This is a guest entry written by Mike Hunhoff, Moritz Raabe, and Willi Ballenthin from the Mandiant FLARE Team. Their views and opinions are their own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the authors.
capa explorer is an IDA Pro plugin that automatically identifies capabilities in programs using an extensible set of rules. With capa explorer, you can inspect matches and focus your reverse engineering on the most relevant code. The plugin highlights common malware functionality, can identify algorithms, and helps you write new capa detection rules. We love using capa explorer because it integrates the Mandiant FLARE team’s capa functionality seamlessly into IDA Pro.
Once installed, you can open capa explorer in IDA Pro by navigating to Edit > Plugins > FLARE capa explorer or using the keyboard shortcut Alt+F5. See the end of this post for details on how to install capa explorer and how to configure the rules path initially. capa explorer has two views accessible via the tabs located at the top of the plugin window:
capa explorer’s Program Analysis displays the capabilities that were matched in a program. (see Figure 1)
This view enables you to:
To start analysis, click the Analyze button located at the bottom of the plugin pane. capa explorer caches the analysis results in your database so you can instantly load matches during subsequent invocations. The Settings button enables you to configure various plugin options, including the path to your capa rules and the behavior at startup (start analysis automatically or manually).
capa explorer’s Rule Generator provides an interactive interface that enables you to easily write new capa rules using features extracted directly from a program (see Figure 2).
As you write a rule, the Rule Generator automatically verifies the rule is syntactically correct and matches as expected. You can save the rule directly to your local file system using the Save button. The Settings button enables you to configure Rule Generator settings including the rule author name and default rule scope. For an extensive writeup on using the Rule Generator to easily write and test new capa rules, see our previous blog post.
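To make concrete what "syntactically correct and matches as expected" means for a capa rule, here is a small Python model of a rule's structure and boolean logic. It is an added example written for this post, not code from capa or capa explorer, and it covers only a subset of the real rule format (and/or/not/optional/"N or more" statements over api, string, number, mnemonic and characteristic features); the rule, the API names in it and the per-function feature sets are constructed for illustration.

```python
"""
Minimal model of how a capa rule's logic block is checked and then evaluated
against features extracted from one function. Added example, not capa's own
code: real capa supports more feature types, sub-scopes, counted features and
match-tree reporting. Rule, API names and feature sets are constructed.
"""

# The rule, as the dict yaml.safe_load() would return for this YAML text
# (kept as a dict so the example runs without PyYAML):
#
#   rule:
#     meta:
#       name: drop file into new directory
#       namespace: host-interaction/file-system/write
#       scope: function
#     features:
#       - and:
#         - api: CreateDirectoryA
#         - or:
#           - api: WriteFile
#           - api: CopyFileA
#         - not:
#           - api: DeleteFileA
RULE = {"rule": {
    "meta": {"name": "drop file into new directory",
             "namespace": "host-interaction/file-system/write",
             "scope": "function"},
    "features": [{"and": [
        {"api": "CreateDirectoryA"},
        {"or": [{"api": "WriteFile"}, {"api": "CopyFileA"}]},
        {"not": [{"api": "DeleteFileA"}]},
    ]}],
}}

STATEMENTS = {"and", "or", "not", "optional"}
LEAF_TYPES = {"api", "string", "number", "mnemonic", "characteristic"}
SCOPES = {"file", "function", "basic block", "instruction"}


def validate_rule(rule):
    """Return a list of structural problems; an empty list means the rule is well formed."""
    problems = []
    body = rule.get("rule", {})
    meta = body.get("meta", {})
    for key in ("name", "namespace", "scope"):
        if key not in meta:
            problems.append(f"meta is missing '{key}'")
    if meta.get("scope") not in SCOPES:
        problems.append(f"unknown scope {meta.get('scope')!r}")
    feats = body.get("features")
    if not isinstance(feats, list) or len(feats) != 1:
        problems.append("features must hold exactly one top-level statement")
    else:
        _validate_node(feats[0], problems)
    return problems


def _validate_node(node, problems):
    if not isinstance(node, dict) or len(node) != 1:
        problems.append(f"node must be a single-key mapping: {node!r}")
        return
    (key, value), = node.items()
    if key in STATEMENTS or key.endswith(" or more"):
        if not isinstance(value, list) or not value:
            problems.append(f"'{key}' needs a non-empty list of children")
            return
        if key == "not" and len(value) != 1:
            problems.append("'not' takes exactly one child")
        if key.endswith(" or more") and not key.split(" ")[0].isdigit():
            problems.append(f"bad count in '{key}'")
        for child in value:
            _validate_node(child, problems)
    elif key not in LEAF_TYPES:
        problems.append(f"unknown statement or feature type '{key}'")


def evaluate(node, features):
    """features is a set of (type, value) pairs extracted from the function."""
    (key, value), = node.items()
    if key == "and":
        return all(evaluate(c, features) for c in value)
    if key == "or":
        return any(evaluate(c, features) for c in value)
    if key == "not":
        return not evaluate(value[0], features)
    if key == "optional":          # never blocks a match; only adds detail
        return True
    if key.endswith(" or more"):   # e.g. "2 or more": count of matching children
        return sum(evaluate(c, features) for c in value) >= int(key.split(" ")[0])
    if key == "api":               # accept bare and module-qualified API names
        want = value.split(".")[-1]
        return any(t == "api" and v.split(".")[-1] == want for t, v in features)
    return (key, value) in features


def rule_matches(rule, features):
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    return evaluate(rule["rule"]["features"][0], features)


# Constructed feature sets standing in for three functions of a sample.
DROPPER_FEATURES = {("api", "kernel32.CreateDirectoryA"), ("api", "kernel32.CopyFileA"),
                    ("api", "kernel32.WriteFile"), ("string", "colorui.dll")}
CLEANUP_FEATURES = {("api", "CreateDirectoryA"), ("api", "WriteFile"), ("api", "DeleteFileA")}
UNRELATED_FEATURES = {("api", "GetSystemInfo"), ("mnemonic", "cpuid")}

if __name__ == "__main__":
    for label, feats in [("dropper", DROPPER_FEATURES), ("cleanup", CLEANUP_FEATURES),
                         ("unrelated", UNRELATED_FEATURES)]:
        print(label, "->", rule_matches(RULE, feats))
```

The two halves mirror what the Rule Generator does as you type: validate_rule catches structural mistakes (a missing meta key, an unknown statement, a `not` with two children) before any matching is attempted, and evaluate walks the logic tree against the feature set. Note how the `not` branch makes the rule reject the cleanup function even though it also creates a directory and writes a file, which is the kind of precision check you want before saving a rule.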
Let’s look at two examples of typical malware analysis workflows. These will show how capa explorer quickly focuses reverse engineering on the most relevant and interesting parts of a program. The examples include both a Windows PE file and a Linux ELF file to demonstrate how capa explorer’s results abstract over platform differences and can help to analyze both familiar and unfamiliar file formats.
capa explorer yields hundreds of matches for this sample. Because of the program's size, the initial analysis takes a moment, but it is still far faster than triaging the binary by hand. The results shown under Program Analysis quickly highlight suspicious capabilities and point us to the associated code locations. Among the capa results, we see a match for "contain an embedded PE file". Figure 4 shows the expanded details with a match at virtual address 0x140108050.
Double-clicking the highlighted address navigates IDA's Disassembly view to the location of the embedded PE file. There is one cross reference to the embedded PE file bytes from the function at virtual address 0x140032FB0.
We pivot to the identified function and select Limit results to current function. This filters the results to show only capabilities found in the function currently displayed in IDA’s Disassembly view. The results quickly highlight further suspicious behavior found in the current function. Figure 5 shows capa explorer’s summary of the function’s key capabilities.
Additional analysis in IDA confirms that the function creates a new directory, copies the file colorcpl.exe to this directory, and writes the embedded PE file to colorui.dll. Subsequently, the sample executes the file colorcpl.exe, which in turn loads the dropped DLL. Additionally, the function schedules a task to establish persistence. See this Mandiant blog post for further analysis of this trojanized PuTTY application and related samples.
This is just one approach to dissecting suspected trojanized files using capa explorer. Another technique we have used successfully is comparing capa matches for a known good file against matches for a suspected trojanized file. In the above example, the known good file does not contain capa hits for an embedded PE file, the directory and file creation, or the task scheduling used for persistence.
We find that Show matches by function helps us to understand what a function may do at a high level. For example, capa explorer shows that the function located at virtual address 0x4047E0 implements capabilities for collecting system information (see Figure 7).
The search bar above the results pane lets us quickly focus on specific matches. For example, searching for “file-system” reveals functions that may read or write files (see Figure 8). Inspecting these locations further helps identify relevant host-based indicators like accessed files.
By searching for “communication” we see that the program may communicate using raw sockets and which functions implement the sending and receiving of data (see Figure 9). Here further analysis can quickly uncover network-based indicators.
Finally, searching for “process” reveals that the sample may create new and stop existing processes (see Figure 10).
We navigate IDA's Disassembly view to the function at virtual address 0x4041D0, deselect Show matches by function, and select Limit results to current function to view the function's matches. Expanding each entry provides an assembly level breakdown detailing how the match was made. To quickly see the relevant code parts, we can select the checkbox next to an entry and capa explorer will highlight the corresponding address in IDA's Disassembly view (see Figure 11). The Reset Selections button located at the bottom of the plugin pane removes these selections and highlights.
You can use Python pip to install capa and its dependencies from PyPI:
pip install flare-capa
When you first analyze a program, capa explorer requires you to specify a directory path containing capa rules. capa explorer provides a GitHub link (located in the rules prompt and under settings) from which you can download and extract the official capa rules that are compatible with your plugin version. The rules directory path that you provide is saved for future runs and can be updated in the capa explorer settings.
Check out capa explorer’s documentation on GitHub for additional usage details and the most recent installation steps.
We hope capa explorer is as helpful to you as it is to us. We would love to hear about your experience using the plugin. What does capa explorer do well? What needs to be improved? Feel free to open an issue with your feedback on our GitHub repository.
As maintainers of the official capa rules repository the Mandiant FLARE team invites anyone to contribute rules, ideas, and feedback. Your input can improve the analysis of thousands of reverse engineers and security analysts around the world.