# MalwareConfig

Extracted malware configuration. The `List [...]` fields whose element type is a capitalised name (`HTTP`, `Encryption`, `Registry`, ...) refer to the sub-models documented in the sections below.

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| config_extractor | Keyword | Name of the extractor that produced this configuration | Yes | None |
| family | List [Text] | Malware family (or families) this configuration belongs to | Yes | None |
| version | Text | Version of the malware | Optional | None |
| category | List [Enum] | Category of malware | Optional | None |
| attack | List [Enum] | Associated ATT&CK IDs | Optional | None |
| capability_enabled | List [Text] | Enabled capabilities | Optional | None |
| capability_disabled | List [Text] | Disabled capabilities | Optional | None |
| campaign_id | List [Text] | Campaign ID | Optional | None |
| identifier | List [Text] | Identifier | Optional | None |
| decoded_strings | List [Text] | Decoded strings | Optional | None |
| password | List [Text] | Passwords | Optional | None |
| mutex | List [Text] | Mutexes | Optional | None |
| pipe | List [Text] | Pipes | Optional | None |
| ipc | List [IPC] | Inter-process communication (similar to the `pipe` field but more detailed) | Optional | None |
| sleep_delay | Integer | Sleep delay | Optional | None |
| sleep_delay_jitter | Integer | Sleep delay jitter | Optional | None |
| inject_exe | List [Text] | Injected EXE | Optional | None |
| binaries | List [Binary] | Binaries | Optional | None |
| ftp | List [FTP] | FTP connections | Optional | None |
| smtp | List [SMTP] | SMTP connections | Optional | None |
| http | List [HTTP] | HTTP connections | Optional | None |
| ssh | List [SSH] | SSH connections | Optional | None |
| proxy | List [Proxy] | Proxies | Optional | None |
| dns | List [DNS] | DNS connections | Optional | None |
| tcp | List [GeneralConnection] | TCP connections | Optional | None |
| udp | List [GeneralConnection] | UDP connections | Optional | None |
| encryption | List [Encryption] | Encryption details | Optional | None |
| service | List [Service] | Services | Optional | None |
| cryptocurrency | List [Cryptocurrency] | Cryptocurrencies | Optional | None |
| paths | List [Path] | Paths | Optional | None |
| registry | List [Registry] | Registry keys | Optional | None |
| other | Mapping [String, Any] | Other information | Optional | None |
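The following is an added example, not code from the schema page or from the extractor framework it documents. It builds one MalwareConfig record as a plain dict keyed by the field names in the table above (nested entries use the HTTP, Encryption, Registry and Path sub-models from the later sections), then checks the two required top-level fields, the required `key` of Registry entries and `data` of Binary entries, and the `usage`/`protocol` enum values before serialising to JSON. The extractor name, C2 host, key material and file paths are constructed for illustration; `validate`, `build_sample_config` and `to_json` are helper names chosen here, not part of any library. Only the standard library is used.

```python
"""Added example: assemble and sanity-check a MalwareConfig record as a dict."""
import json

# Enum values copied from the field tables on this page.
CONNECTION_USAGE = {"c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload"}
ENCRYPTION_USAGE = {"binary", "communication", "config", "other", "ransom"}
REGISTRY_USAGE = {"other", "persistence", "read", "store_data", "store_payload"}
PATH_USAGE = {"c2", "config", "install", "logs", "other", "plugins", "storage"}
CRYPTO_USAGE = {"miner", "other", "ransomware"}
HTTP_PROTOCOL = {"http", "https"}

REQUIRED_TOP_LEVEL = ("config_extractor", "family")

# Top-level list field -> allowed values of each entry's "usage" field.
LIST_USAGE_ENUMS = {
    "http": CONNECTION_USAGE, "ftp": CONNECTION_USAGE, "smtp": CONNECTION_USAGE,
    "ssh": CONNECTION_USAGE, "proxy": CONNECTION_USAGE, "dns": CONNECTION_USAGE,
    "tcp": CONNECTION_USAGE, "udp": CONNECTION_USAGE, "ipc": CONNECTION_USAGE,
    "encryption": ENCRYPTION_USAGE, "registry": REGISTRY_USAGE,
    "paths": PATH_USAGE, "cryptocurrency": CRYPTO_USAGE,
}


def validate(config):
    """Return a list of problems; an empty list means the record passes the checks."""
    problems = []
    for name in REQUIRED_TOP_LEVEL:
        if not config.get(name):
            problems.append(f"missing required field: {name}")
    if "family" in config and not isinstance(config["family"], list):
        problems.append("family must be a list of text")
    for field, allowed in LIST_USAGE_ENUMS.items():
        for i, entry in enumerate(config.get(field, [])):
            usage = entry.get("usage")
            if usage is not None and usage not in allowed:
                problems.append(f"{field}[{i}].usage={usage!r} not in {sorted(allowed)}")
    for i, entry in enumerate(config.get("http", [])):
        proto = entry.get("protocol")
        if proto is not None and proto not in HTTP_PROTOCOL:
            problems.append(f"http[{i}].protocol={proto!r} not in {sorted(HTTP_PROTOCOL)}")
    for i, entry in enumerate(config.get("registry", [])):
        if not entry.get("key"):
            problems.append(f"registry[{i}] is missing required field: key")
    for i, entry in enumerate(config.get("binaries", [])):
        if "data" not in entry:
            problems.append(f"binaries[{i}] is missing required field: data")
    return problems


def build_sample_config():
    """Constructed example record; every value is illustrative, not from a real sample."""
    return {
        "config_extractor": "ExampleRat",  # hypothetical extractor name
        "family": ["ExampleRat"],
        "version": "1.3",
        "mutex": ["Global\\example-rat-mutex"],
        "sleep_delay": 60_000,
        "sleep_delay_jitter": 10_000,
        "http": [{
            "protocol": "https",
            "hostname": "c2.example.invalid",
            "port": 443,
            "path": "/api/beacon",
            "user_agent": "Mozilla/5.0",
            "method": "POST",
            "usage": "c2",
        }],
        "encryption": [{
            "algorithm": "AES",
            "mode": "CBC",
            "key": "00112233445566778899aabbccddeeff",  # hex-encoded, constructed
            "iv": "000102030405060708090a0b0c0d0e0f",
            "usage": "communication",
        }],
        "registry": [{
            "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
            "value": "C:\\Users\\Public\\updater.exe",
            "usage": "persistence",
        }],
        "paths": [{"path": "C:\\Users\\Public\\updater.exe", "usage": "install"}],
    }


def to_json(config):
    """Validate first, then serialise; never emit a record that fails the checks."""
    problems = validate(config)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(config, sort_keys=True)


if __name__ == "__main__":
    print(to_json(build_sample_config()))
    # A record with a non-list family and an out-of-enum usage is rejected:
    print(validate({"family": "ExampleRat", "http": [{"usage": "exfil"}]}))
```

Keeping the enum sets and the required-field list next to the record builder means a new extractor fails loudly at build time rather than producing a config that downstream consumers silently drop.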
## Binary

Binary data extracted by the decoder.

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| datatype | Enum | Kind of binary. Supported values are: "config", "other", "payload" | Optional | None |
| data | Text | The binary data | Yes | None |
| other | Mapping [String, Any] | Other information | Optional | None |
| encryption | List [Encryption] | Encryption details for this binary | Optional | None |
## Encryption

Encryption details.

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| algorithm | Text | Algorithm | Optional | None |
| public_key | Text | Public key | Optional | None |
| key | Text | Key | Optional | None |
| provider | Text | Provider | Optional | None |
| mode | Text | Mode | Optional | None |
| iv | Text | Initialization vector | Optional | None |
| seed | Text | Seed | Optional | None |
| nonce | Text | Nonce value | Optional | None |
| constants | List [Text] | Constants | Optional | None |
| usage | Enum | Purpose of the encryption. Supported values are: "binary", "communication", "config", "other", "ransom" | Optional | None |
## Cryptocurrency

Cryptocurrency usage (ransomware/miner).

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| coin | Text | Name of the coin used | Optional | None |
| address | Text | Wallet address | Optional | None |
| random_amount | Integer | Ransom amount | Optional | None |
| usage | Enum | Use of the cryptocurrency. Supported values are: "miner", "other", "ransomware" | Optional | None |
## DNS

Usage of a DNS connection.

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| ip | IP | IP of the DNS server | Optional | None |
| port | Integer | Port of the DNS server | Optional | None |
| hostname | Text | Hostname used in the query | Optional | None |
| record_type | Enum | Type of DNS record. Supported values are: "A", "AAAA", "AFSDB", "APL", "CAA", "CDNSKEY", "CDS", "CERT", "CNAME", "CSYNC", "DHCID", "DLV", "DNAME", "DNSKEY", "DS", "EUI48", "EUI64", "HINFO", "HIP", "HTTPS", "IPSECKEY", "KEY", "KX", "LOC", "MX", "NAPTR", "NS", "NSEC", "NSEC3", "NSEC3PARAM", "OPENPGPKEY", "PTR", "RP", "RRSIG", "SIG", "SMIMEA", "SOA", "SRV", "SSHFP", "SVCB", "TA", "TKEY", "TLSA", "TSIG", "TXT", "URI", "ZONEMD" | Optional | None |
| usage | Enum | Purpose of the DNS connection. Supported values are: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
## FTP

Usage of an FTP connection.

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| username | Text | Username | Optional | None |
| password | Text | Password | Optional | None |
| hostname | Text | FTP host | Optional | None |
| port | Integer | FTP port | Optional | None |
| path | Text | FTP path | Optional | None |
| usage | Enum | Purpose of the FTP connection. Supported values are: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
## GeneralConnection

Usage of a general TCP/UDP connection.

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| client_ip | IP | Client IP | Optional | None |
| client_port | Integer | Client port | Optional | None |
| server_ip | IP | Server IP | Optional | None |
| server_domain | Domain | Server domain | Optional | None |
| server_port | Integer | Server port | Optional | None |
| usage | Enum | Purpose of the TCP/UDP connection. Supported values are: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
## HTTP

Usage of an HTTP connection.

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| uri | URI | URI | Optional | None |
| protocol | Enum | Protocol. Supported values are: "http", "https" | Optional | None |
| username | Text | Username | Optional | None |
| password | Text | Password | Optional | None |
| hostname | Text | HTTP server | Optional | None |
| port | Integer | HTTP port | Optional | None |
| path | URIPath | URI path | Optional | None |
| query | Text | Query parameters | Optional | None |
| fragment | Text | Fragment | Optional | None |
| user_agent | Text | User agent | Optional | None |
| method | Enum | Method. Supported values are: "BCOPY", "BDELETE", "BMOVE", "BPROPFIND", "BPROPPATCH", "CONNECT", "COPY", "DELETE", "GET", "HEAD", "LOCK", "MKCOL", "MOVE", "NOTIFY", "OPTIONS", "PATCH", "POLL", "POST", "PROPFIND", "PROPPATCH", "PUT", "SEARCH", "SUBSCRIBE", "TRACE", "UNLOCK", "UNSUBSCRIBE", "X-MS-ENUMATTS" | Optional | None |
| headers | Mapping [String, Text] | HTTP headers | Optional | None |
| max_size | Integer | Maximum size | Optional | None |
| usage | Enum | Purpose of the HTTP connection. Supported values are: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
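Extractors often recover a single C2 URL string, while the HTTP sub-model above stores the URI and its components (`protocol`, `hostname`, `port`, `path`, `query`, `fragment`, credentials) as separate fields so that detections can key on host and port alone. The helper below is an added example, not code from the schema page or the extractor framework; it splits a URL into a dict keyed by those field names, fills in the default port when the URL omits it, and rejects schemes and `usage` values outside the enums in the table. The `default_protocol` parameter is an assumption of this example for configs that store only `host[:port]/path` with no scheme; the sample URLs are constructed.

```python
"""Added example: turn a recovered URL into an HTTP sub-model entry."""
from urllib.parse import urlsplit

# Enum values copied from the HTTP table above.
HTTP_PROTOCOLS = {"http", "https"}
HTTP_USAGES = {"c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def http_entry_from_url(url, usage="c2", default_protocol="http",
                        method=None, user_agent=None, headers=None):
    """Split one URL into a dict keyed by the HTTP sub-model field names.

    `default_protocol` (an assumption of this example, not a schema field) is
    prepended when the config stores the URL without a scheme.
    """
    if usage not in HTTP_USAGES:
        raise ValueError(f"usage {usage!r} is not one of {sorted(HTTP_USAGES)}")
    if "://" not in url:
        url = f"{default_protocol}://{url}"
    parts = urlsplit(url)
    protocol = parts.scheme.lower()
    if protocol not in HTTP_PROTOCOLS:
        raise ValueError(f"protocol {protocol!r} is not one of {sorted(HTTP_PROTOCOLS)}")
    entry = {
        "uri": url,
        "protocol": protocol,
        "hostname": parts.hostname,
        # Record the port explicitly so host+port matching works even when the URL omits it.
        "port": parts.port if parts.port is not None else DEFAULT_PORTS[protocol],
        "usage": usage,
    }
    # Optional fields are only emitted when the URL (or caller) actually supplies them.
    optional = {
        "username": parts.username,
        "password": parts.password,
        "path": parts.path or None,
        "query": parts.query or None,
        "fragment": parts.fragment or None,
        "method": method.upper() if method else None,
        "user_agent": user_agent,
        "headers": dict(headers) if headers else None,
    }
    entry.update({k: v for k, v in optional.items() if v is not None})
    return entry


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real sample.
    for u in ("https://ops:s3cret@c2.example.invalid:8443/api/beacon?id=1#x",
              "10.0.0.1/gate.php"):
        print(http_entry_from_url(u, method="post", user_agent="Mozilla/5.0"))
```

Storing the decomposed fields alongside the full `uri` is what lets a consumer pivot on `hostname`/`port` across builds whose path or query string differs per campaign.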
## IPC

Inter-process communications.

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| file | List [Text] | A record stored on disk, or synthesized on demand by a file server, which can be accessed by multiple processes. | Optional | None |
| socket | List [Text] | Data sent over a network interface, either to a different process on the same computer or to another computer on the network. Stream-oriented (TCP; data written through a socket needs framing to preserve message boundaries) or, more rarely, message-oriented (UDP, SCTP). | Optional | None |
| unix_domain_socket | List [Text] | Similar to an internet socket, but all communication occurs within the kernel. Domain sockets use the file system as their address space: processes reference a domain socket as an inode, and multiple processes can communicate with one socket. | Optional | None |
| memory_mapped_file | List [Text] | A file mapped into RAM that can be modified by writing to memory addresses directly instead of outputting to a stream. This shares the same benefits as a standard file. | Optional | None |
| message_queue | List [Text] | A data stream similar to a socket, but which usually preserves message boundaries. Typically implemented by the operating system, message queues allow multiple processes to read and write without being directly connected to each other. | Optional | None |
| anonymous_pipe | List [Text] | A unidirectional data channel using standard input and output. Data written to the write end of the pipe is buffered by the operating system until it is read from the read end. Two-way communication between processes can be achieved by using two pipes in opposite directions. | Optional | None |
| named_pipe | List [Text] | A pipe that is treated like a file. Instead of using standard input and output as with an anonymous pipe, processes write to and read from a named pipe as if it were a regular file. | Optional | None |
| process_names | List [Text] | The process names involved in the IPC communication | Optional | None |
| shared_memory | Text | Multiple processes are given access to the same block of memory, which creates a shared buffer for the processes to communicate with each other. | Optional | None |
| usage | Enum | Purpose of the connection. Supported values are: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
## Path

File paths.

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| path | Text | Path | Optional | None |
| usage | Enum | Use of the path. Supported values are: "c2", "config", "install", "logs", "other", "plugins", "storage" | Optional | None |
## Proxy

Usage of a proxy connection.

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| username | Text | Username | Optional | None |
| password | Text | Password | Optional | None |
| hostname | Text | Proxy host | Optional | None |
| port | Integer | Proxy port | Optional | None |
| usage | Enum | Purpose of the proxy connection. Supported values are: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
| protocol | Text | Protocol used | Optional | None |
## Registry

Registry keys used by the malware.

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| key | Text | Registry key | Yes | None |
| value | Text | Registry value | Optional | None |
| usage | Enum | Use of the registry key. Supported values are: "other", "persistence", "read", "store_data", "store_payload" | Optional | None |
## SMTP

Usage of an SMTP connection.

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| username | Text | Username | Optional | None |
| password | Text | Password | Optional | None |
| hostname | Text | SMTP host | Optional | None |
| port | Integer | SMTP port | Optional | None |
| mail_to | List [Text] | Recipients | Optional | None |
| mail_from | Text | Sender | Optional | None |
| subject | Text | Subject | Optional | None |
| usage | Enum | Purpose of the SMTP connection. Supported values are: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
## SSH

Usage of an SSH connection.

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| username | Text | Username | Optional | None |
| password | Text | Password | Optional | None |
| public_key | Text | SSH public key | Optional | None |
| hostname | Text | SSH host | Optional | None |
| port | Integer | SSH port | Optional | None |
| usage | Enum | Purpose of the SSH connection. Supported values are: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
## Service

Operating system services affected.

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| dll | Text | DLL associated with the service | Optional | None |
| name | Text | Name of the service | Optional | None |
| display_name | Text | Display name of the service | Optional | None |
| description | Text | Service description | Optional | None |