{ "statistics": { "processing": [ { "name": "CAPE", "time": 1.164 }, { "name": "AnalysisInfo", "time": 0.046 }, { "name": "BehaviorAnalysis", "time": 0.001 }, { "name": "Debug", "time": 0.001 }, { "name": "NetworkAnalysis", "time": 0.001 }, { "name": "UrlAnalysis", "time": 0.0 }, { "name": "script_log_processing", "time": 0.0 }, { "name": "ProcessMemory", "time": 0.0 } ], "signatures": [ { "name": "packer_themida", "time": 0.0 }, { "name": "stealth_network", "time": 0.0 }, { "name": "deletes_files", "time": 0.0 }, { "name": "drops_files", "time": 0.0 }, { "name": "reads_files", "time": 0.0 }, { "name": "writes_files", "time": 0.0 }, { "name": "antianalysis_tls_section", "time": 0.0 }, { "name": "antivirus_clamav", "time": 0.0 }, { "name": "antivirus_virustotal", "time": 0.0 }, { "name": "bad_certs", "time": 0.0 }, { "name": "bad_ssl_certs", "time": 0.0 }, { "name": "banker_zeus_p2p", "time": 0.0 }, { "name": "banker_zeus_url", "time": 0.0 }, { "name": "binary_yara", "time": 0.0 }, { "name": "bot_athenahttp", "time": 0.0 }, { "name": "bot_dirtjumper", "time": 0.0 }, { "name": "bot_drive", "time": 0.0 }, { "name": "bot_drive2", "time": 0.0 }, { "name": "bot_madness", "time": 0.0 }, { "name": "phishing_kit_detected", "time": 0.0 }, { "name": "family_proxyback", "time": 0.0 }, { "name": "flare_capa_antianalysis", "time": 0.0 }, { "name": "flare_capa_collection", "time": 0.0 }, { "name": "flare_capa_communication", "time": 0.0 }, { "name": "flare_capa_compiler", "time": 0.0 }, { "name": "flare_capa_datamanipulation", "time": 0.0 }, { "name": "flare_capa_executable", "time": 0.0 }, { "name": "flare_capa_hostinteraction", "time": 0.0 }, { "name": "flare_capa_impact", "time": 0.0 }, { "name": "flare_capa_lib", "time": 0.0 }, { "name": "flare_capa_linking", "time": 0.0 }, { "name": "flare_capa_loadcode", "time": 0.0 }, { "name": "flare_capa_malwarefamily", "time": 0.0 }, { "name": "flare_capa_nursery", "time": 0.0 }, { "name": "flare_capa_persistence", "time": 0.0 }, { "name": "flare_capa_runtime", "time": 0.0 }, { "name": "flare_capa_targeting", "time": 0.0 }, { "name": "threatfox", "time": 0.0 }, { "name": "log4shell", "time": 0.0 }, { "name": "mimics_extension", "time": 0.0 }, { "name": "network_country_distribution", "time": 0.0 }, { "name": "network_cnc_http", "time": 0.0 }, { "name": "network_ip_exe", "time": 0.0 }, { "name": "network_dga", "time": 0.0 }, { "name": "network_dga_fraunhofer", "time": 0.0 }, { "name": "network_dyndns", "time": 0.0 }, { "name": "network_excessive_udp", "time": 0.0 }, { "name": "network_http", "time": 0.0 }, { "name": "network_icmp", "time": 0.0 }, { "name": "network_irc", "time": 0.0 }, { "name": "network_open_proxy", "time": 0.0 }, { "name": "network_questionable_http_path", "time": 0.0 }, { "name": "network_questionable_https_path", "time": 0.0 }, { "name": "network_smtp", "time": 0.0 }, { "name": "network_torgateway", "time": 0.0 }, { "name": "origin_langid", "time": 0.0 }, { "name": "origin_resource_langid", "time": 0.0 }, { "name": "overlay", "time": 0.0 }, { "name": "packer_unknown_pe_section_name", "time": 0.0 }, { "name": "packer_aspack", "time": 0.0 }, { "name": "packer_aspirecrypt", "time": 0.0 }, { "name": "packer_bedsprotector", "time": 0.0 }, { "name": "packer_confuser", "time": 0.0 }, { "name": "packer_enigma", "time": 0.0 }, { "name": "packer_entropy", "time": 0.0 }, { "name": "packer_mpress", "time": 0.0 }, { "name": "packer_nate", "time": 0.0 }, { "name": "packer_nspack", "time": 0.0 }, { "name": "packer_smartassembly", "time": 0.0 }, { "name": "packer_spices", "time": 0.0 }, { "name": "packer_themida", "time": 0.0 }, { "name": "packer_titan", "time": 0.0 }, { "name": "packer_upx", "time": 0.0 }, { "name": "packer_vmprotect", "time": 0.0 }, { "name": "packer_yoda", "time": 0.0 }, { "name": "pdf_annot_urls_checker", "time": 0.0 }, { "name": "polymorphic", "time": 0.0 }, { "name": "punch_plus_plus_pcres", "time": 0.0 }, { "name": "procmem_yara", "time": 0.0 }, { "name": "recon_checkip", "time": 0.0 }, { "name": "sigma_events", "time": 0.0 }, { "name": "static_authenticode", "time": 0.0 }, { "name": "invalid_authenticode_signature", "time": 0.0 }, { "name": "static_dotnet_anomaly", "time": 0.0 }, { "name": "static_java", "time": 0.0 }, { "name": "static_pdf", "time": 0.0 }, { "name": "contains_pe_overlay", "time": 0.0 }, { "name": "static_pe_anomaly", "time": 0.0 }, { "name": "pe_compile_timestomping", "time": 0.0 }, { "name": "static_pe_pdbpath", "time": 0.0 }, { "name": "static_rat_config", "time": 0.0 }, { "name": "static_versioninfo_anomaly", "time": 0.0 }, { "name": "suricata_alert", "time": 0.0 }, { "name": "suspicious_html_body", "time": 0.0 }, { "name": "suspicious_html_name", "time": 0.0 }, { "name": "suspicious_html_title", "time": 0.0 }, { "name": "volatility_devicetree_1", "time": 0.0 }, { "name": "volatility_handles_1", "time": 0.0 }, { "name": "volatility_ldrmodules_1", "time": 0.0 }, { "name": "volatility_ldrmodules_2", "time": 0.0 }, { "name": "volatility_malfind_1", "time": 0.0 }, { "name": "volatility_malfind_2", "time": 0.0 }, { "name": "volatility_modscan_1", "time": 0.0 }, { "name": "volatility_svcscan_1", "time": 0.0 }, { "name": "volatility_svcscan_2", "time": 0.0 }, { "name": "volatility_svcscan_3", "time": 0.0 }, { "name": "whois_create", "time": 0.0 } ], "reporting": [ { "name": "BinGraph", "time": 0.0 } ] }, "target": { "category": "file", "file": { "name": "test_sample.sh", "path": "/opt/CAPEv2/storage/binaries/e5ad7baa9070c36dc8507b8b3be3718cd9ab503375df418155414e17d3262093", "guest_paths": "", "size": 64, "crc32": "D5A9A67C", "md5": "d1573bad74ea2bf7a3049b95a078b09b", "sha1": "a60e6e08a52037b3b4b5155086b2db4fcc925af5", "sha256": "e5ad7baa9070c36dc8507b8b3be3718cd9ab503375df418155414e17d3262093", "sha512": "08eaba4ad8d76e00d1513f3207a88503f6e9507ba3d701541ddd2384f3931cd14e911841fad2358154250263b3397e686dc0e2e3eb2de5d6746dd48b30a7390f", "rh_hash": null, "ssdeep": "3:TKH/MAgqRte42sXEIKfZv:YNouhwv", "type": "Bourne-Again shell script, ASCII text executable", "yara": [], "cape_yara": [], "clamav": [], "tlsh": "T135A022E20C3382E003C02E8020A300002C02C03FA200BC208C8C0AC000023C8F80B038", "sha3_384": "b7a32d74d343ed6d2e0fa596f1015e401514e1e2d5f83cc83c013ba16724be4f767a6dbebf2be90b84549e196aa3104a", "yara_hash": "fe117167fbd534878f0d9e7ac29fa46e0f54b9514e7874201773b1e16ed71c1a", "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a", "data": "#!/bin/bash\necho 'CAPE test script running'\nhostname\nid\nls /tmp\n", "strings": [], "virustotal": { "error": true, "msg": "Unable to complete connection to VirusTotal. Status code: 429" }, "executed_tools": [ "overlay", "msi_extract", "kixtart_extract", "vbe_extract", "batch_extract", "UnAutoIt_extract", "UPX_unpack", "RarSFX_extract", "Inno_extract", "SevenZip_unpack", "de4dot_deobfuscate", "eziriz_deobfuscate", "office_one" ], "cape_type_code": 0, "cape_type": "" } }, "CAPE": { "payloads": [], "configs": [] }, "info": { "version": "2.5", "started": "2026-03-11 20:08:56", "ended": "2026-03-11 20:09:03", "duration": 7, "id": 3, "category": "file", "custom": "", "machine": { "id": 3, "status": "stopping", "name": "ubuntu24", "label": "ubuntu24", "platform": "linux", "manager": "KVM", "started_on": "2026-03-11 20:08:56", "shutdown_on": "2026-03-11 20:09:02" }, "package": "", "timeout": false, "tlp": null, "parent_sample": null, "options": {}, "source_url": null, "route": "", "user_id": 0, "CAPE_current_commit": "0e35d168c0209bbbce54132708d6139b1e04e531" }, "behavior": { "processes": [] }, "debug": { "log": "2026-03-11 20:08:59,002 [root] DEBUG: Starting analyzer from: /km4p7f9v\n2026-03-11 20:08:59,003 [root] DEBUG: Storing results at: /tmp/xEoCaKagnd\n2026-03-11 20:08:59,008 [root] DEBUG: Importing auxiliary module \"modules.auxiliary.filecollector\"...\n2026-03-11 20:08:59,016 [root] ERROR: Traceback (most recent call last):\n File \"/km4p7f9v/analyzer.py\", line 458, in \n success = analyzer.run()\n ^^^^^^^^^^^^^^\n File \"/km4p7f9v/analyzer.py\", line 271, in run\n __import__(name, globals(), locals(), [\"dummy\"], 0)\n File \"/km4p7f9v/modules/auxiliary/filecollector.py\", line 170, in \n class EventProcessor(pyinotify.ProcessEvent):\n ^^^^^^^^^\nNameError: name 'pyinotify' is not defined\nTraceback (most recent call last):\n File \"/km4p7f9v/analyzer.py\", line 458, in \n success = analyzer.run()\n ^^^^^^^^^^^^^^\n File \"/km4p7f9v/analyzer.py\", line 271, in run\n __import__(name, globals(), locals(), [\"dummy\"], 0)\n File \"/km4p7f9v/modules/auxiliary/filecollector.py\", line 170, in \n class EventProcessor(pyinotify.ProcessEvent):\n ^^^^^^^^^\nNameError: name 'pyinotify' is not defined\n", "errors": [] }, "network": { "pcap_sha256": "704e5e5b3234433c01fcfd1b20a306e77e985038120492dc53965c3edd38a4ea", "hosts": [], "domains": [], "tcp": [], "udp": [], "icmp": [], "http": [], "dns": [], "smtp": [], "irc": [], "dead_hosts": [] }, "url_analysis": {}, "procmemory": [], "signatures": [], "malscore": 0, "ttps": [], "malstatus": "Failed" }