Behaviors
From ema
A Behavior corresponds to the specific purpose behind a particular snippet of code, as executed by a malware instance. Examples include keylogging, detecting a virtual machine, and installing a backdoor.
A Behavior may have attributes associated with it. For example, the steal browser history Behavior can be further specified by the 'targeted application' attribute.
| Name | Description | Associated Attributes | Associated Capabilities/ Subcapabilities | Aliases |
|---|---|---|---|---|
| access premium service | The 'access premium service' Behavior accesses a premium service, such as a premium SMS service. | fraud | ||
| autonomous remote infection | The 'autonomous remote infection' Behavior infects a remote machine autonomously, without the involvement of any end user (e.g., through the exploitation of a remote procedure call vulnerability). | remote machine infection | ||
| block security websites | The 'block security websites' Behavior prevents access from the system on which the malware instance is executing to one or more security vendor or security-related websites. | security software degradation | ||
| capture camera input | The 'capture camera input' Behavior captures data from a system's camera, including from embedded cameras (i.e. on mobile devices) and/or attached webcams. | input peripheral capture | ||
| capture file system | The 'capture file system' Behavior captures data from a file system. | system state data capture | file system dump | |
| capture GPS data | The 'capture gps data' Behavior captures GPS data from the system on which the malware instance is executing. | system interface data capture | ||
| capture keyboard input | The 'capture keyboard input' Behavior captures data from the keyboard attached to the system on which the malware instance is running. | Common: technique, Common: applicable platform | authentication credentials theft, input peripheral capture | keylogging, keystroke logging, keyboard capturing |
| capture microphone input | The 'capture microphone input' Behavior capture data from a system's microphone, including from embedded microphones (i.e. on mobile devices) and those that may be attached externally. | input peripheral capture | ||
| capture mouse input | The 'capture mouse input' Behavior captures data from a system's mouse. | input peripheral capture | ||
| capture printer output | The 'capture printer output' Behavior captures data sent to a system's printer, either locally or remotely. | output peripheral capture | ||
| capture system memory | The 'capture system memory' Behavior captures data from a system's RAM. | Common: applicable platform | system state data capture | memory dump |
| capture system network traffic | The 'capture system network traffic' Behavior captures network traffic from the system on which the malware instance is executing. | system interface data capture | packet capture, network traffic capture, traffic capture | |
| capture system screenshot | The 'capture system screenshot' Behavior captures images of what is currently being displayed on a system's screen, either locally (i.e. on a display) or remotely via a remote desktop protocol. | output peripheral capture, authentication credentials theft | screen capture | |
| capture touchscreen input | The 'capture touchscreen input' Behavior captures data from a system's touchscreen. | input peripheral capture | ||
| check for payload | The 'check for payload' Behavior queries a command and control server to check whether a new payload is available for download. | Common: network protocol | send data to c2 server | |
| check language | The 'check language' Behavior checks the language of the host system on which it executes. | host configuration probing | ||
| click fraud | The 'click fraud' Behavior simulates legitimate user clicks on website advertisements for the purpose of revenue generation. | fraud | ||
| compare host fingerprints | The 'compare host fingerprints' Behavior compares a previously computed host fingerprint to one computed for the current system on which the malware instance is executing, to determine if the malware instance is still executing on the same system. | Common: applicable platform | environment awareness | |
| compromise remote machine | The 'compromise remote machine' Behavior gains control of a remote machine through compromise, e.g., by exploiting a particular vulnerability. | remote machine access | ||
| control local machine via remote command | The 'control local machine via remote command' Behavior controls the machine on which the malware instance is executing, through one or more remotely sent commands. | Common: network protocol | local machine control | |
| control malware via remote command | The 'control malware via remote command' Behavior executes commands issued to the malware instance from a remote source such as a command and control server, for the purpose of controlling its behavior. | receive data from c2 server | ||
| crack passwords | The 'crack passwords' Behavior consumes system resources for the purpose of password cracking. | consume system resources | ||
| defeat call graph generation | The 'defeat call graph generation' Behavior defeats accurate call graph generation during disassembly of the malware instance. | anti-disassembly | ||
| defeat emulator | Defeats or prevents the execution of the malware instance in an emulator. | anti-emulation | ||
| defeat flow-oriented assembler | The 'defeat flow-oriented disassembler' Behavior defeats disassembly of the malware instance in a flow-oriented (recursive traversal) disassembler. | anti-disassembly | ||
| defeat linear disassembler | The 'defeat linear disassembler' Behavior prevent the disassembly of the malware instance in a linear disassembler. | anti-disassembly | ||
| degrade security program | The 'degrade security program' Behavior degrades one or more security programs running on a system, either by stopping them from executing or by making changes to their code or configuration parameters. | Security Degradation: targeted program | ||
| denial of service | The 'denial of service' Behavior causes the local machine on which the malware instance is executing and/or a remote network resource to be unavailable. | compromise system availability | DOS, DDOS | |
| destroy hardware | The 'destroy hardware' Behavior physically destroys a piece of hardware, e.g., by causing it to overheat. | physical entity destruction | ||
| detect debugging | The 'detect debugging' Behavior detects whether the malware instance is being executed inside of a debugger. | Common: technique, Common: applicable platform | anti-debugging | |
| detect emulator | Detects whether the malware instance is being executed in an emulator. | anti-emulation | ||
| detect installed analysis tools | Indicates that the malware instance attempts to detect whether certain analysis tools are present on the system on which it is executing. | anti-behavioral analysis | ||
| detect installed anti-virus tools | Indicates that the malware instance attempts to detect whether certain anti-virus tools are present on the system on which it is executing. | security software degradation | ||
| detect sandbox environment | The 'detect sandbox environment' Behavior detects whether the malware instance is being executed in a sandbox environment. | Common: technique, Common: applicable platform, Anti-Behavioral Analysis: targeted sandbox | anti-sandbox | |
| detect VM environment | The 'detect VM environment' Behavior detects whether the malware instance is being executed in a virtual machine (VM). | Anti-Behavioral Analysis: targeted VM, Common: applicable platform, Common: technique | anti-VM | |
| determine host IP address | The 'determine host ip address' Behavior determines the IP address of the host system on which the malware instance is executing. | host configuration probing | ||
| disable access rights checking | The ‘disable access rights checking’ Behavior bypasses, disables, or modifies access tokens or access control lists, thereby enabling the malware instance to read, write, or execute a file with one or more of these controls set. | access control degradation | ||
| disable firewall | The ‘disable firewall’ Behavior evades or disables the host-based firewall running on the system on which the malware instance is executing. | access control degradation | ||
| disable kernel patch protection | The ‘disable kernel patch protection’ Behavior bypasses or disables kernel patch protection mechanisms such as Windows' PatchGuard, enabling the malware instance to operate at the same level as the operating system kernel and kernel mode drivers (KMD). | OS security feature degradation | ||
| disable OS security alerts | The ‘disable OS security alerts’ Behavior disables operating system (OS) security alert messages that could lead to identification and/or notification of the presence of the malware instance. | OS security feature degradation | ||
| disable privilege limiting | The 'disable privilege limiting' Behavior bypasses or disables mechanisms that limit the privileges that can be granted to a user or entity. | access control degradation | ||
| disable service pack/patch installation | The 'disable service pack/patch installation' Behavior disables the system's ability to install service packs and/or patches. | system update degradation | ||
| disable system file overwrite protection | The ‘disable system file overwrite protection’ Behavior disables system file overwrite protection mechanisms such as Windows file protection, thereby enabling system files to be modified or replaced. | OS security feature degradation | ||
| disable update services/daemons | The 'disable update services/daemons' Behavior disables system update services or daemons that may be already be running on the system on which the malware instance is executing. | system update degradation | ||
| disable user account control | The ‘disable user account control’ Behavior bypasses or disables Windows' user account control (UAC), enabling the malware instance and/or its component to execute with elevated privileges. | OS security feature degradation | ||
| drop/retrieve debug log file | The 'drop/retrieve debug log file' Behavior generates and retrieves a log file of errors relating to the execution of the malware instance. | information gathering for improvement | ||
| elevate privilege | The 'elevate privilege' Behavior elevates the privilege level under which the malware instance is executing. | privilege escalation | vertical privilege escalation | |
| encrypt data | The 'encrypt data' Behavior encrypts data that will be exfiltrated. | Common: encryption algorithm | data obfuscation | |
| encrypt files | The 'encrypt files' Behavior encrypts one or more files on the system on which the malware instance is executing, to make them unavailable for use by the users of the system. | Common: applicable platform, Common: encryption algorithm, Common: technique | compromise data availability | |
| encrypt self | The 'encrypt self' Behavior encrypts the executing code (in memory) that belongs to the malware instance. | Common: encryption algorithm | self-modification | |
| erase data | The 'erase data' Behavior destroys data stored on a disk or in memory by erasure. | virtual entity destruction | wipe data | |
| evade static heuristic | Some AV can be easily fool by analyzing it. For example, an heuristic engine can try to figure out if a file are using a dual extension (e.g: invoice.doc.exe) and determine the file as being malicious. | anti-virus evasion | ||
| execute before/external to kernel/hypervisor | The 'execute before/external to kernel/hypervisor' Behavior executes some or all of the malware instance's code before or external to the system's kernel or hypervisor (e.g., through the BIOS). | hide executing code | ||
| execute non-main CPU code | The 'execute non-main cpu code' Behavior executes some or all of the code of the malware instance on a secondary, non-CPU processor (e.g., a GPU). | hide executing code | ||
| execute stealthy code | The 'execute stealthy code' Behavior executes some or all of the code of the malware instance in a hidden manner (e.g., by injecting it into a benign process). | hide executing code | ||
| exfiltrate data via covert channel | The 'exfiltrate data via covert channel' Behavior exfiltrates data using a covert channel, such as a DNS tunnel or NTP. | data exfiltration | ||
| exfiltrate data via dumpster dive | The 'exfiltrate via dumpster dive' Behavior exfiltrates data via dumpster dive - i.e, encoded data printed by malware is viewed as garbage and thrown away to then be physically picked up. | data exfiltration | ||
| exfiltrate data via fax | The 'exfiltrate data via fax' Behavior exfiltrates data using a fax system. | data exfiltration | ||
| exfiltrate data via network | The 'exfiltrate data via network' Behavior exfiltrates data through the computer network connected to the system on which the malware instance is executing. | Common: network protocol | data exfiltration | |
| exfiltrate data via physical media | The 'exfiltrate data via physical media' Behavior exfiltrates data by writing it to physical media (e.g., to a USB flash drive). | data exfiltration | ||
| exfiltrate data via VoIP/phone | The 'exfiltrate data via VoIP/phone' Behavior behaviors exfiltrate data (encoded as audio) using a phone system, such as through voice over IP (VoIP). | data exfiltration | ||
| feed misinformation during physical memory acquisition | The 'feed misinformation during physical memory acquisition' Behavior reports inaccurate data when the contents of the physical memory of the system on which the malware instance is executing is retrieved. | anti-memory forensics | ||
| file system instantiation | Indicates that the malware instance instantiates itself on the file system of the machine that it is infecting, in one or more locations. | infection/propagation | ||
| fingerprint host | The 'fingerprint host' Behavior creates a unique fingerprint for the system on which the malware instance is executing, e.g., based on the applications that are installed on the system. | Common: applicable platform | environment awareness | |
| generate c2 domain name(s) | The 'generate c2 domain name(s)' Behavior generates the domain name of the command and control server to which it connects to. | determine c2 server | ||
| hide arbitrary virtual memory | The 'hide arbitrary virtual memory' Behavior hides arbitrary segments of virtual memory belonging to the malware instance in order to prevent their retrieval. | anti-memory forensics | ||
| hide data in other formats | The 'hide data in other formats' Behavior hides data that will be exfiltrated in other formats (e.g., image files). | Data Exfiltration: file type | data obfuscation | steganography |
| hide file system artifacts | The 'hide file system artifacts' Behavior hides one or more file system artifacts (e.g., files and/or directories) associated with the malware instance. | hide artifacts | ||
| hide kernel modules | The 'hide kernel modules' Behavior hides the usage of any kernel modules by the malware instance. | Common: applicable platform | hide executing code | |
| hide network traffic | The 'hide network traffic' Behavior hides network traffic associated with the malware instance. | hide artifacts | ||
| hide open network ports | The 'hide open network ports' Behavior hides one or more open network ports associated with the malware instance. | hide artifacts | ||
| hide processes | The 'hide processes' Behavior hides one or more of the processes in which the malware instance is executing. | hide executing code | ||
| hide registry artifacts | The 'hide registry artifacts' Behavior hides one or more Windows registry artifacts (e.g., keys and/or values) associated with the malware instance. | hide artifacts | ||
| hide services | The 'hide services' Behavior hides any system services that the malware instance creates or injects itself into. | hide executing code | ||
| hide threads | The 'hide threads' Behavior hides one or more threads that belong to the malware instance. | hide executing code | ||
| hide userspace libraries | The 'hide userspace libraries' Behavior hides the usage of userspace libraries by the malware instance. | hide executing code | ||
| identify file | The 'identify file' Behavior identifies one or more files on a local, removable, and/or network drive for infection. | Infection Propagation: targeted file type, Infection Propagation: targeted file architecture type | file infection | |
| identify OS | The 'identify os' Behavior identifies the operating system under which the malware instance is executing. | host configuration probing | ||
| identify target machines | The 'identify target machine(s)' Behavior identifies one or more machines to be targeted for infection via some remote means (e.g., via email or the network). | remote machine infection | find target machines, recon targets | |
| impersonate user | The 'impersonate user' Behavior impersonates another user in order to operate within a different security context. | Privilege Escalation: user privilege escalation type | privilege escalation | horizontal privilege escalation |
| install backdoor | The 'install backdoor' Behavior installs a backdoor on the system on which the malware instance is executing, capable of providing covert remote access to the system. | machine access/control | ||
| install legitimate software | The 'install legitimate software' Behavior install legitimate (i.e. non-malware) software on the same system on which the malware instance is executing. | install other components | ||
| install secondary malware | The 'install secondary malware' Behavior installs another, different malware instance on the system on which the malware instance is executing. | install other components | ||
| install secondary module | The 'install secondary module' Behavior installs a secondary module (typically related to the malware instance itself) on the same system on which the malware instance is executing. | install other components | ||
| intercept/manipulate network traffic | The 'intercept/manipulate network traffic' Behavior intercepts and/or manipulates network traffic going to or originating from the system on which the malware instance is executing. | data integrity violation | ||
| inventory security products | The 'inventory security products' Behavior creates an inventory of the security products installed or running on a system. | Common: applicable platform | security software degradation | |
| inventory system applications | The 'inventory system applications' Behavior inventories the applications installed on the system on which the malware instance is executing. | host configuration probing | ||
| inventory victims | The 'inventory victims' Behavior keeps an inventory of the victims that are remotely infected by the malware instance. | remote machine infection | ||
| limit application type/version | The 'limit application type/version' Behavior limits the type or version of an application that runs on a system in order to ensure that the malware instance is able to continue executing. | ensure compatibility | ||
| log activity | The 'log activity' Behavior logs the activity of the malware instance. | secondary operation | ||
| manipulate file system data | The 'manipulate file system data' Behavior manipulates data stored on the file system of the system on which the malware instance is executing in order to compromise its integrity. | data integrity violation | ||
| map local network | The 'map local network' Behavior maps the layout of the local network environment in which the malware instance is executing. | network environment probing | ||
| mine for cryptocurrency | The 'mine for cryptocurrency' Behavior consumes system resources for cryptocurrency (e.g., Bitcoin, Litecoin, etc.) mining. | Availability Violation: cryptocurrency type | consume system resources | |
| modify file | The 'modify file' Behavior modifies a file in some other manner than writing code to it, such as packing it (in terms of binary executable packing). | Infection Propagation: targeted file type, Infection Propagation: targeted file architecture type, Infection Propagation: file modification type | file infection | |
| modify security software configuration | The 'modify security software configuration' Behavior modifies the configuration of one or more instances of security software (e.g., anti-virus) running on a system in order to negatively impact their usefulness and ability to detect the malware instance. | Security Degradation: targeted program | security software degradation | |
| move data to staging server | The 'move data to staging server' Behavior moves data to be exfiltrated to a particular server, to prepare it for exfiltration. | data staging | ||
| obfuscate artifact properties | The 'obfuscate artifact properties' Behavior hides the properties of one or more artifacts associated with the malware instance (e.g., by altering file system timestamps). | Common: applicable platform | hide artifacts | timestomping |
| overload sandbox | The 'overload sandbox' Behavior overloads a sandbox (e.g., by generating a flood of meaningless behavioral data) | Anti-Behavioral Analysis: targeted sandbox | anti-sandbox | |
| package data | The 'package data' Behavior packages data for exfiltration, e.g., by adding it to an archive file. | Data Exfiltration: archive type | data staging | |
| persist after hardware changes | The 'persist after hardware changes' Behavior continues the execution of the malware instance after hardware changes to the system on which it is executing have been made, such as replacement of the hard drive on which the operating system was residing. | continuous execution | ||
| persist after os changes | The 'persist after os changes' Behavior continues the execution of the malware instance after the operating system under which it is executing is modified, such as being installed or reinstalled. | Common: applicable platform | continuous execution | |
| persist after system reboot | The 'persist after system reboot' Behavior continues the execution of the malware instance after a system reboot. | Common: applicable platform | continuous execution | |
| prevent API unhooking | The 'prevent api unhooking' Behavior prevent the API hooks installed by the malware instance from being removed. | prevent artifact deletion | ||
| prevent concurrent execution | Indicates that the malware checks to see if it is already running on a system, in order to prevent multiple instances of the malware running concurrently. | secondary operation | ||
| prevent debugging | The 'prevent debugging' Behavior prevents the execution of the malware instance in a debugger. | anti-debugging | ||
| prevent file access | The 'prevent file access' Behavior prevents access to the file system, including to specific files and/or directories associated with the malware instance. | prevent artifact access | ||
| prevent file deletion | The 'prevent file deletion' Behavior prevents files and/or directories associated with the malware instance from being deleted from a system. | prevent artifact deletion | ||
| prevent memory access | The 'prevent memory access' Behavior prevents access to system memory where the malware instance may be storing code or data. | prevent artifact access | ||
| prevent native API hooking | The 'prevent native api hooking' Behavior prevents other software from hooking native system APIs. | security software evasion | ||
| prevent physical memory acquisition | The 'prevent physical memory acquisition' Behavior prevents the contents of the physical memory of the system on which the malware instance is executing from being retrieved. | anti-memory forensics | ||
| prevent registry access | The 'prevent registry access' Behavior prevents access to the Windows registry, including to the entire registry and/or to particular registry keys/values. | prevent artifact access | ||
| prevent registry deletion | The 'prevent registry deletion' Behavior prevent Windows registry keys and/or values associated with the malware instance from being deleted from a system. | prevent artifact deletion | ||
| prevent security software from executing | The 'prevent security software from executing' Behavior prevents one or more instances of security software from executing on a system. | Security Degradation: targeted program | security software degradation | |
| re-instantiate self | The 're-instantiate self' Behavior re-establishes the malware instance on the system after it is initially detected and partially removed. | system re-infection | ||
| remove self | The 'remove self' Behavior removes the malware instance from the system on which it is executing. | clean traces of infection | ||
| remove SMS warning messages | The ‘remove SMS warning messages’ Behavior captures the message body of incoming SMS messages and aborts displaying messages that meets a certain criteria. | service provider security feature degradation | ||
| remove system artifacts | The 'remove system artifacts' Behavior removes artifacts associated with the malware instance (e.g., files, directories, Windows registry keys, etc.) from the system on which it is executing. | clean traces of infection | ||
| request email address list | The 'request email address list' Behavior requests the current list of email addresses, for sending email spam messages to, from the command and control server. | Common: network protocol | send data to c2 server | |
| request email template | The 'request email template' Behavior requests the current template, for use in generating email spam messages, from the command and control server. | Common: network protocol | send data to c2 server | |
| search for remote machines | The 'search for remote machines' Behavior searches for one or more remote machines to target. | machine access/control | ||
| send beacon | The 'send beacon' Behavior sends 'beacon' data to a command and control server, indicating that it is still active on the host system and able to communicate. | Command and Control: frequency, Command and Control: port number, Common: network protocol | send data to c2 server | heartbeat, send heartbeat data |
| send email message | The 'send email message' Behavior sends an email message from the system on which the malware instance is executing to one or more recipients, most commonly for the purpose of spamming. | Common: network protocol | email spam | |
| send system information | The 'send system information' Behavior sends data regarding the system on which it is executing to a command and control server. | Common: network protocol | send data to c2 server | |
| social-engineering based remote infection | The 'social-engineering based remote infection' Behavior infects remote machines via some method that involves social engineering (e.g., sending an email with a malicious attachment). | Infection Propagation: infection targeting | remote machine infection | |
| steal browser cache | The 'steal browser cache' Behavior steals a user's browser cache. | Data Theft: targeted application | user data theft | |
| steal browser cookies | The 'steal browser cookies' Behavior steals one or more browser cookies stored on the system on which the malware instance is executing. | authentication credentials theft | ||
| steal browser history | The 'steal browser history' Behavior steals a user's browser history. | user data theft | ||
| steal contact list data | The 'steal contact list data' Behavior steals a user's contact list. | user data theft | ||
| steal cryptocurrency data | The 'steal cryptocurrency data' Behavior steals cryptocurrency data that may be stored on a system (e.g., Bitcoin wallets). | stored information theft | ||
| steal database content | The 'steal database content' Behavior steals content from a database that the malware instance may be able to access. | stored information theft | ||
| steal dialed phone numbers | The 'steal dialed phone numbers' Behavior steals the list of phone numbers that a user has dialed (i.e. on a mobile device). | user data theft | ||
| steal digital certificates | The 'steal digital certificates' Behavior steals one or more digital private keys that may be present on the system on which the malware instance is executing, to then use to hijack the corresponding digital certificates, e.g., those used in public-key infrastructure (PKI). | authentication credentials theft | ||
| steal documents | The 'steal documents' Behavior steals document files (e.g., PDF) stored on a system. | stored information theft | ||
| steal email data | The 'steal email data' Behavior steals a user's email data. | Data Theft: targeted application, Data Theft: targeted website | user data theft | |
| steal images | The 'steal images' Behavior steals image files that may be stored on a system. | stored information theft | ||
| steal password hashes | The 'steal password hashes' Behavior steals password hashes. | authentication credentials theft | ||
| steal PKI key | The 'steal PKI key' Behavior steals one or more public key infrastructure (PKI) keys. | authentication credentials theft | ||
| steal referrer URLs | The 'steal referrer URLs' Behavior steals HTTP referrer information (URL of the webpage that linked to the resource being requested). | user data theft | ||
| steal serial numbers | The 'steal serial numbers' Behavior steals serial numbers stored on a system. | stored information theft | ||
| steal SMS database | The 'steal SMS database' Behavior steals a user's short message service (SMS) (text messaging) database (i.e. on a mobile device). | user data theft | ||
| steal web/network credential | The 'steal web/network credential' Behavior steals usernames, passwords, or other forms of web (e.g., for logging into a website) and/or network credentials. | Common: technique, Common: applicable platform | authentication credentials theft | |
| stop execution of security software | The 'stop execution of security program' Behavior stops the execution of one or more instances of security software that may already be executing on a system. | Common: applicable platform | security software degradation | |
| suicide exit | The 'suicide exit' Behavior terminates the execution of the malware instance based on some trigger condition or value. | Secondary Operation: trigger type | secondary operation | |
| test for firewall | The 'test for firewall' Behavior tests whether the network environment in which the malware instance is executing contains a hardware or software firewall. | network environment probing | ||
| test for internet connectivity | The 'test for internet connectivity' Behavior tests whether the network environment in which the malware instance is executing is connected to the internet. | network environment probing | ||
| test for network drives | The 'test for network drives' Behavior tests for network drives that may be present in the network environment in which the malware instance is executing. | network environment probing | ||
| test for proxy | The 'test for proxy' Behavior tests whether the network environment in which the malware instance is executing contains a hardware or software proxy. | network environment probing | ||
| test SMTP connection | The 'test smtp connection' Behavior tests whether an outgoing SMTP connection can be made from the system on which the malware instance is executing to some SMTP server, by sending a test SMTP transaction. | email spam | ||
| update configuration | The 'update configuration' Behavior updates the configuration of the malware instance using data received from a command and control server. | receive data from c2 server | ||
| validate data | The 'validate data' Behavior validates the integrity of data received from a command and control server. | receive data from c2 server | ||
| write code into file | The 'write code into file' Behavior writes code into one or more files. | Infection Propagation: targeted file type, Infection Propagation: targeted file architecture type, Infection Propagation: file infection type | file infection |
