def __init__(self, *args, **kwargs):
     """Initialise per-analysis state on top of ``Signature`` (base class not shown here)."""
     Signature.__init__(self, *args, **kwargs)
     # Hex-digit alphabet in both letter cases; presumably used to validate hash-like strings.
     self.chars = "0123456789ABCDEFabcdef"
     self.crypthash = ""
     self.filehit = False
     self.mutexhit = False
     # Most recently seen API name (empty until the first callback runs) — inferred from the name.
     self.lastapi = ""
 def __init__(self, *args, **kwargs):
     """Initialise the indicator-of-compromise scratch record for this signature."""
     Signature.__init__(self, *args, **kwargs)
     # Keyword form builds the same dict with the same key order as the literal.
     self.ioc = dict(
         explorerExeFileHandle=None,
         confFileName=None,
         openConfig=False,
         matchRegKey=False,
         matchConfig=False,
     )
 def __init__(self, *args, **kwargs):
     """Initialise tracking flags and record the sandbox machine's ComputerName."""
     Signature.__init__(self, *args, **kwargs)
     self.cryptoapis = False
     self.networkapis = set()
     self.syncapis = False
     # ComputerName is taken from the environment of the first monitored process;
     # get_environ_entry / get_initial_process are base-class helpers not shown here.
     first_proc = self.get_initial_process()
     self.compname = self.get_environ_entry(first_proc, "ComputerName")
 def __init__(self, *args, **kwargs):
     """Initialise counters and flags; all start at their zero/empty values."""
     Signature.__init__(self, *args, **kwargs)
     self.vawtrakauto = False
     self.eventtrigger = False
     self.eventcount = 0
     self.malscore = 0
     self.lastcall = ""
 def __init__(self, *args, **kwargs):
     """Initialise unhook tracking and note whether the target is a URL rather than a file."""
     Signature.__init__(self, *args, **kwargs)
     self.saw_unhook = False
     self.unhook_info = set()
     # Anything other than a "file" category is treated as a URL analysis.
     # Direct indexing keeps the original behaviour: a missing key raises KeyError.
     self.is_url_analysis = self.results["target"]["category"] != "file"
 def __init__(self, *args, **kwargs):
     """Initialise handle bookkeeping used to spot mimicked processes (name-inferred)."""
     Signature.__init__(self, *args, **kwargs)
     self.lastprocess = 0
     self.handles = {}
     self.old_handles = []
     self.saw_mimic = False
     self.mimics = set()
 def __init__(self, *args, **kwargs):
     """Record the lower-cased path of the initial monitored executable, if any."""
     Signature.__init__(self, *args, **kwargs)
     first_proc = self.get_initial_process()
     # None when there is no initial process; otherwise its module path, lower-cased
     # so later comparisons are case-insensitive.
     self.initialpath = first_proc["module_path"].lower() if first_proc else None
 def __init__(self, *args, **kwargs):
     """Initialise the API names and page-protection constants this signature watches."""
     Signature.__init__(self, *args, **kwargs)
     self.allocated_addresses = []
     # Memory allocation and protection-change APIs of interest.
     self.alloc_apis = ["VirtualAllocEx", "NtAllocateVirtualMemory"]
     self.protect_apis = ["NtProtectVirtualMemory", "VirtualProtectEx"]
     # Protection constants implying writable / executable pages (kept as tuples).
     self.write_constants = (
         "PAGE_READWRITE",
         "PAGE_EXECUTE_WRITECOPY",
         "PAGE_WRITECOPY",
     )
     self.execute_constants = (
         "PAGE_EXECUTE_WRITECOPY",
         "PAGE_EXECUTE_READ",
         "PAGE_EXECUTE",
     )
 def __init__(self, *args, **kwargs):
     """Initialise the indicator-of-compromise scratch record for this signature."""
     Signature.__init__(self, *args, **kwargs)
     # Keyword form builds the same dict with the same key order as the literal.
     self.ioc = dict(
         initProcessName=None,
         countMoveFiles=0,
         matchRegKey=False,
         writeExeFile=False,
         createProcess=False,
     )
 def __init__(self, *args, **kwargs):
     """Zero the call-index counters this signature advances while scanning."""
     Signature.__init__(self, *args, **kwargs)
     # Chained assignment of an immutable 0 — every attribute starts at zero.
     self.lastprocess = self.systimeidx = self.getsystimeidx = 0
     self.exitidx = self.curidx = 0
 def __init__(self, *args, **kwargs):
     """Initialise state and disable the check for office/document-style packages."""
     Signature.__init__(self, *args, **kwargs)
     self.programs = set()
     # Substring match against the analysis package name (e.g. "doc" also matches "docx").
     package = self.results["info"]["package"]
     self.check = not any(tag in package for tag in ("ppt", "doc", "xls", "eml", "pdf"))
 def __init__(self, *args, **kwargs):
     """Clear the five indicator flags this signature raises while scanning."""
     Signature.__init__(self, *args, **kwargs)
     self.exec_policy = self.user_profile = False
     self.hidden_window = self.b64_encoded = False
     self.filedownload = False
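 def __init__(self, *args, **kwargs):
     """Initialise state; ignore the analysis when the target is a PE32 executable file.

     The file-type lookup uses ``.get`` throughout (matching the other signatures
     on this page) so a result record without ``file``/``type`` no longer raises
     KeyError/TypeError from the constructor.
     """
     Signature.__init__(self, *args, **kwargs)
     self.ignore = False
     self.pname = []
     target = self.get_results("target", {})
     if target.get("category") == "file":
         file_info = target.get("file", {})
         # ``or ""`` also covers an explicit None value for "type".
         self.ignore = "PE32 executable" in (file_info.get("type") or "")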
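 def __init__(self, *args, **kwargs):
     """Record the lower-cased path of the first monitored process, if any.

     Uses ``.get`` for the ``behavior``/``processes`` lookup so an analysis with
     no behaviour section leaves ``initialpath`` as None instead of raising
     KeyError, and tests the list's truthiness rather than ``len()``.
     """
     Signature.__init__(self, *args, **kwargs)
     self.initialpath = None
     processes = self.results.get("behavior", {}).get("processes", [])
     if processes:
         # Lower-cased so later path comparisons are case-insensitive.
         self.initialpath = processes[0]["module_path"].lower()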
 def __init__(self, *args, **kwargs):
     """Initialise tracking state and record the sandbox machine's ComputerName."""
     Signature.__init__(self, *args, **kwargs)
     self.cryptInfo = False
     self.campaign = ""
     self.buffers = set()
     # Pulled from the first monitored process's environment via base-class helpers.
     first_proc = self.get_initial_process()
     self.compname = self.get_environ_entry(first_proc, "ComputerName")
 def __init__(self, *args, **kwargs):
     """Initialise C2 tracking state and the URL pattern used to extract hosts."""
     Signature.__init__(self, *args, **kwargs)
     self.extcount = 0
     self.c2s = set()
     self.uristruct = False
     # Query-string parameter names expected in the beacon URI (name-inferred).
     self.urivars = ["sub", "addr", "size", "version", "os", "id", "inst_id"]
     # Same pattern as before, written as one literal. NOTE(review): the optional
     # (?:\d{1,5})? group has no ':' before it, so it cannot match a port — confirm intent.
     self.pat = r"(?:https?:\/\/)?(?:[\da-z\.-]+)\.(?:[0-9a-z\.]{2,6})(?:\d{1,5})?(?:[\/\w\.-]*)\/?"
 def __init__(self, *args, **kwargs):
     """Initialise state and note whether the submitted file is a PE32 executable."""
     Signature.__init__(self, *args, **kwargs)
     self.executed = []
     self.exe = False
     target = self.get_results("target", {})
     if target.get("category") != "file":
         return
     file_type = target.get("file", {}).get("type", "")
     self.exe = "PE32 executable" in file_type
 def __init__(self, *args, **kwargs):
     """Initialise per-window-class counters for the browsers this signature watches."""
     Signature.__init__(self, *args, **kwargs)
     # Browser window class names, each starting at a count of zero (same key order).
     self.class_names = dict.fromkeys(
         ("Internet Explorer_Hidden", "IEFrame", "Chrome_WidgetWin_1", "MozillaWindowClass"),
         0,
     )
 def __init__(self, *args, **kwargs):
     """Initialise decoy tracking, the office process list and the initial executable path."""
     Signature.__init__(self, *args, **kwargs)
     self.decoys = []
     # Office/reader executables whose activity is of interest (name-inferred).
     self.office_proc_list = [
         "wordview.exe",
         "winword.exe",
         "excel.exe",
         "powerpnt.exe",
         "outlook.exe",
         "acrord32.exe",
         "acrord64.exe",
     ]
     first_proc = self.get_initial_process()
     # Lower-cased path of the first monitored process, or None if there is none.
     self.initialpath = first_proc["module_path"].lower() if first_proc else None
 def __init__(self, *args, **kwargs):
     """Compile the HTML comment patterns that reveal a cloned (saved/mirrored) website."""
     Signature.__init__(self, *args, **kwargs)
     # Each pattern exposes the origin via the named group ``url``; case-insensitive.
     saved_from = re.compile(r"\<!--\ssaved\sfrom\surl=\(\d+\)(?P<url>[^\s]+)", re.I)
     mirrored_from = re.compile(r"<!--\smirrored\sfrom\s(?P<url>[^\s]+)\sby\sHTTrack", re.I)
     self.rex = {"saved from url": saved_from, "mirrored from": mirrored_from}
     self.hits = set()
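 def __init__(self, *args, **kwargs):
     """Initialise buffers and the Firefox prefs / IE AutoConfigURL patterns.

     The ``prefs\\.js`` fragment is now a raw string: as a plain literal the
     ``\\.`` escape is invalid (a SyntaxWarning on recent Python and an error in
     future versions). The resulting pattern text is byte-identical.
     """
     Signature.__init__(self, *args, **kwargs)
     self.pathbuf = ""
     self.keybuf = ""
     # Regex for a Firefox profile prefs.js path on any drive letter.
     self.configpath = (r"^[A-Za-z]:\\.*\\Mozilla\\Firefox\\Profiles\\.*\\"
                        r"prefs\.js")
     # Regex for the Internet Settings AutoConfigURL value (proxy auto-config).
     self.configkey = (r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\"
                       r"CurrentVersion\\Internet Settings\\AutoConfigURL")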
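 def __init__(self, *args, **kwargs):
     """Initialise URL tracking, the GUID pattern and the download whitelist.

     ``guidpat`` is now a raw string: ``\\{`` and ``\\}`` are invalid escapes in a
     plain literal (SyntaxWarning on recent Python). The pattern text is unchanged.
     """
     Signature.__init__(self, *args, **kwargs)
     self.urls = set()
     self.badpid = ""
     # Upper-case, brace-wrapped GUID such as {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}.
     self.guidpat = r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}"
     # URL prefixes that are not reported.
     self.whitelist = [
         "http://download.oracle.com/",
     ]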
 def __init__(self, *args, **kwargs):
     """Initialise the collections this signature fills while scanning."""
     Signature.__init__(self, *args, **kwargs)
     self.volumes, self.hashes = set(), set()
     self.c2s, self.payment = set(), set()
     self.found = 0
     # Query-string fragments looked for in URLs (name-inferred).
     self.keywords = ["id=", "act=", "lang="]
     self.sigchanged = False
 def __init__(self, *args, **kwargs):
     """Initialise section/event tracking plus injection and C2 process ids."""
     Signature.__init__(self, *args, **kwargs)
     self.sections, self.events = set(), set()
     # Process ids start at 0 (same as int()).
     self.injPid = self.c2Pid = 0
     self.lastConnect = ""
     self.c2s = []
     self.ret = False
 def __init__(self, *args, **kwargs):
     """Initialise the (phrase, category) lure table and the hit counter."""
     Signature.__init__(self, *args, **kwargs)
     infection = "Malware/Infection"
     # Each entry pairs a lure phrase with the scam category it indicates.
     self.lures = [
         ("debug malware error", infection),
         ("contact microsoft certified", infection),
         ("non bootable situation", infection),
         ("your paypal id or password was entered incorrectly", "PayPal"),
     ]
     self.totalhits = 0
 def __init__(self, *args, **kwargs):
     """Initialise handle tracking and flag office-style analysis packages."""
     Signature.__init__(self, *args, **kwargs)
     self.handles = {}
     self.lastprocess = 0
     self.stealth_files = []
     # Substring match against the package name (e.g. "doc" also matches "docx").
     package = self.results["info"]["package"]
     self.is_office = any(tag in package for tag in ("ppt", "doc", "xls", "eml"))
 def __init__(self, *args, **kwargs):
     """Initialise per-pid tracking and the NSS API names treated as suspicious."""
     Signature.__init__(self, *args, **kwargs)
     self.pidTrack = {}
     self.readsSqlite = set()
     # NSS/PK11 calls associated with decrypting stored browser credentials.
     self.suspicious = ["PK11_CheckUserPassword", "PK11_Authenticate", "PK11SDR_Decrypt"]
 def __init__(self, *args, **kwargs):
     """Initialise the list of well-known shared sections to ignore (name-inferred)."""
     Signature.__init__(self, *args, **kwargs)
     self.lastprocess = None
     # All entries live under \BaseNamedObjects; stored lower-cased.
     prefix = "\\basenamedobjects\\"
     self.sharedsections = [
         prefix + name
         for name in (
             "shimsharedmemory",
             "windows_shell_global_counters",
             "msctf.shared.sfm.mih",
             "msctf.shared.sfm.amf",
             "urlzonessm_administrator",
             "urlzonessm_system",
         )
     ]
 def __init__(self, *args, **kwargs):
     """Initialise process tracking and flag office/script analysis packages."""
     Signature.__init__(self, *args, **kwargs)
     self.lastprocess = 0
     self.lastres = None
     self.processes = []
     # Substring match against the package name; note "js" matches any package containing it.
     package = self.results["info"]["package"]
     self.is_office = any(tag in package for tag in ("ppt", "doc", "xls", "eml", "js"))
 def __init__(self, *args, **kwargs):
     """Initialise C2 tracking state, the URL keyword list and the suspended-process map."""
     Signature.__init__(self, *args, **kwargs)
     self.c2s = []
     self.badPid = 0
     self.currentUrl = ""
     self.found = False
     # Fragments looked for in request URLs (name-inferred).
     self.keywords = ["guid", "build", "info", "ip", "type"]
     self.netSequence = 0
     self.suspended = {}
 def __init__(self, *args, **kwargs):
     """Clear the two indicator flags this signature raises."""
     Signature.__init__(self, *args, **kwargs)
     self.compressed_binary = self.config_copy = False
 def __init__(self, *args, **kwargs):
     """Initialise the list of hidden items collected while scanning (name-inferred)."""
     Signature.__init__(self, *args, **kwargs)
     self.hidden = []
 def __init__(self, *args, **kwargs):
     """Clear the transaction-related flags used to detect transacted hollowing."""
     Signature.__init__(self, *args, **kwargs)
     self.transaction_set = self.transaction_rollback = False
     self.transacted_hollowing = False
 def __init__(self, *args, **kwargs):
     """Initialise the matched-file set and the stealer-seen flag."""
     Signature.__init__(self, *args, **kwargs)
     self.saw_stealer = False
     self.filematches = set()
 def __init__(self, *args, **kwargs):
     """Initialise the handle list this signature appends to while scanning."""
     Signature.__init__(self, *args, **kwargs)
     self.handles = list()
 def __init__(self, *args, **kwargs):
     """Initialise per-process handle tracking used for injection detection (name-inferred)."""
     Signature.__init__(self, *args, **kwargs)
     # Handle containers are created lazily elsewhere; they start as None, not empty.
     self.lastprocess = self.process_handles = self.write_handles = None
     self.injection_detected = False
 def __init__(self, *args, **kwargs):
     """Initialise dropper bookkeeping, the last host seen and the URI set."""
     Signature.__init__(self, *args, **kwargs)
     self.dropper = {}
     self.lasthost = ""
     self.uris = set()
 def __init__(self, *args, **kwargs):
     """Initialise the per-user mapping this signature fills (name-inferred)."""
     Signature.__init__(self, *args, **kwargs)
     self.users = {}
 def __init__(self, *args, **kwargs):
     """Delegate to ``Signature.__init__``; this signature keeps no extra state."""
     Signature.__init__(self, *args, **kwargs)
 def __init__(self, *args, **kwargs):
     """Initialise the last URL seen and the set of suspected phishing URLs."""
     Signature.__init__(self, *args, **kwargs)
     self.phishurls = set()
     self.lasturl = ""
 def __init__(self, *args, **kwargs):
     """Clear the flag recording whether a disable action was observed (name-inferred)."""
     Signature.__init__(self, *args, **kwargs)
     self.saw_disable = bool()
 def __init__(self, *args, **kwargs):
     """Initialise the list of matches collected while scanning."""
     Signature.__init__(self, *args, **kwargs)
     self.matches = []
 def __init__(self, *args, **kwargs):
     """Clear the registry indicator flags this signature raises."""
     Signature.__init__(self, *args, **kwargs)
     self.reg_evilgrab_keyname = self.reg_binary = False
 def __init__(self, *args, **kwargs):
     """Initialise the list of application names collected while scanning."""
     Signature.__init__(self, *args, **kwargs)
     self.appnames = list()
 def __init__(self, *args, **kwargs):
     """Initialise the last-process marker; None until the first callback runs."""
     Signature.__init__(self, *args, **kwargs)
     self.lastprocess = None
 def __init__(self, *args, **kwargs):
     """Zero the score/certificate counters and clear the string buffers."""
     Signature.__init__(self, *args, **kwargs)
     self.malscore = self.countCertificates = 0
     self.certBuffer = self.lastcall = ""
 def __init__(self, *args, **kwargs):
     """Initialise the write/remote-thread flags used for injection detection (name-inferred)."""
     Signature.__init__(self, *args, **kwargs)
     self.lastprocess = None
     self.write_detected = self.remote_thread = False
 def __init__(self, *args, **kwargs):
     """Initialise DLL-load tracking: a seen flag, a load counter and a list."""
     Signature.__init__(self, *args, **kwargs)
     self.dll_loaded = False
     self.loadctr = 0
     # Attribute name kept for callers even though it echoes the builtin ``list``.
     self.list = list()
 def __init__(self, *args, **kwargs):
     """Initialise the <style>/<iframe> regex patterns and the result flag."""
     Signature.__init__(self, *args, **kwargs)
     # Captures the first CSS class name inside a <style> block as ``styleName``.
     self.styleRE = r".*\<style\>(?:[^\.]+)?\.(?P<styleName>[^\{]+).*\</style>"
     # Captures a quoted iframe src value as ``redir``.
     self.iframeRE = r"\<iframe src=(?:(?:\"|')(?P<redir>[^\"']+)(?:\"|'))"
     self.ret = False
 def __init__(self, *args, **kwargs):
     """Zero the call-index counters this signature advances while scanning."""
     Signature.__init__(self, *args, **kwargs)
     # Chained assignment of an immutable 0 — every attribute starts at zero.
     self.lastprocess = self.systimeidx = 0
     self.exitidx = self.curidx = 0
 def __init__(self, *args, **kwargs):
     """Clear the screenshot capture/save/write flags."""
     Signature.__init__(self, *args, **kwargs)
     # ``wrtiesc`` is misspelt but is the attribute name other methods reference — keep it.
     self.capturesc = self.savesc = self.wrtiesc = False
 def __init__(self, *args, **kwargs):
     """Initialise handle tracking and the list of services seen stopped."""
     Signature.__init__(self, *args, **kwargs)
     self.lastprocess = 0
     self.handles = {}
     self.stoppedservices = []
 def __init__(self, *args, **kwargs):
     """Initialise the unhook-seen flag and the set of unhook details."""
     Signature.__init__(self, *args, **kwargs)
     self.unhook_info = set()
     self.saw_unhook = False
 def __init__(self, *args, **kwargs):
     """Initialise the registry-write map and the autorun-found flag."""
     Signature.__init__(self, *args, **kwargs)
     self.found_autorun = False
     self.registry_writes = {}
 def __init__(self, *args, **kwargs):
     """Initialise the attribute and disposition values this signature matches on."""
     Signature.__init__(self, *args, **kwargs)
     # Numeric file-attribute values treated as "hidden" (2, 4) and the
     # create-disposition values of interest (1, 3) — meanings are name-inferred.
     self.hidden_attrs = [2, 4]
     self.open_dispositions = [1, 3]
 def __init__(self, *args, **kwargs):
     """Clear the flag recording whether an encrypted binary was seen."""
     Signature.__init__(self, *args, **kwargs)
     self.encrypted_binary = bool()
 def __init__(self, *args, **kwargs):
     """Clear the flag recording whether a binary registry value was seen."""
     Signature.__init__(self, *args, **kwargs)
     self.reg_binary = bool()
 def __init__(self, *args, **kwargs):
     """Initialise directory tracking sets, the directory buffer and the last API name."""
     Signature.__init__(self, *args, **kwargs)
     self.check_dirs, self.directories = set(), set()
     self.dirbuf = ()
     self.lastapi = ""
 def __init__(self, *args, **kwargs):
     """Clear the found flag this signature sets while scanning."""
     Signature.__init__(self, *args, **kwargs)
     self.found = bool()
 def __init__(self, *args, **kwargs):
     """Initialise the registry-write map and the BootExecute-found flag."""
     Signature.__init__(self, *args, **kwargs)
     self.found_bootexecute = False
     self.registry_writes = {}