Code samples

anti-behavioral-analysis/debugger-detection.md

@@ -145,6 +145,16 @@ Details on detecting debuggers can be found in the references.
 |[antidebug_ntsetinformationthread](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_ntsetinformationthread.py)|Debugger Detection::NtSetInformationThread (B0001.014)|NtSetInformationThread|
 |[antidebug_debugactiveprocess](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_debugactiveprocess.py)|Debugger Detection (B0001)|DebugActiveProcess|
 
+### B0001.019 Snippet
+<details>
+<summary> Anti-Behavioral Analysis::Debugger Detection::Process Environment Block </summary>
+SHA256: e33a713b96b45e2b2e0da350c0fdaaf865139607066aadff3b67b0ced82ca8bc
+Location: 0x1800270A2
+<pre>
+mov     rax, qword ptr GS:[0x60]        ; GS:[0x60] contains a pointer to the Windows Process Environment Block on 64-bit versions of Windows.  This command is copying that pointer into the rax register.
+</pre>
+</details>
+
 ## References
 
 <a name="1">[1]</a> S. Yosef,"RASPBERRY ROBIN: ANTI-EVASION HOW-TO & EXPLOIT ANALYSIS," https://research.checkpoint.com/, 18 Apr 2023. [Online]. Available: https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/.  

anti-behavioral-analysis/dynamic-analysis-evasion.md

@@ -85,6 +85,17 @@ The related **Virtualization/Sandbox Evasion ([T1497](https://attack.mitre.org/t
 |[stealth_timeout](https://github.com/CAPESandbox/community/tree/master/modules/signatures/stealth_timeout.py)|Dynamic Analysis Evasion::Delayed Execution (B0003.003)|NtWaitForSingleObject, NtQuerySystemTime, NtTerminateProcess, GetLocalTime, NtDelayExecution, GetSystemTime, GetSystemTimeAsFileTime|
 |[antisandbox_unhook](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antisandbox_unhook.py)|Dynamic Analysis Evasion (B0003)|--|
 
+### B0003.003 Snippet
+<details>
+<summary> Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed Execution </summary>
+SHA256: 21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561
+Location: 0x40103B
+<pre>
+push    0x36ee80        ; sleep duration: 3600000 milliseconds (1 hour)
+call    dword ptr [->KERNEL32.DLL::Sleep]       ; Windows API call instructing thread to sleep for the time period specified above
+</pre>
+</details>
+
 ## References
 
 <a name="1">[1]</a> https://www.joesecurity.org/blog/4310408827727907098

collection/keylogging.md

@@ -70,6 +70,20 @@ See ATT&CK: **Input Capture: Keylogging ([T1056.001](https://attack.mitre.org/te
 |[infostealer_keylog](https://github.com/CAPESandbox/community/tree/master/modules/signatures/infostealer_keylog.py)|Keylogging::Application Hook (F0002.001)|SetWindowsHookExA, GetAsyncKeyState, SetWindowsHookExW|
 |[browser_scanbox](https://github.com/CAPESandbox/community/tree/master/modules/signatures/browser_scanbox.py)|Keylogging (F0002)|JsEval, COleScript_ParseScriptText, COleScript_Compile|
 
+### F0002.002 Snippet
+<details>
+<summary> Collection::Keylogging::Polling </summary>
+SHA256: 000b535ab2a4fec86e2d8254f8ed65c6ebd37309ed68692c929f8f93a99233f6
+
+Location: 0x438af1
+<pre>
+push    0x11    ; provide argument for function call.  In this case, 0x11 is the Windows keyboard code for indicating the 'CTRL' key
+call    USER32.DLL::GetKeyState ; call function to get the state of the control key
+test    ax, 0x8000      ; test to see what the previous function returned.  In this case, we are seeing if the return value's high-order bit is a 1, which would mean the ctrl key is pressed
+setnz   al      ; if the previous condition is not met (the zero flag is 1), a 1 is stored in byte al
+</pre>
+</details>
+
 ## References
 
 <a name="1">[1]</a> https://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml

collection/screen-capture.md

@@ -62,6 +62,28 @@ See ATT&CK: **Screen Capture ([T1113](https://attack.mitre.org/techniques/T1113/
 |[poullight_files](https://github.com/CAPESandbox/community/tree/master/modules/signatures/poullight_files.py)|Screen Capture (E1113)|--|
 |[captures_screenshot](https://github.com/CAPESandbox/community/tree/master/modules/signatures/captures_screenshot.py)|Screen Capture (E1113)|LdrGetProcedureAddress, NtCreateFile|
 
+### E1113.m01 Snippet
+<details>
+<summary> Collection::Screen Capture::WinAPI </summary>
+SHA256: c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec
+Location: 0x4036de
+<pre>
+push    0xcc0020        ; Raster operation code to copy the source rectangle directly onto the destination rectangle
+push    0x0     ; y-coordinate of upper left corner of source rectangle
+push    0x0     ; x-coordinate of upper left corner of source rectangle
+push    dword ptr [esi] ; handle to source device
+push    eax     ; height of source/destination rectangles
+mov     eax, dword ptr [esi + 0xc]
+sub     eax, param_2
+sub     param_2, ebx
+push    eax     ; width of source/destination rectangles
+push    param_1 ; y-coordinate of upper left corner of destination rectangle
+push    param_2 ; x-coordinate of upper left corner of destination rectangle
+push    dword ptr [ebp + local_28]      ; handle to destingation device
+call    dword ptr [->GDI32.DLL::BitBlt] ; Windows API function to transfer a rectangle of pixels from one device to another
+</pre>
+</details>
+
 ## References
 
 <a name="1">[1]</a> https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/

defense-evasion/obfuscated-files-or-information.md

@@ -124,6 +124,36 @@ Instead of being listed alphabetically, methods have been grouped to better faci
 |[cmdline_obfuscation](https://github.com/CAPESandbox/community/tree/master/modules/signatures/cmdline_obfuscation.py)|Obfuscated Files or Information (E1027)|--|
 |[dotnet_code_compile](https://github.com/CAPESandbox/community/tree/master/modules/signatures/dotnet_code_compile.py)|Obfuscated Files or Information (E1027)|NtWriteFile, CreateProcessInternalA, NtCreateUserProcess, CreateProcessInternalW|
 
+### E1027.m02 Snippet
+<details>
+<summary> Obfuscated Files or Information::Encoding-Standard Algorithm </summary>
+SHA256: 5fb7f3fac0a9b9ab243ee642a0775500c524166ef075035c9510ccbab76ad633
+Location: 0x10001060
+<pre>
+mov     eax, dword ptr [esi + 0x38]
+xor     dword ptr [esi + 0xd0], eax
+mov     eax, dword ptr [esi + 0xf0]
+add     eax, 0xfff5b6c8
+add     eax, ecx
+mov     ecx, dword ptr [esi + 0x8c]
+add     dword ptr [esi + 0xc0], eax
+mov     eax, dword ptr [esi + 0x54]
+xor     dword ptr [ecx + edx*0x1], eax ; perform encryption operation
+add     edx, 0x4        ; adjust edx to next location to encrypt
+mov     eax, dword ptr [esi + 0x90]
+add     dword ptr [esi + 0x54], eax
+mov     ecx, dword ptr [esi + 0xe8]
+mov     eax, ecx
+xor     eax, 0xa4937
+add     dword ptr [esi + 0x68], eax
+mov     eax, dword ptr [esi + 0xa4]
+xor     eax, 0x4
+sub     dword ptr [esi + 0x60], eax
+cmp     edx, 0x36c8     ; perform comparison to check if all data encrypted
+jl      lab_10001060    ; jump to first line of sample
+</pre>
+</details>
+
 ## References
 
 <a name="1">[1]</a> https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/

discovery/application-window-discovery.md

@@ -57,6 +57,21 @@ Malware may attempt to gain information about the operating system and applicati
 |---|---|---|
 |[browser_needed](https://github.com/CAPESandbox/community/tree/master/modules/signatures/browser_needed.py)|Application Window Discovery (E1010)|FindWindowW, FindWindowExA, FindWindowExW, FindWindowA|
 
+### E1010 Snippet
+<details>
+<summary> Discovery::Application Window Discovery </summary>
+SHA256: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
+Location: 0x455A5D
+<pre>
+push    0x100   ; Maximum number of characters to get from window title, including trailing string terminator (in this case, 256).
+lea     param_1, [esp + 0x4]
+push    param_1 ; Buffer for receiving text from window
+mov     param_1, dword ptr [ebx + 0x30]
+push    param_1 ; Handle to window containing text
+call    USER32.DLL::GetWindowTextA      ; Function call to fetch specified window title
+</pre>
+</details>
+
 ## References
 
 <a name="1">[1]</a> capa v4.0, analyzed at MITRE on 10/12/2022

discovery/file-and-directory-discovery.md

@@ -98,6 +98,21 @@ Malware may enumerate files and directories or may search for specific files or
 |[antisandbox_sunbelt_files](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antisandbox_sunbelt_files.py)|File and Directory Discovery (E1083)|--|
 |[antianalysis_detectfile](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antianalysis_detectfile.py)|File and Directory Discovery (E1083)|--|
 
+### E1083 Snippet
+<details>
+<summary> Discovery::File and Directory Discovery </summary>
+SHA256: 000b535ab2a4fec86e2d8254f8ed65c6ebd37309ed68692c929f8f93a99233f6
+Location: 0x409A62
+<pre>
+push    eax     ; argument to function containing file path to search
+call    KERNEL32.DLL::GetFileAttributesA        ; Function to retrieve file attributes for file path indicated by eax
+cmp     eax, -0x1       ; Test if function returned an error
+jz      lab_00409a71    ; If the function failed (the file's attributes were not retrieved and the return value is -1), jump to the specified address to continue execution
+test    al, 0x10        ; Test the lower 8 bits of the return value to check if the file is a directory
+jnz     lab_00409a75    ; If the returned result is not a directory, jump to the specified address to continue execution
+</pre>
+</details>
+
 ## References
 
 <a name="1">[1]</a> https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/
@@ -112,4 +127,4 @@ Malware may enumerate files and directories or may search for specific files or
 
 <a name="6">[6]</a> capa v4.0, analyzed at MITRE on 10/12/2022
 
-<a name="7">[7]</a> https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/
+<a name="7">[7]</a> https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/

discovery/system-information-discovery.md

@@ -37,6 +37,7 @@ See ATT&CK: **System Information Discovery ([T1082](https://attack.mitre.org/tec
 |Name|ID|Description|
 |---|---|---|
 |**Generate Windows Exception**|E1082.m01|Malware may trigger an exception as a way of gathering system details.|
+|**Enumerate Environment Variables**|E1082.m02|Malware may query environmental variables as a way of gathering system details.|
 
 ## Use in Malware
 
@@ -101,6 +102,18 @@ See ATT&CK: **System Information Discovery ([T1082](https://attack.mitre.org/tec
 |[browser_scanbox](https://github.com/CAPESandbox/community/tree/master/modules/signatures/browser_scanbox.py)|System Information Discovery (E1082)|JsEval, COleScript_ParseScriptText, COleScript_Compile|
 |[recon_fingerprint](https://github.com/CAPESandbox/community/tree/master/modules/signatures/recon_fingerprint.py)|System Information Discovery (E1082)|--|
 
+### E1082.m02 Snippet
+<details>
+<summary> System Information Discovery </summary>
+SHA256: e4b36a1d4e70d988efa2ec27e5a639be5eb0880474f746851c13e56f007a8377
+Location: 0x004017e9
+<pre>
+push    eax     ; push register to store return value onto the stack
+push    u_ALLUSERSPROFILE_0041a9a4      ; push argument to function (name of the sought environment variable - in this case, ALLUSERSPROFILE)
+call    dword ptr [->KERNEL32.DLL::GetEnvironmentVariableW]     ; call function to get environment variable value
+</pre>
+</details>
+
 ## References
 
 <a name="1">[1]</a> https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279

execution/command-and-scripting-interpreter.md

@@ -113,6 +113,16 @@ See ATT&CK: **Command and Scripting Interpreter ([T1059](https://attack.mitre.or
 |[script_network_activity](https://github.com/CAPESandbox/community/tree/master/modules/signatures/script_network_activity.py)|Command and Scripting Interpreter (E1059)|URLDownloadToFileW, HttpOpenRequestW, send, WSAConnect, InternetCrackUrlW, InternetCrackUrlA, SslEncryptPacket, InternetReadFile|
 |[suspicious_js_script](https://github.com/CAPESandbox/community/tree/master/modules/signatures/suspicious_js_script.py)|Command and Scripting Interpreter (E1059)|JsEval, COleScript_ParseScriptText|
 
+### E1059 Snippet
+<details>
+<summary> Execution::Command and Scripting Interpreter </summary>
+SHA256: 905b9db8cf5a3001318b28ee5dc674f8f65ca1e4306aab9e331b3bba24e7b8a8
+Location: 0x41B7A6
+<pre>
+call    dword ptr [->KERNEL32.DLL::GetCommandLineW]
+</pre>
+</details>
+
 ## References
 
 <a name="1">[1]</a> https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy

execution/conditional-execution.md

@@ -70,6 +70,31 @@ Some aspects of this Conditional Execution behavior are related to the [Executio
 |---|---|---|
 |[run as service](https://github.com/mandiant/capa-rules/blob/master/host-interaction/service/run-as-service.yml)|Conditional Execution::Runs as Service (B0025.007)|RegisterServiceCtrlHandler, RegisterServiceCtrlHandlerEx, StartServiceCtrlDispatcher, System.ServiceProcess.ServiceBase::Run|
 
+### B0025.007 Snippet
+<details>
+<summary> Execution::Conditional Execution::Runs as Service </summary>
+SHA256: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
+Location: 0x4596BC
+<pre>
+push    0x0     ; Optional password to account running the service.  Not needed for services running as LocalService
+push    0x0     ; Name of account under which to run the service.  If null, use the LocalService account
+push    0x0     ; Optional list of dependencies required for the service to run
+push    0x0     ; Optional variable for tag depending on value of next parameter.  If null, accept the value provided by that parameter.
+push    0x0     ; Optional load order group for the service.  This service does not belong to a group
+mov     param_1, dword ptr [ebp + local_8]
+call    FUN_00404dfc    ; Get path of binary for service to run and any arguments
+push    param_1 ; Push to stack
+push    0x0     ; What to do if there is an error -- in this case, ignore it
+push    0x2     ; How to start service -- in this case, during system startup
+push    0x110   ; Service type -- in this case, service is its own process and is capable of interacting with desktop
+push    0xf01ff ; Desired access rights for service -- in this case, all rights
+push    edi     ; Display name for service
+push    esi     ; Name of service to install
+push    ebx     ; Handle to service control manager database
+call    ADVAPI32.DLL::CreateServiceA    ; Create service
+</pre>
+</details>
+
 ## References
 
 <a name="1">[1]</a> https://www.mcafee.com/blogs/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/

impact/clipboard-modification.md

@@ -56,6 +56,44 @@ After E1510 was defined, T1510 was replaced by T1641.001, and Clipboard Data (<a
 |---|---|---|
 |[set_clipboard_data](https://github.com/CAPESandbox/community/tree/master/modules/signatures/set_clipboard_data.py)|Clipboard Modification (E1510)|SetClipboardData|
 
+### E1510 Snippet
+<details>
+<summary> Impact::Clipboard Modification </summary>
+SHA256: 0b8e662e7e595ef56396a298c367b74721d66591d856e8a8241fcdd60d08373c
+Location: 0x402C0F
+<pre>
+push    0x0     ; associate clipboard with current task
+call    dword ptr [->USER32.DLL::OpenClipboard] ; call function to open clipboard
+test    eax, eax        ; test if the clipboard open returned 0
+jz      LAB_00402c70    ; if the clipboard open operation returned 0 (failed), jump to another instruction and execute from that point
+call    dword ptr [->USER32.DLL::EmptyClipboard]        ; call function to empty the clipboard
+lea     eax, [esi * 0x2 + 0x2]
+push    eax     ; Number of bytes of heap memory to allocate
+push    0x2042  ; Memory allocation attributes.  Notably, 0x2000 is deprecated and only intended for use with 16-bit Windows and will be ignored, so the actual argument is 0x0042, which allocates moveable memory and initializes the contents to zero
+call    dword ptr [->KERNEL32.DLL::GlobalAlloc] ; Allocates heap memory
+mov     esi, eax        ; store pointer to allocated memory in esi
+test    esi, esi        ; test to see if NULL (0) returned, indicating an error with allocation
+jz      LAB_00402c6a    ; if error occurred, jump to memory address and begin execution there
+push    esi     ; pass newly-allocated memory to lock function
+call    dword ptr [->KERNEL32.DLL::GlobalLock]  ; lock the allocated heap memory
+test    eax, eax        ; test to see if lock returned NULL (0), indicating an error occurred
+jz      LAB_00402c6a    ; if an error occurred, jump to memory address and begin execution there
+push    dword ptr [esp + local_26c]     ; number of characters that can be stored in the provided buffer
+push    eax     ; buffer that will hold converted string
+push    -0x1    ; size of the string to process.  -1 indicates that the input ends with a null-terminating character, so to process up through that point
+push    edi     ; pointer to string to convert
+push    0x0     ; conversion type flags (must be 0 for UTF-8)
+push    0xfde9  ; code to use for conversion.  In this case, 65001 indicates UTF-8
+call    dword ptr [->KERNEL32.DLL::MultiByteToWideChar] ; call function to map string from UTF-8 to UTF-16
+push    esi     ; pointer to heap memory to unlock
+call    dword ptr [->KERNEL32.DLL::GlobalUnlock]        ; call function to unlock heap memory
+push    esi     ; handle to heap memory that will be written to clipboard
+push    0xd     ; type of data to write (0xd indicates unicode)
+call    dword ptr [->USER32.DLL::SetClipboardData]      ; call function to write data to clipboard
+call    dword ptr [->USER32.DLL::CloseClipboard]        ; close the clipboard
+</pre>
+</details>
+
 ## References
 
 <a name="1">[1]</a> https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking

micro-behaviors/communication/dns-communication.md

@@ -65,6 +65,17 @@ The DNS Communication micro-behavior focuses on DNS communication.
 |[network_dns_doh_tls](https://github.com/CAPESandbox/community/tree/master/modules/signatures/network_dns_doh_tls.py)|DNS Communication (C0011)|--|
 |[network_dga](https://github.com/CAPESandbox/community/tree/master/modules/signatures/network_dga.py)|DNS Communication (C0011)|--|
 
+### C0011.001 Snippet
+<details>
+<summary> Communication::DNS Communication::Resolve </summary>
+SHA256: 000b535ab2a4fec86e2d8254f8ed65c6ebd37309ed68692c929f8f93a99233f6
+Location: 0x472CD3
+<pre>
+push    ebx     ; hostname to perform DNS lookup for
+call    WSOCK32.DLL::gethostbyname      ; Windows function which will retrieve an object representing the specified host
+</pre>
+</details>
+
 ## References
 
 <a name="1">[1]</a> capa v4.0, analyzed at MITRE on 10/12/2022

micro-behaviors/communication/http-communication.md

@@ -120,6 +120,21 @@ Instead of being listed alphabetically, methods have been grouped to better faci
 |[downloads_from_filehosting](https://github.com/CAPESandbox/community/tree/master/modules/signatures/downloads_from_filehosting.py)|HTTP Communication (C0002)|WinHttpOpenRequest, InternetOpenUrlA|
 |[purplewave_network_activity](https://github.com/CAPESandbox/community/tree/master/modules/signatures/purplewave_network_activity.py)|HTTP Communication (C0002)|InternetOpenW, HttpOpenRequestW, HttpSendRequestW, HttpAddRequestHeadersA|
 
+### C0002.017 Snippet
+<details>
+<summary> Communication::HTTP Communication::Get Response </summary>
+SHA256: 3ac8c22eb7c59d35fe49c20f2a0eca06765543dfb15f455a5557af4428066641
+Location: 0x180001380
+<pre>
+mov     param_2, ebx
+lea     r9, [rsp + 0x44]        ; where to store the number of bytes read
+add     param_2, r14    ; pointer to buffer to receive HTTP data
+mov     param_3, 0x400  ; number of bytes to read (1024)
+mov     param_1, rsi    ; handle to previously opened HTTP request
+call    qword ptr [->WININET::InternetReadFile] ; Windows API for reading data from HTTP or FTP connections
+</pre>
+</details>
+
 ## References
 
 <a name="1">[1]</a> capa v4.0, analyzed at MITRE on 10/12/2022