Behavior Instances

From ema
A Behavior Instance captures a specific instance of a Behavior, as exhibited by one or more malware instances or families.

| Name | Applicable Platform | Associated Behavior | Description |
|---|---|---|---|
| API Call: DeviceIoControlFile | Windows | steal web/network credential | Hooking Nt/ZwDeviceIoControlFile can allow for network sniffing by inspecting the data on a network interface, through its device driver. |
| API Call: getInstalledPackages | Android | inventory security products | getInstalledPackages is used to get the list of installed packages on the device; the list is then compared against a list of security products using a regular expression or other method. |
| API Call: GetVolumeInformation | Windows | compare host fingerprints | Abusing this API call on Windows can give an attacker the GUID of a system drive. This can then be compared to a running host's GUID value, and malicious code is executed only if the GUID values match. |
| API Call: HttpSendRequest | Windows | steal web/network credential | Hooking HttpSendRequest can allow for the sniffing of data contained inside HTTP requests, which may include web/network credentials. |
| API Call: IsDebuggerPresent | Windows | detect debugging | The kernel32!IsDebuggerPresent API call checks the Process Environment Block to see if the calling process is being debugged. This is one of the most basic and common ways of detecting debugging. |
| API Call: restartPackage | Android | stop execution of security software | Calling restartPackage on an already executing piece of security software can stop its execution on a device. |
| API Call: SomeAPI | Linux | capture system memory | Some description. |
| API Call: TranslateMessage | Windows | capture keyboard input | The capture keyboard input behavior is implemented by hooking the user32!TranslateMessage API call. As an example (from SpyEye), in response to each WM_KEYDOWN message, the hook procedure calls GetKeyboardState and ToUnicode(lpMsg->wParam), then appends the corresponding wide character to a buffer. |
| Control Graph Flattening | Unspecified | defeat linear disassembler | Flattening the control flow of each function by first breaking up the nesting of loops and if-statements, and then hiding each of them in a case of a large switch statement, which is wrapped inside the body of a loop. |
| Cron Job Exploitation | Mac OS X | persist after system reboot | On Macs, cron jobs can be abused to execute malicious code. |
| CryptoAPI | Windows | encrypt files | The Microsoft CryptoAPI includes functions to encrypt and decrypt data; these are commonly imported and used by malware (particularly ransomware) to encrypt user data/files on a system. |
| Debugger Artifacts | Unspecified | detect debugging | Detects a debugger by its artifacts (window title, device driver, exports, etc.). |
| DLL Search Order Hijacking | Windows | persist after system reboot | In Windows, it is possible to keep malware persistence without the Windows registry by hijacking the DLL search order. This entails placing a malicious DLL higher in the DLL search order so that it is executed prior to the legitimate DLL, which is not contained in the KnownDll object. |
| DYLD_INSERT_LIBRARIES Exploitation | Mac OS X | persist after system reboot | In Mac OSX, DYLD_INSERT_LIBRARIES can be abused to load malicious libraries, ensuring that a malicious library is persistently loaded into a targeted process whenever that process is started. |
| Encrypted Autostart Registry Key | Windows | persist after system reboot | In Windows, an encrypted autostart registry key can be created which, when decrypted, can install and run PowerShell code without leaving trace files. |
| Extended/Different Instruction Sets | Unspecified | defeat emulator | Emulators may be blocked through the use of different opcode sets (e.g. FPU, MMX, SSE). |
| Extra Loops/Time Locks | Unspecified | defeat emulator | Extra loops may be added to make time-constrained emulators give up. |
| File Association Hijacking | Windows | persist after system reboot | On Windows systems, file associations can be abused to open files in malicious programs or to execute malicious code on a system. The malicious programs act as wrappers around a real program and are called prior to the trusted program being executed. These wrappers are hidden from the user unless they carefully inspect the directory paths of the trusted program. |
| Guard Pages | Unspecified | prevent physical memory acquisition | Blocks of code are encrypted individually, and decrypted temporarily only upon execution. One variant uses self-debugging to accomplish this. |
| Guest Process Testing | Windows | detect VM environment | Virtual machines offer guest additions that can be installed to add functionality such as clipboard sharing. Detecting the process responsible for these tasks, via its name or other methods, is a technique employed by malware for detecting whether it is being executed in a virtual machine. |
| HTML5 Performance Object | Windows | detect VM environment | In three browser families, it is possible to extract the Windows performance counter frequency using standard HTML and JavaScript. This value can then be used to detect whether the code is being executed in a virtual machine, by detecting two specific frequencies commonly used in virtual but not physical machines. |
| Injected DLL Testing | Windows | detect sandbox environment | Testing for the name of a particular DLL that is known to be injected by a sandbox for API hooking is a common way of detecting sandbox environments. This can be achieved through the kernel32!GetModuleHandle API call and other means. |
| Instruction Overlap | Unspecified | defeat linear disassembler | Jumping after the first byte of an instruction. Confuses some disassemblers. |
| Kernel Extension (Kext) Rootkit | Mac OS X | persist after system reboot | On Macs, Kext (kernel extension) rootkits can be created via the Generic Kernel Extension template in XCode and exist in the kernel even after reboots. |
| Launch Daemon and Launch Agent Exploitation | Mac OS X | persist after system reboot | On Macs, launch daemons and launch agents can be abused to gain malware persistence. |
| Launchd.conf Exploitation | Mac OS X | persist after system reboot | launchd is the first user-mode program to execute during OS X's initialization. The launchd.conf file contains configuration parameters for launchd. As launchd.conf can contain arbitrary commands (via the bsexec command), malware can inject malicious instructions in order to achieve persistence. |
| Login Items | Mac OS X | persist after system reboot | On Macs, login items can be abused to create autostart applications which execute malicious code. |
| Login/Logout Hooks | Mac OS X | persist after system reboot | In Mac OSX, login/logout hooks can be created to automatically execute commands or scripts upon a user logging into or out of a system. |
| MACE Value Manipulation | Windows | obfuscate artifact properties | On Windows systems, MACE values can be deleted or modified in order to disguise malicious files and programs. This is done by changing the timestamp values of a file to make them appear non-suspicious. |
| Malicious Network Driver | Windows | persist after system reboot | Malicious network drivers can be installed on several machines on a network via an exploited server with high uptime. Once the drivers are installed on the host machines, they can reinfect the server if it is restarted, can infect other machines on the network, and can redirect traffic on the network as they please. |
| Named System Object Checks | Windows | detect VM environment | Virtual machines often include specific named system objects by default, such as Windows device drivers, which can be detected by testing for specific strings, whether found in the Windows registry or other places. |
| OpCode Frequency Distribution | Unspecified | fingerprint host | Needs to be revisited |
| Private API Exploitation | iOS | persist after system reboot | On iOS, private APIs can be abused in the iOS system to implement malicious functionalities. |
| Process Environment Block (PEB) | Windows | detect debugging | The Process Environment Block (PEB) is a Windows data structure associated with each process that contains several fields, one of which is "BeingDebugged". Testing the value of this field in the PEB of a particular process can indicate whether the process is being debugged; this is equivalent to using the kernel32!IsDebuggerPresent API call. |
| Product Key/ID Testing | Windows | detect sandbox environment | Checking for a particular product key/ID associated with a sandbox environment (commonly associated with the Windows host OS used in the environment) can be used to detect whether a malware instance is being executed in a particular sandbox. This can be achieved through several means, including testing for the key/ID in the Windows registry. |
| Rc.common Exploitation | Mac OS X | persist after system reboot | RC scripts are used in another BSD-flavoured persistence technique that works on OS X, allowing scripts or commands to be executed automatically. For example, the rc.common file can be edited to insert arbitrary commands that will automatically execute when OS X starts. |
| Router Firmware Image Modification | iOS | persist after system reboot | Cisco routers can have their firmware images modified in order to maliciously infect and persist on end-user machines in a network. This is accomplished by using default or acquired credentials to gain access to a router and to install a backdoor. |
| Startup Item Exploitation | Mac OS X | persist after system reboot | In Mac OSX, startup items allow a command or script to be executed automatically during OSX initialization. These items can be abused to execute malicious code and programs. |
| Surreptitious Application Installation | Mac OS X | persist after system reboot | In OSX, application directories and files can be installed unbeknownst to the user. Web browsers and search engines can also be hijacked and set to specific defaults. These files persist until the user manually deletes them. |
| Timing/Date Checks | Windows | detect sandbox environment | Calling GetSystemTime or an equivalent and only executing code if the current date/hour/minute/second passes some check. Often this is for running only after or only until a specific date. |
| Timing/Delay Checks | Unspecified | detect debugging | Comparing the time between two points to detect "unusual" execution, such as the (relatively) massive delays introduced by debugging. |
| UEFI Bootloader Injection | Mac OS X | persist after OS changes | A Mac's UEFI bootloader can be exploited in a number of ways via an EFI DXE driver that attacks the system as opposed to the supporting hardware. |
| Undocumented Opcodes | Unspecified | defeat emulator | Use of rare or undocumented opcodes to block non-exhaustive emulators. |
| Unusual/Undocumented API Calls | Unspecified | defeat emulator | Unusual APIs are called to block non-exhaustive emulators (particularly anti-virus). |
| Web Injection | Mac OS X | autonomous remote infection | On Macs, unpatched versions of applications can be exploited via malicious websites. |
| Windows Shutdown Event | Windows | persist after system reboot | In Windows, the shutdown event triggered by WinLogon can be registered for by an application, giving a malicious DLL a chance to execute every time a machine shuts down. |
| Windows Task Scheduler Spawning | Windows | persist after system reboot | In Windows, the Windows Task Scheduler can be exploited to spawn persistent malware, which can be used both to steal various types of information and to spy on government organizations and private institutions. |