- Issues aren't the way to ask for account activation. Ping capesandbox on Twitter with your username.
This is open source and you are getting free support so be friendly!
Prerequisites
Please answer the following questions for yourself before submitting an issue.
Expected Behavior
When running analysis, many files are created by the sample. I expect these files to be captured, saved to files.json, and placed into the files directory.
Current Behavior
In my scenario, files are created and logged, but the associated PID is None. For example:
2026-01-04 01:12:21,482 [root] INFO: Added new file to list with pid None and path C:\Users\JasonT\.cache\pkg\837cb201a460a44d025689218d3b0e588ae3edbcd6ab11f415b147b5331cc843\ref-napi\appveyor.yml
This occurs for all files created by the sample. It seems like CAPEv2 is unable to identify any child processes created by the submitted sample. In addition to failing to associate the files with the sample, these files are not included in files.json and are not present in the files directory. For other samples, dropped files are properly recorded and any sub-processes are recorded.
Steps to Reproduce
Using my setup, simply submit the binary (included in the context section) and wait for analysis and processing to complete. You will see in the report that while many files are accessed and modified (all of which are not present in the clean snapshot of the VM), there are no dropped files reported and there is no way to download the files placed by the sample.
I have not tested on other CAPEv2 instances, so this behavior may be unique to my setup.
Context
I am running Ubuntu 24.04 as the host, and Windows 10 21H2 as the guest. I have installed CAPEv2 on the host via the installer scripts, and I have prepared the guest by removing Windows Defender, disabling Windows Update, and running the choco setup script.
I would be happy to share any relevant config files in full if asked! Collecting dropped files is enabled in the CAPE processing config file, and I have made the maximum file size for uploading and processing very large.
Malware sample zipped, password is just password. You can upload the EXE directly to any CAPEv2 instance for analysis.
Failure Logs
analysis.log
Thanks!
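A quick triage helper for the symptom described in this report, added here as an example and not part of CAPEv2 or the reporter's setup: it parses analysis.log lines in the format quoted above ("Added new file to list with pid ... and path ...") and reports how many file events carry a real PID versus the literal None, so an analyst can tell at a glance whether process tracking failed for the whole run or only for some files. The sample log lines embedded below are constructed for the demonstration (the first one is the line quoted in the issue; the others are made up).

```python
import re
from collections import defaultdict

# Matches the analysis.log line format quoted in the issue. The pid token is
# either an integer or the literal string "None" when CAPE could not attribute
# the file to a monitored process.
FILE_ADDED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<logger>[^\]]+)\] (?P<level>\w+): "
    r"Added new file to list with pid (?P<pid>\S+) and path (?P<path>.+)$"
)


def parse_file_events(lines):
    """Yield (pid, path) for every 'Added new file' line; pid is int or None."""
    for line in lines:
        m = FILE_ADDED_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unrelated log line, skip it
        pid_text = m.group("pid")
        pid = None if pid_text == "None" else int(pid_text)
        yield pid, m.group("path")


def summarize_dropped_files(lines):
    """Group file events by PID and flag runs where no file has a PID at all."""
    by_pid = defaultdict(list)
    orphaned = []
    for pid, path in parse_file_events(lines):
        if pid is None:
            orphaned.append(path)
        else:
            by_pid[pid].append(path)
    total = len(orphaned) + sum(len(v) for v in by_pid.values())
    return {
        "total": total,
        "orphaned": orphaned,
        "by_pid": dict(by_pid),
        # True when every captured file event lacks a PID, i.e. the symptom
        # described in the issue (process tracking failed for the whole run).
        "all_orphaned": total > 0 and len(orphaned) == total,
    }


# Constructed sample log: line 1 is the one quoted in the issue, the rest are
# made-up lines (hypothetical pid 1234 and paths) to exercise both branches.
SAMPLE_LOG = [
    r"2026-01-04 01:12:21,482 [root] INFO: Added new file to list with pid None and path "
    r"C:\Users\JasonT\.cache\pkg\837cb201a460a44d025689218d3b0e588ae3edbcd6ab11f415b147b5331cc843\ref-napi\appveyor.yml",
    r"2026-01-04 01:12:21,490 [root] INFO: Added new file to list with pid None and path "
    r"C:\Users\JasonT\.cache\pkg\example\package.json",
    r"2026-01-04 01:12:22,001 [root] INFO: Added new file to list with pid 1234 and path "
    r"C:\Users\JasonT\AppData\Local\Temp\dropped.dll",
    r"2026-01-04 01:12:22,100 [root] INFO: Some unrelated analyzer message",
]


if __name__ == "__main__":
    summary = summarize_dropped_files(SAMPLE_LOG)
    print(f"file events: {summary['total']}, without pid: {len(summary['orphaned'])}")
    for pid, paths in summary["by_pid"].items():
        print(f"pid {pid}: {len(paths)} file(s)")
    if summary["all_orphaned"]:
        print("every file event lacks a pid: process tracking likely failed for this run")
```

Run it against a real analysis.log with `summarize_dropped_files(open(path, encoding="utf-8", errors="replace"))`; a result with `all_orphaned` set is the pattern this report describes, while a mix of real PIDs and None points at a narrower attribution problem for specific files.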