CAPA: FLARE VM Open Source Tool
Capa is a program that detects malicious capabilities in suspicious programs by using a set of rules. These rules are meant to be as high-level and human readable as possible. For example, Capa will examine a binary, identify an API call or string of interest, and match this piece of information against a rule that is called “receive data” or “connect to a URL”. It translates the technical information in a binary into a simple, human-readable piece of information.
The program’s primary strength is how it leverages rules. Capa has a default rule set, but also has an open-source repository of rules where anyone can contribute.
You can see the Capa rule repository here: https://github.com/mandiant/capa-rules
Let’s learn more about this tool by using it on the binary we’ve already performed static analysis on, Malware.Unknown.exe.malz.
On FlareVM, run capa -h to see the usage menu:
Immediately, we see some boilerplate information about the binary, like its hashes. But then, we get some interesting high-level information about the program.
The first block in the output labeled “ATT&CK Tactic – ATT&CK Technique” is worth examining in depth.
Capa Output
Capa has examined the binary, pulled out interesting information from the binary, matched it against its default rule set, and matched some suspected capabilities to items from the MITRE ATT&CK Framework. We get a match for the ATT&CK item “T1129 – Shared Modules”.
Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API.
This basically means that the malware is loading DLLs to perform malicious activity. That’s not particularly revealing! Let’s keep moving.
Malware Behavioral Catalog (MBC)
The next output is the Malware Behavioral Catalog (MBC) Objectives and Behaviors. This is a similar classification system to MITRE ATT&CK but focuses on malware specifically.
MBC translates MITRE ATT&CK items into terms that focus on the malware analysis use case. So understandably, we do get some useful output from this section:
Here, Capa has identified items of interest in the binary, matched them to rules based on MBC items, and returned the results. We’ve accurately identified that the Malware.Unknown.exe.malz sample has the capability to:
- Send and receive data
- Do so over HTTP
- Create and terminate processes
For a preliminary round of triage, that’s pretty good! But let’s keep going; the best is yet to come.
Capability
The final block identifies Capa rule matches against the default Capa rule set. This is the most specific of the three outputs and gives us the best information for triage:
Like in the MBC output, the Capa rule output identifies that the malware can connect to a URL, send and receive data, and manipulate processes. On the surface, there isn’t much more information here than what we already have. But we do see the number of matches and the namespace for the rules in this output.
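To make the rule idea from the start of this post and the three output blocks above concrete, here is an added example (not capa's own code, and not its real rule syntax) of a miniature matcher in the spirit of capa. The sample feature set and the rules are constructed for illustration; only the T1129 tag comes from the output discussed above.

```python
# Constructed stand-in for a PE import table and strings dump; not real output
# for Malware.Unknown.exe.malz.
SAMPLE_FEATURES = {
    "api": {"wininet.InternetOpenUrlA", "wininet.InternetReadFile",
            "kernel32.CreateProcessA", "kernel32.TerminateProcess",
            "kernel32.LoadLibraryA", "kernel32.GetProcAddress"},
    "string": {"http://", "Mozilla/5.0"},
}

# Hypothetical rules: names, namespaces and tags are illustrative, not copied
# from capa-rules. A rule is a feature tree of and/or/api/string nodes plus metadata.
RULES = [
    {"name": "connect to URL", "namespace": "communication/http/client",
     "attck": ["T1071.001 Web Protocols"], "mbc": ["Communication::HTTP Communication::Connect to URL"],
     "features": {"and": [{"api": "wininet.InternetOpenUrlA"},
                          {"or": [{"string": "http://"}, {"string": "https://"}]}]}},
    {"name": "receive data", "namespace": "communication",
     "attck": [], "mbc": ["Communication::Receive Data"],
     "features": {"or": [{"api": "wininet.InternetReadFile"}, {"api": "ws2_32.recv"}]}},
    {"name": "create process", "namespace": "host-interaction/process/create",
     "attck": [], "mbc": ["Process::Create Process"],
     "features": {"or": [{"api": "kernel32.CreateProcessA"}, {"api": "kernel32.CreateProcessW"}]}},
    {"name": "link function at runtime", "namespace": "linking/runtime-linking",
     "attck": ["T1129 Shared Modules"], "mbc": [],
     "features": {"and": [{"api": "kernel32.LoadLibraryA"}, {"api": "kernel32.GetProcAddress"}]}},
]

def matches(node, features):
    """Recursively evaluate a feature tree; leaves are api/string set lookups."""
    (kind, value), = node.items()
    if kind == "and":
        return all(matches(child, features) for child in value)
    if kind == "or":
        return any(matches(child, features) for child in value)
    return value in features.get(kind, set())

def triage(features, rules=RULES):
    """Produce the three capa-style output blocks: ATT&CK, MBC, capability."""
    hits = [r for r in rules if matches(r["features"], features)]
    return {"attck": sorted(t for r in hits for t in r["attck"]),
            "mbc": sorted(m for r in hits for m in r["mbc"]),
            "capability": {r["name"]: r["namespace"] for r in hits}}

if __name__ == "__main__":
    for block, rows in triage(SAMPLE_FEATURES).items():
        print(f"{block.upper()}: {rows}")
```

The same low-level facts (an import, a string) feed all three blocks; what differs is only which metadata each rule carries, which is why the capability block is the most specific of the three.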
Once we understand the specifics of basic static analysis, we can turn to a tool like Capa to do a lot of the heavy lifting for us during triage. Capa can give us high-level information about what may be going on in the sample of interest. On its own, it is rarely enough information to draw a definitive conclusion.