
Support Parsing VMRay Log flog.txt for capa #2452

Open

r0ny123 opened this issue Oct 8, 2024 · 2 comments

Labels: enhancement (New feature or request), vmray (related to VMRay sandbox report analysis)

Comments

r0ny123 commented Oct 8, 2024

Following up on the recent discussion, I suggest adding support for capa to parse the flog.txt file from the VMRay sandbox output. Since this file is freely available for download, it would help make capa more accessible to those who can’t get the full ZIP archive. While XML is easier to parse, supporting flog.txt would be a great addition.

williballenthin (Collaborator) commented

Example of accessing a free log: VMRay website -> threat feed -> select entry -> full report -> Download Function Log

I'm not sure if these reports are indexed and easy to search for without a subscription.

[screenshot not included]

The flog.txt file contains a list of process entries, each with a bunch of Region entries, like:

[screenshot not included]

and then Thread entries, that look like an API trace:

[screenshot not included]

It's pretty unstructured, but can probably be parsed somewhat easily. The first example file I pulled was 11MB and 120k lines.
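The comment above describes flog.txt only in screenshots that did not survive extraction, so the exact line format is not on this page. The following is an added example (not capa's code and not VMRay's documented format) of how a section-oriented parser for that kind of log could be structured: `Process:` blocks that hold `Region:` lines and `Thread:` blocks whose lines are API calls. The sample log, the `Process:`/`Region:`/`Thread:` keywords, the `key = value` lines and the `[timestamp] name (args) returned value` call syntax are all constructed assumptions for illustration; a real implementation would replace the regexes with ones derived from actual flog.txt files.

```python
"""Added example: a line-oriented state-machine parser for a VMRay-style
function log. The layout below is a CONSTRUCTED stand-in for flog.txt; every
keyword and field name is an assumption, not VMRay's documented format."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input (assumed layout, not a real VMRay log).
SAMPLE_FLOG = """\
Process:
    id = 1
    image_name = "sample.exe"
    Region:
        id = 10
        start_va = 0x400000
        end_va = 0x40ffff
        name = "sample.exe"
    Region:
        id = 11
        start_va = 0x7ff00000
        end_va = 0x7ff0ffff
        name = "kernel32.dll"
    Thread:
        id = 100
        [0010.001] GetProcAddress (hModule=0x7ff00000, lpProcName="VirtualAlloc") returned 0x7ff01234
        [0010.002] VirtualAlloc (lpAddress=0x0, dwSize=0x1000) returned 0x500000
Process:
    id = 2
    image_name = "child.exe"
    Thread:
        id = 200
        [0020.001] CreateFileW (lpFileName="a.txt") returned 0x88
"""

KV_RE = re.compile(r"^(\w+)\s*=\s*(.+)$")
CALL_RE = re.compile(
    r"^\[(?P<ts>[\d.]+)\]\s+(?P<name>\w+)\s+\((?P<args>.*)\)\s+returned\s+(?P<ret>\S+)$"
)
ARG_RE = re.compile(r'(\w+)=("[^"]*"|[^,]+)')


@dataclass
class Region:
    id: int
    start_va: int
    end_va: int
    name: str


@dataclass
class ApiCall:
    thread_id: int
    name: str
    args: dict
    ret: object


@dataclass
class Process:
    id: int
    image_name: str
    regions: list = field(default_factory=list)
    calls: list = field(default_factory=list)


def _coerce(value: str):
    """Turn a raw token into str / int: strip quotes, decode hex and decimal."""
    value = value.strip()
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if value.lower().startswith("0x"):
        return int(value, 16)
    if value.isdigit():
        return int(value)
    return value


def parse_flog(text: str) -> list[Process]:
    """Walk the log line by line, tracking which block kind we are inside."""
    processes: list[Process] = []
    proc: Process | None = None
    region: Region | None = None
    thread_id = -1
    state = None  # "process" | "region" | "thread"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == "Process:":
            proc = Process(id=-1, image_name="")
            processes.append(proc)
            state = "process"
            continue
        if proc is None:
            raise ValueError(f"line {lineno}: content before the first Process block")
        if line == "Region:":
            region = Region(id=-1, start_va=0, end_va=0, name="")
            proc.regions.append(region)
            state = "region"
            continue
        if line == "Thread:":
            thread_id = -1
            state = "thread"
            continue
        m = CALL_RE.match(line)
        if m:
            if state != "thread":
                raise ValueError(f"line {lineno}: API call outside a Thread block")
            args = {k: _coerce(v) for k, v in ARG_RE.findall(m["args"])}
            proc.calls.append(ApiCall(thread_id, m["name"], args, _coerce(m["ret"])))
            continue
        m = KV_RE.match(line)
        if m:
            key, value = m[1], _coerce(m[2])
            if state == "thread":
                if key == "id":
                    thread_id = value
            else:
                target = proc if state == "process" else region
                # Unknown keys are ignored: a real log carries many more fields.
                if target is not None and key in target.__dataclass_fields__:
                    setattr(target, key, value)
            continue
        raise ValueError(f"line {lineno}: unrecognised line {line!r}")
    return processes


def region_for_address(proc: Process, va: int) -> Region | None:
    """Map a virtual address back to the region (module) that contains it."""
    for r in proc.regions:
        if r.start_va <= va <= r.end_va:
            return r
    return None


def api_names_by_process(processes: list[Process]) -> dict:
    """The per-process API sequence is the kind of feature capa matches on."""
    return {p.image_name: [c.name for c in p.calls] for p in processes}


if __name__ == "__main__":
    for image, names in api_names_by_process(parse_flog(SAMPLE_FLOG)).items():
        print(image, "->", names)
```

The parser is deliberately strict about lines it does not recognise (it raises rather than silently skipping) so that a mismatch between the assumed grammar and a real 120k-line file surfaces immediately; once the real format is known, the three regexes and the block keywords are the only parts that should need changing.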

williballenthin added the labels enhancement (New feature or request) and vmray (related to VMRay sandbox report analysis) on Oct 8, 2024
williballenthin (Collaborator) commented

initial experiments over here: https://github.com/mandiant/capa/compare/feat/vmray-flog
