CAPA: The Basics | TryHackMe writeup / walkthrough
Task 1 - Introduction
Q1. I'm excited to learn more about CAPA!
No Answer Needed
Task 2 - Tool Overview: How CAPA Works
Q1. What command-line option would you use if you need to check what other parameters you can use with the tool? Use the shortest format.
Download the given task file; it contains the output of capa. You can connect to the given machine over RDP and run capa yourself to get similar output, but in my case the machine was a bit slow, so I used the given text file.
- In capa you can use the -h flag to print the help text, which lists the other parameters the tool accepts.
Answer: -h
Q2. What command-line options are used to find detailed information on the malware's capabilities? Use the shortest format.
- You can use the -v flag to get detailed (verbose) output.
Answer: -v
Q3. What command-line options do you use to find very verbose information about the malware's capabilities? Use the shortest format.
- Use -vv for very verbose output, which is more detailed than -v.
Answer: -vv
Q4. What PowerShell command will you use to read the content of a file?
- In PowerShell you can use Get-Content to read the content of a file.
Answer: Get-Content
Task 3 - Dissecting CAPA Results Part 1: General Information, MITRE and MAEC
Q1. What is the sha256 of cryptbot.bin?
- Open the downloaded file and look at the output.

Answer: ae7bc6b6f6ecb206a7b957e4bb86e0d11845c5b2d9f7a00a482bef63b567ce4c
Q2. What is the Technique Identifier of Obfuscated Files or Information?
- Look into the ATT&CK Technique section; there you will find the technique identifier.

Answer: T1027
Q3. What is the Sub-Technique Identifier of Obfuscated Files or Information::Indicator Removal from Tools?
- In the same ATT&CK Technique section you can see the sub-technique.

Answer: T1027.005
Q4. When CAPA tags a file with this MAEC value, it indicates that it demonstrates behaviour similar to, but not limited to, Activating persistence mechanisms?

Answer: launcher
Q5. When CAPA tags a file with this MAEC value, it indicates that the file demonstrates behaviour similar to, but not limited to, Fetching additional payloads or resources from the internet?

Answer: Downloader
Task 4 - Dissecting CAPA Results Part 2: Malware Behavior Catalogue
Q1. What serves as a catalogue of malware objectives and behaviours?

Answer: Malware Behavior Catalogue
Q2. Which field is based on ATT&CK tactics in the context of malware behaviour?

Answer: Objective
Q3. What is the Identifier of "Create Process" micro-behavior?
- At the end of the MBC table you can see the identifier of Create Process.

Answer: C0017
Q4. What is the behaviour with an Identifier of B0009?
- In the MBC table you can find the behaviour for the above identifier.

Answer: Virtual Machine Detection
Q5. Malware can be used to obfuscate data using base64 and XOR. What is the related micro-behavior for this?

Answer: Encode Data
Q6. Which micro-behavior refers to "Malware is capable of initiating HTTP communications"?

Answer: HTTP Communication
Task 5 - Dissecting CAPA Results Part 3: Namespaces
Q1. Which top-level Namespace contains a set of rules specifically designed to detect behaviours, including obfuscation, packing, and anti-debugging techniques exhibited by malware to evade analysis?
- In the capability and namespace section you can find the Top-Level Namespace that contains the above rules.

Answer: anti-analysis
Q2. Which namespace contains rules to detect virtual machine (VM) environments? Note that this is not the TLN or Top-Level Namespace.
- In the previous answer you can see the name of the namespace. The output is in the [Top-Level_Namespace]/[Namespace] format.
Answer: anti-vm/vm-detection
Q3. Which Top-Level Namespace contains rules related to behaviours associated with maintaining access or persistence within a compromised system? This namespace is focused on understanding how malware can establish and maintain a presence within a compromised environment, allowing it to persist and carry out malicious activities over an extended period.
- Find the Top-Level Namespace related to persistence or maintaining access.

Answer: persistence
Q4. Which namespace addresses techniques such as String Encryption, Code Obfuscation, Packing, and Anti-Debugging Tricks, which conceal or obscure the true purpose of the code?
- This time we have to find the namespace (not the TLN) related to String Encryption, Code Obfuscation, Packing, etc.

Answer: obfuscation
Q5. Which Top-Level Namespace Is a staging ground for rules that are not quite polished?

Answer: Nursery
Q6. Proceed to the next task for the 2nd part of the discussion!
No Answer Needed
Task 6 - Dissecting CAPA Results Part 4: Capability
Q1. What rule yaml file was matched if the Capability or rule name is check HTTP status code?
- Read the section carefully; the answers are given there.

Answer: check-http-status-code.yml
Q2. What is the name of the Capability if the rule YAML file is reference-anti-vm-strings

Answer: reference anti-VM strings
Q3. Which TLN or Top-Level Namespace includes the Capability or rule name run PowerShell expression?

Answer: load-code
Q4. Check the conditions inside the check-for-windows-sandbox-via-registry.yml rule file from this link. What is the value of the API that ends in Ex is it looking for?
- Open the given URL, which points to a YAML rule. In it you can find the API name that ends with Ex.

Answer: RegOpenKeyEx
Task 7 - More Information, more fun!
Q1. Which parameter allows you to output the result of CAPA into a .json file?
- In capa we can use the -j flag to emit the results as JSON. capa writes the JSON to standard output, so redirect it into a file. Syntax:
capa -j badfile.exe > output.json
Answer: -j
Q2. What tool allows you to interactively explore CAPA results in your web browser?
- capa provides an interactive web interface in which you can explore the output.
Answer: CAPA Web Explorer
Q3. Which feature of this CAPA Web Explorer allows you to filter options or results?
- In CAPA Web Explorer you can use the global search box to filter options / results.
Answer: Global Search Box
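As an added example (not part of the room and not capa's own code): a small Python script that reads the JSON capa emits with -j and pulls out the fields the earlier tasks asked about (sha256, top-level namespace, ATT&CK and MBC ids), plus a filter that mimics the Web Explorer's global search box. The embedded document is a constructed sample shaped like capa's JSON layout, so the exact field names are an assumption to check against your own capa -j output.

```python
import json
from collections import defaultdict

# Constructed sample shaped like capa's JSON output, trimmed to the fields this
# walkthrough asks about; NOT real capa output (only the sha256/ids come from the room).
SAMPLE_JSON = """{
  "meta": {"sample": {"sha256": "ae7bc6b6f6ecb206a7b957e4bb86e0d11845c5b2d9f7a00a482bef63b567ce4c"}},
  "rules": {
    "check HTTP status code": {"meta": {"namespace": "communication/http", "attack": [],
      "mbc": [{"objective": "Communication", "behavior": "HTTP Communication", "id": "C0002"}]}},
    "reference anti-VM strings": {"meta": {"namespace": "anti-analysis/anti-vm/vm-detection",
      "attack": [{"tactic": "Defense Evasion", "technique": "Virtualization/Sandbox Evasion", "id": "T1497"}],
      "mbc": [{"objective": "Anti-Behavioral Analysis", "behavior": "Virtual Machine Detection", "id": "B0009"}]}},
    "create process": {"meta": {"namespace": "host-interaction/process/create", "attack": [],
      "mbc": [{"objective": "Process", "behavior": "Create Process", "id": "C0017"}]}}
  }
}"""

def load_capa(text: str) -> dict:
    """Parse the JSON that `capa -j sample.exe` writes to stdout."""
    return json.loads(text)

def top_level_namespace(namespace: str) -> str:
    """'anti-analysis/anti-vm/vm-detection' -> 'anti-analysis' (the TLN)."""
    return namespace.split("/", 1)[0] if namespace else "(none)"

def summarize(doc: dict) -> dict:
    """Group matched rules by top-level namespace and collect ATT&CK / MBC ids."""
    by_tln = defaultdict(list)
    attack_ids, mbc_ids = set(), set()
    for rule_name, rule in doc["rules"].items():
        meta = rule["meta"]
        by_tln[top_level_namespace(meta.get("namespace", ""))].append(rule_name)
        attack_ids.update(t["id"] for t in meta.get("attack", []))
        mbc_ids.update(m["id"] for m in meta.get("mbc", []))
    return {"sha256": doc["meta"]["sample"]["sha256"], "by_tln": dict(by_tln),
            "attack": sorted(attack_ids), "mbc": sorted(mbc_ids)}

def find_rules(doc: dict, needle: str) -> list:
    """Case-insensitive filter over rule name, namespace and ATT&CK/MBC ids (like the Web Explorer search box)."""
    needle = needle.lower()
    hits = []
    for rule_name, rule in doc["rules"].items():
        meta = rule["meta"]
        haystack = [rule_name, meta.get("namespace", "")]
        haystack += [x["id"] for x in meta.get("attack", []) + meta.get("mbc", [])]
        if any(needle in s.lower() for s in haystack):
            hits.append(rule_name)
    return sorted(hits)
```

To run it on real results, save capa's output with capa -j badfile.exe > output.json and pass the file's text to load_capa(), then summarize() or find_rules().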
Task 8 - Conclusion
Q1. This room was fantastic! Let's proceed with other rooms for continuous learning!
No Answer Needed