def __init__(self, *args, **kwargs):
    """Set up the per-run tracking state before any API events are processed."""
    Signature.__init__(self, *args, **kwargs)
    # Alphabet used downstream; it covers hex digits in both cases.
    self.chars = "0123456789ABCDEFabcdef"
    self.crypthash = ""
    self.lastapi = ""
    self.filehit = False
    self.mutexhit = False
def __init__(self, *args, **kwargs):
    """Prepare the indicator dictionary this signature fills in while it runs."""
    Signature.__init__(self, *args, **kwargs)
    # Every indicator starts unset; handlers elsewhere flip them as evidence appears.
    self.ioc = {}
    self.ioc["explorerExeFileHandle"] = None
    self.ioc["confFileName"] = None
    self.ioc["openConfig"] = False
    self.ioc["matchRegKey"] = False
    self.ioc["matchConfig"] = False
def __init__(self, *args, **kwargs):
    """Track which API families were observed and remember the analysis host name."""
    Signature.__init__(self, *args, **kwargs)
    self.cryptoapis = False
    self.syncapis = False
    self.networkapis = set()
    # ComputerName as reported by the base-class environment helper for the
    # initial monitored process.
    initial = self.get_initial_process()
    self.compname = self.get_environ_entry(initial, "ComputerName")
def __init__(self, *args, **kwargs):
    """Reset the counters and flags accumulated across API events."""
    Signature.__init__(self, *args, **kwargs)
    self.vawtrakauto = False
    self.eventtrigger = False
    self.eventcount = 0
    self.malscore = 0
    self.lastcall = ""
def __init__(self, *args, **kwargs):
    """Initialise unhook tracking and note whether this is a URL (non-file) analysis."""
    Signature.__init__(self, *args, **kwargs)
    self.saw_unhook = False
    self.unhook_info = set()
    # Any target category other than "file" is treated as a URL analysis.
    target_category = self.results["target"]["category"]
    self.is_url_analysis = target_category != "file"
def __init__(self, *args, **kwargs):
    """Set up handle bookkeeping and the mimic-detection state."""
    Signature.__init__(self, *args, **kwargs)
    self.lastprocess = 0
    # Current handles by key, plus the handles seen before the current process.
    self.handles = {}
    self.old_handles = []
    self.saw_mimic = False
    self.mimics = set()
def __init__(self, *args, **kwargs):
    """Remember the lower-cased module path of the first monitored executable."""
    Signature.__init__(self, *args, **kwargs)
    initialproc = self.get_initial_process()
    # Lower-cased so later path comparisons are case-insensitive; None when the
    # base class reports no initial process.
    self.initialpath = initialproc["module_path"].lower() if initialproc else None
def __init__(self, *args, **kwargs):
    """Set up the allocation/protection API names and page-protection constants to watch."""
    Signature.__init__(self, *args, **kwargs)
    self.allocated_addresses = []
    self.alloc_apis = ["VirtualAllocEx", "NtAllocateVirtualMemory"]
    self.protect_apis = ["NtProtectVirtualMemory", "VirtualProtectEx"]
    # Kept as tuples. By name these are the protections that allow writing ...
    self.write_constants = (
        "PAGE_READWRITE",
        "PAGE_EXECUTE_WRITECOPY",
        "PAGE_WRITECOPY",
    )
    # ... and the ones that allow execution; PAGE_EXECUTE_WRITECOPY is in both sets.
    self.execute_constants = (
        "PAGE_EXECUTE_WRITECOPY",
        "PAGE_EXECUTE_READ",
        "PAGE_EXECUTE",
    )
def __init__(self, *args, **kwargs):
    """Prepare the indicator dictionary this signature fills in while it runs."""
    Signature.__init__(self, *args, **kwargs)
    # Every indicator starts unset; handlers elsewhere update them as evidence appears.
    self.ioc = {}
    self.ioc["initProcessName"] = None
    self.ioc["countMoveFiles"] = 0
    self.ioc["matchRegKey"] = False
    self.ioc["writeExeFile"] = False
    self.ioc["createProcess"] = False
def __init__(self, *args, **kwargs):
    """Reset the process marker and the call-index bookkeeping."""
    Signature.__init__(self, *args, **kwargs)
    self.lastprocess = 0
    # Indices into the call sequence; all start at zero.
    self.curidx = 0
    self.systimeidx = 0
    self.getsystimeidx = 0
    self.exitidx = 0
def __init__(self, *args, **kwargs):
    """Track programs seen and decide whether the check applies to this package."""
    Signature.__init__(self, *args, **kwargs)
    self.programs = set()
    # The check is skipped for document, mail and PDF analysis packages.
    office_pkgs = ["ppt", "doc", "xls", "eml", "pdf"]
    package = self.results["info"]["package"]
    self.check = not any(e in package for e in office_pkgs)
def __init__(self, *args, **kwargs):
    """Reset the flags raised while scanning for each behaviour of interest."""
    Signature.__init__(self, *args, **kwargs)
    self.exec_policy = False
    self.user_profile = False
    self.hidden_window = False
    self.b64_encoded = False
    self.filedownload = False
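def __init__(self, *args, **kwargs):
    """Decide up front whether to ignore this run (PE32 executable submissions).

    The target's file metadata is read with .get() so a result set that lacks
    the "file" or "type" entry leaves ignore at False instead of raising KeyError,
    matching how the sibling signature that sets ``self.exe`` reads the same data.
    """
    Signature.__init__(self, *args, **kwargs)
    self.ignore = False
    self.pname = []
    target = self.get_results("target", {})
    if target.get("category") == "file":
        file_type = target.get("file", {}).get("type", "")
        if "PE32 executable" in file_type:
            self.ignore = True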
def __init__(self, *args, **kwargs):
    """Remember the lower-cased module path of the first monitored process."""
    Signature.__init__(self, *args, **kwargs)
    self.initialpath = None
    processes = self.results["behavior"]["processes"]
    # Lower-cased so later path comparisons are case-insensitive.
    if len(processes) > 0:
        first = processes[0]
        self.initialpath = first["module_path"].lower()
def __init__(self, *args, **kwargs):
    """Set up buffer tracking and remember the analysis host name."""
    Signature.__init__(self, *args, **kwargs)
    self.cryptInfo = False
    self.campaign = ""
    self.buffers = set()
    # ComputerName as reported by the base-class environment helper for the
    # initial monitored process.
    initial = self.get_initial_process()
    self.compname = self.get_environ_entry(initial, "ComputerName")
def __init__(self, *args, **kwargs):
    """Set up C2 tracking state, the URI variable names and the URL pattern."""
    Signature.__init__(self, *args, **kwargs)
    self.extcount = 0
    self.c2s = set()
    self.uristruct = False
    # Query-string parameter names looked for in observed URIs.
    self.urivars = ["sub", "addr", "size", "version", "os", "id", "inst_id"]
    # Loose URL matcher: optional scheme, host, dotted suffix, optional
    # digits, optional path. Two raw fragments concatenated by the parser.
    self.pat = (
        r"(?:https?:\/\/)?(?:[\da-z\.-]+)\.(?:[0-9a-z\.]{2,6})"
        r"(?:\d{1,5})?(?:[\/\w\.-]*)\/?"
    )
def __init__(self, *args, **kwargs):
    """Track executed items and note whether the submission is a PE32 executable."""
    Signature.__init__(self, *args, **kwargs)
    self.executed = []
    # exe is True only for a file submission whose detected type names a PE32 executable.
    target = self.get_results("target", {})
    file_type = ""
    if target.get("category") == "file":
        file_type = target.get("file", {}).get("type", "")
    self.exe = "PE32 executable" in file_type
def __init__(self, *args, **kwargs):
    """Start a zeroed hit counter for each browser window class of interest."""
    Signature.__init__(self, *args, **kwargs)
    watched_classes = [
        "Internet Explorer_Hidden",
        "IEFrame",
        "Chrome_WidgetWin_1",
        "MozillaWindowClass",
    ]
    self.class_names = {name: 0 for name in watched_classes}
def __init__(self, *args, **kwargs):
    """Set up decoy tracking, the office process list and the initial path."""
    Signature.__init__(self, *args, **kwargs)
    self.decoys = []
    self.office_proc_list = [
        "wordview.exe",
        "winword.exe",
        "excel.exe",
        "powerpnt.exe",
        "outlook.exe",
        "acrord32.exe",
        "acrord64.exe",
    ]
    # Lower-cased path of the first monitored executable, or None if the base
    # class reports no initial process.
    initialproc = self.get_initial_process()
    self.initialpath = initialproc["module_path"].lower() if initialproc else None
def __init__(self, *args, **kwargs):
    """Compile the markers that saved/mirrored HTML pages leave behind."""
    Signature.__init__(self, *args, **kwargs)
    # Named group "url" carries the origin of the cloned website in each pattern.
    saved_from = re.compile(
        r"\<!--\ssaved\sfrom\surl=\(\d+\)(?P<url>[^\s]+)", re.I
    )
    mirrored_from = re.compile(
        r"<!--\smirrored\sfrom\s(?P<url>[^\s]+)\sby\sHTTrack", re.I
    )
    self.rex = {
        "saved from url": saved_from,
        "mirrored from": mirrored_from,
    }
    self.hits = set()
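def __init__(self, *args, **kwargs):
    """Set up the path/key buffers and the Firefox/IE proxy-config patterns.

    The second fragment of configpath was a non-raw string containing "\\."
    (an invalid escape sequence that newer interpreters warn on); it is now a
    raw string, which yields the identical regex text.
    """
    Signature.__init__(self, *args, **kwargs)
    self.pathbuf = ""
    self.keybuf = ""
    # Firefox profile preferences file under any drive letter.
    self.configpath = (
        r"^[A-Za-z]:\\.*\\Mozilla\\Firefox\\Profiles\\.*\\"
        r"prefs\.js"
    )
    # Registry value holding the automatic proxy configuration URL.
    self.configkey = (
        r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\"
        r"CurrentVersion\\Internet Settings\\AutoConfigURL"
    )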
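def __init__(self, *args, **kwargs):
    """Set up URL tracking, the GUID pattern and the URL whitelist.

    guidpat was a non-raw string containing "\\{" and "\\}", invalid escape
    sequences that newer interpreters warn on; it is now a raw string with the
    identical regex text.
    """
    Signature.__init__(self, *args, **kwargs)
    self.urls = set()
    self.badpid = ""
    # Brace-enclosed upper-case GUID, e.g. {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}.
    self.guidpat = r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}"
    # URL prefixes that never count as hits.
    self.whitelist = [
        "http://download.oracle.com/",
    ]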
def __init__(self, *args, **kwargs):
    """Reset the collections and counters gathered while the signature runs."""
    Signature.__init__(self, *args, **kwargs)
    self.found = 0
    self.sigchanged = False
    self.volumes = set()
    self.hashes = set()
    self.c2s = set()
    self.payment = set()
    # Query-string fragments looked for in observed URLs.
    self.keywords = ["id=", "act=", "lang="]
def __init__(self, *args, **kwargs):
    """Reset section/event tracking and the process ids of interest."""
    Signature.__init__(self, *args, **kwargs)
    self.sections = set()
    self.events = set()
    # Pids recorded for the injecting and the C2-talking process; 0 until seen.
    self.injPid = 0
    self.c2Pid = 0
    self.lastConnect = ""
    self.c2s = []
    self.ret = False
def __init__(self, *args, **kwargs):
    """Set up the (phrase, category) lure table and the hit counter."""
    Signature.__init__(self, *args, **kwargs)
    malware_lures = [
        ("debug malware error", "Malware/Infection"),
        ("contact microsoft certified", "Malware/Infection"),
        ("non bootable situation", "Malware/Infection"),
    ]
    account_lures = [
        ("your paypal id or password was entered incorrectly", "PayPal"),
    ]
    # Order preserved: infection lures first, then account lures.
    self.lures = malware_lures + account_lures
    self.totalhits = 0
def __init__(self, *args, **kwargs):
    """Set up handle bookkeeping and note whether the package is an office-style one."""
    Signature.__init__(self, *args, **kwargs)
    self.handles = {}
    self.lastprocess = 0
    self.stealth_files = []
    # Document and mail packages are flagged so handlers can treat them differently.
    office_pkgs = ["ppt", "doc", "xls", "eml"]
    package = self.results["info"]["package"]
    self.is_office = any(e in package for e in office_pkgs)
def __init__(self, *args, **kwargs):
    """Set up per-pid tracking and the list of NSS calls considered suspicious."""
    Signature.__init__(self, *args, **kwargs)
    self.pidTrack = {}
    self.readsSqlite = set()
    # NSS PK11 entry points; presumably used to flag credential-store
    # decryption alongside the sqlite reads — confirm against the handler.
    self.suspicious = [
        "PK11_CheckUserPassword",
        "PK11_Authenticate",
        "PK11SDR_Decrypt",
    ]
def __init__(self, *args, **kwargs):
    """Set up the process marker and the list of well-known shared section names."""
    Signature.__init__(self, *args, **kwargs)
    self.lastprocess = None
    # Lower-cased BaseNamedObjects section names that are expected on a
    # normal system; order is kept from the original list.
    self.sharedsections = [
        "\\basenamedobjects\\shimsharedmemory",
        "\\basenamedobjects\\windows_shell_global_counters",
        "\\basenamedobjects\\msctf.shared.sfm.mih",
        "\\basenamedobjects\\msctf.shared.sfm.amf",
        "\\basenamedobjects\\urlzonessm_administrator",
        "\\basenamedobjects\\urlzonessm_system",
    ]
def __init__(self, *args, **kwargs):
    """Set up process tracking and note whether the package is an office-style one."""
    Signature.__init__(self, *args, **kwargs)
    self.lastprocess = 0
    self.lastres = None
    self.processes = []
    # Document, mail and script packages are flagged so handlers can treat them differently.
    office_pkgs = ["ppt", "doc", "xls", "eml", "js"]
    package = self.results["info"]["package"]
    self.is_office = any(e in package for e in office_pkgs)
def __init__(self, *args, **kwargs):
    """Reset C2 tracking, the URL keywords and the suspended-process bookkeeping."""
    Signature.__init__(self, *args, **kwargs)
    self.found = False
    self.badPid = 0
    self.netSequence = 0
    self.currentUrl = ""
    self.c2s = []
    # Query-string parameter names looked for in observed URLs.
    self.keywords = ["guid", "build", "info", "ip", "type"]
    self.suspended = {}
def __init__(self, *args, **kwargs):
    """Reset the two evidence flags this signature raises."""
    Signature.__init__(self, *args, **kwargs)
    self.config_copy = False
    self.compressed_binary = False
def __init__(self, *args, **kwargs):
    """Start with an empty list of hidden items."""
    Signature.__init__(self, *args, **kwargs)
    self.hidden = []
def __init__(self, *args, **kwargs):
    """Reset the transaction-related flags tracked across API events."""
    Signature.__init__(self, *args, **kwargs)
    # Each stage of the transacted-hollowing pattern gets its own flag.
    self.transaction_set = False
    self.transaction_rollback = False
    self.transacted_hollowing = False
def __init__(self, *args, **kwargs):
    """Reset the stealer flag and the set of matched files."""
    Signature.__init__(self, *args, **kwargs)
    self.saw_stealer = False
    self.filematches = set()
def __init__(self, *args, **kwargs):
    """Start with an empty list of tracked handles."""
    Signature.__init__(self, *args, **kwargs)
    self.handles = []
def __init__(self, *args, **kwargs):
    """Reset the process marker, handle trackers and the injection flag."""
    Signature.__init__(self, *args, **kwargs)
    self.injection_detected = False
    self.lastprocess = None
    # Both handle trackers start as None rather than empty containers.
    self.process_handles = None
    self.write_handles = None
def __init__(self, *args, **kwargs):
    """Reset dropper bookkeeping, the last host seen and the URI set."""
    Signature.__init__(self, *args, **kwargs)
    self.lasthost = ""
    self.dropper = {}
    self.uris = set()
def __init__(self, *args, **kwargs):
    """Start with an empty user-tracking dictionary."""
    Signature.__init__(self, *args, **kwargs)
    self.users = {}
def __init__(self, *args, **kwargs):
    """Forward construction to the Signature base class; no extra state is kept."""
    Signature.__init__(self, *args, **kwargs)
def __init__(self, *args, **kwargs):
    """Reset the last URL seen and the set of phishing URLs collected."""
    Signature.__init__(self, *args, **kwargs)
    self.phishurls = set()
    self.lasturl = ""
def __init__(self, *args, **kwargs):
    """Reset the flag recording that a disable action was observed."""
    Signature.__init__(self, *args, **kwargs)
    self.saw_disable = False
def __init__(self, *args, **kwargs):
    """Start with an empty list of matches."""
    Signature.__init__(self, *args, **kwargs)
    self.matches = []
def __init__(self, *args, **kwargs):
    """Reset the registry-related evidence flags."""
    Signature.__init__(self, *args, **kwargs)
    self.reg_binary = False
    self.reg_evilgrab_keyname = False
def __init__(self, *args, **kwargs):
    """Start with an empty list of application names."""
    Signature.__init__(self, *args, **kwargs)
    self.appnames = []
def __init__(self, *args, **kwargs):
    """Reset the marker for the last process handled."""
    Signature.__init__(self, *args, **kwargs)
    self.lastprocess = None
def __init__(self, *args, **kwargs):
    """Reset the score, certificate buffer and counters accumulated during the run."""
    Signature.__init__(self, *args, **kwargs)
    self.malscore = 0
    self.countCertificates = 0
    self.certBuffer = ""
    self.lastcall = ""
def __init__(self, *args, **kwargs):
    """Reset the process marker and the two injection-evidence flags."""
    Signature.__init__(self, *args, **kwargs)
    self.lastprocess = None
    # A remote write followed by a remote thread is what the handlers look for.
    self.write_detected = False
    self.remote_thread = False
def __init__(self, *args, **kwargs):
    """Reset DLL-load tracking state."""
    Signature.__init__(self, *args, **kwargs)
    self.loadctr = 0
    self.dll_loaded = False
    # Attribute name kept as-is; the rest of the signature presumably refers to it.
    self.list = []
def __init__(self, *args, **kwargs):
    """Set up the HTML patterns for a style block name and an iframe redirect."""
    Signature.__init__(self, *args, **kwargs)
    self.ret = False
    # Named group "styleName": first class selector inside a <style> block.
    self.styleRE = r".*\<style\>(?:[^\.]+)?\.(?P<styleName>[^\{]+).*\</style>"
    # Named group "redir": quoted src of an iframe tag.
    self.iframeRE = r"\<iframe src=(?:(?:\"|')(?P<redir>[^\"']+)(?:\"|'))"
def __init__(self, *args, **kwargs):
    """Reset the process marker and the call-index bookkeeping."""
    Signature.__init__(self, *args, **kwargs)
    self.lastprocess = 0
    # Indices into the call sequence; all start at zero.
    self.curidx = 0
    self.systimeidx = 0
    self.exitidx = 0
def __init__(self, *args, **kwargs):
    """Reset the screenshot capture/save/write flags."""
    Signature.__init__(self, *args, **kwargs)
    self.capturesc = False
    self.savesc = False
    # Spelling kept as-is ("wrtiesc"); the rest of the signature presumably reads it.
    self.wrtiesc = False
def __init__(self, *args, **kwargs):
    """Set up handle bookkeeping and the list of services seen stopped."""
    Signature.__init__(self, *args, **kwargs)
    self.lastprocess = 0
    self.handles = {}
    self.stoppedservices = []
def __init__(self, *args, **kwargs):
    """Reset the unhook flag and the set of unhook details."""
    Signature.__init__(self, *args, **kwargs)
    self.unhook_info = set()
    self.saw_unhook = False
def __init__(self, *args, **kwargs):
    """Reset registry-write bookkeeping and the autorun flag."""
    Signature.__init__(self, *args, **kwargs)
    self.found_autorun = False
    self.registry_writes = {}
def __init__(self, *args, **kwargs):
    """Set up the attribute and disposition values the handlers compare against."""
    Signature.__init__(self, *args, **kwargs)
    # Presumably FILE_ATTRIBUTE_HIDDEN (2) and FILE_ATTRIBUTE_SYSTEM (4) —
    # confirm against the handler that reads them.
    self.hidden_attrs = [0x2, 0x4]
    # Presumably NtCreateFile dispositions FILE_OPEN (1) and FILE_OPEN_IF (3) — confirm.
    self.open_dispositions = [0x1, 0x3]
def __init__(self, *args, **kwargs):
    """Reset the flag recording that an encrypted binary was seen."""
    Signature.__init__(self, *args, **kwargs)
    self.encrypted_binary = False
def __init__(self, *args, **kwargs):
    """Reset the flag recording that a binary registry value was seen."""
    Signature.__init__(self, *args, **kwargs)
    self.reg_binary = False
def __init__(self, *args, **kwargs):
    """Reset directory tracking state and the last API seen."""
    Signature.__init__(self, *args, **kwargs)
    self.lastapi = ""
    # dirbuf starts as an empty tuple, the two sets empty.
    self.dirbuf = ()
    self.check_dirs = set()
    self.directories = set()
def __init__(self, *args, **kwargs):
    """Reset the found flag."""
    Signature.__init__(self, *args, **kwargs)
    self.found = False
def __init__(self, *args, **kwargs):
    """Reset registry-write bookkeeping and the BootExecute flag."""
    Signature.__init__(self, *args, **kwargs)
    self.found_bootexecute = False
    self.registry_writes = {}