Capa is designed to identify capabilities within executable files.
It analyzes several input types, including PE, ELF, .NET modules, shellcode, and sandbox reports, to determine what a program can do, such as operating as a backdoor, installing services, or using HTTP for communication.
Capa offers both a command-line interface and a web interface for interactive result inspection. It also integrates with sandboxes like CAPE, DRAKVUF, and VMRay for dynamic analysis, and with disassemblers such as IDA Pro and Ghidra, so analysts can conduct in-depth investigations directly within their preferred environments.