capa v3.1 releases: identify capabilities in executable files

by do son · Published July 20, 2020 · Updated January 12, 2022

capa

capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.

$ capa.exe suspicious.exe

+------------------------+--------------------------------------------------------------------------------+
| ATT&CK Tactic          | ATT&CK Technique                                                               |
|------------------------+--------------------------------------------------------------------------------|
| DEFENSE EVASION        | Obfuscated Files or Information [T1027]                                        |
| DISCOVERY              | Query Registry [T1012]                                                         |
|                        | System Information Discovery [T1082]                                           |
| EXECUTION              | Command and Scripting Interpreter::Windows Command Shell [T1059.003]           |
|                        | Shared Modules [T1129]                                                         |
| EXFILTRATION           | Exfiltration Over C2 Channel [T1041]                                           |
| PERSISTENCE            | Create or Modify System Process::Windows Service [T1543.003]                   |
+------------------------+--------------------------------------------------------------------------------+

+-------------------------------------------------------+-------------------------------------------------+
| CAPABILITY                                            | NAMESPACE                                       |
|-------------------------------------------------------+-------------------------------------------------|
| check for OutputDebugString error                     | anti-analysis/anti-debugging/debugger-detection |
| read and send data from client to server              | c2/file-transfer                                |
| execute shell command and capture output              | c2/shell                                        |
| receive data (2 matches)                              | communication                                   |
| send data (6 matches)                                 | communication                                   |
| connect to HTTP server (3 matches)                    | communication/http/client                       |
| send HTTP request (3 matches)                         | communication/http/client                       |
| create pipe                                           | communication/named-pipe/create                 |
| get socket status (2 matches)                         | communication/socket                            |
| receive data on socket (2 matches)                    | communication/socket/receive                    |
| send data on socket (3 matches)                       | communication/socket/send                       |
| connect TCP socket                                    | communication/socket/tcp                        |
| encode data using Base64                              | data-manipulation/encoding/base64               |
| encode data using XOR (6 matches)                     | data-manipulation/encoding/xor                  |
| run as a service                                      | executable/pe                                   |
| get common file path (3 matches)                      | host-interaction/file-system                    |
| read file                                             | host-interaction/file-system/read               |
| write file (2 matches)                                | host-interaction/file-system/write              |
| print debug messages (2 matches)                      | host-interaction/log/debug/write-event          |
| resolve DNS                                           | host-interaction/network/dns/resolve            |
| get hostname                                          | host-interaction/os/hostname                    |
| create a process with modified I/O handles and window | host-interaction/process/create                 |
| create process                                        | host-interaction/process/create                 |
| create registry key                                   | host-interaction/registry/create                |
| create service                                        | host-interaction/service/create                 |
| create thread                                         | host-interaction/thread/create                  |
| persist via Windows service                           | persistence/service                             |
+-------------------------------------------------------+-------------------------------------------------+

Changelog v3.1

This release improves the performance of capa while also adding 23 new rules and many code quality enhancements. We profiled capa’s CPU usage and optimized the way that it matches rules, such as by short circuiting when appropriate. According to our testing, the matching phase is approximately 66% faster than v3.0.3! We also added support for Python 3.10, aarch64 builds, and additional MAEC metadata in the rule headers.

This release adds 23 new rules, including nine by Jakub Jozwiak of Mandiant. @ryantxu1 and @dzbeck updated the ATT&CK and MBC mappings for many rules. Thank you!

New Features

engine: short circuit logic nodes for better performance #824 @williballenthin
engine: add optimizer the order faster nodes first #829 @williballenthin
engine: optimize rule evaluation by skipping rules that can’t match #830 @williballenthin
support python 3.10 #816 @williballenthin
support aarch64 #683 @williballenthin
rules: support maec/malware-family meta #841 @mr-tz
engine: better type annotations/exhaustiveness checking #839 @cl30

New Rules (23)

nursery/delete-windows-backup-catalog michael.hunhoff@mandiant.com
nursery/disable-automatic-windows-recovery-features michael.hunhoff@mandiant.com
nursery/capture-webcam-video @johnk3r
nursery/create-registry-key-via-stdregprov michael.hunhoff@mandiant.com
nursery/delete-registry-key-via-stdregprov michael.hunhoff@mandiant.com
nursery/delete-registry-value-via-stdregprov michael.hunhoff@mandiant.com
nursery/query-or-enumerate-registry-key-via-stdregprov michael.hunhoff@mandiant.com
nursery/query-or-enumerate-registry-value-via-stdregprov michael.hunhoff@mandiant.com
nursery/set-registry-value-via-stdregprov michael.hunhoff@mandiant.com
data-manipulation/compression/decompress-data-using-ucl jakub.jozwiak@mandiant.com
linking/static/wolfcrypt/linked-against-wolfcrypt jakub.jozwiak@mandiant.com
linking/static/wolfssl/linked-against-wolfssl jakub.jozwiak@mandiant.com
anti-analysis/packer/pespin/packed-with-pespin jakub.jozwiak@mandiant.com
load-code/shellcode/execute-shellcode-via-windows-fibers jakub.jozwiak@mandiant.com
load-code/shellcode/execute-shellcode-via-enumuilanguages jakub.jozwiak@mandiant.com
anti-analysis/packer/themida/packed-with-themida william.ballenthin@mandiant.com
load-code/shellcode/execute-shellcode-via-createthreadpoolwait jakub.jozwiak@mandiant.com
host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object jakub.jozwiak@mandiant.com
load-code/shellcode/execute-shellcode-via-copyfile2 jakub.jozwiak@mandiant.com
malware-family/plugx/match-known-plugx-module still@teamt5.org

Rule Changes

update ATT&CK mappings by @ryantxu1
update ATT&CK and MBC mappings by @dzbeck
aplib detection by @cdong1012
golang runtime detection by @stevemk14ebr

Bug Fixes

fix circular import error #825 @williballenthin
fix smda negative number extraction #430 @kn0wl3dge

capa explorer IDA Pro plugin

pin supported versions to >= 7.4 and < 8.0 #849 @mike-hunhoff

Development

add profiling infrastructure #828 @williballenthin
linter: detect shellcode extension #820 @mr-tz
show features script: add backend flag #430 @kn0wl3dge

Usage

See capa -h for all supported arguments and usage examples.

tips and tricks

only run selected rules

Use the -t option to run rules with the given metadata value (see the rule fields rule.meta.*). For example, capa -t william.ballenthin@mandiant.com runs rules that reference Willi’s email address (probably as the author), or capa -t communication runs rules with the namespace communication.

IDA Pro integrations

You can run capa from within IDA Pro. Run capa/main.py via File - Script file... (or ALT + F7). When running in IDA, capa uses IDA’s disassembly and file analysis as its backend. These results may vary from the standalone version that uses vivisect. IDA’s analysis is generally a bit faster and more thorough than vivisect’s, so you might prefer this mode.

When run under IDA, capa supports both Python 2 and Python 3 interpreters. If you encounter issues with your specific setup, please open a new Issue.

Additionally, capa comes with an IDA Pro plugin located in the capa/ida directory: the explorer.

capa explorer

The capa explorer allows you to interactively display and browse capabilities capa identified in a binary. As you select rules or logic, capa will highlight the addresses that support its analysis conclusions. We like to use capa to help find the most interesting parts of a program, such as where the C2 mechanism might be.

To install the plugin, you’ll need to be running IDA Pro 7.4 or 7.5 with either Python 2 or Python 3. Next make sure pip commands are run using the Python install that is configured for your IDA install:

Only if running Python 2.7, run command $ pip install https://github.com/williballenthin/vivisect/zipball/master
Run $ pip install . from capa root directory
Open IDA and navigate to File > Script file… or Alt+F7
Navigate to <capa_install_dir>\capa\ida\ and choose ida_capa_explorer.py