Behavior Instances


A Behavior Instance captures a specific instance of a Behavior, as exhibited by one or more malware instances or families.

Name | Applicable Platform | Associated Behavior | Description
-----|---------------------|---------------------|------------
API Call: GetVolumeInformation | Windows | compare host fingerprints | kernel32!GetVolumeInformation returns, among other things, the volume serial number of a drive (the page refers to it as the drive's GUID). Malware can read this value from the system drive and compare it with a value embedded in the sample, executing its malicious code only when the two match, i.e. only on the intended victim host.
API Call: IsDebuggerPresent | Windows | detect debugger | kernel32!IsDebuggerPresent reads the BeingDebugged flag in the calling process's Process Environment Block (PEB) to determine whether the process is being debugged. This is one of the most basic and common debugger checks, and correspondingly easy to defeat by clearing the flag.
Control Graph Flattening | any | defeat linear disassembler | The control flow of each function is flattened: the nesting of loops and if-statements is broken up, each basic block becomes a case of a large switch statement, and the switch is wrapped in the body of a loop, with a state variable selecting the next block. A disassembler sees one loop and one jump table instead of the function's real structure.
CryptoAPI | Windows | encrypt files | The Microsoft CryptoAPI includes functions to encrypt and decrypt data; these are commonly imported and used by malware (particularly ransomware) to encrypt user data and files on a system. Their presence in a sample's import table is a useful triage indicator.
Debugger Artifacts | any | detect debugger | Detects a debugger by the artifacts it leaves on the system (window titles, device drivers, exported function names, process names, etc.).
DYLD_INSERT_LIBRARIES Exploitation | Mac OS X | persist after system reboot | On Mac OS X, the DYLD_INSERT_LIBRARIES environment variable makes the dynamic linker load the listed libraries into a process before anything else. If malware arranges for the variable to be set in the environment a targeted process inherits, the malicious library is loaded every time that process starts.
Extended/Different Instruction Sets | any | defeat emulator | Emulators may be blocked through the use of instruction sets they do not implement (ex: FPU, MMX, SSE).
Extra Loops/Time Locks | any | defeat emulator | Extra loops may be added to make emulators with a time or instruction budget give up before the malicious code is reached.
Guard Pages | any | inhibit memory dumping | Blocks of code are encrypted individually and decrypted temporarily only upon execution: the pages are marked as guard pages, the exception raised on first access is caught by a handler that decrypts the block, and the block is re-encrypted afterwards, so a memory dump never contains the whole program in clear. One variant uses self-debugging to handle the guard-page exceptions.
Guest Process Testing | Windows | detect vm | Virtual machines offer guest additions that can be installed to add functionality such as clipboard sharing. Detecting the process responsible for these tasks, via its name or other methods, is a technique employed by malware to determine whether it is being executed in a virtual machine.
HTML5 Performance Object | Windows | detect vm | In three browser families, the frequency of the Windows performance counter can be extracted using standard HTML and JavaScript (the HTML5 Performance object). This value can then be used to detect whether the code is being executed in a virtual machine, by checking for two specific frequencies commonly used in virtual but not physical machines.
Injected DLL Testing | Windows | detect sandbox | Testing for the name of a particular DLL that is known to be injected by a sandbox for API hooking is a common way of detecting sandbox environments. This can be achieved through the kernel32!GetModuleHandle API call, by walking the loaded-module list, and by other means.
Instruction Overlap | any | defeat linear disassembler | Jumping to an address one byte past the start of an instruction: the same bytes decode as a different instruction sequence depending on where decoding starts, which confuses disassemblers that perform a linear sweep.
Interrupt Hooking | any | prevent debugging | Hooking interrupt 1 (single-step trap) and/or interrupt 3 (software breakpoint) so that debuggers relying on them no longer work.
Kernel Extension (Kext) Rootkit | Mac OS X | persist after system reboot | On Macs, kext (kernel extension) rootkits can be created from the Generic Kernel Extension template in Xcode; once installed and loaded at boot they remain in the kernel across reboots.
Launch Daemon and Launch Agent Exploitation | Mac OS X | persist after system reboot | On Macs, launch daemons and launch agents (launchd property lists that start programs at boot or at login) can be abused to gain malware persistence.
Launchd.conf Exploitation | Mac OS X | persist after system reboot | launchd is the first user-mode program to execute during OS X's initialization. The launchd.conf file contains configuration parameters (launchctl subcommands) for launchd. As launchd.conf can contain arbitrary commands (via the bsexec subcommand), malware can inject malicious instructions into it in order to achieve persistence. Note that support for /etc/launchd.conf was removed in OS X 10.10.
Malicious Network Driver | Windows | persist after system reboot | Malicious network drivers can be installed on several machines on a network via an exploited server with high uptime. Once the drivers are installed on the host machines, they can reinfect the server if it is restarted, infect other machines on the network, and redirect network traffic as they please.
Monitoring thread | any | detect debugger | Spawn a monitoring thread that detects tampering: software breakpoints (0xCC bytes written into code), patched checks, suspended threads, etc.
Named System Object Checks | Windows | detect vm | Virtual machines often include specific named system objects by default, such as Windows device drivers, which can be detected by testing for specific strings, whether found in the Windows registry or elsewhere.
OpCode Frequency Distribution | any | fingerprint host | Needs to be revisited
Private API Exploitation | iOS | persist after system reboot | On iOS, private (undocumented) system APIs can be abused to implement malicious functionality that the public SDK would not allow.
Process Environment Block (PEB) | Windows | detect debugger | The Process Environment Block (PEB) is a Windows data structure associated with each process that contains several fields, one of which is "BeingDebugged". Testing the value of this field in a process's PEB indicates whether the process is being debugged; this is equivalent to using the kernel32!IsDebuggerPresent API call, but avoids the import that analysts commonly hook.
Product Key/ID Testing | Windows | detect sandbox | Checking for a particular product key/ID associated with a sandbox environment (commonly the key of the Windows host OS used in the environment) can be used to detect whether a malware instance is being executed in a particular sandbox. This can be achieved through several means, including testing for the key/ID in the Windows registry.
Router Firmware Image Modification | Cisco IOS (labelled iOS on the page) | persist after system reboot | Cisco routers can have their firmware images modified in order to infect and persist on end-user machines in a network. This is accomplished by using default or otherwise acquired credentials to gain access to the router and install a backdoor in the image.
Screen Resolution Testing | Linux | detect sandbox | Sandboxes aren't used in the same manner as a typical user environment, so most of the time the screen resolution stays at the minimum 800x600 or lower; nobody actually works on such a small screen. Malware can read the screen resolution to decide whether it is on a user machine or in a sandbox.
Self Debugging | any | prevent debugging | The malware debugs itself (typically a parent process attaches to a child that carries the payload) so that another debugger cannot be attached, since a process can have only one debugger at a time.
Surreptitious Application Installation | Mac OS X | persist after system reboot | In OS X, application directories and files can be installed without the user's knowledge. Web browsers and search engines can also be hijacked and set to specific defaults. These files persist until the user manually deletes them.
Timing/Date Checks | Windows | detect sandbox | Calling GetSystemTime or an equivalent and only executing code if the current date/hour/minute/second passes some check. Often this is for running only after or only until a specific date.
Timing/Date Checks | any | detect debugger | The same check as above, catalogued under debugger detection: calling GetSystemTime or an equivalent and only executing code if the current date/hour/minute/second passes some check, often to run only after or only until a specific date.
Timing/Delay Checks | any | detect debugger | Comparing the time between two points to detect "unusual" execution, such as the (relatively) massive delays introduced by single-stepping or breakpoints under a debugger.
Timing/Up-time Check | any | detect debugger | Comparing a single GetTickCount value against a threshold to see whether the system has been up for at least X amount of time; a freshly started analysis machine fails the check.
UEFI Bootloader Injection | Mac OS X | persist after os changes | A Mac's UEFI boot process can be subverted in a number of ways via a malicious EFI DXE driver that targets the operating system rather than the supporting hardware; because it lives in firmware it survives OS reinstallation.
Undocumented Opcodes | any | defeat emulator | Use of rare or undocumented opcodes to block non-exhaustive emulators.
Unusual/Undocumented API Calls | any | defeat emulator | Unusual APIs are called to block non-exhaustive emulators (particularly those in anti-virus engines).
Windows Shutdown Event | Windows | persist after system reboot | In Windows, an application can register to receive the shutdown event triggered by Winlogon; a malicious DLL registered this way gets a chance to execute every time the machine shuts down.
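The Control Graph Flattening entry above, as an added example that is not part of the original page: the same function before and after flattening. The toy computation (a rolling checksum that skips zero bytes), the state names and the final mask are this example's own choices; the point is that the flattened version exposes only a dispatcher loop and a switch while computing the same result.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example (not from the page): one function before and after
 * control-flow flattening.  The structured version has a loop containing an
 * if-statement; the flattened version has one loop around one switch, and
 * the real control flow is encoded in the `state` variable.  The checksum
 * itself is arbitrary. */

#define FINAL_MASK 0xA5A5A5A5u

/* Original, structured control flow. */
uint32_t checksum_structured(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == 0)
            continue;                    /* skip zero bytes */
        sum = (sum << 1) ^ buf[i];
    }
    return sum ^ FINAL_MASK;
}

/* Flattened control flow: each basic block of the function above is one
 * case of the switch; the dispatcher loop just runs whatever `state` says.
 * A disassembler sees a single loop and a jump table, not the nested loop
 * and branch. */
uint32_t checksum_flattened(const uint8_t *buf, size_t len)
{
    enum { S_INIT, S_TEST, S_BRANCH, S_ACCUM, S_NEXT, S_EXIT } state = S_INIT;
    uint32_t sum = 0;
    size_t i = 0;

    for (;;) {                           /* dispatcher loop */
        switch (state) {
        case S_INIT:                     /* sum = 0; i = 0 */
            sum = 0;
            i = 0;
            state = S_TEST;
            break;
        case S_TEST:                     /* for-loop condition */
            state = (i < len) ? S_BRANCH : S_EXIT;
            break;
        case S_BRANCH:                   /* if (buf[i] == 0) */
            state = (buf[i] == 0) ? S_NEXT : S_ACCUM;
            break;
        case S_ACCUM:                    /* loop body */
            sum = (sum << 1) ^ buf[i];
            state = S_NEXT;
            break;
        case S_NEXT:                     /* i++ */
            i++;
            state = S_TEST;
            break;
        case S_EXIT:
            return sum ^ FINAL_MASK;
        }
    }
}

/* Do both versions agree on `buf`?  Used to check the transformation. */
int flattening_preserves_result(const uint8_t *buf, size_t len)
{
    return checksum_structured(buf, len) == checksum_flattened(buf, len);
}
```

Real obfuscators go further than this hand-written form: the state values are chosen opaquely, the transitions are computed rather than written as plain assignments, and the dispatcher is often applied recursively, but the shape a disassembler sees is the one shown here.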
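The Guard Pages entry, as an added example that is not the page's own code. The page describes the Windows mechanism (PAGE_GUARD pages and the resulting exception); to be runnable here the example uses the Linux analogue, an mprotect(PROT_NONE) page and a SIGSEGV handler. The protected "block" is data rather than code, the cipher is a single-byte XOR, and the secret string and key are constructed for the example.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added example (not from the page).  Linux analogue of the guard-page trick:
 * the block lives in memory XOR-encrypted behind a PROT_NONE page; the first
 * access raises SIGSEGV, the handler decrypts the page and returns so the CPU
 * retries the faulting instruction; afterwards the block is re-encrypted and
 * the guard re-armed.  On Windows the same idea uses PAGE_GUARD and
 * STATUS_GUARD_PAGE_VIOLATION, or a self-debugger that sees the exception. */

#define XOR_KEY 0x5A                                  /* example key */
static const char SECRET[] = "payload: only in clear while executing";

static unsigned char *g_page;            /* the guarded block */
static size_t g_pagesz;
static volatile sig_atomic_t g_faults;   /* how often the guard fired */

static void xor_block(unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        p[i] ^= XOR_KEY;
}

/* SIGSEGV handler: if the fault is inside our block, unlock and decrypt it,
 * then return so the instruction that faulted is re-executed. */
static void on_fault(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    unsigned char *addr = (unsigned char *)si->si_addr;
    if (g_page && addr >= g_page && addr < g_page + g_pagesz) {
        mprotect(g_page, g_pagesz, PROT_READ | PROT_WRITE);
        xor_block(g_page, g_pagesz);     /* decrypt in place */
        g_faults++;
        return;
    }
    signal(SIGSEGV, SIG_DFL);            /* not ours: crash normally */
}

/* Re-encrypt the block and arm the guard again, so a memory dump taken now
 * does not contain the plaintext. */
static void rearm_guard(void)
{
    xor_block(g_page, g_pagesz);
    mprotect(g_page, g_pagesz, PROT_NONE);
}

static uint32_t checksum(const unsigned char *p, size_t n)
{
    uint32_t h = 0;
    for (size_t i = 0; i < n; i++)
        h = h * 31u + p[i];
    return h;
}

/* Checksum of SECRET as it should come out if decryption worked. */
uint32_t expected_checksum(void)
{
    return checksum((const unsigned char *)SECRET, sizeof SECRET);
}

/* Store SECRET encrypted behind a guard, read it through the guard and
 * return its checksum; *faults_out reports how often the guard fired. */
uint32_t guarded_block_demo(int *faults_out)
{
    g_pagesz = (size_t)sysconf(_SC_PAGESIZE);
    g_page = mmap(NULL, g_pagesz, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (g_page == MAP_FAILED) { g_page = NULL; return 0; }
    memset(g_page, 0, g_pagesz);
    memcpy(g_page, SECRET, sizeof SECRET);
    rearm_guard();                       /* encrypt + PROT_NONE */

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    g_faults = 0;
    uint32_t sum = checksum(g_page, sizeof SECRET);  /* first read faults */
    int fired = (int)g_faults;

    rearm_guard();                       /* plaintext gone again */
    sigaction(SIGSEGV, &old, NULL);
    munmap(g_page, g_pagesz);
    g_page = NULL;
    if (faults_out) *faults_out = fired;
    return sum;
}
```

The guard fires exactly once per block: the first byte read traps, the handler decrypts the whole page, and the remaining reads proceed normally. For a dumper this means only the block currently in use is ever in clear, which is the "inhibit memory dumping" effect the table describes; the defence is to dump after forcing every block to execute, or to hook the exception path.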
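The IsDebuggerPresent and Process Environment Block (PEB) entries, as an added example that is not the page's own code. The Windows branch reads PEB->BeingDebugged directly (what kernel32!IsDebuggerPresent does internally); because that branch cannot run off Windows, the example also implements the Linux analogue, the TracerPid line of /proc/self/status, and the parser is exercised on constructed status text.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the page): the PEB BeingDebugged check from the
 * table, plus the Linux equivalent so the code can run anywhere. */

#ifdef _WIN32
#include <intrin.h>
/* Read PEB->BeingDebugged directly, bypassing the IsDebuggerPresent import
 * that analysts often hook.  PEB pointer: gs:[0x60] on x64, fs:[0x30] on
 * x86; BeingDebugged is the byte at PEB+0x02. */
static int peb_being_debugged(void)
{
#ifdef _WIN64
    const unsigned char *peb = (const unsigned char *)__readgsqword(0x60);
#else
    const unsigned char *peb = (const unsigned char *)__readfsdword(0x30);
#endif
    return peb[2] != 0;
}
#endif

/* Parse the TracerPid field out of /proc/<pid>/status text.
 * Returns the tracer's pid, 0 if not traced, -1 if the field is absent. */
long parse_tracer_pid(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (!p)
        return -1;
    return strtol(p + strlen("TracerPid:"), NULL, 10);
}

/* Linux: a process under ptrace (gdb, strace, a sandbox's tracer) has a
 * non-zero TracerPid.  Returns -1 if /proc is unavailable. */
long read_tracer_pid(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* 1 if a debugger/tracer is attached to this process, else 0. */
int is_being_debugged(void)
{
#ifdef _WIN32
    return peb_being_debugged();
#else
    return read_tracer_pid() > 0;
#endif
}

int main(void)
{
    printf("debugger attached: %s\n", is_being_debugged() ? "yes" : "no");
    return 0;
}
```

Both checks are as easy to defeat as the table says: a debugger plugin clears the PEB flag, and on Linux a tracer can intercept the read of /proc/self/status. Malware therefore usually combines several of the entries above rather than relying on any single one.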
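The three Timing entries (Date Checks, Delay Checks, Up-time Check), as one added example that is not the page's own code. The table names the Windows calls (GetSystemTime, GetTickCount); to be runnable here the example uses POSIX clocks instead: CLOCK_MONOTONIC for the delay measurement, CLOCK_BOOTTIME (time since boot) in place of GetTickCount, and time_t in place of GetSystemTime. The thresholds and the loop being timed are this example's own choices.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <time.h>

/* Added example (not from the page): the timing checks from the table,
 * written against POSIX clocks rather than the Windows APIs the page names. */

#ifndef CLOCK_BOOTTIME
#define CLOCK_BOOTTIME CLOCK_MONOTONIC   /* non-Linux fallback */
#endif

static uint64_t clock_ms(clockid_t clk)
{
    struct timespec ts;
    clock_gettime(clk, &ts);
    return (uint64_t)ts.tv_sec * 1000u + (uint64_t)ts.tv_nsec / 1000000u;
}

/* Timing/Delay check: a region that should take microseconds took far
 * longer, e.g. because someone single-stepped through it or sat on a
 * breakpoint inside it. */
int delay_suspicious(uint64_t start_ms, uint64_t end_ms, uint64_t limit_ms)
{
    return (end_ms - start_ms) > limit_ms;
}

/* Time a small burst of work between two clock reads and apply the check. */
int debugger_delay_detected(uint64_t limit_ms)
{
    uint64_t t0 = clock_ms(CLOCK_MONOTONIC);
    volatile uint32_t x = 0;
    for (uint32_t i = 0; i < 100000u; i++)
        x ^= i * 2654435761u;            /* the region being timed */
    uint64_t t1 = clock_ms(CLOCK_MONOTONIC);
    return delay_suspicious(t0, t1, limit_ms);
}

/* Timing/Up-time check: the GetTickCount comparison.  Analysis machines
 * are usually freshly booted, so a short uptime is suspicious. */
uint64_t uptime_ms(void)
{
    return clock_ms(CLOCK_BOOTTIME);
}

int uptime_too_short(uint64_t min_ms)
{
    return uptime_ms() < min_ms;
}

/* Timing/Date check: execute only inside [not_before, not_after], the
 * "only after / only until a specific date" gate the table describes. */
int date_allows_execution(time_t now, time_t not_before, time_t not_after)
{
    return now >= not_before && now <= not_after;
}
```

A sandbox can defeat each of these by lying: advancing the clock across the gate, reporting a long uptime, or hooking the clock so timed regions look fast. That is why samples often read the time from several independent sources (API, rdtsc, a network time source) and compare them.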