Appendix B. dr_sandbox module for YARA rules

Verbose

autorun

Function

Description

Examples

modify_registry(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       To ensure autorun and distribution:

           Modifies the following registry keys:

Example: dr_sandbox.descr_tech.autorun.modify_registry(/C:\Users\user\AppData\Roaming\Sample.lnk/)
XpathQuery: ./SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem
XMLExample: <TSItem ID="10" Type="LI" Text="[\REGISTRY\USER\S-1-5-21-2922372159-162323534-3872807762-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'sidebar' = 'C:\Users\user\AppData\Roaming\Sample.lnk'">

modify_registry_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.autorun.modify_registry_num >= 2

create_or_modify_files(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       To ensure autorun and distribution:

           Creates or modifies the following files:

Example: dr_sandbox.descr_tech.autorun.create_or_modify_files(/YogaGuide.job/)

XpathQuery: ./SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="%WINDIR%\Tasks\YogaGuide.job">

create_or_modify_files_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.autorun.create_or_modify_files_num == 1

create_services(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       To ensure autorun and distribution:

           Creates the following services:

XpathQuery: ./SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem[@ID=\"30\"]/SubItems/TSItem

Example: dr_sandbox.descr_tech.autorun.create_services(/rsdsys/)

XMLExample: <TSItem ID="10" Type="LI" Text="[&lt;HKLM&gt;\System\CurrentControlSet\Services\rsdsys] 'Start' = '00000002'">

create_services_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.autorun.create_services_num > 0

change_system_executable_files(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       To ensure autorun and distribution:

           Changes the following executable system files:

XpathQuery: ./SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem[@ID=\"40\"]/SubItems/TSItem

Example: dr_sandbox.descr_tech.autorun.change_system_executable_files(/beep.sys/)

XMLExample: <TSItem ID="10" Type="LI" Text="&lt;DRIVERS&gt;\beep.sys">

change_system_executable_files_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.autorun.change_system_executable_files_num > 0

replace_system_executable_files(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       To ensure autorun and distribution:

           Substitutes the following executable system files:

XpathQuery: ./SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem[@ID=\"45\"]/SubItems/TSItem

Example: dr_sandbox.descr_tech.autorun.replace_system_executable_files(/ir50_qc.dll/)

XMLExample: <TSItem ID="10" Type="LI" Text="&lt;SYSTEM32&gt;\ir50_qc.dll with file %TEMP%\1.tmp">

replace_system_executable_files_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.autorun.replace_system_executable_files_num > 0

infect_executables(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       To ensure autorun and distribution:

           Infects the following executable files:

Example: dr_sandbox.descr_tech.autorun.infect_executables(/eirmayxm/)
XpathQuery: ./SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem[@ID=\"47\"]/SubItems/TSItem
XMLExample: <TSItem ID="10" Type="LI" Text="%BOOT_VOL%\eirmayxm\&lt;Malware name&gt;.exe">

infect_executables_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.autorun.infect_executables_num > 0

create_files_on_removable_media(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       To ensure autorun and distribution:

           Creates the following files on removable media:

Example: dr_sandbox.descr_tech.autorun.create_files_on_removable_media(/10thingscondoms.pdf/)
XpathQuery: ./SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem[@ID=\"50\"]/SubItems/TSItem
XMLExample: <TSItem ID="10" Type="LI" Text="&lt;Drive name&gt;:\10thingscondoms.pdf">

create_files_on_removable_media_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.autorun.create_files_on_removable_media_num > 0

modify_mbr

1 if it modifies the MBR, 0 otherwise.

descr_en:

   Technical Information

       To ensure autorun and distribution:

           Modifies master boot record (MBR).

Example: dr_sandbox.descr_tech.autorun.modify_mbr
XpathQuery: ./SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem[@ID=\"60\"]
XMLExample: <TSItem ID="60" Type="PT" Text="Modifies master boot record (MBR).">
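The XpathQuery and XMLExample columns show how each function is evaluated against the report tree: a (regexp) function counts the TSItem nodes at that path whose Text matches the pattern, the _num variant counts every node at the path, and the flag functions such as modify_mbr return 1 when the node exists. The Python below is an added illustration of that mapping and is not code from the dr_sandbox module or from YARA; the report fragment is constructed, the unanchored search semantics are an assumption, and rule_condition is a hypothetical rule.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment of a report's TSItem tree (not taken from a real
# analysis). The ID layout follows the XpathQuery column: ID 10 under the root
# is "To ensure autorun and distribution:", and its children 10, 20 and 60 are
# the registry, file and MBR items of the table above.
SAMPLE_REPORT = r"""<TSItem ID="0" Type="PT" Text="Technical Information">
  <SubItems>
    <TSItem ID="10" Type="PT" Text="To ensure autorun and distribution:">
      <SubItems>
        <TSItem ID="10" Type="PT" Text="Modifies the following registry keys:">
          <SubItems>
            <TSItem ID="10" Type="LI" Text="[&lt;HKCU&gt;\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'sidebar' = 'C:\Users\user\AppData\Roaming\Sample.lnk'"/>
            <TSItem ID="20" Type="LI" Text="[&lt;HKLM&gt;\Software\Microsoft\Windows\CurrentVersion\Run] 'upd' = '%TEMP%\upd.exe'"/>
          </SubItems>
        </TSItem>
        <TSItem ID="20" Type="PT" Text="Creates or modifies the following files:">
          <SubItems>
            <TSItem ID="10" Type="LI" Text="%WINDIR%\Tasks\YogaGuide.job"/>
          </SubItems>
        </TSItem>
        <TSItem ID="60" Type="PT" Text="Modifies master boot record (MBR)."/>
      </SubItems>
    </TSItem>
  </SubItems>
</TSItem>
"""

# XPath expressions copied from the XpathQuery column, escaped quotes included,
# keyed by the function name they belong to.
XPATH = {
    "autorun.modify_registry":
        r'./SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem',
    "autorun.create_or_modify_files":
        r'./SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem',
    "autorun.create_services":
        r'./SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem[@ID=\"30\"]/SubItems/TSItem',
    "autorun.modify_mbr":
        r'./SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem[@ID=\"60\"]',
}


def load_report(xml_text):
    """Parse the fragment; the outer TSItem is the node the XPaths are relative to."""
    return ET.fromstring(xml_text)


def _items(root, name):
    # Strip the JSON-style escaping before handing the query to ElementTree.
    xpath = XPATH[name].replace('\\"', '"')
    return root.findall(xpath)


def count_matches(root, name, pattern):
    """Mirrors <name>(regexp): items at the path whose Text matches the pattern.
    An unanchored search is assumed; anchor with ^ and $ (as the table's own
    /^iexplore.exe$/ example does) when a whole-value match is wanted."""
    rx = re.compile(pattern)
    return sum(1 for it in _items(root, name) if rx.search(it.get("Text", "")))


def count_events(root, name):
    """Mirrors <name>_num: every item at the path, whatever its Text says."""
    return len(_items(root, name))


def flag(root, name):
    """Mirrors the 0/1 functions such as modify_mbr: the PT item is present or not."""
    return 1 if _items(root, name) else 0


def rule_condition(root):
    r"""Hypothetical rule with the same logic a YARA condition would express:
         autorun.modify_registry(/Sample\.lnk/) > 0 and
         autorun.modify_registry_num >= 2 and
         autorun.modify_mbr == 1
    """
    return (count_matches(root, "autorun.modify_registry", r"Sample\.lnk") > 0
            and count_events(root, "autorun.modify_registry") >= 2
            and flag(root, "autorun.modify_mbr") == 1)


if __name__ == "__main__":
    report = load_report(SAMPLE_REPORT)
    # Paths are full of backslashes: build the pattern with re.escape instead of
    # pasting the raw path, or \U and \A are read as regex escapes.
    lnk = re.escape(r"C:\Users\user\AppData\Roaming\Sample.lnk")
    print("modify_registry(Sample.lnk):", count_matches(report, "autorun.modify_registry", lnk))
    print("modify_registry_num:", count_events(report, "autorun.modify_registry"))
    print("create_services_num:", count_events(report, "autorun.create_services"))
    print("modify_mbr:", flag(report, "autorun.modify_mbr"))
    print("rule_condition:", rule_condition(report))
```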

malicious

Function

Description

Examples

modify_registry_to_bypass_firewall(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       Malicious functions:

           To bypass firewall, removes or modifies the following registry keys:

Example: dr_sandbox.descr_tech.malicious.modify_registry_to_bypass_firewall(/Enabled:taskmg.exe/)

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="[&lt;HKLM&gt;\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\taskmg.exe' = '%TEMP%\taskmg.exe:*:Enabled:taskmg.exe'">

modify_registry_to_bypass_firewall_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.malicious.modify_registry_to_bypass_firewall_num > 0

create_and_exec(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       Malicious functions:

           Creates and executes the following:

Example: dr_sandbox.descr_tech.malicious.create_and_exec(/Total Commander/)

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"30\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="'%HOMEPATH%\...\total commander\backup.exe' %HOMEPATH%\...\Total Commander\">

create_and_exec_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.malicious.create_and_exec_num > 0

exec(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       Malicious functions:

           Executes the following:

Example: dr_sandbox.descr_tech.malicious.exec(/netsh.exe/)

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"35\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="'&lt;SYSTEM32&gt;\netsh.exe' firewall add allowedprogram &quot;%TEMP%\system.exe&quot; &quot;system.exe&quot; ENABLE">

exec_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.malicious.exec_num > 0

inject_to_system_proc(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       Malicious functions:

           Injects code into

               the following system processes:

Example: dr_sandbox.descr_tech.malicious.inject_to_system_proc(/RegAsm.exe/)

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"40\"]/SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="%WINDIR%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe">

inject_to_system_proc_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.malicious.inject_to_system_proc_num > 0

inject_to_user_proc(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       Malicious functions:

           Injects code into

               the following user processes:

Example: dr_sandbox.descr_tech.malicious.inject_to_user_proc(/^iexplore.exe$/)

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"40\"]/SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="iexplore.exe">

inject_to_user_proc_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.malicious.inject_to_user_proc_num > 0

hook_keyboard_all_processes(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       Malicious functions:

           Installs hooks to intercept notifications

               on keystrokes:

                    Handler for all processes: (?LibraryPath)

Example: dr_sandbox.descr_tech.malicious.hook_keyboard_all_processes(/OQKWHP\BJX.01/)

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"45\"]/SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem[@ID=\"10\"]

XMLExample: <TSItem ID="10" Type="LI" Text="Handler library for all processes: %ALLUSERSPROFILE%\Application Data\OQKWHP\BJX.01">

hook_keyboard_all_processes_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.malicious.hook_keyboard_all_processes_num > 0

hook_keyboard_concrete_processes(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       Malicious functions:

           Installs hooks to intercept notifications

               on keystrokes:

                    Handler for the '(?HookedProcess.Name)' process: (?LibraryPath)

Example: dr_sandbox.descr_tech.malicious.hook_keyboard_concrete_processes(/IMDCSC.exe/)

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"45\"]/SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem[@ID=\"20\"]

XMLExample: <TSItem ID="20" Type="LI" Text="Handler library for the 'IMDCSC.exe' processes: %HOMEPATH%\My Documents\DCSCMIN\IMDCSC.exe">

hook_keyboard_concrete_processes_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.malicious.hook_keyboard_concrete_processes_num > 0

try_to_terminate_system_processes(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       Malicious functions:

           Terminates or attempts to terminate

               the following system processes:

Example: dr_sandbox.descr_tech.malicious.try_to_terminate_system_processes(/ctfmon.exe/)

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"50\"]/SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="&lt;SYSTEM32&gt;\cmd.exe">

try_to_terminate_system_processes_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.malicious.try_to_terminate_system_processes_num > 0

try_to_terminate_user_processes(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       Malicious functions:

           Terminates or attempts to terminate

               the following user processes:

Example: dr_sandbox.descr_tech.malicious.try_to_terminate_user_processes(/^AVSYNMGR.EXE$/)

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"50\"]/SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="AVGCTRL.EXE">

try_to_terminate_user_processes_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.malicious.try_to_terminate_user_processes_num > 0

search_password_in_registry(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       Malicious functions:

           Searches for registry branches where third party applications store passwords:

Example: dr_sandbox.descr_tech.malicious.search_password_in_registry(/MessengerService/)

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"60\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="[&lt;HKCU&gt;\Software\Microsoft\MessengerService]">

search_password_in_registry_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.malicious.search_password_in_registry_num > 0

search_wnd_to_bypass_av(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       Malicious functions:

           Searches for windows to

               bypass different anti-viruses:

Example: dr_sandbox.descr_tech.malicious.search_wnd_to_bypass_av(/AVP.AlertDialog/)

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"70\"]/SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="ClassName: 'AVP.Product_Notification' WindowName: ''">

search_wnd_to_bypass_av_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.malicious.search_wnd_to_bypass_av_num > 0

search_wnd_to_bypass_wfp(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       Malicious functions:

           Searches for windows to

                bypass Windows File Protection (WFP):

Example: dr_sandbox.descr_tech.malicious.search_wnd_to_bypass_wfp(/Windows File Protection/)

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"70\"]/SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="ClassName: '' WindowName: 'Windows File Protection'">

search_wnd_to_bypass_wfp_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.malicious.search_wnd_to_bypass_wfp_num > 0

search_wnd_for_analyzing_soft(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       Malicious functions:

           Searches for windows to

               detect analytical utilities:

Example: dr_sandbox.descr_tech.malicious.search_wnd_for_analyzing_soft(/PEiD/)

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"70\"]/SubItems/TSItem[@ID=\"30\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="ClassName: '' WindowName: 'PEiD v0.95'">

search_wnd_for_analyzing_soft_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.malicious.search_wnd_for_analyzing_soft_num > 0

search_wnd_for_programs_and_games(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       Malicious functions:

           Searches for windows to

               detect programs and games:

Example: dr_sandbox.descr_tech.malicious.search_wnd_for_programs_and_games(/The Wireshark Network Analyzer/)

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"70\"]/SubItems/TSItem[@ID=\"40\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="ClassName: 'gdkWindowToplevel' WindowName: 'The Wireshark Network Analyzer'">

search_wnd_for_programs_and_games_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.malicious.search_wnd_for_programs_and_games_num > 0

set_ssdt_hooks(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       Malicious functions:

           Hooks the following functions in System Service Descriptor Table (SSDT):

Example: dr_sandbox.descr_tech.malicious.set_ssdt_hooks(/NtReadVirtualMemory/)

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"85\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="NtReadVirtualMemory, driver-handler: sys.sys">

set_ssdt_hooks_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.malicious.set_ssdt_hooks_num > 0

modify_explorer_settings(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       Malicious functions:

           Modifies settings of Windows Explorer:

Example: dr_sandbox.descr_tech.malicious.modify_explorer_settings(/'NoFolderOptions' = '00000001'/)

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"90\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="[&lt;HKLM&gt;\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000001'">

modify_explorer_settings_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.malicious.modify_explorer_settings_num > 0

modify_ie_settings(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       Malicious functions:

           Modifies settings of Windows Internet Explorer:

Example: dr_sandbox.descr_tech.malicious.modify_ie_settings(/Zones\1] '1206' = '00000000'/)

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"100\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="[&lt;HKCU&gt;\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '1206' = '00000000'">

modify_ie_settings_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.malicious.modify_ie_settings_num > 0

hide_processes(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       Malicious functions:

           Hides the following processes:

Example: dr_sandbox.descr_tech.malicious.hide_processes(/cscript.exe/)

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"105\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="&lt;SYSTEM32&gt;\cscript.exe">

hide_processes_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.malicious.hide_processes_num > 0

hide_from_view_hidden_files

1 if it hides hidden files from view, 0 otherwise.

descr_en:

   Technical Information

       Malicious functions:

           To complicate detection of its presence in the operating system,

                forces the system to hide from view:

                   hidden files

Example: dr_sandbox.descr_tech.malicious.hide_from_view_hidden_files

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem[@ID=\"10\"]

XMLExample: <TSItem ID="10" Type="LI" Text="hidden files">

hide_from_view_file_extensions

1 if it hides file extensions from view, 0 otherwise.

descr_en:

   Technical Information

       Malicious functions:

           To complicate detection of its presence in the operating system,

                forces the system to hide from view:

                   file extensions

Example: dr_sandbox.descr_tech.malicious.hide_from_view_file_extensions

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem[@ID=\"20\"]

XMLExample: <TSItem ID="20" Type="LI" Text="filename extensions">

block_cmd

1 if it blocks the Command Prompt, 0 otherwise.

descr_en:

   Technical Information

       Malicious functions:

           To complicate detection of its presence in the operating system,

               blocks execution of the following system utilities:

                   Command Prompt (CMD)

Example: dr_sandbox.descr_tech.malicious.block_cmd

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"10\"]

XMLExample: <TSItem ID="10" Type="LI" Text="Command line interpreter(CMD)">

block_taskmgr

1 if it blocks Task Manager, 0 otherwise.

descr_en:

   Technical Information

       Malicious functions:

           To complicate detection of its presence in the operating system,

               blocks execution of the following system utilities:

                   Windows Task Manager (Taskmgr)

Example: dr_sandbox.descr_tech.malicious.block_taskmgr

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"20\"]

XMLExample: <TSItem ID="20" Type="LI" Text="Task manager(Taskmgr)">

block_regedit

1 if it blocks Registry Editor, 0 otherwise.

descr_en:

   Technical Information

       Malicious functions:

           To complicate detection of its presence in the operating system,

               blocks execution of the following system utilities:

                   Registry Editor (RegEdit)

Example: dr_sandbox.descr_tech.malicious.block_regedit

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"30\"]

XMLExample: <TSItem ID="30" Type="LI" Text="Registry editor (RegEdit)">

block_sr

1 if it blocks System Restore, 0 otherwise.

descr_en:

   Technical Information

       Malicious functions:

           To complicate detection of its presence in the operating system,

               blocks the following features:

                   System Restore (SR)

Example: dr_sandbox.descr_tech.malicious.block_sr

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"30\"]/SubItems/TSItem[@ID=\"10\"]

XMLExample: <TSItem ID="10" Type="LI" Text="System Restore Component(SR)">

block_uac

1 if it blocks UAC, 0 otherwise.

descr_en:

   Technical Information

       Malicious functions:

           To complicate detection of its presence in the operating system,

               blocks the following features:

                   User Account Control (UAC)

Example: dr_sandbox.descr_tech.malicious.block_uac

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"30\"]/SubItems/TSItem[@ID=\"30\"]

XMLExample: <TSItem ID="30" Type="LI" Text="User Account Control(UAC)">

block_sfc

1 if it blocks SFC, 0 otherwise.

descr_en:

   Technical Information

       Malicious functions:

           To complicate detection of its presence in the operating system,

               blocks the following features:

                   System File Checker (SFC)

Example: dr_sandbox.descr_tech.malicious.block_sfc

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"30\"]/SubItems/TSItem[@ID=\"40\"]

XMLExample: <TSItem ID="40" Type="LI" Text="System File Checker(SFC)">

block_windows_security_center

1 if it blocks Windows Security Center, 0 otherwise.

descr_en:

   Technical Information

       Malicious functions:

           To complicate detection of its presence in the operating system,

               blocks the following features:

                   Windows Security Center

Example: dr_sandbox.descr_tech.malicious.block_windows_security_center

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"30\"]/SubItems/TSItem[@ID=\"50\"]

XMLExample: <TSItem ID="50" Type="LI" Text="Security Center">

inject_to_a_lot_of_user_processes

1 if it injects code into a large number of user processes, 0 otherwise.

descr_en:

   Technical Information

       Malicious functions:

           Injects code into

               a large number of user processes.

Example: dr_sandbox.descr_tech.malicious.inject_to_a_lot_of_user_processes

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"40\"]/SubItems/TSItem[@ID=\"30\"]

XMLExample: <TSItem ID="30" Type="PT" Text="a high number of user processes">

try_to_terminate_a_lot_of_user_processes

1 if it terminates or attempts to terminate a large number of user processes, 0 otherwise.

descr_en:

   Technical Information

       Malicious functions:

           Terminates or attempts to terminate

               a large number of user processes.

Example: dr_sandbox.descr_tech.malicious.try_to_terminate_a_lot_of_user_processes

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"50\"]/SubItems/TSItem[@ID=\"30\"]

XMLExample: <TSItem ID="30" Type="PT" Text="a high number of user processes">

remove_ssdt_hooks

1 if it restores hooked SSDT functions, 0 otherwise.

descr_en:

   Technical Information

       Malicious functions:

           Restores hooked functions in System Service Descriptor Table (SSDT).

Example: dr_sandbox.descr_tech.malicious.remove_ssdt_hooks

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"88\"]

XMLExample: <TSItem ID="88" Type="PT" Text="System Service Descriptor Table">

force_autorun_for_removable_media

1 if it forces autorun for removable media, 0 otherwise.

descr_en:

   Technical Information

       Malicious functions:

           Forces autoplay for removable media.

Example: dr_sandbox.descr_tech.malicious.force_autorun_for_removable_media

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"110\"]

XMLExample: <TSItem ID="110" Type="PT" Text="Forces autorun for removable media.">

set_homepage_for_ie

1 if it sets a new Internet Explorer home page, 0 otherwise.

descr_en:

   Technical Information

       Malicious functions:

           Sets a new unauthorized home page for Windows Internet Explorer.

Example: dr_sandbox.descr_tech.malicious.set_homepage_for_ie

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"120\"]

XMLExample: <TSItem ID="120" Type="PT" Text="Sets a new unauthorized home page for Internet Explorer.">

shut_down_windows

1 if it attempts to shut down Windows, 0 otherwise.

descr_en:

   Technical Information

       Malicious functions:

           Attempts to shut down the Windows operating system.

Example: dr_sandbox.descr_tech.malicious.shut_down_windows

XpathQuery: ./SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"130\"]

XMLExample: <TSItem ID="130" Type="PT" Text="Attempts to shut down the Windows operating system.">

filesystem

Function

Description

Examples

create_files(regexp)

Returns the number of matches.

descr_en:

   Technical Information

        Modifies file system:

           Creates the following files:

Example: dr_sandbox.descr_tech.filesystem.create_files(/nsArray.dll/)

XpathQuery: ./SubItems/TSItem[@ID=\"30\"]/SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="%TEMP%\nsb3.tmp\750934895">

create_files_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.filesystem.create_files_num >= 2

set_hidden(regexp)

Returns the number of matches.

descr_en:

   Technical Information

        Modifies file system:

            Sets the 'hidden' attribute on the following files:

Example: dr_sandbox.descr_tech.filesystem.set_hidden(/^%TEMP%\~2.cmd$/)

XpathQuery: ./SubItems/TSItem[@ID=\"30\"]/SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="%TEMP%\~2.cmd">

set_hidden_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.filesystem.set_hidden_num >= 2

remove_files(regexp)

Returns the number of matches.

descr_en:

   Technical Information

        Modifies file system:

            Deletes the following files:

Example: dr_sandbox.descr_tech.filesystem.remove_files(/^%TEMP%\7zS1.tmp\GOMPLAYERENSETUP.EXE$/)

XpathQuery: ./SubItems/TSItem[@ID=\"30\"]/SubItems/TSItem[@ID=\"30\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="%TEMP%\7zS1.tmp\GOMPLAYERENSETUP.EXE">

remove_files_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.filesystem.remove_files_num >= 2

move_system_files(regexp)

Returns the number of matches.

descr_en:

   Technical Information

        Modifies file system:

           Moves the following system files:

Example: dr_sandbox.descr_tech.filesystem.move_system_files(/ir50_qc.dll/)

XpathQuery: ./SubItems/TSItem[@ID=\"30\"]/SubItems/TSItem[@ID=\"35\"]/SubItems/TSItem

move_system_files_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.filesystem.move_system_files_num >= 2

move_files(regexp)

Returns the number of matches.

descr_en:

   Technical Information

        Modifies file system:

           Moves the following files:

Example: dr_sandbox.descr_tech.filesystem.move_files(/%WINDIR%.*CONFIG\security.config.cch/)

XpathQuery: ./SubItems/TSItem[@ID=\"30\"]/SubItems/TSItem[@ID=\"40\"]/SubItems/TSItem

move_files_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.filesystem.move_files_num >= 2

move_self(regexp)

Returns the number of matches.

descr_en:

   Technical Information

        Modifies file system:

           Moves itself:

Example: dr_sandbox.descr_tech.filesystem.move_self(/CreativeAudio/)

XpathQuery: ./SubItems/TSItem[@ID=\"30\"]/SubItems/TSItem[@ID=\"60\"]/SubItems/TSItem

move_self_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.filesystem.move_self_num >= 2

modify_hosts

1 if it modifies the HOSTS file, 0 otherwise.

descr_en:

   Technical Information

        Modifies file system:

           Modifies the HOSTS file.

Example: dr_sandbox.descr_tech.filesystem.modify_hosts

XpathQuery: ./SubItems/TSItem[@ID=\"30\"]/SubItems/TSItem[@ID=\"50\"]

XMLExample: <TSItem ID="50" Type="PT" Text="Modifies the HOSTS file">

replace_hosts

1 if it replaces the HOSTS file, 0 otherwise.

descr_en:

   Technical Information

        Modifies file system:

           Substitutes the HOSTS file.

Example: dr_sandbox.descr_tech.filesystem.replace_hosts

XpathQuery: ./SubItems/TSItem[@ID=\"30\"]/SubItems/TSItem[@ID=\"55\"]

XMLExample: <TSItem ID="55" Type="PT" Text="Replaces the HOSTS file.">

remove_self

1 if it deletes itself, 0 otherwise.

descr_en:

   Technical Information

        Modifies file system:

           Deletes itself.

Example: dr_sandbox.descr_tech.filesystem.remove_self

XpathQuery: ./SubItems/TSItem[@ID=\"30\"]/SubItems/TSItem[@ID=\"70\"]

XMLExample: <TSItem ID="70" Type="PT" Text="Deletes itself.">

network

Function

Description

Examples

connect_to(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       Network activity:

           Connects to:

Example: dr_sandbox.descr_tech.network.connect_to(/www.xfo.cn/)

XpathQuery: ./SubItems/TSItem[@ID=\"40\"]/SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="'www.xfo.cn':80">

connect_to_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.network.connect_to_num >= 2

tcp_http_get(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       Network activity:

           TCP:

               HTTP GET requests:

Example: dr_sandbox.descr_tech.network.tcp_http_get(/addurl.html$/)

XpathQuery: ./SubItems/TSItem[@ID=\"40\"]/SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="http://www.xfo.cn/addurl.html">

tcp_http_get_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.network.tcp_http_get_num >= 2

tcp_http_post(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       Network activity:

           TCP:

               HTTP POST requests:

XpathQuery: ./SubItems/TSItem[@ID=\"40\"]/SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem[@ID=\"20\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="http://findville.xyz/get/">

tcp_http_post_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.network.tcp_http_post_num >= 2

udp(regexp)

Returns the number of matches.

descr_en:

   Technical Information

       Network activity:

           UDP:

Example: dr_sandbox.descr_tech.network.udp(/disk57/)

XpathQuery: ./SubItems/TSItem[@ID=\"40\"]/SubItems/TSItem[@ID=\"30\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="DNS ASK disk57.com">

XMLExample: <TSItem ID="20" Type="LI" Text="'localhost':1037">

udp_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.network.udp_num >= 2

miscellaneous

Function

Description

Examples

search_wnd(regexp)

Returns the number of matches.

descr_en:

   Miscellaneous:

       Searches for the following windows:

Example: dr_sandbox.descr_tech.miscellaneous.search_wnd(/MS_WebcheckMonitor/)

XpathQuery: ./SubItems/TSItem[@ID=\"50\"]/SubItems/TSItem[@ID=\"10\"]/SubItems/TSItem

XMLExample: <TSItem ID="10" Type="LI" Text="ClassName: 'MS_WebcheckMonitor' WindowName: ''">

search_wnd_num

Returns the number of such events.

Example: dr_sandbox.descr_tech.miscellaneous.search_wnd_num == 3

add_root_certificate

1 if it adds a root certificate, 0 otherwise.

descr_en:

   Miscellaneous:

       Adds a root certificate

Example: dr_sandbox.descr_tech.miscellaneous.add_root_certificate

XpathQuery: ./SubItems/TSItem[@ID=\"50\"]/SubItems/TSItem[@ID=\"30\"]

XMLExample: <TSItem ID="30" Type="PT" Text="Adds a root certificate">

detects

Function

Examples

all_detects_here(regexp)

dr_sandbox.detects.all_detects_here(/Virlock/)

detects_of_src(regexp)

dr_sandbox.detects.detects_of_src(/Virlock/)

detects_of_drops(regexp)

dr_sandbox.detects.detects_of_drops(/Virlock/)

detects_of_memdmps(regexp)

dr_sandbox.detects.detects_of_memdmps(/Virlock/)

detects_of_allocs(regexp)

dr_sandbox.detects.detects_of_allocs(/Virlock/)

detects_of_dumps(regexp)

dr_sandbox.detects.detects_of_dumps(/Virlock/)

detects_of_injects(regexp)

dr_sandbox.detects.detects_of_injects(/Virlock/)

detects_of_this_file(regex)

dr_sandbox.detects_of_this_file(/Virlock/) == 0

sb_filetype

Function

Description

Examples

sb_filetype

Integer with one of the following values:

SB_FILETYPE_SRC

SB_FILETYPE_DROP

SB_FILETYPE_MEMDMP

SB_FILETYPE_ALLOC

SB_FILETYPE_DUMP

SB_FILETYPE_INJECT

dr_sandbox.sb_filetype == dr_sandbox.SB_FILETYPE_SRC

andr

Function

Description

Examples

archive_file(regex)

Returns the number of matches.

dr_sandbox.andr.archive_files(/pattern/)

archive_file_num

Number of events.

dr_sandbox.andr.archive_files_num

certificate_sha1(regex)

Returns the number of matches.

dr_sandbox.andr.certificate_sha1(/pattern/)

certificate_sha1_num

Number of events.

dr_sandbox.andr.certificate_sha1_num

resources_digests(regex)

Returns the number of matches.

dr_sandbox.andr.resources_digests(/pattern/)

resources_digests_num

Number of events.

dr_sandbox.andr.resources_digests_num

sha1(regex)

Returns the number of matches.

dr_sandbox.andr.sha1(/pattern/)

sha1_num

Number of events.

dr_sandbox.andr.sha1_num

source_host(regex)

Returns the number of matches.

dr_sandbox.andr.source_host(/pattern/)

source_host_num

Number of events.

dr_sandbox.andr.source_host_num

dynamic

Function

Description

Examples

crypto_dumps(regex)

Returns amount of matches

dr_sandbox.andr.dynamic.crypto_dumps(/pattern/)

crypto_dumps_num

Amount of events

dr_sandbox.andr.dynamic.crypto_dumps_num

executed_commands(regex)

Returns amount of matches

dr_sandbox.andr.dynamic.executed_commands(/pattern/)

executed_commands_num

Amount of events

dr_sandbox.andr.dynamic.executed_commands_num

flags(regex)

Returns amount of matches

dr_sandbox.andr.dynamic.flags(/pattern/)

flags_num

Amount of events

dr_sandbox.andr.dynamic.flags_num

phone_calls(regex)

Returns amount of matches

dr_sandbox.andr.dynamic.phone_calls(/pattern/)

phone_calls_num

Amount of events

dr_sandbox.andr.dynamic.phone_calls_num

urls(regex)

Returns amount of matches

dr_sandbox.andr.dynamic.urls(/pattern/)

urls_num

Amount of events

dr_sandbox.andr.dynamic.urls_num

dynamic.created_files

Function

Description

Examples

path(regex)

Returns amount of matches

dr_sandbox.andr.dynamic.created_files.path(/pattern/)

path_num

Amount of events

dr_sandbox.andr.dynamic.created_files.path_num

sha1(regex)

Returns amount of matches

dr_sandbox.andr.dynamic.created_files.sha1(/pattern/)

sha1_num

Amount of events

dr_sandbox.andr.dynamic.created_files.sha1_num

dynamic.downloaders

Function

Description

Examples

detect(regex)

Returns amount of matches

dr_sandbox.andr.dynamic.downloaders.detect(/pattern/)

detect_num

Amount of events

dr_sandbox.andr.dynamic.downloaders.detect_num

sha1(regex)

Returns amount of matches

dr_sandbox.andr.dynamic.downloaders.sha1(/pattern/)

sha1_num

Amount of events

dr_sandbox.andr.dynamic.downloaders.sha1_num

dynamic.downloads

Function

Description

Examples

detect(regex)

Returns amount of matches

dr_sandbox.andr.dynamic.downloads.detect(/pattern/)

detect_num

Amount of events

dr_sandbox.andr.dynamic.downloads.detect_num

sha1(regex)

Returns amount of matches

dr_sandbox.andr.dynamic.downloads.sha1(/pattern/)

sha1_num

Amount of events

dr_sandbox.andr.dynamic.downloads.sha1_num

url(regex)

Returns amount of matches

dr_sandbox.andr.dynamic.downloads.url(/pattern/)

url_num

Amount of events

dr_sandbox.andr.dynamic.downloads.url_num

dynamic.droppers

Function

Description

Examples

detect(regex)

Returns amount of matches

dr_sandbox.andr.dynamic.droppers.detect(/pattern/)

detect_num

Amount of events

dr_sandbox.andr.dynamic.droppers.detect_num

sha1(regex)

Returns amount of matches

dr_sandbox.andr.dynamic.droppers.sha1(/pattern/)

sha1_num

Amount of events

dr_sandbox.andr.dynamic.droppers.sha1_num

dynamic.dumps

Function

Description

Examples

detect(regex)

Returns amount of matches

dr_sandbox.andr.dynamic.dumps.detect(/pattern/)

detect_num

Amount of events

dr_sandbox.andr.dynamic.dumps.detect_num

path(regex)

Returns amount of matches

dr_sandbox.andr.dynamic.dumps.path(/pattern/)

path_num

Amount of events

dr_sandbox.andr.dynamic.dumps.path_num

sha1(regex)

Returns amount of matches

dr_sandbox.andr.dynamic.dumps.sha1(/pattern/)

sha1_num

Amount of events

dr_sandbox.andr.dynamic.dumps.sha1_num

dynamic.sms

Function

Description

Examples

message(regex)

Returns amount of matches

dr_sandbox.andr.dynamic.sms.message(/pattern/)

message_num

Amount of events

dr_sandbox.andr.dynamic.sms.message_num

number(regex)

Returns amount of matches

dr_sandbox.andr.dynamic.sms.number(/pattern/)

number_num

Amount of events

dr_sandbox.andr.dynamic.sms.number_num

manifest

Function

Description

Examples

activities(regex)

Returns amount of matches

dr_sandbox.andr.manifest.activities(/pattern/)

activities_num

Amount of events

dr_sandbox.andr.manifest.activities_num

app_name(regex)

Returns amount of matches

dr_sandbox.andr.manifest.app_name(/pattern/)

app_name_num

Amount of events

dr_sandbox.andr.manifest.app_name_num

filters(regex)

Returns amount of matches

dr_sandbox.andr.manifest.filters(/pattern/)

filters_num

Amount of events

dr_sandbox.andr.manifest.filters_num

home_activity(regex)

Returns amount of matches

dr_sandbox.andr.manifest.home_activity(/pattern/)

home_activity_num

Amount of events

dr_sandbox.andr.manifest.home_activity_num

is_firmware(regex)

Returns amount of matches

dr_sandbox.andr.manifest.is_firmware(/pattern/)

is_firmware_num

Amount of events

dr_sandbox.andr.manifest.is_firmware_num

main_activity(regex)

Returns amount of matches

dr_sandbox.andr.manifest.main_activity(/pattern/)

main_activity_num

Amount of events

dr_sandbox.andr.manifest.main_activity_num

package(regex)

Returns amount of matches

dr_sandbox.andr.manifest.package(/pattern/)

package_num

Amount of events

dr_sandbox.andr.manifest.package_num

permissions(regex)

Returns amount of matches

dr_sandbox.andr.manifest.permissions(/pattern/)

permissions_num

Amount of events

dr_sandbox.andr.manifest.permissions_num

receivers(regex)

Returns amount of matches

dr_sandbox.andr.manifest.receivers(/pattern/)

receivers_num

Amount of events

dr_sandbox.andr.manifest.receivers_num

services(regex)

Returns amount of matches

dr_sandbox.andr.manifest.services(/pattern/)

services_num

Amount of events

dr_sandbox.andr.manifest.services_num

strings_resources(regex)

Returns amount of matches

dr_sandbox.andr.manifest.strings_resources(/pattern/)

strings_resources_num

Amount of events

dr_sandbox.andr.manifest.strings_resources_num

version_code(regex)

Returns amount of matches

dr_sandbox.andr.manifest.version_code(/pattern/)

version_code_num

Amount of events

dr_sandbox.andr.manifest.version_code_num

version_name(regex)

Returns amount of matches

dr_sandbox.andr.manifest.version_name(/pattern/)

version_name_num

Amount of events

dr_sandbox.andr.manifest.version_name_num

manifest.meta_data

Function

Description

Examples

name(regex)

Returns amount of matches

dr_sandbox.andr.manifest.meta_data.name(/pattern/)

name_num

Amount of events

dr_sandbox.andr.manifest.meta_data.name_num

resource(regex)

Returns amount of matches

dr_sandbox.andr.manifest.meta_data.resource(/pattern/)

resource_num

Amount of events

dr_sandbox.andr.manifest.meta_data.resource_num

value(regex)

Returns amount of matches

dr_sandbox.andr.manifest.meta_data.value(/pattern/)

value_num

Amount of events

dr_sandbox.andr.manifest.meta_data.value_num

Other

Function

Description

Examples

filename(regex)

The name of the file being scanned (in dr_yara this is the full path; in dr_yara_scanner it depends on the parameter you pass to scan)

Example: dr_sandbox.filename(/xtbl/)

autorun_num

An integer representing the number of autorun events

autorun_num = autorun.modify_registry_num + autorun.create_or_modify_files_num + autorun.create_services_num + autorun.change_system_executable_files_num + autorun.replace_system_executable_files_num + autorun.infect_executables_num + autorun.create_files_on_removable_media_num + autorun.modify_mbr

Example: dr_sandbox.descr_tech.autorun_num >= 3

malicious_num

An integer representing the number of malicious events

malicious_num = malicious.modify_registry_to_bypass_firewall_num + malicious.create_and_exec_num + malicious.exec_num + malicious.inject_to_system_proc_num + malicious.inject_to_user_proc_num + malicious.hook_keyboard_all_processes_num + malicious.hook_keyboard_concrete_processes_num + malicious.try_to_terminate_system_processes_num + malicious.try_to_terminate_user_processes_num + malicious.search_password_in_registry_num + malicious.search_wnd_to_bypass_av_num + malicious.search_wnd_to_bypass_wfp_num + malicious.search_wnd_for_analyzing_soft_num + malicious.search_wnd_for_programs_and_games_num + malicious.set_ssdt_hooks_num + malicious.modify_explorer_settings_num + malicious.modify_ie_settings_num + malicious.hide_processes_num + malicious.hide_from_view_hidden_files + malicious.hide_from_view_file_extensions + malicious.block_cmd + malicious.block_taskmgr + malicious.block_regedit + malicious.block_sr + malicious.block_uac + malicious.block_sfc + malicious.block_windows_security_center + malicious.inject_to_a_lot_of_user_processes + malicious.try_to_terminate_a_lot_of_user_processes + malicious.remove_ssdt_hooks + malicious.force_autorun_for_removable_media + malicious.set_homepage_for_ie + malicious.shut_down_windows

Example: dr_sandbox.descr_tech.malicious_num > 5

filesystem_num

An integer representing the number of filesystem events

filesystem_num = filesystem.create_files_num + filesystem.set_hidden_num + filesystem.remove_files_num + filesystem.move_system_files_num + filesystem.move_files_num + filesystem.move_self_num + filesystem.modify_hosts + filesystem.replace_hosts + filesystem.remove_self

Example: dr_sandbox.descr_tech.filesystem_num < 4

network_num

An integer representing the number of network events

network_num = network.connect_to_num + network.tcp_http_get_num + network.tcp_http_post_num + network.udp_num

Example: dr_sandbox.descr_tech.network_num == 3

miscellaneous_num

An integer representing the number of miscellaneous events

miscellaneous_num = miscellaneous.search_wnd_num + miscellaneous.add_root_certificate

Example: dr_sandbox.descr_tech.miscellaneous_num == 2

filesystem_access(regexp)

High-level function that matches the regex against all filesystem operations recorded for the sample

Example: dr_sandbox.filesystem_access(/AnnaKournikova\.jpg\.vbs/)

network_access(regexp)

High-level function that matches the regex against all network operations recorded for the sample

Example: dr_sandbox.network_access(/\.php\?id=[0-9]+&token=[0-9]+/)

check_byte(offset, byte_value)

Checks the byte at the given offset. Can be used instead of the 'strings' section, for example to avoid slowing down the scan.

Example: dr_sandbox.check_byte(0,0x4d)

check_word(offset, word_value)

Checks the 16-bit word at the given offset. Can be used instead of the 'strings' section, for example to avoid slowing down the scan.

Example: dr_sandbox.check_word(0,0x5a4d)

check_dword(offset, dword_value)

Checks the 32-bit dword at the given offset. Can be used instead of the 'strings' section, for example to avoid slowing down the scan.

Example: dr_sandbox.check_dword(0,0x00905A4D)

check_buffer(offset, buffer_asciihex_value)

Checks the buffer at the given offset. The buffer is given as an asciihex string, and its length must be even. Can be used instead of the 'strings' section, for example to avoid slowing down the scan.

Example: dr_sandbox.check_buffer(0,"4d5A")

filename_boost_regex(string_with_regex)

Searches the filename with a regex using boost::regex (flags: boost::regex::perl; matching is done with boost::regex_search). Can be used when you need regex features that YARA regexes lack, for example negative lookahead or backreferences.

Example: dr_sandbox.filename_boost_regex("(?<!abc)def")

Note: an invalid regex will slow down the scan. Moreover, boost::regex is slower than the YARA regex engine, so dr_sandbox.filename(//) is recommended wherever it is sufficient.
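As an added illustration (not a rule from the Dr.Web documentation or product), the following YARA rule combines the functions described in this appendix: the sb_filetype guard, a header check with check_word in place of a 'strings' section, the aggregated autorun_num counter, an autorun.modify_registry match, the high-level filesystem_access matcher and a detects_of_this_file exclusion. The import name "dr_sandbox", the rule name and all regex values are assumptions or constructed samples; the header value 0x5a4d is the one the page itself uses for check_word.

```yara
import "dr_sandbox"   // assumed import name for the module this appendix describes

rule Example_Autorun_Script_Dropper
{
    meta:
        description = "Added example: PE sample that persists via Run/RunOnce and touches a .vbs file"
        note        = "Illustrative rule, not part of the original documentation"

    condition:
        // Evaluate the original submitted sample only, not its drops or memory dumps
        dr_sandbox.sb_filetype == dr_sandbox.SB_FILETYPE_SRC and

        // 'MZ' header check without a strings section; 0x5a4d is the value the
        // page's own check_word example uses for the bytes 4d 5a at offset 0
        dr_sandbox.check_word(0, 0x5a4d) and

        // At least two persistence events of any kind (registry, files, services, ...)
        dr_sandbox.descr_tech.autorun_num >= 2 and

        // One of them must be a Run/RunOnce key (constructed pattern; backslash is escaped)
        dr_sandbox.descr_tech.autorun.modify_registry(/CurrentVersion\\Run/) >= 1 and

        // A VBS file appears anywhere in the recorded filesystem activity (constructed pattern)
        dr_sandbox.filesystem_access(/\.vbs/i) and

        // Skip samples already covered by an existing detection name (constructed name)
        dr_sandbox.detects_of_this_file(/Trojan\.Example/) == 0
}
```

The counters and match functions return integers, so a bare call such as filesystem_access(...) is true whenever it is non-zero, while the explicit >= comparisons make the intended thresholds visible when the rule is reviewed.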