ENNAENNA

CAPEv2

๐Ÿ’ฅ Exploitation ยท Python

CAPEv2 (Config And Payload Extraction) is an open-source malware analysis sandbox forked from Cuckoo. It automates the process of detonating malware samples in instrumented virtual machines and extracting behavioral data. CAPEv2 captures API calls, network traffic, dropped files, registry changes, and process trees. Its signature feature is automated payload and configuration extraction from 200+ malware families (Emotet, TrickBot, QakBot, Cobalt Strike, etc.), recovering C2 URLs, encryption keys, and injected payloads. It supports Windows, Linux, and Android analysis VMs with YARA scanning, Suricata network detection, and detailed HTML/JSON reporting.

3.2kstars
562forks
46issues
Updated today
+I use this
View on GitHubOfficial Website

Installation

$ git clone https://github.com/kevoreilly/CAPEv2.git && cd CAPEv2 && bash installer/cape2.sh

Use Cases

  • Automated malware detonation and behavior recording
  • Extracting C2 configurations from malware families
  • Generating IOCs from malware network activity
  • Building malware analysis pipelines with API integration

Tags

malware-sandboxbehavioral-analysisconfig-extractionautomated-analysisdetonationcapeconfigsdebugging-toolsmalwaremalware-analysismalware-researchreverse-engineeringsandboxunpacking

Details

Category
๐Ÿ’ฅ Exploitation
Language
Python
Platforms
๐Ÿงlinux

Links

GitHub Repository

github.com/kevoreilly/CAPEv2

Official Website

capev2.readthedocs.io

Releases

github.com/kevoreilly/CAPEv2/releases

Issues

github.com/kevoreilly/CAPEv2/issues

Sponsored

Your ad here

Reach security professionals and developers - ads@en-na.com

Community Reviews

Alternatives & Comparisons

Velociraptor

Go

Endpoint visibility and collection tool. Hunt for artifacts across thousands of endpoints simultaneously.

Compare CAPEv2 vs Velociraptor

IntelOwl

Python

Threat intelligence management platform integrating 100+ analyzers for enriching observables and malware samples.

Compare CAPEv2 vs IntelOwl

FakeNet-NG

Python

Mandiant's dynamic network analysis tool. Simulates internet services to capture malware C2 communications locally.

Compare CAPEv2 vs FakeNet-NG

More in Exploitation

Metasploit Framework

Ruby

The world's most used penetration testing framework. Exploit development, payload delivery, post-exploitation.

exploitpayloadpost-exploitation

BloodHound

Go

Active Directory attack path mapping. Visualizes privilege escalation paths using graph theory.

active-directorygraphprivilege-escalation

Impacket

Python

Collection of Python classes for working with network protocols. Essential for Windows/AD pentesting.

smbactive-directoryprotocol

CrackMapExec

Python

Swiss army knife for pentesting Active Directory. SMB, LDAP, MSSQL, WinRM enumeration and exploitation.

active-directorysmblateral-movement

Evil-WinRM

Ruby

Ultimate WinRM shell for pentesting. Upload/download, in-memory PowerShell, DLL injection, pass-the-hash.

winrmpowershellpass-the-hash

Covenant

C#

.NET C2 framework. Collaborative, web-based interface for red team operations and implant management.

c2red-teamdotnet