capa, developed by Mandiant's FLARE team, is a reverse engineering tool that automates the identification of program capabilities. In this blog post we introduce capa Explorer Web, a browser-based tool to display the capabilities found by capa. capa Explorer Web offers an intuitive and interactive visualization of capa analysis results and lets you browse and display those results in multiple viewing modes.

Before the release of capa Explorer Web, the capa Explorer IDA plugin was the only way to interactively explore capa rule matches. Analysts without access to IDA Pro had no graphical interface to easily inspect capa results. Due to the large amount of data, this was especially a shortcoming for the exploration of dynamic results, a feature introduced in capa v7.0 for detecting capabilities from sandbox traces.

capa Explorer Web is accessible online at our GitHub page, and you can start analyzing capa results immediately (see Figure 2). capa Explorer Web allows you to load capa result documents from local JSON files, including Gzipped files. The interface offers different views including a table view with rule match details (see Figure 1), a function-centric view for static analysis, and a process-tree view for dynamic analysis results. Users can expand, sort, filter, and search rule match details (see Figure 3).

Figure 3 illustrates how an analyst can use capa Explorer Web to study the details of a rule match. Expanding the “inject APC” match row shows which features capa identified, including their location in the program. Further actions are available for each rule match: viewing the rule source definition as shown in Figure 5, opening the rule definition in the capa rules website, or searching for samples with this capability in VirusTotal to gain broader threat intelligence insights.

Figure 4 demonstrates how analysts can leverage capa's dynamic analysis results to identify suspicious processes which exhibit malicious behavior. For instance, the process "explorer.exe" (a seemingly benign name) is shown invoking the InternetCrackUrl API with potentially malicious URLs as arguments, such as hxxps://216.201.159[.]118:443/cHOPH1oQ.php. This noteworthy functionality hints at possible process injection, and here even provides potential network-based indicators for further analysis.

The function and process capability views in capa Explorer Web offer granular insights into program functionality, organized by their location within the analyzed sample. For static analysis results, the function capabilities view groups rule matches by function address, allowing reverse engineers to quickly identify functions with key behavior (see Figure 6). For dynamic analysis results, the process capabilities view organizes matches by process in a tree structure, showing Process ID (PID) and Parent Process ID (PPID) information (see Figure 7).

capa has been integrated as part of VirusTotal's analysis since January 2023. Our new UI integration enables users to explore capa results directly from VirusTotal. To open capa Explorer Web from VirusTotal, navigate to Behavior > Download Artifacts > Open in CAPA Explorer (see Figure 8) or use Open in CAPA explorer next to Capabilities (see Figure 9). When reviewing a new sample on VirusTotal, an analyst can pivot directly into capa Explorer Web to identify interesting locations within the program. Note that not all files have capa analysis results available: capa currently only supports analysis of non-corrupted PE, .NET, and ELF x86/x64 executables.

For future enhancements of capa Explorer Web, we plan to first enhance the process tree view mode to improve visualization of per-process matches.
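The two grouping views described above (rule matches by function address for static results, and a PID/PPID process tree for dynamic results) are simple to reproduce outside the browser, which is useful when triaging many result documents at once. The script below is an added example, not code from the capa project or from capa Explorer Web. It assumes the general layout of a capa result document (a "rules" object keyed by rule name, each holding "meta" and a "matches" list of [location, match] pairs, with "absolute" locations for static scopes and "process" locations carrying "pid"/"ppid" for dynamic scopes); the two embedded documents are constructed for illustration and are not real samples. It also shows loading a plain or Gzipped JSON file, detecting gzip by its magic bytes rather than by extension.

```python
import gzip
import json
from collections import defaultdict
from pathlib import Path

# Constructed sample documents in the shape assumed for a capa result document.
# Only the fields this script uses are populated; the match trees are left empty.
STATIC_SAMPLE = {
    "meta": {"flavor": "static"},
    "rules": {
        "inject APC": {
            "meta": {"name": "inject APC", "namespace": "host-interaction/process/inject"},
            "matches": [[{"type": "absolute", "value": 0x401000}, {}]],
        },
        "create process": {
            "meta": {"name": "create process", "namespace": "host-interaction/process/create"},
            "matches": [
                [{"type": "absolute", "value": 0x401000}, {}],
                [{"type": "absolute", "value": 0x402200}, {}],
            ],
        },
    },
}

DYNAMIC_SAMPLE = {
    "meta": {"flavor": "dynamic"},
    "rules": {
        "parse URL": {
            "meta": {"name": "parse URL", "namespace": "communication/http"},
            "matches": [[{"type": "process", "value": {"ppid": 1000, "pid": 2044}}, {}]],
        },
        "create process": {
            "meta": {"name": "create process", "namespace": "host-interaction/process/create"},
            "matches": [[{"type": "process", "value": {"ppid": 1, "pid": 1000}}, {}]],
        },
    },
}


def load_result_document(path):
    """Load a result document from a plain or gzipped JSON file.
    Gzip is recognised by the 1F 8B magic bytes, so a mis-named file still loads."""
    raw = Path(path).read_bytes()
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    return json.loads(raw.decode("utf-8"))


def capabilities_by_function(doc):
    """Static view: map each function address to the sorted rule names matched there.
    Locations that are not 'absolute' (e.g. file-scope matches) are skipped."""
    by_function = defaultdict(set)
    for name, rule in doc["rules"].items():
        for location, _match in rule["matches"]:
            if location["type"] == "absolute":
                by_function[location["value"]].add(name)
    return {addr: sorted(names) for addr, names in sorted(by_function.items())}


def process_tree(doc):
    """Dynamic view: build {pid: {"ppid", "rules", "children"}} from process-scope
    locations and return (nodes, roots). A root is a process whose parent was
    never observed in the trace, so the tree never loses an orphaned process."""
    nodes = {}
    for name, rule in doc["rules"].items():
        for location, _match in rule["matches"]:
            if location["type"] != "process":
                continue  # call-scope locations are not needed for the tree
            pid, ppid = location["value"]["pid"], location["value"]["ppid"]
            node = nodes.setdefault(pid, {"ppid": ppid, "rules": set(), "children": []})
            node["rules"].add(name)
    for pid, node in nodes.items():
        node["rules"] = sorted(node["rules"])
        parent = nodes.get(node["ppid"])
        if parent is not None:
            parent["children"].append(pid)
    roots = sorted(pid for pid, node in nodes.items() if node["ppid"] not in nodes)
    return nodes, roots


def render_tree(nodes, roots, depth=0):
    """Indented text rendering of the process tree, one line per process."""
    lines = []
    for pid in roots:
        node = nodes[pid]
        lines.append("  " * depth + f"pid {pid} (ppid {node['ppid']}): {', '.join(node['rules'])}")
        lines.extend(render_tree(nodes, sorted(node["children"]), depth + 1))
    return lines


if __name__ == "__main__":
    for addr, names in capabilities_by_function(STATIC_SAMPLE).items():
        print(f"0x{addr:08x}: {', '.join(names)}")
    nodes, roots = process_tree(DYNAMIC_SAMPLE)
    print("\n".join(render_tree(nodes, roots)))
```

To run it against a real document, replace the constructed samples with `load_result_document("result.json.gz")` and check `doc["meta"]` for the analysis flavor before choosing the view; the field names are assumptions to verify against the document you actually have.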
This Cyber News was published on cloud.google.com. Publication date: Tue, 01 Oct 2024 14:43:17 +0000