Description
I recently analyzed some Cobalt Strike shellcode (VT Link) in Malcat, and its capa integration correctly identified several capabilities. However, running the standalone capa.exe with the same shellcode sample did not detect any capabilities.
Steps to Reproduce
- I loaded the shellcode into Malcat (I understand you may not have access to this product).
- I ran Malcat's capa integration to analyze the shellcode. This produced the following output:

- I ran the standalone capa.exe command: `capa.exe -r C:\Tools\capa-rules -f sc64 scwow.bin`
**Note:** I used capa.exe version 7.40 and the latest rules from GitHub.
Expected behavior:
The standalone capa.exe should identify the same capabilities as Malcat’s capa integration.
Actual behavior:
The standalone capa.exe returned "no capabilities found".
Versions
Malcat: Appears to use capa 4.0.1.
Standalone capa.exe: Version 7.40. I also downloaded and tested capa.exe version 4.0.1 to see if the issue was specific to newer versions, but it also identified no capabilities.
Capa Rules: Cross-checked rules like reference-http-user-agent-string.yml and resolve-function-by-parsing-pe-exports.yml between Malcat and the up-to-date versions on GitHub, with no significant differences identified.
All of this testing was done on a Windows 10 Enterprise VM.
If any additional screenshots or details are needed, please let me know. Thank you!