Identifying Malware Capabilities & Intro to MITRE ATT&CK

https://github.com/mandiant/capa

capa ./malware.exe.malz

• Malware Behavioral Catalog (MBC) Objectives and Behaviors

  

  • similar to mitre classification, translate mitre to a malware analysis focus point

  GitHub - MBCProject/mbc-markdown: MBC content in markdown

• Capa Rule Output

  

  • most specific - give best information
  • More information with -v flag and -vv flag

capa ./malware.exe.malz -v

capa ./malware.exe.malz -v

Mitre ATT&CK

MITRE ATT&CK®

• list high level information to understand better the attaques
• Very common in the industry
• fluent in the ATT&CK framework for report writing as it can be an exceptionally useful
• rame findings and information in industry common terms

Combining Analysis Methods: PEStudio

• make all the previous analysis at the same time

• make the early stage of analysis simple and straightforward

  • MZ Windows portable executable (NB)

  

• Generate indicators

  

• Show the most suspicious

  • libraries

    

  • and strings ( → allows to sort and see hints about the usage of the string)

    

• size of the code section > raw_size > .texte