Analyzing malware means not only classifying a sample but also understanding what it does when it runs on a system. That takes either manual reverse engineering or automated analysis tooling. Intezer Analyze is aimed at both experienced reverse engineers and entry-level analysts, making the triage of suspicious files easier.
Intezer Analyze recently added a feature that extracts a file's capabilities and maps them to known Tactics, Techniques, and Procedures (TTPs). It is powered by capa, an open-source project from FireEye's FLARE team that statically analyzes Windows Portable Executable (PE) files: it extracts features such as imported APIs, strings, and constants, matches them against a library of rules, and reports each matched capability together with its MITRE ATT&CK mapping.
Intezer Analyze also detects code reuse between Executable and Linkable Format (ELF) files. To support them, capa's feature extraction was extended to ELF binaries and rules specific to Linux ELF samples were written. Those changes were contributed back upstream, so both Analyze users and capa users benefit.
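To make the two paragraphs above concrete, the following is an added illustration (not Intezer's or capa's own code) of what a capa-style capability engine does: it recognizes the file format from the header (the part that had to be taught about ELF), extracts simple features (here only printable strings; real capa also uses disassembly, imports, and constants), evaluates a boolean rule tree over those features, and reports the matched capabilities with their ATT&CK technique. The rule names, the `substring`/`string`/`format` feature vocabulary, and the sample byte strings are constructed for this example; the ATT&CK technique IDs are real, but the rules are not taken from capa's rule repository.

```python
"""Minimal capa-style capability matcher (added example, not capa's own code)."""
import re
import struct

ELF_MAGIC = b"\x7fELF"
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"


def detect_format(data: bytes) -> str:
    """Classify a blob as 'elf', 'pe' or 'unknown' from its headers."""
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(MZ_MAGIC) and len(data) >= 0x40:
        # e_lfanew (offset 0x3c of the DOS header) points at the PE signature;
        # "MZ" alone is not enough, a DOS-only stub is not a PE file.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
            return "pe"
    return "unknown"


def extract_features(data: bytes, min_len: int = 5) -> dict:
    """Feature set for the rule engine: the file format plus printable ASCII runs."""
    strings = {m.group().decode("ascii")
               for m in re.finditer(rb"[ -~]{%d,}" % min_len, data)}
    return {"format": detect_format(data), "strings": strings}


# Constructed rules in capa's spirit (not real capa rules): each is a boolean
# tree over features and carries the ATT&CK technique it maps to.
RULES = [
    {
        "name": "enumerate processes via procfs",
        "attack": "Discovery::Process Discovery [T1057]",
        "features": {"and": [{"format": "elf"}, {"substring": "/proc/"}]},
    },
    {
        "name": "execute shell command",
        "attack": "Execution::Command and Scripting Interpreter [T1059]",
        "features": {"or": [{"string": "/bin/sh"}, {"string": "cmd.exe"}]},
    },
    {
        "name": "collect host information",
        "attack": "Discovery::System Information Discovery [T1082]",
        "features": {"and": [{"not": {"format": "unknown"}}, {"string": "uname"}]},
    },
]


def evaluate(node: dict, features: dict) -> bool:
    """Recursively evaluate a rule node against the extracted features."""
    (key, value), = node.items()
    if key == "and":
        return all(evaluate(child, features) for child in value)
    if key == "or":
        return any(evaluate(child, features) for child in value)
    if key == "not":
        return not evaluate(value, features)
    if key == "format":
        return features["format"] == value
    if key == "string":          # exact match on an extracted string
        return value in features["strings"]
    if key == "substring":       # match anywhere inside an extracted string
        return any(value in s for s in features["strings"])
    raise ValueError(f"unsupported feature: {key}")


def analyze(data: bytes) -> dict:
    """Return the detected format and the (name, ATT&CK) pairs of matched rules."""
    features = extract_features(data)
    matches = [(r["name"], r["attack"]) for r in RULES
               if evaluate(r["features"], features)]
    return {"format": features["format"], "capabilities": matches}


# Constructed inputs: valid magic bytes plus a few null-separated strings,
# not real samples.
SAMPLE_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9 \
    + b"/proc/self/cmdline\0/bin/sh\0uname\0"
SAMPLE_PE = MZ_MAGIC + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) \
    + PE_SIGNATURE + b"\0" * 20 + b"cmd.exe\0"

if __name__ == "__main__":
    for label, blob in (("elf", SAMPLE_ELF), ("pe", SAMPLE_PE)):
        print(label, analyze(blob))
```

The ELF sample matches all three rules, the PE sample only the shell-command rule (the procfs rule is gated on `format: elf`, which is the same mechanism capa uses to keep OS-specific rules from firing on the wrong file type), and a blob with neither header matches nothing. In real capa the feature extractor is the expensive and format-specific part; the rule evaluation is exactly this kind of tree walk.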
Combining the capabilities capa extracts with Intezer Analyze's detection of malicious code reuse is powerful. By correlating capabilities with code genes, analysts can see which code is shared between malware families, attribute a new sample to a previously known threat, and determine which functionality different variants have in common.
In conclusion, capability analysis for both PE and ELF files gives Intezer Analyze a more complete picture of a sample. Correlating code gene analysis with file capabilities lets analysts understand malware behavior more deeply and trace connections between malware families. This was made possible by extending capa's support to ELF files and contributing that work upstream, a good example of how open-source collaboration benefits the security community.