Skip to content

Instantly share code, notes, and snippets.

/features.json
Created Feb 16, 2017

Embed
What would you like to do?
Full Feature Set
{
"call_feature": {
"function" : [
"NtOpenSection",
"NtWaitForSingleObject",
"GetAsyncKeyState",
"NtDeleteValueKey",
"WSARecv",
"getaddrinfo",
"InternetGetConnectedState",
"NtCreateEvent",
"GetFileVersionInfoSizeW",
"GetAdaptersAddresses",
"NtMakeTemporaryObject",
"NtRenameKey",
"HttpSendRequestA",
"GetLocalTime",
"NetUserGetLocalGroups",
"FindFirstFileExW",
"CryptRetrieveObjectByUrlW",
"NtReadVirtualMemory",
"HttpAddRequestHeadersA",
"RegOpenKeyExW",
"NtDelayExecution",
"InternetCrackUrlA",
"SetErrorMode",
"ShellExecuteExW",
"RegOpenKeyExA",
"HttpSendRequestW",
"HttpAddRequestHeadersW",
"GetCursorPos",
"JsEval",
"GetUserNameW",
"WinHttpSetTimeouts",
"WaitForDebugEvent",
"FindWindowExA",
"GetUserNameA",
"NtCreateFile",
"TransmitFile",
"GetSystemTimeAsFileTime",
"WinHttpOpen",
"NtLoadDriver",
"GetDiskFreeSpaceA",
"NtCreateProcess",
"NtDeleteKey",
"WinHttpQueryHeaders",
"InternetSetOptionA",
"CryptGenKey",
"recvfrom",
"CryptEncrypt",
"sendto",
"NtSuspendThread",
"NtQueryInformationFile",
"RegCreateKeyExW",
"GetSystemTime",
"DeviceIoControl",
"WSASendTo",
"FindFirstChangeNotificationW",
"NtQueryKey",
"OpenServiceA",
"WriteProcessMemory",
"WSARecvFrom",
"NtSetContextThread",
"HttpEndRequestW",
"RegQueryValueExA",
"RemoveDirectoryW",
"EnumWindows",
"OpenServiceW",
"NtSetValueKey",
"LookupPrivilegeValueW",
"NtQueryValueKey",
"RegCreateKeyExA",
"RemoveDirectoryA",
"HttpEndRequestA",
"RegQueryValueExW",
"WSASocketW",
"NetUserGetInfo",
"SetWindowsHookExW",
"ExitWindowsEx",
"WSASend",
"WinHttpGetProxyForUrl",
"StartServiceA",
"NtDeviceIoControlFile",
"NtReadFile",
"CryptCreateHash",
"FindWindowExW",
"NtWriteFile",
"LdrGetDllHandle",
"WinHttpSendRequest",
"RtlDecompressBuffer",
"NtQuerySystemInformation",
"NtEnumerateValueKey",
"CreateDirectoryExW",
"CreateThread",
"NtLoadKey",
"SetupDiGetClassDevsA",
"SetUnhandledExceptionFilter",
"NtQuerySystemTime",
"GetVolumeNameForVolumeMountPointW",
"DnsQuery_A",
"CryptDecrypt",
"recv",
"SetupDiGetClassDevsW",
"NtProtectVirtualMemory",
"SHGetFolderPathW",
"RegDeleteValueW",
"GetDiskFreeSpaceExA",
"socket",
"RegSetValueExW",
"WriteConsoleA",
"LdrGetProcedureAddress",
"NtOpenThread",
"CopyFileA",
"CopyFileW",
"RegSetValueExA",
"GetDiskFreeSpaceExW",
"NtEnumerateKey",
"NtOpenDirectoryObject",
"LdrLoadDll",
"NtWriteVirtualMemory",
"URLDownloadToFileW",
"WriteConsoleW",
"CreateToolhelp32Snapshot",
"SendNotifyMessageA",
"RegCloseKey",
"NtOpenEvent",
"NtSetInformationFile",
"HttpSendRequestExW",
"NtCreateKey",
"WinHttpConnect",
"MoveFileWithProgressW",
"ioctlsocket",
"WSAStartup",
"NtTerminateThread",
"DbgUiWaitStateChange",
"NtTerminateProcess",
"send",
"shutdown",
"SendNotifyMessageW",
"COleScript_ParseScriptText",
"HttpSendRequestExA",
"select",
"NtQueryFullAttributesFile",
"CreateRemoteThread",
"GetSystemMetrics",
"NtQueueApcThread",
"WSASocketA",
"CreateServiceA",
"WinHttpSetOption",
"InternetCloseHandle",
"DeleteFileA",
"NtLoadKey2",
"CryptExportKey",
"CryptImportPublicKeyInfo",
"NtAllocateVirtualMemory",
"ReadProcessMemory",
"CreateDirectoryW",
"DeleteFileW",
"VirtualProtectEx",
"CreateServiceW",
"listen",
"NtCreateThread",
"GetComputerNameW",
"NtResumeThread",
"CryptAcquireContextA",
"setsockopt",
"InternetReadFile",
"CoCreateInstance",
"RegEnumKeyExW",
"FindNextFileW",
"ObtainUserAgentString",
"CryptAcquireContextW",
"DnsQuery_W",
"NtCreateNamedPipeFile",
"GetComputerNameA",
"NtReplaceKey",
"RegEnumKeyExA",
"closesocket",
"NtGetContextThread",
"RtlCreateUserThread",
"RegEnumValueW",
"NtCreateSection",
"StartServiceW",
"WinHttpGetIEProxyConfigForCurrentUser",
"SetWindowsHookExA",
"NtOpenMutant",
"InternetOpenA",
"NtDeleteFile",
"NSPStartup",
"IsDebuggerPresent",
"RegEnumValueA",
"WinHttpReceiveResponse",
"InternetOpenW",
"CreateProcessInternalW",
"connect",
"RegDeleteKeyA",
"NtDuplicateObject",
"RegNotifyChangeKeyValue",
"NtQueryMultipleValueKey",
"HttpOpenRequestA",
"OpenSCManagerW",
"GetSystemInfo",
"NtCreateProcessEx",
"accept",
"FindWindowW",
"ControlService",
"NtClose",
"RegDeleteKeyW",
"CryptHashData",
"NtOpenProcess",
"FindWindowA",
"HttpOpenRequestW",
"NtFreeVirtualMemory",
"Process32NextW",
"GetLastInputInfo",
"InternetConnectW",
"UnhookWindowsHookEx",
"InternetWriteFile",
"GetDiskFreeSpaceW",
"NtSaveKeyEx",
"RegEnumKeyW",
"InternetConnectA",
"NtSaveKey",
"SetWindowLongA",
"CDocument_write",
"WSAConnect",
"RegDeleteValueA",
"CopyFileExW",
"NtMapViewOfSection",
"SetupDiGetDeviceRegistryPropertyW",
"Process32FirstW",
"DeleteService",
"LsaOpenPolicy",
"NtOpenFile",
"RegQueryInfoKeyW",
"NtUnmapViewOfSection",
"NtQueryDirectoryFile",
"NetGetJoinInformation",
"FindFirstFileExA",
"gethostbyname",
"DecodeImage",
"NtQueryAttributesFile",
"RegQueryInfoKeyA",
"NtCreateMutant",
"GetAddrInfoW",
"InternetOpenUrlA",
"WSAAccept",
"bind",
"NtOpenKey",
"InternetCrackUrlW",
"DnsQuery_UTF8",
"CoInternetSetFeatureEnabled",
"NtResumeProcess",
"OpenSCManagerA",
"GetFileVersionInfoW",
"CryptDecodeObjectEx",
"InternetOpenUrlW",
"OpenSCManagerA",
"WinHttpOpenRequest",
"SetupDiGetDeviceRegistryPropertyA"
],
"call_file": [
"msxml3.dll",
"winsta.dll",
"icm32.dll",
"sqlite3.dll",
"msls31.dll",
"pstorec.dll",
"mpr.dll",
"iertutil.dll",
"crypt32.dll",
"clbcatq.dll",
"advapi32.dll",
"ole32.dll",
"ws2_32.dll",
"davclnt.dll",
"linkinfo.dll",
"mlang.dll",
"sqlite.dll",
"imgutil.dll",
"setupapi.dll",
"iphlpapi.dll",
"mswsock.dll",
"avicap32.dll",
"nss3.dll",
"msvcrt.dll",
"rpcrt4.dll",
"ieui.dll",
"ieproxy.dll",
"urlmon.dll",
"odbc32.dll",
"apphelp.dll",
"dnsapi.dll",
"msv1_0.dll",
"oleaut32.dll",
"netapi32.dll",
"ntdll.dll",
"xpshims.dll",
"shdocvw.dll",
"mfc42.dll",
"ntlanman.dll",
"hnetcfg.dll",
"acroiehelper.dll",
"comdlg32.dll",
"rtutils.dll",
"usp10.dll",
"uxtheme.dll",
"winspool.drv",
"rasman.dll",
"mfc42u.dll",
"comctl32.dll",
"winrnr.dll",
"msctfime.ime",
"samlib.dll",
"rasapi32.dll",
"user32.dll",
"gdi32.dll",
"ogl.dll",
"shlwapi.dll",
"msimg32.dll",
"ieframe.dll",
"mshtml.dll",
"mscms.dll",
"actxprxy.dll",
"msvbvm60.dll",
"winmm.dll",
"msctf.dll",
"dciman32.dll",
"wbemsvc.dll",
"xmllite.dll",
"sensapi.dll",
"psapi.dll",
"mso.dll",
"faultrep.dll",
"kernel32.dll",
"drprov.dll",
"msi.dll",
"shell32.dll",
"acgenral.dll",
"userenv.dll",
"gdiplus.dll",
"wintrust.dll",
"wshtcpip.dll",
"imm32.dll",
"ntmarta.dll",
"olepro32.dll",
"rasadhlp.dll",
"sqmapi.dll",
"scrrun.dll",
"winhttp.dll",
"fastprox.dll",
"version.dll",
"wininet.dll",
"shfolder.dll",
"cscdll.dll",
"sxs.dll",
"msvfw32.dll",
"secur32.dll"
]
},
"registry_feature": [
"regkey_written",
"regkey_opened",
"regkey_read",
"regkey_deleted"
],
"file_feature": {
"file": [
"file_opened",
"file_written",
"file_exists",
"file_moved",
"file_read",
"file_deleted",
"file_failed",
"file_copied"
],
"directory": [
"directory_enumerated",
"directory_created",
"directory_removed"
]
},
"misc_feature": {
"misc": [
"mutex",
"processes",
"processtree"
],
"com_sign": [
"recon_beacon",
"recon_checkip",
"mimics_agent",
"antiav_detectreg",
"packer_upx",
"packer_vmprotect",
"packer_armadillo_regkey",
"removes_zoneid_ads",
"antiemu_wine_func",
"network_tor",
"browser_helper_object",
"disables_wfp",
"antivirus_virustotal",
"bootkit",
"disables_browser_warn",
"browser_addon",
"antiav_avast_libs",
"disables_system_restore",
"41antivm_generic_disk_setupapi",
"antivm_vmware_files",
"packer_entropy",
"browser_startpage",
"recon_fingerprint",
"banker_spyeye_mutexes",
"disables_uac",
"banker_zeus_mutex",
"bitcoin_opencl",
"modify_uac_prompt",
"antivm_vmware_devices",
"infostealer_browser",
"antisandbox_unhook",
"antiav_servicestop",
"spoofs_procname",
"infostealer_mail",
"persistence_ads",
"persistence_service",
"stealth_file",
"sniffer_winpcap",
"driver_load",
"spreading_autoruninf",
"recon_programs",
"antiav_detectfile",
"rat_xtreme_mutexes",
"packer_armadillo_mutex",
"deepfreeze_mutex",
"injection_createremotethread",
"modifies_certs",
"antivm_generic_services",
"antivm_generic_diskreg",
"process_interest",
"antivm_generic_bios",
"antisandbox_sleep",
"network_icmp",
"injection_explorer",
"darkcomet_regkeys",
"antisandbox_suspend",
"network_tor_service",
"copies_self",
"pdf_page",
"antianalysis_detectreg",
"stealth_hiddenreg",
"mimics_filetime",
"rat_pcclient",
"reads_self",
"modify_proxy",
"stealth_network",
"antisandbox_mouse_hook",
"antisandbox_sunbelt_libs",
"antisandbox_productid",
"network_http",
"stealth_hide_notifications",
"antisandbox_sboxie_libs",
"browser_security",
"stealth_window",
"ransomware_recyclebin",
"deletes_self",
"banker_cridex",
"banker_zeus_p2p",
"stealth_webhistory",
"rat_plugx_mutexes",
"antidbg_devices",
"antivm_generic_scsi",
"exec_crash",
"antivm_generic_disk",
"encrypted_ioc",
"network_bind",
"dropper",
"antivm_generic_cpu",
"creates_nullvalue",
"injection_rwx",
"antidbg_windows",
"disables_windowsupdate",
"rat_poisonivy_mutexes",
"polymorphic",
"modify_security_center_warnings",
"prevents_safeboot",
"infostealer_im",
"infostealer_bitcoin",
"injection_runpe",
"rat_spynet",
"virus",
"persistence_autorun",
"infostealer_keylog",
"multiple_useragents",
"bypass_firewall",
"origin_langid",
"process_needed",
"infostealer_ftp",
"bot_russkill",
"rat_fynloski_mutexes",
"antiemu_wine_reg",
"stealth_timeout"
]
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.