Testing capa the Malware analysis tool

Shaquib Izhar
4 min read · Aug 14, 2020

FireEye recently released capa, an open-source malware analysis tool. It quickly became popular among malware analysts because it reports the capabilities of a sample, that is, what a portable executable file can do when executed on a Windows machine.

I decided to test it on some custom malware samples to see how it works. I chose one malware sample from theZoo, a repository of live malware.

I selected the binary Trojan.Dropper.GEN.

On checking VirusTotal, this one has a detection rate of 43/63.

I did some basic behaviour analysis on any.run and here is its summary.

From the process graph it is clear that this binary drops and executes multiple malicious files.

So I started the analysis of ailiao.exe with capa.

On execution, capa reports this binary's capabilities and also shows which ATT&CK tactics and techniques the threat actor has used.

We can see that capa reported 11 matches, which include connecting to an HTTP server and accepting command-line arguments. Its result matches the any.run report above, which shows connects to an HTTP server / connects to a URL.

Some results might look like false positives, so I decided to write my own malware and test it with this tool.

Next I tested a spyware sample which, on execution, creates an autorun entry in the registry, captures keystrokes and takes pictures from the webcam.

First I did a static analysis of my malware. Below is the import address table of the malware I made to test capa.

Some notable imported functions above are RegEnumKey, which enumerates the subkeys of a given registry key; RegOpenKeyExA, which opens a registry key specified by the program; and RegQueryValueExA, which reads the value of a registry key specified by the program. Registry changes like these are mostly used by this kind of malware to create autoruns on Windows machines.

fopen, fclose and fwrite tell us that this program creates other files or folders on the user's machine.

Checking the strings, this PE file contains the URL of a GitHub repository.

The GitHub repository above indicates that this PE file can take webcam snapshots.

Enumerating more strings, I found the registry keys that the malware accesses on execution.

A notable one is HKEY_CURRENT_USER, which stores the settings of the currently logged-in user. Keys under it are useful to malware for saving modified settings, such as running the malicious program on every Windows startup (achieving persistence) via HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce.

Now let's examine this PE with capa.

capa gave us exactly the results we obtained from our static analysis: write file, read file, get memory capacity (the GlobalMemoryStatusEx function), open registry key and query registry value.

So in my test I found that capa is a really handy tool for static analysis of a malicious binary, to check what the malicious file can do on execution.
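As an added example (not capa's own code), the following Python sketch shows the idea behind the reports above: static features extracted from a sample, such as imported API names and strings, are matched against rules that name a capability and its ATT&CK technique. The rules, the sample feature set and the technique IDs are simplified constructions for illustration; capa's real rules are richer and use its own YAML format.

```python
from typing import List, Set, Tuple

Feature = Tuple[str, str]  # ("api", "RegOpenKeyExA") or ("string", "\\Run")

# Constructed, simplified rules (not capa's real rule syntax). A rule fires
# when every listed feature is present. Technique IDs are ATT&CK IDs chosen
# for illustration; an empty string means no technique is mapped.
RULES: List[Tuple[str, str, List[Feature]]] = [
    ("open registry key", "T1012", [("api", "RegOpenKeyExA")]),
    ("query registry value", "T1012", [("api", "RegQueryValueExA")]),
    ("enumerate registry subkeys", "T1012", [("api", "RegEnumKeyA")]),
    ("persist via registry Run key", "T1547.001",
     [("api", "RegOpenKeyExA"), ("string", r"\CurrentVersion\Run")]),
    ("write file", "", [("api", "fopen"), ("api", "fwrite")]),
    ("get memory capacity", "T1082", [("api", "GlobalMemoryStatusEx")]),
    ("log keystrokes", "T1056.001", [("api", "GetAsyncKeyState")]),
    ("reference a URL", "", [("string", "http")]),
]

def extract_features(imports: List[str], strings: List[str]) -> Set[Feature]:
    """Turn a sample's import names and strings into a flat feature set."""
    return {("api", n) for n in imports} | {("string", s) for s in strings}

def feature_present(feat: Feature, feats: Set[Feature]) -> bool:
    kind, value = feat
    if kind == "api":
        return feat in feats  # import names must match exactly
    # string features match as case-insensitive substrings of any sample string
    return any(k == "string" and value.lower() in v.lower() for k, v in feats)

def match_rules(feats: Set[Feature]) -> List[Tuple[str, str]]:
    """Return (capability, technique) for every rule whose features all match."""
    return [(cap, tech) for cap, tech, req in RULES
            if all(feature_present(f, feats) for f in req)]

# Constructed sample mirroring the spyware described above: registry imports,
# file I/O, memory query, a keystroke API, a Run key string and a placeholder URL.
SAMPLE_IMPORTS = ["RegOpenKeyExA", "RegQueryValueExA", "RegEnumKeyA", "fopen",
                  "fclose", "fwrite", "GlobalMemoryStatusEx", "GetAsyncKeyState"]
SAMPLE_STRINGS = [r"Software\Microsoft\Windows\CurrentVersion\Run",
                  "https://github.com/PLACEHOLDER/webcam-snapshot"]

def analyse_sample() -> List[Tuple[str, str]]:
    return match_rules(extract_features(SAMPLE_IMPORTS, SAMPLE_STRINGS))

if __name__ == "__main__":
    for cap, tech in analyse_sample():
        print(f"{cap:30s} {tech or '-'}")
```

Note that the persistence rule only fires when both the registry API and the Run key string are present, which is why a single import on its own reports just the generic "open registry key" capability.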
