What is capa?
capa is a new tool recently developed by FireEye. This tool makes some reverse engineering tasks tremendously easy and quick by automatically detecting capabilities of executable files (eg. PE files or shellcode). The tool scans files for known signatures based on capa rules and outputs detected tactics, techniques and procedures described in Mitre ATT&CK (knowledge base for malware capabilities).
When researchers conduct quick incident response and immediately understand how a piece of malware operates, then a tool like this can be very useful. In-depth reverse engineering of the malicious code might take too long. On the other hand, using capa gives a good suggestion about what the malware‘s real capabilities are and where to look in the code to examine a certain malware feature in more detail.
LIFARS’ Cyber Resilience and Response Subscription Program provides the manpower and expertise to immediately respond and remediate to cyber incidents and breaches, in addition to providing a full array of services to increase your company’s cyber resiliency.
Other tools, like PEView, can perform a similar task and provide the examiner with the list of functions that the executable calls. However, capa puts similar findings into context and specifies what the executable is capable of. These capabilities may include privilege escalation, defense evasion, lateral movement, exfiltration, etc. If the piece of code possesses these capabilities, capa will specify the method of execution of these tasks.
capa detects capabilities using so-called capa rules, which have a structure similar to yara rules. These rules are created from real malware samples, whose capabilities have previously been analyzed by reverse engineers. If somebody has analyzed an interesting piece of malware, he/she can contribute those findings to society by creating a new capa rule. You too can contribute to the capa project by following the guidelines for rule writing published on their GitHub page. Below, you can see an example of such a rule.
We analyzed a shellcode used in a recent attack by group FIN6 with capa and we obtained the following result. As you can see, the result states shellcode’s capabilities quite clearly. Within seconds, the tool produces outcomes that would take a lot of time for the reverse engineer to find.
We consider this tool as an easy-to-use open-source framework that can help with forensics, incident response and reverse engineering. It also underlines the need for a cybersecurity community cooperation and makes use of other researcher’s findings during their investigations.