govindhtech · 8 months ago
Capa Explorer Web: Web-based Program Ability Analysis Tools
Capa Explorer Web
The FLARE team at Mandiant created capa, a reverse engineering tool that automatically identifies the capabilities of a program. The capa Explorer Web UI lets you visualize capa analysis results in an easy-to-use, interactive way.
What is Capa Explorer Web?
Capa Explorer Web is a web-based tool for investigating the capabilities that capa has identified. With it, you can interactively browse and view capa findings in several different ways.
As part of the Google Summer of Code (GSoC) project that the Mandiant FLARE team mentored in 2024, Soufiane Fariss (@s-ff) built this feature.
Context
Capa extracts features from programs by analyzing them with a variety of backends, including Ghidra, CAPE, and IDA Pro. It then identifies capabilities by matching these features against expert-written rules. When a program’s extracted features satisfy the set of conditions stated in a capability rule, the program matches that rule.
Before capa Explorer Web was released, the capa Explorer IDA plugin was the only tool for interactively exploring capa rule matches. Without IDA Pro, analysts had no graphical user interface for quickly reviewing capa results. This was a particular problem when examining dynamic results, a feature introduced in capa v7.0 for identifying capabilities from sandbox traces, because of the sheer volume of data involved.
Introducing capa Explorer Web
capa Explorer Web presents the results of a capa analysis in an easy-to-use, interactive manner. Users can browse rule matches and see the rationale behind each one. Analysts can search, filter, and sort the results. The interface offers several views, including a function-centric view for static analysis results, a process-tree view for dynamic analysis results, and a table view with rule match details.
Getting started
You can start examining capa results right away by visiting the capa Explorer Web page on its GitHub website. For offline use, a standalone HTML file is available for download from that site. Much like CyberChef, it can be opened locally in a browser and works without an Internet connection.
To create a capa result document and load it, follow these short steps:
1. Install the most recent standalone capa release.
2. Analyze a sample and save the JSON output: capa.exe -j /path/to/file > result.json
3. Open capa Explorer Web and import the JSON results file.
Loading capa Results
capa Explorer Web loads capa result documents from local JSON files, including gzipped files. All processing happens in your browser; no data is sent to any server.
Displaying Rule Match Details in the Default Table View
The default web user interface (UI) shows the identified program capabilities as a table of rule matches. Users can expand, sort, filter, and search rule match details, which speeds up sample triage. The table displays the specifics of every rule match, including the matched features and their addresses. Users can also inspect and filter on rule metadata such as namespaces, associated MITRE ATT&CK techniques, and Malware Behavior Catalog (MBC) classifications.
Image credit to Google Cloud
The figure above shows how an analyst can examine the specifics of a rule match in capa Explorer Web. Expanding the “inject APC” match row reveals the detected features together with their location in the program. This information helps pinpoint important behaviors and supports further analysis, such as when reviewing sandbox traces, debugging a sample, or disassembling a file.
The figure below shows how analysts can use capa’s dynamic analysis results to find processes that behave maliciously. In this example, the ostensibly benign process “explorer.exe” is shown calling the InternetCrackUrl API with a potentially harmful URL as an argument, hxxps://216.201.159[.]118:443/cHOPH1oQ.php. This notable finding hints at possible process injection and also offers potential network-based indicators for further investigation.
Image credit to Google Cloud
Rule Match Context
Right-clicking a match row exposes additional explorer functionality. This includes viewing the rule’s source, opening the rule definition on the capa rules website, and searching VirusTotal for samples that share this capability to gain broader threat intelligence insights. A VirusTotal lookup requires a premium account.
Alternative Views: Grouping Functions and Processes
The function and process capability views in capa Explorer Web give detailed insight into a program’s functionality, organized by where each capability sits within the analyzed sample. For static analysis results, the function capabilities view groups rule matches by function address, so reverse engineers can quickly discover the functions with key behavior.
For dynamic analysis results, the process capabilities view arranges matches by process in a tree structure and shows the Process ID (PID) and Parent Process ID (PPID) of each process. Hovering over a process entry shows its matching rules.
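As an added illustration of the table view and the function capabilities view described above (this is example code, not capa’s or capa Explorer Web’s own), the following script builds the equivalent of both views from a capa-style JSON result document. The sample document is constructed inline, and its layout (meta.analysis.layout.functions listing each function’s matched basic blocks; rules[name].matches as [address, node] pairs) is an assumption about the result format rather than something taken from the post.

```python
from collections import defaultdict

# Constructed sample in the shape of a capa static result document (assumed
# layout, see the lead-in). Rule names and namespaces follow capa conventions.
SAMPLE = {
    "meta": {"analysis": {"layout": {"functions": [
        {"address": {"type": "absolute", "value": 0x401000},
         "matched_basic_blocks": [{"address": {"type": "absolute", "value": 0x401040}}]},
        {"address": {"type": "absolute", "value": 0x402000}, "matched_basic_blocks": []},
    ]}}},
    "rules": {
        "inject APC": {
            "meta": {"namespace": "host-interaction/process/inject",
                     "attack": [{"id": "T1055.004", "technique": "Process Injection"}]},
            "matches": [[{"type": "absolute", "value": 0x401000}, {}]]},
        "contain loop": {
            "meta": {"namespace": "internal/limitation", "attack": []},
            "matches": [[{"type": "absolute", "value": 0x401040}, {}]]},
        "create process": {
            "meta": {"namespace": "host-interaction/process/create",
                     "attack": [{"id": "T1106", "technique": "Native API"}]},
            "matches": [[{"type": "absolute", "value": 0x402000}, {}]]},
    },
}


def match_table(doc, namespace_filter=""):
    """Rows like the default table view: (rule, namespace, ATT&CK ids, hex addresses), filtered by namespace substring and sorted by namespace."""
    rows = []
    for name, rule in doc["rules"].items():
        ns = rule["meta"].get("namespace", "")
        if namespace_filter not in ns:
            continue
        attack = ",".join(a["id"] for a in rule["meta"].get("attack", []))
        addrs = [hex(addr["value"]) for addr, _ in rule["matches"]]
        rows.append((name, ns, attack, addrs))
    return sorted(rows, key=lambda r: r[1])


def by_function(doc):
    """Group rule names by containing function, as in the function capabilities view."""
    bb_to_func = {}  # function-scope matches sit at the function address itself
    for fn in doc["meta"]["analysis"]["layout"]["functions"]:
        fva = fn["address"]["value"]
        bb_to_func[fva] = fva
        for bb in fn["matched_basic_blocks"]:
            bb_to_func[bb["address"]["value"]] = fva
    grouped = defaultdict(list)
    for name, rule in doc["rules"].items():
        for addr, _ in rule["matches"]:
            grouped[bb_to_func.get(addr["value"], addr["value"])].append(name)
    return {hex(f): sorted(names) for f, names in grouped.items()}
```

Matches at basic-block scope are mapped to their enclosing function through the layout section, which is what lets a single function row collect every capability found inside it.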
VirusTotal and capa Explorer Web integration
Since January 2023, capa has been integrated into VirusTotal’s analysis. With the new UI integration, users can examine capa findings directly from VirusTotal, without having to download a sample and analyze it locally with capa. To open capa Explorer Web from VirusTotal, go to Behavior > Download Artifacts > Open in CAPA Explorer, or use the Open in CAPA Explorer option next to Capabilities. For now, this feature requires a paid VirusTotal subscription.
Be aware that capa analysis results are not available for every file. Currently, capa only supports analysis of non-corrupted PE, .NET, and ELF x86/x64 executables.
When examining a new sample on VirusTotal, an analyst can jump straight to capa Explorer Web to pinpoint the noteworthy areas of the program. This workflow makes it possible to prioritize functions for in-depth code analysis in the reverse engineering tool of their choice.
Upcoming Projects
The team first intends to improve the process tree view of capa Explorer Web to better visualize per-process matches. It is also considering new views for the Indicators of Compromise (IoCs) extracted during dynamic analysis. Displaying extracted indicators such as file paths, URLs, and registry keys could further improve the triage process.