Behaviors

From ema

A Behavior corresponds to the specific purpose behind a particular snippet of code, as executed by a malware instance. Examples include keylogging, detecting a virtual machine, and installing a backdoor. Each Behavior is associated with one or more Capabilities or Subcapabilities (the higher-level goals it serves) and may have Aliases by which the same behavior is commonly known.

A Behavior may have attributes associated with it. For example, the steal browser history Behavior can be further specified by the 'targeted application' attribute.

| Name | Description | Associated Attributes | Associated Capabilities/Subcapabilities | Aliases |
|---|---|---|---|---|
| access premium service | The 'access premium service' Behavior accesses a premium service, such as a premium SMS service. | | fraud | |
| autonomous remote infection | The 'autonomous remote infection' Behavior infects a remote machine autonomously, without the involvement of any end user (e.g., through the exploitation of a remote procedure call vulnerability). | | remote machine infection | |
| block security websites | The 'block security websites' Behavior prevents access from the system on which the malware instance is executing to one or more security vendor or security-related websites. | | security software degradation | |
| capture camera input | The 'capture camera input' Behavior captures data from a system's camera, including embedded cameras (e.g., on mobile devices) and/or attached webcams. | | input peripheral capture | |
| capture file system | The 'capture file system' Behavior captures data from a file system. | | system state data capture | file system dump |
| capture GPS data | The 'capture GPS data' Behavior captures GPS data from the system on which the malware instance is executing. | | system interface data capture | |
| capture keyboard input | The 'capture keyboard input' Behavior captures data from the keyboard attached to the system on which the malware instance is running. | Common: technique, Common: applicable platform | authentication credentials theft, input peripheral capture | keylogging, keystroke logging, keyboard capturing |
| capture microphone input | The 'capture microphone input' Behavior captures data from a system's microphone, including embedded microphones (e.g., on mobile devices) and those that may be attached externally. | | input peripheral capture | |
| capture mouse input | The 'capture mouse input' Behavior captures data from a system's mouse. | | input peripheral capture | |
| capture printer output | The 'capture printer output' Behavior captures data sent to a system's printer, either locally or remotely. | | output peripheral capture | |
| capture system memory | The 'capture system memory' Behavior captures data from a system's RAM. | Common: applicable platform | system state data capture | memory dump |
| capture system network traffic | The 'capture system network traffic' Behavior captures network traffic from the system on which the malware instance is executing. | | system interface data capture | packet capture, network traffic capture, traffic capture |
| capture system screenshot | The 'capture system screenshot' Behavior captures images of what is currently being displayed on a system's screen, either locally (e.g., on a display) or remotely via a remote desktop protocol. | | output peripheral capture, authentication credentials theft | screen capture |
| capture touchscreen input | The 'capture touchscreen input' Behavior captures data from a system's touchscreen. | | input peripheral capture | |
| check for payload | The 'check for payload' Behavior queries a command and control server to check whether a new payload is available for download. | Common: network protocol | send data to c2 server | |
| check language | The 'check language' Behavior checks the language of the host system on which the malware instance executes. | | host configuration probing | |
| click fraud | The 'click fraud' Behavior simulates legitimate user clicks on website advertisements for the purpose of revenue generation. | | fraud | |
| compare host fingerprints | The 'compare host fingerprints' Behavior compares a previously computed host fingerprint to one computed for the current system on which the malware instance is executing, to determine whether the malware instance is still executing on the same system. | Common: applicable platform | environment awareness | |
| compromise remote machine | The 'compromise remote machine' Behavior gains control of a remote machine through compromise, e.g., by exploiting a particular vulnerability. | | remote machine access | |
| control local machine via remote command | The 'control local machine via remote command' Behavior controls the machine on which the malware instance is executing, through one or more remotely sent commands. | Common: network protocol | local machine control | |
| control malware via remote command | The 'control malware via remote command' Behavior executes commands issued to the malware instance from a remote source such as a command and control server, for the purpose of controlling its behavior. | | receive data from c2 server | |
| crack passwords | The 'crack passwords' Behavior consumes system resources for the purpose of password cracking. | | consume system resources | |
| defeat call graph generation | The 'defeat call graph generation' Behavior defeats accurate call graph generation during disassembly of the malware instance. | | anti-disassembly | |
| defeat emulator | The 'defeat emulator' Behavior defeats or prevents the execution of the malware instance in an emulator. | | anti-emulation | |
| defeat flow-oriented disassembler | The 'defeat flow-oriented disassembler' Behavior defeats disassembly of the malware instance in a flow-oriented (recursive traversal) disassembler. | | anti-disassembly | |
| defeat linear disassembler | The 'defeat linear disassembler' Behavior prevents the disassembly of the malware instance in a linear (linear sweep) disassembler. | | anti-disassembly | |
| degrade security program | The 'degrade security program' Behavior degrades one or more security programs running on a system, either by stopping them from executing or by making changes to their code or configuration parameters. | Security Degradation: targeted program | | |
| denial of service | The 'denial of service' Behavior causes the local machine on which the malware instance is executing and/or a remote network resource to be unavailable. | | compromise system availability | DOS, DDOS |
| destroy hardware | The 'destroy hardware' Behavior physically destroys a piece of hardware, e.g., by causing it to overheat. | | physical entity destruction | |
| detect debugging | The 'detect debugging' Behavior detects whether the malware instance is being executed inside of a debugger. | Common: technique, Common: applicable platform | anti-debugging | |
| detect emulator | The 'detect emulator' Behavior detects whether the malware instance is being executed in an emulator. | | anti-emulation | |
| detect installed analysis tools | The 'detect installed analysis tools' Behavior indicates that the malware instance attempts to detect whether certain analysis tools are present on the system on which it is executing. | | anti-behavioral analysis | |
| detect installed anti-virus tools | The 'detect installed anti-virus tools' Behavior indicates that the malware instance attempts to detect whether certain anti-virus tools are present on the system on which it is executing. | | security software degradation | |
| detect sandbox environment | The 'detect sandbox environment' Behavior detects whether the malware instance is being executed in a sandbox environment. | Common: technique, Common: applicable platform, Anti-Behavioral Analysis: targeted sandbox | anti-sandbox | |
| detect VM environment | The 'detect VM environment' Behavior detects whether the malware instance is being executed in a virtual machine (VM). | Anti-Behavioral Analysis: targeted VM, Common: applicable platform, Common: technique | anti-VM | |
| determine host IP address | The 'determine host IP address' Behavior determines the IP address of the host system on which the malware instance is executing. | | host configuration probing | |
| disable access rights checking | The 'disable access rights checking' Behavior bypasses, disables, or modifies access tokens or access control lists, thereby enabling the malware instance to read, write, or execute a file with one or more of these controls set. | | access control degradation | |
| disable firewall | The 'disable firewall' Behavior evades or disables the host-based firewall running on the system on which the malware instance is executing. | | access control degradation | |
| disable kernel patch protection | The 'disable kernel patch protection' Behavior bypasses or disables kernel patch protection mechanisms such as Windows' PatchGuard, enabling the malware instance to operate at the same level as the operating system kernel and kernel mode drivers (KMD). | | OS security feature degradation | |
| disable OS security alerts | The 'disable OS security alerts' Behavior disables operating system (OS) security alert messages that could lead to identification and/or notification of the presence of the malware instance. | | OS security feature degradation | |
| disable privilege limiting | The 'disable privilege limiting' Behavior bypasses or disables mechanisms that limit the privileges that can be granted to a user or entity. | | access control degradation | |
| disable service pack/patch installation | The 'disable service pack/patch installation' Behavior disables the system's ability to install service packs and/or patches. | | system update degradation | |
| disable system file overwrite protection | The 'disable system file overwrite protection' Behavior disables system file overwrite protection mechanisms such as Windows File Protection, thereby enabling system files to be modified or replaced. | | OS security feature degradation | |
| disable update services/daemons | The 'disable update services/daemons' Behavior disables system update services or daemons that may already be running on the system on which the malware instance is executing. | | system update degradation | |
| disable user account control | The 'disable user account control' Behavior bypasses or disables Windows' User Account Control (UAC), enabling the malware instance and/or its components to execute with elevated privileges. | | OS security feature degradation | |
| drop/retrieve debug log file | The 'drop/retrieve debug log file' Behavior generates and retrieves a log file of errors relating to the execution of the malware instance. | | information gathering for improvement | |
| elevate privilege | The 'elevate privilege' Behavior elevates the privilege level under which the malware instance is executing. | | privilege escalation | vertical privilege escalation |
| encrypt data | The 'encrypt data' Behavior encrypts data that will be exfiltrated. | Common: encryption algorithm | data obfuscation | |
| encrypt files | The 'encrypt files' Behavior encrypts one or more files on the system on which the malware instance is executing, to make them unavailable for use by the users of the system. | Common: applicable platform, Common: encryption algorithm, Common: technique | compromise data availability | |
| encrypt self | The 'encrypt self' Behavior encrypts the executing code (in memory) that belongs to the malware instance. | Common: encryption algorithm | self-modification | |
| erase data | The 'erase data' Behavior destroys data stored on a disk or in memory by erasure. | | virtual entity destruction | wipe data |
| evade static heuristic | The 'evade static heuristic' Behavior evades the static heuristic checks performed by anti-virus software, which can be fooled relatively easily because they key on simple file properties. For example, a heuristic engine may flag a file that uses a double extension (e.g., invoice.doc.exe) as malicious; a file that does not exhibit that property passes the check. | | anti-virus evasion | |
| execute before/external to kernel/hypervisor | The 'execute before/external to kernel/hypervisor' Behavior executes some or all of the malware instance's code before or external to the system's kernel or hypervisor (e.g., through the BIOS). | | hide executing code | |
| execute non-main CPU code | The 'execute non-main CPU code' Behavior executes some or all of the code of the malware instance on a secondary processor other than the main CPU (e.g., a GPU). | | hide executing code | |
| execute stealthy code | The 'execute stealthy code' Behavior executes some or all of the code of the malware instance in a hidden manner (e.g., by injecting it into a benign process). | | hide executing code | |
| exfiltrate data via covert channel | The 'exfiltrate data via covert channel' Behavior exfiltrates data using a covert channel, such as a DNS tunnel or NTP. | | data exfiltration | |
| exfiltrate data via dumpster dive | The 'exfiltrate data via dumpster dive' Behavior exfiltrates data via a dumpster dive, i.e., encoded data printed by the malware is discarded as garbage and then physically retrieved. | | data exfiltration | |
| exfiltrate data via fax | The 'exfiltrate data via fax' Behavior exfiltrates data using a fax system. | | data exfiltration | |
| exfiltrate data via network | The 'exfiltrate data via network' Behavior exfiltrates data through the computer network connected to the system on which the malware instance is executing. | Common: network protocol | data exfiltration | |
| exfiltrate data via physical media | The 'exfiltrate data via physical media' Behavior exfiltrates data by writing it to physical media (e.g., to a USB flash drive). | | data exfiltration | |
| exfiltrate data via VoIP/phone | The 'exfiltrate data via VoIP/phone' Behavior exfiltrates data (encoded as audio) using a phone system, such as through voice over IP (VoIP). | | data exfiltration | |
| feed misinformation during physical memory acquisition | The 'feed misinformation during physical memory acquisition' Behavior reports inaccurate data when the contents of the physical memory of the system on which the malware instance is executing are retrieved. | | anti-memory forensics | |
| file system instantiation | The 'file system instantiation' Behavior indicates that the malware instance instantiates itself on the file system of the machine that it is infecting, in one or more locations. | | infection/propagation | |
| fingerprint host | The 'fingerprint host' Behavior creates a unique fingerprint for the system on which the malware instance is executing, e.g., based on the applications that are installed on the system. | Common: applicable platform | environment awareness | |
| generate c2 domain name(s) | The 'generate c2 domain name(s)' Behavior generates the domain name(s) of the command and control server to which the malware instance connects. | | determine c2 server | |
| hide arbitrary virtual memory | The 'hide arbitrary virtual memory' Behavior hides arbitrary segments of virtual memory belonging to the malware instance in order to prevent their retrieval. | | anti-memory forensics | |
| hide data in other formats | The 'hide data in other formats' Behavior hides data that will be exfiltrated in other formats (e.g., image files). | Data Exfiltration: file type | data obfuscation | steganography |
| hide file system artifacts | The 'hide file system artifacts' Behavior hides one or more file system artifacts (e.g., files and/or directories) associated with the malware instance. | | hide artifacts | |
| hide kernel modules | The 'hide kernel modules' Behavior hides the usage of any kernel modules by the malware instance. | Common: applicable platform | hide executing code | |
| hide network traffic | The 'hide network traffic' Behavior hides network traffic associated with the malware instance. | | hide artifacts | |
| hide open network ports | The 'hide open network ports' Behavior hides one or more open network ports associated with the malware instance. | | hide artifacts | |
| hide processes | The 'hide processes' Behavior hides one or more of the processes in which the malware instance is executing. | | hide executing code | |
| hide registry artifacts | The 'hide registry artifacts' Behavior hides one or more Windows registry artifacts (e.g., keys and/or values) associated with the malware instance. | | hide artifacts | |
| hide services | The 'hide services' Behavior hides any system services that the malware instance creates or injects itself into. | | hide executing code | |
| hide threads | The 'hide threads' Behavior hides one or more threads that belong to the malware instance. | | hide executing code | |
| hide userspace libraries | The 'hide userspace libraries' Behavior hides the usage of userspace libraries by the malware instance. | | hide executing code | |
| identify file | The 'identify file' Behavior identifies one or more files on a local, removable, and/or network drive for infection. | Infection Propagation: targeted file type, Infection Propagation: targeted file architecture type | file infection | |
| identify OS | The 'identify OS' Behavior identifies the operating system under which the malware instance is executing. | | host configuration probing | |
| identify target machines | The 'identify target machine(s)' Behavior identifies one or more machines to be targeted for infection via some remote means (e.g., via email or the network). | | remote machine infection | find target machines, recon targets |
| impersonate user | The 'impersonate user' Behavior impersonates another user in order to operate within a different security context. | Privilege Escalation: user privilege escalation type | privilege escalation | horizontal privilege escalation |
| install backdoor | The 'install backdoor' Behavior installs a backdoor on the system on which the malware instance is executing, capable of providing covert remote access to the system. | | machine access/control | |
| install legitimate software | The 'install legitimate software' Behavior installs legitimate (i.e., non-malware) software on the same system on which the malware instance is executing. | | install other components | |
| install secondary malware | The 'install secondary malware' Behavior installs another, different malware instance on the system on which the malware instance is executing. | | install other components | |
| install secondary module | The 'install secondary module' Behavior installs a secondary module (typically related to the malware instance itself) on the same system on which the malware instance is executing. | | install other components | |
| intercept/manipulate network traffic | The 'intercept/manipulate network traffic' Behavior intercepts and/or manipulates network traffic going to or originating from the system on which the malware instance is executing. | | data integrity violation | |
| inventory security products | The 'inventory security products' Behavior creates an inventory of the security products installed or running on a system. | Common: applicable platform | security software degradation | |
| inventory system applications | The 'inventory system applications' Behavior inventories the applications installed on the system on which the malware instance is executing. | | host configuration probing | |
| inventory victims | The 'inventory victims' Behavior keeps an inventory of the victims that are remotely infected by the malware instance. | | remote machine infection | |
| limit application type/version | The 'limit application type/version' Behavior limits the type or version of an application that runs on a system in order to ensure that the malware instance is able to continue executing. | | ensure compatibility | |
| log activity | The 'log activity' Behavior logs the activity of the malware instance. | | secondary operation | |
| manipulate file system data | The 'manipulate file system data' Behavior manipulates data stored on the file system of the system on which the malware instance is executing in order to compromise its integrity. | | data integrity violation | |
| map local network | The 'map local network' Behavior maps the layout of the local network environment in which the malware instance is executing. | | network environment probing | |
| mine for cryptocurrency | The 'mine for cryptocurrency' Behavior consumes system resources for cryptocurrency (e.g., Bitcoin, Litecoin) mining. | Availability Violation: cryptocurrency type | consume system resources | |
| modify file | The 'modify file' Behavior modifies a file in some manner other than writing code to it, such as packing it (in the sense of binary executable packing). | Infection Propagation: targeted file type, Infection Propagation: targeted file architecture type, Infection Propagation: file modification type | file infection | |
| modify security software configuration | The 'modify security software configuration' Behavior modifies the configuration of one or more instances of security software (e.g., anti-virus) running on a system in order to negatively impact their usefulness and ability to detect the malware instance. | Security Degradation: targeted program | security software degradation | |
| move data to staging server | The 'move data to staging server' Behavior moves data to be exfiltrated to a particular server, to prepare it for exfiltration. | | data staging | |
| obfuscate artifact properties | The 'obfuscate artifact properties' Behavior hides the properties of one or more artifacts associated with the malware instance (e.g., by altering file system timestamps). | Common: applicable platform | hide artifacts | timestomping |
| overload sandbox | The 'overload sandbox' Behavior overloads a sandbox (e.g., by generating a flood of meaningless behavioral data). | Anti-Behavioral Analysis: targeted sandbox | anti-sandbox | |
| package data | The 'package data' Behavior packages data for exfiltration, e.g., by adding it to an archive file. | Data Exfiltration: archive type | data staging | |
| persist after hardware changes | The 'persist after hardware changes' Behavior continues the execution of the malware instance after hardware changes to the system on which it is executing have been made, such as replacement of the hard drive on which the operating system was residing. | | continuous execution | |
| persist after OS changes | The 'persist after OS changes' Behavior continues the execution of the malware instance after the operating system under which it is executing is modified, such as being installed or reinstalled. | Common: applicable platform | continuous execution | |
| persist after system reboot | The 'persist after system reboot' Behavior continues the execution of the malware instance after a system reboot. | Common: applicable platform | continuous execution | |
| prevent API unhooking | The 'prevent API unhooking' Behavior prevents the API hooks installed by the malware instance from being removed. | | prevent artifact deletion | |
| prevent concurrent execution | The 'prevent concurrent execution' Behavior indicates that the malware instance checks whether it is already running on a system, in order to prevent multiple instances of the malware from running concurrently. | | secondary operation | |
| prevent debugging | The 'prevent debugging' Behavior prevents the execution of the malware instance in a debugger. | | anti-debugging | |
| prevent file access | The 'prevent file access' Behavior prevents access to the file system, including to specific files and/or directories associated with the malware instance. | | prevent artifact access | |
| prevent file deletion | The 'prevent file deletion' Behavior prevents files and/or directories associated with the malware instance from being deleted from a system. | | prevent artifact deletion | |
| prevent memory access | The 'prevent memory access' Behavior prevents access to system memory where the malware instance may be storing code or data. | | prevent artifact access | |
| prevent native API hooking | The 'prevent native API hooking' Behavior prevents other software from hooking native system APIs. | | security software evasion | |
| prevent physical memory acquisition | The 'prevent physical memory acquisition' Behavior prevents the contents of the physical memory of the system on which the malware instance is executing from being retrieved. | | anti-memory forensics | |
| prevent registry access | The 'prevent registry access' Behavior prevents access to the Windows registry, including to the entire registry and/or to particular registry keys/values. | | prevent artifact access | |
| prevent registry deletion | The 'prevent registry deletion' Behavior prevents Windows registry keys and/or values associated with the malware instance from being deleted from a system. | | prevent artifact deletion | |
| prevent security software from executing | The 'prevent security software from executing' Behavior prevents one or more instances of security software from executing on a system. | Security Degradation: targeted program | security software degradation | |
| re-instantiate self | The 're-instantiate self' Behavior re-establishes the malware instance on the system after it is initially detected and partially removed. | | system re-infection | |
| remove self | The 'remove self' Behavior removes the malware instance from the system on which it is executing. | | clean traces of infection | |
| remove SMS warning messages | The 'remove SMS warning messages' Behavior captures the message body of incoming SMS messages and suppresses the display of messages that meet certain criteria. | | service provider security feature degradation | |
| remove system artifacts | The 'remove system artifacts' Behavior removes artifacts associated with the malware instance (e.g., files, directories, Windows registry keys) from the system on which it is executing. | | clean traces of infection | |
| request email address list | The 'request email address list' Behavior requests the current list of email addresses, for sending email spam messages to, from the command and control server. | Common: network protocol | send data to c2 server | |
| request email template | The 'request email template' Behavior requests the current template, for use in generating email spam messages, from the command and control server. | Common: network protocol | send data to c2 server | |
| search for remote machines | The 'search for remote machines' Behavior searches for one or more remote machines to target. | | machine access/control | |
| send beacon | The 'send beacon' Behavior sends 'beacon' data to a command and control server, indicating that the malware instance is still active on the host system and able to communicate. | Command and Control: frequency, Command and Control: port number, Common: network protocol | send data to c2 server | heartbeat, send heartbeat data |
| send email message | The 'send email message' Behavior sends an email message from the system on which the malware instance is executing to one or more recipients, most commonly for the purpose of spamming. | Common: network protocol | email spam | |
| send system information | The 'send system information' Behavior sends data regarding the system on which the malware instance is executing to a command and control server. | Common: network protocol | send data to c2 server | |
| social-engineering based remote infection | The 'social-engineering based remote infection' Behavior infects remote machines via some method that involves social engineering (e.g., sending an email with a malicious attachment). | Infection Propagation: infection targeting | remote machine infection | |
| steal browser cache | The 'steal browser cache' Behavior steals a user's browser cache. | Data Theft: targeted application | user data theft | |
| steal browser cookies | The 'steal browser cookies' Behavior steals one or more browser cookies stored on the system on which the malware instance is executing. | | authentication credentials theft | |
| steal browser history | The 'steal browser history' Behavior steals a user's browser history. | | user data theft | |
| steal contact list data | The 'steal contact list data' Behavior steals a user's contact list. | | user data theft | |
| steal cryptocurrency data | The 'steal cryptocurrency data' Behavior steals cryptocurrency data that may be stored on a system (e.g., Bitcoin wallets). | | stored information theft | |
| steal database content | The 'steal database content' Behavior steals content from a database that the malware instance may be able to access. | | stored information theft | |
| steal dialed phone numbers | The 'steal dialed phone numbers' Behavior steals the list of phone numbers that a user has dialed (e.g., on a mobile device). | | user data theft | |
| steal digital certificates | The 'steal digital certificates' Behavior steals one or more private keys that may be present on the system on which the malware instance is executing, in order to hijack the corresponding digital certificates, e.g., those used in a public-key infrastructure (PKI). | | authentication credentials theft | |
| steal documents | The 'steal documents' Behavior steals document files (e.g., PDF) stored on a system. | | stored information theft | |
| steal email data | The 'steal email data' Behavior steals a user's email data. | Data Theft: targeted application, Data Theft: targeted website | user data theft | |
| steal images | The 'steal images' Behavior steals image files that may be stored on a system. | | stored information theft | |
| steal password hashes | The 'steal password hashes' Behavior steals password hashes. | | authentication credentials theft | |
| steal PKI key | The 'steal PKI key' Behavior steals one or more public key infrastructure (PKI) keys. | | authentication credentials theft | |
| steal referrer URLs | The 'steal referrer URLs' Behavior steals HTTP referrer information (the URL of the web page that linked to the resource being requested). | | user data theft | |
| steal serial numbers | The 'steal serial numbers' Behavior steals serial numbers stored on a system. | | stored information theft | |
| steal SMS database | The 'steal SMS database' Behavior steals a user's short message service (SMS, text messaging) database (e.g., on a mobile device). | | user data theft | |
| steal web/network credential | The 'steal web/network credential' Behavior steals usernames, passwords, or other forms of web (e.g., for logging into a website) and/or network credentials. | Common: technique, Common: applicable platform | authentication credentials theft | |
| stop execution of security software | The 'stop execution of security software' Behavior stops the execution of one or more instances of security software that may already be executing on a system. | Common: applicable platform | security software degradation | |
| suicide exit | The 'suicide exit' Behavior terminates the execution of the malware instance based on some trigger condition or value. | Secondary Operation: trigger type | secondary operation | |
| test for firewall | The 'test for firewall' Behavior tests whether the network environment in which the malware instance is executing contains a hardware or software firewall. | | network environment probing | |
| test for internet connectivity | The 'test for internet connectivity' Behavior tests whether the network environment in which the malware instance is executing is connected to the internet. | | network environment probing | |
| test for network drives | The 'test for network drives' Behavior tests for network drives that may be present in the network environment in which the malware instance is executing. | | network environment probing | |
| test for proxy | The 'test for proxy' Behavior tests whether the network environment in which the malware instance is executing contains a hardware or software proxy. | | network environment probing | |
| test SMTP connection | The 'test SMTP connection' Behavior tests whether an outgoing SMTP connection can be made from the system on which the malware instance is executing to some SMTP server, by sending a test SMTP transaction. | | email spam | |
| update configuration | The 'update configuration' Behavior updates the configuration of the malware instance using data received from a command and control server. | | receive data from c2 server | |
| validate data | The 'validate data' Behavior validates the integrity of data received from a command and control server. | | receive data from c2 server | |
| write code into file | The 'write code into file' Behavior writes code into one or more files. | Infection Propagation: targeted file type, Infection Propagation: targeted file architecture type, Infection Propagation: file infection type | file infection | |
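The 'evade static heuristic' entry above is the one row in this vocabulary that names a concrete mechanism: a static heuristic that flags a double extension such as invoice.doc.exe. The following is an added example, not part of the original vocabulary page, showing what such a heuristic looks like in code, the filenames that slip past a naive version of it (which is the point of the Behavior), and a slightly hardened variant. The extension lists and sample filenames are constructed for illustration.

```python
"""Double-extension heuristic: a naive AV-style check, the inputs that evade it,
and a hardened variant. Added example; extension lists are constructed."""

# Extensions the OS will execute directly (constructed, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Extensions a user expects on a harmless document or picture (constructed).
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg", "png"}


def naive_double_extension(filename: str) -> bool:
    """Flag 'name.<doc>.<exe>': a document extension immediately before an executable one.

    This is the heuristic the vocabulary row describes. It is purely lexical, so
    anything that breaks the exact 'doc.exe' adjacency passes.
    """
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS


def hardened_double_extension(filename: str) -> bool:
    """Same idea, but tolerant of the two cheapest evasions of the naive check:
    whitespace padding before the real extension ('invoice.doc      .exe') and
    an extra token between the lure and the real extension ('invoice.doc.bak.exe').
    A file with a single executable extension still passes; that is the limit of
    a static heuristic, not a bug in this one.
    """
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 3 or parts[-1] not in EXECUTABLE_EXTS:
        return False
    return any(p in DOCUMENT_EXTS for p in parts[1:-1])


def classify(filenames: list[str]) -> dict[str, tuple[bool, bool]]:
    """Return {filename: (naive_verdict, hardened_verdict)} for a batch of names."""
    return {f: (naive_double_extension(f), hardened_double_extension(f)) for f in filenames}


# Constructed sample attachment names, from the obvious lure to the ones that
# evade the naive check.
SAMPLES = [
    "invoice.doc.exe",          # the textbook double extension
    "invoice.doc      .exe",    # whitespace padding breaks the naive adjacency test
    "invoice.doc.bak.exe",      # extra token between lure and real extension
    "invoice_doc.exe",          # no second extension at all: evades both
    "invoice.docx",             # genuinely benign document
]

if __name__ == "__main__":
    for name, (naive, hardened) in classify(SAMPLES).items():
        print(f"{name!r:28} naive={naive!s:5} hardened={hardened}")
```

Running the block prints a verdict pair per sample. The two middle samples show the Behavior in action: the naive heuristic says clean while the hardened one says suspicious, and the fourth sample shows that once the lure extension is gone entirely no lexical check will help, which is why this evasion is cheap for malware authors and why static heuristics are only one layer.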
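The 'generate c2 domain name(s)' row describes a domain generation algorithm (DGA) without showing how one behaves. The following is an added example, not code from the original page, of a constructed seed-and-date DGA together with the defender's use of the same algorithm: once the seed is recovered from a sample, the domains for the coming days can be pre-computed and sinkholed or blocked. The seed value, label length, TLD list and date are all constructed assumptions for illustration, not taken from any real malware family.

```python
"""Constructed DGA and the matching pre-computation a defender runs.
Added example; seed, TLD list and dates are assumptions for illustration."""
import hashlib
from datetime import date, timedelta

# Constructed TLD list; real DGAs pick from a hard-coded table like this.
TLDS = ("com", "net", "org", "info")
# Constructed seed a sample would carry (e.g. recovered from a config blob).
SEED = b"maec-behavior-example-seed"


def generate_c2_domains(seed: bytes, day: date, count: int = 5) -> list[str]:
    """Derive `count` domains for one calendar day from a shared secret seed.

    Both the malware and anyone who has recovered the seed compute the same
    list, which is what makes the behaviour detectable: the set is predictable
    once the algorithm and seed are known.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # 12 lower-case letters from the first 12 digest bytes, one TLD from the 13th.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def precompute_blocklist(seed: bytes, start: date, days: int = 3, count: int = 5) -> set[str]:
    """Defender side: enumerate the domains the DGA will produce for `days` days
    starting at `start`, so they can be sinkholed or added to a DNS blocklist
    before the malware ever resolves them."""
    block: set[str] = set()
    for offset in range(days):
        block.update(generate_c2_domains(seed, start + timedelta(days=offset), count))
    return block


def is_dga_domain(domain: str, seed: bytes, start: date, days: int = 3) -> bool:
    """Check one observed DNS query name against the pre-computed window."""
    return domain.lower().rstrip(".") in precompute_blocklist(seed, start, days)


if __name__ == "__main__":
    today = date(2024, 1, 1)  # constructed date so the output is reproducible
    for d in generate_c2_domains(SEED, today):
        print("day-1 candidate:", d)
    print("blocklist size for 3 days:", len(precompute_blocklist(SEED, today)))
```

The learning point is the symmetry: the Behavior exists so the malware need not embed a fixed domain (which would be trivially blocked), but determinism cuts both ways. A DGA that is reimplemented from a reversed sample lets the defender see tomorrow's domains today; real families therefore vary the seed source (e.g. a value fetched at runtime), which is the detail to look for when characterising this Behavior in a sample.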