TryHackMe — CAPA: The Basics | Cyber Security 101 (THM)

rutbar · 5 min read · Oct 23, 2024

Tool Overview: How CAPA Works

Using CAPA:

  1. Open PowerShell (it may take time for the prompt to appear).
  2. Navigate to the correct directory: C:\Users\Administrator\Desktop\capa.
  3. Run capa or capa.exe, pointing to the binary file (e.g., cryptbot.bin).

After running the command, wait for the results; the analysis may take several minutes. While it runs you can move on with the task, or stop the process.

  1. What command-line option would you use if you need to check what other parameters you can use with the tool? Use the shortest format.
    -h
  2. What command-line options are used to find detailed information on the malware’s capabilities? Use the shortest format.
    -v
  3. What command-line options do you use to find very verbose information about the malware’s capabilities? Use the shortest format.
    -vv
  4. What PowerShell command will you use to read the content of a file?
    Get-Content
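The three steps above and the four answers, put together as one PowerShell session. This is an added example, not part of the TryHackMe room or of the CAPA project: the directory and the sample name come from the text, while the output file names and the final filter are assumptions made here so the slow analysis only has to be run once and the saved report can be re-read with Get-Content.

```powershell
# Added example: run CAPA from the room's directory and keep the reports on disk.
# Directory and sample name as given in the walkthrough; report file names are assumed.
Set-Location 'C:\Users\Administrator\Desktop\capa'

# Question 1: list the available parameters.
.\capa.exe -h

# Default run: prints the capability table plus the MITRE ATT&CK and MAEC blocks.
# Tee-Object shows the output and writes it to a file at the same time.
$sample = '.\cryptbot.bin'
.\capa.exe $sample | Tee-Object -FilePath '.\cryptbot_default.txt'

# Questions 2 and 3: verbose (-v) and very verbose (-vv) runs add the rule
# details and match locations behind each capability. Both take minutes, so
# save them instead of re-running later.
.\capa.exe -v  $sample | Out-File -FilePath '.\cryptbot_v.txt'  -Encoding utf8
.\capa.exe -vv $sample | Out-File -FilePath '.\cryptbot_vv.txt' -Encoding utf8

# Question 4: read a saved report back. Here only the lines of the first block
# that carry the file's hashes are picked out (filter pattern assumed).
Get-Content '.\cryptbot_default.txt' | Select-String -Pattern 'md5|sha1|sha256'
```

Keeping the -v and -vv reports as files means later tasks that dissect the results block by block can be answered with Get-Content and Select-String rather than waiting for another full run.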

Dissecting CAPA Results Part 1: General Information, MITRE and MAEC

The results of running CAPA against cryptbot.bin will be discussed in subsequent tasks, dissecting the results per block and topic.

The first block contains basic information about the file:

  • Cryptographic hash values of the file: md5, sha1, sha256.
  • Static field: how CAPA…
