FireEye’s Open-Source Tool – CAPA to Identify Malware Capabilities


FireEye has released an open-source tool, CAPA, for analysing PE files and shellcode. CAPA detects capabilities in executable files: you run it against a PE file or shellcode and it reports what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.

Installation steps:

Features of CAPA:

  • Detection with built-in rules that describe malware capabilities, each mapped to ATT&CK techniques.
  • Static malware analysis that gives a clear picture of the malware's instructions and execution flow.
  • Host Interaction describes program functionality to interact with the file system, processes, and the registry.
  • Anti-Analysis describes packers, anti-VM, anti-debugging, and other related techniques.
  • Collection describes functionality used to steal data such as credentials or credit card information.
  • Data Manipulation describes capabilities to encrypt, decrypt, and hash data.
  • Communication describes data transfer techniques such as HTTP, DNS, and TCP.

Working with CAPA:

  • Start the tool against a malicious Windows executable to check the malware's capabilities and their ATT&CK techniques.
  • CAPA quickly identifies the sample's hashes and the malware's tactics on the host machine.


Matched malware functions are extracted and listed with their meta information.

Passing the -vv flag

  • With the -vv flag (very verbose), capa reports exactly where it found evidence of these capabilities.
  • It shows where within the binary an experienced analyst might start studying with IDA Pro or another disassembler.
  • It provides the instruction information and entry addresses, which can later be verified in a disassembler to retrieve indicators of compromise.
  • Specific functions are called at 0x4034d0 and Windows environment variables are deleted.
  • An HTTP request is sent on a TCP socket and two files are received from external domains.
  • The HTTP GET method is used by the malware to communicate with a malicious domain.
  • TCP sockets retrieve information from an HTTP connection.
  • The malware enumerates the registry and creates a key to persist on the host machine, calls into the Windows advapi library, and resolves DNS.
  • It gets the OS information.
  • It spawns a suspicious process.
  • Registry values are set and suspicious services are started through advapi.
  • Services are started successfully by the malware.
  • The malware retrieves the address of an exported function or variable from the specified dynamic-link library (DLL) and makes indirect calls through it.
  • Legitimate Windows services are used as a persistence mechanism.
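The two sections above (the ATT&CK mapping in the default report and the match addresses reported with -vv) are easier to work with when capa's JSON report is parsed rather than read by eye. The script below is an added example, not part of the original post or of the capa project: it groups matched rules by ATT&CK tactic and collects the match addresses for each rule so they can be jumped to in a disassembler. The embedded CAPA_JSON is a constructed, trimmed-down sample whose layout (rules keyed by name, each with "meta" and "matches") is an assumption about the shape of `capa -j` output; the rule names, addresses and ATT&CK references in it are illustrative. Because the "att&ck" and "matches" fields have changed shape between capa versions, the parser accepts both the string form and the dict form of an ATT&CK reference, and both the hex-string-keyed dict and the list-of-pairs form of matches.

```python
import json
import re
from collections import defaultdict

# Constructed sample standing in for `capa -j sample.exe` (assumed layout, not real output).
CAPA_JSON = r'''{
  "meta": {"sample": {"path": "sample.exe", "md5": "<md5-placeholder>"}},
  "rules": {
    "send HTTP request": {
      "meta": {
        "namespace": "communication/http/client",
        "att&ck": ["Command and Control::Application Layer Protocol::Web Protocols [T1071.001]"]
      },
      "matches": {"0x4034d0": {}, "0x4027e0": {}}
    },
    "create service": {
      "meta": {
        "namespace": "persistence/service",
        "att&ck": [{"tactic": "Persistence", "technique": "Create or Modify System Process",
                    "subtechnique": "Windows Service", "id": "T1543.003"}]
      },
      "matches": [[{"type": "absolute", "value": 4215000}, {}]]
    },
    "resolve DNS": {
      "meta": {"namespace": "communication/dns", "att&ck": []},
      "matches": {"0x403a10": {}}
    }
  }
}'''

# String form: "Tactic::Technique[::Sub-technique] [Txxxx(.yyy)]"
ATTACK_STR = re.compile(r"^(?P<tactic>[^:]+)::(?P<technique>.+?)\s*\[(?P<id>T\d{4}(?:\.\d{3})?)\]$")


def load_report(text):
    """Parse the JSON report text into a dict."""
    return json.loads(text)


def parse_attack_ref(ref):
    """Normalise one ATT&CK reference to (tactic, technique, id).
    Accepts the string form and the dict form; anything else is an error
    rather than a silently dropped mapping."""
    if isinstance(ref, str):
        m = ATTACK_STR.match(ref.strip())
        if not m:
            raise ValueError(f"unrecognised ATT&CK reference: {ref!r}")
        return m.group("tactic"), m.group("technique"), m.group("id")
    technique = ref["technique"]
    if ref.get("subtechnique"):
        technique = f"{technique}::{ref['subtechnique']}"
    return ref["tactic"], technique, ref["id"]


def match_addresses(matches):
    """Return the sorted match addresses as ints. Handles the dict form keyed by
    hex strings and the list form of [address-object, match-tree] pairs."""
    addrs = set()
    if isinstance(matches, dict):
        for key in matches:
            addrs.add(int(key, 16))
    else:
        for addr, _match_tree in matches:
            addrs.add(int(addr["value"]))
    return sorted(addrs)


def summarize(report):
    """Group matched rules by ATT&CK tactic as (rule, 'technique [id]', addresses).
    Rules with no mapping are kept under 'Unmapped' so they are not lost."""
    by_tactic = defaultdict(list)
    for rule_name, rule in report["rules"].items():
        refs = [parse_attack_ref(r) for r in rule["meta"].get("att&ck", [])]
        addrs = match_addresses(rule.get("matches", {}))
        if not refs:
            by_tactic["Unmapped"].append((rule_name, None, addrs))
        for tactic, technique, tid in refs:
            by_tactic[tactic].append((rule_name, f"{technique} [{tid}]", addrs))
    return dict(by_tactic)


def format_summary(report):
    """Render the grouped summary as text, one tactic per section, with the
    addresses an analyst would jump to in a disassembler."""
    lines = []
    for tactic, entries in sorted(summarize(report).items()):
        lines.append(tactic)
        for rule_name, technique, addrs in entries:
            hexaddrs = ", ".join(f"0x{a:x}" for a in addrs)
            lines.append(f"  {rule_name:<20} {technique or '-':<62} @ {hexaddrs}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(load_report(CAPA_JSON)))
```

To use it on a real sample, replace CAPA_JSON with the contents of the file written by `capa -j sample.exe > report.json` and check the key names against the capa version you run; the raising ValueError on an unrecognised reference is deliberate so a format change is noticed rather than producing an empty table.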


Disassembler to Extract Indicators of Compromise

  • Let us verify some of the above malware actions with a disassembler to retrieve the suspicious files downloaded and the malware domain.
  • In the Cutter open-source disassembler, the malware communicates with the domain ( www[.]l52m[.]com ).
  • The function fcn.004027e0 is called and contains push instructions referencing the malware domain.
  • The malicious domain www[.]l52m[.]com transfers the C_C_C_C_C.exe file as a dropper.
  • Another file: Vmware-vmx.exe.
  • In the same way we can reverse and extract other information such as process names, registry entry values, etc. as part of static analysis.
  • CAPA gives analysts a tool to quickly analyse an executable sample; it recognises features and patterns of malware that help with further investigation.

Happy Hunting !!!

Balaganesh is an Incident Responder, Certified Ethical Hacker, Penetration Tester, Security blogger, and Founder & Author of Soc Investigation.

