Full Feature Set
{ | |
"call_feature": { | |
"function" : [ | |
"NtOpenSection", | |
"NtWaitForSingleObject", | |
"GetAsyncKeyState", | |
"NtDeleteValueKey", | |
"WSARecv", | |
"getaddrinfo", | |
"InternetGetConnectedState", | |
"NtCreateEvent", | |
"GetFileVersionInfoSizeW", | |
"GetAdaptersAddresses", | |
"NtMakeTemporaryObject", | |
"NtRenameKey", | |
"HttpSendRequestA", | |
"GetLocalTime", | |
"NetUserGetLocalGroups", | |
"FindFirstFileExW", | |
"CryptRetrieveObjectByUrlW", | |
"NtReadVirtualMemory", | |
"HttpAddRequestHeadersA", | |
"RegOpenKeyExW", | |
"NtDelayExecution", | |
"InternetCrackUrlA", | |
"SetErrorMode", | |
"ShellExecuteExW", | |
"RegOpenKeyExA", | |
"HttpSendRequestW", | |
"HttpAddRequestHeadersW", | |
"GetCursorPos", | |
"JsEval", | |
"GetUserNameW", | |
"WinHttpSetTimeouts", | |
"WaitForDebugEvent", | |
"FindWindowExA", | |
"GetUserNameA", | |
"NtCreateFile", | |
"TransmitFile", | |
"GetSystemTimeAsFileTime", | |
"WinHttpOpen", | |
"NtLoadDriver", | |
"GetDiskFreeSpaceA", | |
"NtCreateProcess", | |
"NtDeleteKey", | |
"WinHttpQueryHeaders", | |
"InternetSetOptionA", | |
"CryptGenKey", | |
"recvfrom", | |
"CryptEncrypt", | |
"sendto", | |
"NtSuspendThread", | |
"NtQueryInformationFile", | |
"RegCreateKeyExW", | |
"GetSystemTime", | |
"DeviceIoControl", | |
"WSASendTo", | |
"FindFirstChangeNotificationW", | |
"NtQueryKey", | |
"OpenServiceA", | |
"WriteProcessMemory", | |
"WSARecvFrom", | |
"NtSetContextThread", | |
"HttpEndRequestW", | |
"RegQueryValueExA", | |
"RemoveDirectoryW", | |
"EnumWindows", | |
"OpenServiceW", | |
"NtSetValueKey", | |
"LookupPrivilegeValueW", | |
"NtQueryValueKey", | |
"RegCreateKeyExA", | |
"RemoveDirectoryA", | |
"HttpEndRequestA", | |
"RegQueryValueExW", | |
"WSASocketW", | |
"NetUserGetInfo", | |
"SetWindowsHookExW", | |
"ExitWindowsEx", | |
"WSASend", | |
"WinHttpGetProxyForUrl", | |
"StartServiceA", | |
"NtDeviceIoControlFile", | |
"NtReadFile", | |
"CryptCreateHash", | |
"FindWindowExW", | |
"NtWriteFile", | |
"LdrGetDllHandle", | |
"WinHttpSendRequest", | |
"RtlDecompressBuffer", | |
"NtQuerySystemInformation", | |
"NtEnumerateValueKey", | |
"CreateDirectoryExW", | |
"CreateThread", | |
"NtLoadKey", | |
"SetupDiGetClassDevsA", | |
"SetUnhandledExceptionFilter", | |
"NtQuerySystemTime", | |
"GetVolumeNameForVolumeMountPointW", | |
"DnsQuery_A", | |
"CryptDecrypt", | |
"recv", | |
"SetupDiGetClassDevsW", | |
"NtProtectVirtualMemory", | |
"SHGetFolderPathW", | |
"RegDeleteValueW", | |
"GetDiskFreeSpaceExA", | |
"socket", | |
"RegSetValueExW", | |
"WriteConsoleA", | |
"LdrGetProcedureAddress", | |
"NtOpenThread", | |
"CopyFileA", | |
"CopyFileW", | |
"RegSetValueExA", | |
"GetDiskFreeSpaceExW", | |
"NtEnumerateKey", | |
"NtOpenDirectoryObject", | |
"LdrLoadDll", | |
"NtWriteVirtualMemory", | |
"URLDownloadToFileW", | |
"WriteConsoleW", | |
"CreateToolhelp32Snapshot", | |
"SendNotifyMessageA", | |
"RegCloseKey", | |
"NtOpenEvent", | |
"NtSetInformationFile", | |
"HttpSendRequestExW", | |
"NtCreateKey", | |
"WinHttpConnect", | |
"MoveFileWithProgressW", | |
"ioctlsocket", | |
"WSAStartup", | |
"NtTerminateThread", | |
"DbgUiWaitStateChange", | |
"NtTerminateProcess", | |
"send", | |
"shutdown", | |
"SendNotifyMessageW", | |
"COleScript_ParseScriptText", | |
"HttpSendRequestExA", | |
"select", | |
"NtQueryFullAttributesFile", | |
"CreateRemoteThread", | |
"GetSystemMetrics", | |
"NtQueueApcThread", | |
"WSASocketA", | |
"CreateServiceA", | |
"WinHttpSetOption", | |
"InternetCloseHandle", | |
"DeleteFileA", | |
"NtLoadKey2", | |
"CryptExportKey", | |
"CryptImportPublicKeyInfo", | |
"NtAllocateVirtualMemory", | |
"ReadProcessMemory", | |
"CreateDirectoryW", | |
"DeleteFileW", | |
"VirtualProtectEx", | |
"CreateServiceW", | |
"listen", | |
"NtCreateThread", | |
"GetComputerNameW", | |
"NtResumeThread", | |
"CryptAcquireContextA", | |
"setsockopt", | |
"InternetReadFile", | |
"CoCreateInstance", | |
"RegEnumKeyExW", | |
"FindNextFileW", | |
"ObtainUserAgentString", | |
"CryptAcquireContextW", | |
"DnsQuery_W", | |
"NtCreateNamedPipeFile", | |
"GetComputerNameA", | |
"NtReplaceKey", | |
"RegEnumKeyExA", | |
"closesocket", | |
"NtGetContextThread", | |
"RtlCreateUserThread", | |
"RegEnumValueW", | |
"NtCreateSection", | |
"StartServiceW", | |
"WinHttpGetIEProxyConfigForCurrentUser", | |
"SetWindowsHookExA", | |
"NtOpenMutant", | |
"InternetOpenA", | |
"NtDeleteFile", | |
"NSPStartup", | |
"IsDebuggerPresent", | |
"RegEnumValueA", | |
"WinHttpReceiveResponse", | |
"InternetOpenW", | |
"CreateProcessInternalW", | |
"connect", | |
"RegDeleteKeyA", | |
"NtDuplicateObject", | |
"RegNotifyChangeKeyValue", | |
"NtQueryMultipleValueKey", | |
"HttpOpenRequestA", | |
"OpenSCManagerW", | |
"GetSystemInfo", | |
"NtCreateProcessEx", | |
"accept", | |
"FindWindowW", | |
"ControlService", | |
"NtClose", | |
"RegDeleteKeyW", | |
"CryptHashData", | |
"NtOpenProcess", | |
"FindWindowA", | |
"HttpOpenRequestW", | |
"NtFreeVirtualMemory", | |
"Process32NextW", | |
"GetLastInputInfo", | |
"InternetConnectW", | |
"UnhookWindowsHookEx", | |
"InternetWriteFile", | |
"GetDiskFreeSpaceW", | |
"NtSaveKeyEx", | |
"RegEnumKeyW", | |
"InternetConnectA", | |
"NtSaveKey", | |
"SetWindowLongA", | |
"CDocument_write", | |
"WSAConnect", | |
"RegDeleteValueA", | |
"CopyFileExW", | |
"NtMapViewOfSection", | |
"SetupDiGetDeviceRegistryPropertyW", | |
"Process32FirstW", | |
"DeleteService", | |
"LsaOpenPolicy", | |
"NtOpenFile", | |
"RegQueryInfoKeyW", | |
"NtUnmapViewOfSection", | |
"NtQueryDirectoryFile", | |
"NetGetJoinInformation", | |
"FindFirstFileExA", | |
"gethostbyname", | |
"DecodeImage", | |
"NtQueryAttributesFile", | |
"RegQueryInfoKeyA", | |
"NtCreateMutant", | |
"GetAddrInfoW", | |
"InternetOpenUrlA", | |
"WSAAccept", | |
"bind", | |
"NtOpenKey", | |
"InternetCrackUrlW", | |
"DnsQuery_UTF8", | |
"CoInternetSetFeatureEnabled", | |
"NtResumeProcess", | |
"OpenSCManagerA", | |
"GetFileVersionInfoW", | |
"CryptDecodeObjectEx", | |
"InternetOpenUrlW", | |
"OpenSCManagerA", | |
"WinHttpOpenRequest", | |
"SetupDiGetDeviceRegistryPropertyA" | |
], | |
"call_file": [ | |
"msxml3.dll", | |
"winsta.dll", | |
"icm32.dll", | |
"sqlite3.dll", | |
"msls31.dll", | |
"pstorec.dll", | |
"mpr.dll", | |
"iertutil.dll", | |
"crypt32.dll", | |
"clbcatq.dll", | |
"advapi32.dll", | |
"ole32.dll", | |
"ws2_32.dll", | |
"davclnt.dll", | |
"linkinfo.dll", | |
"mlang.dll", | |
"sqlite.dll", | |
"imgutil.dll", | |
"setupapi.dll", | |
"iphlpapi.dll", | |
"mswsock.dll", | |
"avicap32.dll", | |
"nss3.dll", | |
"msvcrt.dll", | |
"rpcrt4.dll", | |
"ieui.dll", | |
"ieproxy.dll", | |
"urlmon.dll", | |
"odbc32.dll", | |
"apphelp.dll", | |
"dnsapi.dll", | |
"msv1_0.dll", | |
"oleaut32.dll", | |
"netapi32.dll", | |
"ntdll.dll", | |
"xpshims.dll", | |
"shdocvw.dll", | |
"mfc42.dll", | |
"ntlanman.dll", | |
"hnetcfg.dll", | |
"acroiehelper.dll", | |
"comdlg32.dll", | |
"rtutils.dll", | |
"usp10.dll", | |
"uxtheme.dll", | |
"winspool.drv", | |
"rasman.dll", | |
"mfc42u.dll", | |
"comctl32.dll", | |
"winrnr.dll", | |
"msctfime.ime", | |
"samlib.dll", | |
"rasapi32.dll", | |
"user32.dll", | |
"gdi32.dll", | |
"ogl.dll", | |
"shlwapi.dll", | |
"msimg32.dll", | |
"ieframe.dll", | |
"mshtml.dll", | |
"mscms.dll", | |
"actxprxy.dll", | |
"msvbvm60.dll", | |
"winmm.dll", | |
"msctf.dll", | |
"dciman32.dll", | |
"wbemsvc.dll", | |
"xmllite.dll", | |
"sensapi.dll", | |
"psapi.dll", | |
"mso.dll", | |
"faultrep.dll", | |
"kernel32.dll", | |
"drprov.dll", | |
"msi.dll", | |
"shell32.dll", | |
"acgenral.dll", | |
"userenv.dll", | |
"gdiplus.dll", | |
"wintrust.dll", | |
"wshtcpip.dll", | |
"imm32.dll", | |
"ntmarta.dll", | |
"olepro32.dll", | |
"rasadhlp.dll", | |
"sqmapi.dll", | |
"scrrun.dll", | |
"winhttp.dll", | |
"fastprox.dll", | |
"version.dll", | |
"wininet.dll", | |
"shfolder.dll", | |
"cscdll.dll", | |
"sxs.dll", | |
"msvfw32.dll", | |
"secur32.dll" | |
] | |
}, | |
"registry_feature": [ | |
"regkey_written", | |
"regkey_opened", | |
"regkey_read", | |
"regkey_deleted" | |
], | |
"file_feature": { | |
"file": [ | |
"file_opened", | |
"file_written", | |
"file_exists", | |
"file_moved", | |
"file_read", | |
"file_deleted", | |
"file_failed", | |
"file_copied" | |
], | |
"directory": [ | |
"directory_enumerated", | |
"directory_created", | |
"directory_removed" | |
] | |
}, | |
"misc_feature": { | |
"misc": [ | |
"mutex", | |
"processes", | |
"processtree" | |
], | |
"com_sign": [ | |
"recon_beacon", | |
"recon_checkip", | |
"mimics_agent", | |
"antiav_detectreg", | |
"packer_upx", | |
"packer_vmprotect", | |
"packer_armadillo_regkey", | |
"removes_zoneid_ads", | |
"antiemu_wine_func", | |
"network_tor", | |
"browser_helper_object", | |
"disables_wfp", | |
"antivirus_virustotal", | |
"bootkit", | |
"disables_browser_warn", | |
"browser_addon", | |
"antiav_avast_libs", | |
"disables_system_restore", | |
"41antivm_generic_disk_setupapi", | |
"antivm_vmware_files", | |
"packer_entropy", | |
"browser_startpage", | |
"recon_fingerprint", | |
"banker_spyeye_mutexes", | |
"disables_uac", | |
"banker_zeus_mutex", | |
"bitcoin_opencl", | |
"modify_uac_prompt", | |
"antivm_vmware_devices", | |
"infostealer_browser", | |
"antisandbox_unhook", | |
"antiav_servicestop", | |
"spoofs_procname", | |
"infostealer_mail", | |
"persistence_ads", | |
"persistence_service", | |
"stealth_file", | |
"sniffer_winpcap", | |
"driver_load", | |
"spreading_autoruninf", | |
"recon_programs", | |
"antiav_detectfile", | |
"rat_xtreme_mutexes", | |
"packer_armadillo_mutex", | |
"deepfreeze_mutex", | |
"injection_createremotethread", | |
"modifies_certs", | |
"antivm_generic_services", | |
"antivm_generic_diskreg", | |
"process_interest", | |
"antivm_generic_bios", | |
"antisandbox_sleep", | |
"network_icmp", | |
"injection_explorer", | |
"darkcomet_regkeys", | |
"antisandbox_suspend", | |
"network_tor_service", | |
"copies_self", | |
"pdf_page", | |
"antianalysis_detectreg", | |
"stealth_hiddenreg", | |
"mimics_filetime", | |
"rat_pcclient", | |
"reads_self", | |
"modify_proxy", | |
"stealth_network", | |
"antisandbox_mouse_hook", | |
"antisandbox_sunbelt_libs", | |
"antisandbox_productid", | |
"network_http", | |
"stealth_hide_notifications", | |
"antisandbox_sboxie_libs", | |
"browser_security", | |
"stealth_window", | |
"ransomware_recyclebin", | |
"deletes_self", | |
"banker_cridex", | |
"banker_zeus_p2p", | |
"stealth_webhistory", | |
"rat_plugx_mutexes", | |
"antidbg_devices", | |
"antivm_generic_scsi", | |
"exec_crash", | |
"antivm_generic_disk", | |
"encrypted_ioc", | |
"network_bind", | |
"dropper", | |
"antivm_generic_cpu", | |
"creates_nullvalue", | |
"injection_rwx", | |
"antidbg_windows", | |
"disables_windowsupdate", | |
"rat_poisonivy_mutexes", | |
"polymorphic", | |
"modify_security_center_warnings", | |
"prevents_safeboot", | |
"infostealer_im", | |
"infostealer_bitcoin", | |
"injection_runpe", | |
"rat_spynet", | |
"virus", | |
"persistence_autorun", | |
"infostealer_keylog", | |
"multiple_useragents", | |
"bypass_firewall", | |
"origin_langid", | |
"process_needed", | |
"infostealer_ftp", | |
"bot_russkill", | |
"rat_fynloski_mutexes", | |
"antiemu_wine_reg", | |
"stealth_timeout" | |
] | |
} | |
} |