Mandiant's CAPA + GoReSym to reinforce VT's capabilities
#1
Information 
Quote:
[Image: Logo_VT_Horizontal.png]

VirusTotal, the world’s largest crowdsourced threat intelligence platform, is made possible thanks to a large community of security practitioners and vendors who integrate into our platform their best security tools. We are happy to announce the inclusion of two remarkable additions, both already having wide acceptance in the security community: Capa and GoReSym from Mandiant’s FLARE team.

CAPA

Capa provides a human readable explanation of what a suspicious binary might do and describes the evidence that it found. This gives analysts a high level understanding without the need of going into time consuming Reverse Engineering. We now run Capa against all PE and ELF files submitted to VirusTotal and display the results under the behavior tab.

[Image: c_K_5JKdT2xN8LKiIujY8tw3p8XCsnbf-TUa03-d...kvA=s16000]

Here you can find an example:

https://www.virustotal.com/gui/file/5689...d/behavior

Because we map the Capa results into ATT&CK Tactics and Techniques, you can pivot across them, making it easy to find other malware samples with the same behaviors. You can also create YARA rules for VirusTotal LiveHunt to get notified when any new file matching the same ATT&CK Tactics and Techniques is uploaded to VirusTotal. For example:

import "vt"

rule capa_mitre_attack_techniques {
condition:

for 2 vt_behaviour_mitre_attack_techniques in vt.behaviour.mitre_attack_techniques: (
vt_behaviour_mitre_attack_techniques.id == "T1222" // set file attributes
or vt_behaviour_mitre_attack_techniques.id == "T1083" // get file system object information
)
}


When contributing to the Capa rules open source project, you’ll influence the behaviors and capabilities that VirusTotal extracts and indexes for all executables.

That’s a pretty big impact!

GoReSym

GoReSym is a very useful tool for analyzing Go samples, parsing the binary to extract all kinds of valuable metadata. Some of this information includes function names, the Go version used to compile a binary, compiler flags, and much more. The tool is designed to be resilient in the face of malformed binaries, such as those that result from manually unpacking malware samples. Below is an example of the kind of output you’ll now see from this tool in VirusTotal:

[Image: wWjroFbB2gIMafAOeIYg9eUXIK00Qwvt9e8b8Ii8...aQQ=s16000]

Here you can find an example:

https://www.virustotal.com/gui/file/7e26...0e/details
...
Continue Reading
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
QOwnNotes 19.1.6
24.12.4 The wel...Kool — 12:56
INTEL Arc Graphics 32.0.101.6325/6253 dr...
Highlights Fix...harlan4096 — 11:06
GFYI [Official] Revo Uninstaller Pro v5...
"Share feedback...damien76 — 09:01
GFYI [Official] SpyShelter PRO v15 Chri...
Merry Christmas and ...damien76 — 08:56
GFYI [Official] IObit Christmas 2024 Bl...
Merry Christmas and ...damien76 — 08:54

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
No upcoming birthdays.

[-]
Online Staff
There are no staff members currently online.

>