CapeSandbox

CAPE Sandbox is an open-source software for automating the analysis of suspicious files and URLs.

Forensics & Malware Analysis · Cape Sandbox

Configuration parameters

  • url — Server URL (required)
  • token_credentials — API Token
  • credentials — Username
  • insecure — Trust any certificate (not secure)
  • proxy — Use system proxy settings

Commands (12)

  • cape-cuckoo-status-get

    Returns the overall status of the CAPE/Cuckoo system in a human-readable format. This command provides a quick overview of the sandbox's operational status.

  • cape-file-submit

    Submits a file to the CAPE Sandbox for analysis. This command supports PCAP files and automatically sets the `pcap` parameter to `1`. The command polls the CAPE server until the analysis task is complete, and then returns the task results. Note: Analysis scans may take a long time to complete and could cause a timeout. If a timeout occurs, use the !cape-tasks-list task_id=<task_id> command to check the status of your task.

  • cape-file-view

    View detailed information about a file that has been analyzed by CAPE Sandbox. You must specify at least one identifier - Task ID, MD5 hash, or SHA256 hash.

  • cape-machines-list

    Returns a list of available analysis machines configured in CAPE Sandbox. If a machine_name is provided, the command returns detailed information for that specific machine.

  • cape-pcap-file-download

    Download the PCAP (Packet Capture) network dump file associated with a specific CAPE Sandbox task ID. The PCAP file contains all network traffic captured during the analysis and can be analyzed with tools like Wireshark.

  • cape-sample-download

    Download a sample file from a CAPE Sandbox task. You must specify at least one identifier - Task ID, MD5 hash, SHA1 hash, or SHA256 hash. The downloaded file will be added to the War Room.

  • cape-task-delete

    Delete a CAPE Sandbox analysis task by its Task ID.

  • cape-task-poll

    Internal command used by cape-file-submit and cape-url-submit for polling status.

  • cape-task-report-get

    Retrieve the analysis report associated with a specified CAPE Sandbox task ID. If zip=true, the report will be returned as a downloadable ZIP file.

  • cape-task-screenshot-download

    Download screenshots captured during the analysis of a CAPE Sandbox task. Screenshots show the visual behavior of the analyzed file or URL. If a specific screenshot number is provided, only that single screenshot will be downloaded; otherwise, all available screenshots for the task will be downloaded.

  • cape-tasks-list

    Returns a list of CAPE Sandbox tasks. If a task_id is provided, the command returns the detailed information for that specific task.

  • cape-url-submit

    Submits a URL to the CAPE Sandbox for analysis. The command polls the CAPE server until the analysis task is complete, and then returns the analysis results. Note: Analysis scans may take a long time to complete and could cause a timeout. If a timeout occurs, use the !cape-tasks-list task_id=<task_id> command to check the status of your task.