CAPA


CAPA (Common Analysis Platform for Artifacts) is a tool developed by the FireEye Mandiant team. It identifies the capabilities present in executable files such as Portable Executables (PE), ELF binaries, .NET modules and shellcode, and it can also process sandbox reports.
It does so by analyzing the file and applying a set of rules that describe common behaviours, which lets it determine what the program is capable of doing: network communication, file manipulation, process injection, and much more.

  • This helps when analyzing potentially malicious software and when proactively hunting for threats with static analysis.
  • The beauty of CAPA is that it encapsulates years of reverse engineering knowledge into an automated tool, making it accessible even to those who may not be experts in reverse engineering.
  • This can be incredibly useful for analysts and security professionals, allowing them to quickly understand potentially malicious software’s functionality without manually reverse engineering the code.
  • This tool is particularly useful in malware analysis and threat hunting, where understanding a binary’s capabilities is crucial for incident response and defensive measures.

Usage#

```powershell
capa.exe app.bin
```

| Option | Description | Sample Syntax |
|---|---|---|
| -h or --help | Show the help message and exit. | `capa -h` |
| -v or --verbose | Enable verbose result document. | `capa.exe .\cryptbot.bin -v` |
| -vv or --vverbose | Enable a very verbose result document. | `capa.exe .\cryptbot.bin -vv` |
| -j | JSON format | `capa.exe -j -vv .\cryptbot.bin > cryptbot_vv.json` |

Example Output

Output Analysis#

The first block contains basic information about the file:

  • The cryptographic hashes of the file: md5, sha1 and sha256.
  • The analysis field tells us how CAPA performed its analysis on the file.
  • The os field reveals the operating system (OS) context in which the identified capabilities apply.
  • The arch field tells us whether we are dealing with a binary built for the x86 architecture.
  • The path where the analyzed file was located.

MITRE ATT&CK#

The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a comprehensive global knowledge repository that documents the tactics and techniques employed by threat actors at every stage of a cyber-attack. It functions as a strategic playbook, providing detailed insights into attackers’ methods, from gaining initial access to maintaining a presence, escalating privileges, evading defenses, moving laterally within a network, and much more.

CAPA uses this format for its ATT&CK output. Note that some results may not include the Technique and Sub-technique identifiers.

| Format | Sample | Explanation |
|---|---|---|
| ATT&CK Tactic::ATT&CK Technique::Technique Identifier | Defense Evasion::Obfuscated Files or Information::T1027 | DEFENSE EVASION = ATT&CK Tactic; Obfuscated Files or Information = ATT&CK Technique; T1027 = Technique Identifier |
| ATT&CK Tactic::ATT&CK Technique::ATT&CK Sub-Technique::Technique Identifier[.]Sub-technique Identifier | Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools T1027.005 | DEFENSE EVASION = ATT&CK Tactic; Obfuscated Files or Information = ATT&CK Technique; Indicator Removal from Tools = ATT&CK Sub-Technique; T1027 = Technique Identifier; 005 = Sub-Technique Identifier |

MAEC#

Malware Attribute Enumeration and Characterization (MAEC) is a specialized language designed to encode and communicate complex details about malware. It covers an extensive range of attributes, including behaviours, artefacts, and relationships among malware instances, and serves as a standardized system for tracking and analyzing the complexities of malware.

| MAEC Value | Description |
|---|---|
| Launcher | Exhibits behaviours that trigger specific actions similar to malware behaviour. |
| Downloader | Exhibits behaviours wherein it downloads and executes other files, usually seen in more complex malware. |

When CAPA tags a file with a “Launcher” MAEC value, it indicates that the file demonstrates behaviour similar to, but not limited to:

  • Dropping additional payloads
  • Activating persistence mechanisms
  • Connecting to command-and-control (C2) servers
  • Executing specific functions

Some of these behaviours are also present in the Malware Behavior Catalogue (MBC) and Capability blocks.

When CAPA tags a file with a “Downloader” MAEC value, it indicates that the file demonstrates behaviour similar to, but not limited to:

  • Fetching additional payloads or resources from the internet
  • Pulling in updates
  • Executing secondary stages
  • Retrieving configuration files

Malware Behavior Catalogue (MBC)#

MBC is designed to support various aspects of malware analysis, such as labelling, similarity analysis, and standardized reporting. Essentially, it serves as a catalogue of malware objectives and behaviours. MBC can also link to ATT&CK methods and log all behaviours and code features discovered during malware analysis. It’s important to note that the names of MBC behaviours may or may not match the corresponding ATT&CK techniques. The information on behaviour pages complements the content on ATT&CK pages. In other words, when recording malware behaviours, MBC users will reference ATT&CK, but MBC does not duplicate ATT&CK information.

MBC content in the CAPA output is represented in one of two formats.

| Format | Sample | Explanation |
|---|---|---|
| OBJECTIVE::Behavior::Method [Identifier] | ANTI-STATIC ANALYSIS::Executable Code Obfuscation::Argument Obfuscation [B0032.020] | ANTI-STATIC ANALYSIS = OBJECTIVE; Executable Code Obfuscation = BEHAVIOR; Argument Obfuscation = METHOD; B0032.020 = IDENTIFIER |
| OBJECTIVE::Behavior:: [Identifier] | COMMUNICATION::HTTP Communication:: [C0002] | COMMUNICATION = OBJECTIVE; HTTP Communication = BEHAVIOR; C0002 = IDENTIFIER |

The difference between the two formats is that the first contains an additional level of detail called METHOD, which can be thought of as a sub-technique.

Objective#

Objectives are based on ATT&CK tactics in the context of malware behaviour, though not all tactics are included. In addition, MBC defines two objectives of its own, Anti-Behavioral Analysis and Anti-Static Analysis, tailored to the use case of characterizing malware. See the table below for an explanation of each.

| Objective | Explanation |
|---|---|
| Anti-Behavioral Analysis | Malware attempts to avoid detection by hindering behavioural analysis using tools like sandboxes or debuggers. |
| Anti-Static Analysis | Malware attempts to obstruct or add complexity to static analysis, making it more challenging for security professionals to identify and understand its malicious behaviours and intentions. |
| Collection | Malware focuses on identifying and gathering information from the targeted machine or network. |
| Command and Control | Malware typically establishes communication with compromised systems through various methods such as command and control servers, peer-to-peer networks, or other means. This communication allows the malware to control the compromised systems, enabling the attackers to execute commands, exfiltrate data, or carry out other malicious activities. |
| Credential Access | The primary aim of the malware is to steal account credentials, such as usernames and passwords. |
| Defense Evasion | The malware aims to bypass and circumvent the detection and security mechanisms present within the system to avoid being detected or mitigated. |
| Discovery | Malware seeks to collect detailed information about the configuration and setup of the system or network environment, including hardware, software, and network infrastructure. |
| Execution | Malware is designed to execute unauthorized commands or code on a targeted computer system without the user’s consent. This can include a wide range of harmful activities, such as stealing personal information, damaging files, or gaining unauthorized access to the system. |
| Exfiltration | Malware is designed to infiltrate computer systems or networks to steal and extract sensitive data. This can include personal information, financial details, and any other valuable data stored on the targeted system or network. |
| Impact | Malware aims to manipulate, disrupt, or damage computer systems and data. It can enter computers through infected emails, compromised websites, and other deceptive means, leading to financial loss, privacy breaches, and system instability. |
| Lateral Movement | Malware seeks to spread through the network, either actively through machine access or passively, such as via malicious emails. |
| Persistence | Malware is intentionally developed with the capability to remain undetected and operational on a computer system for an extended period. |
| Privilege Escalation | Malware seeks to infiltrate a computer system or network to gain elevated permissions or control. Once inside the target environment, malware can seek to escalate its privileges, access sensitive information, or take control of system resources for malicious purposes. |

Micro-Objective#

Micro-objectives are associated with micro-behaviors: actions exhibited by potentially malicious software that are not necessarily malicious in themselves and may serve various objectives. Legitimate binaries, such as messaging apps, exhibit them too. However, these behaviours are frequently abused, which is why CAPA flags them.

| Micro-Objective | Description |
|---|---|
| PROCESS | Exhibiting behaviours related to processes such as, but not limited to, Creating Process, Setting Thread Context, Terminating Process, and Checking Mutex. |
| MEMORY | Exhibiting behaviours such as, but not limited to, Allocating Memory, Changing Memory Protection, and Freeing Memory. |
| COMMUNICATION | Exhibiting behaviours such as, but not limited to, DNS, FTP, HTTP, ICMP and SMTP network traffic. |
| DATA | Exhibiting behaviours such as, but not limited to, Checking Strings and compressing, decoding and encoding data. |

In CAPA’s final output, both Objectives and Micro-Objectives appear under the single Objective column.

MBC Behaviors#

The MBC Behaviors column contains behaviours and micro-behaviours, with or without their methods and identifiers. Please check the MBC Summary for a listing of all MBC content.

| Objective | Behavior | Identifier | Explanation |
|---|---|---|---|
| ANTI-BEHAVIORAL ANALYSIS | Lab Machine Detection | B0009 | The malware checks to see if it is running in a virtual environment. During its system reconnaissance, the malware examines various user and system artifacts. |
| ANTI-STATIC ANALYSIS | Executable Code Obfuscation | B0032 | Executable code has been intentionally obscured to prevent static code analysis. This is a specific behavior related to the executable code of a malware sample, including its data and text sections. |
| EXECUTION | Command and Scripting Interpreter | E1059 | Malware can exploit command and script interpreters to run malicious commands, scripts, or binaries. It targets built-in interpreters like cmd.exe or PowerShell on Windows or Bash on Unix-like systems. Attackers may also use other scripting languages like Python, Perl, or JavaScript. |
| DISCOVERY | File and Directory Discovery | E1083 | Malware has the capability to search for specific files in particular locations by enumerating files and directories. |
| ANTI-STATIC ANALYSIS, DEFENSE EVASION | Obfuscated Files or Information | E1027 | Malware can obfuscate files or information by encoding, encrypting, or otherwise making them hard to analyze. It can also encode or encrypt the malware sample itself. |

Micro-Behavior#

The term “low-level behaviors” in malware analysis refers to actions exhibited by malware that aren’t necessarily malicious and may serve various objectives. These behaviors are documented as “micro-behaviors” in the Malware Behavior Catalogue (MBC). Examples of such low-level behaviors include the creation of TCP sockets and evaluating specific conditions within strings. It’s important to note that just because a behavior is categorized as low-level does not mean it is harmless, as it may still be part of a larger malicious scheme.

| Micro-Objective | Micro-Behavior | Identifier | Explanation |
|---|---|---|---|
| MEMORY | Allocate Memory | C0007 | Malware frequently utilizes memory allocation as part of its strategy to unpack itself and execute its malicious activities. |
| PROCESS | Create Process | C0017 | Malware creates a process via WMI or shellcode. It can also create a suspended process. |
| COMMUNICATION | HTTP Communication | C0002 | Malware is capable of initiating HTTP communications. |
| DATA | Check String | C0019 | Malware can inspect a string to identify specific characteristics, such as ASCII content, credit card numbers, and string length. |
| DATA | Encode Data | C0026 | Malware has the capability to encode data using base64 and XOR. |
| FILE SYSTEM | Create Directory | C0046 | Malware can create a directory. |
| FILE SYSTEM | Delete File | C0047 | Malware has the capability to delete a file. |
| FILE SYSTEM | Read File | C0051 | Malware can read a file. |
| FILE SYSTEM | Write File | C0052 | Malware has the capability to write to a file. |

Note that in the final output of CAPA, Behavior and Micro-Behavior are shown only under the Behavior column.

Methods#

Methods are tied to behaviors; therefore, to fully see all methods, please refer to each specific behavior/micro behavior of interest.

| Behavior | Method or sub-technique | Identifier | Explanation |
|---|---|---|---|
| Executable Code Obfuscation | Argument Obfuscation | B0032.020 | Simple number or string arguments to API calls are calculated at runtime, making analysis more difficult. |
| Executable Code Obfuscation | Stack Strings | B0032.017 | Build and decrypt strings on the stack at each use, then discard them to avoid obvious references. |
| HTTP Communication | Read Header | C0002.014 | HTTP read header. |
| Encode Data | Base64 | C0026.001 | Malware may encode data using Base64. |
| Encode Data | XOR | C0026.002 | Malware may use XOR to encode data. |
| Obfuscated Files or Information | Encoding-Standard Algorithm | E1027.m02 | Encoding of malware samples, files, or other information uses a standard algorithm (e.g., base64). |

The next block, Capability, is represented in the following format.

| Format | Sample | Explanation |
|---|---|---|
| Capability (Rule Name)::TLN (Top-Level Namespace)/Namespace | reference anti-VM strings::Anti-Analysis/anti-vm/vm-detection | reference anti-VM strings = Capability (Rule Name); Anti-Analysis = TLN or Top-Level Namespace; anti-vm/vm-detection = Namespace |

Namespaces#

CAPA uses namespaces to group items with the same purpose. 

| Top-Level Namespace (TLN) | Explanation |
|---|---|
| anti-analysis | Contains rules designed to detect behaviours exhibited by malware to evade analysis, such as obfuscation, packing, and anti-debugging techniques. |
| collection | Contains rules about the data that malware may enumerate and collect for exfiltration or other purposes. Think of it as the “data-gathering” aspect of malware behaviour. |
| communication | Contains rules covering the communication behaviours demonstrated by malware: how it interacts with networks, including data transmission and reception, command and control communications, and other network-related behaviours. |
| compiler | Contains rules for recognizing specific build environments or compilers used to generate executables. These rules serve as the unique “signature” of a program’s compilation process. |
| data-manipulation | Contains rules covering the behaviours involved in altering data, such as string encryption and data encoding. This can be considered the “data transformation” component of malware behaviour. |
| executable | Contains rules pertaining to attributes of executable files, such as PE sections or debug info associated with the executable. |
| host-interaction | Contains rules related to interactions with the host system, that is, how malware interacts with its environment. Rules in this namespace capture behaviors such as reading, writing, or modifying files on disk, including creating, deleting, or modifying files and directories. |
| impact | Contains rules related to the potential consequences or effects of a program’s behavior, focusing on the harm this malware can cause. It may include behaviors related to establishing remote access, data exfiltration, destruction, or modification. |
| internal | Contains rules not intended for direct use by analysts or for reporting. They serve internal purposes within the CAPA tool, the behind-the-scenes side of rule development and execution. |
| lib | Building blocks used to create other rules. |
| linking | Contains rules to identify linking or dynamic loading of external code or libraries during program execution. Malware often depends on external libraries or components (such as OpenSSL, Zlib, or other third-party libraries) to carry out specific tasks, so detecting these dependencies helps analysts understand the malware’s capabilities. External libraries also introduce additional attack surface: if a vulnerability exists in a linked library, it can be exploited, whether by the malware or by defenders during analysis. |
| load-code | Contains rules related to dynamically loading or executing code during program execution. This can be equated to the “runtime code injection” aspect of malware behavior, the introduction of unauthorized code during a program’s execution. |
| malware-family | Contains rules related to behaviors linked to particular malware families or groups. It identifies the distinct characteristics or “signatures” of known malware families, allowing more accurate detection and classification of potential threats. |
| nursery | A staging ground for rules that are not yet polished. |
| persistence | Contains rules related to maintaining access or persistence within a compromised system: how malware establishes and maintains a presence in a compromised environment, allowing it to carry out malicious activities over an extended period. |
| runtime | Contains rules that seek to identify the language or platform on which the program runs. |
| targeting | Contains rules related to behaviors exhibited by programs that interact with ATMs. |

Let’s see how this works by checking the table below.

| Top-Level Namespace (TLN) | Namespace | Rule YAML file | Explanation |
|---|---|---|---|
| Anti-Analysis | anti-vm/vm-detection | reference-anti-vm-strings-targeting-virtualbox.yml, reference-anti-vm-strings-targeting-virtualpc.yml | The anti-vm/vm-detection namespace contains rules to detect lab machine (VM) environments. These rules focus on identifying specific strings or patterns commonly used by malware to detect VMs while running. Using these rules, CAPA can identify if malware searches for VMware-specific registry keys, the presence of VMware tools, or other VM-related elements. |
| Anti-Analysis | obfuscation | obfuscated-with-dotfuscator.yml, obfuscated-with-smartassembly.yml | Malware often uses obfuscation techniques to make analysis more difficult. These include methods such as String Encryption, Code Obfuscation, Packing, and Anti-Debugging Tricks. The obfuscation namespace addresses these techniques, which conceal or obscure the true purpose of the code. |

For this, we only used Anti-Analysis as the TLN or Top-Level Namespace. Under this TLN we have grouped namespaces, such as anti-vm/vm-detection and obfuscation. Each namespace holds a collection of rules that are grouped together, one YAML file per rule. For anti-vm/vm-detection we have rules such as:

  • reference-anti-vm-strings-targeting-virtualbox.yml
  • reference-anti-vm-strings-targeting-virtualpc.yml

The same goes for the obfuscation namespace, whose grouped rules include:

  • obfuscated-with-dotfuscator.yml
  • obfuscated-with-smartassembly.yml

In addition to what was mentioned in the table above, there are a few more namespaces under Anti-Analysis with corresponding rules; check out this link.
Use this link if you are interested in the other TLNs or Top-Level Namespaces, such as collection, compiler, persistence, linking, and impact.

Capability#

| Capability | Top-Level Namespace (TLN) | Namespace | Rule YAML file | Notes |
|---|---|---|---|---|
| reference anti-VM strings | Anti-Analysis | anti-vm/vm-detection | reference-anti-vm-strings.yml | See all rules under this namespace. |
| reference anti-VM strings targeting VMWare | Anti-Analysis | anti-vm/vm-detection | reference-anti-vm-strings-targeting-vmware.yml | See all rules under this namespace. |
| reference anti-VM strings targeting VirtualBox | Anti-Analysis | anti-vm/vm-detection | reference-anti-vm-strings-targeting-virtualbox.yml | See the TLN (Top-Level Namespace) for more rules. |
| reference HTTP User-Agent string | Communication | http/client | reference-http-user-agent-string.yml | See all rules under this namespace. |
| check HTTP status code | Communication | http | check-http-status-code.yml | See all rules under this namespace. |
| reference Base64 string | Data Manipulation | encoding/base64 | reference-base64-string.yml | See all rules under this namespace. |
| encode data using XOR | Data Manipulation | encoding/xor | encode-data-using-xor.yml | See all rules under this namespace. |
| contain a thread local storage (.tls) section | Executable | pe/section/tls | contain-a-thread-local-storage-tls-section.yml | See the TLN (Top-Level Namespace) for more rules. |
| get common file path | Host-Interaction | file-system | get-common-file-path.yml | See the TLN (Top-Level Namespace) for more rules. |
| create directory | Host-Interaction | file-system/create | create-directory.yml | See the TLN (Top-Level Namespace) for more rules. |
| delete file | Host-Interaction | file-system/delete | delete-file.yml | See all rules under this namespace. |
| read file on Windows | Host-Interaction | file-system/read | read-file-on-windows.yml | See all rules under this namespace. |
| write file on Windows | Host-Interaction | file-system/write | write-file-on-windows.yml | See all rules under this namespace. |
| get thread local storage value | Host-Interaction | process | get-thread-local-storage-value.yml | This rule is found under the Nursery TLN, a staging ground for unpolished rules. |
| allocate or change RWX memory | Host-Interaction | process/inject | allocate-or-change-rwx-memory.yml | See all rules under this namespace. |
| create process on Windows | Host-Interaction | process/create | create-process-on-windows.yml | See all rules under this namespace. |
| reference cryptocurrency strings | Impact | impact/cryptocurrency | reference-cryptocurrency-strings.yml | This rule is found under the Nursery TLN, a staging ground for unpolished rules. |
| link function at runtime on Windows | Linking | runtime-linking | link-function-at-runtime-on-windows.yml | See all rules under this namespace. |
| parse PE header | load-code | load-code/pe | parse-pe-header.yml, resolve-function-by-parsing-pe-exports.yml | See all rules under this namespace. |
| resolve function by parsing PE exports | load-code | load-code/pe | resolve-function-by-parsing-pe-exports.yml | See all rules under this namespace. |
| run PowerShell expression | load-code | load-code/powershell | run-powershell-expression.yml | See all rules under this namespace. |
| schedule task via at | persistence | scheduled-tasks | schedule-task-via-at.yml | See the TLN (Top-Level Namespace) for more rules. |
| schedule task via schtasks | persistence | scheduled-tasks | schedule-task-via-schtasks.yml | See the TLN (Top-Level Namespace) for more rules. |

The item under Capability has the same name as the YML file under Rules, with the spaces replaced by dash (-) characters, simply because the Capability is the name of the rule.
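As an added example (not part of the original post and not capa’s own code), the Python below splits the three rendered formats described on this page, the ATT&CK entry, the MBC entry and the Capability::TLN/Namespace entry, into their parts, and derives the rule’s YAML file name from the capability name using the convention just described. It works on the strings as the page shows them, not on capa’s JSON result document; the sample strings used in its docstrings are the page’s own examples.

```python
"""Split capa's rendered ATT&CK, MBC and Capability entries into their parts.

Added example, not capa's own code: it implements the three textual formats the
tables on this page describe and the rule-name-to-file-name convention. It works
on the rendered strings only, not on capa's JSON result document.
"""
import re
from typing import NamedTuple, Optional

# Trailing identifier of an ATT&CK entry: T1027 or T1027.005
ATTACK_ID = re.compile(r"\s*(T\d{4}(?:\.\d{3})?)$")
# Trailing bracketed identifier of an MBC entry: [B0032.020], [C0002], [E1027.m02]
MBC_ID = re.compile(r"\s*\[([A-Z]\d{4}(?:\.\w+)?)\]$")


def _segments(body: str) -> list:
    """Split on '::', trim, and drop the empty segment that a trailing '::'
    leaves behind ('...::T1027' and '...::HTTP Communication:: [C0002]' forms)."""
    parts = [p.strip() for p in body.split("::")]
    if parts and parts[-1] == "":
        parts.pop()
    return parts


class AttackEntry(NamedTuple):
    tactic: str
    technique: str
    subtechnique: Optional[str]
    technique_id: str
    subtechnique_id: Optional[str]


class MbcEntry(NamedTuple):
    objective: str
    behavior: str
    method: Optional[str]
    behavior_id: str
    method_id: Optional[str]


class Capability(NamedTuple):
    rule_name: str
    top_level_namespace: str
    namespace: str
    rule_file: str


def parse_attack(entry: str) -> AttackEntry:
    """'Tactic::Technique::T1027' or 'Tactic::Technique::Sub-technique T1027.005'."""
    m = ATTACK_ID.search(entry)
    if not m:
        raise ValueError(f"no ATT&CK identifier in: {entry!r}")
    parts = _segments(entry[: m.start()])
    if len(parts) not in (2, 3):
        raise ValueError(f"expected Tactic::Technique[::Sub-technique]: {entry!r}")
    tech_id, _, sub_id = m.group(1).partition(".")
    sub = parts[2] if len(parts) == 3 else None
    return AttackEntry(parts[0], parts[1], sub, tech_id, sub_id or None)


def parse_mbc(entry: str) -> MbcEntry:
    """'OBJECTIVE::Behavior::Method [B0032.020]' or 'OBJECTIVE::Behavior:: [C0002]'."""
    m = MBC_ID.search(entry)
    if not m:
        raise ValueError(f"no MBC identifier in: {entry!r}")
    parts = _segments(entry[: m.start()])
    if len(parts) not in (2, 3):
        raise ValueError(f"expected OBJECTIVE::Behavior[::Method]: {entry!r}")
    beh_id, _, meth_id = m.group(1).partition(".")
    method = parts[2] if len(parts) == 3 else None
    return MbcEntry(parts[0], parts[1], method, beh_id, meth_id or None)


def parse_capability(entry: str) -> Capability:
    """'rule name::TLN/namespace'. The rule file is the lower-cased rule name with
    spaces replaced by dashes plus '.yml', as in the Capability table above."""
    name, sep, ns = entry.partition("::")
    if not sep or "/" not in ns:
        raise ValueError(f"expected 'rule name::TLN/namespace': {entry!r}")
    tln, _, rest = ns.partition("/")
    name = name.strip()
    return Capability(name, tln, rest, name.lower().replace(" ", "-") + ".yml")
```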

One exception is when a capability or rule is not yet located under its namespace: it is then found under the Nursery TLN, the placeholder for rules that are not quite polished yet.

CAPA Web Explorer#

capa Explorer Web is a web-based tool to explore the capabilities identified by capa. It lets you interactively browse and display capa results.

  • We can use either the online version at mandiant.github.io/capa/explorer or the offline version.
  • Look for the Upload from local button at the bottom left of the page and select the file containing the very verbose (-vv) output in JSON format.
  • Using this, we can review the capabilities and check precisely what within the rule was matched.
  • Another useful feature of this tool is its filter options and the Global Search box.
https://nahil.xyz/vault/tools/capa/
Author Nahil Rasheed
Published at June 17, 2026