The purpose of this project is to automatically analyze malware in CAPE and then convert CAPE data into STIX 2.1 data.
CAPE (Config And Payload Extraction) is a malware sandbox. It was derived from Cuckoo with the goal of adding automated malware unpacking and config extraction. Automated unpacking allows classification based on Yara signatures to complement network (Suricata) and behavior (API) signatures.
There is a free community instance online which anyone can use: CAPE Sandbox
When working with the CAPE2STIX repository, there are a few important notes to keep in mind.
First, the documentation lays out the start-to-finish instructions for setup and usage. This README contains links to other markdown files, all of which are best read in a markdown renderer, such as GitHub's web view or VSCode's markdown preview.
Second, this project contains git submodules. Use the following commands to ensure all submodules are available:
```
git clone --recursive
cd cape2stix/
git submodule update --init --recursive
```
Once the repository is cloned with its submodules, users can set up the AMA/CAPE2STIX pipeline environment. The deployment pipeline is as follows:
- Automated Malware Analysis Deployment: create a CAPE sandbox system, complete with any number of virtual machines for analyzing malware samples
- CAPE-Web: Run malware samples in CAPE
- Export CAPE reports
- cape2stix: Convert CAPE reports to STIX
- Neo4j: submit converted STIX reports to a neo4j database
ama_deploy/ is the directory containing all setup for building CAPE from scratch using virtual machine images. In addition to deploying CAPE, it also contains the functionality to set up the cape2stix and neo4j docker containers. See the ama_deploy documentation for further instructions. Users can return to this page after exporting malware reports from CAPE-Web; at that point they are ready to use the cape2stix converter.
The assumed deployment target is Ubuntu 22 LTS or similar.
cape2stix can convert CAPE reports to STIX 2.1 and submit them to a neo4j database. Installation can be done either manually or automatically.
The assumed deployment target is Ubuntu 22 LTS or similar.
Manual setup is preferred for small-scale conversion without database submission. Users will need to install and run poetry:
```
python3 -m pip install poetry # install poetry
poetry install # install dependencies under the poetry environment
poetry shell # enter the poetry environment
```
A virtual environment will be created that can be entered by running poetry shell. All Python scripts should be run from inside this environment.
ama_deploy/run.py can build and deploy the docker containers necessary for cape2stix and the neo4j database. For more information on how to use this tool, see the ama_deploy documentation.
convert.py is a script that converts a JSON report generated by CAPEv2 into a STIX bundle. The usage of the script is shown below.
```
usage: convert.py [-h] [--log_level {warn,debug,info}] [--disallow_custom] [--small] (-u | -f FILE)

CAPE json conversion to STIX. Using mainly the report.json output

optional arguments:
  -h, --help                     show this help message and exit
  --log_level {warn,debug,info}
  --disallow_custom
  --small
  -u                             run tests with base file
  -f FILE, --file FILE           path to file ie: ./report.json
```
Example usage:
```
python3 cape2stix/scripts/convert.py -f input/test.json --log_level info
```
The resulting STIX JSON file will be placed in the output directory.
Note: this needs to run from the repository's top-level directory.
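To show what the conversion step produces, here is an added illustration written for this README (it is not the cape2stix converter, which maps far more of the report): a standard-library mapping of a constructed, miniature CAPE report.json into a STIX 2.1 bundle. It uses the deterministic UUIDv5 identifiers the STIX 2.1 specification requires for cyber-observable objects, so that re-converting the same sample does not create duplicate file or domain nodes when the bundle is loaded into Neo4j. The report field names (target.file, malfamily, signatures, network.domains) follow CAPE's report layout; the hash and domain values are placeholders.

```python
"""Illustrative CAPE report.json -> STIX 2.1 bundle mapping (standard library only).
Written for this README; it is NOT cape2stix's converter, which maps far more fields."""
import json
import uuid
from datetime import datetime, timezone

# OASIS-defined namespace for deterministic STIX 2.1 SCO identifiers (UUIDv5).
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
HASH_PREFERENCE = ["MD5", "SHA-1", "SHA-256", "SHA-512"]  # spec: contribute one hash only


def sco_id(sco_type, contributing):
    """Same ID-contributing properties -> same id, so re-converting a sample
    does not create duplicate observable nodes when loaded into Neo4j."""
    canon = json.dumps(contributing, sort_keys=True, separators=(",", ":"))
    return f"{sco_type}--{uuid.uuid5(SCO_NAMESPACE, canon)}"


def cape_to_stix(report):
    now = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    f = report["target"]["file"]
    hashes = {"MD5": f["md5"], "SHA-1": f["sha1"], "SHA-256": f["sha256"]}
    chosen = next(h for h in HASH_PREFERENCE if h in hashes)
    # Simplified contributing set: one hash plus name (spec also lists extensions, parent_directory_ref).
    file_sco = {"type": "file", "spec_version": "2.1",
                "id": sco_id("file", {"hashes": {chosen: hashes[chosen]}, "name": f["name"]}),
                "name": f["name"], "size": f["size"], "hashes": hashes}
    sigs = ", ".join(s["name"] for s in report.get("signatures", []))
    malware = {"type": "malware", "spec_version": "2.1", "id": f"malware--{uuid.uuid4()}",
               "created": now, "modified": now, "is_family": False,
               "name": report.get("malfamily") or f["name"],
               "description": f"CAPE signatures: {sigs}", "sample_refs": [file_sco["id"]]}
    objs = [file_sco, malware]
    for d in report.get("network", {}).get("domains", []):
        dom = {"type": "domain-name", "spec_version": "2.1", "value": d["domain"],
               "id": sco_id("domain-name", {"value": d["domain"]})}
        rel = {"type": "relationship", "spec_version": "2.1",
               "id": f"relationship--{uuid.uuid4()}", "created": now, "modified": now,
               "relationship_type": "communicates-with",
               "source_ref": malware["id"], "target_ref": dom["id"]}
        objs += [dom, rel]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objs}


# Constructed miniature of a CAPE report.json (placeholder hashes and a reserved test domain).
SAMPLE_REPORT = {
    "target": {"file": {"name": "sample.exe", "size": 4096,
                        "md5": "0" * 32, "sha1": "0" * 40, "sha256": "0" * 64}},
    "malfamily": "TestFamily",
    "signatures": [{"name": "persistence_autorun", "severity": 3}],
    "network": {"domains": [{"domain": "c2.example.invalid", "ip": "192.0.2.10"}]},
}
```

Running `json.dumps(cape_to_stix(SAMPLE_REPORT), indent=2)` prints a bundle in the same general shape as the converter's output files.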
Converted STIX should be stored in a Neo4j database. For more information on database setup, please see our Neo4j documentation.
- When running poetry install, poetry may generate errors. Ignore these unless they cause the command to fail altogether.