Explore

Installing CAPEv2 at KULeuven

Last edited 27 seconds ago by Lorenzo Marogna.

In this document I noted down all commands I used for installing CAPEv2 on an Ubuntu 22.04 LTS host with a Windows 10 guest system. In my setup, a student account on OpenStack was provided, from which I was able to launch different Ubuntu VMs with different flavors. I recommend to provide a flavor that supports a Windows VM running on top of Ubuntu for the configuration phase. I personally managed to have the system configured with 8Gb RAM and 4 VCPU (note that only half of these resources can actually be destinated to windows, which will then be really slow but apparently doable). Please use a volume of at least 100 GB, you will need about 50 GB only for windows.

Unfortunately, the installation of CAPE is not easy. Even following this or any other guide online thoroughly, you might (and probably will) encounter problems. Basic linux experience is expected. In case of not found commands, you can install them with the package manager, but you might need to fix some conflicts with installations performed by the scripts provided by CAPE. ChatGPT help was enough for me to eventually solve these problems.

The main source for installation problems and overview is the official

CAPEv2 documentation⁠

A good overview to follow is also

https://endsec.au/blog/building-an-automated-malware-sandbox-using-cape/⁠

, which gives less things for granted.

Preparing the Host

$ mkdir capeInstallation

$ cd capeInstallation

Download KVM script

$ wget https://raw.githubusercontent.com/kevoreilly/CAPEv2/refs/heads/master/installer/kvm-qemu.sh

Replace the ‘<WOOT>’ occurrences within the script itself with real hardware patterns.

$ sudo apt update

$ sudo apt install acpica-tools # contains necessary commands like acpidump and acpixtract

$ sudo acpidump > acpidump.out

$ acpixtract -a acpidump.out

$ iasl -d dsdt.dat

$ cat dsdt.dsl | grep DSDT

>>> Signature "DSDT"

>>> DefinitionBlock ("", "DSDT", 1, "BOCHS ", "BXPC ", 0x00000001)

# BXPC is the hardware pattern that I want to use next, change it with your pattern if different.

$ sed -i 's/<WOOT>/BXPC/g' kvm-qemu.sh

In order to install KVM itself, execute the following command:

$ sudo chmod a+x kvm-qemu.sh

$ sudo ./kvm-qemu.sh all ubuntu | tee kvm-qemu.log

# It might take a while to complete

(Reboot after installation)

$ sudo reboot

Install Virtual Machine Manager

$ cd capeInstallation

$ sudo ./kvm-qemu.sh virtmanager ubuntu | tee kvm-qemu-virt-manager.log

# It might take a while to complete

(Reboot after installation)

$ sudo reboot

Download CAPE script

$ cd capeInstallation

$ wget

https://raw.githubusercontent.com/kevoreilly/CAPEv2/refs/heads/master/installer/cape2.sh⁠⁠⁠

⁠

Install CAPE

$ sudo chmod a+x cape2.sh

$ sudo ./cape2.sh all cape | tee cape.log

# It might take a while to complete

You will find the installation of cape in /opt/CAPEv2 .

(Reboot after installation)

$ sudo reboot

Install dependencies

$ cd /opt/CAPEv2

$ poetry install

$ poetry env list

>>> capev2-t2x27zRb-py3.10 (Activated)

Run everything from poetry environment with Cape user:

$ sudo -u cape poetry run python3 cuckoo.py

This is the official command provided in the documentation. In case of error poetry: command not found , find the executable path

$ whereis poetry

>>> poetry: /etc/poetry /etc/poetry/bin/poetry

$ sudo -u cape /etc/poetry/bin/poetry run python3 cuckoo.py

For now, running

cuckoo.py⁠

will anyway give errors, because no window VM is currently running and the configuration files are not modified yet. For now, if the command sudo -u cape /etc/poetry/bin/poetry env list works, you can move on to prepare the guest.

MongoDB installation

Some people experienced problems to run the CAPE API withouth mongodb installed. If you experience problems, install MongoDB on your host machine:

https://www.mongodb.com/docs/manual/tutorial/install-mongodb-on-ubuntu/⁠

⁠

Preparing the Guest

Creation of the Virtual Machine

$ mkdir ~/vm

$ cd ~/vm

Download Windows 10 21H2 ISO:

$ wget https://archive.org/download/windows-10-english-21h2/Win10_21H2_English_x64.iso

Check the correctness of the download:

$ sha256sum Win10_21H2_English_x64.iso

>>> (7f6538f0eb33c30f0a5cbbf2f39973d4c8dea0d64f69bd18e406012f17a8234f)

$ mv Win10_21H2_English_x64.iso windows10.iso

Choose a hard drive image format that supports snapshots, such as QCOW2

$ sudo apt install qemu-utils

$ sudo qemu-img create -f qcow2 windows10.qcow2 50G

This will create a disk partition windows10.qcow2 in which you will be able to install the Windows OS windows10.iso .

The following command launches the Windows VM:

⁠

virtLaunch.sh

905 B

⁠

(You can create an empty file with touch virtLaunch.sh , open it with vim and paste the content)

$ sudo systemctl start libvirtd

$ sudo bash virtLaunch.sh

Context

libvirtd is a service running on ubuntu for virtualization. It is used by both virt-install and virsh, so it needs to be running when you use them in a command like in virtLaunch.sh . You can operate on this kind of services using the systemctl command:

$ sudo systemctl start libvirtd (starts the service libvirtd)

$ sudo systemctl restart libvirtd

$ sudo systemctl status libvirtd (it also provides the logs of errors and warning when virsh or virt-install tried to use libvirtd).

Error Host does not support any virtualization options

Check with $ sudo systemctl status libvirtd what the error is. I was receiving the following error message invalid argument: could not find capabilities for arch=x86_64.

Some errors in the scripts provided by cape are present at the time I am writing this (22/05/2025). It was necessary for me to install the following:

$ sudo apt install qemu-system-x86

and restart the libvirtd service:

$ sudo systemctl restart libvirtd

If the command succeeds, you’ll see the following:

Starting install...

Creating domain... | 00:00:00

Domain is still running. Installation may be in progress.

You can reconnect to the console to complete the installation process.

For managing your VM, these will be the commands that you’ll use the most:

$ virsh list —all

If it’s empty, also try $ virsh -c qemu:///system list --all

$ virsh start capewin10 # (it’s the name of the VM that you gave in the virtLaunch.sh.

$ virsh reboot capewin10

$ virsh shutdown capewin10

$ virsh destroy capewin10

$ virsh undefine capewin10 (the domain is deleted, you can re-launch virtLaunch.sh)

Installing Windows with cape agent on this Virtual Machine

We will need to have graphical access to the Windows machine, and we can do so using a VNC service.

On my MacOS, I used TigerVNC Viewer

https://tigervnc.org/⁠

. You will then be connecting to localhost:5900.

You also need to forward the connection from the ubuntu VM to your machine.

On my MacOS terminal:

$ ssh -J rXXXXXX@st.cs.kuleuven.be -L 5900:localhost:5900 -N -f ubuntu@XXX.XXX.XXX.XXX

Open VNC viewer and connect to localhost:5900 .

Obscure rebooting of the VM

In case the windows machine goes down unexpectedly (the VNC software just shuts down) you can restart the VM with virsh start capewin10 (or virsh -c qemu:///system start capewin10 if necessary)

install windows ( I don’t have a product key > custom installation , windows 10 Home, UnitedStates, ...). Disable all privacy settings to try and limit the amount of network noise during future analysis.

⁠

⁠

During installation, you might encounter OOBE erros. This worked for me:

https://answers.microsoft.com/en-us/windows/forum/all/windows-10-installer-oobe-errors/dede9cbb-a671-4056-b7dd-266f262557da⁠

⁠

If it’s asking you to use a Microsoft account, ask your supervisors what to do

Install 32 bit Python 3.10.6

https://www.python.org/downloads/release/python-3106/⁠

⁠

On ubuntu, start an http server to pass the file

agent.py⁠

to the windows VM. This file will be responsible for the communication with the CAPE server running on the host machine.

$ hostname -I # obtain the IP address of the current machine.

>>> 172.23.32.73 192.168.123.1

$ cd /opt/CAPEv2/agent

$ python3 -m http.server 8080

On windows, open a browser and navigate to 192.168.123.1:8080. From there you should be able to download the file. If you’re experiencing problems and you want to check wether the connection is working, you can also open windows powershell and use the commands like ping and curl to test the connection with the host machine.

Windows settings

Many options are available here, some of them are more important than others. Refer to the

official documentation⁠

and

this⁠

for suggestions.

Links:

Disable User Account Control

https://support.microsoft.com/en-us/windows/user-account-control-settings-d5b2046b-dcb8-54eb-f732-059f321afe18⁠

⁠

automatic login:

https://answers.microsoft.com/en-us/windows/forum/all/enabling-auto-sign-in-in-windows-10/61754c1c-f915-4f12-9e65-e765f255f2fa⁠

⁠

Set IP to static, manual (remember to set DNS and Gateway to your ubuntu vm ip, in my case 192.168.123.1 . Also note that, differently from tutorials, you might be ask to set the subnet mask length. On the ubuntu VM:

$ sudo apt install net-tools

$ ifconfig

>>> ...

>>> virbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

inet 192.168.123.1 netmask 255.255.255.0 broadcast 192.168.123.255

ether 52:54:00:fe:60:b5 txqueuelen 1000 (Ethernet)

RX packets 0 bytes 0 (0.0 B)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 26 bytes 6851 (6.8 KB)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

>>> ...

Consider the netmask 255.255.255.0 . Converting each number to binary is 11111111.1111111.1111111.00000000. There are 24 ones in a row. 24 is the subnet mask length. Please note that the manual Ip should be in the range of your subnet. In my case, I choose 172.23.32.96 for no real reason. any number between 1 and 255 were perfectly fine alternatives to 96.

Firewall

Assess the correct functioning of the system. Specifically you want the following:

From windows powershell you can ping your host machine ip address.

From ubuntu you can ping the manually set Ip address ( in my case 172.23.32.96 ) of the windows VM.

If you reboot your windows VM (on ubuntu $ virsh reboot capewin10 ) the login is automatic and running curl 172.23.32.96:8000 results in {”message”: “CAPE Agent!”, “version”:”0.17”, “features”: [”execpu”, “execute”, “pinning”, “logs”, “largefile”, “unicodepath”, “mutex”], “is_user_admin”:true} or similar messages that indicate that agent.pyw (or anyway you renamed it) started automatically.

Complete the configuration of windows: at this point, you can decide how to setup your windows VM (e.g. to make it as realistic as possible). For example the author of

https://endsec.au/blog/building-an-automated-malware-sandbox-using-cape/⁠

shows how to install the office suite.

Make snapshot of VM to use this in CAPE:

$ sudo virsh snapshot-create-as --domain "capewin10" --name "static-ip"

Leave the windows machine running.

Configuration

You have to edit

auxiliary.conf⁠

cuckoo.conf⁠

, and

<machinery>.conf⁠

(kvm.conf) at least.

$ cd /opt/CAPEv2

To open a file and being able to modify it, use sudo access ( sudo nano conf/cuckoo.conf or sudo vim conf/cuckoo.conf ).

Cuckoo.conf

For the result server, using virbr0 (default KVM network), the host IP for me was 192.168.123.1. Check with ifconfig or hostname .

[resultserver]

ip = 192.168.123.1 # Change this to your host's IP

port = 2042

force_port = yes

[cuckoo]

memory_dump = on

[timeouts]

default = 300

[Database] (default)

connection = postgresql://cape:SuperPuperSecret@localhost:5432/cape

kvm.conf

[capewin10]

label = capewin10

platform = windows

ip = 192.168.122.196

arch = x86

tags = win10

snapshot = static-ip

routing.conf

[routing]

route = none

Run CAPE

Now everything should be ready for running cape. On ubuntu:

$ cd /opt/CAPEv2

$ sudo -u cape /etc/poetry/bin/poetry run python3 cuckoo.py

Resolve eventual errors until you see [INFO]: Waiting for analysis tasks or similar messages.

Ensure that you have port forwarding enabled on your ubuntu machine (option -L 8000:localhost:8000 when you connect to the VM with ssh ).

⁠

Loading www.jarredkenny.com⁠

⁠

Now you should be able to open your local browser and navigate to localhost:8000 and see the webpage.

You can submit analyses from here, a test file for this could be the following:

⁠

EICAR test fileLast edited: Tue, Mar 11, 2025 The EICAR Anti-Virus Test File or EICAR test file is a computer file that was developed by the European Institute for Computer Antivirus Research (EICAR) and Computer Antivirus Research Organization to test the response of computer antivirus programs. Instead of using real malware, which could cause real damage, this test file allows people to test anti-virus software without having to use a real computer virus. Anti-virus programmers set the EICAR string as a verified virus, similar to other identified signatures. A compliant virus scanner, when detecting the file, will respond in more or less the same manner as if it found a harmful virus. Not all virus scanners are compliant, and may not detect the file even when they are correctly configured. Neither the way in which the file is detected nor the wording with which it is flagged are standardized, and may differ from the way in which real malware is flagged, but should prevent it from executing as long as it meets the strict specification set by EICAR. The use of the EICAR test string can be more versatile than straightforward detection: a file containing the EICAR test string can be compressed or archived, and then the antivirus software can be run to see whether it can detect the test string in the compressed file. Many of the AMTSO Feature Settings Checks are based on the EICAR test string. See more en.wikipedia.org

⁠

eicar.com

69 B

⁠

Preparing the Host

Preparing the Guest

Creation of the Virtual Machine

Installing Windows with cape agent on this Virtual Machine

Want to print your doc?
This is not the way.

Try clicking the ⋯ next to your doc name or using a keyboard shortcut (

CtrlP

) instead.