All public logs


Combined display of all available logs of ema. You can narrow down the view by selecting a log type, the username (case-sensitive), or the affected page (also case-sensitive).

Logs
  • 16:07, 30 September 2020 127.0.0.1 (talk) created page smw/schema:Group:Exif special properties (Semantic Extra Special Properties import)
  • 16:07, 30 September 2020 127.0.0.1 (talk) created page smw/schema:Group:Extra special properties (Semantic Extra Special Properties import)
  • 16:07, 30 September 2020 127.0.0.1 (talk) created page smw/schema:Group:Schema properties (Semantic MediaWiki group import)
  • 20:01, 14 November 2018 Dbeck (talk | contribs) deleted page c2 communication (content was: "{{Behavior |Name=code insertion |Description=Inserting code to impede disassembly. '''Examples:''' * Dead Code Insertion: Inclusion of "dead" code in the malware instance with no real functionality but with the intent of impeding disas...")
  • 12:40, 22 October 2018 Dbeck (talk | contribs) restored page & Generate Fraudulent Advertising Revenue (mobile) (10 revisions)
  • 12:16, 18 October 2018 Dbeck (talk | contribs) deleted page Ema-1226 (content was: "{{Behavior |Name=prevent native API hooking |Description=The 'prevent native api hooking' Behavior prevents other software from hooking native system APIs. |Associated Capabilities=Ema-1028 }}")
  • 12:12, 18 October 2018 Dbeck (talk | contribs) deleted page Ema-1183 (content was: "{{Behavior |Name=prevent memory access |Description=The 'prevent memory access' Behavior prevents access to system memory where the malware instance may be storing code or data. |Associated Capabilities=Ema-1028 }}")
  • 11:53, 18 October 2018 Dbeck (talk | contribs) deleted page Ema-1182 (content was: "{{Behavior |Name=prevent registry deletion |Description=The 'prevent registry deletion' Behavior prevents Windows registry keys and/or values associated with the malware instance from being deleted from a system. |Associated Capabilities=...")
  • 11:50, 18 October 2018 Dbeck (talk | contribs) deleted page Ema-1185 (content was: "{{Behavior |Name=prevent registry access |Description=The 'prevent registry access' Behavior prevents access to the Windows registry, including to the entire registry and/or to particular registry keys/values. |Associated Capabilities=Em...")
  • 11:48, 18 October 2018 Dbeck (talk | contribs) deleted page Ema-1181 (content was: "{{Behavior |Name=prevent file deletion |Description=The 'prevent file deletion' Behavior prevents files and/or directories associated with the malware instance from being deleted from a system. |Associated Capabilities=Ema-1028 }}")
  • 11:47, 18 October 2018 Dbeck (talk | contribs) deleted page Ema-1184 (content was: "{{Behavior |Name=prevent file access |Description=The 'prevent file access' Behavior prevents access to the file system, including to specific files and/or directories associated with the malware instance. |Associated Capabilities=Ema-10...")
  • 11:46, 18 October 2018 Dbeck (talk | contribs) deleted page Ema-1180 (content was: "{{Behavior |Name=prevent API unhooking |Description=The 'prevent api unhooking' Behavior prevents the API hooks installed by the malware instance from being removed. |Associated Capabilities=Ema-1028 }}")
  • 11:42, 18 October 2018 Dbeck (talk | contribs) deleted page Ema-1222 (content was: "{{Behavior |Name=hide userspace libraries: Rootkit |Description=The 'hide userspace libraries' Behavior hides the usage of userspace libraries by the malware instance. |Associated Capabilities=Ema-1028 }}")
  • 11:42, 18 October 2018 Dbeck (talk | contribs) deleted page Ema-1218 (content was: "{{Behavior |Name=hide threads: Rootkit |Description=The 'hide threads' Behavior hides one or more threads that belong to the malware instance. |Associated Capabilities=Ema-1028 }}")
  • 11:42, 18 October 2018 Dbeck (talk | contribs) deleted page Ema-1219 (content was: "{{Behavior |Name=hide services: Rootkit |Description=The 'hide services' Behavior hides any system services that the malware instance creates or injects itself into. |Associated Capabilities=Ema-1028 }}")
  • 11:40, 18 October 2018 Dbeck (talk | contribs) deleted page Ema-1149 (content was: "{{Behavior |Name=disable system file overwrite protection: Disabling Security Tools |Description=The 'disable system file overwrite protection' Behavior disables system file overwrite protection mechanisms such as Windows file protec...")
  • 16:54, 17 October 2018 Dbeck (talk | contribs) deleted page Ema-1223 (content was: "{{Behavior |Name=execute stealthy code |Description=The 'execute stealthy code' Behavior executes some or all of the code of the malware instance in a hidden manner (e.g., by injecting it into a benign process). |Associated Capabilities=...")
  • 16:52, 17 October 2018 Dbeck (talk | contribs) deleted page Ema-1252 (content was: "{{Behavior |Name=evade static heuristic |Description=Some AV can be easily fooled by analyzing it. For example, a heuristic engine can try to figure out if a file is using a dual extension (e.g. invoice.doc.exe) and determine the file as...")
  • 16:15, 14 October 2018 Dbeck (talk | contribs) deleted page Ema-1134 (content was: "{{Behavior |Name=log activity |Description=The 'log activity' Behavior logs the activity of the malware instance. |Associated Capabilities=Ema-1011 |References= }}")
  • 15:57, 14 October 2018 Dbeck (talk | contribs) deleted page Ema-1209 (content was: "{{Behavior |Name=persist after system reboot |Description=The 'persist after system reboot' Behavior continues the execution of the malware instance after a system reboot. |Associated Attributes=Attribute:27 |Associated Capabilities=Ema-...")
  • 15:57, 14 October 2018 Dbeck (talk | contribs) deleted page Ema-1074 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=Router Firmware Image Modification |Description=Cisco routers can have their firmware images modified in order to maliciously infect and persist on end-user machines in a network. T...")
  • 15:48, 14 October 2018 Dbeck (talk | contribs) deleted page Ema-1071 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=Private API Exploitation |Description=On iOS, private APIs can be abused in the iOS system to implement malicious functionalities. |Privilege Level=User space |Supporting Details={{...")
  • 15:29, 14 October 2018 Dbeck (talk | contribs) deleted page + private api exploitation (Mobile) (content was: "{{Behavior |Name=UEFI Bootloader Injection |Description=Mac's UEFI bootloader can be exploited in a number of ways via an EFI DXE driver tha...", and the only contributor was "Dbeck" (talk))
  • 15:26, 14 October 2018 Dbeck (talk | contribs) deleted page Ema-1073 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=Windows Shutdown Event |Description=In Windows, the shutdown event triggered by WinLogon can be registered by an application to allow a malicious DLL a chance to execute every time...")
  • 15:22, 14 October 2018 Dbeck (talk | contribs) deleted page Ema-1104 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=Malicious Network Driver |Description=Malicious network drivers can be installed on several machines on a network via an exploited server with high uptime. Once the drivers are inst...")
  • 15:00, 14 October 2018 Dbeck (talk | contribs) deleted page Ema-1085 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=+ Surreptitious Application Installation |Description=In OSX, application directories and files can be installed unbeknownst to the user. Web browsers and search engines can also be...")
  • 14:45, 14 October 2018 Dbeck (talk | contribs) deleted page Ema-1083 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=Kernel Extension (Kext) Rootkit |Description=On Macs, Kext (kernel extension) rootkits can be created via the Generic Kernel Extension template in XCode and exist in the kernel even...")
  • 14:43, 14 October 2018 Dbeck (talk | contribs) deleted page Ema-1077 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=Launchd.conf Exploitation |Description=launchd is the first user-mode program to execute during OS X's initialization. The launchd.conf file contains configuration parameters for...")
  • 14:41, 14 October 2018 Dbeck (talk | contribs) deleted page Ema-1082 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=Launch Daemon and Launch Agent Exploitation |Description=On Macs, launch daemons and launch agents can be abused to gain malware persistence. |Privilege Level=User space |Supportin...")
  • 14:36, 14 October 2018 Dbeck (talk | contribs) deleted page Ema-1075 (content was: "{{Behavior Instance |Associated Behavior=Ema-1209 |Name=DYLD_INSERT_LIBRARIES Exploitation |Description=In Mac OSX, DYLD_INSERT_LIBRARIES can be abused to load malicious libraries to ensure that a malicious library will persistently be l...")
  • 14:27, 14 October 2018 Dbeck (talk | contribs) deleted page Ema-1216 (content was: "{{Behavior |Name=autonomous remote infection |Description=The 'autonomous remote infection' Behavior infects a remote machine autonomously, without the involvement of any end user (e.g., through the exploitation of a remote procedure cal...")
  • 14:17, 14 October 2018 Dbeck (talk | contribs) deleted page Ema-1137 (content was: "{{Behavior |Name=install legitimate software |Description=The 'install legitimate software' Behavior installs legitimate (i.e. non-malware) software on the same system on which the malware instance is executing. |Associated Capabilities=E...")
  • 21:07, 11 October 2018 Dbeck (talk | contribs) deleted page Ema-1212 (content was: "{{Behavior |Name=re-instantiate self |Description=The 're-instantiate self' Behavior re-establishes the malware instance on the system after it is initially detected and partially removed. |Associated Capabilities=Ema-1016 }}")
  • 14:21, 9 October 2018 Dbeck (talk | contribs) deleted page Ema-1136 (content was: "{{Behavior |Name=install secondary module |Description=The 'install secondary module' Behavior installs a secondary module (typically related to the malware instance itself) on the same system on which the malware instance is executing....")
  • 19:44, 3 October 2018 Dbeck (talk | contribs) deleted page Ema-1165 (content was: "{{Behavior |Name=XXX-encrypt self |Description=The 'encrypt self' Behavior encrypts the executing code (in memory) that belongs to the malware instance. |Associated Attributes=Attribute:6 |Associated Capabilities=Ema-1028 }}")
  • 19:24, 3 October 2018 Dbeck (talk | contribs) restored page api hooking (11 revisions)
  • 14:55, 3 October 2018 Dbeck (talk | contribs) deleted page & Generate Fraudulent Advertising Revenue (mobile) (content was: "{{Behavior |Name=XXX-click fraud |Description=The 'click fraud' Behavior simulates legitimate user clicks on website advertisements for the purpose of revenue generation. |Associated Capabilities=Ema-1002 |References={{Reference |Date=20...")
  • 14:50, 3 October 2018 Dbeck (talk | contribs) deleted page Ema-1240 (content was: "{{Behavior |Name=update configuration |Description=The 'update configuration' Behavior updates the configuration of the malware instance using data received from a command and control server. |Associated Capabilities=Ema-1017 }}")
  • 14:34, 3 October 2018 Dbeck (talk | contribs) deleted page Ema-1120 (content was: "{{Behavior |Name=host fingerprint |Description=Compare a previously computed host fingerprint to one computed for the current system on which the malware instance is executing, to determine if the malware instance is still executing on t...")
  • 14:34, 3 October 2018 Dbeck (talk | contribs) deleted page Ema-1095 (content was: "{{Behavior Instance |Associated Behavior=Ema-1120 |Name=API Call: GetVolumeInformation |Description=Abusing this API call on Windows can give an attacker the GUID on a system drive. This can then be compared to a running host's GUID valu...")
  • 14:22, 3 October 2018 Dbeck (talk | contribs) deleted page + surreptitious application installation (content was: "{{Behavior |Name=XXX-hardware detection |Description=Malware can inspect the hardware of the OS/"box" that it is running on and use this to determine whether it's being executed on a sandbox. This includes: * Memory size: Most modern ma...")
  • 14:21, 3 October 2018 Dbeck (talk | contribs) deleted page & Hooking (content was: "{{Behavior |Name=user interaction detection |Description=Malware can detect if there is any "user" activity on the sandbox, such as the movement of the mouse cursor or a non-default wallpaper. Can also determine a user environment (vs a...")
  • 11:57, 3 October 2018 Dbeck (talk | contribs) deleted page Ema-1038 (content was: "{{Behavior |Name=instruction overlap |Description=Jumping after the first byte of an instruction. Confuses some disassemblers. |Associated C...", and the only contributor was "Dbeck" (talk))
  • 11:56, 3 October 2018 Dbeck (talk | contribs) deleted page Ema-1036 (content was: "{{Behavior |Name=imports by hash |Description=DLL loaded and then each export name is parsed until it matches a specific hash, instead of a...", and the only contributor was "Dbeck" (talk))
  • 22:08, 2 October 2018 Dbeck (talk | contribs) deleted page Ema-1044 (content was: "{{Behavior |Name=stack strings |Description=Strings are built and decrypted on the stack at each use, then discarded (to avoid obvious refer...", and the only contributor was "Dbeck" (talk))
  • 22:06, 2 October 2018 Dbeck (talk | contribs) deleted page + windows shutdown event (content was: "{{Behavior |Name=import compression |Description=Imports are stored and loaded with a more compact import table format. Each DLL needed by t...", and the only contributor was "Dbeck" (talk))
  • 13:15, 2 October 2018 Dbeck (talk | contribs) deleted page & Software Packing (content was: "{{Behavior |Name=execution delay |Description=This technique is used for delaying execution of the malicious code. Stalling code is typically executed before any malicious behavior. The attacker's aim is to delay the execution of the m...")
  • 22:17, 27 September 2018 Dbeck (talk | contribs) restored page embedded file hooking (6 revisions)
  • 22:16, 27 September 2018 Dbeck (talk | contribs) deleted page + malicious network driver (content was: "{{Behavior |Name=test |Description=test |Associated Capabilities=Ema-1026 }}", and the only contributor was "Dbeck" (talk))
  • 13:19, 23 September 2018 Dbeck (talk | contribs) deleted page Ema-1236 (content was: "{{Behavior |Name=c2 host communication |Description=The 'c2 host communication' includes: * 'check for payload' - checks whether a new payload is available for download. * 'request email address list' - requests the current list of emai...")
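The 'imports by hash' entry (Ema-1036) describes a loader that hashes each export name of a loaded DLL until one matches a hard-coded constant, so that no API name strings appear in the binary. The following Python is an added example, not content from the ema wiki or any of the deleted pages: it implements both sides of that behaviour, the loader-side scan over an export table and the analyst-side lookup table that maps hash constants recovered from a sample back to names. The hash is the 32-bit ROR-13 rolling hash commonly seen in position-independent shellcode; the export table is constructed for the example (real kernel32 export names, but the addresses are made up), and a collision check is included because any such table is only useful if the hash is unique within the names it covers.

```python
"""
Imports by hash: resolve API names without storing the names.

Loader side: walk the export names of a module, hash each one and stop at the
first hash that equals a hard-coded constant.
Analyst side: precompute hash -> name for a list of known export names so
that constants found in a sample can be resolved back to API names.
"""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

HashFn = Callable[[bytes], int]


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: bytes) -> int:
    """32-bit ROR-13 rolling hash over the raw bytes of an export name."""
    h = 0
    for b in name:
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


# Constructed stand-in for a module's export table: (name, fake address).
# The names are real kernel32 exports; the addresses are invented for the example.
FAKE_EXPORTS: List[Tuple[bytes, int]] = [
    (b"CreateFileA", 0x1000),
    (b"ExitProcess", 0x1040),
    (b"GetProcAddress", 0x1080),
    (b"LoadLibraryA", 0x10C0),
    (b"VirtualAlloc", 0x1100),
    (b"WinExec", 0x1140),
]


def resolve_by_hash(exports: Iterable[Tuple[bytes, int]], target: int,
                    hash_fn: HashFn = ror13_hash) -> Optional[Tuple[bytes, int]]:
    """Loader side: scan the export table, hash every name, return the first
    (name, address) whose hash equals `target`, or None if nothing matches."""
    for name, addr in exports:
        if hash_fn(name) == target:
            return name, addr
    return None


def build_hash_table(names: Iterable[bytes],
                     hash_fn: HashFn = ror13_hash) -> Dict[int, bytes]:
    """Analyst side: precompute hash -> name for every known export name.
    Raises if two different names hash to the same value, since a colliding
    table would silently mis-resolve constants."""
    table: Dict[int, bytes] = {}
    for name in names:
        h = hash_fn(name)
        if h in table and table[h] != name:
            raise ValueError(
                f"hash collision: {table[h]!r} and {name!r} both hash to {h:#010x}")
        table[h] = name
    return table


def resolve_constants(constants: Iterable[int],
                      table: Dict[int, bytes]) -> Dict[int, Optional[bytes]]:
    """Map each constant pulled from a sample to a name, or None if unknown."""
    return {c: table.get(c) for c in constants}


if __name__ == "__main__":
    # Constants a loader would embed instead of the strings themselves; the
    # last one is deliberately unresolvable.
    wanted = [ror13_hash(b"LoadLibraryA"), ror13_hash(b"VirtualAlloc"), 0xDEADBEEF]
    table = build_hash_table(name for name, _ in FAKE_EXPORTS)
    for const, name in resolve_constants(wanted, table).items():
        print(f"{const:#010x} -> {name.decode() if name else '<unresolved>'}")
```

In practice the analyst-side table is built from the export lists of the DLLs a sample can load, and a different hash routine is substituted for `hash_fn` whenever the constants do not resolve, since malware families vary the rotation count, the seed, or whether the module name is folded into the hash.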