Submit · CAPE Sandbox

Analysis Package

Machine

Machine Tags

Available tags: fedora linux ubuntu x64

Network Routing

Timeout (seconds)

Linux Options

Syntax: option1=val1,option2=val2

Option	Description
`filename`	Rename the sample file
`file`	When using the archive package, set the name of the file to execute
`password`	When using the archive package, set the password to use for extraction/decryption. Also used when analyzing password-protected Office documents.
`arguments`	Arguments to be passed to the sample (or opened file, if applicable)
`timeout`	Analysis timeout (in seconds)
`enforce_timeout`	Enforce the timeout even if the process finishes early
`clock`	Set the VM clock (YYYYMMDDhhmm or seconds since epoch)
`package`	Analysis package to use

Option	Description
`free`	Run analysis without the monitor (no behavioral analysis)
`procmemdump`	Dump process memory
`simul_human`	Simulate human interaction (mouse movements, clicks)
`human_click_interval`	Interval between simulated clicks
`human_mouse_speed`	Speed of simulated mouse movements

Option	Description
`enable_syslog`	Enable syslog capturing
`syslog_port`	Port for syslog capturing (default: 514)

Option	Description
`memory`	Dump full VM memory

Option	Description
`debug`	Enable debugging features

Options

Syntax: option1=val1,option2=val2

Option	Description
`filename`	Rename the sample file
`name`	Force family extractor to run (e.g., name=trickbot)
`curdir`	Execution directory (default %TEMP%)
`executiondir`	Directory to launch file from (default %TEMP%)
`arguments`	Arguments for the executable or exported function
`appdata`	Run executable from AppData instead of Temp
`pwsh`	Prefer PowerShell Core (pwsh.exe)
`free`	Run without monitoring (disables many capabilities)
`ignore_size_check`	Allow ignore file size (must be enabled in conf)
`check_shellcode`	Disable shellcode check during package ID (check_shellcode=0)
`function`	Exported function/ordinal to execute (DLL)
`dllloader`	Process loading the DLL (default rundll32.exe)
`file`	Name of file to execute (Zip/Rar)
`password`	Password for extraction/Office
`startbrowser`	Launch browser 30s into analysis
`browserdelay`	Seconds to wait before starting browser
`url`	URL for started browser
`servicedesc`	Service description (Service package)
`pre_script_args`	Args for pre_script
`during_script_args`	Args for during_script
`lang`	Override system language (LCID)
`standalone`	Run in standalone mode (no pipe)
`monitor`	Inject monitor into PID/Explorer
`shutdown-mutex`	Mutex name for shutdown signal
`terminate-event`	Event name for termination signal
`terminate-processes`	Terminate processes on event
`first-process`	(Internal) First process in tree
`startup-time`	MS since system startup

Option	Description
`no-stealth`	Disable anti-anti-VM/sandbox tricks
`force-sleepskip`	1 = Skip all sleeps, 0 = Disable sleep skipping
`serial`	Spoof the system volume serial number
`single-process`	Limit monitoring to initial process only
`interactive`	Enable interactive desktop mode
`referrer`	Fake referrer for URL analysis
`norefer`	Disable fake referrer
`file-of-interest`	Specific file or URL being analyzed
`pdf`	Adobe Reader specific hooks/behavior
`sysvol_ctimelow/high`	Spoof creation time of system volume
`fake-rdtsc`	Enable fake RDTSC results
`ntdll-protect`	Enable write protection on ntdll.dll code
`ntdll-unhook`	Enable protection against ntdll unhooking
`protected-pids`	Enable protection for critical PIDs

Option	Description
`full-logs`	Disable log suppression
`force-flush`	1 = Flush after non-duplicate API, 2 = Force flush every log
`buffer-max`	Max size for log buffer
`large-buffer-max`	Max size for large log buffers
`api-rate-cap`	Limit rate of API logging
`api-cap`	Limit total number of API logs
`hook-type`	Hook type: direct, indirect, or safe (32-bit only)
`syscall`	Enable syscall hooks (Win10+)
`disable-hook-content`	1 = Remove payload of non-critical hooks, 2 = All hooks
`exclude-apis`	Colon-separated list of APIs to exclude from hooking
`exclude-dlls`	Colon-separated list of DLLs to exclude from hooking
`unhook-apis`	Dynamically unhook functions (colon-separated)
`coverage-modules`	Colon-separated list of DLLs to include in monitoring (exclude from 'dll range' filtering)
`zerohook`	Disable all hooks except essential
`hook-protect`	Enable write protection on hook pages
`log-exceptions`	Enable logging of exceptions

Option	Description
`procdump`	Enable process memory dumping on exit/timeout
`procmemdump`	Enable full process memory dumping
`dump-on-api`	Dump calling module when specific APIs are called (colon-separated)
`dump-config-region`	Dump memory regions suspected to contain C2 config
`dump-crypto`	Dump buffers from Crypto APIs
`dump-keys`	Dump keys from CryptImportKey
`amsidump`	Enable AMSI buffer dumping (Win10+)
`tlsdump`	Enable dumping of TLS secrets
`dropped-limit`	Override default dropped file limit (100)
`compression`	Enable CAPE's extraction of compressed payloads
`extraction`	Enable CAPE's extraction of payloads from within process
`injection`	Enable CAPE's capture of injected payloads
`combo`	Combine compression, injection, and extraction
`unpacker`	1 = Passive unpacking, 2 = Active unpacking
`import-reconstruction`	Attempt import reconstruction on dumps
`store_memdump`	Force STORE memdump (submit to analyzer directly)

Option	Description
`debugger`	Enable internal debugger engine
`debug`	1 = Report critical exceptions, 2 = All exceptions
`bp0...bp3`	Hardware breakpoints (Address or Module:Export)
`bp`	Software breakpoints (colon-separated addresses)
`break-on-return`	Break on return from specific APIs
`base-on-api`	Set base address for breakpoints based on API
`file-offsets`	Interpret breakpoints as file offsets
`trace-all`	Enable full execution tracing
`depth`	Trace depth limit (default 0)
`count`	Trace instruction count limit (default 128)
`loop_detection`	Enable loop detection (compress call logs)
`ttd`	Time Travel Debugging (ttd=1)
`polarproxy`	Run PolarProxy (TLS PCAP)
`mitmdump`	Run mitmdump (TLS HAR)