Behaviors
From ema
A Behavior corresponds to the specific purpose behind a particular snippet of code, as executed by a malware instance. Examples include keylogging, detecting a virtual machine, and installing a backdoor.
A Behavior may have attributes associated with it. For example, the steal browser history Behavior can be further specified by the 'targeted application' attribute.
| Name | Description | Associated Attributes | Associated Capabilities/ Subcapabilities | Aliases |
|---|---|---|---|---|
| access premium service | The 'access premium service' Behavior accesses a premium service, such as a premium SMS service. | fraud | ||
| autonomous remote infection | The 'autonomous remote infection' Behavior infects a remote machine autonomously, without the involvement of any end user (e.g., through the exploitation of a remote procedure call vulnerability). | remote machine infection | ||
| block security websites | The 'block security websites' Behavior prevents access from the system on which the malware instance is executing to one or more security vendor or security-related websites. | security software degradation | ||
| capture keyboard input | The 'capture keyboard input' Behavior captures data from the keyboard attached to the system on which the malware instance is running. | Common: technique, Common: applicable platform | authentication credentials theft, input peripheral capture | keylogging, keystroke logging, keyboard capturing |
| check for payload | The 'check for payload' Behavior queries a command and control server to check whether a new payload is available for download. | Common: network protocol | send data to c2 server | |
| click fraud | The 'click fraud' Behavior simulates legitimate user clicks on website advertisements for the purpose of revenue generation. | fraud | ||
| compare host fingerprints | The 'compare host fingerprints' Behavior compares a previously computed host fingerprint to one computed for the current system on which the malware instance is executing, to determine if the malware instance is still executing on the same system. | Common: applicable platform | environment awareness | |
| control malware via remote command | The 'control malware via remote command' Behavior executes commands issued to the malware instance from a remote source such as a command and control server, for the purpose of controlling its behavior. | receive data from c2 server | ||
| crack passwords | The 'crack passwords' Behavior consumes system resources for the purpose of password cracking. | consume system resources | ||
| defeat call graph generation | The 'defeat call graph generation' Behavior defeats accurate call graph generation during disassembly of the malware instance. | anti-disassembly | ||
| defeat emulator | Defeats or prevents the execution of the malware instance in an emulator. | anti-emulation | ||
| defeat flow-oriented assembler | The 'defeat flow-oriented disassembler' Behavior defeats disassembly of the malware instance in a flow-oriented (recursive traversal) disassembler. | anti-disassembly | ||
| defeat linear disassembler | The 'defeat linear disassembler' Behavior prevent the disassembly of the malware instance in a linear disassembler. | anti-disassembly | ||
| denial of service | The 'denial of service' Behavior causes the local machine on which the malware instance is executing and/or a remote network resource to be unavailable. | compromise system availability | DOS, DDOS | |
| destroy hardware | The 'destroy hardware' Behavior physically destroys a piece of hardware, e.g., by causing it to overheat. | physical entity destruction | ||
| detect debugging | The 'detect debugging' Behavior detects whether the malware instance is being executed inside of a debugger. | Common: technique, Common: applicable platform | anti-debugging | |
| detect emulator | Detects whether the malware instance is being executed in an emulator. | anti-emulation | ||
| detect installed analysis tools | Indicates that the malware instance attempts to detect whether certain analysis tools are present on the system on which it is executing. | anti-behavioral analysis | ||
| detect sandbox environment | The 'detect sandbox environment' Behavior detects whether the malware instance is being executed in a sandbox environment. | Common: technique, Common: applicable platform, Anti-Behavioral Analysis: targeted sandbox | anti-sandbox | |
| detect VM environment | The 'detect VM environment' Behavior detects whether the malware instance is being executed in a virtual machine (VM). | Anti-Behavioral Analysis: targeted VM, Common: applicable platform, Common: technique | anti-VM | |
| disable kernel patch protection | The ‘disable kernel patch protection’ Behavior bypasses or disables kernel patch protection mechanisms such as Windows' PatchGuard, enabling the malware instance to operate at the same level as the operating system kernel and kernel mode drivers (KMD). | OS security feature degradation | ||
| disable OS security alerts | The ‘disable OS security alerts’ Behavior disables operating system (OS) security alert messages that could lead to identification and/or notification of the presence of the malware instance. | OS security feature degradation | ||
| disable system file overwrite protection | The ‘disable system file overwrite protection’ Behavior disables system file overwrite protection mechanisms such as Windows file protection, thereby enabling system files to be modified or replaced. | OS security feature degradation | ||
| encrypt files | The 'encrypt files' Behavior encrypts one or more files on the system on which the malware instance is executing, to make them unavailable for use by the users of the system. | Common: applicable platform, Common: encryption algorithm, Common: technique | compromise data availability | |
| encrypt self | The 'encrypt self' Behavior encrypts the executing code (in memory) that belongs to the malware instance. | Common: encryption algorithm | self-modification | |
| erase data | The 'erase data' Behavior destroys data stored on a disk or in memory by erasure. | virtual entity destruction | wipe data | |
| evade static heuristic | Some AV can be easily fool by analyzing it. For example, an heuristic engine can try to figure out if a file are using a dual extension (e.g: invoice.doc.exe) and determine the file as being malicious. | anti-virus evasion | ||
| execute before/external to kernel/hypervisor | The 'execute before/external to kernel/hypervisor' Behavior executes some or all of the malware instance's code before or external to the system's kernel or hypervisor (e.g., through the BIOS). | hide executing code | ||
| execute non-main CPU code | The 'execute non-main cpu code' Behavior executes some or all of the code of the malware instance on a secondary, non-CPU processor (e.g., a GPU). | hide executing code | ||
| execute stealthy code | The 'execute stealthy code' Behavior executes some or all of the code of the malware instance in a hidden manner (e.g., by injecting it into a benign process). | hide executing code | ||
| feed misinformation during physical memory acquisition | The 'feed misinformation during physical memory acquisition' Behavior reports inaccurate data when the contents of the physical memory of the system on which the malware instance is executing is retrieved. | anti-memory forensics | ||
| fingerprint host | The 'fingerprint host' Behavior creates a unique fingerprint for the system on which the malware instance is executing, e.g., based on the applications that are installed on the system. | Common: applicable platform | environment awareness | |
| generate c2 domain name(s) | The 'generate c2 domain name(s)' Behavior generates the domain name of the command and control server to which it connects to. | determine c2 server | ||
| hide arbitrary virtual memory | The 'hide arbitrary virtual memory' Behavior hides arbitrary segments of virtual memory belonging to the malware instance in order to prevent their retrieval. | anti-memory forensics | ||
| hide kernel modules | The 'hide kernel modules' Behavior hides the usage of any kernel modules by the malware instance. | Common: applicable platform | hide executing code | |
| hide processes | The 'hide processes' Behavior hides one or more of the processes in which the malware instance is executing. | hide executing code | ||
| hide services | The 'hide services' Behavior hides any system services that the malware instance creates or injects itself into. | hide executing code | ||
| hide threads | The 'hide threads' Behavior hides one or more threads that belong to the malware instance. | hide executing code | ||
| hide userspace libraries | The 'hide userspace libraries' Behavior hides the usage of userspace libraries by the malware instance. | hide executing code | ||
| install legitimate software | The 'install legitimate software' Behavior install legitimate (i.e. non-malware) software on the same system on which the malware instance is executing. | install other components | ||
| install secondary malware | The 'install secondary malware' Behavior installs another, different malware instance on the system on which the malware instance is executing. | install other components | ||
| install secondary module | The 'install secondary module' Behavior installs a secondary module (typically related to the malware instance itself) on the same system on which the malware instance is executing. | install other components | ||
| intercept/manipulate network traffic | The 'intercept/manipulate network traffic' Behavior intercepts and/or manipulates network traffic going to or originating from the system on which the malware instance is executing. | data integrity violation | ||
| inventory security products | The 'inventory security products' Behavior creates an inventory of the security products installed or running on a system. | Common: applicable platform | security software degradation | |
| log activity | The 'log activity' Behavior logs the activity of the malware instance. | secondary operation | ||
| manipulate file system data | The 'manipulate file system data' Behavior manipulates data stored on the file system of the system on which the malware instance is executing in order to compromise its integrity. | data integrity violation | ||
| mine for cryptocurrency | The 'mine for cryptocurrency' Behavior consumes system resources for cryptocurrency (e.g., Bitcoin, Litecoin, etc.) mining. | Availability Violation: cryptocurrency type | consume system resources | |
| overload sandbox | The 'overload sandbox' Behavior overloads a sandbox (e.g., by generating a flood of meaningless behavioral data) | Anti-Behavioral Analysis: targeted sandbox | anti-sandbox | |
| persist after os changes | The 'persist after os changes' Behavior continues the execution of the malware instance after the operating system under which it is executing is modified, such as being installed or reinstalled. | Common: applicable platform | continuous execution | |
| persist after system reboot | The 'persist after system reboot' Behavior continues the execution of the malware instance after a system reboot. | Common: applicable platform | continuous execution | |
| prevent API unhooking | The 'prevent api unhooking' Behavior prevent the API hooks installed by the malware instance from being removed. | prevent artifact deletion | ||
| prevent concurrent execution | Indicates that the malware checks to see if it is already running on a system, in order to prevent multiple instances of the malware running concurrently. | secondary operation | ||
| prevent debugging | The 'prevent debugging' Behavior prevents the execution of the malware instance in a debugger. | anti-debugging | ||
| prevent file access | The 'prevent file access' Behavior prevents access to the file system, including to specific files and/or directories associated with the malware instance. | prevent artifact access | ||
| prevent file deletion | The 'prevent file deletion' Behavior prevents files and/or directories associated with the malware instance from being deleted from a system. | prevent artifact deletion | ||
| prevent memory access | The 'prevent memory access' Behavior prevents access to system memory where the malware instance may be storing code or data. | prevent artifact access | ||
| prevent native API hooking | The 'prevent native api hooking' Behavior prevents other software from hooking native system APIs. | security software evasion | ||
| prevent physical memory acquisition | The 'prevent physical memory acquisition' Behavior prevents the contents of the physical memory of the system on which the malware instance is executing from being retrieved. | anti-memory forensics | ||
| prevent registry access | The 'prevent registry access' Behavior prevents access to the Windows registry, including to the entire registry and/or to particular registry keys/values. | prevent artifact access | ||
| prevent registry deletion | The 'prevent registry deletion' Behavior prevent Windows registry keys and/or values associated with the malware instance from being deleted from a system. | prevent artifact deletion | ||
| re-instantiate self | The 're-instantiate self' Behavior re-establishes the malware instance on the system after it is initially detected and partially removed. | system re-infection | ||
| remove SMS warning messages | The ‘remove SMS warning messages’ Behavior captures the message body of incoming SMS messages and aborts displaying messages that meets a certain criteria. | service provider security feature degradation | ||
| request email address list | The 'request email address list' Behavior requests the current list of email addresses, for sending email spam messages to, from the command and control server. | Common: network protocol | send data to c2 server | |
| request email template | The 'request email template' Behavior requests the current template, for use in generating email spam messages, from the command and control server. | Common: network protocol | send data to c2 server | |
| send beacon | The 'send beacon' Behavior sends 'beacon' data to a command and control server, indicating that it is still active on the host system and able to communicate. | Command and Control: frequency, Command and Control: port number, Common: network protocol | send data to c2 server | heartbeat, send heartbeat data |
| send email message | The 'send email message' Behavior sends an email message from the system on which the malware instance is executing to one or more recipients, most commonly for the purpose of spamming. | Common: network protocol | email spam | |
| send system information | The 'send system information' Behavior sends data regarding the system on which it is executing to a command and control server. | Common: network protocol | send data to c2 server | |
| steal web/network credential | The 'steal web/network credential' Behavior steals usernames, passwords, or other forms of web (e.g., for logging into a website) and/or network credentials. | Common: technique, Common: applicable platform | authentication credentials theft | |
| stop execution of security software | The 'stop execution of security program' Behavior stops the execution of one or more instances of security software that may already be executing on a system. | Common: applicable platform | security software degradation | |
| suicide exit | The 'suicide exit' Behavior terminates the execution of the malware instance based on some trigger condition or value. | Secondary Operation: trigger type | secondary operation | |
| test SMTP connection | The 'test smtp connection' Behavior tests whether an outgoing SMTP connection can be made from the system on which the malware instance is executing to some SMTP server, by sending a test SMTP transaction. | email spam | ||
| update configuration | The 'update configuration' Behavior updates the configuration of the malware instance using data received from a command and control server. | receive data from c2 server |
