MalwareConfig

Extracted Malware Configuration

Field | Type | Description | Required | Default |
---|---|---|---|---|
config_extractor | Keyword | Name of the extractor that produced this configuration | Yes | None |
family | List [Text] | Malware family (or families) this configuration belongs to | Yes | None |
version | Text | Version of the malware | Optional | None |
category | List [Enum] | Category of malware | Optional | None |
attack | List [Enum] | Associated ATT&CK IDs | Optional | None |
capability_enabled | List [Text] | Enabled capabilities | Optional | None |
capability_disabled | List [Text] | Disabled capabilities | Optional | None |
campaign_id | List [Text] | Campaign ID | Optional | None |
identifier | List [Text] | Identifier | Optional | None |
decoded_strings | List [Text] | Decoded strings | Optional | None |
password | List [Text] | Passwords | Optional | None |
mutex | List [Text] | Mutex | Optional | None |
pipe | List [Text] | Pipe | Optional | None |
ipc | List [IPC] | IPC (similar to the 'pipe' field but more detailed) | Optional | None |
sleep_delay | Integer | Sleep delay | Optional | None |
sleep_delay_jitter | Integer | Sleep delay jitter | Optional | None |
inject_exe | List [Text] | Injected EXE | Optional | None |
binaries | List [Binary] | Binaries | Optional | None |
ftp | List [FTP] | FTP connections | Optional | None |
smtp | List [SMTP] | SMTP connections | Optional | None |
http | List [HTTP] | HTTP connections | Optional | None |
ssh | List [SSH] | SSH connections | Optional | None |
proxy | List [Proxy] | Proxies | Optional | None |
dns | List [DNS] | DNS connections | Optional | None |
tcp | List [GeneralConnection] | TCP connections | Optional | None |
udp | List [GeneralConnection] | UDP connections | Optional | None |
encryption | List [Encryption] | Encryption details | Optional | None |
service | List [Service] | Services | Optional | None |
cryptocurrency | List [Cryptocurrency] | Cryptocurrencies | Optional | None |
paths | List [Path] | Paths | Optional | None |
registry | List [Registry] | Registry keys | Optional | None |
other | Mapping [String, Any] | Other information | Optional | None |
Binary

Binary data extracted by decoder

Field | Type | Description | Required | Default |
---|---|---|---|---|
datatype | Enum | Kind of binary. Values: "config", "other", "payload" | Optional | None |
data | Text | The binary data | Yes | None |
other | Mapping [String, Any] | Other information | Optional | None |
encryption | List [Encryption] | Encryption details for the data | Optional | None |
Encryption

Encryption details

Field | Type | Description | Required | Default |
---|---|---|---|---|
algorithm | Text | Algorithm | Optional | None |
public_key | Text | Public key | Optional | None |
key | Text | Key | Optional | None |
provider | Text | Provider | Optional | None |
mode | Text | Mode | Optional | None |
iv | Text | Initialization vector | Optional | None |
seed | Text | Seed | Optional | None |
nonce | Text | Nonce value | Optional | None |
constants | List [Text] | Constants | Optional | None |
usage | Enum | Purpose of the encryption. Values: "binary", "communication", "config", "other", "ransom" | Optional | None |
Cryptocurrency

Cryptocoin usage (ransomware/miner)

Field | Type | Description | Required | Default |
---|---|---|---|---|
coin | Text | Name of coin used | Optional | None |
address | Text | Wallet address | Optional | None |
random_amount | Integer | Ransom amount | Optional | None |
usage | Enum | Use of cryptocurrency. Values: "miner", "other", "ransomware" | Optional | None |
DNS

Usage of DNS connection

Field | Type | Description | Required | Default |
---|---|---|---|---|
ip | IP | IP of DNS server | Optional | None |
port | Integer | Port of DNS server | Optional | None |
hostname | Text | Hostname used in query | Optional | None |
record_type | Enum | Type of DNS record. Values: "A", "AAAA", "AFSDB", "APL", "CAA", "CDNSKEY", "CDS", "CERT", "CNAME", "CSYNC", "DHCID", "DLV", "DNAME", "DNSKEY", "DS", "EUI48", "EUI64", "HINFO", "HIP", "HTTPS", "IPSECKEY", "KEY", "KX", "LOC", "MX", "NAPTR", "NS", "NSEC", "NSEC3", "NSEC3PARAM", "OPENPGPKEY", "PTR", "RP", "RRSIG", "SIG", "SMIMEA", "SOA", "SRV", "SSHFP", "SVCB", "TA", "TKEY", "TLSA", "TSIG", "TXT", "URI", "ZONEMD" | Optional | None |
usage | Enum | Purpose of DNS connection. Values: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
FTP

Usage of FTP connection

Field | Type | Description | Required | Default |
---|---|---|---|---|
username | Text | Username | Optional | None |
password | Text | Password | Optional | None |
hostname | Text | FTP host | Optional | None |
port | Integer | FTP port | Optional | None |
path | Text | FTP path | Optional | None |
usage | Enum | Purpose of FTP connection. Values: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
GeneralConnection

Usage of general TCP/UDP connection

Field | Type | Description | Required | Default |
---|---|---|---|---|
client_ip | IP | Client IP | Optional | None |
client_port | Integer | Client port | Optional | None |
server_ip | IP | Server IP | Optional | None |
server_domain | Domain | Server domain | Optional | None |
server_port | Integer | Server port | Optional | None |
usage | Enum | Purpose of TCP/UDP connection. Values: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
HTTP

Usage of HTTP connection

Field | Type | Description | Required | Default |
---|---|---|---|---|
uri | URI | URI | Optional | None |
protocol | Enum | Protocol. Values: "http", "https" | Optional | None |
username | Text | Username | Optional | None |
password | Text | Password | Optional | None |
hostname | Text | HTTP server | Optional | None |
port | Integer | HTTP port | Optional | None |
path | URIPath | URI path | Optional | None |
query | Text | Query parameters | Optional | None |
fragment | Text | Fragment | Optional | None |
user_agent | Text | User agent | Optional | None |
method | Enum | Method. Values: "BCOPY", "BDELETE", "BMOVE", "BPROPFIND", "BPROPPATCH", "CONNECT", "COPY", "DELETE", "GET", "HEAD", "LOCK", "MKCOL", "MOVE", "NOTIFY", "OPTIONS", "PATCH", "POLL", "POST", "PROPFIND", "PROPPATCH", "PUT", "SEARCH", "SUBSCRIBE", "TRACE", "UNLOCK", "UNSUBSCRIBE", "X-MS-ENUMATTS" | Optional | None |
headers | Mapping [String, Text] | HTTP headers | Optional | None |
max_size | Integer | Maximum size | Optional | None |
usage | Enum | Purpose of HTTP connection. Values: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
IPC

Inter-Process Communications

Field | Type | Description | Required | Default |
---|---|---|---|---|
file | List [Text] | A record stored on disk, or a record synthesized on demand by a file server, which can be accessed by multiple processes. | Optional | None |
socket | List [Text] | Data sent over a network interface, either to a different process on the same computer or to another computer on the network. Stream-oriented (TCP; data written through a socket requires formatting to preserve message boundaries) or, more rarely, message-oriented (UDP, SCTP). | Optional | None |
unix_domain_socket | List [Text] | Similar to an internet socket, but all communication occurs within the kernel. Domain sockets use the file system as their address space. Processes reference a domain socket as an inode, and multiple processes can communicate with one socket. | Optional | None |
memory_mapped_file | List [Text] | A file mapped to RAM that can be modified by changing memory addresses directly instead of writing to a stream. This shares the same benefits as a standard file. | Optional | None |
message_queue | List [Text] | A data stream similar to a socket, but which usually preserves message boundaries. Typically implemented by the operating system, message queues allow multiple processes to read from and write to the queue without being directly connected to each other. | Optional | None |
anonymous_pipe | List [Text] | A unidirectional data channel using standard input and output. Data written to the write end of the pipe is buffered by the operating system until it is read from the read end. Two-way communication between processes can be achieved by using two pipes in opposite "directions". | Optional | None |
named_pipe | List [Text] | A pipe that is treated like a file. Instead of using standard input and output as with an anonymous pipe, processes write to and read from a named pipe as if it were a regular file. | Optional | None |
process_names | List [Text] | The process names involved in the IPC communication | Optional | None |
shared_memory | Text | Multiple processes are given access to the same block of memory, which creates a shared buffer for the processes to communicate with each other. | Optional | None |
usage | Enum | Purpose of connection. Values: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
Path

File paths

Field | Type | Description | Required | Default |
---|---|---|---|---|
path | Text | Path | Optional | None |
usage | Enum | Use of path. Values: "c2", "config", "install", "logs", "other", "plugins", "storage" | Optional | None |
Proxy

Usage of proxy connection

Field | Type | Description | Required | Default |
---|---|---|---|---|
username | Text | Username | Optional | None |
password | Text | Password | Optional | None |
hostname | Text | Proxy host | Optional | None |
port | Integer | Proxy port | Optional | None |
usage | Enum | Purpose of proxy connection. Values: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
protocol | Text | Protocol used | Optional | None |
Registry

Registry keys used by the malware

Field | Type | Description | Required | Default |
---|---|---|---|---|
key | Text | Registry key | Yes | None |
value | Text | Registry value | Optional | None |
usage | Enum | Use of registry key. Values: "other", "persistence", "read", "store_data", "store_payload" | Optional | None |
SMTP

Usage of SMTP connection

Field | Type | Description | Required | Default |
---|---|---|---|---|
username | Text | Username | Optional | None |
password | Text | Password | Optional | None |
hostname | Text | SMTP host | Optional | None |
port | Integer | SMTP port | Optional | None |
mail_to | List [Text] | Sent to | Optional | None |
mail_from | Text | Sent from | Optional | None |
subject | Text | Subject | Optional | None |
usage | Enum | Purpose of SMTP connection. Values: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
SSH

Usage of SSH connection

Field | Type | Description | Required | Default |
---|---|---|---|---|
username | Text | Username | Optional | None |
password | Text | Password | Optional | None |
public_key | Text | SSH public key | Optional | None |
hostname | Text | SSH host | Optional | None |
port | Integer | SSH port | Optional | None |
usage | Enum | Purpose of SSH connection. Values: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
Service

Operating system services affected

Field | Type | Description | Required | Default |
---|---|---|---|---|
dll | Text | DLL associated to service | Optional | None |
name | Text | Name of service | Optional | None |
display_name | Text | Display name of service | Optional | None |
description | Text | Service description | Optional | None |