Today we learned some CAPA and worked through an investigation to gather information about malware samples.

We started with CAPA, a tool used to analyze malware samples. CAPA scans executable files and tells you what kinds of behaviours or capabilities the malware has. It’s especially useful because it maps its findings to well-known frameworks like:

  • MITRE ATT&CK – a knowledge base of tactics and techniques used by attackers. CAPA helps identify which of these techniques a malware sample might be using.
  • MBC (Malware Behavior Catalog) – similar to MITRE, but more focused on the objective and behaviour of malware (like “credential dumping” or “process injection”).
  • Beyond these framework mappings, CAPA also lists the concrete capabilities it finds in the sample, such as creating files, communicating over a network, or modifying registry keys.
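To show how the ATT&CK and MBC mappings described above can be pulled out of a CAPA run and grouped for a report, here is an added example (not CAPA's own code). It parses a constructed JSON document modelled on the shape of `capa -j` output, where the top-level "rules" object is keyed by rule name and each rule's "meta" block carries "attack" and "mbc" lists; the field names and the technique IDs in the sample are illustrative assumptions, so check them against the capa version you run.

```python
"""Group the rules matched by a capa JSON report by ATT&CK technique and MBC id."""
import json
from collections import defaultdict

# Constructed sample report (assumed shape of `capa -j`; not output from a real sample).
SAMPLE_REPORT = json.dumps({
    "meta": {"sample": {"sha256": "<sha256-placeholder>"}},
    "rules": {
        "inject APC to spawned thread": {
            "meta": {
                "namespace": "host-interaction/process/inject",
                "attack": [{"tactic": "Defense Evasion", "technique": "Process Injection",
                            "subtechnique": "Asynchronous Procedure Call", "id": "T1055.004"}],
                "mbc": [{"objective": "Defense Evasion", "behavior": "Process Injection",
                         "method": "", "id": "E1055"}],
            }
        },
        "create or open registry key": {
            "meta": {
                "namespace": "host-interaction/registry",
                "attack": [],
                "mbc": [{"objective": "Operating System", "behavior": "Registry",
                         "method": "Create Registry Key", "id": "C0036.004"}],
            }
        },
        "send data on socket": {
            "meta": {
                "namespace": "communication/socket/send",
                "attack": [{"tactic": "Command and Control", "technique": "Application Layer Protocol",
                            "subtechnique": "", "id": "T1071"}],
                "mbc": [{"objective": "Communication", "behavior": "Socket Communication",
                         "method": "Send Data", "id": "C0001.007"}],
            }
        },
    },
})


def load_report(text):
    """Parse a capa JSON report held in a string."""
    return json.loads(text)


def summarize(report):
    """Return the matched rule names plus rules grouped by ATT&CK id and by MBC id."""
    attack = defaultdict(lambda: {"tactic": "", "technique": "", "rules": []})
    mbc = defaultdict(lambda: {"objective": "", "behavior": "", "rules": []})
    for rule_name, rule in report.get("rules", {}).items():
        meta = rule.get("meta", {})
        for entry in meta.get("attack", []):
            technique = entry["technique"]
            if entry.get("subtechnique"):          # fold sub-technique into the label
                technique += "::" + entry["subtechnique"]
            bucket = attack[entry["id"]]
            bucket["tactic"] = entry["tactic"]
            bucket["technique"] = technique
            bucket["rules"].append(rule_name)
        for entry in meta.get("mbc", []):
            behavior = entry["behavior"]
            if entry.get("method"):
                behavior += "::" + entry["method"]
            bucket = mbc[entry["id"]]
            bucket["objective"] = entry["objective"]
            bucket["behavior"] = behavior
            bucket["rules"].append(rule_name)
    return {"capabilities": sorted(report.get("rules", {})),
            "attack": dict(attack), "mbc": dict(mbc)}


def format_summary(summary):
    """Render the grouped summary as plain text for a write-up."""
    lines = ["Capabilities:"] + [f"  - {name}" for name in summary["capabilities"]]
    lines.append("ATT&CK:")
    for tid in sorted(summary["attack"]):
        e = summary["attack"][tid]
        lines.append(f"  {tid:<10} {e['tactic']:<20} {e['technique']}  <- {', '.join(e['rules'])}")
    lines.append("MBC:")
    for mid in sorted(summary["mbc"]):
        e = summary["mbc"][mid]
        lines.append(f"  {mid:<10} {e['objective']:<20} {e['behavior']}  <- {', '.join(e['rules'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(summarize(load_report(SAMPLE_REPORT))))
```

Grouping by technique id rather than by rule name is what makes the output useful for a report: several low-level rules often map to one ATT&CK technique, and the grouped view shows which rules support each claim.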

Later, we had an introduction to Ghidra, a reverse engineering tool developed by the NSA. It’s a bit overwhelming at first. That’s because Ghidra works at a low level, analyzing programs in assembly language, the human-readable form of the raw machine code that processors execute. Without a solid grasp of programming, especially in C, it can feel confusing.


In the afternoon, we started a hands-on malware investigation challenge, which I really enjoyed. These kinds of tasks are fun because they push you to think critically, choose the right tools, and follow the clues.

I used Remnux, a Linux toolkit built specifically for malware analysis. Before jumping in, I looked at the investigation questions and picked the tools I thought would help the most:

  • PE-tree – visualizes the internal structure of Windows executable files (PE files). It was the most helpful tool for me during the challenge.
  • CAPA – to identify the malware’s behaviours and capabilities.
  • strings – to extract readable text from the binary, like file paths, URLs, or commands hidden inside.
  • VirusTotal – to check the file’s reputation and scan results from multiple antivirus engines.
  • MalwareBazaar – to gather more context and info about the sample.
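The `strings` step above is simple enough to reproduce by hand, which is a good way to understand what the tool does and does not find. The following is an added example (not the `strings` utility or any REMnux code): it scans a constructed byte blob, standing in for a PE file, for runs of printable ASCII and of UTF-16LE text (which plain ASCII scanning misses on Windows binaries), then sorts the hits into URLs, file paths, registry paths and module names so the interesting ones stand out. The sample bytes, the minimum length of 4, and the classification rules are all assumptions.

```python
"""Extract ASCII and UTF-16LE strings from a binary blob and sort them by indicator type."""
import re
import sys

# Constructed sample "binary": junk bytes with a few embedded strings (not a real PE file).
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"\x00" * 16
    + b"kernel32.dll\x00"
    + b"\x01\x02\x03"
    + b"http://example.invalid/update.bin\x00"
    + b"\xff\xfe"
    + "C:\\Users\\Public\\svchost.exe".encode("utf-16-le") + b"\x00\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x7f\x80\x90ab\x00"          # "ab" is shorter than the minimum length and is dropped
)


def extract_strings(data, min_len=4):
    """Return (encoding, offset, text) for every printable run of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE: each printable ASCII character is followed by a NUL byte.
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [("utf-16le", m.start(), m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    return sorted(found, key=lambda item: item[1])


def classify(text):
    """Assign one of a few indicator categories; order matters (a path wins over a bare .exe name)."""
    if re.match(r"(?i)https?://", text):
        return "url"
    if re.match(r"(?i)(HK(EY_)?[A-Z_]+\\|SOFTWARE\\|SYSTEM\\)", text):
        return "registry"
    if re.match(r"(?i)[a-z]:\\", text) or text.startswith("\\\\"):
        return "path"
    if re.search(r"(?i)\.(dll|exe|sys)$", text):
        return "dll"
    return "other"


def triage(data, min_len=4):
    """Group extracted strings by category, preserving file order inside each group."""
    groups = {"url": [], "registry": [], "path": [], "dll": [], "other": []}
    for _encoding, _offset, text in extract_strings(data, min_len):
        groups[classify(text)].append(text)
    return groups


if __name__ == "__main__":
    # Usage: python strings_triage.py [file]; without a file the constructed sample is scanned.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for category, items in triage(blob).items():
        for item in items:
            print(f"{category:<9} {item}")
```

Note that the UTF-16LE scan is what recovers the `C:\Users\Public\...` path here; an ASCII-only pass sees each letter separated by a NUL byte and reports nothing, which is exactly the gap that makes `strings -el` (or an equivalent wide-string scan) worth running on Windows samples.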

Even though the challenge sounded difficult at first, it went more smoothly than I expected, though it was still challenging.


Since I had some extra time, I tried the optional room on advanced static analysis. I regret even clicking on it. That room was just too much for me. The content focused on low-level code and reverse engineering skills, especially understanding assembly and how C code gets compiled. This room is definitely one for the future, once I learn more about C.