Submit a file task to be analyzed by CAPE. Return object will be JSON.
curl -F file=@/path/to/file -F machine="VM-Name" -H "Authorization: Token YOUR_TOKEN" http://example.tld/apiv2/tasks/create/file/
# In the case of a PCAP, add -F pcap=1
# Note: machine is optional. The Authorization header is only required when Token auth is enabled in api.conf
Download Service & Analyze
Yes
RPS: 1/s
RPM: 2/m
Download a file from VirusTotal, MalwareBazaar or another supported service and submit it for analysis. Return object will be JSON.
curl -F vtdl=[hash] -F machine="VM-Name" -H "Authorization: Token YOUR_TOKEN" -F apikey="[VT API key]" http://example.tld/apiv2/tasks/create/vtdl/
# Note: machine is optional. The Authorization header is only required when Token auth is enabled in api.conf
URL Create
Yes
RPS: 1/s
RPM: 2/m
Submit a URL task to be analyzed by CAPE. Return object will be JSON.
Search MongoDB for Task IDs matching one of the options below. Return object will be JSON.
curl -d "option=[option]&argument=[argument]" http://example.tld/apiv2/tasks/extendedsearch/
# Searchable Options List:
# id : Task id
# name : Name of the target file
# type : File type string of the target
# string : Match a string in the static analysis section
# ssdeep : Match an ssdeep hash
# crc32 : Match a CRC32 hash
# file : Match a file in the behavioral analysis summary
# command : Match an executed command
# resolvedapi : Match an API that the sample resolved
# key : Match a registry key in the behavioral analysis summary
# mutex : Match a mutex in the behavioral analysis summary
# domain : Match a resolved domain
# ip : Match a contacted IP address
# signature : Match a CAPE signature description
# signame : Match a CAPE signature name
# detections : Match samples associated with a malware family
# url : Match the target URL of a URL task
# imphash : Match an import hash
# iconhash : Match the exact hash of the icon associated with the PE
# iconfuzzy : Match a hash designed to match similar-looking icons
# surialert : Match a Suricata alert signature
# surihttp : Match Suricata HTTP data
# suritls : Match Suricata TLS data
# clamav : Match a ClamAV signature
# yaraname : Match a Yara signature name
# virustotal : Match a VirusTotal AV signature
# comment : Match a comment posted to a specific task
# md5 : Targets with a specific MD5 hash
# sha1 : Targets with a specific SHA1 hash
# sha256 : Targets with a specific SHA256 hash
# sha512 : Targets with a specific SHA512 hash
# TTP : Match a MITRE ATT&CK technique ID (TTP)
Tasks List
Yes
RPS: 1/s
RPM: 5/m
View information about a range of Task IDs. Return object will be JSON.
curl http://example.tld/apiv2/tasks/list/
curl http://example.tld/apiv2/tasks/list/[limit]/ (limit the number of tasks returned)
curl http://example.tld/apiv2/tasks/list/[limit]/[offset]/ (limit the number of tasks returned, starting at the given offset)
# Accepts the query parameters status (filter tasks by status) and/or option (LIKE match on the task options string)
Task View
Yes
RPS: 1/s
RPM: 10/m
View information about a specific task including VM, sample, and error information. Return object will be JSON.
Delete one or more tasks from the database. Return object will be JSON.
curl http://example.tld/apiv2/tasks/delete/[task id]/[status]
curl http://example.tld/apiv2/tasks/delete/[task id],[task id]/[status]
curl http://example.tld/apiv2/tasks/delete/[start_task_id]-[end_task_id]/[status]
# Note: status is optional. Specify the exact (failed) status of the task when the job failed; leave it blank for successful tasks
Task Status
Yes
RPS: 4/s
RPM: None
Query the status of a Task by ID. Return object will be JSON.
Download a report generated for a specific task. Depending on the format, the return object will be JSON, XML or application/zip.
curl http://example.tld/apiv2/tasks/get/report/[task id]/
curl http://example.tld/apiv2/tasks/get/report/[task id]/[format]/
curl http://example.tld/apiv2/tasks/get/report/[task id]/[format]/zip/
# Note: format can be json/maec/maec5/metadata/lite/all
# Note 2: the extra formats all/dist/dropped/lite are used for distributed cluster reporting
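The file-create, status and report endpoints above are normally chained: submit, poll the status until the task is reported, then fetch the report. The following is an added example written for this page, not code from the CAPE project. It uses only the Python standard library and ships with an in-memory fake CAPE so the whole flow runs offline. Taken from the page: the create/file and get/report paths, the file, machine and pcap form fields, and the Authorization: Token header. Assumed, and to be checked against your instance: the status path /apiv2/tasks/status/<id>/, the {"error": ..., "data": ...} envelope on create and status responses, and the task state names pending/running/reported/failed_*.

```python
"""Added example, not CAPE's own code: a standard-library apiv2 client plus an
in-memory fake CAPE so submit -> poll -> report runs offline.
Assumed (verify on your instance): the /apiv2/tasks/status/<id>/ path and the
{"error": bool, "data": ...} envelope on create and status responses."""
import io
import json
import urllib.request
import uuid


def encode_multipart(fields, files):
    """Build a multipart/form-data body; files is [(field, filename, bytes)]."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{name}"'.encode(),
                  b"", str(value).encode()]
    for name, filename, content in files:
        parts += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{name}"; filename="{filename}"'.encode(),
                  b"Content-Type: application/octet-stream", b"", content]
    parts += [f"--{boundary}--".encode(), b""]
    return b"\r\n".join(parts), f"multipart/form-data; boundary={boundary}"


class CapeClient:
    def __init__(self, base_url, token=None, opener=urllib.request.urlopen):
        self.base_url = base_url.rstrip("/")
        self.token = token      # None when api.conf has Token auth disabled
        self._open = opener     # injectable transport; FakeCape replaces it below

    def _json(self, path, body=None, content_type=None):
        req = urllib.request.Request(self.base_url + path, data=body)
        if self.token:          # header is only sent when a token is configured
            req.add_header("Authorization", f"Token {self.token}")
        if content_type:
            req.add_header("Content-Type", content_type)
        with self._open(req) as resp:
            payload = json.loads(resp.read().decode())
        if isinstance(payload, dict) and payload.get("error"):
            raise RuntimeError(payload.get("error_value", "CAPE returned an error"))
        return payload

    def submit_file(self, filename, content, machine=None, pcap=False):
        """POST /apiv2/tasks/create/file/ and return the new task IDs."""
        fields = {}
        if machine:
            fields["machine"] = machine
        if pcap:
            fields["pcap"] = "1"    # PCAP submissions add -F pcap=1 (see above)
        body, ctype = encode_multipart(fields, [("file", filename, content)])
        return self._json("/apiv2/tasks/create/file/", body, ctype)["data"]["task_ids"]

    def status(self, task_id):
        return self._json(f"/apiv2/tasks/status/{task_id}/")["data"]  # assumed path

    def report(self, task_id, fmt="json"):
        return self._json(f"/apiv2/tasks/get/report/{task_id}/{fmt}/")

    def wait_for_report(self, task_id, attempts=30, sleep=lambda: None):
        """Poll status until 'reported'; fail fast on any failed_* state."""
        for _ in range(attempts):
            state = self.status(task_id)
            if state == "reported":
                return self.report(task_id)
            if state.startswith("failed"):
                raise RuntimeError(f"task {task_id} ended in state {state}")
            sleep()
        raise TimeoutError(f"task {task_id} not reported after {attempts} polls")


def _reply(obj):
    """Fake HTTP response: a context manager with .read(), like urlopen's."""
    return io.BytesIO(json.dumps(obj).encode())


class FakeCape:
    """Constructed test double, not a real server. Routes the paths above and
    moves each task pending -> running -> reported, one step per status poll."""
    def __init__(self, token="secret"):
        self.token, self.tasks, self.requests = token, {}, []

    def __call__(self, req):
        self.requests.append(req)
        if req.get_header("Authorization") != f"Token {self.token}":
            return _reply({"error": True, "error_value": "Authentication failed"})
        path = req.selector
        if path == "/apiv2/tasks/create/file/":
            if b'name="file"; filename=' not in (req.data or b""):
                return _reply({"error": True, "error_value": "no file uploaded"})
            tid = len(self.tasks) + 1
            self.tasks[tid] = ["pending", "running", "reported"]
            return _reply({"error": False, "data": {"task_ids": [tid]}})
        if path.startswith("/apiv2/tasks/status/"):
            steps = self.tasks[int(path.split("/")[4])]
            state = steps.pop(0) if len(steps) > 1 else steps[0]
            return _reply({"error": False, "data": state})
        if path.startswith("/apiv2/tasks/get/report/"):
            return _reply({"info": {"id": int(path.split("/")[5])}, "signatures": []})
        return _reply({"error": True, "error_value": f"no route for {path}"})


if __name__ == "__main__":
    fake = FakeCape(token="secret")
    client = CapeClient("http://example.tld", token="secret", opener=fake)
    task_id = client.submit_file("sample.exe", b"MZ\x90\x00constructed sample", machine="VM-Name")[0]
    print(json.dumps(client.wait_for_report(task_id), indent=1))
```

Against a real instance, drop the opener argument so urllib.request.urlopen is used, and pass a sleep callback such as lambda: time.sleep(5) to wait_for_report: the status endpoint is rate limited (4 requests per second on this page), so a tight polling loop will be throttled rather than finish sooner. The client only attaches the Authorization header when a token is given, matching the note that the header depends on whether Token auth is enabled in api.conf.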
Task IOCs
Yes
RPS: 1/s
RPM: 4/m
View the objects of the task report that may contain IOCs. Return object will be JSON.