CAPA for Triage Malware Analysis

Naufal Arkaan
MII Cyber Security Consulting Services
2 min read · Dec 3, 2023

What is Capa?

According to Mandiant, capa is an open-source tool for analyzing malicious programs. It provides a framework for the community to encode, recognize, and share behaviors seen in malware. capa detects capabilities in executable files: it can run against a PE, ELF, .NET module, or shellcode file and reports what it thinks the program can do, which makes it well suited to the initial stage of malware analysis. To identify these capabilities, capa ships with a set of rules (capa rules), modeled on YARA, that help the analyst understand what a program may be able to do.

Dirty Session

1. First, extract capa and the malware sample (the archive password is: infected).
capa and malware extracted

2. Now I want to analyze the malware with capa. The malware file is named af93184558add5c5f7c3551e94f2fbecde5aeba5141be7d29f4577b67551a35a.exe and sits in the malware folder; capa runs against it and finishes quickly with the command:

capa malware/af93184558add5c5f7c3551e94f2fbecde5aeba5141be7d29f4577b67551a35a.exe

CAPA MITRE ATT&CK

As you can see, the result contains the file hashes, the attack techniques mapped to MITRE ATT&CK, and the capabilities of the malware itself.

You can get detailed information on the identified capabilities, and see exactly which capa rules triggered on this malware, by adding the very verbose flag:

capa malware/af93184558add5c5f7c3551e94f2fbecde5aeba5141be7d29f4577b67551a35a.exe -vv

Capa detailed information about malware
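The default and -vv output above is meant to be read by a person. For triage of more than a handful of samples, the same information is easier to consume from capa's JSON report (capa -j). The following script is an added example, not code from the original post or from the capa project: it parses a capa JSON report, lists each matched capability with its namespace and match count, collects the ATT&CK techniques, and flags the namespaces a responder would normally want to look at first. The embedded report is a constructed sample (made-up rule names, addresses and hash), and the field layout it assumes (meta.sample, rules -> meta.namespace/attack, matches) follows capa's JSON output as I understand it and may differ between capa versions.

```python
"""Summarise a capa JSON report (capa -j) for quick triage."""
import json
import sys
from collections import Counter

# Constructed sample in the shape of capa's JSON report (capa -j <file>).
# Rule names, addresses and the hash are made up; the field layout
# (meta.sample, rules -> meta.namespace/attack, matches) is an assumption
# based on capa's JSON output and may differ between capa versions.
SAMPLE_CAPA_JSON = r'''
{
  "meta": {
    "sample": {"sha256": "placeholder_sha256_of_sample"},
    "analysis": {"format": "pe", "arch": "amd64", "os": "windows"}
  },
  "rules": {
    "encrypt data using RC4 PRGA": {
      "meta": {"name": "encrypt data using RC4 PRGA",
               "namespace": "data-manipulation/encryption/rc4",
               "attack": []},
      "matches": [[{"type": "absolute", "value": 4198400}, {}],
                  [{"type": "absolute", "value": 4202496}, {}]]
    },
    "check for debugger via IsDebuggerPresent": {
      "meta": {"name": "check for debugger via IsDebuggerPresent",
               "namespace": "anti-analysis/anti-debugging/debugger-detection",
               "attack": [{"tactic": "Defense Evasion", "technique": "Debugger Evasion",
                           "subtechnique": "", "id": "T1622"}]},
      "matches": [[{"type": "absolute", "value": 4206592}, {}]]
    },
    "persist via Run registry key": {
      "meta": {"name": "persist via Run registry key",
               "namespace": "persistence/registry/run",
               "attack": [{"tactic": "Persistence",
                           "technique": "Boot or Logon Autostart Execution",
                           "subtechnique": "Registry Run Keys / Startup Folder",
                           "id": "T1547.001"}]},
      "matches": [[{"type": "absolute", "value": 4210688}, {}]]
    }
  }
}
'''

# Namespace prefixes that usually deserve a closer look during triage.
HIGH_INTEREST = ("anti-analysis", "persistence", "communication",
                 "host-interaction/process/inject", "impact")


def load_report(text):
    """Parse a capa JSON report; reject documents without a 'rules' object."""
    report = json.loads(text)
    if not isinstance(report, dict) or not isinstance(report.get("rules"), dict):
        raise ValueError("not a capa JSON report: missing 'rules' object")
    return report


def format_attack(entry):
    """Render one ATT&CK entry as 'Tactic::Technique[::Sub] [Txxxx]'."""
    parts = [entry.get("tactic"), entry.get("technique"), entry.get("subtechnique")]
    return "::".join(p for p in parts if p) + " [%s]" % entry.get("id", "?")


def summarize(report):
    """Collapse the report into hash, capabilities, ATT&CK ids and namespace counts."""
    capabilities, attack, namespaces = [], set(), Counter()
    for name, rule in report["rules"].items():
        meta = rule.get("meta", {})
        ns = meta.get("namespace", "")
        capabilities.append({"name": name, "namespace": ns,
                             "matches": len(rule.get("matches", []))})
        namespaces[ns.split("/")[0]] += 1          # bucket by top-level namespace
        attack.update(format_attack(e) for e in meta.get("attack", []))
    return {"sha256": report.get("meta", {}).get("sample", {}).get("sha256"),
            "capabilities": sorted(capabilities, key=lambda c: c["namespace"]),
            "attack": sorted(attack),
            "namespaces": namespaces}


def high_interest(summary):
    """Names of capabilities whose namespace starts with a high-interest prefix."""
    return [c["name"] for c in summary["capabilities"]
            if c["namespace"].startswith(HIGH_INTEREST)]


if __name__ == "__main__":
    # Usage: python capa_triage.py [report.json]; falls back to the built-in sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPA_JSON
    s = summarize(load_report(text))
    print("sha256:", s["sha256"])
    for cap in s["capabilities"]:
        print("  %-50s %s (x%d)" % (cap["namespace"], cap["name"], cap["matches"]))
    print("ATT&CK:", "; ".join(s["attack"]))
    print("look closer:", high_interest(s))
```

Run it as python capa_triage.py report.json after producing report.json with capa -j; without an argument it summarises the built-in sample. Grouping by top-level namespace and pulling the ATT&CK ids out first gives a one-screen picture that is easy to compare across samples or to attach to a ticket, which is the part of capa's output that matters most at the triage stage.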

Check the help output for more capa options:

capa -h

Capa capabilities

VirusTotal detection for this malware: https://www.virustotal.com/gui/file/af93184558add5c5f7c3551e94f2fbecde5aeba5141be7d29f4577b67551a35a/detection

Lockbit Malware VirusTotal Detection

capa helps with the initial analysis of suspicious files, and its output provides valuable information for forensic analysts, incident responders, and reverse engineers.

That’s all for now, Thank you and Stay Secure!
