The Capabilities feature helps analysts quickly understand malware behavior and to investigate if the code shared with a certain malware is significant and vital to the malware’s functionality.
When faced with simultaneous threats, Capabilities also provide tips on which threat should be prioritized first based on potential impact to the company.
Table of Contents
- About this Feature
- How Does it Work?
- Correlating the Capability and The Code Genes
- Supported Formats
- Further Reading
About this Feature
Intezer Analyze detects Capabilities by scanning files statically with CAPA and matching the assembly to a collection of predefined rules covering the MITRE ATT&CK framework.
For example, it might suggest the malicious file is a backdoor capable of installing services or that it relies on HTTP to communicate.
How Does it Work?
This feature includes rules developed by Intezer based on genetic code analysis insights, as well as capabilities powered by CAPA, the open-source library from FireEye.
CAPA works statically on the assembly level, identifying recognizable patterns and API calls in executable files to explain what they are trying to do.
Correlating the Capability and The Code Genes
In the Capabilities table, you can find the “Found in Code From” column which links the capability and the classification of the code this capability is related to.
With this information, you can see if the code shared is used for an important part in both malware families, suggesting the tools sharing between both attacks.
To see this in action, let’s take a look at an example:
The image below shows an analysis of a module dropped by an OlympicDestroyer* sample. Looking at the analysis report, you can see that in addition to 34 code genes and 5 capabilities shared with other Olympic Destroyer samples, this sample also shows 4 code genes and 3 capabilities with malware under the TeleBots family.
Click on the Capabilities link to investigate if the code reuse with OlympicDestroyer and TeleBots is significant and vital to the malware’s functionality.
You can see that some of the techniques are using shared code between both Olympic Destroyer and Telebots, particularly functionality around memory allocation. The malware uses this capability to allocate a memory space where it can write and execute code.
* Olympic Destroyer is a famous malware within the malware reverse engineering community due to the number of false flags included by the malware author. In October 2020, the US Department of Justice (DoJ) charged six Russian intelligence officers for numerous cyber attacks. The indictment included the attack against PyeongChang Winter Olympics where Olympic Destroyer was used
Supported Formats
Capabilities are available for PE files, including automatically unpacked files, endpoint analysis and memory dump analysis.