
CAPEv2 vs FakeNet-NG

GitHub Stats

            CAPEv2      FakeNet-NG
Stars       3.2k        2.1k
Forks       562         380
Issues      46          82
Updated     today       25d ago
License     -           Apache-2.0
Language    Python      Python

About CAPEv2

CAPEv2 (Config And Payload Extraction) is an open-source malware analysis sandbox that grew out of Cuckoo Sandbox. It detonates samples in instrumented virtual machines and records their behaviour: API calls, network traffic, dropped files, registry changes, and process trees. Its distinguishing feature is automated payload and configuration extraction: because it dumps unpacked payloads and injected code from memory during the run, its parsers can recover C2 addresses, encryption keys, and embedded payloads from 200+ malware families (Emotet, TrickBot, QakBot, Cobalt Strike, etc.) even when the sample on disk is packed. The host runs on Linux; the analysis VMs can be Windows, Linux, or Android. YARA scanning, Suricata network detection, and detailed HTML/JSON reports are built in.
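The JSON report is what most pipelines actually consume, so the block below shows one way to work with it. It is an added example by this editor, not code from the page or from the CAPEv2 project: it walks a constructed report fragment in the Cuckoo-derived layout as this editor knows it (sections network, behavior, dropped, and CAPE.configs; the exact field names are an assumption and must be checked against a report.json from your own CAPE version), pulls out the network and config IOCs, and runs a small detection over the logged API calls for remote-thread injection. The hostname, addresses, pids and hash in the sample are constructed.

```python
import json

# Constructed CAPE-style report fragment. The section names (network, behavior,
# dropped, CAPE.configs) and the call/argument layout are this editor's
# assumption about the Cuckoo-derived JSON; check them against a report.json
# produced by your own CAPEv2 deployment before relying on them.
SAMPLE_REPORT = json.loads(r'''
{
  "info": {"id": 1001, "package": "exe"},
  "network": {
    "dns": [{"request": "c2.example.invalid",
             "answers": [{"type": "A", "data": "10.0.0.5"}]}],
    "http": [{"method": "POST", "host": "c2.example.invalid",
              "uri": "http://c2.example.invalid/gate.php",
              "user-agent": "Mozilla/4.0"}]
  },
  "behavior": {
    "processes": [
      {"process_id": 1234, "process_name": "sample.exe", "calls": [
        {"api": "OpenProcess", "return": "0x1c8",
         "arguments": [{"name": "ProcessId", "value": "4321"}]},
        {"api": "WriteProcessMemory",
         "arguments": [{"name": "ProcessHandle", "value": "0x1c8"},
                       {"name": "BaseAddress", "value": "0x400000"}]},
        {"api": "CreateRemoteThread",
         "arguments": [{"name": "ProcessHandle", "value": "0x1c8"}]}
      ]},
      {"process_id": 4321, "process_name": "explorer.exe", "calls": []}
    ]
  },
  "dropped": [{"name": "update.dll",
               "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}],
  "CAPE": {"configs": [{"Emotet": {"address": ["10.0.0.5:8080", "198.51.100.7:443"]}}]}
}
''')


def extract_iocs(report):
    """Collect DNS names, HTTP URLs, extracted C2 endpoints and dropped-file
    hashes from a CAPE-style report dict."""
    net = report.get("network", {})
    iocs = {
        "dns": sorted({q["request"] for q in net.get("dns", [])}),
        "urls": sorted({h["uri"] for h in net.get("http", [])}),
        "c2": [],
        "dropped": [(d["name"], d["sha256"]) for d in report.get("dropped", [])],
    }
    # Each configs entry is {family: parsed_config}; the field that holds C2
    # endpoints is family-specific, "address" is what the constructed sample uses.
    for entry in report.get("CAPE", {}).get("configs", []):
        for family, cfg in entry.items():
            for addr in cfg.get("address", []):
                iocs["c2"].append((family, addr))
    return iocs


def find_remote_injection(report):
    """Flag classic remote-thread injection: a handle obtained with
    OpenProcess on another pid, written with WriteProcessMemory, then used in
    CreateRemoteThread. Returns [(injector_pid, target_pid), ...]."""
    hits = []
    for proc in report.get("behavior", {}).get("processes", []):
        handle_to_pid, written = {}, set()
        for call in proc.get("calls", []):
            args = {a["name"]: a["value"] for a in call.get("arguments", [])}
            api = call.get("api")
            if api == "OpenProcess" and "return" in call:
                handle_to_pid[call["return"]] = int(args.get("ProcessId", 0))
            elif api == "WriteProcessMemory":
                written.add(args.get("ProcessHandle"))
            elif api == "CreateRemoteThread" and args.get("ProcessHandle") in written:
                target = handle_to_pid.get(args["ProcessHandle"])
                if target and target != proc["process_id"]:
                    hits.append((proc["process_id"], target))
    return hits


if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE_REPORT), indent=2))
    print("injection:", find_remote_injection(SAMPLE_REPORT))
```

The injection check deliberately keys on the handle rather than on the API names alone: a process that calls WriteProcessMemory on its own handle is not injecting, and CAPE's own signatures make the same distinction. Treat the output as a starting point for triage, not as a verdict; the extracted config is usually the more reliable IOC source because it comes from the unpacked payload rather than from observed traffic.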

About FakeNet-NG

FakeNet-NG is a dynamic network analysis tool for malware analysis on Windows and Linux, maintained by Mandiant's FLARE team. It intercepts all outbound network traffic from the analysis machine and redirects it to local listeners that impersonate real internet services (HTTP, HTTPS, DNS, SMTP, FTP, IRC, and custom protocols), so the analyst sees C2 check-ins, download URLs, exfiltration attempts, and protocol patterns without giving the sample any real internet connectivity. It supports TLS interception with its own certificate, custom response scripts, and integration with other analysis tools. Because diversion happens below the application layer (the WinDivert driver on Windows, netfilter rules on Linux), traffic from every process is captured at once, not only from the process under a debugger.
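How a fake service answers a sample's traffic, as an added example by this editor that is not FakeNet-NG's own code and not from the page: a minimal DNS sinkhole in Python in the spirit of FakeNet-NG's DNS listener. It parses the query on the wire, logs the requested name (the IOC the analyst wants) and answers with the analysis host's address so the sample's next connection lands on a local listener. The hostname and sinkhole address are constructed for the demo; the real listener handles far more (other record types, per-name answers, the configuration file) than this sketch.

```python
import socket
import struct
import threading

# Constructed setting: every name resolves to the analysis host, which is what
# FakeNet-NG's DNS listener does so that the sample's next connection lands on
# a local fake service instead of the real C2.
SINKHOLE_IP = "127.0.0.1"


def parse_qname(packet, offset):
    """Decode an uncompressed DNS name at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(name, txid=0x1234):
    """Build a recursion-desired A/IN query for name (the client side)."""
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def build_response(query, answer_ip, ttl=60):
    """Answer the single question in query with one A record for answer_ip.
    Non-A questions get an empty NOERROR reply instead of a forged record.
    Returns (queried_name, response_bytes)."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("only single-question queries are handled")
    name, offset = parse_qname(query, 12)
    qtype, qclass = struct.unpack("!HH", query[offset:offset + 4])
    question = query[12:offset + 4]
    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080   # QR=1, RD copied, RA=1, RCODE=0
    if qtype != 1 or qclass != 1:
        return name, struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0) + question
    answer = (b"\xc0\x0c"                             # name pointer to offset 12
              + struct.pack("!HHIH", 1, 1, ttl, 4)    # A, IN, TTL, RDLENGTH
              + socket.inet_aton(answer_ip))
    return name, struct.pack("!HHHHHH", txid, resp_flags, 1, 1, 0, 0) + question + answer


def parse_answer_ip(response):
    """Return the IPv4 from the first answer record, or None if there is none."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    _, offset = parse_qname(response, 12)
    offset += 4 + 2                                   # QTYPE/QCLASS, then the name pointer
    rdlen = struct.unpack("!HHIH", response[offset:offset + 10])[3]
    offset += 10
    return socket.inet_ntoa(response[offset:offset + rdlen])


def serve_one(sock, answer_ip, seen):
    """Server side: handle one datagram, log the name, send the sinkhole answer.
    A real listener loops here and keeps the log for the report."""
    data, peer = sock.recvfrom(512)
    name, reply = build_response(data, answer_ip)
    seen.append(name)
    sock.sendto(reply, peer)


def resolve(server_addr, name, timeout=2.0):
    """Client side: send an A query to server_addr, return the answered IPv4."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), server_addr)
        data, _ = s.recvfrom(512)
    return parse_answer_ip(data)


def demo():
    """Run the sinkhole on an ephemeral loopback port, resolve a constructed
    C2 hostname through it and return (answered_ip, logged_names)."""
    seen = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    worker = threading.Thread(target=serve_one, args=(srv, SINKHOLE_IP, seen), daemon=True)
    worker.start()
    try:
        ip = resolve(srv.getsockname(), "c2.example.invalid")
        worker.join(2.0)
        return ip, seen
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())   # ('127.0.0.1', ['c2.example.invalid'])
```

Run it with python3 and it prints the answered address and the logged name. Two details carry over to real deployments: the response must echo the transaction ID and question exactly or the resolver discards it, and record types you do not fake should get an empty NOERROR reply rather than a forged A record, which keeps the behaviour closer to a real resolver. On a real analysis host the listener sits on port 53 and the diverter, not the sample, is what steers the traffic there.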

Platform Support

CAPEv2: 🐧 Linux
FakeNet-NG: 🐧 Linux, 🪟 Windows

Tags

CAPEv2 only

malware-sandbox, behavioral-analysis, config-extraction, automated-analysis, detonation

FakeNet-NG only

malware-analysis, network-simulation, dynamic-analysis, c2-capture, mandiant