit
    score: 0
    filetype: "*"
    description: Designed to provide continued privileged access to a system while actively hiding its presence.

  - heur_id: 51
    name: Static
    score: 0
    filetype: "*"
    description: A suspicious characteristic was discovered during static analysis.

  - heur_id: 52
    attack_id: [T1036, T1564.001, T1070]
    name: Stealth
    score: 0
    filetype: "*"
    description: Leverages/modifies internal processes and settings to conceal itself.

  - heur_id: 53
    name: Trojan
    score: 0
    filetype: "*"
    description: Presents itself as legitimate in attempt to infiltrate a system.

  - heur_id: 54
    name: Virus
    score: 0
    filetype: "*"
    description: Malicious software program.

  - heur_id: 55
    name: CAPE Yara Hit
    score: 0
    signature_score_map:
      # The following signatures are "nested" within the procmem_yara signature
      # If the score is 0, they are signatures that have the tendency to be a false positive
      # These signature names have to be lower-cased to survive the YAML parsing

      # Deprecated rules
      formbook: 0
      grum: 0
      lummastealer: 0
      metastealer: 0
      embedded_pe: 0
      embedded_win_api: 0
      shellcode_get_eip: 0
      shellcode_patterns: 0
      upx: 0
      zgrat: 0
      script_in_lnk: 0
      # The main signature that wraps these Yara rules must have its score set to 0
      procmem_yara: 0
    filetype: "*"
    description: A Yara rule in CAPE was raised

  - heur_id: 1000
    name: Domain detected
    score: 10
    filetype: "*"
    description: CAPE detected Domains

  - heur_id: 1002
    name: HTTP/HTTPS detected
    score: 10
    filetype: "*"
    description: CAPE detected HTTP/HTTPS requests

  - heur_id: 1003
    name: Access Remote File
    score: 10
    filetype: "*"
    description: CAPE detected an attempt to access a remote file

  - heur_id: 1004
    name: TCP/UDP Detected
    score: 10
    filetype: "*"
    description: CAPE detected traffic made over TCP/UDP

  - heur_id: 1005
    name: Non-HTTP Traffic over HTTP ports
    score: 10
    filetype: "*"
    description: CAPE detected non-HTTP traffic being made over HTTP ports (80, 443)

  - heur_id: 1006
    name: IOC found in Buffer
    score: 10
    filetype: "*"
    description: CAPE detected an IOC found in a buffer, either encrypted or decrypted

  - heur_id: 1007
    name: Suspicious User Agent
    score: 1
    filetype: "*"
    description: CAPE detected a suspicious user agent used for HTTP calls

  - heur_id: 1008
    name: Non-Standard DNS Server Used
    score: 1
    filetype: "*"
    description: CAPE detected a non-standard DNS server being used

  - heur_id: 1009
    name: Non-Standard DNS Query Used
    score: 1
    filetype: "*"
    description: CAPE detected a non-standard DNS query being used

  - heur_id: 1010
    name: TCP Detected
    score: 10
    filetype: "*"
    description: CAPE detected traffic made over TCP

  - heur_id: 1011
    name: UDP Detected
    score: 10
    filetype: "*"
    description: CAPE detected traffic made over UDP

  - heur_id: 1012
    name: Non-Standard HTTP Header Used
    score: 1
    filetype: "*"
    description: CAPE detected a non-standard HTTP header being used

  - heur_id: 1013
    name: Unseen IOCs found in API calls
    score: 1
    filetype: "*"
    description: CAPE detected IOCs that were not found in network calls

  - heur_id: 9999
    name: Unknown
    score: 0
    filetype: "*"
    description: Unknown signature detected by CAPE

docker_config:
  allow_internet_access: true
  image: ${REGISTRY}cccs/assemblyline-service-cape:$SERVICE_TAG
  cpu_cores: 1
  ram_mb: 2000

dependencies:
  updates:
    container:
      cpu_cores: 2.0
      ram_mb: 4096
      allow_internet_access: true
      command: ["python", "-m", "cape.update_server"]
      image: ${REGISTRY}cccs/assemblyline-service-cape:$SERVICE_TAG
      ports: ["5003"]
    run_as_core: True

# Update configuration block
update_config:
  generates_signatures: true
  # list of source object from where to fetch files for update and what will be the name of those files on disk
  sources:
    - uri: https://github.com/kevoreilly/CAPEv2.git
      pattern: .*\.yar
      name: internal-cape-yara
      sync: true
    - uri: https://github.com/CAPESandbox/community.git
      pattern: .*\.yar
      name: internal-cape-community-yara
      sync: true
  # interval in seconds at which the updater dependency runs
  update_interval_seconds: 86400 # 24 hours
  signature_delimiter: "file"
  # Should the downloaded files be used to create signatures in the system
  wait_for_update: false