Cuckoo / CAPE Sandbox

Cuckoo / CAPE community

Automated dynamic malware analysis sandbox — detonate and observe.

Tags: Malware Analysis & Sandboxing · Free & Open Source · Platform / Suite · Learning · Linux

Cyber Kill Chain & Defender Lifecycle

Attacker — Kill Chain
  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command & Control
  7. Actions on Objectives

Defender — IR Lifecycle
  8. Detection / Monitoring
  9. Containment & Eradication
  10. Post-incident Forensics

Description

Cuckoo Sandbox is the original open-source automated malware analysis platform. The original Cuckoo project is essentially frozen; its actively maintained fork CAPE Sandbox (Config And Payload Extraction) is the modern choice and is widely used in enterprise SOCs.

A submission is detonated in an isolated VM (Windows / Linux / Android) while the sandbox records:

  • API call traces, dropped files, registry changes.
  • Network traffic (PCAP, DNS queries, contacted C2 domains).
  • Memory dumps and YARA matches.
  • Screenshots and behaviour score.

Use cases

  • Triaging suspicious attachments at scale
  • Extracting C2 config from packed samples (CAPE)
  • Generating PCAP for SIEM detection engineering