al-khaser vs CAPEv2
GitHub Stats
About al-khaser
al-khaser is a proof-of-concept application that implements numerous malware evasion techniques in a single codebase. It serves as a reference for security researchers studying how malware detects virtual machines, sandboxes, debuggers, and analysis environments. Techniques include timing attacks, CPU feature detection, registry checks, process enumeration, hardware fingerprinting, and API hooking detection. Each technique is implemented, documented, and testable independently. Security teams use al-khaser to validate that their analysis environments and sandboxes are resistant to common evasion methods employed by real-world malware.
About CAPEv2
CAPEv2 (Config And Payload Extraction) is an open-source malware analysis sandbox forked from Cuckoo. It automates the process of detonating malware samples in instrumented virtual machines and extracting behavioral data. CAPEv2 captures API calls, network traffic, dropped files, registry changes, and process trees. Its signature feature is automated payload and configuration extraction from 200+ malware families (Emotet, TrickBot, QakBot, Cobalt Strike, etc.), recovering C2 URLs, encryption keys, and injected payloads. It supports Windows, Linux, and Android analysis VMs with YARA scanning, Suricata network detection, and detailed HTML/JSON reporting.
Platform Support
Tags
al-khaser only
CAPEv2 only