capa v1.3 releases: identify capabilities in executable files

by do son · Published July 20, 2020 · Updated September 14, 2020

capa

capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.

$ capa.exe suspicious.exe

+------------------------+--------------------------------------------------------------------------------+
| ATT&CK Tactic          | ATT&CK Technique                                                               |
|------------------------+--------------------------------------------------------------------------------|
| DEFENSE EVASION        | Obfuscated Files or Information [T1027]                                        |
| DISCOVERY              | Query Registry [T1012]                                                         |
|                        | System Information Discovery [T1082]                                           |
| EXECUTION              | Command and Scripting Interpreter::Windows Command Shell [T1059.003]           |
|                        | Shared Modules [T1129]                                                         |
| EXFILTRATION           | Exfiltration Over C2 Channel [T1041]                                           |
| PERSISTENCE            | Create or Modify System Process::Windows Service [T1543.003]                   |
+------------------------+--------------------------------------------------------------------------------+

+-------------------------------------------------------+-------------------------------------------------+
| CAPABILITY                                            | NAMESPACE                                       |
|-------------------------------------------------------+-------------------------------------------------|
| check for OutputDebugString error                     | anti-analysis/anti-debugging/debugger-detection |
| read and send data from client to server              | c2/file-transfer                                |
| execute shell command and capture output              | c2/shell                                        |
| receive data (2 matches)                              | communication                                   |
| send data (6 matches)                                 | communication                                   |
| connect to HTTP server (3 matches)                    | communication/http/client                       |
| send HTTP request (3 matches)                         | communication/http/client                       |
| create pipe                                           | communication/named-pipe/create                 |
| get socket status (2 matches)                         | communication/socket                            |
| receive data on socket (2 matches)                    | communication/socket/receive                    |
| send data on socket (3 matches)                       | communication/socket/send                       |
| connect TCP socket                                    | communication/socket/tcp                        |
| encode data using Base64                              | data-manipulation/encoding/base64               |
| encode data using XOR (6 matches)                     | data-manipulation/encoding/xor                  |
| run as a service                                      | executable/pe                                   |
| get common file path (3 matches)                      | host-interaction/file-system                    |
| read file                                             | host-interaction/file-system/read               |
| write file (2 matches)                                | host-interaction/file-system/write              |
| print debug messages (2 matches)                      | host-interaction/log/debug/write-event          |
| resolve DNS                                           | host-interaction/network/dns/resolve            |
| get hostname                                          | host-interaction/os/hostname                    |
| create a process with modified I/O handles and window | host-interaction/process/create                 |
| create process                                        | host-interaction/process/create                 |
| create registry key                                   | host-interaction/registry/create                |
| create service                                        | host-interaction/service/create                 |
| create thread                                         | host-interaction/thread/create                  |
| persist via Windows service                           | persistence/service                             |
+-------------------------------------------------------+-------------------------------------------------+

Changelog v1.3

This release brings newly updated mappings to the Malware Behavior Catalog version 2.0, many enhancements to the IDA Pro plugin, flare-capa on PyPI, a bunch of bug fixes to improve feature extraction, and four new rules.

Key changes to IDA Plugin

The IDA Pro integration is now distributed as a real plugin, instead of a script. This enables a few things:

keyboard shortcuts and file menu integration
updates distributed PyPI/pip install --upgrade without touching your %IDADIR%
generally doing thing the “right way”

How to get this new version? Its easy: download capa_explorer.py to your IDA plugins directory and update your capa installation (incidentally, this is a good opportunity to migrate to pip install flare-capa instead of git checkouts). Now you should see the plugin listed in the Edit > Plugins > FLARE capa explorer menu in IDA.

Please refer to the plugin readme for additional information on installing and using the IDA Pro plugin.

Please open an issue in this repository if you notice anything weird.

New features

ida plugin: now a real plugin, not a script @mike-hunhoff
core: distributed via PyPI as flare-capa @williballenthin
features: enable automatic A/W handling for imports @williballenthin @Ana06 #246
ida plugin: persist rules directory setting via ida-settings @williballenthin #268
ida plugin: add search bar to results view @williballenthin #285
ida plugin: add Analyze and Reset buttons to tree view @mike-hunhoff #304
ida plugin: add status label to tree view @mike-hunhoff
ida plugin: add progress indicator @mike-hunhoff, @mr-tz

New rules

compiled with py2exe @re-fox
resolve path using msvcrt @re-fox
decompress data using QuickLZ @edeca
encrypt data using sosemanuk @recvfrom

Bug fixes

rule: reduce FP in DNS resolution @toomanybananas
engine: report correct strings matched via regex @williballenthin #262
formatter: correctly format descriptions in two-line syntax @williballenthin @recvfrom #263
viv: better extract offsets from SibOper operands @williballenthin @edeca #276
import-to-ida: fix import error @cclauss
viv: don’t write settings to ~/.viv/viv.json @williballenthin @rakuy0 @weslambert #244
ida plugin: remove dependency loop that resulted in unnecessary overhead @mike-hunhoff #303
ida plugin: correctly highlight regex matches in IDA Disassembly view @mike-hunhoff #305
ida plugin: better handle rule directory prompt and failure case @stevemk14ebr @mike-hunhoff #309

Changes

rules: update meta mapping to MBC 2.0! @dzbeck
render: don’t display rules that are also matched by other rules @williballenthin @Ana06 #224
ida plugin: simplify tabs, removing summary and adding detail to results view @williballenthin #286
ida plugin: analysis is no longer automatically started when plugin is first opened @mike-hunhoff #304
ida plugin: user must manually select a capa rules directory before analysis can be performed @mike-hunhoff
ida plugin: user interface controls are disabled until analysis is performed @mike-hunhoff #304

usage

See capa -h for all supported arguments and usage examples.

tips and tricks

only run selected rules

Use the -t option to run rules with the given metadata value (see the rule fields rule.meta.*). For example, capa -t william.ballenthin@mandiant.com runs rules that reference Willi’s email address (probably as the author), or capa -t communication runs rules with the namespace communication.

IDA Pro integrations

You can run capa from within IDA Pro. Run capa/main.py via File - Script file... (or ALT + F7). When running in IDA, capa uses IDA’s disassembly and file analysis as its backend. These results may vary from the standalone version that uses vivisect. IDA’s analysis is generally a bit faster and more thorough than vivisect’s, so you might prefer this mode.

When run under IDA, capa supports both Python 2 and Python 3 interpreters. If you encounter issues with your specific setup, please open a new Issue.

Additionally, capa comes with an IDA Pro plugin located in the capa/ida directory: the explorer.

capa explorer

The capa explorer allows you to interactively display and browse capabilities capa identified in a binary. As you select rules or logic, capa will highlight the addresses that support its analysis conclusions. We like to use capa to help find the most interesting parts of a program, such as where the C2 mechanism might be.

To install the plugin, you’ll need to be running IDA Pro 7.4 or 7.5 with either Python 2 or Python 3. Next make sure pip commands are run using the Python install that is configured for your IDA install:

Only if running Python 2.7, run command $ pip install https://github.com/williballenthin/vivisect/zipball/master
Run $ pip install . from capa root directory
Open IDA and navigate to File > Script file… or Alt+F7
Navigate to <capa_install_dir>\capa\ida\ and choose ida_capa_explorer.py

capa v1.3 releases: identify capabilities in executable files

Search

Suggested Reading

capa v1.3 releases: identify capabilities in executable files

capa

Changelog v1.3

Key changes to IDA Plugin

New features

New rules

Bug fixes

Changes

usage

tips and tricks

only run selected rules

IDA Pro integrations

capa explorer

Download

Search

Suggested Reading