From 3531eb02340681d1aed41b8c36ce94b9ed883719 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Tue, 30 Apr 2024 20:24:05 -0400
Subject: [PATCH] Code samples (#149)
* Update obfuscated-files-or-information.md
Added code sample with some proposed formatting incl. annotations explaining broad behavior patterns
* Update obfuscated-files-or-information.md
Added brief clarification to note
* Update obfuscated-files-or-information.md
Made requested changes to format
* Update system-information-discovery.md
Added code snippet from PoisonIvy RAT
* Update debugger-detection.md
Added code with example of PEB access
* Update system-information-discovery.md
Added new method based on code snippet
* Update registry.md
Added snippet for registry key query
* Update generate-pseudorandom-sequence.md
Added example of Mersenne Twister algorithm
* Update keylogging.md
Add Dark Comet keylogging code sample
* Update dns-communication.md
Added code sample from darkcomet
* Update socket-communication.md
Added DarkComet code snippet
* Update delete-file.md
Provided DarkComet sample
* Update file-and-directory-discovery.md
Added DarkComet snippet
* Update allocate-memory.md
Added DarkComet sample
* Update modulo.md
Added Hupigon snippet
* Update get-file-attributes.md
Added Hupigon sample
* Update application-window-discovery.md
Added Hupigon snippet
* Update create-process.md
Added Hupigon snippet.
* Update conditional-execution.md
Added Hupigon snippet
* Update create-thread.md
Added Hupigon snippet
* Update resume-thread.md
Added Hupigon snippet
* Update command-and-scripting-interpreter.md
Added SmokeLoader sample
* Update change-memory-protection.md
Added SmokeLoader snippet
* Update console.md
Added snippet from SmokeLoader
* Update dynamic-analysis-evasion.md
Added Industroyer sample
* Update interprocess-communication.md
Added CobaltStrike sample
* Update read-file.md
Added Cobalt Strike snippet
* Update writes-file.md
Added cobalt strike snippet
* Update noncryptographic-hash.md
Added emotet snippet
* Update clipboard-modification.md
Added emotet snippet
* Update check-mutex.md
Added emotet sampler
* Update check-mutex.md
Fixed typo
* Update create-mutex.md
Added Emotet snippet
* Update allocate-thread-local-storage.md
Added emotet snippet
* Update registry-run-keys-startup-folder.md
Added emotet snippet
* Update wininet.md
Added EnvyScout snippet
* Update http-communication.md
Added EnvyScout snippet
* Update enumerate-threads.md
Added Envyscout snippet
* Update set-thread-local-storage-value.md
Added Envyscout sample
* Update create-directory.md
Added explosive snippet
* Update delete-directory.md
Added explosive code snippet (note: the malware is called "explosive")
* Update set-file-attributes.md
Added explosive sample
* Update terminate-process.md
Added explosive snippet
* Update terminate-thread.md
Added explosive sample
* Update move-file.md
Added Finfisher snippet
* Update screen-capture.md
Added ECCENTRICBANDWAGON snippet
---
.../debugger-detection.md | 10 +++++
.../dynamic-analysis-evasion.md | 11 ++++++
collection/keylogging.md | 14 +++++++
collection/screen-capture.md | 22 +++++++++++
.../obfuscated-files-or-information.md | 30 ++++++++++++++
discovery/application-window-discovery.md | 15 +++++++
discovery/file-and-directory-discovery.md | 17 +++++++-
discovery/system-information-discovery.md | 13 +++++++
.../command-and-scripting-interpreter.md | 10 +++++
execution/conditional-execution.md | 25 ++++++++++++
impact/clipboard-modification.md | 38 ++++++++++++++++++
.../communication/dns-communication.md | 11 ++++++
.../communication/http-communication.md | 15 +++++++
.../interprocess-communication.md | 18 +++++++++
.../communication/socket-communication.md | 12 ++++++
micro-behaviors/communication/wininet.md | 39 +++++++++++++++++++
.../generate-pseudorandom-sequence.md | 37 ++++++++++++++++++
micro-behaviors/data/modulo.md | 10 +++++
micro-behaviors/data/noncryptographic-hash.md | 24 ++++++++++++
.../file-system/create-directory.md | 12 ++++++
.../file-system/delete-directory.md | 11 ++++++
micro-behaviors/file-system/delete-file.md | 14 +++++++
.../file-system/get-file-attributes.md | 19 +++++++++
micro-behaviors/file-system/move-file.md | 14 +++++++
micro-behaviors/file-system/read-file.md | 15 +++++++
.../file-system/set-file-attributes.md | 12 ++++++
micro-behaviors/file-system/writes-file.md | 15 +++++++
micro-behaviors/memory/allocate-memory.md | 14 +++++++
.../memory/change-memory-protection.md | 17 ++++++++
micro-behaviors/operating-system/console.md | 18 +++++++++
micro-behaviors/operating-system/registry.md | 15 +++++++
.../process/allocate-thread-local-storage.md | 10 +++++
micro-behaviors/process/check-mutex.md | 15 +++++++
micro-behaviors/process/create-mutex.md | 13 +++++++
micro-behaviors/process/create-process.md | 24 ++++++++++++
micro-behaviors/process/create-thread.md | 20 ++++++++++
micro-behaviors/process/enumerate-threads.md | 15 +++++++
micro-behaviors/process/resume-thread.md | 15 +++++++
.../process/set-thread-local-storage-value.md | 12 ++++++
micro-behaviors/process/terminate-process.md | 11 ++++++
micro-behaviors/process/terminate-thread.md | 12 ++++++
.../registry-run-keys-startup-folder.md | 31 +++++++++++++++
42 files changed, 724 insertions(+), 1 deletion(-)
diff --git a/anti-behavioral-analysis/debugger-detection.md b/anti-behavioral-analysis/debugger-detection.md
index 11aadff1..6304bc0c 100644
--- a/anti-behavioral-analysis/debugger-detection.md
+++ b/anti-behavioral-analysis/debugger-detection.md
@@ -145,6 +145,16 @@ Details on detecting debuggers can be found in the references.
|[antidebug_ntsetinformationthread](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_ntsetinformationthread.py)|Debugger Detection::NtSetInformationThread (B0001.014)|NtSetInformationThread|
|[antidebug_debugactiveprocess](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_debugactiveprocess.py)|Debugger Detection (B0001)|DebugActiveProcess|
+### B0001.019 Snippet
+
+ Anti-Behavioral Analysis::Debugger Detection::Process Environment Block
+SHA256: e33a713b96b45e2b2e0da350c0fdaaf865139607066aadff3b67b0ced82ca8bc
+Location: 0x1800270A2
+
+mov rax, qword ptr GS:[0x60] ; GS:[0x60] contains a pointer to the Windows Process Environment Block on 64-bit versions of Windows. This command is copying that pointer into the rax register.
+
+
+
## References
[1] S. Yosef,"RASPBERRY ROBIN: ANTI-EVASION HOW-TO & EXPLOIT ANALYSIS," https://research.checkpoint.com/, 18 Apr 2023. [Online]. Available: https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/.
diff --git a/anti-behavioral-analysis/dynamic-analysis-evasion.md b/anti-behavioral-analysis/dynamic-analysis-evasion.md
index 9974e6e4..bbd0d42c 100644
--- a/anti-behavioral-analysis/dynamic-analysis-evasion.md
+++ b/anti-behavioral-analysis/dynamic-analysis-evasion.md
@@ -85,6 +85,17 @@ The related **Virtualization/Sandbox Evasion ([T1497](https://attack.mitre.org/t
|[stealth_timeout](https://github.com/CAPESandbox/community/tree/master/modules/signatures/stealth_timeout.py)|Dynamic Analysis Evasion::Delayed Execution (B0003.003)|NtWaitForSingleObject, NtQuerySystemTime, NtTerminateProcess, GetLocalTime, NtDelayExecution, GetSystemTime, GetSystemTimeAsFileTime|
|[antisandbox_unhook](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antisandbox_unhook.py)|Dynamic Analysis Evasion (B0003)|--|
+### B0003.003 Snippet
+
+ Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed Execution
+SHA256: 21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561
+Location: 0x40103B
+
+push 0x36ee80 ; sleep duration: 3600000 milliseconds (1 hour)
+call dword ptr [->KERNEL32.DLL::Sleep] ; Windows API call instructing thread to sleep for the time period specified above
+
+
+
## References
[1] https://www.joesecurity.org/blog/4310408827727907098
diff --git a/collection/keylogging.md b/collection/keylogging.md
index 15a99fd9..049b8929 100644
--- a/collection/keylogging.md
+++ b/collection/keylogging.md
@@ -70,6 +70,20 @@ See ATT&CK: **Input Capture: Keylogging ([T1056.001](https://attack.mitre.org/te
|[infostealer_keylog](https://github.com/CAPESandbox/community/tree/master/modules/signatures/infostealer_keylog.py)|Keylogging::Application Hook (F0002.001)|SetWindowsHookExA, GetAsyncKeyState, SetWindowsHookExW|
|[browser_scanbox](https://github.com/CAPESandbox/community/tree/master/modules/signatures/browser_scanbox.py)|Keylogging (F0002)|JsEval, COleScript_ParseScriptText, COleScript_Compile|
+### F0002.002 Snippet
+
+ Collection::Keylogging::Polling
+SHA256: 000b535ab2a4fec86e2d8254f8ed65c6ebd37309ed68692c929f8f93a99233f6
+
+Location: 0x438af1
+
+push 0x11 ; provide argument for function call. In this case, 0x11 is the Windows keyboard code for indicating the 'CTRL' key
+call USER32.DLL::GetKeyState ; call function to get the state of the control key
+test ax, 0x8000 ; test to see what the previous function returned. In this case, we are seeing if the return value's high-order bit is a 1, which would mean the ctrl key is pressed
+setnz al ; if the previous condition is not met (the zero flag is 1), a 1 is stored in byte al
+
+
+
## References
[1] https://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml
diff --git a/collection/screen-capture.md b/collection/screen-capture.md
index 12e05bdb..0c9d7190 100644
--- a/collection/screen-capture.md
+++ b/collection/screen-capture.md
@@ -62,6 +62,28 @@ See ATT&CK: **Screen Capture ([T1113](https://attack.mitre.org/techniques/T1113/
|[poullight_files](https://github.com/CAPESandbox/community/tree/master/modules/signatures/poullight_files.py)|Screen Capture (E1113)|--|
|[captures_screenshot](https://github.com/CAPESandbox/community/tree/master/modules/signatures/captures_screenshot.py)|Screen Capture (E1113)|LdrGetProcedureAddress, NtCreateFile|
+### E1113.m01 Snippet
+
+ Collection::Screen Capture::WinAPI
+SHA256: c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec
+Location: 0x4036de
+
+push 0xcc0020 ; Raster operation code to copy the source rectangle directly onto the destination rectangle
+push 0x0 ; y-coordinate of upper left corner of source rectangle
+push 0x0 ; x-coordinate of upper left corner of source rectangle
+push dword ptr [esi] ; handle to source device
+push eax ; height of source/destination rectangles
+mov eax, dword ptr [esi + 0xc]
+sub eax, param_2
+sub param_2, ebx
+push eax ; width of source/destination rectangles
+push param_1 ; y-coordinate of upper left corner of destination rectangle
+push param_2 ; x-coordinate of upper left corner of destination rectangle
+push dword ptr [ebp + local_28] ; handle to destingation device
+call dword ptr [->GDI32.DLL::BitBlt] ; Windows API function to transfer a rectangle of pixels from one device to another
+
+
+
## References
[1] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
diff --git a/defense-evasion/obfuscated-files-or-information.md b/defense-evasion/obfuscated-files-or-information.md
index d664b06c..b5c80d3c 100644
--- a/defense-evasion/obfuscated-files-or-information.md
+++ b/defense-evasion/obfuscated-files-or-information.md
@@ -124,6 +124,36 @@ Instead of being listed alphabetically, methods have been grouped to better faci
|[cmdline_obfuscation](https://github.com/CAPESandbox/community/tree/master/modules/signatures/cmdline_obfuscation.py)|Obfuscated Files or Information (E1027)|--|
|[dotnet_code_compile](https://github.com/CAPESandbox/community/tree/master/modules/signatures/dotnet_code_compile.py)|Obfuscated Files or Information (E1027)|NtWriteFile, CreateProcessInternalA, NtCreateUserProcess, CreateProcessInternalW|
+### E1027.m02 Snippet
+
+ Obfuscated Files or Information::Encoding-Standard Algorithm
+SHA256: 5fb7f3fac0a9b9ab243ee642a0775500c524166ef075035c9510ccbab76ad633
+Location: 0x10001060
+
+mov eax, dword ptr [esi + 0x38]
+xor dword ptr [esi + 0xd0], eax
+mov eax, dword ptr [esi + 0xf0]
+add eax, 0xfff5b6c8
+add eax, ecx
+mov ecx, dword ptr [esi + 0x8c]
+add dword ptr [esi + 0xc0], eax
+mov eax, dword ptr [esi + 0x54]
+xor dword ptr [ecx + edx*0x1], eax ; perform encryption operation
+add edx, 0x4 ; adjust edx to next location to encrypt
+mov eax, dword ptr [esi + 0x90]
+add dword ptr [esi + 0x54], eax
+mov ecx, dword ptr [esi + 0xe8]
+mov eax, ecx
+xor eax, 0xa4937
+add dword ptr [esi + 0x68], eax
+mov eax, dword ptr [esi + 0xa4]
+xor eax, 0x4
+sub dword ptr [esi + 0x60], eax
+cmp edx, 0x36c8 ; perform comparison to check if all data encrypted
+jl lab_10001060 ; jump to first line of sample
+
+
+
## References
[1] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
diff --git a/discovery/application-window-discovery.md b/discovery/application-window-discovery.md
index f91038ad..88523384 100644
--- a/discovery/application-window-discovery.md
+++ b/discovery/application-window-discovery.md
@@ -57,6 +57,21 @@ Malware may attempt to gain information about the operating system and applicati
|---|---|---|
|[browser_needed](https://github.com/CAPESandbox/community/tree/master/modules/signatures/browser_needed.py)|Application Window Discovery (E1010)|FindWindowW, FindWindowExA, FindWindowExW, FindWindowA|
+### E1010 Snippet
+
+ Discovery::Application Window Discovery
+SHA256: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
+Location: 0x455A5D
+
+push 0x100 ; Maximum number of characters to get from window title, including trailing string terminator (in this case, 256).
+lea param_1, [esp + 0x4]
+push param_1 ; Buffer for receiving text from window
+mov param_1, dword ptr [ebx + 0x30]
+push param_1 ; Handle to window containing text
+call USER32.DLL::GetWindowTextA ; Function call to fetch specified window title
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
diff --git a/discovery/file-and-directory-discovery.md b/discovery/file-and-directory-discovery.md
index 38111ce0..179b49fa 100644
--- a/discovery/file-and-directory-discovery.md
+++ b/discovery/file-and-directory-discovery.md
@@ -98,6 +98,21 @@ Malware may enumerate files and directories or may search for specific files or
|[antisandbox_sunbelt_files](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antisandbox_sunbelt_files.py)|File and Directory Discovery (E1083)|--|
|[antianalysis_detectfile](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antianalysis_detectfile.py)|File and Directory Discovery (E1083)|--|
+### E1083 Snippet
+
+ Discovery::File and Directory Discovery
+SHA256: 000b535ab2a4fec86e2d8254f8ed65c6ebd37309ed68692c929f8f93a99233f6
+Location: 0x409A62
+
+push eax ; argument to function containing file path to search
+call KERNEL32.DLL::GetFileAttributesA ; Function to retrieve file attributes for file path indicated by eax
+cmp eax, -0x1 ; Test if function returned an error
+jz lab_00409a71 ; If the function failed (the file's attributes were not retrieved and the return value is -1), jump to the specified address to continue execution
+test al, 0x10 ; Test the lower 8 bits of the return value to check if the file is a directory
+jnz lab_00409a75 ; If the returned result is not a directory, jump to the specified address to continue execution
+
+
+
## References
[1] https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/
@@ -112,4 +127,4 @@ Malware may enumerate files and directories or may search for specific files or
[6] capa v4.0, analyzed at MITRE on 10/12/2022
-[7] https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/
\ No newline at end of file
+[7] https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/
diff --git a/discovery/system-information-discovery.md b/discovery/system-information-discovery.md
index f32be5c1..e7056965 100644
--- a/discovery/system-information-discovery.md
+++ b/discovery/system-information-discovery.md
@@ -37,6 +37,7 @@ See ATT&CK: **System Information Discovery ([T1082](https://attack.mitre.org/tec
|Name|ID|Description|
|---|---|---|
|**Generate Windows Exception**|E1082.m01|Malware may trigger an exception as a way of gathering system details.|
+|**Enumerate Environment Variables**|E1082.m02|Malware may query environmental variables as a way of gathering system details.|
## Use in Malware
@@ -101,6 +102,18 @@ See ATT&CK: **System Information Discovery ([T1082](https://attack.mitre.org/tec
|[browser_scanbox](https://github.com/CAPESandbox/community/tree/master/modules/signatures/browser_scanbox.py)|System Information Discovery (E1082)|JsEval, COleScript_ParseScriptText, COleScript_Compile|
|[recon_fingerprint](https://github.com/CAPESandbox/community/tree/master/modules/signatures/recon_fingerprint.py)|System Information Discovery (E1082)|--|
+### E1082.m02 Snippet
+
+ System Information Discovery
+SHA256: e4b36a1d4e70d988efa2ec27e5a639be5eb0880474f746851c13e56f007a8377
+Location: 0x004017e9
+
+push eax ; push register to store return value onto the stack
+push u_ALLUSERSPROFILE_0041a9a4 ; push argument to function (name of the sought environment variable - in this case, ALLUSERSPROFILE)
+call dword ptr [->KERNEL32.DLL::GetEnvironmentVariableW] ; call function to get environment variable value
+
+
+
## References
[1] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279
diff --git a/execution/command-and-scripting-interpreter.md b/execution/command-and-scripting-interpreter.md
index 0569d42e..f143084a 100644
--- a/execution/command-and-scripting-interpreter.md
+++ b/execution/command-and-scripting-interpreter.md
@@ -113,6 +113,16 @@ See ATT&CK: **Command and Scripting Interpreter ([T1059](https://attack.mitre.or
|[script_network_activity](https://github.com/CAPESandbox/community/tree/master/modules/signatures/script_network_activity.py)|Command and Scripting Interpreter (E1059)|URLDownloadToFileW, HttpOpenRequestW, send, WSAConnect, InternetCrackUrlW, InternetCrackUrlA, SslEncryptPacket, InternetReadFile|
|[suspicious_js_script](https://github.com/CAPESandbox/community/tree/master/modules/signatures/suspicious_js_script.py)|Command and Scripting Interpreter (E1059)|JsEval, COleScript_ParseScriptText|
+### E1059 Snippet
+
+ Execution::Command and Scripting Interpreter
+SHA256: 905b9db8cf5a3001318b28ee5dc674f8f65ca1e4306aab9e331b3bba24e7b8a8
+Location: 0x41B7A6
+
+call dword ptr [->KERNEL32.DLL::GetCommandLineW]
+
+
+
## References
[1] https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy
diff --git a/execution/conditional-execution.md b/execution/conditional-execution.md
index 70be472d..d21a232e 100644
--- a/execution/conditional-execution.md
+++ b/execution/conditional-execution.md
@@ -70,6 +70,31 @@ Some aspects of this Conditional Execution behavior are related to the [Executio
|---|---|---|
|[run as service](https://github.com/mandiant/capa-rules/blob/master/host-interaction/service/run-as-service.yml)|Conditional Execution::Runs as Service (B0025.007)|RegisterServiceCtrlHandler, RegisterServiceCtrlHandlerEx, StartServiceCtrlDispatcher, System.ServiceProcess.ServiceBase::Run|
+### B0025.007 Snippet
+
+ Execution::Conditional Execution::Runs as Service
+SHA256: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
+Location: 0x4596BC
+
+push 0x0 ; Optional password to account running the service. Not needed for services running as LocalService
+push 0x0 ; Name of account under which to run the service. If null, use the LocalService account
+push 0x0 ; Optional list of dependencies required for the service to run
+push 0x0 ; Optional variable for tag depending on value of next parameter. If null, accept the value provided by that parameter.
+push 0x0 ; Optional load order group for the service. This service does not belong to a group
+mov param_1, dword ptr [ebp + local_8]
+call FUN_00404dfc ; Get path of binary for service to run and any arguments
+push param_1 ; Push to stack
+push 0x0 ; What to do if there is an error -- in this case, ignore it
+push 0x2 ; How to start service -- in this case, during system startup
+push 0x110 ; Service type -- in this case, service is its own process and is capable of interacting with desktop
+push 0xf01ff ; Desired access rights for service -- in this case, all rights
+push edi ; Display name for service
+push esi ; Name of service to install
+push ebx ; Handle to service control manager database
+call ADVAPI32.DLL::CreateServiceA ; Create service
+
+
+
## References
[1] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/
diff --git a/impact/clipboard-modification.md b/impact/clipboard-modification.md
index 7e544982..f16ba82e 100644
--- a/impact/clipboard-modification.md
+++ b/impact/clipboard-modification.md
@@ -56,6 +56,44 @@ After E1510 was defined, T1510 was replaced by T1641.001, and Clipboard Data (
+ Impact::Clipboard Modification
+SHA256: 0b8e662e7e595ef56396a298c367b74721d66591d856e8a8241fcdd60d08373c
+Location: 0x402C0F
+
+push 0x0 ; associate clipboard with current task
+call dword ptr [->USER32.DLL::OpenClipboard] ; call function to open clipboard
+test eax, eax ; test if the clipboard open returned 0
+jz LAB_00402c70 ; if the clipboard open operation returned 0 (failed), jump to another instruction and execute from that point
+call dword ptr [->USER32.DLL::EmptyClipboard] ; call function to empty the clipboard
+lea eax, [esi * 0x2 + 0x2]
+push eax ; Number of bytes of heap memory to allocate
+push 0x2042 ; Memory allocation attributes. Notably, 0x2000 is deprecated and only intended for use with 16-bit Windows and will be ignored, so the actual argument is 0x0042, which allocates moveable memory and initializes the contents to zero
+call dword ptr [->KERNEL32.DLL::GlobalAlloc] ; Allocates heap memory
+mov esi, eax ; store pointer to allocated memory in esi
+test esi, esi ; test to see if NULL (0) returned, indicating an error with allocation
+jz LAB_00402c6a ; if error occurred, jump to memory address and begin execution there
+push esi ; pass newly-allocated memory to lock function
+call dword ptr [->KERNEL32.DLL::GlobalLock] ; lock the allocated heap memory
+test eax, eax ; test to see if lock returned NULL (0), indicating an error occurred
+jz LAB_00402c6a ; if an error occurred, jump to memory address and begin execution there
+push dword ptr [esp + local_26c] ; number of characters that can be stored in the provided buffer
+push eax ; buffer that will hold converted string
+push -0x1 ; size of the string to process. -1 indicates that the input ends with a null-terminating character, so to process up through that point
+push edi ; pointer to string to convert
+push 0x0 ; conversion type flags (must be 0 for UTF-8)
+push 0xfde9 ; code to use for conversion. In this case, 65001 indicates UTF-8
+call dword ptr [->KERNEL32.DLL::MultiByteToWideChar] ; call function to map string from UTF-8 to UTF-16
+push esi ; pointer to heap memory to unlock
+call dword ptr [->KERNEL32.DLL::GlobalUnlock] ; call function to unlock heap memory
+push esi ; handle to heap memory that will be written to clipboard
+push 0xd ; type of data to write (0xd indicates unicode)
+call dword ptr [->USER32.DLL::SetClipboardData] ; call function to write data to clipboard
+call dword ptr [->USER32.DLL::CloseClipboard] ; close the clipboard
+
+
+
## References
[1] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking
diff --git a/micro-behaviors/communication/dns-communication.md b/micro-behaviors/communication/dns-communication.md
index d7077f9f..b7d6ddc2 100644
--- a/micro-behaviors/communication/dns-communication.md
+++ b/micro-behaviors/communication/dns-communication.md
@@ -65,6 +65,17 @@ The DNS Communication micro-behavior focuses on DNS communication.
|[network_dns_doh_tls](https://github.com/CAPESandbox/community/tree/master/modules/signatures/network_dns_doh_tls.py)|DNS Communication (C0011)|--|
|[network_dga](https://github.com/CAPESandbox/community/tree/master/modules/signatures/network_dga.py)|DNS Communication (C0011)|--|
+### C0011.001 Snippet
+
+ Communication::DNS Communication::Resolve
+SHA256: 000b535ab2a4fec86e2d8254f8ed65c6ebd37309ed68692c929f8f93a99233f6
+Location: 0x472CD3
+
+push ebx ; hostname to perform DNS lookup for
+call WSOCK32.DLL::gethostbyname ; Windows function which will retrieve an object representing the specified host
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
diff --git a/micro-behaviors/communication/http-communication.md b/micro-behaviors/communication/http-communication.md
index 0d9dabf9..20994cb2 100644
--- a/micro-behaviors/communication/http-communication.md
+++ b/micro-behaviors/communication/http-communication.md
@@ -120,6 +120,21 @@ Instead of being listed alphabetically, methods have been grouped to better faci
|[downloads_from_filehosting](https://github.com/CAPESandbox/community/tree/master/modules/signatures/downloads_from_filehosting.py)|HTTP Communication (C0002)|WinHttpOpenRequest, InternetOpenUrlA|
|[purplewave_network_activity](https://github.com/CAPESandbox/community/tree/master/modules/signatures/purplewave_network_activity.py)|HTTP Communication (C0002)|InternetOpenW, HttpOpenRequestW, HttpSendRequestW, HttpAddRequestHeadersA|
+### C0002.017 Snippet
+
+ Communication::HTTP Communication::Get Response
+SHA256: 3ac8c22eb7c59d35fe49c20f2a0eca06765543dfb15f455a5557af4428066641
+Location: 0x180001380
+
+mov param_2, ebx
+lea r9, [rsp + 0x44] ; where to store the number of bytes read
+add param_2, r14 ; pointer to buffer to receive HTTP data
+mov param_3, 0x400 ; number of bytes to read (1024)
+mov param_1, rsi ; handle to previously opened HTTP request
+call qword ptr [->WININET::InternetReadFile] ; Windows API for reading data from HTTP or FTP connections
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
diff --git a/micro-behaviors/communication/interprocess-communication.md b/micro-behaviors/communication/interprocess-communication.md
index a680e4d4..e4193392 100644
--- a/micro-behaviors/communication/interprocess-communication.md
+++ b/micro-behaviors/communication/interprocess-communication.md
@@ -64,6 +64,24 @@ The Interprocess Communication micro-behavior focuses on interprocess communicat
|[ipc_namedpipe](https://github.com/CAPESandbox/community/tree/master/modules/signatures/ipc_namedpipe.py)|Interprocess Communication (C0003)|NtReadFile, NtCreateNamedPipeFile, NtWriteFile|
|[ipc_namedpipe](https://github.com/CAPESandbox/community/tree/master/modules/signatures/ipc_namedpipe.py)|Interprocess Communication::Create Pipe (C0003.001)|NtReadFile, NtCreateNamedPipeFile, NtWriteFile|
+### C0003.002 Snippet
+
+ Communication::Interprocess Communication::Connect Pipe
+SHA256: e5897829835f3e9fbab71674ca06f48ff127ec014d1629817f0566203c93b732
+Location: 0x40167C
+
+call qword ptr [->KERNEL32.DLL::CreateNamedPipeA] ; stores return value in rax
+mov r12, rax ; r12 now contains a handle to the named pipe
+lea rax, [rax + -0x1]
+cmp rax, -0x3
+ja LAB_004016dc
+xor param_2, param_2 ; set value to zeroes. param_2 is edx, which is sometimes used to hold the second argument to a function
+mov param_1, r12 ; param_1 is rcx, which is sometimes used to hold the first argument to a function. r12 contains the return value from KERNEL32.DLL::CreateNamedPipeA (see earlier mov instruction)
+lea rdi, [rsp + 0x4c]
+call qword ptr [->KERNEL32.DLL::ConnectNamedPipe] ; takes param_1 and param_2 as arguments. Return value stored in rax.
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
diff --git a/micro-behaviors/communication/socket-communication.md b/micro-behaviors/communication/socket-communication.md
index d442bfab..97a20a99 100644
--- a/micro-behaviors/communication/socket-communication.md
+++ b/micro-behaviors/communication/socket-communication.md
@@ -90,6 +90,18 @@ Instead of being listed alphabetically, methods have been grouped to better faci
|[obliquerat_network_activity](https://github.com/CAPESandbox/community/tree/master/modules/signatures/obliquerat_network_activity.py)|Socket Communication (C0001)|send|
|[network_bind](https://github.com/CAPESandbox/community/tree/master/modules/signatures/network_bind.py)|Socket Communication (C0001)|listen, bind|
+### C0001.009 Snippet
+
+ Communication::Socket Communication::Initialize Winsock Library
+SHA256: 000b535ab2a4fec86e2d8254f8ed65c6ebd37309ed68692c929f8f93a99233f6
+Location: 0x472C92
+
+push eax ; pointer to WSADATA structure that the call to start Winsock will populate with the Windows socket data
+push 0x101 ; highest version of Winsock permitted for use in this application -- in this case, version 1.1 (major version in lowest-order byte, minor version in highest-order byte)
+call WSOCK.DLL::WSAStartup ; Initiate the Winsock DLL
+
+
+
## References
[1] https://www.mandiant.com/resources/synful-knock-acis
diff --git a/micro-behaviors/communication/wininet.md b/micro-behaviors/communication/wininet.md
index d1f61812..c1a2c715 100644
--- a/micro-behaviors/communication/wininet.md
+++ b/micro-behaviors/communication/wininet.md
@@ -48,6 +48,45 @@ The methods below are those of most interest in malware analysis. Details can be
|---|---|---|
|[nemty_network_activity](https://github.com/CAPESandbox/community/tree/master/modules/signatures/nemty_network_activity.py)|WinINet (C0005)|InternetOpenA, InternetOpenUrlA|
+### C0005.001 Snippet
+
+ Communication::WinINet::InternetConnect
+SHA256: 3ac8c22eb7c59d35fe49c20f2a0eca06765543dfb15f455a5557af4428066641
+Location: 0x1800010b2
+
+call qword ptr [->WININET.DLL::InternetOpenA] ; Open a connection to the Internet and return the handle into rax
+mov rbp, rax ; store the handle in rbp
+test rax, rax
+jz LAB_1800013de
+mov param_1, 0x17
+call thunk_FUN_180004114
+mov r10, rax
+mov rdi, rax
+xor eax, eax
+mov param_1, 0x17
+stosb.rep rdi
+mov rdi, r10
+mov param_2, rbx
+nop dword ptr [rax]
+nop word ptr [rax + rax*0x1]
+movzx param_1, byte ptr [param_2 + rsi*offset DAT_18001ea00] ; first instruction in loop
+add param_2, 0x3 ; increase loop variable
+mov byte ptr [rdi], param_1
+lea rdi, [rdi + 0x1]
+cmp param_2, 0x42 ; test for loop end
+jl LAB_1800010f0 ; jump to beginning of loop
+movzx param_3, word ptr [DAT_18001ea44] ; TCP/IP port to connect to. DAT_18001ea44 contains 443, so this connection will occur on the default HTTPS port
+xor r9d, r9d ; name of user (if FTP connection), or NULL
+mov qword ptr [rsp + local_390], rbx ; pointer to application context for the returned handle to the internet connection
+mov param_2, r10 ; pointer to host name for internet server
+mov dword ptr [rsp + local_398], ebx ; pointer to flags specific for service used
+mov param_1, rbp ; handle to the internet connection established earlier
+mov dword ptr [rsp + local_3a0], 0x3 ; service type to access (0x3 indicates use of HTTP)
+mov qword ptr [rsp + local_3a8], rbx ; password for FTP (if needed)
+call qword ptr [->WININET.DLL::InternetConnectA] ; Windows API function to initiate an HTTP connection
+
+
+
## References
[1] https://docs.microsoft.com/en-us/windows/win32/wininet/wininet-functions
diff --git a/micro-behaviors/cryptography/generate-pseudorandom-sequence.md b/micro-behaviors/cryptography/generate-pseudorandom-sequence.md
index 925ee27a..16e7441e 100644
--- a/micro-behaviors/cryptography/generate-pseudorandom-sequence.md
+++ b/micro-behaviors/cryptography/generate-pseudorandom-sequence.md
@@ -55,6 +55,43 @@ The Generate Pseudo-random Sequence micro-behavior can be used for a number of p
|[generate random numbers via RtlGenRandom](https://github.com/mandiant/capa-rules/blob/master/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml)|Generate Pseudo-random Sequence::Use API (C0021.003)|SystemFunction036|
|[generate random numbers using a Mersenne Twister](https://github.com/mandiant/capa-rules/blob/master/data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml)|Generate Pseudo-random Sequence (C0021)|--|
+### C0021 Snippet
+
+ Cryptography::Generate Pseudo-random Sequence
+SHA256: 192cdcbdec8bdebb7cae89037d6004b4aff2b8264c35a3875fa2d6db104437ca
+Location: 0x40B120
+
+mov eax, [DAT_00423174] ; set up the array of values used for the twister
+mov ecx, dword ptr [eax*0x4 + DAT_004227b0]
+mov dword ptr [EBP + local_8], ecx
+mov edx, dword ptr [DAT_00423174]
+add edx, 0x1
+mov dword ptr [DAT_OO423174], edx
+mov eax, dword ptr [ebp + local_8] ; set up by taking x (value in series to start the transform, stored at the memory address [ebp + local_8] in this case
+shr eax, 0xb ; shift x right by 11
+xor eax, dword ptr [ebp + local_8] ; xor the result of the previous operation with the old value of x. The eax register now contains intermediate value y
+mov dword ptr [ebp + local_8], eax ; store the value of y
+mov ecx, dword ptr [ebp + local_8] ; ecx now contains y
+shl ecx, 0x7 ; shift y left by 7
+and ecx, 0x9d2c5680 ; perform a bitwise and against a known constant bitmask (this value is specified in the transform equation)
+xor ecx, dword ptr [ebp + local_8] ; xor the output of the previous two instructions with the old value of y to produce y1 (still an intermediate value)
+mov dword ptr [ebp + local_8], ecx ; store y1
+mov edx, dword ptr [ebp + local_8] ; load y1 into edx to start the third part of the transform
+shl edx, 0xf ; shift y1 left by 15
+and edx, 0xefc60000 ; take y1 and perform a bitwise and operation with another constant
+xor edx, dword ptr [ebp + local_8] ; xor the output from the previous two instructions with the value of y1 stored earlier
+mov dword ptr [ebp + local_8], edx ; save this new intermediate y-value (y2)
+mov eax, dword ptr [ebp + local_8] ; load y2 into eax to start the final portion of the transform and produce the output
+shr eax, 0x12 ; shift y2 right by 18
+xor eax, dword ptr [ebp + local_8] ; xor the output from the previous instruction with the value of y2 stored earlier
+mov dword ptr [ebp + local_8], eax ; store the z-value (final output)
+mov eax, dword ptr [ebp + local_8] ; load the z-value into eax to return it
+mov esp, ebp ; move the stack pointer to the frame pointer
+pop ebp ; pop the current frame off the stack
+ret ; return from the function
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
diff --git a/micro-behaviors/data/modulo.md b/micro-behaviors/data/modulo.md
index cd2e9373..d07b4de2 100644
--- a/micro-behaviors/data/modulo.md
+++ b/micro-behaviors/data/modulo.md
@@ -35,3 +35,13 @@ Malware calculates a modulo value.
|Tool: capa|Mapping|APIs|
|---|---|---|
|[calculate modulo 256 via x86 assembly](https://github.com/mandiant/capa-rules/blob/master/lib/calculate-modulo-256-via-x86-assembly.yml)|Modulo (C0058)|--|
+
+### C0058 Snippet
+
+ Data::Modulo
+SHA256: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
+Location: 0x403135
+
+and param_3, 0xff ; Taking the bitwise AND of any number x with a number equivalent to (2^n - 1) where n is a whole number is congruent to taking x % 2^n. In this case, x = param_3 and 0xff = 255 which satisfies (2^n - 1) for n = 8.
+
+
diff --git a/micro-behaviors/data/noncryptographic-hash.md b/micro-behaviors/data/noncryptographic-hash.md
index a8915886..29c935d8 100644
--- a/micro-behaviors/data/noncryptographic-hash.md
+++ b/micro-behaviors/data/noncryptographic-hash.md
@@ -48,3 +48,27 @@ Malware may use a non-cryptographic hash.
|[hash data using murmur3](https://github.com/mandiant/capa-rules/blob/master/data-manipulation/hashing/murmur/hash-data-using-murmur3.yml)|Non-Cryptographic Hash::MurmurHash (C0030.001)|--|
|[hash data using fnv](https://github.com/mandiant/capa-rules/blob/master/data-manipulation/hashing/fnv/hash-data-using-fnv.yml)|Non-Cryptographic Hash::FNV (C0030.005)|_allmul|
|[hash data using djb2](https://github.com/mandiant/capa-rules/blob/master/data-manipulation/hashing/djb2/hash-data-using-djb2.yml)|Non-Cryptographic Hash::djb2 (C0030.006)|--|
+
+
+### C0030.005 Snippet
+
+ Data::Non-Cryptographic Hash::FNV
+SHA256: 0b8e662e7e595ef56396a298c367b74721d66591d856e8a8241fcdd60d08373c
+Location: 0x403454
+
+mov esi, dword ptr [ebp + param_2] ; set number of bytes to hash
+mov edx, 0x811c9dc5 ; store FNV offset constant. The constants used in this snippet are the constants used for a 32-bit/4 byte message.
+push edi ; save the value of edi on the stack
+mov edi, dword ptr [ebp + param_1] ; first byte to hash
+mov ecx, 0x0 ; initialize counter
+sub esi, edi ; obtain the offset between first and last bytes to hash
+jz LAB_00403481 ; if the first and last bytes of the hash are the same, execute elsewhere and don't perform the hashing operation.
+nop dword ptr [eax]
+movzx eax, byte ptr [ecx + edi*0x1] ; move the byte to hash into the accumulator
+inc ecx ; increment the counter
+xor eax, edx ; xor the new value in the accumulator with the rest of the hash (for first xor, this will be the offset constant set earlier) and store the result in the accumulator. The xor occurring before the multiplication indicates that this is the FNV-1a variant of the algorithm
+imul edx, eax, 0x1000193 ; multiply the accumulator by the prime constant and store in edx for xor operation in next iteration
+cmp ecx, esi ; check if counter has reached offset (hashed last byte)
+jc LAB_00403470 ; if the counter has not yet reached the offset, jump back to the movzx instruction above
+
+
diff --git a/micro-behaviors/file-system/create-directory.md b/micro-behaviors/file-system/create-directory.md
index 1da7ace8..35d1c960 100644
--- a/micro-behaviors/file-system/create-directory.md
+++ b/micro-behaviors/file-system/create-directory.md
@@ -52,6 +52,18 @@ Malware creates a directory.
|---|---|---|
|[arkei_files](https://github.com/CAPESandbox/community/tree/master/modules/signatures/arkei_files.py)|Create Directory (C0046)|--|
+### C0046 Snippet
+
+ File System::Create Directory
+SHA256: 27253651170386863b148afb2a0fdda7780ae65cbc31405acbd99fa06b44b79f
+Location: 0x1400036d4
+
+xor param_2, param_2 ; use default security attributes (param_2 is NULL)
+mov param_1, rbp ; use contents of rbp as directory name
+call qword ptr [->KERNEL32.DLL::CreateDirectoryA] ; call Windows API to create directory
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
diff --git a/micro-behaviors/file-system/delete-directory.md b/micro-behaviors/file-system/delete-directory.md
index dfdf3ff0..8344dead 100644
--- a/micro-behaviors/file-system/delete-directory.md
+++ b/micro-behaviors/file-system/delete-directory.md
@@ -44,6 +44,17 @@ Malware deletes a directory.
|---|---|---|
|[delete directory](https://github.com/mandiant/capa-rules/blob/master/host-interaction/file-system/delete/delete-directory.yml)|Delete Directory (C0048)|RemoveDirectory, RemoveDirectoryTransacted, _rmdir, _wrmdir, System.IO.DirectoryInfo::Delete, System.IO.Directory::Delete|
+### C0048 Snippet
+
+ File System::Delete Directory
+SHA256: 27253651170386863b148afb2a0fdda7780ae65cbc31405acbd99fa06b44b79f
+Location: 0x140002204
+
+mov param_1, rdi ; store name of directory to remove
+call qword ptr [->KERNEL32.DLL::RemoveDirectoryA] ; call Windows API function to remove directory
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
diff --git a/micro-behaviors/file-system/delete-file.md b/micro-behaviors/file-system/delete-file.md
index 8aff2e32..30a01287 100644
--- a/micro-behaviors/file-system/delete-file.md
+++ b/micro-behaviors/file-system/delete-file.md
@@ -63,6 +63,20 @@ Malware deletes a file.
|[anomalous_deletefile](https://github.com/CAPESandbox/community/tree/master/modules/signatures/anomalous_deletefile.py)|Delete File (C0047)|NtDeleteFile, DeleteFileW, DeleteFileA|
|[deletes_self](https://github.com/CAPESandbox/community/tree/master/modules/signatures/deletes_self.py)|Delete File (C0047)|NtDeleteFile, DeleteFileW, DeleteFileA, MoveFileWithProgressW, MoveFileWithProgressTransactedW|
+### C0047 Snippet
+
+ File System::Delete File
+SHA256: 000b535ab2a4fec86e2d8254f8ed65c6ebd37309ed68692c929f8f93a99233f6
+Location: 0x409BB1
+
+call FUN_00404E80 ; generate file name to delete and store in eax
+push eax ; use the name generated by the previous function as an argument to the next function call
+call KERNEL32.DLL::DeleteFileA ; delete the file
+cmp eax, 0x1 ; if the file was successfully deleted, the previous function call will return a 1 into eax
+sbb eax, eax ; isolate the carry flag from the previous comparison. This will only be 1 if the previous command failed, otherwise it will be 0.
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
diff --git a/micro-behaviors/file-system/get-file-attributes.md b/micro-behaviors/file-system/get-file-attributes.md
index 3b0ea50b..0f20289e 100644
--- a/micro-behaviors/file-system/get-file-attributes.md
+++ b/micro-behaviors/file-system/get-file-attributes.md
@@ -47,6 +47,25 @@ Malware gets file attributes.
|---|---|---|
|[get file attributes](https://github.com/mandiant/capa-rules/blob/master/host-interaction/file-system/meta/get-file-attributes.yml)|Get File Attributes (C0049)|kernel32.GetFileAttributes, ZwQueryDirectoryFile, ZwQueryInformationFile, NtQueryDirectoryFile, NtQueryInformationFile, System.IO.File::GetAttributes, System.IO.File::GetCreationTime, System.IO.File::GetCreationTimeUtc, System.IO.File::GetLastAccessTime, System.IO.File::GetLastAccessTimeUtc, System.IO.File::GetLastWriteTime, System.IO.File::GetLastWriteTimeUtc|
+### C0049 Snippet
+
+ File System::Get File Attributes
+SHA256: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
+Location: 0x4094B0
+
+push ebx ; Name of file to get attributes for
+mov ebx, param_1
+mov param_1, ebx
+call FUN_00404DFC
+push param_1 ; Return value for function call
+call KERNEL32.DLL::GetFileAttributesA ; Call Windows API for file deletion
+cmp param_1, -0x1 ; Test if the return value indicates an error
+jz LAB_004094C9 ; If the function returned an error, go to this address to continue execution
+test param_1, 0x10 ; Test to see if the file queried is a directory
+jnz LAB_004094CD ; If the file is not a directory, continue execution from this address
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
diff --git a/micro-behaviors/file-system/move-file.md b/micro-behaviors/file-system/move-file.md
index 15062203..82fb9cd6 100644
--- a/micro-behaviors/file-system/move-file.md
+++ b/micro-behaviors/file-system/move-file.md
@@ -51,6 +51,20 @@ Malware moves a file.
|---|---|---|
|[move_file_on_reboot](https://github.com/CAPESandbox/community/tree/master/modules/signatures/move_file_on_reboot.py)|Move File (C0063)|MoveFileWithProgressTransactedA, MoveFileWithProgressTransactedW|
+### C0063 Snippet
+
+ File System::Move File
+SHA256: bb8c0e477512adab1db26eb77fe10dadbc5dcbf8e94569061c7199ca4626a420
+Location: 0x41a61d
+
+push 0x4 ; option to delay move until the next reboot
+push edi ; new name for the moved file
+lea eax, [ebp + 0xffffefc4]
+push eax ; name of the file to be moved
+call dword ptr [->KERNEL32.DLL::MoveFileExW] ; Windows API function to move the file from one name to another
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
diff --git a/micro-behaviors/file-system/read-file.md b/micro-behaviors/file-system/read-file.md
index bf1c3414..2289c0e5 100644
--- a/micro-behaviors/file-system/read-file.md
+++ b/micro-behaviors/file-system/read-file.md
@@ -67,6 +67,21 @@ Malware reads a file.
|[infostealer_browser](https://github.com/CAPESandbox/community/tree/master/modules/signatures/infostealer_browser.py)|Read File (C0051)|NtReadFile, CopyFileA, CopyFileExW, CopyFileW|
|[antianalysis_detectfile](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antianalysis_detectfile.py)|Read File (C0051)|--|
+### C0051 Snippet
+
+ File System::Read File
+SHA256: e5897829835f3e9fbab71674ca06f48ff127ec014d1629817f0566203c93b732
+Location: 0x401762
+
+mov r9, rdi ; variable that will hold number of bytes actually read from file
+mov r8d, ebx ; number of bytes to read
+mov param_2, rsi ; pointer to buffer that will hold content read from file
+mov param_1, r12 ; handle to the device/file to read from
+mov qword ptr [rsp + local_58], 0x0 ; optional pointer to OVERLAPPED structure (in this case, it is NULL)
+call qword ptr [->KERNEL32.DLL::ReadFile] ; API call to read file specified in param_1
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
diff --git a/micro-behaviors/file-system/set-file-attributes.md b/micro-behaviors/file-system/set-file-attributes.md
index 91201645..2b1c405a 100644
--- a/micro-behaviors/file-system/set-file-attributes.md
+++ b/micro-behaviors/file-system/set-file-attributes.md
@@ -48,6 +48,18 @@ Malware sets file attributes.
|[change file permission on Linux](https://github.com/mandiant/capa-rules/blob/master/host-interaction/file-system/change-file-permission-on-linux.yml)|Set File Attributes (C0050)|chown, fchown, lchown, fchownat|
|[set file attributes](https://github.com/mandiant/capa-rules/blob/master/host-interaction/file-system/meta/set-file-attributes.yml)|Set File Attributes (C0050)|kernel32.SetFileAttributes, ZwSetInformationFile, NtSetInformationFile, System.IO.File::SetAttributes, System.IO.File::SetCreationTime, System.IO.File::SetCreationTimeUtc, System.IO.File::SetLastAccessTime, System.IO.File::SetLastAccessTimeUtc, System.IO.File::SetLastWriteTime, System.IO.File::SetLastWriteTimeUtc|
+### C0050 Snippet
+
+ File System::Set File Attributes
+SHA256: 27253651170386863b148afb2a0fdda7780ae65cbc31405acbd99fa06b44b79f
+Location: 0x140006a6d
+
+mov edx, 0x2 ; pass the value indicating for the 'hidden' attribute to be set on the file
+lea rcx, [rsp + 0x40] ; name of the file for which attributes should be changed
+call qword ptr [->KERNEL32.DLL::SetFileAttributesA] ; call Windows API for changing file attributes
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
diff --git a/micro-behaviors/file-system/writes-file.md b/micro-behaviors/file-system/writes-file.md
index d492b041..1c42caba 100644
--- a/micro-behaviors/file-system/writes-file.md
+++ b/micro-behaviors/file-system/writes-file.md
@@ -67,6 +67,21 @@ Malware writes to a file.
|[echelon_files](https://github.com/CAPESandbox/community/tree/master/modules/signatures/echelon_files.py)|Writes File (C0052)|--|
|[upatre_files](https://github.com/CAPESandbox/community/tree/master/modules/signatures/upatre_files.py)|Writes File (C0052)|--|
+### C0052 Snippet
+
+ File System::Writes File
+SHA256: e5897829835f3e9fbab71674ca06f48ff127ec014d1629817f0566203c93b732
+Location: 0x4016A7
+
+mov r9, rdi ; variable that will hold number of bytes actually written
+mov r8d, ebx ; number of bytes to write
+mov param_2, rsi ; pointer to buffer containing data that will be written to the file
+mov param_1, r12 ; handle to the device/file to write to
+mov qword ptr [rsp + local_58], 0x0 ; optional pointer to OVERLAPPED structure (in this case, it is NULL)
+call qword ptr [->KERNEL32.DLL::WriteFile] ; API call to write to file specified in param_1
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
diff --git a/micro-behaviors/memory/allocate-memory.md b/micro-behaviors/memory/allocate-memory.md
index 6dfb1adf..58c34ca1 100644
--- a/micro-behaviors/memory/allocate-memory.md
+++ b/micro-behaviors/memory/allocate-memory.md
@@ -57,6 +57,20 @@ Malware allocates memory, often to unpack itself.
|---|---|---|
|[Unpacker](https://github.com/CAPESandbox/community/tree/master/modules/signatures/Unpacker.py)|Allocate Memory (C0007)|VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory|
+### C0007 Snippet
+
+ Memory::Allocate Memory
+SHA256: 000b535ab2a4fec86e2d8254f8ed65c6ebd37309ed68692c929f8f93a99233f6
+Location: 0x422BDC
+
+push 0x40 ; Memory protections to apply to pages in allocated memory region (in this case, PAGE_EXECUTE_READWRITE, which allows execute, read-only, or read/write access to the allocated memory)
+push 0x1000 ; The type of allocation to perform (in this case, MEM_COMMIT which allocates empty virtual memory to begin with and only allocates physical pages when needed).
+push 0x1000 ; Size of region to allocate in bytes
+push 0x0 ; Starting address for region where memory should be allocated (not provided in this example)
+call KERNEL32.DLL::VirtualAlloc ; call function to allocate virtual memory
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
diff --git a/micro-behaviors/memory/change-memory-protection.md b/micro-behaviors/memory/change-memory-protection.md
index 4c8a8f16..3168d50f 100644
--- a/micro-behaviors/memory/change-memory-protection.md
+++ b/micro-behaviors/memory/change-memory-protection.md
@@ -50,6 +50,23 @@ Malware may change memory protection. For example, read-write memory may be chan
|---|---|---|
|[antidebug_guardpages](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_guardpages.py)|Change Memory Protection (C0008)|VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory|
+### C0008 Snippet
+
+ Memory::Change Memory Protection
+SHA256: 905b9db8cf5a3001318b28ee5dc674f8f65ca1e4306aab9e331b3bba24e7b8a8
+Location: 0x41AB74
+
+push ecx ; pointer to return value
+push 0x40 ; new memory protection option to apply -- in this case, read, write, and execute permissions will be applied to the pages
+mov [DAT_01f56ff0], eax
+mov eax, [DAT_00492fc4]
+push edx ; size of region to change access protection attributes (in bytes)
+push eax ; Address of first page in region where access protection attributes are to be changed
+; instructions from 0x41ab83 to 0x41abb4 omitted
+call dword ptr [->KERNEL32.DLL::VirtualProtect] ; call function to change memory protection attributes
+
+
+
## References
[1] https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html
diff --git a/micro-behaviors/operating-system/console.md b/micro-behaviors/operating-system/console.md
index 1967b735..dc603479 100644
--- a/micro-behaviors/operating-system/console.md
+++ b/micro-behaviors/operating-system/console.md
@@ -40,3 +40,21 @@ Malware modifies the console.
|Tool: CAPE|Mapping|APIs|
|---|---|---|
|[bcdedit_command](https://github.com/CAPESandbox/community/tree/master/modules/signatures/bcdedit_command.py)|Console (C0033)|ShellExecuteExW, NtCreateUserProcess, CreateProcessInternalW|
+
+### C0033 Snippet
+
+ Operating System::Console
+SHA256: 905b9db8cf5a3001318b28ee5dc674f8f65ca1e4306aab9e331b3bba24e7b8a8
+Location: 0x41B4CD
+
+lea eax, [esp + 0x50] ; load an address into eax
+push eax ; where to store number of characters read
+push ecx ; coordinates of console cell on screen where reading text should begin
+push ecx ; number of screen buffer character cells to read
+lea edx, [esp + 0x2cc] ; load address into edx
+push edx ; address of buffer into which characters should be read
+push ecx ; handle to the console read buffer
+mov dword ptr [esp + 0x68], ecx
+call KERNEL32.DLL::ReadConsoleOutputCharacterA ; call function to read characters from the console
+
+
diff --git a/micro-behaviors/operating-system/registry.md b/micro-behaviors/operating-system/registry.md
index 4ec41c31..3c39bca6 100644
--- a/micro-behaviors/operating-system/registry.md
+++ b/micro-behaviors/operating-system/registry.md
@@ -220,6 +220,21 @@ Malware modifies the registry.
|[bypass_firewall](https://github.com/CAPESandbox/community/tree/master/modules/signatures/bypass_firewall.py)|Registry::Set Registry Value (C0036.001)|--|
|[remcos_regkeys](https://github.com/CAPESandbox/community/tree/master/modules/signatures/remcos_regkeys.py)|Registry (C0036)|--|
+### C0036.005 Snippet
+
+ Registry::Query Registry Key
+SHA256: 1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53
+Location: 0x408723
+
+push eax ; phkResult: stores pointer to handle containing open registry key
+push 0x1 ; samDesired: Desired access rights for opened key. 0x1 is KEY_QUERY_VALUE, which is required to query the value of the sought registry key
+push 0x0 ; ulOptions: Optional key set to 0, so no options passed to registry key
+push ecx ; lpSubKey: Optional parameter indicating a subkey to read from
+push edx ; handle to open registry key or name of registry key to open
+call dword ptr [->ADVAPI32.DLL::RegOpenKeyExA] ; Windows API call which opens registry key for the query
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
diff --git a/micro-behaviors/process/allocate-thread-local-storage.md b/micro-behaviors/process/allocate-thread-local-storage.md
index 1c982a2f..56fb7b44 100644
--- a/micro-behaviors/process/allocate-thread-local-storage.md
+++ b/micro-behaviors/process/allocate-thread-local-storage.md
@@ -43,6 +43,16 @@ Malware allocates thread local storage.
|---|---|---|
|[allocate thread local storage](https://github.com/mandiant/capa-rules/blob/master/host-interaction/process/allocate-thread-local-storage.yml)|Allocate Thread Local Storage (C0040)|kernel32.TlsAlloc|
+### C0040 Snippet
+
+ Process::Allocate Thread Local Storage
+SHA256: 0b8e662e7e595ef56396a298c367b74721d66591d856e8a8241fcdd60d08373c
+Location: 0x4142CB
+
+call dword ptr [->KERNEL32.DLL::TlsAlloc] ; call Windows API function to allocate thread local storage
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
diff --git a/micro-behaviors/process/check-mutex.md b/micro-behaviors/process/check-mutex.md
index 6a08675f..70844be7 100644
--- a/micro-behaviors/process/check-mutex.md
+++ b/micro-behaviors/process/check-mutex.md
@@ -51,6 +51,21 @@ Malware checks a mutex.
|[antivm_vmware_mutexes](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antivm_vmware_mutexes.py)|Check Mutex (C0043)|--|
|[purplewave_mutexes](https://github.com/CAPESandbox/community/tree/master/modules/signatures/purplewave_mutexes.py)|Check Mutex (C0043)|--|
+### C0043 Snippet
+
+ Process::Check Mutex
+SHA256: 0b8e662e7e595ef56396a298c367b74721d66591d856e8a8241fcdd60d08373c
+Location: 0x40294C
+
+ push eax ; name of mutex to be opened
+push 0x0 ; whether to allow processes created by the process which owns the mutex to inherit it (false)
+push 0x1f0001 ; mutex access rights (MUTEX_ALL_ACCESS)
+call dword ptr [->KERNEL32.DLL::OpenMutexW] ; call function to open mutex
+test eax, eax ; test to see if previous function call returned 0
+jz LAB_00402976 ; if it returned zero (error), jump to new memory location and execute from that point
+
+
+
## References
[1] https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-variant
diff --git a/micro-behaviors/process/create-mutex.md b/micro-behaviors/process/create-mutex.md
index e94d0a7b..921ca3da 100644
--- a/micro-behaviors/process/create-mutex.md
+++ b/micro-behaviors/process/create-mutex.md
@@ -102,6 +102,19 @@ Malware creates a mutex.
|[medusalocker_mutexes](https://github.com/CAPESandbox/community/tree/master/modules/signatures/medusalocker_mutexes.py)|Create Mutex (C0042)|--|
|[remcos_mutexes](https://github.com/CAPESandbox/community/tree/master/modules/signatures/remcos_mutexes.py)|Create Mutex (C0042)|--|
+### C0042 Snippet
+
+ Process::Create Mutex
+SHA256: 0b8e662e7e595ef56396a298c367b74721d66591d856e8a8241fcdd60d08373c
+Location: 0x402A1E
+
+push eax ; name of mutex
+push 0x0 ; if the thread that creates the mutex owns it (false, in this case)
+push 0x0 ; optional security descriptor set to NULL, so default security descriptor will be used
+call dword ptr [->KERNEL32.DLL::CreateMutexW] ; call function to create mutex
+
+
+
## References
[1] https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-variant
diff --git a/micro-behaviors/process/create-process.md b/micro-behaviors/process/create-process.md
index 1cacab4e..423fec78 100644
--- a/micro-behaviors/process/create-process.md
+++ b/micro-behaviors/process/create-process.md
@@ -75,6 +75,30 @@ Malware creates a process.
|[wmi_create_process](https://github.com/CAPESandbox/community/tree/master/modules/signatures/wmi_create_process.py)|Create Process::Create Process via WMI (C0017.002)|NtCreateUserProcess, CreateProcessInternalW|
|[script_created_process](https://github.com/CAPESandbox/community/tree/master/modules/signatures/script_created_process.py)|Create Process (C0017)|NtCreateUserProcess, CreateProcessInternalW|
+### C0049 Snippet
+
+ Process::Create Process
+SHA256: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
+Location: 0x458C26
+
+lea param_1, [ebp + 0xfffffeb0]
+push param_1 ; pointer to PROCESS_INFORMATION struct to hold information about the new process
+lea param_1, [ebp + 0xfffffec0]
+push param_1 ; pointer to STARTUPINFO struct
+push 0x0 ; path to directory for new process -- if null, use same directory as calling process
+push 0x0 ; environment block for new process -- if null, use the calling process's environment block
+push 0x4 ; process creation flags (CREATE_SUSPENDED in this case)
+push 0x0 ; if heritable handles in the calling process should be inherited by the new process. If false, inheritance will not occur.
+push 0x0 ; security attributes for new process. If null, child processes cannot inherit thread running new process
+push 0x0 ; security attributes for new process. If null, child processes cannot inherit handle for new process
+mov param_1, dword ptr [ebp + local_8]
+call FUN_00404dfc
+push param_1 ; command line for new process to execute
+push 0x0 ; application name to be executed. If null, use command line provided in another argument
+call KERNEL32.DLL::CreateProcessA ; Call Windows API function to create new process
+
+
+
## References
[1] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
diff --git a/micro-behaviors/process/create-thread.md b/micro-behaviors/process/create-thread.md
index d9fa7de1..b8d25cdc 100644
--- a/micro-behaviors/process/create-thread.md
+++ b/micro-behaviors/process/create-thread.md
@@ -54,6 +54,26 @@ Malware creates a thread.
|[antidebug_ntcreatethreadex](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_ntcreatethreadex.py)|Create Thread (C0038)|NtCreateThreadEx|
|[antidebug_ntsetinformationthread](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_ntsetinformationthread.py)|Create Thread (C0038)|NtSetInformationThread|
+### C0038 Snippet
+
+ Process::Create Thread
+SHA256: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
+Location: 0x404915
+
+mov param_2, dword ptr [ebp + param_4]
+push param_2 ; Pointer to location where thread handler will be returned
+mov param_2, dword ptr [ebp + param_5]
+push param_2 ; Flags controlling thread creation
+push param_1 ; Pointer to variable to be passed to thread
+mov param_1, FUN_004048b8
+push param_1 ; Pointer to function where thread will begin execution
+push esi ; Size of stack for new thread
+push ebx ; Pointer to security attributes for thread. If null, the handle to the thread cannot be inherited
+call KERNEL32.DLL::CreateThread ; Call to thread creation API
+
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
diff --git a/micro-behaviors/process/enumerate-threads.md b/micro-behaviors/process/enumerate-threads.md
index 33e0ffc7..2694924e 100644
--- a/micro-behaviors/process/enumerate-threads.md
+++ b/micro-behaviors/process/enumerate-threads.md
@@ -35,3 +35,18 @@ Malware enumerates threads.
|Tool: capa|Mapping|APIs|
|---|---|---|
|[enumerate threads](https://github.com/mandiant/capa-rules/blob/master/host-interaction/thread/list/enumerate-threads.yml)|Enumerate Threads (C0064)|kernel32.Thread32First, kernel32.Thread32Next, kernel32.CreateToolhelp32Snapshot|
+
+### C0064 Snippet
+
+ Process::Enumerate Threads
+SHA256: 3ac8c22eb7c59d35fe49c20f2a0eca06765543dfb15f455a5557af4428066641
+Location: 0x180003675
+
+lea rdx, [rsp + 0x48] ; pointer to THREAD32ENTRY struct
+mov rcx, r15 ; handle to snapshot of system processes
+call qword ptr [->KERNEL32.DLL::Thread32First] ; Windows API call to retrieve information about the first thread in a snapshot
+lea rdx, [rsp + 0x48]
+mov rcx, r15
+call qword ptr [->KERNEL32.DLL::Thread32Next] ; takes the same arguments as Thread32First and gets the next thread from the snapshot
+
+
diff --git a/micro-behaviors/process/resume-thread.md b/micro-behaviors/process/resume-thread.md
index d76bb007..6259449c 100644
--- a/micro-behaviors/process/resume-thread.md
+++ b/micro-behaviors/process/resume-thread.md
@@ -43,6 +43,21 @@ Malware resumes a thread.
|---|---|---|
|[resume thread](https://github.com/mandiant/capa-rules/blob/master/host-interaction/thread/resume/resume-thread.yml)|Resume Thread (C0054)|kernel32.ResumeThread, ntdll.NtResumeThread, ntdll.ZwResumeThread, System.Threading.Thread::Resume|
+### C0054 Snippet
+
+ Process::Resume Thread
+SHA256: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
+Location: 0x41B345
+
+push esi ; Where to store return value
+mov ebx, param_1
+mov param_1, dword ptr [ebx + 0x4]
+push param_1 ; Handle to thread to resume
+call KERNEL32.DLL::ResumeThread ; API call to resume thread
+
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
diff --git a/micro-behaviors/process/set-thread-local-storage-value.md b/micro-behaviors/process/set-thread-local-storage-value.md
index 0b669b5b..f069155c 100644
--- a/micro-behaviors/process/set-thread-local-storage-value.md
+++ b/micro-behaviors/process/set-thread-local-storage-value.md
@@ -47,6 +47,18 @@ Malware allocates thread local storage.
|---|---|---|
|[set thread local storage value](https://github.com/mandiant/capa-rules/blob/master/host-interaction/process/set-thread-local-storage-value.yml)|Set Thread Local Storage Value (C0041)|kernel32.TlsSetValue|
+### C0041 Snippet
+
+ Process::Set Thread Local Storage Value
+SHA256: 3ac8c22eb7c59d35fe49c20f2a0eca06765543dfb15f455a5557af4428066641
+Location: 0x180005B08
+
+mov param_2, rbx ; Value to be stored in TLS index
+mov param_1, edi ; TLS index
+call qword ptr [->KERNEL32.DLL::TlsSetValue] ; Call Windows API function to store value in thread's thread local storage (TLS) at the specified index
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
diff --git a/micro-behaviors/process/terminate-process.md b/micro-behaviors/process/terminate-process.md
index ef09a51a..72925ac6 100644
--- a/micro-behaviors/process/terminate-process.md
+++ b/micro-behaviors/process/terminate-process.md
@@ -56,6 +56,17 @@ Malware terminates a process.
|---|---|---|
|[terminates_remote_process](https://github.com/CAPESandbox/community/tree/master/modules/signatures/terminates_remote_process.py)|Terminate Process (C0018)|NtTerminateProcess|
+### C0018 Snippet
+
+ Process::Terminate Process
+SHA256: 27253651170386863b148afb2a0fdda7780ae65cbc31405acbd99fa06b44b79f
+Location: 0x1400083c7
+
+mov ecx, eax ; use the value stored in eax as the exit status for the exited process
+call qword ptr [->MSVCRT.DLL::exit] ; call the Windows API function to terminate the process
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
diff --git a/micro-behaviors/process/terminate-thread.md b/micro-behaviors/process/terminate-thread.md
index 692cd6e3..cbd50276 100644
--- a/micro-behaviors/process/terminate-thread.md
+++ b/micro-behaviors/process/terminate-thread.md
@@ -35,3 +35,15 @@ Malware terminates a thread.
|Tool: capa|Mapping|APIs|
|---|---|---|
|[terminate thread](https://github.com/mandiant/capa-rules/blob/master/host-interaction/thread/terminate/terminate-thread.yml)|Terminate Thread (C0039)|kernel32.TerminateThread, PsTerminateSystemThread, System.Threading.Thread.Abort|
+
+### C0039 Snippet
+
+ Process::Terminate Thread
+SHA256: 27253651170386863b148afb2a0fdda7780ae65cbc31405acbd99fa06b44b79f
+Location: 0x14000395B
+
+mov param_1, qword ptr [DAT_14000ca58] ; thread to terminate
+xor param_2, param_2 ; set the thread's exit status to 0
+call qword ptr [->KERNEL32.DLL::TerminateThread] ; call the Windows API function to terminate the thread
+
+
diff --git a/persistence/registry-run-keys-startup-folder.md b/persistence/registry-run-keys-startup-folder.md
index eaa89350..140f5599 100644
--- a/persistence/registry-run-keys-startup-folder.md
+++ b/persistence/registry-run-keys-startup-folder.md
@@ -68,6 +68,37 @@ See ATT&CK: **Boot or Logon Autostart Execution: Registry Run Keys / Startup Fol
|[geodo_banking_trojan](https://github.com/CAPESandbox/community/tree/master/modules/signatures/geodo_banking_trojan.py)|Registry Run Keys / Startup Folder (F0012)|--|
|[persistence_autorun](https://github.com/CAPESandbox/community/tree/master/modules/signatures/persistence_autorun.py)|Registry Run Keys / Startup Folder (F0012)|NtSetValueKey, RegSetValueExA, RegSetValueExW, CreateServiceW, CreateServiceA|
+### F0012 Snippet
+
+ Persistence::Registry Run Keys/Startup Folder
+SHA256: 0b8e662e7e595ef56396a298c367b74721d66591d856e8a8241fcdd60d08373c
+Location: 0x402994
+
+push eax ; where to store handle to created/opened registry key
+push u_SOFTWARE\Microsoft\Windows\Curre_00429bb8 ; subkey to create -- in this case SOFTWARE\Microsoft\Windows\Current\Version\Run
+push 0x80000001 ; predefined registry key HKEY_CURRENT_USER
+call dword ptr [->ADVAPI32.DLL::RegCreateKeyW] ; call to Windows API function to create the registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Current\Version\Run
+lea ecx, [esp + 0x70]
+lea edx, [ecx + 0x2]
+nop dword ptr [eax]
+mov ax, word ptr [ecx]
+add ecx, 0x2
+test ax, ax
+jnz lab_004029b0
+sub ecx, edx
+sar ecx, 1
+lea eax, [ecx * 0x2 + 0x2]
+push eax ; size of data to write to registry key
+lea eax, [esp + 0x74]
+push eax ; data to write to registry key
+push 0x1 ; indicates that the type of value to be written to registry key is a string
+push 0x0 ; reserved parameter, must be NULL
+push u_WinHoster_00429c14 ; name of the value to add to the key -- in this case, WinHoster
+push dword ptr [esp + local_264] ; handle to open registry key
+call dword ptr [->ADVAPI32.DLL::RegSetValueExW] ; API call to set registry value
+
+
+
## References
[1] https://threatvector.cylance.com/en_us/home/windows-registry-persistence-part-2-the-run-keys-and-search-order.html