Commit
Add imagehash and upx to requirements.
kevoreilly committed Jun 14, 2017
1 parent 54a4bc0 commit 9552437
Showing 2 changed files with 3 additions and 1 deletion.
2 changes: 1 addition & 1 deletion README.md
@@ -6,7 +6,7 @@ CAPE can detect a number of malware techniques or behaviours, as well as specifi

This detection then triggers a second run with a specific package, in order to extract the malware payload and possibly its configuration, for further analysis.

CAPE works by controlling malware via a bespoke debugger and API hooks. Detection to trigger a CAPE package can be based from on 'Cuckoo' (API) or Yara signatures. The debugger uses Yara signatures or API hooks to allow breakpoints to be set on individual instructions, memory regions or function calls. Once a region of interest is reached, it can be manipulated and dumped for processing and analysis, and possibly configuration parsing.
CAPE works by controlling malware via a bespoke debugger and API hooks. Detection to trigger a CAPE package can be based on 'Cuckoo' (API) or Yara signatures. The debugger uses Yara signatures or API hooks to allow breakpoints to be set on individual instructions, memory regions or function calls. Once a region of interest is reached, it can be manipulated and dumped for processing and analysis, and possibly configuration parsing.

The techniques or behaviours that CAPE detects and has packages for include:
- Process injection
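Review bot: the README hunk is a typo fix ("based from on" becomes "based on") that the commit message, which mentions only the requirements change, does not cover; either extend the message (e.g. "Add imagehash and upx to requirements; fix README typo") or split the README fix into its own commit so the history of README.md stays descriptive.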
2 changes: 2 additions & 0 deletions requirements.txt
@@ -29,3 +29,5 @@ git+https://github.com/crackinglandia/pype32.git
git+https://github.com/jsocol/django-ratelimit
git+https://github.com/kbandla/pydeep.git
pyvmomi>=6.0
imagehash
upx
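Review bot: `imagehash` and `upx` are added without any version constraint while the entry directly above pins `pyvmomi>=6.0`; both new libraries will run in the processing stage over extracted payloads, i.e. attacker-controlled input, so pin them to known-good versions (`imagehash==<version>`, `upx==<version>`) rather than floating to whatever is latest at install time. A one-line note in README.md saying what the `upx` entry is for would also help, since the question in the comments below shows the intent is not obvious from the requirements line alone.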

2 comments on commit 9552437

@enzok (Contributor) commented on 9552437 Jun 14, 2017


Is the upx module just for Windows based cuckoo instances?

@kevoreilly (Contributor, Author) commented:

No, it's meant for Linux-based (or all) instances. The idea is that often an extracted payload will be packed with UPX, so it would be ideal to unpack it during the processing stage. This is what the analyst would then probably do anyway manually, so it saves this step, and allows the unpacked contents to be scanned with Yara and possibly parsed for configuration. I am also considering whether to automate the submission of files that are detected as UPX-derived but won't unpack using the UPX tool, as there is a UPX package for this.
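The processing-stage flow described in the reply above, as an added example that is not CAPE's own code and not the author's: a helper that recognises a UPX-packed PE from its section names (or the `UPX!` marker), tries the real `upx -d` tool when it is on PATH, and otherwise reports the "UPX-derived but won't unpack" case so it can be routed to the UPX package instead of being scanned as-is. The function names and the minimal PE skeleton built by `build_sample_pe` are constructed for this illustration; the skeleton is not a runnable executable.

```python
"""
Added example (not CAPE's own code): detect a UPX-packed PE in the
processing stage, attempt `upx -d`, and return what should be handed
to Yara. All helper names are hypothetical; sample bytes are constructed.
"""
import os
import shutil
import struct
import subprocess
import tempfile

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                       # COFF file header (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                  # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: stock UPX names its sections UPX0/UPX1 and leaves a 'UPX!' marker."""
    names = set(pe_section_names(data))
    return bool(names & UPX_SECTION_NAMES) or b"UPX!" in data


def try_upx_unpack(data: bytes) -> tuple:
    """
    Attempt `upx -d`. Returns (status, payload) where status is 'unpacked',
    'upx-failed' (UPX-derived but the tool refuses, the case the reply wants
    to route to the UPX package) or 'no-upx-tool' (upx not installed here).
    """
    upx = shutil.which("upx")
    if upx is None:
        return "no-upx-tool", data
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "packed.bin")
        dst = os.path.join(workdir, "unpacked.bin")
        with open(src, "wb") as fh:
            fh.write(data)
        proc = subprocess.run([upx, "-d", "-o", dst, src],
                              capture_output=True, timeout=60)
        if proc.returncode != 0 or not os.path.exists(dst):
            return "upx-failed", data
        with open(dst, "rb") as fh:
            return "unpacked", fh.read()


def process_payload(data: bytes) -> dict:
    """Processing-stage decision: what bytes to scan with Yara and what to flag."""
    result = {"upx": looks_upx_packed(data), "status": "not-packed", "scan": data}
    if result["upx"]:
        status, out = try_upx_unpack(data)
        result["status"] = status
        result["scan"] = out                  # unpacked image when upx succeeded
    return result


def build_sample_pe(section_names) -> bytes:
    """Constructed minimal PE skeleton (headers only, not executable) for testing."""
    pe_off = 0x40
    hdr = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", hdr, 0x3C, pe_off)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(hdr) + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    sample = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])
    print(process_payload(sample)["status"])
```

The `upx-failed` status is the interesting one for the automation the reply mentions: a sample that carries UPX section names but that the stock tool refuses is exactly what should be resubmitted to the UPX package rather than silently scanned in its packed form.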
