Overview
CAPEv2, commonly referred to as CAPESandbox, is an open-source, automated malware analysis system that builds upon the foundational architecture of Cuckoo Sandbox. It specializes in dynamic analysis, executing suspicious files within isolated virtual environments to observe their behavior, identify malicious activities, and extract critical threat intelligence. This platform is designed to provide detailed insights into how malware operates, including API calls, network communications, file system modifications, and process injections, without risking host systems.
The system is particularly beneficial for security researchers, threat intelligence teams, and incident response professionals who require a controlled environment to analyze unknown or suspected malicious samples. CAPESandbox's core functionality revolves around its ability to simulate various operating system environments and configurations, allowing for a comprehensive analysis of malware designed to target specific systems or exploit particular vulnerabilities. Its modular design supports extensive customization, enabling users to tailor analysis environments to mimic production systems or to trigger specific malware behaviors that might otherwise remain dormant.
Beyond basic execution, CAPESandbox focuses on enriching analysis results by integrating with various tools and techniques for deeper introspection. This includes memory forensics, network traffic capture and analysis, and the automatic extraction of indicators of compromise (IOCs) such as dropped files, registry keys, mutexes, and command-and-control (C2) server addresses. The platform's API facilitates programmatic interaction, allowing for the automation of sample submission, retrieval of analysis reports, and integration into existing security workflows, contributing to more efficient threat detection and response processes. Its open-source nature fosters community contributions, ensuring continuous development and adaptation to new malware threats, similar to other community-driven security tools like Wireshark for network protocol analysis.
CAPESandbox is positioned as a critical tool in the arsenal against evolving cyber threats, offering a robust and flexible solution for understanding malware behavior. Its design prioritizes customizability and extensibility, which are essential for addressing the diverse and sophisticated tactics employed by threat actors. By providing a comprehensive view of malware's operational characteristics, CAPESandbox assists organizations in strengthening their defensive postures and proactively mitigating risks.
Key features
- Dynamic Malware Analysis: Executes suspicious files (executables, documents, scripts, URLs) in isolated virtual machines to observe their runtime behavior and interactions with the system (CAPESandbox Analysis Documentation).
- Customizable Sandbox Environments: Allows users to define and configure virtual machine environments, including operating system versions, installed software, network settings, and user behaviors, to accurately simulate target environments and trigger specific malware actions.
- Extensive Information Extraction: Automatically extracts critical indicators of compromise (IOCs), such as network connections, API calls, dropped files, registry modifications, mutexes, and process actions.
- Threat Intelligence Generation: Produces detailed analysis reports that include behavioral logs, network captures (PCAPs), memory dumps, screenshots, and extracted artifacts, aiding in the generation of actionable threat intelligence.
- Modular Architecture: Built on a modular plugin system that supports custom analysis modules, reporting formats, and integrations with external security tools.
- API for Automation: Provides a RESTful API for programmatic submission of samples, management of analysis tasks, and retrieval of comprehensive analysis results, enabling integration with security orchestration, automation, and response (SOAR) platforms (CAPESandbox API Reference).
- Support for Various File Types: Capable of analyzing a wide range of file formats, including Windows executables, DLLs, Office documents, PDFs, scripts (PowerShell, VBScript, JavaScript), and URLs.
- Open-Source and Community-Driven: As an open-source project, CAPESandbox benefits from community contributions, ensuring continuous development, bug fixes, and adaptation to new threat vectors.
Pricing
CAPESandbox is distributed as open-source software, meaning the core platform is available for free. Costs may be associated with deployment, maintenance, and custom development or commercial support offerings provided by third-party vendors or integrators.
| Offering | Description | Cost | As of Date |
|---|---|---|---|
| CAPESandbox Core | Open-source software for automated malware analysis, including all core features and community support. | Free | 2026-05-28 |
| Commercial Support/Integrations | May be offered by third-party vendors or consultants for deployment, customization, and enterprise-level support. | Variable (contact providers) | 2026-05-28 |
Common integrations
- Threat Intelligence Platforms: Integrates with platforms like MISP (Malware Information Sharing Platform) for sharing and consuming threat intelligence, enhancing collaborative security efforts.
- Security Information and Event Management (SIEM) Systems: Analysis reports and extracted IOCs can be fed into SIEMs (e.g., Splunk, Elastic SIEM) for centralized logging, correlation, and alerting.
- Security Orchestration, Automation, and Response (SOAR) Platforms: The CAPESandbox API allows for automated sample submission and result retrieval, enabling integration into SOAR playbooks for automated incident response workflows.
- Endpoint Detection and Response (EDR) Solutions: Can complement EDR systems by providing deeper behavioral analysis of suspicious files detected on endpoints.
- Network Security Tools: Network captures (PCAPs) generated during analysis can be further analyzed by network intrusion detection/prevention systems or traffic analysis tools.
- VirusTotal: CAPESandbox can submit samples or hashes to VirusTotal for additional static analysis and community insights, providing a broader context for threat assessment (VirusTotal homepage).
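The SIEM bullet above leaves open what "feeding extracted IOCs into a SIEM" looks like in practice. The following is an added example, not code from CAPESandbox or from this page: it flattens a CAPE-style analysis report into deduplicated indicator records tagged with the task id and score, drops addresses from the sandbox's own internal ranges, and serialises the result as JSON lines, the form most SIEM ingest pipelines accept. The report fragment is constructed, and the field names it reads (info.id, info.score, target.file.sha256, network.hosts, network.domains, behavior.summary.mutexes, behavior.summary.files, dropped[].sha256) are assumptions to be checked against a report from your own instance.

```python
import ipaddress
import json

# Internal ranges that are noise in a sandbox (the VM's own network, loopback,
# link-local): hosts inside them are dropped rather than shipped as indicators.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample report fragment shaped like a CAPE analysis report; only the
# fields the extractor reads are present. Hashes are placeholders, not real IoCs,
# and the public IP comes from the RFC 5737 documentation range.
SAMPLE_REPORT = {
    "info": {"id": 42, "score": 8.5},
    "target": {"file": {"name": "invoice.exe", "sha256": "0" * 64}},
    "network": {
        "hosts": [{"ip": "10.0.0.5"}, {"ip": "198.51.100.23"}, {"ip": "198.51.100.23"}],
        "domains": [{"domain": "update.example.net", "ip": "198.51.100.23"}],
    },
    "behavior": {"summary": {"mutexes": ["Global\\ExampleMutex"],
                             "files": ["C:\\Users\\Public\\stage2.dll"]}},
    "dropped": [{"name": "stage2.dll", "sha256": "1" * 64, "size": 2048}],
}


def is_local(ip_text):
    """True for addresses inside LOCAL_NETS, and for strings that do not parse as an IP."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return any(ip in net for net in LOCAL_NETS)


def extract_iocs(report):
    """Flatten a CAPE-style report into deduplicated {type, value} indicator records.
    Every record carries the task id and score so the SIEM can correlate and weight it."""
    info = report.get("info", {})
    base = {"task_id": info.get("id"), "score": info.get("score")}
    seen = set()
    records = []

    def add(ioc_type, value, **extra):
        # Skip empty values and exact repeats (CAPE reports often list a host several times).
        if not value or (ioc_type, value) in seen:
            return
        seen.add((ioc_type, value))
        records.append({**base, "type": ioc_type, "value": value, **extra})

    target = report.get("target", {}).get("file", {})
    add("sha256", target.get("sha256"), name=target.get("name"), role="submitted")

    network = report.get("network", {})
    for host in network.get("hosts", []):
        if not is_local(host.get("ip", "")):
            add("ip", host["ip"])
    for dom in network.get("domains", []):
        add("domain", dom.get("domain"))
        if not is_local(dom.get("ip", "")):
            add("ip", dom["ip"])

    summary = report.get("behavior", {}).get("summary", {})
    for mutex in summary.get("mutexes", []):
        add("mutex", mutex)
    for path in summary.get("files", []):
        add("file_path", path)

    for dropped in report.get("dropped", []):
        add("sha256", dropped.get("sha256"), name=dropped.get("name"), role="dropped")

    return records


def to_jsonl(records):
    """One JSON object per line; sorted keys keep the output stable for diffing and dedup."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    print(to_jsonl(extract_iocs(SAMPLE_REPORT)))
```

Run against the constructed report this yields six records: the submitted file's hash, one public IP (the private host is dropped and the repeated one collapsed), the contacted domain, the mutex, the written file path and the dropped file's hash. Type-prefixed deduplication matters because a SIEM correlation rule that fires per indicator would otherwise raise one alert per duplicate line in the report.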
Alternatives
- Cuckoo Sandbox: The foundational project from which CAPESandbox forked, offering similar dynamic analysis capabilities and a strong open-source community.
- Any.Run: A cloud-based interactive malware analysis service that allows users to interact with malware in real-time within a virtual machine.
- VirusTotal: A Google-owned service that aggregates multiple antivirus engines and online scan services to check for viruses and other malware, primarily for static analysis and community threat intelligence.
- Hybrid Analysis (by CrowdStrike): A free online service that performs hybrid analysis (static and dynamic) of files and URLs, providing detailed reports and threat intelligence.
- VMRay Analyzer: A commercial malware analysis solution known for its agentless monitoring approach and advanced evasion detection capabilities.
Getting started
To interact with CAPESandbox programmatically, you can use its RESTful API. The following Python example demonstrates how to submit a file for analysis and then retrieve the results. This assumes CAPESandbox is running and accessible via its API endpoint.
First, ensure you have the requests library installed (pip install requests).
```python
import json
import os
import time

import requests

# Configuration: confirm these endpoint paths and the JSON keys used below against
# the API documentation of your own CAPE instance, as they vary between versions.
CAPE_API_URL = "http://127.0.0.1:8000/api/tasks/create/file/"
CAPE_RESULT_URL = "http://127.0.0.1:8000/api/tasks/report/{task_id}/"

# Replace with the actual path to your malware sample (the demo below uses a dummy file instead)
SAMPLE_PATH = "/path/to/your/malware_sample.exe"

POLL_INTERVAL = 30   # seconds between status checks
MAX_WAIT = 30 * 60   # give up after 30 minutes instead of polling forever


def submit_sample(file_path):
    """Submits a file to CAPESandbox for analysis and returns its task ID (None on failure)."""
    print(f"Submitting file: {file_path}")
    with open(file_path, 'rb') as sample_file:
        files = {'file': (os.path.basename(file_path), sample_file, 'application/octet-stream')}
        # You can add options like 'package', 'priority', 'timeout' here
        data = {'package': 'exe'}
        try:
            # TLS verification is left at its default (enabled) should you switch to https;
            # the timeout keeps a stalled server from hanging the script.
            response = requests.post(CAPE_API_URL, files=files, data=data, timeout=60)
            response.raise_for_status()  # Raise an exception for HTTP errors
            task_id = response.json()['task_id']
            print(f"File submitted successfully. Task ID: {task_id}")
            return task_id
        except (requests.exceptions.RequestException, KeyError, ValueError) as e:
            print(f"Error submitting file: {e}")
            return None


def get_analysis_results(task_id):
    """Polls CAPESandbox until the analysis for task_id is complete, then returns the report."""
    print(f"Polling for results for Task ID: {task_id}")
    deadline = time.monotonic() + MAX_WAIT
    while time.monotonic() < deadline:
        try:
            response = requests.get(CAPE_RESULT_URL.format(task_id=task_id), timeout=60)
            response.raise_for_status()
            results = response.json()
        except requests.exceptions.RequestException as e:
            print(f"Error retrieving results: {e}")
            return None
        except json.JSONDecodeError:
            print("Failed to decode JSON response, server might be busy or returned an invalid response.")
            time.sleep(POLL_INTERVAL)
            continue

        # Check if analysis is complete
        status = results.get('status')
        if status == 'completed':
            print("Analysis completed.")
            return results
        elif status in ('pending', 'running'):
            print(f"Analysis still in progress... waiting {POLL_INTERVAL} seconds.")
            time.sleep(POLL_INTERVAL)
        else:
            print(f"Unexpected task status: {status}")
            return None

    print(f"Gave up waiting after {MAX_WAIT} seconds.")
    return None


if __name__ == "__main__":
    # !!! IMPORTANT: Replace with a safe, non-malicious file for testing if you don't have a sandbox setup !!!
    # For example, a benign text file or a known safe executable.
    # NEVER use actual malware on a system not specifically designed and isolated for it.
    # This example assumes a controlled environment.

    # Create a dummy file for demonstration purposes
    dummy_malware_path = "./dummy_sample.txt"
    with open(dummy_malware_path, "w") as f:
        f.write("This is a dummy file for CAPESandbox testing.\n")

    try:
        task_id = submit_sample(dummy_malware_path)
        if task_id:
            results = get_analysis_results(task_id)
            if results:
                print("\n--- Analysis Report Summary ---")
                # Example: Print some key findings
                score = results.get('info', {}).get('score')
                if score is not None:
                    print(f"Malware Score: {score}")
                summary = results.get('behavior', {}).get('summary')
                if summary:
                    print("Behavioral Summary:")
                    # In CAPE reports the summary is a dict of categories (files, keys, mutexes, ...);
                    # a plain list is handled too in case the deployed version differs.
                    entries = summary.items() if isinstance(summary, dict) else enumerate(summary)
                    for key, value in list(entries)[:3]:  # Show first 3 summary entries
                        print(f"- {key}: {value}")
                report_url = CAPE_RESULT_URL.format(task_id=task_id).replace('/api/tasks/report/', '/analysis/')
                print(f"Full report available at: {report_url}")
            else:
                print("Failed to get analysis results.")
        else:
            print("Failed to submit sample.")
    finally:
        # Clean up dummy file
        os.remove(dummy_malware_path)
```
This Python script first defines functions to submit a file to the CAPESandbox API and then to poll for its analysis results. The submit_sample function sends a file via a POST request, while get_analysis_results periodically checks the status of the analysis task until it's completed. The main block demonstrates how to use these functions, creating a dummy file for safe testing. In a real-world scenario, SAMPLE_PATH would point to the actual suspicious file. Always ensure that any malware analysis is performed in a completely isolated and secure environment to prevent contamination of production systems.