List of Cuckoo Sandbox signature names and the categories each signature module declares for itself. Signatures are taken from https://github.com/cuckoosandbox/community/tree/master/modules/signatures as of January 4, 2019. Names and categories are reproduced verbatim from the modules, not normalized: category spelling and capitalization vary between modules (e.g. 'persistence' vs 'persistance', 'rat' vs 'RAT', 'anti-vm' vs 'AntiVM'), several entries carry an empty category (''), and a few names appear twice in the listing (antivm_xen_keys, fakeav_mutexes, trojan_jorik). Lower-case and de-duplicate before using these categories as keys in any triage, scoring or detection logic that consumes Cuckoo reports.
name categories
adds_user ['commands']
adds_user_admin ['commands']
alina_pos_file ['pos']
alina_pos_url ['pos']
allocates_execute_remote_process ['injection', 'shellcode']
allocates_rwx ['unpacking']
amsi_bypass ['script', 'malware', 'powershell', 'amsi']
android_antivirus_virustotal ['antivirus']
android_dangerous_permissions ['android']
android_dynamic_code ['android']
android_embedded_apk ['android']
android_google_play_diff ['android']
android_native_code ['android']
android_reflection_code ['android']
andromeda ['rat']
antianalysis_detectfile ['anti-analysis']
antiav_avast_libs ['anti-av']
antiav_bitdefender_libs ['anti-av']
antiav_detectfile ['anti-av']
antiav_detectreg ['anti-av']
antiav_servicestop ['anti-av']
antiav_srp ['anti-av']
antidbg_devices ['anti-debug']
antidbg_windows ['anti-debug']
antiemu_wine ['anti-emulation']
antisandbox_clipboard ['anti-sandbox']
antisandbox_cuckoo_files ['anti-sandbox']
antisandbox_file ['anti-sandbox']
antisandbox_foregroundwindows ['anti-sandbox']
antisandbox_fortinet_files ['anti-sandbox']
antisandbox_idletime ['anti-sandbox']
antisandbox_joe_anubis_files ['anti-sandbox']
antisandbox_mouse_hook ['hooking', 'anti-sandbox']
antisandbox_restart ['anti-sandbox']
antisandbox_sleep ['anti-sandbox']
antisandbox_sunbelt ['anti-vm']
antisandbox_sunbelt_files ['anti-sandbox']
antisandbox_threattrack_files ['anti-sandbox']
antisandbox_unhook ['anti-sandbox']
antivirus_irma ['antivirus']
antivirus_virustotal ['antivirus']
antivm_disk_size ['anti-vm']
antivm_firmware ['anti-vm']
antivm_generic_bios ['anti-vm']
antivm_generic_cpu ['anti-vm']
antivm_generic_disk ['anti-vm']
antivm_generic_ide ['anti-vm']
antivm_generic_scsi ['anti-vm']
antivm_generic_services ['anti-vm']
antivm_hyperv_keys ['anti-vm']
antivm_memory_available ['anti-vm']
antivm_network_adapters ['anti-vm']
antivm_parallels_keys ['anti-vm']
antivm_parallels_window ['anti-vm']
antivm_queries_computername ['AntiVM']
antivm_sandboxie ['anti-vm']
antivm_shared_device ['anti-vm']
antivm_vbox_acpi ['anti-vm']
antivm_vbox_devices ['anti-vm']
antivm_vbox_files ['anti-vm']
antivm_vbox_keys ['anti-vm']
antivm_vbox_provname ['anti-vm']
antivm_vbox_window ['anti-vm']
antivm_virtualpc ['anti-vm']
antivm_virtualpc_illegal_instruction ['anti-vm']
antivm_virtualpc_window ['anti-vm']
antivm_vmware_files ['anti-vm']
antivm_vmware_in_instruction ['anti-vm']
antivm_vmware_keys ['anti-vm']
antivm_vmware_window ['anti-vm']
antivm_vpc_keys ['anti-vm']
antivm_xen_keys ['anti-vm']
antivm_xen_keys ['anti-vm']
applcation_raises_exception ['exploit', 'crash']
application_aborted_broadcast_receiver ['android']
application_deleted_app ['android']
application_executed_shell_command ['android']
application_installed_app ['android']
application_queried_account_info ['android']
application_queried_installed_apps ['android']
application_queried_phone_number ['android']
application_queried_private_information ['android']
application_recording_audio ['android']
application_registered_receiver_runtime ['android']
application_sent_sms_messages ['android']
application_stopped_processes ['android']
application_uses_location ['android']
application_using_the_camera ['android']
applocker_bypass ['applocker', 'bypass']
apt_carbunak ['apt']
apt_cloudatlas ['apt']
apt_inception ['apt']
apt_sandworm_ip ['apt']
apt_sandworm_url ['apt']
apt_turlacarbon ['apt']
ardamax_mutexes ['keylogger']
athena_url ['athena']
av_detect_china_key ['avdetect']
backdoor_tdss ['backdoor']
backdoor_vanbot ['backdoor']
backdoor_whimoo ['backdoor']
bad_certificate ['']
bagle ['worm']
bandook ['rat']
banker_bancos ['trojan']
banker_cridex ['Banking', 'Trojan']
banker_prinimalka ['banker']
banker_spyeye_mutexes ['banker']
banker_spyeye_url ['banker']
banker_tinba_mutexes ['rat']
banker_zeus_mutex ['banker']
banker_zeus_p2p ['banker']
banker_zeus_url ['banker']
banking_mutexes ['banking']
banload ['trojan']
begseabugtd_mutexes ['trojandl']
betabot_url ['betabot']
bitcoin_opencl ['bitcoin']
blackenergy_mutexes ['rootkit']
blackpos_url ['blackpos']
bladabindi_mutexes ['rat']
bootkit ['rootkit']
bot_athenahttp ['bot', 'ddos']
bot_dirtjumper ['bot', 'ddos']
bot_drive ['bot', 'ddos']
bot_drive2 ['bot', 'ddos']
bot_kelihos ['http']
bot_kovter ['http']
bot_madness ['bot', 'ddos']
bot_russkill ['bot', 'ddos']
bot_vnloader_url ['bot']
bozok_key ['rat']
browser_security ['browser', 'clickfraud', 'banker']
browser_startpage ['browser', 'adware']
btc ['rat']
bypass_firewall ['bypass']
c24_url ['C24 Stealer']
carberp_mutex ['banker', 'trojan', 'rootkit']
chanitor_mutexes ['ransom']
checks_debugger ['anti-debug']
checks_kernel_debugger ['anti-debug']
clear_permission_event_logs ['commands', 'stealth']
clears_event_logs ['commands', 'stealth']
clickfraud_cookies ['clickfraud']
cloud_dropbox ['cloud']
cloud_google ['cloud']
cloud_mediafire ['cloud']
cloud_mega ['cloud']
cloud_rapidshare ['recon']
cloud_wetransfer ['cloud']
Cloudflare ['Cloudflare']
coinminer_mutexes ['trojan']
console_output ['command']
creates_doc ['generic']
creates_exe ['generic']
creates_hidden_file ['stealth']
creates_largekey ['stealth']
creates_null_reg_entry ['stealth']
creates_service ['service', 'persistence']
creates_shortcut ['persistance']
creates_user_folder_exe ['']
credential_dumping_lsass ['persistence', 'lateral_movement']
credential_dumping_lsass_access ['persistence', 'lateral_movement']
cryptlocker ['rat']
cryptomining_stratum_command ['mining', 'cryptocurrency']
cybergate ['rat']
darkcloud ['rat']
darwin_code_injection ['injection']
ddos_blackrev_mutexes ['ddos']
ddos_darkddos_mutexes ['ddos']
ddos_eclipse_mutexes ['ddos']
ddos_ipkiller_mutexes ['ddos']
ddos556 ['rat']
dead_host ['network']
decay ['rat']
decebal_mutexes ['pos']
deepfreeze_mutex ['anti-sandbox']
deletes_executed_files ['persistence', 'stealth']
dep_heap_bypass ['exploit']
dep_stack_bypass ['exploit']
detect_putty ['ssh']
dexter ['pos']
disables_app_launch ['stealth']
disables_browser_warn ['generic', 'banker', 'clickfraud']
disables_ie_http2 ['infostealer', 'banker']
disables_proxy ['infostealer']
disables_security ['anti-av']
disables_spdy_chrome ['infostealer', 'banker']
disables_spdy_firefox ['infostealer', 'banker']
disables_spdy_ie ['infostealer', 'banker']
disables_system_restore ['ransomware', 'persistance']
disables_wer ['stealth']
disables_windowsupdate ['generic']
dns_freehosting_domain ['freehosting']
dnsserver_dynamic ['dns']
document_close ['office']
document_open ['office']
dofoil ['virus']
downloader_cabby ['downloader']
dridex_behavior ['banker', 'trojan']
dropper ['dropper']
dumped_buffer ['']
dumped_buffer2 ['']
dyreza ['banking']
emotet_behavior ['infostealer', 'banker']
encryption_keys ['']
evilbot ['rat']
excel_datalink ['generic']
exe_appdata ['dropper', 'persistence']
exec_bits_admin ['script', 'dropper']
exec_crash ['execution', 'crash']
exec_waitfor ['script', 'bypass']
exp_3322_dom ['expdom']
expiro ['rat']
exploit_blackhole_url ['exploit']
exploit_heapspray ['exploit']
exploitkit_mutexes ['exploit']
fakeav_mutexes ['rat']
fakeav_mutexes ['rat']
farfli ['rat']
fesber_mutexes ['worm']
fraudtool_fakerean ['fraudtool']
gaelicum ['worm']
generates_crypto_key ['']
ghostbot ['rat']
has_authenticode ['']
has_office_eps ['office']
has_pdb ['']
has_wmi ['wmi']
hesperbot ['rat']
html_flash ['exploit']
icepoint ['rat']
im_btb ['im']
im_qq ['im']
infinity ['rat']
infostealer_bitcoin ['infostealer']
infostealer_browser ['infostealer']
infostealer_clipboard ['infostealer']
infostealer_derusbi_files ['infostealer']
infostealer_ftp ['infostealer']
infostealer_im ['infostealer']
infostealer_keylogger ['generic']
infostealer_mail ['infostealer']
injection_createremotethread ['injection']
injection_explorer ['injection']
injection_modifies_memory ['injection']
injection_network_trafic ['injection', 'cnc', 'stealth']
injection_ntsetcontextthread ['injection', 'shellcode']
injection_process_search ['generic']
injection_queueapcthread ['injection']
injection_resumethread ['injection']
injection_runpe ['injection']
injection_write_memory ['injection']
injection_write_memory_exe ['injection', 'unpacking']
installs_appinit ['persistence']
installs_bho ['browser']
ircbrute ['rat']
isrstealer_url ['isrstealer']
istealer_url ['istealer']
jackpos_file ['pos']
jackpos_url ['jackpos']
javascript_commandline ['javascript', 'persistence', 'downloader']
jeefo_mutexes ['virus']
jintor_mutexes ['keylogger']
js_anti_analysis ['anti-analysis']
js_eval ['unpacking']
js_iframe ['obfuscation']
js_suspicious ['unpacking']
karagany ['rat']
karakum ['rat']
katusha ['rat']
killdisk ['trojan']
koobface ['rat']
krepper_mutexes ['worm']
kuluoz_mutexes ['rat']
locates_browser ['']
locates_sniffer ['']
locker_cmd ['locker']
locker_regedit ['locker']
locker_taskmgr ['locker']
luder ['rat']
madness_url ['madness']
magania_mutexes ['rat']
malicious_document_urls ['downloader']
martian_command_process ['martian', 'exploit', 'dropper']
memdump_ip_urls ['unpacking', 'c2']
memdump_tor_urls ['unpacking', 'ransomware', 'c2']
memdump_urls ['unpacking']
memdump_yara ['generic']
metasploit_shellcode ['shellcode']
minerbot ['rat']
miningpool ['mining']
mirc_file ['tool']
modifies_boot_config ['persistance', 'ransomware']
modifies_certificates ['infostealer', 'banker']
modifies_desktop_wallpaper ['ransomware']
modifies_firefox_configuration ['infostealer', 'banker']
modifies_proxy_autoconfig ['infostealer']
modifies_proxy_override ['infostealer']
modifies_proxy_wpad ['infostealer']
modifies_security_center_warnings ['stealth']
modifies_zoneid ['']
modify_uac_prompt ['stealth']
moves_self ['stealth']
multiple_useragents ['network']
mutex_winscp ['filetransfer']
nakbot ['rat']
netshadow ['rat']
netwire ['rat']
network_bind ['bind']
network_cnc_http ['http', 'cnc']
network_dns_txt_lookup ['dns', 'cnc']
network_document_file ['exploit', 'downloader']
network_downloader_exe ['exploit', 'downloader']
network_http ['http']
network_http_post ['http', 'cnc']
network_icmp ['icmp']
network_irc ['irc']
network_smtp ['smtp', 'spam']
network_tor ['network', 'anonimity', 'tor']
network_tor_service ['network', 'anonimity', 'tor']
network_torgateway ['network']
network_wscript_downloader ['downloader']
networkdyndns_checkip ['dyndns']
nitol ['rat']
njrat ['rat']
nolookup_communication ['network']
nymaim_behavior ['trojan', 'ransomware']
obfus_mutexes ['trojan']
office_appinfo_version ['vba']
office_check_doc_name ['office']
office_check_project_name ['vba']
office_check_window ['vba']
office_count_dirs ['vba']
office_create_object ['vba']
office_dde ['dropper']
office_eps_strings ['office']
office_http_request ['vba']
office_indirect_call ['office']
office_packager ['dropper', 'office']
office_platform_detect ['office']
office_recent_files ['vba']
office_vuln_guid ['office']
office_vuln_modules ['office']
oldrea ['rat']
origin_langid ['origin']
p2p_cnc ['p2p', 'cnc']
packer_entropy ['packer']
packer_polymorphic ['packer']
packer_upx ['packer']
packer_vmprotect ['packer']
pdf_attachments ['static']
pdf_javascript ['static']
pdf_openaction ['static']
pdf_openaction_js ['static']
pe_features ['packer']
pe_unknown_resource_name ['packer']
peid_packer ['packer']
perflogger ['keylogger']
persistence_ads ['persistence', 'ads']
persistence_autorun ['persistence']
persistence_bootexecute ['persistence']
persistence_registry_exe ['persistence']
persistence_registry_javascript ['persistence']
persistence_registry_powershell ['persistence']
pidief ['trojan']
poebot ['rat']
poisonivy ['rat']
ponfoy ['rat']
ponybot_url ['ponybot']
pos_poscardstealer_url ['pos']
powerfun ['script', 'malware', 'injector']
powershell_bitstransfer ['script', 'dropper', 'downloader', 'malware', 'powershell']
powershell_c2dns ['script', 'bot', 'dns', 'malware']
powershell_ddi_rc4 ['script', 'dropper', 'downloader', 'malware', 'powershell']
powershell_dfsp ['script', 'dropper', 'downloader', 'malware']
powershell_di ['script', 'dropper', 'downloader', 'malware', 'powershell']
powershell_download ['downloader']
powershell_empire ['script', 'dropper', 'downloader', 'malware']
powershell_meterpreter ['script', 'meterpreter', 'powershell', 'malware']
powershell_reg_add ['script', 'powershell']
powershell_request ['downloader']
powershell_unicorn ['script', 'dropper', 'downloader', 'malware']
powerworm ['script', 'malware', 'powershell', 'worm']
privilege_luid_check ['privileges']
process_interest ['generic']
process_martian ['martian', 'exploit', 'dropper']
process_needed ['generic']
protection_rx ['unpacking']
puce_mutexes ['worm']
putterpanda_mutexes ['rat']
pwdump_file ['hacktool']
qakbot ['rat']
queries_programs ['recon']
ragebot ['rat']
raises_exception ['']
ramnit ['rat']
ransomware_appends_extensions ['ransomware']
ransomware_bcdedit ['ransomware']
ransomware_dropped_files ['ransomware']
ransomware_extensions ['ransomware']
ransomware_file_moves ['ransomware']
ransomware_files ['ransomware']
ransomware_mass_file_delete ['ransomware', 'wiper']
ransomware_message ['ransomware']
ransomware_message_ocr ['ransomware', 'ocr']
ransomware_recyclebin ['ransomware']
ransomware_shadowcopy ['ransomware']
ransomware_viruscoder ['Ransomware']
ransomware_wbadmin ['ransomware']
rat_adzok ['rat']
rat_beastdoor ['rat']
rat_beebus_mutexes ['rat']
rat_bifrose ['rat']
rat_blackhole ['rat']
rat_blackice ['rat']
rat_blackshades ['rat']
rat_bottilda ['rat']
rat_buzus_mutexes ['rat']
rat_comRAT ['APT', 'RAT']
rat_darkshell ['rat']
rat_delf ['trojan']
rat_dibik ['rat']
rat_fexel_ip ['rat']
rat_flystudio ['rat']
rat_fynloski ['rat']
rat_hikit ['rat']
rat_hupigon ['rat']
rat_jewdo ['rat']
rat_koutodoor ['rat']
rat_likseput ['rat']
rat_lolbot ['backdoor']
rat_madness ['rat']
rat_mybot ['rat']
rat_naid_ip ['rat']
rat_netobserve ['rat']
rat_pasta ['rat']
rat_pcclient ['rat']
rat_plugx ['rat']
rat_rbot ['rat']
rat_sdbot ['backdoor']
rat_shadowbot ['rat']
rat_siggenflystudio ['rat']
rat_spynet ['rat']
rat_swrort ['rat']
rat_teamviewer ['rat']
rat_travnet ['rat']
rat_trogbot ['rat']
rat_turkojan ['rat']
rat_urxbot ['rat']
rat_vertex ['rat']
rat_xtreme ['rat']
rat_zegost ['rat']
rdp_mutexes ['rat']
reads_user_agent ['stealth']
recon_beacon ['network', 'recon']
recon_checkip ['recon']
recon_fingerprint ['recon']
recon_programs ['recon']
recon_systeminfo ['recon']
removes_zoneid_ads ['generic']
renostrojan ['trojan']
rovnix ['banker', 'trojan']
rtf_unknown_character_set ['office']
rtf_unknown_version ['office']
runouce_mutexes ['worm']
sadbot ['rat']
self_delete_bat ['trojan']
senna ['rat']
sharing_rghost ['filesharing']
sharpstealer_url ['sharpstealer']
shellcode_writeprocessmemory ['exploit', 'shellcode']
shiza ['rat']
shutdown_system ['stealth']
shylock ['rat']
SipStun ['']
smtp_gmail ['smtp']
smtp_live ['smtp']
smtp_mail_ru ['smtp']
smtp_yahoo ['smtp']
sniffer_winpcap ['sniffer']
snort_alert ['network']
solarbot_url ['solarbot']
spreading_autoruninf ['spreading']
spyrecorder ['rat']
stack_pivot ['exploit', 'rop']
stack_pivot_shellcode_apis ['exploit', 'rop', 'shellcode']
stackpivot_shellcode_createprocess ['exploit', 'rop', 'shellcode']
staser ['rat']
stealth_childproc ['stealth']
stealth_hidden_extension ['stealth']
stealth_hidden_icons ['stealth']
stealth_hiddenfile ['stealth']
stealth_hide_notifications ['stealth']
stealth_system_procname ['stealth']
stealth_window ['stealth']
stops_service ['anti-av']
suricata_alert ['network']
suspicious_command_tools ['commands', 'lateral']
suspicious_powershell ['script', 'dropper', 'downloader', 'packer']
suspicious_process ['packer']
suspicious_tld ['tldwatch', 'network']
suspicious_write_exe ['exploit', 'downloader', 'virus']
sweetorange_mutexes ['exploit']
sysinternals_tools_usage ['commands', 'lateral']
TAPI_DP_mutex ['fraud']
targeted_flame ['targeted']
task_for_pid ['injection']
terminates_remote_process ['persistence', 'stealth']
tnega_mutexes ['trojan']
trojan_bublik ['rat']
trojan_ceatrg ['trojan']
trojan_dapato ['trojan']
trojan_emotet ['trojan']
trojan_jorik ['trojan']
trojan_jorik ['trojan']
trojan_kilim ['trojan']
trojan_lethic ['trojan']
trojan_lockscreen ['trojan']
trojan_mrblack ['trojan']
trojan_pincav ['trojan']
trojan_redosru ['trojan']
trojan_sysn ['trojan']
trojan_vbinject ['trojan']
trojan_yoddos ['trojan']
tufik_mutexes ['virus']
UFR_Stealer ['rat']
upatre ['rat']
upatretd_mutexes ['trojandl']
url_file ['generic']
urlshortcn_checkip ['urlshort']
urlspy ['rat']
uroburos_file ['rat']
uroburos_mutexes ['rat']
uses_windows_utilities ['commands', 'lateral']
vertex_url ['vertex']
vir_napolar ['vir']
vir_nebuler ['trojan']
vir_pykse ['worm']
virut ['rat']
vnc_mutexes ['rat']
volatility_devicetree_1 ['generic']
volatility_handles_1 ['generic']
volatility_ldrmodules_1 ['generic']
volatility_ldrmodules_2 ['generic']
volatility_malfind_2 ['generic']
volatility_modscan_1 ['generic']
volatility_svcscan_1 ['generic']
volatility_svcscan_2 ['generic']
volatility_svcscan_3 ['generic']
wakbot ['rat']
warbot_url ['warbot']
win32_process_create ['wmi']
winsxsbot ['work']
wmi_antivm ['wmi', 'anti-vm']
wmi_persistance ['persistance']
wmi_service ['persistance']
worm_allaple ['worm']
worm_kolabc ['worm']
worm_palevo ['worm']
worm_phorpiex ['worm']
worm_psyokym ['worm']
worm_renocide ['worm']
worm_rungbu ['worm']
worm_xworm ['worm']