CAPE – Malware Configuration And Payload Extraction

CAPE is a malware sandbox derived from Cuckoo. It automates malware analysis with the goal of extracting payloads and configuration from malware, which lets it detect malware by payload signature and covers many of the goals of malware reverse engineering and threat intelligence.


The techniques and behaviours that the tool detects, and ships packages for, include:

  • Process injection
    • Shellcode injection
    • DLL injection
    • Process Hollowing
    • Process Doppelganging
  • Decompression of executable modules in memory
  • Extraction of executable modules or shellcode in memory

The package for each of these behaviours dumps the payload being injected, extracted or decompressed so it can be analysed further; this is often the malware payload in unpacked form.

Currently the tool has specific packages dumping configuration and payloads for the following malware families: PlugX, EvilGrab, Sedreco, Cerber, TrickBot, Hancitor, Ursnif, QakBot.

The behavioural packages also extract the payloads of many other malware families automatically; CAPE then identifies those payloads with Yara signatures.

You can read more and use the tool over here: https://github.com/ctxis/CAPE
