Plugin focus: Capa Explorer

This is a guest entry written by Mike Hunhoff, Moritz Raabe, and Willi Ballenthin from the Mandiant FLARE Team. Their views and opinions are their own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the authors.

capa explorer: Focus Your Reverse Engineering Efforts in IDA Pro 

capa explorer is an IDA Pro plugin that automatically identifies capabilities in programs using an extensible set of rules. With capa explorer, you can inspect matches and focus your reverse engineering on the most relevant code. The plugin highlights common malware functionality, can identify algorithms, and helps you write new capa detection rules. 

We love using capa explorer because it integrates the Mandiant FLARE
team’s capa functionality seamlessly into IDA Pro. 

Using capa explorer

Once installed, you can open capa explorer in IDA Pro by navigating to Edit > Plugins > FLARE capa explorer or using the keyboard shortcut Alt – F5. See the end of this post for details on how to install capa explorer and how to configure the rules path initially. 

capa explorer has two views accessible via the tabs located at the top of the plugin window: 

  1. Program Analysis to see identified capabilities 
  2. Rule Generator to write new capa rules 
If you only want to find program capabilities, you will use the Program Analysis view.

Program Analysis

capa explorer’s Program Analysis displays the capabilities that were matched in a program. (see Figure 1)

This view enables you to: 

  • Filter for specific capability matches via the search bar
  • Navigate IDA’s Disassembly view to the location of each match by double-clicking the address
  • Limit matches to the function currently displayed in IDA’s Disassembly view 
  • Show matches by function
  • And more\…

Figure 1: Program Analysis view showing capa matches and their locations
Figure 1: Program Analysis view showing capa matches and their locations

To start analysis, click the Analyze button located at the bottom of the plugin pane. capa explorer caches the analysis results in your database so you can instantly load matches during subsequent invocations. The Settings button enables you to configure various plugin options, including the path to your capa rules and the behavior at startup (start analysis automatically or manually). 

Program Analysis

capa explorer’s Rule Generator provides an interactive interface that enables you to easily write new capa rules using features extracted directly from a program (see Figure 2). 

Figure 2: Rule Generator view to write and test capa Figure 2: Rule Generator view to write and test capa rules

As you write a rule, the Rule Generator automatically verifies the rule is syntactically correct and matches as expected. You can save the rule directly to your local file system using the Save button. The Settings button enables you to configure Rule Generator settings including the rule author name and default rule scope. For an extensive writeup on using the Rule Generator to easily write and test new capa rules, see our previous blog post

Exploring program capabilities

 

Let’s look at two examples of typical malware analysis workflows. These will show how capa explorer quickly focuses reverse engineering on the most relevant and interesting parts of a program. The examples include both a Windows PE file and a Linux ELF file to demonstrate how capa explorer’s results abstract over platform differences and can help to analyze both familiar and unfamiliar file formats.

Example 1: Trojanized PuTTY Executable 

The file putty.exe is a 3.83 MB 64-bit Windows PE file with over 2600 functions. The program is based on the PuTTY source code but may contain malicious functionality. Manually analyzing a large and complex file can be very time consuming. We use capa explorer within IDA Pro to quickly identify
and analyze suspicious capabilities. Our recommended setup displays IDA’s Disassembly view and capa explorer side by side as shown in Figure 3

Figure 3: IDA's Disassembly view and capa explorer side by side Figure 3: IDA’s Disassembly view and capa explorer side by side

capa explorer yields hundreds of matches for this sample. Due to the program size the initial analysis takes a moment but is still faster than by hand. The results shown under Program Analysis quickly highlight suspicious capabilities and point us to the associated code locations. Among the capa results, we see a match for “contain an embedded PE file”. Figure 4 shows the expanded details with a match at virtual address 0x140108050.

  Figure 4: Breakdown of suspicious 'contain an embedded PE file' match Figure 4: Breakdown of suspicious “contain an embedded PE file” match

Double-clicking the highlighted address navigates IDA’s Disassembly view to the location of the embedded PE file. There is one cross reference to the embedded PE file bytes from the function at virtual address 0x140032FB0.

We pivot to the identified function and select Limit results to current function. This filters the results to show only capabilities found in the function currently displayed in IDA’s Disassembly view. The results quickly highlight further suspicious behavior found in the current function. Figure 5 shows capa explorer’s summary of the function’s key capabilities.

  Figure 5: capa results for the function starting at virtual address 0x140032FB0 Figure 5: capa results for the function starting at virtual address 0x140032FB0

Additional analysis in IDA confirms that the function creates a new directory, copies the file colorcpl.exe to this directory, and writes the embedded PE file to colorui.dll. Subsequently, the sample executes the file colorcpl.exe, which in turn loads the dropped DLL. Additionally, the function schedules a task to establish persistence. See this Mandiant blog post for further analysis of this trojanized PuTTY application and related samples. 

This is just one approach to dissecting suspected trojanized files using capa explorer. Another technique we have used successfully is comparing capa matches for a known good file against matches for a suspected trojanized file. In the above example, the known good file does not contain capa hits for an embedded PE file, the directory and file creation, or the task scheduling used for persistence.

Example 2: Linux Backdoor

The ELF file is a Linux backdoor that supports a small set of commands. We analyze the program with capa explorer and get a quick overview of the file’s capabilities by selecting Show matches by function. This groups the rule matches by distinct function and helps us rapidly identify key
functions and program capabilities (see Figure 6). 

Figure 6: capa results grouped by function for an ELF backdoor Figure 6: capa results grouped by function for an ELF backdoor

We find that Show matches by function helps us to understand what a function may do at a high level. For example, capa explorer shows that the function located at virtual address 0x4047E0 implements capabilities for collecting system information (see Figure 7). 

Figure 7: capa results indicate system information collection in the function located at 0x4047E0 Figure 7: capa results indicate system information collection in the function located at 0x4047E0

The search bar above the results pane lets us quickly focus on specific matches. For example, searching for “file-system” reveals functions that may read or write files (see Figure 8). Inspecting these locations further helps identify relevant host-based indicators like accessed files. 

Figure 8: filtering capa results for 'file-system' to quickly extract host-based indicators Figure 8: filtering capa results for “file-system” to quickly extract host-based indicators

By searching for “communication” we see that the program may communicate using raw sockets and which functions implement the sending and receiving of data (see Figure 9). Here further analysis can quickly uncover network-based indicators. 

Figure 9: filtering capa results for 'communication' to identify network-based indicators Figure 9: filtering capa results for “communication” to identify network-based indicators

Finally, searching for “process” reveals that the sample may create new and stop existing processes (see Figure 10). 

Figure 10: filtering capa results for 'process' Figure 10: filtering capa results for “process”

We navigate IDA’s disassembly view to the function at virtual address 0x4041D0, deselect Show matches by function, and select Limit results to current function to view the function’s matches. Expanding each entry provides an assembly level breakdown detailing how the match was made. To quickly see the relevant code parts, we can select the checkbox next to an entry and capa explorer will highlight the corresponding address in IDA’s Disassembly view (see Figure 11). The Reset Selections button located at the bottom of the plugin pane removes these selections and highlights. 

Figure 11: expanding capa results and highlighting features for an identified capability Figure 11: expanding capa results and highlighting features for an identified capability

Installation and Configuration 

You can use Python pip to install capa and its dependencies from PyPI: 

  1. Using the Python interpreter configured for your IDA installation, run pip install flare-capa
  2. Copy the capa_explorer.py plugin file to your IDA plugins directory

When you first analyze a program capa explorer requires you to specify a directory path containing capa rules. capa explorer provides a GitHub link (located in the rules prompt and under settings) from which you can download and extract the official capa rules that are compatible with your plugin version. The rules directory path that you provide is saved for future runs and can be updated in the capa explorer settings.

Check out capa explorer’s documentation on GitHub for additional usage details and the most recent installation steps.

Now it’s Your Turn

 

We hope capa explorer is as helpful to you as it is to us. We would love to hear about your experience using the plugin. What does capa explorer do well? What needs to be improved? Feel free to open an issue with your feedback on our GitHub repository.

As maintainers of the official capa rules repository the Mandiant FLARE team invites anyone to contribute rules, ideas, and feedback. Your input can improve the analysis of thousands of reverse engineers and security analysts around the world.

Article Link: Plugin focus: Capa Explorer – Hex Rays