Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for VMRay sandbox results for capa dynamic analysis #2148

Closed
10 tasks done
mr-tz opened this issue Jun 14, 2024 · 4 comments
Closed
10 tasks done

Add support for VMRay sandbox results for capa dynamic analysis #2148

mr-tz opened this issue Jun 14, 2024 · 4 comments
Labels
dynamic related to dynamic analysis flavor vmray related to VMRay sandbox report analysis
Milestone
v7.3

Comments

@mr-tz
Copy link
Collaborator

mr-tz commented Jun 14, 2024
edited
Loading

We're working on adding support to parse VMRay result files for capa dynamic processing.

To add this functionality tasks include:

  • identify relevant VMRay files, so far flog.xml and summary_v2.json
  • add the respective pydantic models to parse relevant data
  • add a VMRayExtractor
    • add base extractor
    • add scope extractors

Tasks
Beta Give feedback
@mr-tz mr-tz added dynamic related to dynamic analysis flavor vmray related to VMRay sandbox report analysis labels Jun 14, 2024
@mike-hunhoff
Copy link
Collaborator

The source file appears to be stored under <archive>/internal/static_anlayses/<sha256>/objects/files/<sha256>. We'll need to reference the source file to emit string features at the file scope as this information doesn't appear to be stored elsewhere

@mike-hunhoff
Copy link
Collaborator

The VMRay analysis archive contains memory dumps for all monitored processes. We should consider emitting features, e.g. string, from all or a subset of these memory dumps to help detect capabilities. Performance may be an issue here as VMRay generates MANY memory dumps during execution and most appear to be junk. We may be able to narrow our focus to the initial process created for the target sample, although we could be missing interesting data in the child processes.

@williballenthin williballenthin added this to the v7.2 milestone Jul 24, 2024
@mr-tz
Copy link
Collaborator Author

mr-tz commented Aug 27, 2024

closed via #2208

@mr-tz mr-tz closed this as completed Aug 27, 2024
@mr-tz
Copy link
Collaborator Author

mr-tz commented Aug 27, 2024

The VMRay analysis archive contains memory dumps for all monitored processes. We should consider emitting features, e.g. string, from all or a subset of these memory dumps to help detect capabilities. Performance may be an issue here as VMRay generates MANY memory dumps during execution and most appear to be junk. We may be able to narrow our focus to the initial process created for the target sample, although we could be missing interesting data in the child processes.

@mike-hunhoff should we track this separately?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
dynamic related to dynamic analysis flavor vmray related to VMRay sandbox report analysis
Projects
None yet
Milestone
v7.3
Development

No branches or pull requests
3 participants
@williballenthin @mr-tz @mike-hunhoff