Posts: 12,772
Threads: 8,830
Thanks Received: 8,729 in 6,890 posts
Thanks Given: 9,628
Joined: 12 September 18
27 January 23, 08:18
Quote:
VirusTotal, the world’s largest crowdsourced threat intelligence platform, is made possible thanks to a large community of security practitioners and vendors who integrate into our platform their best security tools. We are happy to announce the inclusion of two remarkable additions, both already having wide acceptance in the security community: Capa and GoReSym from Mandiant’s FLARE team.
CAPA
Capa provides a human readable explanation of what a suspicious binary might do and describes the evidence that it found. This gives analysts a high level understanding without the need of going into time consuming Reverse Engineering. We now run Capa against all PE and ELF files submitted to VirusTotal and display the results under the behavior tab.
![[Image: c_K_5JKdT2xN8LKiIujY8tw3p8XCsnbf-TUa03-d...kvA=s16000]](https://lh4.googleusercontent.com/c_K_5JKdT2xN8LKiIujY8tw3p8XCsnbf-TUa03-dwdisH3KhOLKMN_pXLHMZ8VOesEIX6ItJHzh-FLu6FyEZvN-s63vzAhV8FFdLaOsvJfetDo_14HFspruSg98kKqdqlf1_Lln4n-mdPyhHnVJy4FUs7qUpZsd8wCgf-PncwQ6VU2kPZhao8KBpdEdkgZuiBrnq5BZsv2Dy8Yc1UeP_8Pn0Iq0AgxMzyHnkvA=s16000)
Here you can find an example:
https://www.virustotal.com/gui/file/5689...d/behavior
Because we map the Capa results into ATT&CK Tactics and Techniques, you can pivot across them, making it easy to find other malware samples with the same behaviors. You can also create YARA rules for VirusTotal LiveHunt to get notified when any new file matching the same ATT&CK Tactics and Techniques is uploaded to VirusTotal. For example:
import "vt"
rule capa_mitre_attack_techniques {
condition:
for 2 vt_behaviour_mitre_attack_techniques in vt.behaviour.mitre_attack_techniques: (
vt_behaviour_mitre_attack_techniques.id == "T1222" // set file attributes
or vt_behaviour_mitre_attack_techniques.id == "T1083" // get file system object information
)
}
When contributing to the Capa rules open source project, you’ll influence the behaviors and capabilities that VirusTotal extracts and indexes for all executables.
That’s a pretty big impact!
GoReSym
GoReSym is a very useful tool for analyzing Go samples, parsing the binary to extract all kinds of valuable metadata. Some of this information includes function names, the Go version used to compile a binary, compiler flags, and much more. The tool is designed to be resilient in the face of malformed binaries, such as those that result from manually unpacking malware samples. Below is an example of the kind of output you’ll now see from this tool in VirusTotal:
![[Image: wWjroFbB2gIMafAOeIYg9eUXIK00Qwvt9e8b8Ii8...aQQ=s16000]](https://lh6.googleusercontent.com/wWjroFbB2gIMafAOeIYg9eUXIK00Qwvt9e8b8Ii8nUdbTtg60csNlR3fEhy6eCVoGQZx2S6FYhqRrddAXMmZ93O8VRrH9Yfk1bGNNM4RRrwmZ2E7Ur-mbsR2730kajPKR9dysxUi9DFQDcGF81A3lJsoSSAqHsUGDKeDZ55EJTqTgNA4sdHgL7UFzTmpfCvYclWMmFIT3QCBEsdcgS0rOBHNksHytZQu83gaQQ=s16000)
Here you can find an example:
https://www.virustotal.com/gui/file/7e26...0e/details
...
Continue Reading
Mandiant's CAPA + GoReSym to reinforce VT's capabilities
![[Image: Logo_VT_Horizontal.png]](https://1.bp.blogspot.com/-eNrJ344ipwk/XlaW63OVy9I/AAAAAAAAAF8/anLh0cnZwE8cYShNrki1m_Qm9Jx8Hw-5ACK4BGAYYCw/s1600/Logo_VT_Horizontal.png){kind=logo}
![[-]](https://www.geeks.fyi/images/collapse.png "[-]")
