Behaviors


A Behavior corresponds to the specific purpose behind a particular snippet of code, as executed by a malware instance. Examples include keylogging, detecting a virtual machine, and installing a backdoor.

A Behavior may have attributes associated with it. For example, the steal browser history Behavior can be further specified by the 'targeted application' attribute.

| Name | Description | Associated Attributes | Associated Capabilities/Subcapabilities | Aliases |
|---|---|---|---|---|
| access premium service | The 'access premium service' Behavior accesses a premium service, such as a premium SMS service. | | fraud | |
| autonomous remote infection | The 'autonomous remote infection' Behavior infects a remote machine autonomously, without the involvement of any end user (e.g., through the exploitation of a remote procedure call vulnerability). | | remote machine infection | |
| block security websites | The 'block security websites' Behavior prevents access from the system on which the malware instance is executing to one or more security vendor or security-related websites. | | security software degradation | |
| capture keyboard input | The 'capture keyboard input' Behavior captures data from the keyboard attached to the system on which the malware instance is running. | Common: technique, Common: applicable platform | authentication credentials theft, input peripheral capture | keylogging, keystroke logging, keyboard capturing |
| check for payload | The 'check for payload' Behavior queries a command and control server to check whether a new payload is available for download. | Common: network protocol | send data to c2 server | |
| click fraud | The 'click fraud' Behavior simulates legitimate user clicks on website advertisements for the purpose of revenue generation. | | fraud | |
| compare host fingerprints | The 'compare host fingerprints' Behavior compares a previously computed host fingerprint to one computed for the current system on which the malware instance is executing, to determine if the malware instance is still executing on the same system. | Common: applicable platform | environment awareness | |
| control malware via remote command | The 'control malware via remote command' Behavior executes commands issued to the malware instance from a remote source such as a command and control server, for the purpose of controlling its behavior. | | receive data from c2 server | |
| crack passwords | The 'crack passwords' Behavior consumes system resources for the purpose of password cracking. | | consume system resources | |
| defeat call graph generation | The 'defeat call graph generation' Behavior defeats accurate call graph generation during disassembly of the malware instance. | | anti-disassembly | |
| defeat emulator | The 'defeat emulator' Behavior defeats or prevents the execution of the malware instance in an emulator. | | anti-emulation | |
| defeat flow-oriented disassembler | The 'defeat flow-oriented disassembler' Behavior defeats disassembly of the malware instance in a flow-oriented (recursive traversal) disassembler. | | anti-disassembly | |
| defeat linear disassembler | The 'defeat linear disassembler' Behavior prevents the disassembly of the malware instance in a linear disassembler. | | anti-disassembly | |
| denial of service | The 'denial of service' Behavior causes the local machine on which the malware instance is executing and/or a remote network resource to be unavailable. | | compromise system availability | DOS, DDOS |
| destroy hardware | The 'destroy hardware' Behavior physically destroys a piece of hardware, e.g., by causing it to overheat. | | physical entity destruction | |
| detect debugging | The 'detect debugging' Behavior detects whether the malware instance is being executed inside of a debugger. | Common: technique, Common: applicable platform | anti-debugging | |
| detect emulator | The 'detect emulator' Behavior detects whether the malware instance is being executed in an emulator. | | anti-emulation | |
| detect installed analysis tools | The 'detect installed analysis tools' Behavior indicates that the malware instance attempts to detect whether certain analysis tools are present on the system on which it is executing. | | anti-behavioral analysis | |
| detect sandbox environment | The 'detect sandbox environment' Behavior detects whether the malware instance is being executed in a sandbox environment. | Common: technique, Common: applicable platform, Anti-Behavioral Analysis: targeted sandbox | anti-sandbox | |
| detect VM environment | The 'detect VM environment' Behavior detects whether the malware instance is being executed in a virtual machine (VM). | Anti-Behavioral Analysis: targeted VM, Common: applicable platform, Common: technique | anti-VM | |
| disable kernel patch protection | The 'disable kernel patch protection' Behavior bypasses or disables kernel patch protection mechanisms such as Windows' PatchGuard, enabling the malware instance to operate at the same level as the operating system kernel and kernel mode drivers (KMD). | | OS security feature degradation | |
| disable OS security alerts | The 'disable OS security alerts' Behavior disables operating system (OS) security alert messages that could lead to identification and/or notification of the presence of the malware instance. | | OS security feature degradation | |
| disable system file overwrite protection | The 'disable system file overwrite protection' Behavior disables system file overwrite protection mechanisms such as Windows File Protection, thereby enabling system files to be modified or replaced. | | OS security feature degradation | |
| encrypt files | The 'encrypt files' Behavior encrypts one or more files on the system on which the malware instance is executing, to make them unavailable for use by the users of the system. | Common: applicable platform, Common: encryption algorithm, Common: technique | compromise data availability | |
| encrypt self | The 'encrypt self' Behavior encrypts the executing code (in memory) that belongs to the malware instance. | Common: encryption algorithm | self-modification | |
| erase data | The 'erase data' Behavior destroys data stored on a disk or in memory by erasure. | | virtual entity destruction | wipe data |
| evade static heuristic | The 'evade static heuristic' Behavior evades static heuristic analysis, which some anti-virus engines can be easily fooled by. For example, a heuristic engine may check whether a file uses a double extension (e.g., invoice.doc.exe) and classify the file as malicious on that basis. | | anti-virus evasion | |
| execute before/external to kernel/hypervisor | The 'execute before/external to kernel/hypervisor' Behavior executes some or all of the malware instance's code before or external to the system's kernel or hypervisor (e.g., through the BIOS). | | hide executing code | |
| execute non-main CPU code | The 'execute non-main CPU code' Behavior executes some or all of the code of the malware instance on a secondary, non-CPU processor (e.g., a GPU). | | hide executing code | |
| execute stealthy code | The 'execute stealthy code' Behavior executes some or all of the code of the malware instance in a hidden manner (e.g., by injecting it into a benign process). | | hide executing code | |
| feed misinformation during physical memory acquisition | The 'feed misinformation during physical memory acquisition' Behavior reports inaccurate data when the contents of the physical memory of the system on which the malware instance is executing are retrieved. | | anti-memory forensics | |
| fingerprint host | The 'fingerprint host' Behavior creates a unique fingerprint for the system on which the malware instance is executing, e.g., based on the applications that are installed on the system. | Common: applicable platform | environment awareness | |
| generate c2 domain name(s) | The 'generate c2 domain name(s)' Behavior generates the domain name of the command and control server to which the malware instance connects. | | determine c2 server | |
| hide arbitrary virtual memory | The 'hide arbitrary virtual memory' Behavior hides arbitrary segments of virtual memory belonging to the malware instance in order to prevent their retrieval. | | anti-memory forensics | |
| hide kernel modules | The 'hide kernel modules' Behavior hides the usage of any kernel modules by the malware instance. | Common: applicable platform | hide executing code | |
| hide processes | The 'hide processes' Behavior hides one or more of the processes in which the malware instance is executing. | | hide executing code | |
| hide services | The 'hide services' Behavior hides any system services that the malware instance creates or injects itself into. | | hide executing code | |
| hide threads | The 'hide threads' Behavior hides one or more threads that belong to the malware instance. | | hide executing code | |
| hide userspace libraries | The 'hide userspace libraries' Behavior hides the usage of userspace libraries by the malware instance. | | hide executing code | |
| install legitimate software | The 'install legitimate software' Behavior installs legitimate (i.e., non-malware) software on the same system on which the malware instance is executing. | | install other components | |
| install secondary malware | The 'install secondary malware' Behavior installs another, different malware instance on the system on which the malware instance is executing. | | install other components | |
| install secondary module | The 'install secondary module' Behavior installs a secondary module (typically related to the malware instance itself) on the same system on which the malware instance is executing. | | install other components | |
| intercept/manipulate network traffic | The 'intercept/manipulate network traffic' Behavior intercepts and/or manipulates network traffic going to or originating from the system on which the malware instance is executing. | | data integrity violation | |
| inventory security products | The 'inventory security products' Behavior creates an inventory of the security products installed or running on a system. | Common: applicable platform | security software degradation | |
| log activity | The 'log activity' Behavior logs the activity of the malware instance. | | secondary operation | |
| manipulate file system data | The 'manipulate file system data' Behavior manipulates data stored on the file system of the system on which the malware instance is executing in order to compromise its integrity. | | data integrity violation | |
| mine for cryptocurrency | The 'mine for cryptocurrency' Behavior consumes system resources for cryptocurrency (e.g., Bitcoin, Litecoin) mining. | Availability Violation: cryptocurrency type | consume system resources | |
| overload sandbox | The 'overload sandbox' Behavior overloads a sandbox (e.g., by generating a flood of meaningless behavioral data). | Anti-Behavioral Analysis: targeted sandbox | anti-sandbox | |
| persist after os changes | The 'persist after os changes' Behavior continues the execution of the malware instance after the operating system under which it is executing is modified, such as being installed or reinstalled. | Common: applicable platform | continuous execution | |
| persist after system reboot | The 'persist after system reboot' Behavior continues the execution of the malware instance after a system reboot. | Common: applicable platform | continuous execution | |
| prevent API unhooking | The 'prevent API unhooking' Behavior prevents the API hooks installed by the malware instance from being removed. | | prevent artifact deletion | |
| prevent concurrent execution | The 'prevent concurrent execution' Behavior indicates that the malware instance checks whether it is already running on a system, in order to prevent multiple instances of the malware from running concurrently. | | secondary operation | |
| prevent debugging | The 'prevent debugging' Behavior prevents the execution of the malware instance in a debugger. | | anti-debugging | |
| prevent file access | The 'prevent file access' Behavior prevents access to the file system, including to specific files and/or directories associated with the malware instance. | | prevent artifact access | |
| prevent file deletion | The 'prevent file deletion' Behavior prevents files and/or directories associated with the malware instance from being deleted from a system. | | prevent artifact deletion | |
| prevent memory access | The 'prevent memory access' Behavior prevents access to system memory where the malware instance may be storing code or data. | | prevent artifact access | |
| prevent native API hooking | The 'prevent native API hooking' Behavior prevents other software from hooking native system APIs. | | security software evasion | |
| prevent physical memory acquisition | The 'prevent physical memory acquisition' Behavior prevents the contents of the physical memory of the system on which the malware instance is executing from being retrieved. | | anti-memory forensics | |
| prevent registry access | The 'prevent registry access' Behavior prevents access to the Windows registry, including to the entire registry and/or to particular registry keys/values. | | prevent artifact access | |
| prevent registry deletion | The 'prevent registry deletion' Behavior prevents Windows registry keys and/or values associated with the malware instance from being deleted from a system. | | prevent artifact deletion | |
| re-instantiate self | The 're-instantiate self' Behavior re-establishes the malware instance on the system after it is initially detected and partially removed. | | system re-infection | |
| remove SMS warning messages | The 'remove SMS warning messages' Behavior captures the message body of incoming SMS messages and aborts the display of messages that meet certain criteria. | | service provider security feature degradation | |
| request email address list | The 'request email address list' Behavior requests the current list of email addresses to which email spam messages are to be sent from the command and control server. | Common: network protocol | send data to c2 server | |
| request email template | The 'request email template' Behavior requests the current template, for use in generating email spam messages, from the command and control server. | Common: network protocol | send data to c2 server | |
| send beacon | The 'send beacon' Behavior sends 'beacon' data to a command and control server, indicating that the malware instance is still active on the host system and able to communicate. | Command and Control: frequency, Command and Control: port number, Common: network protocol | send data to c2 server | heartbeat, send heartbeat data |
| send email message | The 'send email message' Behavior sends an email message from the system on which the malware instance is executing to one or more recipients, most commonly for the purpose of spamming. | Common: network protocol | email spam | |
| send system information | The 'send system information' Behavior sends data regarding the system on which the malware instance is executing to a command and control server. | Common: network protocol | send data to c2 server | |
| steal web/network credential | The 'steal web/network credential' Behavior steals usernames, passwords, or other forms of web (e.g., for logging into a website) and/or network credentials. | Common: technique, Common: applicable platform | authentication credentials theft | |
| stop execution of security software | The 'stop execution of security software' Behavior stops the execution of one or more instances of security software that may already be executing on a system. | Common: applicable platform | security software degradation | |
| suicide exit | The 'suicide exit' Behavior terminates the execution of the malware instance based on some trigger condition or value. | Secondary Operation: trigger type | secondary operation | |
| test SMTP connection | The 'test SMTP connection' Behavior tests whether an outgoing SMTP connection can be made from the system on which the malware instance is executing to some SMTP server, by sending a test SMTP transaction. | | email spam | |
| update configuration | The 'update configuration' Behavior updates the configuration of the malware instance using data received from a command and control server. | | receive data from c2 server | |