+ Obfuscated Files or Information::Encoding-Standard Algorithm
+SHA256: 5fb7f3fac0a9b9ab243ee642a0775500c524166ef075035c9510ccbab76ad633
+
+1 mov eax, dword ptr [esi + 0x38]
+2 xor dword ptr [esi + 0xd0], eax
+3 mov eax, dword ptr [esi + 0xf0]
+4 add eax, 0xfff5b6c8
+5 add eax, ecx
+6 mov ecx, dword ptr [esi + 0x8c]
+7 add dword ptr [esi + 0xc0], eax
+8 mov eax, dword ptr [esi + 0x54]
+9 xor dword ptr [ecx + edx*0x1], eax
+10 add edx, 0x4
+11 mov eax, dword ptr [esi + 0x90]
+12 add dword ptr [esi + 0x54], eax
+13 mov ecx, dword ptr [esi + 0xe8]
+14 mov eax, ecx
+15 xor eax, 0xa4937
+16 add dword ptr [esi + 0x68], eax
+17 mov eax, dword ptr [esi + 0xa4]
+18 xor eax, 0x4
+19 sub dword ptr [esi + 0x60], eax
+20 cmp edx, 0x36c8
+21 jl lab_10001060
+
+Notes
+
+ - Line 9: Encryption operation occurs.
+ - Line 10: edx is incremented in preparation to encode the next value
+ - Line 20: Test to see if the encryption operation has encoded the last value
+ - Line 21: Code loops back to Line 1 if edx is less than 0x36c8
+
+
+
## References
Obfuscated Files or Information::Encoding-Standard Algorithm
SHA256: 5fb7f3fac0a9b9ab243ee642a0775500c524166ef075035c9510ccbab76ad633
+Location: 0x10001060
-1 mov eax, dword ptr [esi + 0x38]
-2 xor dword ptr [esi + 0xd0], eax
-3 mov eax, dword ptr [esi + 0xf0]
-4 add eax, 0xfff5b6c8
-5 add eax, ecx
-6 mov ecx, dword ptr [esi + 0x8c]
-7 add dword ptr [esi + 0xc0], eax
-8 mov eax, dword ptr [esi + 0x54]
-9 xor dword ptr [ecx + edx*0x1], eax
-10 add edx, 0x4
-11 mov eax, dword ptr [esi + 0x90]
-12 add dword ptr [esi + 0x54], eax
-13 mov ecx, dword ptr [esi + 0xe8]
-14 mov eax, ecx
-15 xor eax, 0xa4937
-16 add dword ptr [esi + 0x68], eax
-17 mov eax, dword ptr [esi + 0xa4]
-18 xor eax, 0x4
-19 sub dword ptr [esi + 0x60], eax
-20 cmp edx, 0x36c8
-21 jl lab_10001060
+mov eax, dword ptr [esi + 0x38]
+xor dword ptr [esi + 0xd0], eax
+mov eax, dword ptr [esi + 0xf0]
+add eax, 0xfff5b6c8
+add eax, ecx
+mov ecx, dword ptr [esi + 0x8c]
+add dword ptr [esi + 0xc0], eax
+mov eax, dword ptr [esi + 0x54]
+xor dword ptr [ecx + edx*0x1], eax ; perform encryption operation
+add edx, 0x4 ; adjust edx to next location to encrypt
+mov eax, dword ptr [esi + 0x90]
+add dword ptr [esi + 0x54], eax
+mov ecx, dword ptr [esi + 0xe8]
+mov eax, ecx
+xor eax, 0xa4937
+add dword ptr [esi + 0x68], eax
+mov eax, dword ptr [esi + 0xa4]
+xor eax, 0x4
+sub dword ptr [esi + 0x60], eax
+cmp edx, 0x36c8 ; perform comparison to check if all data encrypted
+jl lab_10001060 ; jump to first line of sample
-Notes
-
- - Line 9: Encryption operation occurs.
- - Line 10: edx is incremented in preparation to encode the next value
- - Line 20: Test to see if the encryption operation has encoded the last value (did edx meet or exceed the hardcoded boundary value during the last increment?)
- - Line 21: Code loops back to Line 1 if edx is less than 0x36c8
-
## References
From 8455fdc5af7f26e3961245208ab0cd786b881bc5 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Tue, 5 Mar 2024 16:40:53 -0500
Subject: [PATCH 04/46] Update system-information-discovery.md
Added code snippet from PoisonIvy RAT
---
discovery/system-information-discovery.md | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/discovery/system-information-discovery.md b/discovery/system-information-discovery.md
index cda14b5b..cf3c5343 100644
--- a/discovery/system-information-discovery.md
+++ b/discovery/system-information-discovery.md
@@ -101,6 +101,18 @@ See ATT&CK: **System Information Discovery ([T1082](https://attack.mitre.org/tec
|[browser_scanbox](https://github.com/CAPESandbox/community/tree/master/modules/signatures/browser_scanbox.py)|System Information Discovery (E1082)|JsEval, COleScript_ParseScriptText, COleScript_Compile|
|[recon_fingerprint](https://github.com/CAPESandbox/community/tree/master/modules/signatures/recon_fingerprint.py)|System Information Discovery (E1082)|--|
+### E1082 Snippet
+
System Information Discovery
SHA256: e4b36a1d4e70d988efa2ec27e5a639be5eb0880474f746851c13e56f007a8377
From 8b3e18fa79cbcaa766c5a508717ea46b2a21f385 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Fri, 8 Mar 2024 08:53:37 -0500
Subject: [PATCH 07/46] Update registry.md
Added snippet for registry key query
---
micro-behaviors/operating-system/registry.md | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/micro-behaviors/operating-system/registry.md b/micro-behaviors/operating-system/registry.md
index 56a51b78..8f9ab482 100644
--- a/micro-behaviors/operating-system/registry.md
+++ b/micro-behaviors/operating-system/registry.md
@@ -220,6 +220,21 @@ Malware modifies the registry.
|[bypass_firewall](https://github.com/CAPESandbox/community/tree/master/modules/signatures/bypass_firewall.py)|Registry::Set Registry Value (C0036.001)|--|
|[remcos_regkeys](https://github.com/CAPESandbox/community/tree/master/modules/signatures/remcos_regkeys.py)|Registry (C0036)|--|
+### C0036.005 Snippet
+
+ Registry::Query Registry Key
+SHA256: 1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53
+Location: 0x408723
+
+push eax ; phkResult: stores pointer to handle containing open registry key
+push 0x1 ; samDesired: Desired access rights for opened key. 0x1 is KEY_QUERY_VALUE, which is required to query the value of the sought registry key
+push 0x0 ; ulOptions: Optional key set to 0, so no options passed to registry key
+push ecx ; lpSubKey: Optional parameter indicating a subkey to read from
+push edx ; handle to open registry key or name of registry key to open
+call dword ptr [->ADVAPI32.DLL::RegOpenKeyExA] ; Windows API call which opens registry key for the query
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
From 6c4006b5f5c78e4ec9aaa54fa26e81281a18b0f3 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Thu, 14 Mar 2024 11:02:26 -0400
Subject: [PATCH 08/46] Update generate-pseudorandom-sequence.md
Added example of Mersenne Twister algorithm
---
.../generate-pseudorandom-sequence.md | 37 +++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/micro-behaviors/cryptography/generate-pseudorandom-sequence.md b/micro-behaviors/cryptography/generate-pseudorandom-sequence.md
index c22ecb4c..55f0c2ee 100644
--- a/micro-behaviors/cryptography/generate-pseudorandom-sequence.md
+++ b/micro-behaviors/cryptography/generate-pseudorandom-sequence.md
@@ -55,6 +55,43 @@ The Generate Pseudo-random Sequence micro-behavior can be used for a number of p
|[generate random numbers via RtlGenRandom](https://github.com/mandiant/capa-rules/blob/master/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml)|Generate Pseudo-random Sequence::Use API (C0021.003)|SystemFunction036|
|[generate random numbers using a Mersenne Twister](https://github.com/mandiant/capa-rules/blob/master/data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml)|Generate Pseudo-random Sequence (C0021)|--|
+### C0021 Snippet
+
+ Cryptography::Generate Pseudo-random Sequence
+SHA256: 192cdcbdec8bdebb7cae89037d6004b4aff2b8264c35a3875fa2d6db104437ca
+Location: 0x40B120
+
+mov eax, [DAT_00423174] ; set up the array of values used for the twister
+mov ecx, dword ptr [eax*0x4 + DAT_004227b0]
+mov dword ptr [EBP + local_8], ecx
+mov edx, dword ptr [DAT_00423174]
+add edx, 0x1
+mov dword ptr [DAT_OO423174], edx
+mov eax, dword ptr [ebp + local_8] ; set up by taking x (value in series to start the transform, stored at the memory address [ebp + local_8] in this case
+shr eax, 0xb ; shift x right by 11
+xor eax, dword ptr [ebp + local_8] ; xor the result of the previous operation with the old value of x. The eax register now contains intermediate value y
+mov dword ptr [ebp + local_8], eax ; store the value of y
+mov ecx, dword ptr [ebp + local_8] ; ecx now contains y
+shl ecx, 0x7 ; shift y left by 7
+and ecx, 0x9d2c5680 ; perform a bitwise and against a known constant bitmask (this value is specified in the transform equation)
+xor ecx, dword ptr [ebp + local_8] ; xor the output of the previous two instructions with the old value of y to produce y1 (still an intermediate value)
+mov dword ptr [ebp + local_8], ecx ; store y1
+mov edx, dword ptr [ebp + local_8] ; load y1 into edx to start the third part of the transform
+shl edx, 0xf ; shift y1 left by 15
+and edx, 0xefc60000 ; take y1 and perform a bitwise and operation with another constant
+xor edx, dword ptr [ebp + local_8] ; xor the output from the previous two instructions with the value of y1 stored earlier
+mov dword ptr [ebp + local_8], edx ; save this new intermediate y-value (y2)
+mov eax, dword ptr [ebp + local_8] ; load y2 into eax to start the final portion of the transform and produce the output
+shr eax, 0x12 ; shift y2 right by 18
+xor eax, dword ptr [ebp + local_8] ; xor the output from the previous instruction with the value of y2 stored earlier
+mov dword ptr [ebp + local_8], eax ; store the z-value (final output)
+mov eax, dword ptr [ebp + local_8] ; load the z-value into eax to return it
+mov esp, ebp ; move the stack pointer to the frame pointer
+pop ebp ; pop the current frame off the stack
+ret ; return from the function
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
From c6a440af5c737429da72cb0f1296a50ed58e372f Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Thu, 14 Mar 2024 13:53:55 -0400
Subject: [PATCH 09/46] Update keylogging.md
Add Dark Comet keylogging code sample
---
collection/keylogging.md | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/collection/keylogging.md b/collection/keylogging.md
index 15a99fd9..049b8929 100644
--- a/collection/keylogging.md
+++ b/collection/keylogging.md
@@ -70,6 +70,20 @@ See ATT&CK: **Input Capture: Keylogging ([T1056.001](https://attack.mitre.org/te
|[infostealer_keylog](https://github.com/CAPESandbox/community/tree/master/modules/signatures/infostealer_keylog.py)|Keylogging::Application Hook (F0002.001)|SetWindowsHookExA, GetAsyncKeyState, SetWindowsHookExW|
|[browser_scanbox](https://github.com/CAPESandbox/community/tree/master/modules/signatures/browser_scanbox.py)|Keylogging (F0002)|JsEval, COleScript_ParseScriptText, COleScript_Compile|
+### F0002.002 Snippet
+
+ Collection::Keylogging::Polling
+SHA256: 000b535ab2a4fec86e2d8254f8ed65c6ebd37309ed68692c929f8f93a99233f6
+
+Location: 0x438af1
+
+push 0x11 ; provide argument for function call. In this case, 0x11 is the Windows keyboard code for indicating the 'CTRL' key
+call USER32.DLL::GetKeyState ; call function to get the state of the control key
+test ax, 0x8000 ; test to see what the previous function returned. In this case, we are seeing if the return value's high-order bit is a 1, which would mean the ctrl key is pressed
+setnz al ; if the previous condition is not met (the zero flag is 1), a 1 is stored in byte al
+
+
+
## References
[1] https://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml
From 57a67808819a45292886f8ce9cd6f0d6f5e0eae9 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Mon, 18 Mar 2024 11:36:49 -0400
Subject: [PATCH 10/46] Update dns-communication.md
Added code sample from darkcomet
---
micro-behaviors/communication/dns-communication.md | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/micro-behaviors/communication/dns-communication.md b/micro-behaviors/communication/dns-communication.md
index 4669c35e..c3f91008 100644
--- a/micro-behaviors/communication/dns-communication.md
+++ b/micro-behaviors/communication/dns-communication.md
@@ -65,6 +65,17 @@ The DNS Communication micro-behavior focuses on DNS communication.
|[network_dns_doh_tls](https://github.com/CAPESandbox/community/tree/master/modules/signatures/network_dns_doh_tls.py)|DNS Communication (C0011)|--|
|[network_dga](https://github.com/CAPESandbox/community/tree/master/modules/signatures/network_dga.py)|DNS Communication (C0011)|--|
+### C0011.001 Snippet
+
+ Communication::DNS Communication::Resolve
+SHA256: 000b535ab2a4fec86e2d8254f8ed65c6ebd37309ed68692c929f8f93a99233f6
+Location: 0x472CD3
+
+push ebx ; hostname to perform DNS lookup for
+call WSOCK32.DLL::gethostbyname ; Windows function which will retrieve an object representing the specified host
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
From 3d830ad7a8563d0a6d43568e56c4452092a5d976 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Mon, 18 Mar 2024 12:46:20 -0400
Subject: [PATCH 11/46] Update socket-communication.md
Added DarkComet code snippet
---
.../communication/socket-communication.md | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/micro-behaviors/communication/socket-communication.md b/micro-behaviors/communication/socket-communication.md
index 94e775bf..26dc1c0e 100644
--- a/micro-behaviors/communication/socket-communication.md
+++ b/micro-behaviors/communication/socket-communication.md
@@ -90,6 +90,18 @@ Instead of being listed alphabetically, methods have been grouped to better faci
|[obliquerat_network_activity](https://github.com/CAPESandbox/community/tree/master/modules/signatures/obliquerat_network_activity.py)|Socket Communication (C0001)|send|
|[network_bind](https://github.com/CAPESandbox/community/tree/master/modules/signatures/network_bind.py)|Socket Communication (C0001)|listen, bind|
+### C0001.009 Snippet
+
+ Communication::Socket Communication::Initialize Winsock Library
+SHA256: 000b535ab2a4fec86e2d8254f8ed65c6ebd37309ed68692c929f8f93a99233f6
+Location: 0x472C92
+
+push eax ; pointer to WSADATA structure that the call to start Winsock will populate with the Windows socket data
+push 0x101 ; highest version of Winsock permitted for use in this application -- in this case, version 1.1 (major version in lowest-order byte, minor version in highest-order byte)
+call WSOCK.DLL::WSAStartup ; Initiate the Winsock DLL
+
+
+
## References
[1] https://www.mandiant.com/resources/synful-knock-acis
From 729f775ff888d0c05cd9345cda8ff7a07fc14571 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Mon, 18 Mar 2024 14:04:08 -0400
Subject: [PATCH 12/46] Update delete-file.md
Provided DarkComet sample
---
micro-behaviors/file-system/delete-file.md | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/micro-behaviors/file-system/delete-file.md b/micro-behaviors/file-system/delete-file.md
index 21c00d64..f2bc62aa 100644
--- a/micro-behaviors/file-system/delete-file.md
+++ b/micro-behaviors/file-system/delete-file.md
@@ -63,6 +63,20 @@ Malware deletes a file.
|[anomalous_deletefile](https://github.com/CAPESandbox/community/tree/master/modules/signatures/anomalous_deletefile.py)|Delete File (C0047)|NtDeleteFile, DeleteFileW, DeleteFileA|
|[deletes_self](https://github.com/CAPESandbox/community/tree/master/modules/signatures/deletes_self.py)|Delete File (C0047)|NtDeleteFile, DeleteFileW, DeleteFileA, MoveFileWithProgressW, MoveFileWithProgressTransactedW|
+### C0047 Snippet
+
+ File System::Delete File
+SHA256: 000b535ab2a4fec86e2d8254f8ed65c6ebd37309ed68692c929f8f93a99233f6
+Location: 0x409BB1
+
+call FUN_00404E80 ; generate file name to delete and store in eax
+push eax ; use the name generated by the previous function as an argument to the next function call
+call KERNEL32.DLL::DeleteFileA ; delete the file
+cmp eax, 0x1 ; if the file was successfully deleted, the previous function call will return a 1 into eax
+sbb eax, eax ; isolate the carry flag from the previous comparison. This will only be 1 if the previous command failed, otherwise it will be 0.
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
From 6e9de65afe42772399ece3aeb53f9fef3513d31b Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Mon, 18 Mar 2024 14:38:53 -0400
Subject: [PATCH 13/46] Update file-and-directory-discovery.md
Added DarkComet snippet
---
discovery/file-and-directory-discovery.md | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/discovery/file-and-directory-discovery.md b/discovery/file-and-directory-discovery.md
index bc147dd8..5a5cc00a 100644
--- a/discovery/file-and-directory-discovery.md
+++ b/discovery/file-and-directory-discovery.md
@@ -98,6 +98,21 @@ Malware may enumerate files and directories or may search for specific files or
|[antisandbox_sunbelt_files](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antisandbox_sunbelt_files.py)|File and Directory Discovery (E1083)|--|
|[antianalysis_detectfile](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antianalysis_detectfile.py)|File and Directory Discovery (E1083)|--|
+### E1083 Snippet
+
+ Discovery::File and Directory Discovery
+SHA256: 000b535ab2a4fec86e2d8254f8ed65c6ebd37309ed68692c929f8f93a99233f6
+Location: 0x409A62
+
+push eax ; argument to function containing file path to search
+call KERNEL32.DLL::GetFileAttributesA ; Function to retrieve file attributes for file path indicated by eax
+cmp eax, -0x1 ; Test if function returned an error
+jz lab_00409a71 ; If the function failed (the file's attributes were not retrieved and the return value is -1), jump to the specified address to continue execution
+test al, 0x10 ; Test the lower 8 bits of the return value to check if the file is a directory
+jnz lab_00409a75 ; If the returned result is not a directory, jump to the specified address to continue execution
+
+
+
## References
[1] https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/
@@ -112,4 +127,4 @@ Malware may enumerate files and directories or may search for specific files or
[6] capa v4.0, analyzed at MITRE on 10/12/2022
-[7] https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/
\ No newline at end of file
+[7] https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/
From f29236ab85451414767b2039ddf8df08e2813436 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Mon, 18 Mar 2024 15:50:06 -0400
Subject: [PATCH 14/46] Update allocate-memory.md
Added DarkComet sample
---
micro-behaviors/memory/allocate-memory.md | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/micro-behaviors/memory/allocate-memory.md b/micro-behaviors/memory/allocate-memory.md
index 492bae22..6c5b2437 100644
--- a/micro-behaviors/memory/allocate-memory.md
+++ b/micro-behaviors/memory/allocate-memory.md
@@ -57,6 +57,20 @@ Malware allocates memory, often to unpack itself.
|---|---|---|
|[Unpacker](https://github.com/CAPESandbox/community/tree/master/modules/signatures/Unpacker.py)|Allocate Memory (C0007)|VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory|
+### C0007 Snippet
+
+ Memory::Allocate Memory
+SHA256: 000b535ab2a4fec86e2d8254f8ed65c6ebd37309ed68692c929f8f93a99233f6
+Location: 0x422BDC
+
+push 0x40 ; Memory protections to apply to pages in allocated memory region (in this case, PAGE_EXECUTE_READWRITE, which allows execute, read-only, or read/write access to the allocated memory)
+push 0x1000 ; The type of allocation to perform (in this case, MEM_COMMIT which allocates empty virtual memory to begin with and only allocates physical pages when needed).
+push 0x1000 ; Size of region to allocate in bytes
+push 0x0 ; Starting address for region where memory should be allocated (not provided in this example)
+call KERNEL32.DLL::VirtualAlloc ; call function to allocate virtual memory
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
From 9ab481971a351be4d7cc1eb1793e8318dc0cbfaf Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Mon, 18 Mar 2024 16:39:12 -0400
Subject: [PATCH 15/46] Update modulo.md
Added Hupigon snippet
---
micro-behaviors/data/modulo.md | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/micro-behaviors/data/modulo.md b/micro-behaviors/data/modulo.md
index cd2e9373..d07b4de2 100644
--- a/micro-behaviors/data/modulo.md
+++ b/micro-behaviors/data/modulo.md
@@ -35,3 +35,13 @@ Malware calculates a modulo value.
|Tool: capa|Mapping|APIs|
|---|---|---|
|[calculate modulo 256 via x86 assembly](https://github.com/mandiant/capa-rules/blob/master/lib/calculate-modulo-256-via-x86-assembly.yml)|Modulo (C0058)|--|
+
+### C0058 Snippet
+
+ Data::Modulo
+SHA256: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
+Location: 0x403135
+
+and param_3, 0xff ; Taking the bitwise AND of any number x with a number equivalent to (2^n - 1) where n is a whole number is congruent to taking x % 2^n. In this case, x = param_3 and 0xff = 255 which satisfies (2^n - 1) for n = 8.
+
+
From 26f169fb186eccf369dbac18b288879101496b02 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Thu, 21 Mar 2024 09:19:22 -0400
Subject: [PATCH 16/46] Update get-file-attributes.md
Added Hupigon sample
---
.../file-system/get-file-attributes.md | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/micro-behaviors/file-system/get-file-attributes.md b/micro-behaviors/file-system/get-file-attributes.md
index 2ceed044..e36286a5 100644
--- a/micro-behaviors/file-system/get-file-attributes.md
+++ b/micro-behaviors/file-system/get-file-attributes.md
@@ -47,6 +47,25 @@ Malware gets file attributes.
|---|---|---|
|[get file attributes](https://github.com/mandiant/capa-rules/blob/master/host-interaction/file-system/meta/get-file-attributes.yml)|Get File Attributes (C0049)|kernel32.GetFileAttributes, ZwQueryDirectoryFile, ZwQueryInformationFile, NtQueryDirectoryFile, NtQueryInformationFile, System.IO.File::GetAttributes, System.IO.File::GetCreationTime, System.IO.File::GetCreationTimeUtc, System.IO.File::GetLastAccessTime, System.IO.File::GetLastAccessTimeUtc, System.IO.File::GetLastWriteTime, System.IO.File::GetLastWriteTimeUtc|
+### C0049 Snippet
+
+ File System::Get File Attributes
+SHA256: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
+Location: 0x4094B0
+
+push ebx ; Name of file to get attributes for
+mov ebx, param_1
+mov param_1, ebx
+call FUN_00404DFC
+push param_1 ; Return value for function call
+call KERNEL32.DLL::GetFileAttributesA ; Call Windows API for file deletion
+cmp param_1, -0x1 ; Test if the return value indicates an error
+jz LAB_004094C9 ; If the function returned an error, go to this address to continue execution
+test param_1, 0x10 ; Test to see if the file queried is a directory
+jnz LAB_004094CD ; If the file is not a directory, continue execution from this address
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
From 704e8e2f8bdd1f0c00236760c1a3a1e1eb6ea538 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Thu, 21 Mar 2024 09:48:44 -0400
Subject: [PATCH 17/46] Update application-window-discovery.md
Added Hupigon snippet
---
discovery/application-window-discovery.md | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/discovery/application-window-discovery.md b/discovery/application-window-discovery.md
index f91038ad..88523384 100644
--- a/discovery/application-window-discovery.md
+++ b/discovery/application-window-discovery.md
@@ -57,6 +57,21 @@ Malware may attempt to gain information about the operating system and applicati
|---|---|---|
|[browser_needed](https://github.com/CAPESandbox/community/tree/master/modules/signatures/browser_needed.py)|Application Window Discovery (E1010)|FindWindowW, FindWindowExA, FindWindowExW, FindWindowA|
+### E1010 Snippet
+
+ Discovery::Application Window Discovery
+SHA256: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
+Location: 0x455A5D
+
+push 0x100 ; Maximum number of characters to get from window title, including trailing string terminator (in this case, 256).
+lea param_1, [esp + 0x4]
+push param_1 ; Buffer for receiving text from window
+mov param_1, dword ptr [ebx + 0x30]
+push param_1 ; Handle to window containing text
+call USER32.DLL::GetWindowTextA ; Function call to fetch specified window title
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
From bf4c361729de75e8d4b490d36754d3d87f09cfa0 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Thu, 21 Mar 2024 10:25:27 -0400
Subject: [PATCH 18/46] Update create-process.md
Added Hupigon snippet.
---
micro-behaviors/process/create-process.md | 24 +++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/micro-behaviors/process/create-process.md b/micro-behaviors/process/create-process.md
index 67326406..80035778 100644
--- a/micro-behaviors/process/create-process.md
+++ b/micro-behaviors/process/create-process.md
@@ -75,6 +75,30 @@ Malware creates a process.
|[wmi_create_process](https://github.com/CAPESandbox/community/tree/master/modules/signatures/wmi_create_process.py)|Create Process::Create Process via WMI (C0017.002)|NtCreateUserProcess, CreateProcessInternalW|
|[script_created_process](https://github.com/CAPESandbox/community/tree/master/modules/signatures/script_created_process.py)|Create Process (C0017)|NtCreateUserProcess, CreateProcessInternalW|
+### C0049 Snippet
+
+ Process::Create Process
+SHA256: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
+Location: 0x458C26
+
+lea param_1, [ebp + 0xfffffeb0]
+push param_1 ; pointer to PROCESS_INFORMATION struct to hold information about the new process
+lea param_1, [ebp + 0xfffffec0]
+push param_1 ; pointer to STARTUPINFO struct
+push 0x0 ; path to directory for new process -- if null, use same directory as calling process
+push 0x0 ; environment block for new process -- if null, use the calling process's environment block
+push 0x4 ; process creation flags (CREATE_SUSPENDED in this case)
+push 0x0 ; if heritable handles in the calling process should be inherited by the new process. If false, inheritance will not occur.
+push 0x0 ; security attributes for new process. If null, child processes cannot inherit thread running new process
+push 0x0 ; security attributes for new process. If null, child processes cannot inherit handle for new process
+mov param_1, dword ptr [ebp + local_8]
+call FUN_00404dfc
+push param_1 ; command line for new process to execute
+push 0x0 ; application name to be executed. If null, use command line provided in another argument
+call KERNEL32.DLL::CreateProcessA ; Call Windows API function to create new process
+
+
+
## References
[1] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
From 29da1c7d2252d1cde6a9ad29917f858c188633bb Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Wed, 27 Mar 2024 09:06:16 -0400
Subject: [PATCH 19/46] Update conditional-execution.md
Added Hupigon snippet
---
execution/conditional-execution.md | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/execution/conditional-execution.md b/execution/conditional-execution.md
index 70be472d..d21a232e 100644
--- a/execution/conditional-execution.md
+++ b/execution/conditional-execution.md
@@ -70,6 +70,31 @@ Some aspects of this Conditional Execution behavior are related to the [Executio
|---|---|---|
|[run as service](https://github.com/mandiant/capa-rules/blob/master/host-interaction/service/run-as-service.yml)|Conditional Execution::Runs as Service (B0025.007)|RegisterServiceCtrlHandler, RegisterServiceCtrlHandlerEx, StartServiceCtrlDispatcher, System.ServiceProcess.ServiceBase::Run|
+### B0025.007 Snippet
+
+ Execution::Conditional Execution::Runs as Service
+SHA256: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
+Location: 0x4596BC
+
+push 0x0 ; Optional password to account running the service. Not needed for services running as LocalService
+push 0x0 ; Name of account under which to run the service. If null, use the LocalService account
+push 0x0 ; Optional list of dependencies required for the service to run
+push 0x0 ; Optional variable for tag depending on value of next parameter. If null, accept the value provided by that parameter.
+push 0x0 ; Optional load order group for the service. This service does not belong to a group
+mov param_1, dword ptr [ebp + local_8]
+call FUN_00404dfc ; Get path of binary for service to run and any arguments
+push param_1 ; Push to stack
+push 0x0 ; What to do if there is an error -- in this case, ignore it
+push 0x2 ; How to start service -- in this case, during system startup
+push 0x110 ; Service type -- in this case, service is its own process and is capable of interacting with desktop
+push 0xf01ff ; Desired access rights for service -- in this case, all rights
+push edi ; Display name for service
+push esi ; Name of service to install
+push ebx ; Handle to service control manager database
+call ADVAPI32.DLL::CreateServiceA ; Create service
+
+
+
## References
[1] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/
From d71f582a4103d32173992cdd55bd3815b68d3507 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Wed, 27 Mar 2024 09:21:52 -0400
Subject: [PATCH 20/46] Update create-thread.md
Added Hupigon snippet
---
micro-behaviors/process/create-thread.md | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/micro-behaviors/process/create-thread.md b/micro-behaviors/process/create-thread.md
index ac451533..31e3862f 100644
--- a/micro-behaviors/process/create-thread.md
+++ b/micro-behaviors/process/create-thread.md
@@ -54,6 +54,26 @@ Malware creates a thread.
|[antidebug_ntcreatethreadex](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_ntcreatethreadex.py)|Create Thread (C0038)|NtCreateThreadEx|
|[antidebug_ntsetinformationthread](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_ntsetinformationthread.py)|Create Thread (C0038)|NtSetInformationThread|
+### C0038 Snippet
+
+ Process::Create Thread
+SHA256: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
+Location: 0x404915
+
+mov param_2, dword ptr [ebp + param_4]
+push param_2 ; Pointer to location where thread handler will be returned
+mov param_2, dword ptr [ebp + param_5]
+push param_2 ; Flags controlling thread creation
+push param_1 ; Pointer to variable to be passed to thread
+mov param_1, FUN_004048b8
+push param_1 ; Pointer to function where thread will begin execution
+push esi ; Size of stack for new thread
+push ebx ; Pointer to security attributes for thread. If null, the handle to the thread cannot be inherited
+call KERNEL32.DLL::CreateThread ; Call to thread creation API
+
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
From b66bdd59dcd8635156d1a93e50d7aa4e1645ebc5 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Wed, 27 Mar 2024 09:46:31 -0400
Subject: [PATCH 21/46] Update resume-thread.md
Added Hupigon snippet
---
micro-behaviors/process/resume-thread.md | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/micro-behaviors/process/resume-thread.md b/micro-behaviors/process/resume-thread.md
index 85c69615..c208150b 100644
--- a/micro-behaviors/process/resume-thread.md
+++ b/micro-behaviors/process/resume-thread.md
@@ -43,6 +43,21 @@ Malware resumes a thread.
|---|---|---|
|[resume thread](https://github.com/mandiant/capa-rules/blob/master/host-interaction/thread/resume/resume-thread.yml)|Resume Thread (C0054)|kernel32.ResumeThread, ntdll.NtResumeThread, ntdll.ZwResumeThread, System.Threading.Thread::Resume|
+### C0054 Snippet
+
+ Process::Resume Thread
+SHA256: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
+Location: 0x41B345
+
+push esi ; Where to store return value
+mov ebx, param_1
+mov param_1, dword ptr [ebx + 0x4]
+push param_1 ; Handle to thread to resume
+call KERNEL32.DLL::ResumeThread ; API call to resume thread
+
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
From d46e626afdbd9935ec7cf41ed045c4a2f654c0bc Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Tue, 2 Apr 2024 10:34:58 -0400
Subject: [PATCH 22/46] Update command-and-scripting-interpreter.md
Added SmokeLoader sample
---
execution/command-and-scripting-interpreter.md | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/execution/command-and-scripting-interpreter.md b/execution/command-and-scripting-interpreter.md
index 75a36259..5bee1eae 100644
--- a/execution/command-and-scripting-interpreter.md
+++ b/execution/command-and-scripting-interpreter.md
@@ -113,6 +113,16 @@ See ATT&CK: **Command and Scripting Interpreter ([T1059](https://attack.mitre.or
|[script_network_activity](https://github.com/CAPESandbox/community/tree/master/modules/signatures/script_network_activity.py)|Command and Scripting Interpreter (E1059)|URLDownloadToFileW, HttpOpenRequestW, send, WSAConnect, InternetCrackUrlW, InternetCrackUrlA, SslEncryptPacket, InternetReadFile|
|[suspicious_js_script](https://github.com/CAPESandbox/community/tree/master/modules/signatures/suspicious_js_script.py)|Command and Scripting Interpreter (E1059)|JsEval, COleScript_ParseScriptText|
+### E1059 Snippet
+
+ Execution::Command and Scripting Interpreter
+SHA256: 905b9db8cf5a3001318b28ee5dc674f8f65ca1e4306aab9e331b3bba24e7b8a8
+Location: 0x41B7A6
+
+call dword ptr [->KERNEL32.DLL::GetCommandLineW]
+
+
+
## References
[1] https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy
From 73ec2d935a784cbd3bb0e04c8dd20150abe386dd Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Tue, 2 Apr 2024 10:49:21 -0400
Subject: [PATCH 23/46] Update change-memory-protection.md
Added SmokeLoader snippet
---
.../memory/change-memory-protection.md | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/micro-behaviors/memory/change-memory-protection.md b/micro-behaviors/memory/change-memory-protection.md
index 4c8a8f16..3168d50f 100644
--- a/micro-behaviors/memory/change-memory-protection.md
+++ b/micro-behaviors/memory/change-memory-protection.md
@@ -50,6 +50,23 @@ Malware may change memory protection. For example, read-write memory may be chan
|---|---|---|
|[antidebug_guardpages](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_guardpages.py)|Change Memory Protection (C0008)|VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory|
+### C0008 Snippet
+
+ Memory::Change Memory Protection
+SHA256: 905b9db8cf5a3001318b28ee5dc674f8f65ca1e4306aab9e331b3bba24e7b8a8
+Location: 0x41AB74
+
+push ecx ; pointer to return value
+push 0x40 ; new memory protection option to apply -- in this case, read, write, and execute permissions will be applied to the pages
+mov [DAT_01f56ff0], eax
+mov eax, [DAT_00492fc4]
+push edx ; size of region to change access protection attributes (in bytes)
+push eax ; Address of first page in region where access protection attributes are to be changed
+; instructions from 0x41ab83 to 0x41abb4 omitted
+call dword ptr [->KERNEL32.DLL::VirtualProtect] ; call function to change memory protection attributes
+
+
+
## References
[1] https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html
From 332465a3cd2a1cdc1b8f9c676985c45fd9bdac94 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Tue, 2 Apr 2024 11:03:19 -0400
Subject: [PATCH 24/46] Update console.md
Added snippet from SmokeLoader
---
micro-behaviors/operating-system/console.md | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/micro-behaviors/operating-system/console.md b/micro-behaviors/operating-system/console.md
index 1967b735..dc603479 100644
--- a/micro-behaviors/operating-system/console.md
+++ b/micro-behaviors/operating-system/console.md
@@ -40,3 +40,21 @@ Malware modifies the console.
|Tool: CAPE|Mapping|APIs|
|---|---|---|
|[bcdedit_command](https://github.com/CAPESandbox/community/tree/master/modules/signatures/bcdedit_command.py)|Console (C0033)|ShellExecuteExW, NtCreateUserProcess, CreateProcessInternalW|
+
+### C0033 Snippet
+
+ Operating System::Console
+SHA256: 905b9db8cf5a3001318b28ee5dc674f8f65ca1e4306aab9e331b3bba24e7b8a8
+Location: 0x41B4CD
+
+lea eax, [esp + 0x50] ; load an address into eax
+push eax ; where to store number of characters read
+push ecx ; coordinates of console cell on screen where reading text should begin
+push ecx ; number of screen buffer character cells to read
+lea edx, [esp + 0x2cc] ; load address into edx
+push edx ; address of buffer into which characters should be read
+push ecx ; handle to the console read buffer
+mov dword ptr [esp + 0x68], ecx
+call KERNEL32.DLL::ReadConsoleOutputCharacterA ; call function to read characters from the console
+
+
From 26a2a343d5a916b3896a1a11bce0ef60fc0fc0d8 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Tue, 2 Apr 2024 13:00:47 -0400
Subject: [PATCH 25/46] Update dynamic-analysis-evasion.md
Added Industroyer sample
---
anti-behavioral-analysis/dynamic-analysis-evasion.md | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/anti-behavioral-analysis/dynamic-analysis-evasion.md b/anti-behavioral-analysis/dynamic-analysis-evasion.md
index 9974e6e4..bbd0d42c 100644
--- a/anti-behavioral-analysis/dynamic-analysis-evasion.md
+++ b/anti-behavioral-analysis/dynamic-analysis-evasion.md
@@ -85,6 +85,17 @@ The related **Virtualization/Sandbox Evasion ([T1497](https://attack.mitre.org/t
|[stealth_timeout](https://github.com/CAPESandbox/community/tree/master/modules/signatures/stealth_timeout.py)|Dynamic Analysis Evasion::Delayed Execution (B0003.003)|NtWaitForSingleObject, NtQuerySystemTime, NtTerminateProcess, GetLocalTime, NtDelayExecution, GetSystemTime, GetSystemTimeAsFileTime|
|[antisandbox_unhook](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antisandbox_unhook.py)|Dynamic Analysis Evasion (B0003)|--|
+### B0003.003 Snippet
+
+ Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed Execution
+SHA256: 21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561
+Location: 0x40103B
+
+push 0x36ee80 ; sleep duration: 3600000 milliseconds (1 hour)
+call dword ptr [->KERNEL32.DLL::Sleep] ; Windows API call instructing thread to sleep for the time period specified above
+
+
+
## References
[1] https://www.joesecurity.org/blog/4310408827727907098
From 6db8dd568efc132d313581e98ce2e7e14d02d22f Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Thu, 4 Apr 2024 08:46:19 -0400
Subject: [PATCH 26/46] Update interprocess-communication.md
Added CobaltStrike sample
---
.../interprocess-communication.md | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/micro-behaviors/communication/interprocess-communication.md b/micro-behaviors/communication/interprocess-communication.md
index 735d31e3..a978c9c0 100644
--- a/micro-behaviors/communication/interprocess-communication.md
+++ b/micro-behaviors/communication/interprocess-communication.md
@@ -64,6 +64,24 @@ The Interprocess Communication micro-behavior focuses on interprocess communicat
|[ipc_namedpipe](https://github.com/CAPESandbox/community/tree/master/modules/signatures/ipc_namedpipe.py)|Interprocess Communication (C0003)|NtReadFile, NtCreateNamedPipeFile, NtWriteFile|
|[ipc_namedpipe](https://github.com/CAPESandbox/community/tree/master/modules/signatures/ipc_namedpipe.py)|Interprocess Communication::Create Pipe (C0003.001)|NtReadFile, NtCreateNamedPipeFile, NtWriteFile|
+### C0003.002 Snippet
+
+ Communication::Interprocess Communication::Connect Pipe
+SHA256: e5897829835f3e9fbab71674ca06f48ff127ec014d1629817f0566203c93b732
+Location: 0x40167C
+
+call qword ptr [->KERNEL32.DLL::CreateNamedPipeA] ; stores return value in rax
+mov r12, rax ; r12 now contains a handle to the named pipe
+lea rax, [rax + -0x1]
+cmp rax, -0x3
+ja LAB_004016dc
+xor param_2, param_2 ; set value to zeroes. param_2 is edx, which is sometimes used to hold the second argument to a function
+mov param_1, r12 ; param_1 is rcx, which is sometimes used to hold the first argument to a function. r12 contains the return value from KERNEL32.DLL::CreateNamedPipeA (see earlier mov instruction)
+lea rdi, [rsp + 0x4c]
+call qword ptr [->KERNEL32.DLL::ConnectNamedPipe] ; takes param_1 and param_2 as arguments. Return value stored in rax.
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
From 966d8fa718e62fb8eeda3489d02e176d3729fc49 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Thu, 4 Apr 2024 09:03:04 -0400
Subject: [PATCH 27/46] Update read-file.md
Added Cobalt Strike snippet
---
micro-behaviors/file-system/read-file.md | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/micro-behaviors/file-system/read-file.md b/micro-behaviors/file-system/read-file.md
index e3afb553..f4a54ca9 100644
--- a/micro-behaviors/file-system/read-file.md
+++ b/micro-behaviors/file-system/read-file.md
@@ -67,6 +67,21 @@ Malware reads a file.
|[infostealer_browser](https://github.com/CAPESandbox/community/tree/master/modules/signatures/infostealer_browser.py)|Read File (C0051)|NtReadFile, CopyFileA, CopyFileExW, CopyFileW|
|[antianalysis_detectfile](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antianalysis_detectfile.py)|Read File (C0051)|--|
+### C0051 Snippet
+
+ File System::Read File
+SHA256: e5897829835f3e9fbab71674ca06f48ff127ec014d1629817f0566203c93b732
+Location: 0x401762
+
+mov r9, rdi ; variable that will hold number of bytes actually read from file
+mov r8d, ebx ; number of bytes to read
+mov param_2, rsi ; pointer to buffer that will hold content read from file
+mov param_1, r12 ; handle to the device/file to read from
+mov qword ptr [rsp + local_58], 0x0 ; optional pointer to OVERLAPPED structure (in this case, it is NULL)
+call qword ptr [->KERNEL32.DLL::ReadFile] ; API call to read file specified in param_1
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
From bb304ff531650f23c5c40b884d6666eec7bcb425 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Thu, 4 Apr 2024 09:42:25 -0400
Subject: [PATCH 28/46] Update writes-file.md
Added cobalt strike snippet
---
micro-behaviors/file-system/writes-file.md | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/micro-behaviors/file-system/writes-file.md b/micro-behaviors/file-system/writes-file.md
index 44e57343..a1449df8 100644
--- a/micro-behaviors/file-system/writes-file.md
+++ b/micro-behaviors/file-system/writes-file.md
@@ -67,6 +67,21 @@ Malware writes to a file.
|[echelon_files](https://github.com/CAPESandbox/community/tree/master/modules/signatures/echelon_files.py)|Writes File (C0052)|--|
|[upatre_files](https://github.com/CAPESandbox/community/tree/master/modules/signatures/upatre_files.py)|Writes File (C0052)|--|
+### C0052 Snippet
+
+ File System::Writes File
+SHA256: e5897829835f3e9fbab71674ca06f48ff127ec014d1629817f0566203c93b732
+Location: 0x4016A7
+
+mov r9, rdi ; variable that will hold number of bytes actually written
+mov r8d, ebx ; number of bytes to write
+mov param_2, rsi ; pointer to buffer containing data that will be written to the file
+mov param_1, r12 ; handle to the device/file to write to
+mov qword ptr [rsp + local_58], 0x0 ; optional pointer to OVERLAPPED structure (in this case, it is NULL)
+call qword ptr [->KERNEL32.DLL::WriteFile] ; API call to write to file specified in param_1
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
From 216faa74feacee1016f2a4cf1c4b3e5615d85007 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Mon, 8 Apr 2024 10:19:36 -0400
Subject: [PATCH 29/46] Update noncryptographic-hash.md
Added emotet snippet
---
micro-behaviors/data/noncryptographic-hash.md | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/micro-behaviors/data/noncryptographic-hash.md b/micro-behaviors/data/noncryptographic-hash.md
index a8915886..29c935d8 100644
--- a/micro-behaviors/data/noncryptographic-hash.md
+++ b/micro-behaviors/data/noncryptographic-hash.md
@@ -48,3 +48,27 @@ Malware may use a non-cryptographic hash.
|[hash data using murmur3](https://github.com/mandiant/capa-rules/blob/master/data-manipulation/hashing/murmur/hash-data-using-murmur3.yml)|Non-Cryptographic Hash::MurmurHash (C0030.001)|--|
|[hash data using fnv](https://github.com/mandiant/capa-rules/blob/master/data-manipulation/hashing/fnv/hash-data-using-fnv.yml)|Non-Cryptographic Hash::FNV (C0030.005)|_allmul|
|[hash data using djb2](https://github.com/mandiant/capa-rules/blob/master/data-manipulation/hashing/djb2/hash-data-using-djb2.yml)|Non-Cryptographic Hash::djb2 (C0030.006)|--|
+
+
+### C0030.005 Snippet
+
+ Data::Non-Cryptographic Hash::FNV
+SHA256: 0b8e662e7e595ef56396a298c367b74721d66591d856e8a8241fcdd60d08373c
+Location: 0x403454
+
+mov esi, dword ptr [ebp + param_2] ; set number of bytes to hash
+mov edx, 0x811c9dc5 ; store FNV offset constant. The constants used in this snippet are the constants used for a 32-bit/4 byte message.
+push edi ; save the value of edi on the stack
+mov edi, dword ptr [ebp + param_1] ; first byte to hash
+mov ecx, 0x0 ; initialize counter
+sub esi, edi ; obtain the offset between first and last bytes to hash
+jz LAB_00403481 ; if the first and last bytes of the hash are the same, execute elsewhere and don't perform the hashing operation.
+nop dword ptr [eax]
+movzx eax, byte ptr [ecx + edi*0x1] ; move the byte to hash into the accumulator
+inc ecx ; increment the counter
+xor eax, edx ; xor the new value in the accumulator with the rest of the hash (for first xor, this will be the offset constant set earlier) and store the result in the accumulator. The xor occurring before the multiplication indicates that this is the FNV-1a variant of the algorithm
+imul edx, eax, 0x1000193 ; multiply the accumulator by the prime constant and store in edx for xor operation in next iteration
+cmp ecx, esi ; check if counter has reached offset (hashed last byte)
+jc LAB_00403470 ; if the counter has not yet reached the offset, jump back to the movzx instruction above
+
+
From 8ffcaf39be85ab2cfa29b689fcc41f65429bca83 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Mon, 8 Apr 2024 11:40:33 -0400
Subject: [PATCH 30/46] Update clipboard-modification.md
Added emotet snippet
---
impact/clipboard-modification.md | 38 ++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/impact/clipboard-modification.md b/impact/clipboard-modification.md
index 7e544982..f16ba82e 100644
--- a/impact/clipboard-modification.md
+++ b/impact/clipboard-modification.md
@@ -56,6 +56,44 @@ After E1510 was defined, T1510 was replaced by T1641.001, and Clipboard Data (
+ Impact::Clipboard Modification
+SHA256: 0b8e662e7e595ef56396a298c367b74721d66591d856e8a8241fcdd60d08373c
+Location: 0x402C0F
+
+push 0x0 ; associate clipboard with current task
+call dword ptr [->USER32.DLL::OpenClipboard] ; call function to open clipboard
+test eax, eax ; test if the clipboard open returned 0
+jz LAB_00402c70 ; if the clipboard open operation returned 0 (failed), jump to another instruction and execute from that point
+call dword ptr [->USER32.DLL::EmptyClipboard] ; call function to empty the clipboard
+lea eax, [esi * 0x2 + 0x2]
+push eax ; Number of bytes of heap memory to allocate
+push 0x2042 ; Memory allocation attributes. Notably, 0x2000 is deprecated and only intended for use with 16-bit Windows and will be ignored, so the actual argument is 0x0042, which allocates moveable memory and initializes the contents to zero
+call dword ptr [->KERNEL32.DLL::GlobalAlloc] ; Allocates heap memory
+mov esi, eax ; store pointer to allocated memory in esi
+test esi, esi ; test to see if NULL (0) returned, indicating an error with allocation
+jz LAB_00402c6a ; if error occurred, jump to memory address and begin execution there
+push esi ; pass newly-allocated memory to lock function
+call dword ptr [->KERNEL32.DLL::GlobalLock] ; lock the allocated heap memory
+test eax, eax ; test to see if lock returned NULL (0), indicating an error occurred
+jz LAB_00402c6a ; if an error occurred, jump to memory address and begin execution there
+push dword ptr [esp + local_26c] ; number of characters that can be stored in the provided buffer
+push eax ; buffer that will hold converted string
+push -0x1 ; size of the string to process. -1 indicates that the input ends with a null-terminating character, so to process up through that point
+push edi ; pointer to string to convert
+push 0x0 ; conversion type flags (must be 0 for UTF-8)
+push 0xfde9 ; code to use for conversion. In this case, 65001 indicates UTF-8
+call dword ptr [->KERNEL32.DLL::MultiByteToWideChar] ; call function to map string from UTF-8 to UTF-16
+push esi ; pointer to heap memory to unlock
+call dword ptr [->KERNEL32.DLL::GlobalUnlock] ; call function to unlock heap memory
+push esi ; handle to heap memory that will be written to clipboard
+push 0xd ; type of data to write (0xd indicates unicode)
+call dword ptr [->USER32.DLL::SetClipboardData] ; call function to write data to clipboard
+call dword ptr [->USER32.DLL::CloseClipboard] ; close the clipboard
+
+
+
## References
Process::Check Mutex
SHA256: 0b8e662e7e595ef56396a298c367b74721d66591d856e8a8241fcdd60d08373c
From 9393d7632a6940a1211b9b45b6ec1c14459fb51a Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Mon, 8 Apr 2024 13:01:14 -0400
Subject: [PATCH 33/46] Update create-mutex.md
Added Emotet snippet
---
micro-behaviors/process/create-mutex.md | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/micro-behaviors/process/create-mutex.md b/micro-behaviors/process/create-mutex.md
index c94dce0a..79d9b8bb 100644
--- a/micro-behaviors/process/create-mutex.md
+++ b/micro-behaviors/process/create-mutex.md
@@ -102,6 +102,19 @@ Malware creates a mutex.
|[medusalocker_mutexes](https://github.com/CAPESandbox/community/tree/master/modules/signatures/medusalocker_mutexes.py)|Create Mutex (C0042)|--|
|[remcos_mutexes](https://github.com/CAPESandbox/community/tree/master/modules/signatures/remcos_mutexes.py)|Create Mutex (C0042)|--|
+### C0042 Snippet
+
+ Process::Create Mutex
+SHA256: 0b8e662e7e595ef56396a298c367b74721d66591d856e8a8241fcdd60d08373c
+Location: 0x402A1E
+
+push eax ; name of mutex
+push 0x0 ; if the thread that creates the mutex owns it (false, in this case)
+push 0x0 ; optional security descriptor set to NULL, so default security descriptor will be used
+call dword ptr [->KERNEL32.DLL::CreateMutexW] ; call function to create mutex
+
+
+
## References
[1] https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-variant
From aaafd962602b77943d5e0b65d867bbabf0cc8f8e Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Mon, 8 Apr 2024 13:12:31 -0400
Subject: [PATCH 34/46] Update allocate-thread-local-storage.md
Added emotet snippet
---
.../process/allocate-thread-local-storage.md | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/micro-behaviors/process/allocate-thread-local-storage.md b/micro-behaviors/process/allocate-thread-local-storage.md
index 75b97916..2e41ff74 100644
--- a/micro-behaviors/process/allocate-thread-local-storage.md
+++ b/micro-behaviors/process/allocate-thread-local-storage.md
@@ -43,6 +43,16 @@ Malware allocates thread local storage.
|---|---|---|
|[allocate thread local storage](https://github.com/mandiant/capa-rules/blob/master/host-interaction/process/allocate-thread-local-storage.yml)|Allocate Thread Local Storage (C0040)|kernel32.TlsAlloc|
+### C0040 Snippet
+
+ Process::Allocate Thread Local Storage
+SHA256: 0b8e662e7e595ef56396a298c367b74721d66591d856e8a8241fcdd60d08373c
+Location: 0x4142CB
+
+call dword ptr [->KERNEL32.DLL::TlsAlloc] ; call Windows API function to allocate thread local storage
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
From 1913c2d9d69ab808bedd68dc0c593148686f52a3 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Mon, 8 Apr 2024 14:49:58 -0400
Subject: [PATCH 35/46] Update registry-run-keys-startup-folder.md
Added emotet snippet
---
.../registry-run-keys-startup-folder.md | 31 +++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/persistence/registry-run-keys-startup-folder.md b/persistence/registry-run-keys-startup-folder.md
index 05ed7d69..575026f5 100644
--- a/persistence/registry-run-keys-startup-folder.md
+++ b/persistence/registry-run-keys-startup-folder.md
@@ -68,6 +68,37 @@ See ATT&CK: **Boot or Logon Autostart Execution: Registry Run Keys / Startup Fol
|[geodo_banking_trojan](https://github.com/CAPESandbox/community/tree/master/modules/signatures/geodo_banking_trojan.py)|Registry Run Keys / Startup Folder (F0012)|--|
|[persistence_autorun](https://github.com/CAPESandbox/community/tree/master/modules/signatures/persistence_autorun.py)|Registry Run Keys / Startup Folder (F0012)|NtSetValueKey, RegSetValueExA, RegSetValueExW, CreateServiceW, CreateServiceA|
+### F0012 Snippet
+
+ Persistence::Registry Run Keys/Startup Folder
+SHA256: 0b8e662e7e595ef56396a298c367b74721d66591d856e8a8241fcdd60d08373c
+Location: 0x402994
+
+push eax ; where to store handle to created/opened registry key
+push u_SOFTWARE\Microsoft\Windows\Curre_00429bb8 ; subkey to create -- in this case SOFTWARE\Microsoft\Windows\Current\Version\Run
+push 0x80000001 ; predefined registry key HKEY_CURRENT_USER
+call dword ptr [->ADVAPI32.DLL::RegCreateKeyW] ; call to Windows API function to create the registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Current\Version\Run
+lea ecx, [esp + 0x70]
+lea edx, [ecx + 0x2]
+nop dword ptr [eax]
+mov ax, word ptr [ecx]
+add ecx, 0x2
+test ax, ax
+jnz lab_004029b0
+sub ecx, edx
+sar ecx, 1
+lea eax, [ecx * 0x2 + 0x2]
+push eax ; size of data to write to registry key
+lea eax, [esp + 0x74]
+push eax ; data to write to registry key
+push 0x1 ; indicates that the type of value to be written to registry key is a string
+push 0x0 ; reserved parameter, must be NULL
+push u_WinHoster_00429c14 ; name of the value to add to the key -- in this case, WinHoster
+push dword ptr [esp + local_264] ; handle to open registry key
+call dword ptr [->ADVAPI32.DLL::RegSetValueExW] ; API call to set registry value
+
+
+
## References
[1] https://threatvector.cylance.com/en_us/home/windows-registry-persistence-part-2-the-run-keys-and-search-order.html
From 0209ed1979b3a18dba446a5b7f68251822f77461 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Tue, 23 Apr 2024 11:03:12 -0400
Subject: [PATCH 36/46] Update wininet.md
Added EnvyScout snippet
---
micro-behaviors/communication/wininet.md | 39 ++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/micro-behaviors/communication/wininet.md b/micro-behaviors/communication/wininet.md
index d1f61812..c1a2c715 100644
--- a/micro-behaviors/communication/wininet.md
+++ b/micro-behaviors/communication/wininet.md
@@ -48,6 +48,45 @@ The methods below are those of most interest in malware analysis. Details can be
|---|---|---|
|[nemty_network_activity](https://github.com/CAPESandbox/community/tree/master/modules/signatures/nemty_network_activity.py)|WinINet (C0005)|InternetOpenA, InternetOpenUrlA|
+### C0005.001 Snippet
+
+ Communication::WinINet::InternetConnect
+SHA256: 3ac8c22eb7c59d35fe49c20f2a0eca06765543dfb15f455a5557af4428066641
+Location: 0x1800010b2
+
+call qword ptr [->WININET.DLL::InternetOpenA] ; Open a connection to the Internet and return the handle into rax
+mov rbp, rax ; store the handle in rbp
+test rax, rax
+jz LAB_1800013de
+mov param_1, 0x17
+call thunk_FUN_180004114
+mov r10, rax
+mov rdi, rax
+xor eax, eax
+mov param_1, 0x17
+stosb.rep rdi
+mov rdi, r10
+mov param_2, rbx
+nop dword ptr [rax]
+nop word ptr [rax + rax*0x1]
+movzx param_1, byte ptr [param_2 + rsi*offset DAT_18001ea00] ; first instruction in loop
+add param_2, 0x3 ; increase loop variable
+mov byte ptr [rdi], param_1
+lea rdi, [rdi + 0x1]
+cmp param_2, 0x42 ; test for loop end
+jl LAB_1800010f0 ; jump to beginning of loop
+movzx param_3, word ptr [DAT_18001ea44] ; TCP/IP port to connect to. DAT_18001ea44 contains 443, so this connection will occur on the default HTTPS port
+xor r9d, r9d ; name of user (if FTP connection), or NULL
+mov qword ptr [rsp + local_390], rbx ; pointer to application context for the returned handle to the internet connection
+mov param_2, r10 ; pointer to host name for internet server
+mov dword ptr [rsp + local_398], ebx ; pointer to flags specific for service used
+mov param_1, rbp ; handle to the internet connection established earlier
+mov dword ptr [rsp + local_3a0], 0x3 ; service type to access (0x3 indicates use of HTTP)
+mov qword ptr [rsp + local_3a8], rbx ; password for FTP (if needed)
+call qword ptr [->WININET.DLL::InternetConnectA] ; Windows API function to initiate an HTTP connection
+
+
+
## References
[1] https://docs.microsoft.com/en-us/windows/win32/wininet/wininet-functions
From 5a0a84f0c8934565230f997c116fdfb353d41fda Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Tue, 23 Apr 2024 11:20:55 -0400
Subject: [PATCH 37/46] Update http-communication.md
Added EnvyScout snippet
---
.../communication/http-communication.md | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/micro-behaviors/communication/http-communication.md b/micro-behaviors/communication/http-communication.md
index 62bef984..84fc0c49 100644
--- a/micro-behaviors/communication/http-communication.md
+++ b/micro-behaviors/communication/http-communication.md
@@ -120,6 +120,21 @@ Instead of being listed alphabetically, methods have been grouped to better faci
|[downloads_from_filehosting](https://github.com/CAPESandbox/community/tree/master/modules/signatures/downloads_from_filehosting.py)|HTTP Communication (C0002)|WinHttpOpenRequest, InternetOpenUrlA|
|[purplewave_network_activity](https://github.com/CAPESandbox/community/tree/master/modules/signatures/purplewave_network_activity.py)|HTTP Communication (C0002)|InternetOpenW, HttpOpenRequestW, HttpSendRequestW, HttpAddRequestHeadersA|
+### C0002.017 Snippet
+
+ Communication::HTTP Communication::Get Response
+SHA256: 3ac8c22eb7c59d35fe49c20f2a0eca06765543dfb15f455a5557af4428066641
+Location: 0x180001380
+
+mov param_2, ebx
+lea r9, [rsp + 0x44] ; where to store the number of bytes read
+add param_2, r14 ; pointer to buffer to receive HTTP data
+mov param_3, 0x400 ; number of bytes to read (1024)
+mov param_1, rsi ; handle to previously opened HTTP request
+call qword ptr [->WININET::InternetReadFile] ; Windows API for reading data from HTTP or FTP connections
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
From 4818a724220fedc9414cbae704e0bde843485a44 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Tue, 23 Apr 2024 15:25:19 -0400
Subject: [PATCH 38/46] Update enumerate-threads.md
Added Envyscout snippet
---
micro-behaviors/process/enumerate-threads.md | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/micro-behaviors/process/enumerate-threads.md b/micro-behaviors/process/enumerate-threads.md
index 33e0ffc7..2694924e 100644
--- a/micro-behaviors/process/enumerate-threads.md
+++ b/micro-behaviors/process/enumerate-threads.md
@@ -35,3 +35,18 @@ Malware enumerates threads.
|Tool: capa|Mapping|APIs|
|---|---|---|
|[enumerate threads](https://github.com/mandiant/capa-rules/blob/master/host-interaction/thread/list/enumerate-threads.yml)|Enumerate Threads (C0064)|kernel32.Thread32First, kernel32.Thread32Next, kernel32.CreateToolhelp32Snapshot|
+
+### C0064 Snippet
+
+ Process::Enumerate Threads
+SHA256: 3ac8c22eb7c59d35fe49c20f2a0eca06765543dfb15f455a5557af4428066641
+Location: 0x180003675
+
+lea rdx, [rsp + 0x48] ; pointer to THREAD32ENTRY struct
+mov rcx, r15 ; handle to snapshot of system processes
+call qword ptr [->KERNEL32.DLL::Thread32First] ; Windows API call to retrieve information about the first thread in a snapshot
+lea rdx, [rsp + 0x48]
+mov rcx, r15
+call qword ptr [->KERNEL32.DLL::Thread32Next] ; takes the same arguments as Thread32First and gets the next thread from the snapshot
+
+
From eb4e69decd8997c99ed5a3158a2765dad301fdff Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Tue, 23 Apr 2024 15:31:33 -0400
Subject: [PATCH 39/46] Update set-thread-local-storage-value.md
Added Envyscout sample
---
.../process/set-thread-local-storage-value.md | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/micro-behaviors/process/set-thread-local-storage-value.md b/micro-behaviors/process/set-thread-local-storage-value.md
index acc7ca83..1c2de1c2 100644
--- a/micro-behaviors/process/set-thread-local-storage-value.md
+++ b/micro-behaviors/process/set-thread-local-storage-value.md
@@ -47,6 +47,18 @@ Malware allocates thread local storage.
|---|---|---|
|[set thread local storage value](https://github.com/mandiant/capa-rules/blob/master/host-interaction/process/set-thread-local-storage-value.yml)|Set Thread Local Storage Value (C0041)|kernel32.TlsSetValue|
+### C0041 Snippet
+
+ Process::Set Thread Local Storage Value
+SHA256: 3ac8c22eb7c59d35fe49c20f2a0eca06765543dfb15f455a5557af4428066641
+Location: 0x180005B08
+
+mov param_2, rbx ; Value to be stored in TLS index
+mov param_1, edi ; TLS index
+call qword ptr [->KERNEL32.DLL::TlsSetValue] ; Call Windows API function to store value in thread's thread local storage (TLS) at the specified index
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
From eb8bf6bbc96d321d32063120405478156516a473 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Tue, 23 Apr 2024 16:33:18 -0400
Subject: [PATCH 40/46] Update create-directory.md
Added explosive snippet
---
micro-behaviors/file-system/create-directory.md | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/micro-behaviors/file-system/create-directory.md b/micro-behaviors/file-system/create-directory.md
index cf60127a..7297d53e 100644
--- a/micro-behaviors/file-system/create-directory.md
+++ b/micro-behaviors/file-system/create-directory.md
@@ -52,6 +52,18 @@ Malware creates a directory.
|---|---|---|
|[arkei_files](https://github.com/CAPESandbox/community/tree/master/modules/signatures/arkei_files.py)|Create Directory (C0046)|--|
+### C0046 Snippet
+
+ File System::Create Directory
+SHA256: 27253651170386863b148afb2a0fdda7780ae65cbc31405acbd99fa06b44b79f
+Location: 0x1400036d4
+
+xor param_2, param_2 ; use default security attributes (param_2 is NULL)
+mov param_1, rbp ; use contents of rbp as directory name
+call qword ptr [->KERNEL32.DLL::CreateDirectoryA] ; call Windows API to create directory
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
From 6fabb4e66a6494a891e65db37fcd2d932aed1c0a Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Tue, 23 Apr 2024 16:43:18 -0400
Subject: [PATCH 41/46] Update delete-directory.md
Added explosive code snippet (note: the malware is called "explosive")
---
micro-behaviors/file-system/delete-directory.md | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/micro-behaviors/file-system/delete-directory.md b/micro-behaviors/file-system/delete-directory.md
index a2822178..daa8b381 100644
--- a/micro-behaviors/file-system/delete-directory.md
+++ b/micro-behaviors/file-system/delete-directory.md
@@ -44,6 +44,17 @@ Malware deletes a directory.
|---|---|---|
|[delete directory](https://github.com/mandiant/capa-rules/blob/master/host-interaction/file-system/delete/delete-directory.yml)|Delete Directory (C0048)|RemoveDirectory, RemoveDirectoryTransacted, _rmdir, _wrmdir, System.IO.DirectoryInfo::Delete, System.IO.Directory::Delete|
+### C0048 Snippet
+
+ File System::Delete Directory
+SHA256: 27253651170386863b148afb2a0fdda7780ae65cbc31405acbd99fa06b44b79f
+Location: 0x140002204
+
+mov param_1, rdi ; store name of directory to remove
+call qword ptr [->KERNEL32.DLL::RemoveDirectoryA] ; call Windows API function to remove directory
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
From f353cfae3f8a96345ac6b9991650b4f81e7b3c7c Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Thu, 25 Apr 2024 08:35:10 -0400
Subject: [PATCH 42/46] Update set-file-attributes.md
Added explosive sample
---
micro-behaviors/file-system/set-file-attributes.md | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/micro-behaviors/file-system/set-file-attributes.md b/micro-behaviors/file-system/set-file-attributes.md
index e85c9f13..5dd7e9bb 100644
--- a/micro-behaviors/file-system/set-file-attributes.md
+++ b/micro-behaviors/file-system/set-file-attributes.md
@@ -48,6 +48,18 @@ Malware sets file attributes.
|[change file permission on Linux](https://github.com/mandiant/capa-rules/blob/master/host-interaction/file-system/change-file-permission-on-linux.yml)|Set File Attributes (C0050)|chown, fchown, lchown, fchownat|
|[set file attributes](https://github.com/mandiant/capa-rules/blob/master/host-interaction/file-system/meta/set-file-attributes.yml)|Set File Attributes (C0050)|kernel32.SetFileAttributes, ZwSetInformationFile, NtSetInformationFile, System.IO.File::SetAttributes, System.IO.File::SetCreationTime, System.IO.File::SetCreationTimeUtc, System.IO.File::SetLastAccessTime, System.IO.File::SetLastAccessTimeUtc, System.IO.File::SetLastWriteTime, System.IO.File::SetLastWriteTimeUtc|
+### C0050 Snippet
+
+ File System::Set File Attributes
+SHA256: 27253651170386863b148afb2a0fdda7780ae65cbc31405acbd99fa06b44b79f
+Location: 0x140006a6d
+
+mov edx, 0x2 ; pass the value indicating for the 'hidden' attribute to be set on the file
+lea rcx, [rsp + 0x40] ; name of the file for which attributes should be changed
+call qword ptr [->KERNEL32.DLL::SetFileAttributesA] ; call Windows API for changing file attributes
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
From 8fa497b1be885fd094f61d580d40caa8d28a4490 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Thu, 25 Apr 2024 08:54:50 -0400
Subject: [PATCH 43/46] Update terminate-process.md
Added explosive snippet
---
micro-behaviors/process/terminate-process.md | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/micro-behaviors/process/terminate-process.md b/micro-behaviors/process/terminate-process.md
index 24eac228..93a5957f 100644
--- a/micro-behaviors/process/terminate-process.md
+++ b/micro-behaviors/process/terminate-process.md
@@ -56,6 +56,17 @@ Malware terminates a process.
|---|---|---|
|[terminates_remote_process](https://github.com/CAPESandbox/community/tree/master/modules/signatures/terminates_remote_process.py)|Terminate Process (C0018)|NtTerminateProcess|
+### C0018 Snippet
+
+ Process::Terminate Process
+SHA256: 27253651170386863b148afb2a0fdda7780ae65cbc31405acbd99fa06b44b79f
+Location: 0x1400083c7
+
+mov ecx, eax ; use the value stored in eax as the exit status for the exited process
+call qword ptr [->MSVCRT.DLL::exit] ; call the Windows API function to terminate the process
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
From 2a0545b16afb282e19877e0ce6acf88fd26e86c8 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Thu, 25 Apr 2024 09:00:39 -0400
Subject: [PATCH 44/46] Update terminate-thread.md
Added explosive sample
---
micro-behaviors/process/terminate-thread.md | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/micro-behaviors/process/terminate-thread.md b/micro-behaviors/process/terminate-thread.md
index 692cd6e3..cbd50276 100644
--- a/micro-behaviors/process/terminate-thread.md
+++ b/micro-behaviors/process/terminate-thread.md
@@ -35,3 +35,15 @@ Malware terminates a thread.
|Tool: capa|Mapping|APIs|
|---|---|---|
|[terminate thread](https://github.com/mandiant/capa-rules/blob/master/host-interaction/thread/terminate/terminate-thread.yml)|Terminate Thread (C0039)|kernel32.TerminateThread, PsTerminateSystemThread, System.Threading.Thread.Abort|
+
+### C0039 Snippet
+
+ Process::Terminate Thread
+SHA256: 27253651170386863b148afb2a0fdda7780ae65cbc31405acbd99fa06b44b79f
+Location: 0x14000395B
+
+mov param_1, qword ptr [DAT_14000ca58] ; thread to terminate
+xor param_2, param_2 ; set the thread's exit status to 0
+call qword ptr [->KERNEL32.DLL::TerminateThread] ; call the Windows API function to terminate the thread
+
+
From 0c6c131b33f3bac666041d4e2f8a5d5f974f71af Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Thu, 25 Apr 2024 13:47:11 -0400
Subject: [PATCH 45/46] Update move-file.md
Added Finfisher snippet
---
micro-behaviors/file-system/move-file.md | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/micro-behaviors/file-system/move-file.md b/micro-behaviors/file-system/move-file.md
index 7e1fdc14..74fac546 100644
--- a/micro-behaviors/file-system/move-file.md
+++ b/micro-behaviors/file-system/move-file.md
@@ -51,6 +51,20 @@ Malware moves a file.
|---|---|---|
|[move_file_on_reboot](https://github.com/CAPESandbox/community/tree/master/modules/signatures/move_file_on_reboot.py)|Move File (C0063)|MoveFileWithProgressTransactedA, MoveFileWithProgressTransactedW|
+### C0063 Snippet
+
+ File System::Move File
+SHA256: bb8c0e477512adab1db26eb77fe10dadbc5dcbf8e94569061c7199ca4626a420
+Location: 0x41a61d
+
+push 0x4 ; option to delay move until the next reboot
+push edi ; new name for the moved file
+lea eax, [ebp + 0xffffefc4]
+push eax ; name of the file to be moved
+call dword ptr [->KERNEL32.DLL::MoveFileExW] ; Windows API function to move the file from one name to another
+
+
+
## References
[1] capa v4.0, analyzed at MITRE on 10/12/2022
From 107f9e17593445d107055ee50a7550e4f69318d6 Mon Sep 17 00:00:00 2001
From: brightmt <50853930+brightmt@users.noreply.github.com>
Date: Tue, 30 Apr 2024 10:16:08 -0400
Subject: [PATCH 46/46] Update screen-capture.md
Added ECCENTRICBANDWAGON snippet
---
collection/screen-capture.md | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/collection/screen-capture.md b/collection/screen-capture.md
index 12e05bdb..0c9d7190 100644
--- a/collection/screen-capture.md
+++ b/collection/screen-capture.md
@@ -62,6 +62,28 @@ See ATT&CK: **Screen Capture ([T1113](https://attack.mitre.org/techniques/T1113/
|[poullight_files](https://github.com/CAPESandbox/community/tree/master/modules/signatures/poullight_files.py)|Screen Capture (E1113)|--|
|[captures_screenshot](https://github.com/CAPESandbox/community/tree/master/modules/signatures/captures_screenshot.py)|Screen Capture (E1113)|LdrGetProcedureAddress, NtCreateFile|
+### E1113.m01 Snippet
+
+ Collection::Screen Capture::WinAPI
+SHA256: c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec
+Location: 0x4036de
+
+push 0xcc0020 ; Raster operation code to copy the source rectangle directly onto the destination rectangle
+push 0x0 ; y-coordinate of upper left corner of source rectangle
+push 0x0 ; x-coordinate of upper left corner of source rectangle
+push dword ptr [esi] ; handle to source device
+push eax ; height of source/destination rectangles
+mov eax, dword ptr [esi + 0xc]
+sub eax, param_2
+sub param_2, ebx
+push eax ; width of source/destination rectangles
+push param_1 ; y-coordinate of upper left corner of destination rectangle
+push param_2 ; x-coordinate of upper left corner of destination rectangle
+push dword ptr [ebp + local_28] ; handle to destingation device
+call dword ptr [->GDI32.DLL::BitBlt] ; Windows API function to transfer a rectangle of pixels from one device to another
+
+
+
## References
[1] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/