Tool Overview: How CAPA Works
Using CAPA:
- Open PowerShell (it may take time for the prompt to appear).
- Navigate to the correct directory (C:\Users\Administrator\Desktop\capa).
- Run capa or capa.exe, pointing to the binary file (e.g., cryptbot.bin).
After running the command, wait for the results, which may take several minutes. You can either continue the task or stop processing.
- What command-line option would you use if you need to check what other parameters you can use with the tool? Use the shortest format. -h
- What command-line options are used to find detailed information on the malware's capabilities? Use the shortest format. -v
- What command-line options do you use to find very verbose information about the malware's capabilities? Use the shortest format. -vv
- What PowerShell command will you use to read the content of a file? Get-Content
Dissecting CAPA Results Part 1: General Information, MITRE and MAEC
The results of running CAPA against cryptbot.bin will be discussed in subsequent tasks, dissecting the results per block and topic.
The first block contains basic information about the file:
- Cryptographic algorithms: md5, sha1/256.
- Static field: how CAPA performed its analysis on the file.
- OS field: the operating system (OS) context for identified capabilities.
- Arch field: whether the binary is related to x86 architecture.
- Path: location of the analyzed file.
MITRE ATT&CK
The MITRE ATT&CK framework documents the tactics and techniques employed by threat actors throughout a cyber-attack. It serves as a playbook for understanding attackers' methods, from initial access to maintaining presence and evading defenses.
CAPA uses the following format for the output:
- Format: ATT&CK Tactic::ATT&CK Technique::Technique Identifier Example: Defense Evasion::Obfuscated Files or Information::T1027
- Format: ATT&CK Tactic::ATT&CK Technique::ATT&CK Sub-Technique::Technique Identifier[.]Sub-technique Identifier Example: Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools T1027.005
Questions and Answers:
- What is the sha256 of cryptbot.bin? ae7bc6b6f6ecb206a7b957e4bb86e0d11845c5b2d9f7a00a482bef63b567ce4c
- What is the Technique Identifier of Obfuscated Files or Information? T1027
- What is the Sub-Technique Identifier of Obfuscated Files or Information::Indicator Removal from Tools? T1027.005
- When CAPA tags a file with this MAEC value, it indicates that the file demonstrates behaviour similar to, but not limited to, Activating persistence mechanisms? launcher
- When CAPA tags a file with this MAEC value, it indicates that the file demonstrates behaviour similar to, but not limited to, Fetching additional payloads or resources from the internet? Downloader
Dissecting CAPA Results Part 2: Malware Behavior Catalogue
In this task, we will cover the following topics:
- MBC
- Objective
- Micro-Objective
- MBC Behaviors
- Micro-Behavior
- Methods
Malware Behavior Catalogue (MBC)
MBC supports malware analysis through labelling, similarity analysis, and standardized reporting, serving as a catalogue of malware objectives and behaviours. It links to ATT&CK methods and logs all behaviours and code features discovered during analysis. MBC behaviour names may not match ATT&CK techniques, and it does not duplicate ATT&CK information.
The MBC content can be represented in two formats:
- OBJECTIVE::Behavior::Method [Identifier] Example: ANTI-STATIC ANALYSIS::Executable Code Obfuscation::Argument Obfuscation [B0032.020] (Anti-static Analysis = OBJECTIVE, Executable Code Obfuscation = BEHAVIOR, Argument Obfuscation = METHOD, B0032.020 = IDENTIFIER)
- OBJECTIVE::Behavior::[Identifier] Example: COMMUNICATION::HTTP Communication:: [C0002] (COMMUNICATION = OBJECTIVE, HTTP Communication = BEHAVIOR, C0002 = IDENTIFIER)
The first format includes an additional detail called METHOD, a sub-technique.
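Added example (not from the original page or from the capa project): a parser for the two ATT&CK formats and the two MBC formats listed above. It splits each tag into its name components and identifier, treats the enclosing brackets as optional, and rejects a tag whose identifier depth does not match the number of name components. The sample tags are constructed from the examples above.

```python
import re
from dataclasses import dataclass
from typing import Tuple

# Identifier at the end of the last "::" field; brackets are optional.
_ATTACK_ID = re.compile(r"\[?(T\d{4}(?:\.\d{3})?)\]?\s*$")        # T1027, T1027.005
_MBC_ID = re.compile(r"\[?([A-Z]\d{4}(?:\.[A-Za-z0-9]+)?)\]?\s*$")  # B0032.020, C0002


@dataclass
class Tag:
    parts: Tuple[str, ...]  # tactic/objective, technique/behavior, optional sub-level
    ident: str              # e.g. T1027.005 or B0032.020

    @property
    def has_sublevel(self) -> bool:
        """True when a sub-technique (ATT&CK) or method (MBC) is present."""
        return len(self.parts) == 3


def _split_tag(tag: str, id_re: "re.Pattern[str]") -> Tag:
    """Split 'A::B::C ID', 'A::B::ID' or 'A::B:: [ID]' into names and identifier."""
    fields = [f.strip() for f in tag.split("::")]
    match = id_re.search(fields[-1])
    if match is None:
        raise ValueError(f"no identifier at end of tag: {tag!r}")
    ident = match.group(1)
    # Whatever precedes the identifier in the last field is a sub-level name.
    trailing_name = fields[-1][: match.start()].strip()
    names = fields[:-1] + ([trailing_name] if trailing_name else [])
    if len(names) not in (2, 3):
        raise ValueError(f"expected 2 or 3 name components in {tag!r}")
    # A dotted identifier marks a sub-technique/method, and vice versa.
    if ("." in ident) != (len(names) == 3):
        raise ValueError(f"identifier {ident} does not match depth of {tag!r}")
    return Tag(tuple(names), ident)


def parse_attack(tag: str) -> Tag:
    """Parse an ATT&CK tag: Tactic::Technique[::Sub-technique] Identifier."""
    return _split_tag(tag, _ATTACK_ID)


def parse_mbc(tag: str) -> Tag:
    """Parse an MBC tag: OBJECTIVE::Behavior[::Method] [Identifier]."""
    return _split_tag(tag, _MBC_ID)


if __name__ == "__main__":
    # Constructed sample tags, taken from the formats described above.
    print(parse_attack("Defense Evasion::Obfuscated Files or Information::T1027"))
    print(parse_mbc("COMMUNICATION::HTTP Communication:: [C0002]"))
```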
Answer the questions below
- What serves as a catalogue of malware objectives and behaviours? Malware Behavior Catalogue
- Which field is based on ATT&CK tactics in the context of malware behaviour? Objective
- What is the Identifier of "Create Process" micro-behavior? C0017
- What is the behaviour with an Identifier of B0009? Virtual Machine Detection
- Malware can be used to obfuscate data using base64 and XOR. What is the related micro-behavior for this? Encode Data
- Which micro-behavior refers to "Malware is capable of initiating HTTP communications"? HTTP Communication
Dissecting CAPA Results Part 3: Namespaces
We will discuss two main topics: Capability and Namespace, focusing on Namespace.
CAPA Output Overview
Namespaces
CAPA uses namespaces to group items with the same purpose.
Top-Level Namespace (TLN) and Explanation
- anti-analysis: Detects malware behaviors to evade analysis, like obfuscation and anti-debugging.
- collection: Relates to data-related rules for malware enumeration and exfiltration.
- communication: Pertains to communication behaviors in malware, including network interactions.
- compiler: Recognizes build environments or compilers used in executables.
- data-manipulation: Governs behaviors involved in altering data within executable files.
Additional Namespaces
- executable: Attributes in executable files, like PE sections.
- host-interaction: Interactions with the host system, including file operations.
- impact: Potential consequences of a program's behavior.
- internal: Rules for internal use within CAPA.
- lib: Building blocks for creating other rules.
- linking: Identifies behaviors involving linking external code during execution.
- load-code: Related to dynamically loading or executing code.
- malware-family: Links behaviors to specific malware families.
- nursery: Staging ground for unfinished rules.
- persistence: Maintains access within compromised systems.
- runtime: Identifies the platform on which the program runs.
- targeting: Interactions with ATMs.
Questions and Answers
- Which top-level Namespace contains a set of rules specifically designed to detect behaviours, including obfuscation, packing, and anti-debugging techniques exhibited by malware to evade analysis? anti-analysis
- Which namespace contains rules to detect virtual machine (VM) environments? anti-vm/vm-detection
- Which Top-Level Namespace contains rules related to behaviours associated with maintaining access or persistence within a compromised system? persistence
- Which namespace addresses techniques such as String Encryption, Code Obfuscation, Packing, and Anti-Debugging Tricks, which conceal or obscure the true purpose of the code? obfuscation
- Which Top-Level Namespace is a staging ground for rules that are not quite polished? nursery
Dissecting CAPA Results Part 4: Capability
In this task, we will continue the discussion from the previous task.
Capability
Below is a table with the Capability and its related TLN, namespace, and the rules associated with the YAML file.
Now we're done dissecting the results from the sample run from the previous task!
Answer the questions below
- What rule yaml file was matched if the Capability or rule name is check HTTP status code? check-http-status-code.yml
- What is the name of the Capability if the rule YAML file is reference-anti-vm-strings.yml? reference anti-VM strings
- Which TLN or Top-Level Namespace includes the Capability or rule name run PowerShell expression? load-code
- Check the conditions inside the check-for-windows-sandbox-via-registry.yml rule file from this link. What is the value of the API ending in Ex that it is looking for? RegOpenKeyEx