Analyze just stops and does not give any output
C:\Users\admin\Downloads\capa-v9.2.1-windows>capa.exe cat.exe
⠦ analyzing program...
C:\Users\admin\Downloads\capa-v9.2.1-windows>
Context: this malware is packed with VMProtect and is heavily obfuscated. I don't know if that might have an impact on results.
Can you try re-running with --debug and sharing the log?
Here is the debug output:
PS C:\Users\admin\Downloads\capa-v9.2.1-windows> cmd
Microsoft Windows [Version 10.0.26100.4061]
(c) Microsoft Corporation. All rights reserved.
C:\Users\admin\Downloads\capa-v9.2.1-windows>capa.exe cat.unpacked1.exe --debug
DEBUG capa: -------------------------------------------------------------------------------- main.py:475
DEBUG capa: Using default embedded rules. main.py:476
DEBUG capa: To provide your own rules, use the form: main.py:477
DEBUG capa: main.py:478
DEBUG capa: `capa.exe -r ./path/to/rules/ /path/to/mal.exe`. main.py:479
DEBUG capa: main.py:480
DEBUG capa: You can see the current default rule set here: main.py:481
DEBUG capa: main.py:482
DEBUG capa: https://github.com/mandiant/capa-rules main.py:483
DEBUG capa: -------------------------------------------------------------------------------- main.py:484
DEBUG capa.rules: reading rules from directory C:\Users\admin\AppData\Local\Temp\_MEI193282\rules __init__.py:2167
DEBUG capa.rules.cache: loading rule set from cache: cache.py:157
C:\Users\admin\AppData\Local\Temp\_MEI193282\cache\capa-587efddf.cache
DEBUG capa: successfully loaded 995 rules main.py:693
DEBUG capa.capabilities.common: analyzed file and extracted 142700 features common.py:53
DEBUG capa: -------------------------------------------------------------------------------- main.py:825
DEBUG capa: Using default embedded signatures. main.py:826
DEBUG capa: To provide your own signatures, use the form `capa.exe --signature ./path/to/signatures/ main.py:827
/path/to/mal.exe`.
DEBUG capa: -------------------------------------------------------------------------------- main.py:830
DEBUG capa.loader: reading signatures from directory C:\Users\admin\AppData\Local\Temp\_MEI193282\sigs loader.py:436
DEBUG capa.loader: found signature file: loader.py:449
C:\Users\admin\AppData\Local\Temp\_MEI193282\sigs\1_flare_msvc_rtf_32_64.sig
DEBUG capa.loader: found signature file: loader.py:449
C:\Users\admin\AppData\Local\Temp\_MEI193282\sigs\2_flare_msvc_atlmfc_32_64.sig
DEBUG capa.loader: found signature file: loader.py:449
C:\Users\admin\AppData\Local\Temp\_MEI193282\sigs\3_flare_common_libs.sig
DEBUG capa: format: pe main.py:867
DEBUG capa: backend: vivisect main.py:868
DEBUG viv_utils.idaloader: failed to import IDA Pro modules idaloader.py:24
DEBUG capa.loader: generating vivisect workspace for: cat.unpacked1.exe loader.py:160
DEBUG viv_utils.flirt: perf: flirt: parsing .sig: flirt.py:28
C:\Users\admin\AppData\Local\Temp\_MEI193282\sigs\1_flare_msvc_rtf_32_64.sig: 0.30s
DEBUG viv_utils.flirt: flirt: sig count: 210632 flirt.py:355
DEBUG viv_utils.flirt: perf: flirt: compiling sigs: 0.81s flirt.py:28
DEBUG viv_utils.flirt: registering viv function analyzer: FlirtFunctionAnalyzer flirt.py:361
(C:\Users\admin\AppData\Local\Temp\_MEI193282\sigs\1_flare_msvc_rtf_32_64.sig)
DEBUG viv_utils.flirt: perf: flirt: parsing .sig: flirt.py:28
C:\Users\admin\AppData\Local\Temp\_MEI193282\sigs\2_flare_msvc_atlmfc_32_64.sig: 0.59s
DEBUG viv_utils.flirt: flirt: sig count: 381783 flirt.py:355
DEBUG viv_utils.flirt: perf: flirt: compiling sigs: 1.38s flirt.py:28
DEBUG viv_utils.flirt: registering viv function analyzer: FlirtFunctionAnalyzer flirt.py:361
(C:\Users\admin\AppData\Local\Temp\_MEI193282\sigs\2_flare_msvc_atlmfc_32_64.sig)
DEBUG viv_utils.flirt: perf: flirt: parsing .sig: flirt.py:28
C:\Users\admin\AppData\Local\Temp\_MEI193282\sigs\3_flare_common_libs.sig: 0.20s
DEBUG viv_utils.flirt: flirt: sig count: 119337 flirt.py:355
DEBUG viv_utils.flirt: perf: flirt: compiling sigs: 0.47s flirt.py:28
DEBUG viv_utils.flirt: registering viv function analyzer: FlirtFunctionAnalyzer flirt.py:361
(C:\Users\admin\AppData\Local\Temp\_MEI193282\sigs\3_flare_common_libs.sig)
C:\Users\admin\Downloads\capa-v9.2.1-windows>
Thank you for the assistance.
Try unpacking it with this: https://github.com/Veysel072/VMPUnpacker. Then try again for better debugging if you think the reason is VMProtect.
@Siradankullanici, see the debug output; I think he had already unpacked it.
@1ronman101, can you share the malware sample? I am interested in this issue.
Is that all the output? It seems weird that it just stops at that point. Or did you clip/terminate it?
I have this exact issue, running it on a native machine and not a VM. Please help resolve it.
Can you share the sample?
What happens when you run with -d/--debug?