Appendix B. Functions of the dr_sandbox Module

The descriptions of the functions for the Android sandbox (the 'andr' category)

Every field is exposed as a pair of functions: field(regex) considers only the entries that match the regular expression, and field_num returns the total number of entries. Each item below gives the function, what it returns and an example call.

archive_files(regex)
  Returns: the files included in the APK that match ARCHIVE_FILES_PATTERN = ['.dll', '.js', '.html', '.so']. Only the files that match the regular expression are counted.
  Example: dr_sandbox.andr.archive_files(/pattern/)

archive_files_num
  Returns: the number of files included in the APK that match ARCHIVE_FILES_PATTERN = ['.dll', '.js', '.html', '.so'].
  Example: dr_sandbox.andr.archive_files_num

certificate_sha1(regex)
  Returns: the SHA1 hash of the certificate the app is signed with. Only the hashes that match the regular expression are counted.
  Example: dr_sandbox.andr.certificate_sha1(/pattern/)

certificate_sha1_num
  Returns: the number of signing certificate SHA1 hashes.
  Example: dr_sandbox.andr.certificate_sha1_num

The dynamic subcategory

created_files.path(regex)
  Returns: the paths of files created during analysis. Only the paths that match the regular expression are counted.
  Example: dr_sandbox.andr.dynamic.created_files.path(/pattern/)

created_files.path_num
  Returns: the number of created files (by path).
  Example: dr_sandbox.andr.dynamic.created_files.path_num

created_files.sha1(regex)
  Returns: the SHA1 hashes of files created during analysis. Only the hashes that match the regular expression are counted.
  Example: dr_sandbox.andr.dynamic.created_files.sha1(/pattern/)

created_files.sha1_num
  Returns: the number of created files (by SHA1 hash).
  Example: dr_sandbox.andr.dynamic.created_files.sha1_num

crypto_dumps(regex)
  Returns: encrypted dumps. Only the dumps that match the regular expression are counted.
  Example: dr_sandbox.andr.dynamic.crypto_dumps(/pattern/)

crypto_dumps_num
  Returns: the number of encrypted dumps.
  Example: dr_sandbox.andr.dynamic.crypto_dumps_num

downloaders.detect(regex)
  Returns: the detection names (detects) of the samples that download the analyzed sample. Only the names that match the regular expression are counted.
  Example: dr_sandbox.andr.dynamic.downloaders.detect(/pattern/)

downloaders.detect_num
  Returns: the number of samples that download the analyzed sample (by detection name).
  Example: dr_sandbox.andr.dynamic.downloaders.detect_num

downloaders.sha1(regex)
  Returns: the SHA1 hashes of the samples that download the analyzed sample. Only the hashes that match the regular expression are counted.
  Example: dr_sandbox.andr.dynamic.downloaders.sha1(/pattern/)

downloaders.sha1_num
  Returns: the number of samples that download the analyzed sample (by SHA1 hash).
  Example: dr_sandbox.andr.dynamic.downloaders.sha1_num

downloads.detect(regex)
  Returns: the detection names of the payloads (apk/dex) downloaded by the analyzed sample. Only the names that match the regular expression are counted.
  Example: dr_sandbox.andr.dynamic.downloads.detect(/pattern/)

downloads.detect_num
  Returns: the number of downloaded payloads (by detection name).
  Example: dr_sandbox.andr.dynamic.downloads.detect_num

downloads.sha1(regex)
  Returns: the SHA1 hashes of the downloaded payloads (apk/dex). Only the hashes that match the regular expression are counted.
  Example: dr_sandbox.andr.dynamic.downloads.sha1(/pattern/)

downloads.sha1_num
  Returns: the number of downloaded payloads (by SHA1 hash).
  Example: dr_sandbox.andr.dynamic.downloads.sha1_num

downloads.url(regex)
  Returns: the URLs the payloads (apk/dex) were downloaded from. Only the URLs that match the regular expression are counted.
  Example: dr_sandbox.andr.dynamic.downloads.url(/pattern/)

downloads.url_num
  Returns: the number of payload download URLs.
  Example: dr_sandbox.andr.dynamic.downloads.url_num

droppers.detect(regex)
  Returns: the detection names of the samples that drop the analyzed sample. Only the names that match the regular expression are counted.
  Example: dr_sandbox.andr.dynamic.droppers.detect(/pattern/)

droppers.detect_num
  Returns: the number of samples that drop the analyzed sample (by detection name).
  Example: dr_sandbox.andr.dynamic.droppers.detect_num

droppers.sha1(regex)
  Returns: the SHA1 hashes of the samples that drop the analyzed sample. Only the hashes that match the regular expression are counted.
  Example: dr_sandbox.andr.dynamic.droppers.sha1(/pattern/)

droppers.sha1_num
  Returns: the number of samples that drop the analyzed sample (by SHA1 hash).
  Example: dr_sandbox.andr.dynamic.droppers.sha1_num

dumps.detect(regex)
  Returns: payload dumps: the detection name. Only the names that match the regular expression are counted.
  Example: dr_sandbox.andr.dynamic.dumps.detect(/pattern/)

dumps.detect_num
  Returns: the number of payload dumps (by detection name).
  Example: dr_sandbox.andr.dynamic.dumps.detect_num

dumps.path(regex)
  Returns: payload dumps: the path. Only the paths that match the regular expression are counted.
  Example: dr_sandbox.andr.dynamic.dumps.path(/pattern/)

dumps.path_num
  Returns: the number of payload dumps (by path).
  Example: dr_sandbox.andr.dynamic.dumps.path_num

dumps.sha1(regex)
  Returns: payload dumps: the SHA1 hash. Only the hashes that match the regular expression are counted.
  Example: dr_sandbox.andr.dynamic.dumps.sha1(/pattern/)

dumps.sha1_num
  Returns: the number of payload dumps (by SHA1 hash).
  Example: dr_sandbox.andr.dynamic.dumps.sha1_num

executed_commands(regex)
  Returns: the shell commands executed during analysis. Only the commands that match the regular expression are counted.
  Example: dr_sandbox.andr.dynamic.executed_commands(/pattern/)

executed_commands_num
  Returns: the number of executed shell commands.
  Example: dr_sandbox.andr.dynamic.executed_commands_num

flags(regex)
  Returns: behavior flags. Only the flags that match the regular expression are counted.
  Example: dr_sandbox.andr.dynamic.flags(/pattern/)

flags_num
  Returns: the number of behavior flags.
  Example: dr_sandbox.andr.dynamic.flags_num

phone_calls(regex)
  Returns: phone calls made during analysis. Only the calls that match the regular expression are counted.
  Example: dr_sandbox.andr.dynamic.phone_calls(/pattern/)

phone_calls_num
  Returns: the number of phone calls.
  Example: dr_sandbox.andr.dynamic.phone_calls_num

sms.message(regex)
  Returns: sent SMS: the message text. Only the messages that match the regular expression are counted.
  Example: dr_sandbox.andr.dynamic.sms.message(/pattern/)

sms.message_num
  Returns: the number of sent SMS messages.
  Example: dr_sandbox.andr.dynamic.sms.message_num

sms.number(regex)
  Returns: sent SMS: the recipient phone number. Only the numbers that match the regular expression are counted.
  Example: dr_sandbox.andr.dynamic.sms.number(/pattern/)

sms.number_num
  Returns: the number of sent SMS recipient numbers.
  Example: dr_sandbox.andr.dynamic.sms.number_num

urls(regex)
  Returns: the URLs found during analysis. Only the URLs that match the regular expression are counted.
  Example: dr_sandbox.andr.dynamic.urls(/pattern/)

urls_num
  Returns: the number of found URLs.
  Example: dr_sandbox.andr.dynamic.urls_num

The manifest subcategory

activities(regex)
  Returns: the app activities (screens) declared in the manifest. Only the activities that match the regular expression are counted.
  Example: dr_sandbox.andr.manifest.activities(/pattern/)

activities_num
  Returns: the number of app activities (screens).
  Example: dr_sandbox.andr.manifest.activities_num

app_name(regex)
  Returns: the app name shown on the device. Only names that match the regular expression are counted.
  Example: dr_sandbox.andr.manifest.app_name(/pattern/)

app_name_num
  Returns: the number of app name entries.
  Example: dr_sandbox.andr.manifest.app_name_num

filters(regex)
  Returns: the intent filter actions declared in the manifest. Only the actions that match the regular expression are counted.
  Example: dr_sandbox.andr.manifest.filters(/pattern/)

filters_num
  Returns: the number of intent filter actions.
  Example: dr_sandbox.andr.manifest.filters_num

home_activity(regex)
  Returns: the home activity (the app entry point). Only activities that match the regular expression are counted.
  Example: dr_sandbox.andr.manifest.home_activity(/pattern/)

home_activity_num
  Returns: the number of home activity entries.
  Example: dr_sandbox.andr.manifest.home_activity_num

is_firmware(regex)
  Returns: whether the app is part of the device firmware (a system app). Only values that match the regular expression are counted.
  Example: dr_sandbox.andr.manifest.is_firmware(/pattern/)

is_firmware_num
  Returns: the number of is_firmware entries.
  Example: dr_sandbox.andr.manifest.is_firmware_num

main_activity(regex)
  Returns: the main activity (the app entry point). Only activities that match the regular expression are counted.
  Example: dr_sandbox.andr.manifest.main_activity(/pattern/)

main_activity_num
  Returns: the number of main activity entries.
  Example: dr_sandbox.andr.manifest.main_activity_num

meta_data.name(regex)
  Returns: manifest meta-data: the name. Only the names that match the regular expression are counted.
  Example: dr_sandbox.andr.manifest.meta_data.name(/pattern/)

meta_data.name_num
  Returns: the number of meta-data names.
  Example: dr_sandbox.andr.manifest.meta_data.name_num

meta_data.resource(regex)
  Returns: manifest meta-data: the resource. Only the resources that match the regular expression are counted.
  Example: dr_sandbox.andr.manifest.meta_data.resource(/pattern/)

meta_data.resource_num
  Returns: the number of meta-data resources.
  Example: dr_sandbox.andr.manifest.meta_data.resource_num

meta_data.value(regex)
  Returns: manifest meta-data: the value. Only the values that match the regular expression are counted.
  Example: dr_sandbox.andr.manifest.meta_data.value(/pattern/)

meta_data.value_num
  Returns: the number of meta-data values.
  Example: dr_sandbox.andr.manifest.meta_data.value_num

package(regex)
  Returns: the app package name. Only names that match the regular expression are counted.
  Example: dr_sandbox.andr.manifest.package(/pattern/)

package_num
  Returns: the number of package name entries.
  Example: dr_sandbox.andr.manifest.package_num

permissions(regex)
  Returns: the permissions the app requests. Only the permissions that match the regular expression are counted.
  Example: dr_sandbox.andr.manifest.permissions(/pattern/)

permissions_num
  Returns: the number of requested permissions.
  Example: dr_sandbox.andr.manifest.permissions_num

receivers(regex)
  Returns: the broadcast receivers declared in the manifest. Only the receivers that match the regular expression are counted.
  Example: dr_sandbox.andr.manifest.receivers(/pattern/)

receivers_num
  Returns: the number of broadcast receivers.
  Example: dr_sandbox.andr.manifest.receivers_num

services(regex)
  Returns: the app services declared in the manifest. Only the services that match the regular expression are counted.
  Example: dr_sandbox.andr.manifest.services(/pattern/)

services_num
  Returns: the number of app services.
  Example: dr_sandbox.andr.manifest.services_num

strings_resources(regex)
  Returns: all string resources of the app. Only the strings that match the regular expression are counted.
  Example: dr_sandbox.andr.manifest.strings_resources(/pattern/)

strings_resources_num
  Returns: the number of string resources.
  Example: dr_sandbox.andr.manifest.strings_resources_num

version_code(regex)
  Returns: the version code. Only values that match the regular expression are counted.
  Example: dr_sandbox.andr.manifest.version_code(/pattern/)

version_code_num
  Returns: the number of version code entries.
  Example: dr_sandbox.andr.manifest.version_code_num

version_name(regex)
  Returns: the version name. Only values that match the regular expression are counted.
  Example: dr_sandbox.andr.manifest.version_name(/pattern/)

version_name_num
  Returns: the number of version name entries.
  Example: dr_sandbox.andr.manifest.version_name_num

The remaining top-level functions of the 'andr' category

resources_digests(regex)
  Returns: the SHA1-Digest values of the APK resource files. Only the digests that match the regular expression are counted.
  Example: dr_sandbox.andr.resources_digests(/pattern/)

resources_digests_num
  Returns: the number of resource file SHA1-Digest values.
  Example: dr_sandbox.andr.resources_digests_num

sha1(regex)
  Returns: the SHA1 of the sample. Only a hash that matches the regular expression is counted.
  Example: dr_sandbox.andr.sha1(/pattern/)

sha1_num
  Returns: the number of sample SHA1 entries.
  Example: dr_sandbox.andr.sha1_num

source_host(regex)
  Returns: the host the sample was obtained from (the sample source). Only hosts that match the regular expression are counted.
  Example: dr_sandbox.andr.source_host(/pattern/)

source_host_num
  Returns: the number of sample source entries.
  Example: dr_sandbox.andr.source_host_num

The descriptions of the functions for the Windows sandbox (the 'descr_tech' category)

Each item below gives the function, the event type it counts, what it returns and an example expression. Functions that take a regex count only the events whose object (file, service, registry entry, process, window and so on) matches the regular expression; the _num variants count all events of that type; parameterless functions return either a count or a 1/0 flag, as stated for each.

Enabling autorun and distribution (the 'autorun' category)

change_system_executable_files(regex)
  Event: changes executable system files.
  Returns: the number of such events. Only the files that match the regular expression are counted.
  Example: dr_sandbox.descr_tech.autorun.change_system_executable_files(/beep.sys/)

change_system_executable_files_num
  Event: changes executable system files.
  Returns: the number of such events.
  Example: dr_sandbox.descr_tech.autorun.change_system_executable_files_num > 0

create_files_on_removable_media(regex)
  Event: creates files on removable media.
  Returns: the number of such events. Only the files that match the regular expression are counted.
  Example: dr_sandbox.descr_tech.autorun.create_files_on_removable_media(/10thingscondoms.pdf/)

create_files_on_removable_media_num
  Event: creates files on removable media.
  Returns: the number of such events.
  Example: dr_sandbox.descr_tech.autorun.create_files_on_removable_media_num > 0

create_or_modify_files(regex)
  Event: creates or modifies files.
  Returns: the number of such events. Only the files that match the regular expression are counted.
  Example: dr_sandbox.descr_tech.autorun.create_or_modify_files(/YogaGuide.job/)

create_or_modify_files_num
  Event: creates or modifies files.
  Returns: the number of such events.
  Example: dr_sandbox.descr_tech.autorun.create_or_modify_files_num == 1

create_services(regex)
  Event: creates services.
  Returns: the number of such events. Only the services that match the regular expression are counted.
  Example: dr_sandbox.descr_tech.autorun.create_services(/rsdsys/)

create_services_num
  Event: creates services.
  Returns: the number of such events.
  Example: dr_sandbox.descr_tech.autorun.create_services_num > 0

infect_executables(regex)
  Event: infects executable files.
  Returns: the number of such events. Only the files that match the regular expression are counted.
  Example: dr_sandbox.descr_tech.autorun.infect_executables(/eirmayxm/)

infect_executables_num
  Event: infects executable files.
  Returns: the number of such events.
  Example: dr_sandbox.descr_tech.autorun.infect_executables_num > 0

modify_mbr
  Event: modifies the master boot record (MBR).
  Returns: 1 if the MBR is modified, 0 otherwise.
  Example: dr_sandbox.descr_tech.autorun.modify_mbr

modify_registry(regex)
  Event: modifies registry keys.
  Returns: the number of such events. Only the entries that match the regular expression are counted (in the example the expression matches the value written to an autorun key).
  Example: dr_sandbox.descr_tech.autorun.modify_registry(/C:\Users\user\AppData\Roaming\Sample.lnk/)

modify_registry_num
  Event: modifies registry keys.
  Returns: the number of such events.
  Example: dr_sandbox.descr_tech.autorun.modify_registry_num >= 2

replace_system_executable_files(regex)
  Event: replaces executable system files.
  Returns: the number of such events. Only the files that match the regular expression are counted.
  Example: dr_sandbox.descr_tech.autorun.replace_system_executable_files(/ir50_qc.dll/)

replace_system_executable_files_num
  Event: replaces executable system files.
  Returns: the number of such events.
  Example: dr_sandbox.descr_tech.autorun.replace_system_executable_files_num > 0

Modifying the file system (the 'filesystem' category)

change_user_data_extensions
  Event: changes the file extensions of user data files (typical of Trojan.Encoder ransomware).
  Returns: the number of such events.
  Example: dr_sandbox.descr_tech.filesystem.change_user_data_extensions

create_files(regex)
  Event: creates files.
  Returns: the number of such events. Only the files that match the regular expression are counted.
  Example: dr_sandbox.descr_tech.filesystem.create_files(/nsArray.dll/)

create_files_num
  Event: creates files.
  Returns: the number of such events.
  Example: dr_sandbox.descr_tech.filesystem.create_files_num >= 2

create_ransom_message_files
  Event: creates files that demand payment for decrypting the user's files (Trojan.Encoder).
  Returns: the number of such events.
  Example: dr_sandbox.descr_tech.filesystem.create_ransom_message_files

modify_hosts
  Event: modifies the HOSTS file.
  Returns: 1 if the HOSTS file is modified, 0 otherwise.
  Example: dr_sandbox.descr_tech.filesystem.modify_hosts

modify_user_data_files
  Event: modifies a large number of user data files (Trojan.Encoder).
  Returns: the number of such events.
  Example: dr_sandbox.descr_tech.filesystem.modify_user_data_files

move_files(regex)
  Event: moves files.
  Returns: the number of such events. Only the files that match the regular expression are counted.
  Example: dr_sandbox.descr_tech.filesystem.move_files(/%WINDIR%.*CONFIG\security.config.cch/)

move_files_num
  Event: moves files.
  Returns: the number of such events.
  Example: dr_sandbox.descr_tech.filesystem.move_files_num >= 2

move_self(regex)
  Event: moves its own file.
  Returns: the number of such events. Only the events that match the regular expression are counted.
  Example: dr_sandbox.descr_tech.filesystem.move_self(/CreativeAudio/)

move_self_num
  Event: moves its own file.
  Returns: the number of such events.
  Example: dr_sandbox.descr_tech.filesystem.move_self_num >= 2

move_system_files(regex)
  Event: moves system files.
  Returns: the number of such events. Only the files that match the regular expression are counted.
  Example: dr_sandbox.descr_tech.filesystem.move_system_files(/ir50_qc.dll/)

move_system_files_num
  Event: moves system files.
  Returns: the number of such events.
  Example: dr_sandbox.descr_tech.filesystem.move_system_files_num >= 2

remove_files(regex)
  Event: deletes files.
  Returns: the number of such events. Only the files that match the regular expression are counted.
  Example: dr_sandbox.descr_tech.filesystem.remove_files(/^%TEMP%\7zS1.tmp\GOMPLAYERENSETUP.EXE$/)

remove_files_num
  Event: deletes files.
  Returns: the number of such events.
  Example: dr_sandbox.descr_tech.filesystem.remove_files_num >= 2

remove_self
  Event: deletes its own file.
  Returns: the number of such events.
  Example: dr_sandbox.descr_tech.filesystem.remove_self

set_hidden(regex)
  Event: assigns the 'hidden' attribute to files.
  Returns: the number of such events. Only the files that match the regular expression are counted.
  Example: dr_sandbox.descr_tech.filesystem.set_hidden(/^%TEMP%\~2.cmd$/)

set_hidden_num
  Event: assigns the 'hidden' attribute to files.
  Returns: the number of such events.
  Example: dr_sandbox.descr_tech.filesystem.set_hidden_num >= 2

substitute_executables(regex)
  Event: substitutes executable files.
  Returns: the number of such events. Only the files that match the regular expression are counted.
  Example: dr_sandbox.descr_tech.filesystem.substitute_executables(/pattern/)

substitute_executables_num
  Event: substitutes executable files.
  Returns: the number of such events.
  Example: dr_sandbox.descr_tech.filesystem.substitute_executables_num >= 2

substitute_files(regex)
  Event: substitutes files.
  Returns: the number of such events. Only the files that match the regular expression are counted.
  Example: dr_sandbox.descr_tech.filesystem.substitute_files(/pattern/)

substitute_files_num
  Event: substitutes files.
  Returns: the number of such events.
  Example: dr_sandbox.descr_tech.filesystem.substitute_files_num >= 2

substitute_hosts
  Event: replaces the HOSTS file.
  Returns: the number of such events.
  Example: dr_sandbox.descr_tech.filesystem.substitute_hosts
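The page shows the dr_sandbox functions only as single expressions (for example create_services_num > 0) and does not show how the sandbox's own rule language combines them. The following is an added example, not part of the original appendix and not the sandbox's code: a small Python harness that reproduces the counting contract documented above (field(regex) counts matching entries, field_num counts all entries, parameterless functions such as modify_mbr return 1 or 0) over a constructed report, and then combines Android ('andr') and Windows ('autorun', 'filesystem') counters into detection rules. The report dictionaries, their entry formats, the rule names and the thresholds are assumptions made for this example.

```python
"""Evaluate detection rules over a sandbox report using the dr_sandbox
counting contract: field(regex) counts entries matching the regular
expression, field_num counts every entry, and a few parameterless
functions return 1 or 0.  Added example, not the sandbox's own code."""
import re

# Constructed sample reports (made up for this example, not real sandbox
# output).  Keys are the dotted dr_sandbox field paths from the appendix;
# values are the raw entries the sandbox would have recorded for the field.
ANDROID_REPORT = {
    "andr.manifest.package": ["com.example.flashlight"],
    "andr.manifest.permissions": [
        "android.permission.INTERNET",
        "android.permission.SEND_SMS",
        "android.permission.RECEIVE_SMS",
    ],
    "andr.dynamic.sms.number": ["2420", "3353", "+79001234567"],
    "andr.dynamic.sms.message": ["ACTIVATE", "ACTIVATE", "ok"],
    "andr.dynamic.urls": ["http://c2.example.test/gate.php"],
}

WINDOWS_REPORT = {
    "descr_tech.autorun.create_services": ["rsdsys"],
    "descr_tech.autorun.modify_registry": [
        r"[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] 'rsd' = "
        r"'C:\Users\user\AppData\Roaming\Sample.lnk'",
    ],
    "descr_tech.filesystem.change_user_data_extensions": [
        r"%USERPROFILE%\Documents\report.docx -> report.docx.locked",
        r"%USERPROFILE%\Pictures\cat.jpg -> cat.jpg.locked",
    ],
    "descr_tech.filesystem.create_ransom_message_files": [
        r"%USERPROFILE%\Desktop\HOW_TO_DECRYPT.txt",
    ],
    "descr_tech.filesystem.remove_self": [r"%TEMP%\sample.exe"],
}


def count(report, path, pattern=None):
    """field(regex) when a pattern is given, field_num otherwise."""
    entries = report.get(path, [])
    if pattern is None:
        return len(entries)
    rx = re.compile(pattern)
    return sum(1 for entry in entries if rx.search(entry))


def flag(report, path):
    """Parameterless 1/0 functions such as modify_mbr or modify_hosts."""
    return 1 if report.get(path) else 0


# Each rule is a predicate over a report, combining counters the way the
# appendix's example expressions do (counter > 0, counter >= 2, ...).
RULES = {
    # SEND_SMS permission plus messages to 4-5 digit short codes.
    "andr.premium_sms": lambda r: (
        count(r, "andr.manifest.permissions", r"\.SEND_SMS$") > 0
        and count(r, "andr.dynamic.sms.number", r"^\d{4,5}$") > 0
    ),
    # Mass extension change plus a ransom note: Trojan.Encoder behaviour.
    "win.encoder": lambda r: (
        count(r, "descr_tech.filesystem.change_user_data_extensions") >= 2
        and count(r, "descr_tech.filesystem.create_ransom_message_files") > 0
    ),
    # A new service plus an autorun Run key pointing into the user profile.
    "win.persistence": lambda r: (
        count(r, "descr_tech.autorun.create_services") > 0
        and count(r, "descr_tech.autorun.modify_registry",
                  r"\\CurrentVersion\\Run\].*AppData") > 0
    ),
    "win.mbr": lambda r: flag(r, "descr_tech.autorun.modify_mbr") == 1,
}


def evaluate(report):
    """Return the sorted names of the rules that fire on a report."""
    return sorted(name for name, rule in RULES.items() if rule(report))


if __name__ == "__main__":
    print(evaluate(ANDROID_REPORT))   # ['andr.premium_sms']
    print(evaluate(WINDOWS_REPORT))   # ['win.encoder', 'win.persistence']
```

Note that registry and file paths contain backslashes, so a pattern intended to match a literal path segment must escape them (r"\\Run\]" above); an unescaped \1 in a pattern is a backreference in most regex engines, not a literal backslash followed by a digit.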

Malicious functions (the 'malicious' category)

Function

Result

Event type

Examples

add_antivirus_exclusion(regex)

Returns the number of events of a specific type.

In order to make it harder to detect in the operating system, adds anti-virus exclusions using the registry keys. Only the keys that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.add_antivirus_exclusion(/pattern/)

add_antivirus_exclusion_num

Returns the number of events of a specific type.

In order to make it harder to detect in the operating system, adds anti-virus exclusions using the registry keys.

dr_sandbox.descr_tech.malicious.add_antivirus_exclusion_num

block_cmd

Returns 1 if the event occurred, 0 otherwise.

In order to make it harder to detect in the operating system, blocks the Command Prompt (CMD) system utility.

dr_sandbox.descr_tech.malicious.block_cmd

block_regedit

Returns 1 if the event occurred, 0 otherwise.

In order to make it harder to detect in the operating system, blocks the Registry Editor (RegEdit) system utility.

dr_sandbox.descr_tech.malicious.block_regedit

block_system_file_checker

Returns 1 if the event occurred, 0 otherwise.

In order to make it harder to detect in the operating system, blocks System File Checker (SFC).

dr_sandbox.descr_tech.malicious.block_system_file_checker

block_system_restore

Returns 1 if the event occurred, 0 otherwise.

In order to make it harder to detect in the operating system, blocks System Restore (SR).

dr_sandbox.descr_tech.malicious.block_system_restore

block_taskmgr

Returns 1 if the event occurred, 0 otherwise.

In order to make it harder to detect in the operating system, blocks the Windows Task Manager (Taskmgr) system utility.

dr_sandbox.descr_tech.malicious.block_taskmgr

block_user_account_control

Returns 1 if the event occurred, 0 otherwise.

In order to make it harder to detect in the operating system, blocks User Account Control (UAC).

dr_sandbox.descr_tech.malicious.block_user_account_control

block_windows_action_center

Returns 1 if the event occurred, 0 otherwise.

In order to make it harder to detect in the operating system, blocks Windows Action Center.

dr_sandbox.descr_tech.malicious.block_windows_action_center

block_windows_defender

Returns 1 if the event occurred, 0 otherwise.

In order to make it harder to detect in the operating system, blocks the Windows Defender system utility.

dr_sandbox.descr_tech.malicious.block_windows_defender

block_windows_file_protection

Returns 1 if the event occurred, 0 otherwise.

In order to make it harder to detect in the operating system, blocks Windows File Protection (WFP).

dr_sandbox.descr_tech.malicious.block_windows_file_protection

block_windows_firewall

Returns 1 if the event occurred, 0 otherwise.

In order to make it harder to detect in the operating system, blocks the Windows Firewall system utility.

dr_sandbox.descr_tech.malicious.block_windows_firewall

block_windows_security_center

Returns 1 if the event occurred, 0 otherwise.

 

In order to make it harder to detect in the operating system, blocks Windows Security Center.

dr_sandbox.descr_tech.malicious.block_windows_security_center

block_windows_updates

Returns 1 if the event occurred, 0 otherwise.

In order to make it harder to detect in the operating system, blocks the Windows Update system utility.

dr_sandbox.descr_tech.malicious.block_windows_updates

bruteforce_os_accounts

Returns 1 if the event occurred, 0 otherwise.

Brute forces passwords of OS accounts.

dr_sandbox.descr_tech.malicious.bruteforce_os_accounts

create_and_exec(regex)

Returns the number of events of a specific type.

Creates and executes. Only the objects that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.create_and_exec(/Total Commander/)

create_and_exec_num

Returns the number of events of a specific type.

Creates and executes.

dr_sandbox.descr_tech.malicious.create_and_exec_num > 0

create_onion_service

Returns the number of events of a specific type.

Creates an onion service.

dr_sandbox.descr_tech.malicious.create_onion_service

delete_volume_shadow_copies

Returns the number of events of a specific type.

In order to make it harder to detect in the operating system, deletes volume shadow copies.

dr_sandbox.descr_tech.malicious.delete_volume_shadow_copies

detect_virtual_machine(regex)

Returns the number of events of a specific type.

Searches for windows to detect virtual machines. Only the objects that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.detect_virtual_machine(/pattern/)

detect_virtual_machine_num

Returns the number of events of a specific type.

Searches for windows to detect virtual machines.

dr_sandbox.descr_tech.malicious.detect_virtual_machine_num

disable_amsi

Returns the number of events of a specific type.

Disables AMSI.

dr_sandbox.descr_tech.malicious.disable_amsi

downloads_and_executes(regex)

Returns the number of events of a specific type.

Downloads and executes. Only the objects that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.downloads_and_executes(/pattern/)

downloads_and_executes_num

Returns the number of events of a specific type.

Downloads and executes.

dr_sandbox.descr_tech.malicious.downloads_and_executes_num

downloads_and_executes_files

Returns the number of events of a specific type.

Downloads and executes the files. Only the files that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.downloads_and_executes_files

download_file(regex)

Returns the number of events of a specific type.

Downloads files. Only the files that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.download_file(/pattern/)

download_file_num

Returns the number of events of a specific type.

Downloads files.

dr_sandbox.descr_tech.malicious.download_file_num

download_files

Returns 1 if the event occurred, 0 otherwise.

Downloads files.

dr_sandbox.descr_tech.malicious.download_files

exec(regex)

Returns the number of events of a specific type.

Executes. Only the objects that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.exec(/netsh.exe/)

exec_num

Returns the number of events of a specific type.

Executes.

dr_sandbox.descr_tech.malicious.exec_num > 0

exec_wmi(regex)

Returns the number of events of a specific type.

Executes WMI operations. Only the operations that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.exec_wmi(/pattern/)

exec_wmi_num

Returns the number of events of a specific type.

Executes WMI operations.

dr_sandbox.descr_tech.malicious.exec_wmi_num

exploit_create_and_exec(regex)

Returns the number of events of a specific type.

Creates and executes (an exploit). Only the objects that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.exploit_create_and_exec(/pattern/)

exploit_create_and_exec_num

Returns the number of events of a specific type.

Creates and executes files (an exploit).

dr_sandbox.descr_tech.malicious.exploit_create_and_exec_num

exploit_create_and_load_library(regex)

Returns the number of events of a specific type.

Creates and loads libraries (an exploit). Only the libraries that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.exploit_create_and_load_library(/pattern/)

exploit_create_and_load_library_num

Returns the number of events of a specific type.

Creates and loads libraries (an exploit).

dr_sandbox.descr_tech.malicious.exploit_create_and_load_library_num

exploit_exec(regex)

Returns the number of events of a specific type.

Executes (an exploit). Only the objects that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.exploit_exec(/pattern/)

exploit_exec_num

Returns the number of events of a specific type.

Executes (an exploit).

dr_sandbox.descr_tech.malicious.exploit_exec_num

force_autorun_for_removable_media

Returns 1 if the event occurred, 0 otherwise.

Forces autorun for removable media.

dr_sandbox.descr_tech.malicious.force_autorun_for_removable_media

hide_from_view_file_extensions

Returns 1 if the event occurred, 0 otherwise.

In order to make it harder to detect in the operating system, forces the system to hide file extensions from view.

dr_sandbox.descr_tech.malicious.hide_from_view_file_extensions

hide_from_view_hidden_files

Returns 1 if the event occurred, 0 otherwise.

In order to make it harder to detect in the operating system, forces the system to hide hidden files from view.

dr_sandbox.descr_tech.malicious.hide_from_view_hidden_files

hide_processes(regex)

Returns the number of events of a specific type.

Hides processes. Only the processes that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.hide_processes(/cscript.exe/)

hide_processes_num

Returns the number of events of a specific type.

Hides processes.

dr_sandbox.descr_tech.malicious.hide_processes_num > 0

hide_taskbar_notifications

Returns 1 if the event occurred, 0 otherwise.

In order to make it harder to detect in the operating system, disables taskbar notifications.

dr_sandbox.descr_tech.malicious.hide_taskbar_notifications

hook_in_browser(regex)

Returns the number of events of a specific type.

Hooks functions in browsers. Only the processes that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.hook_in_browser(/pattern/)

hook_in_browser_num

Returns the number of events of a specific type.

Hooks functions in browsers.

dr_sandbox.descr_tech.malicious.hook_in_browser_num

hook_keyboard_all_processes(regex)

Returns the number of events of a specific type.

Installs hooks to intercept notifications on keystrokes.

Handler for all processes (?LibraryPath).

dr_sandbox.descr_tech.malicious.hook_keyboard_all_processes(/OQKWHP\BJX.01/)

hook_keyboard_all_processes_num

Returns the number of events of a specific type.

Installs hooks to intercept notifications on keystrokes.

dr_sandbox.descr_tech.malicious.hook_keyboard_all_processes_num > 0

hook_keyboard_concrete_processes(regex)

Returns the number of events of a specific type.

Installs hooks to intercept notifications on keystrokes.

Handler for the '(?HookedProcess.Name)' process: (?LibraryPath).

dr_sandbox.descr_tech.malicious.hook_keyboard_concrete_processes(/IMDCSC.exe/)

hook_keyboard_concrete_processes_num

Returns the number of events of a specific type.

Installs hooks to intercept notifications on keystrokes.

dr_sandbox.descr_tech.malicious.hook_keyboard_concrete_processes_num > 0

hook_keyboard_on_window_messages(regex)

Returns the number of events of a specific type.

Installs hooks to intercept notifications on window messages. Only the objects that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.hook_keyboard_on_window_messages(/pattern/)

hook_keyboard_on_window_messages_num

Returns the number of events of a specific type.

Installs hooks to intercept notifications on window messages.

dr_sandbox.descr_tech.malicious.hook_keyboard_on_window_messages_num

inject_to_a_lot_of_user_processes

Returns 1 if the event occurred, 0 otherwise.

Injects code into numerous user processes.

dr_sandbox.descr_tech.malicious.inject_to_a_lot_of_user_processes

inject_to_system_proc(regex)

Returns the number of events of a specific type.

Injects code into system processes. Only the processes that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.inject_to_system_proc(/RegAsm.exe/)

inject_to_system_proc_num

Returns the number of events of a specific type.

Injects code into system processes.

dr_sandbox.descr_tech.malicious.inject_to_system_proc_num > 0

inject_to_user_proc(regex)

Returns the number of events of a specific type.

Injects code into user processes. Only the processes that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.inject_to_user_proc(/^iexplore.exe$/)

inject_to_user_proc_num

Returns the number of events of a specific type.

Injects code into user processes.

dr_sandbox.descr_tech.malicious.inject_to_user_proc_num > 0

modify_explorer_settings(regex)

Returns the number of events of a specific type.

Modifies settings of Windows Explorer. Only the settings that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.modify_explorer_settings(/’NoFolderOptions’ = ‘00000001’/)

modify_explorer_settings_num

Returns the number of events of a specific type.

Modifies settings of Windows Explorer.

dr_sandbox.descr_tech.malicious.modify_explorer_settings_num > 0

modify_ie_settings(regex)

Returns the number of events of a specific type.

Modifies settings of Windows Internet Explorer. Only the settings that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.modify_ie_settings(/Zones\1] ‘1206’ = ‘00000000’/)

modify_ie_settings_num

Returns the number of events of a specific type.

Modifies settings of Windows Internet Explorer.

dr_sandbox.descr_tech.malicious.modify_ie_settings_num > 0

modify_registry_to_bypass_firewall(regex)

Returns the number of events of a specific type.

To bypass firewall, removes or modifies registry keys. Only the keys that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.modify_registry_to_bypass_firewall(/Enabled:taskmg.exe/)

modify_registry_to_bypass_firewall_num

Returns the number of events of a specific type.

To bypass firewall, removes or modifies registry keys.

dr_sandbox.descr_tech.malicious.modify_registry_to_bypass_firewall_num > 0

modify_system_dns(regex)

Returns the number of events of a specific type.

In order to make it harder to detect in the operating system, modifies DNS servers. Only the servers that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.modify_system_dns(/pattern/)

modify_system_dns_num

Returns the number of events of a specific type.

In order to make it harder to detect in the operating system, modifies DNS servers.

dr_sandbox.descr_tech.malicious.modify_system_dns_num

modify_system_settings(regex)

Returns the number of events of a specific type.

In order to make it harder to detect in the operating system, modifies system settings. Only the settings that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.modify_system_settings(/pattern/)

modify_system_settings_num

Returns the number of events of a specific type.

In order to make it harder to detect in the operating system, modifies system settings.

dr_sandbox.descr_tech.malicious.modify_system_settings_num

read_third_party_passwords(regex)

Returns the number of events of a specific type.

Reads files that store third party app passwords. Only the objects that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.read_third_party_passwords(/pattern/)

read_third_party_passwords_num

Returns the number of events of a specific type.

Reads files that store third party app passwords.

dr_sandbox.descr_tech.malicious.read_third_party_passwords_num

register_bho(regex)

Returns the number of events of a specific type.

Registers BHO. Only the objects that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.register_bho(/pattern/)

register_com_server(regex)

Returns the number of events of a specific type.

Registers a COM server. Only the objects that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.register_com_server(/pattern/)

register_com_server_num

Returns the number of events of a specific type.

Registers a COM server.

dr_sandbox.descr_tech.malicious.register_com_server_num

register_filesystem_filter(regex)

Returns the number of events of a specific type.

Registers a file system filter. Only the objects that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.register_filesystem_filter(/pattern/)

restore_ssdt_hooks

Returns 1 if the event occurred, 0 otherwise.

Restores hooked functions in the System Service Descriptor Table (SSDT).

dr_sandbox.descr_tech.malicious.restore_ssdt_hooks

search_password_in_registry(regex)

Returns the number of events of a specific type.

Searches for registry branches where third party apps store their passwords. Only the objects that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.search_password_in_registry(/MessengerService/)

search_password_in_registry_num

Returns the number of events of a specific type.

Searches for registry branches where third-party apps store their passwords.

dr_sandbox.descr_tech.malicious.search_password_in_registry_num > 0

search_wnd_for_analyzing_soft(regex)

Returns the number of events of a specific type.

Searches for windows in order to detect analysis tools. Only the windows that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.search_wnd_for_analyzing_soft(/PEiD/)

search_wnd_for_analyzing_soft_num

Returns the number of events of a specific type.

Searches for windows in order to detect analysis tools.

dr_sandbox.descr_tech.malicious.search_wnd_for_analyzing_soft_num > 0

search_wnd_for_programs_and_games(regex)

Returns the number of events of a specific type.

Searches for windows to detect apps and games. Only the windows that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.search_wnd_for_programs_and_games(/The Wireshark Network Analyzer/)

search_wnd_for_programs_and_games_num

Returns the number of events of a specific type.

Searches for windows to detect apps and games.

dr_sandbox.descr_tech.malicious.search_wnd_for_programs_and_games_num > 0

search_wnd_to_bypass_av(regex)

Returns the number of events of a specific type.

Searches for windows in order to bypass anti-virus software. Only the windows that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.search_wnd_to_bypass_av(/AVP.AlertDialog/)

search_wnd_to_bypass_av_num

Returns the number of events of a specific type.

Searches for windows in order to bypass anti-virus software.

dr_sandbox.descr_tech.malicious.search_wnd_to_bypass_av_num > 0

search_wnd_to_bypass_wfp(regex)

Returns the number of events of a specific type.

Searches for windows in order to bypass Windows File Protection (WFP). Only the windows that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.search_wnd_to_bypass_wfp(/Windows File Protection/)

search_wnd_to_bypass_wfp_num

Returns the number of events of a specific type.

Searches for windows in order to bypass Windows File Protection (WFP).

dr_sandbox.descr_tech.malicious.search_wnd_to_bypass_wfp_num > 0

set_concrete_ssdt_hooks(regex)

Returns the number of events of a specific type.

Hooks functions in the System Service Descriptor Table (SSDT). Only the functions that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.set_concrete_ssdt_hooks(/pattern/)

set_concrete_ssdt_hooks_num

Returns the number of events of a specific type.

Hooks functions in the System Service Descriptor Table (SSDT).

dr_sandbox.descr_tech.malicious.set_concrete_ssdt_hooks_num

set_homepage_for_ie

Returns 1 if the event occurred, 0 otherwise.

Sets a new unauthorized home page for Windows Internet Explorer.

dr_sandbox.descr_tech.malicious.set_homepage_for_ie

set_ssdt_hooks

Returns the number of events of a specific type.

Hooks functions in the System Service Descriptor Table (SSDT).

dr_sandbox.descr_tech.malicious.set_ssdt_hooks

try_to_terminate_a_lot_of_user_processes

Returns 1 if the event occurred, 0 otherwise.

Terminates or attempts to terminate numerous user processes.

dr_sandbox.descr_tech.malicious.try_to_terminate_a_lot_of_user_processes

try_to_terminate_system_processes(regex)

Returns the number of events of a specific type.

Terminates or attempts to terminate system processes. Only the processes that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.try_to_terminate_system_processes(/ctfmon.exe/)

try_to_terminate_system_processes_num

Returns the number of events of a specific type.

Terminates or attempts to terminate system processes.

dr_sandbox.descr_tech.malicious.try_to_terminate_system_processes_num > 0

try_to_terminate_user_processes(regex)

Returns the number of events of a specific type.

Terminates or attempts to terminate user processes. Only the processes that match the regular expression are counted.

dr_sandbox.descr_tech.malicious.try_to_terminate_user_processes(/^AVSYNMGR.EXE$/)

try_to_terminate_user_processes_num

Returns the number of events of a specific type.

Terminates or attempts to terminate user processes.

dr_sandbox.descr_tech.malicious.try_to_terminate_user_processes_num > 0

Miscellaneous (the 'miscellaneous' category)

Function

Result

Event type

Examples

add_root_certificate

Returns 1 if the scanned object adds a root certificate, 0 otherwise.

Adds a root certificate.

dr_sandbox.descr_tech.miscellaneous.add_root_certificate

create_and_exec

Returns 1 if the event occurred, 0 otherwise.

Creates and executes a file (with a hidden window).

dr_sandbox.descr_tech.miscellaneous.create_and_exec

disable_certificate

Returns 1 if the event occurred, 0 otherwise.

Disables a certificate.

dr_sandbox.descr_tech.miscellaneous.disable_certificate

exec(regex)

Returns the number of events of a specific type.

Executes processes. Only the processes that match the regular expression are counted.

dr_sandbox.descr_tech.miscellaneous.exec(/pattern/)

load_driver(regex)

Returns the number of events of a specific type.

Loads drivers. Only the drivers that match the regular expression are counted.

dr_sandbox.descr_tech.miscellaneous.load_driver(/pattern/)

load_driver_num

Returns the number of events of a specific type.

Loads drivers.

dr_sandbox.descr_tech.miscellaneous.load_driver_num

modify_auto_config_url(regex)

Returns the number of events of a specific type.

Changes the AutoConfigURL parameter (the proxy auto-configuration script URL in the Internet Settings). Only the values that match the regular expression are counted.

dr_sandbox.descr_tech.miscellaneous.modify_auto_config_url(/pattern/)

search_wnd(regex)

Returns the number of events of a specific type.

Searches for windows. Only the windows that match the regular expression are counted.

dr_sandbox.descr_tech.miscellaneous.search_wnd(/MS_WebcheckMonitor/)

search_wnd_num

Returns the number of events of a specific type.

Searches for windows.

dr_sandbox.descr_tech.miscellaneous.search_wnd_num == 3

shut_down_windows

Returns 1 if the event occurred, 0 otherwise.

Attempts to shut down Windows OS.

dr_sandbox.descr_tech.miscellaneous.shut_down_windows

use_ntfs_data_streams

Returns 1 if the event occurred, 0 otherwise.

Uses NTFS alternate data streams.

dr_sandbox.descr_tech.miscellaneous.use_ntfs_data_streams

Network activity (the 'network' category)

Function

Result

Event type

Examples

connect_to(regex)

Returns the number of events of a specific type.

Connects to remote hosts. Only the hosts that match the regular expression are counted.

dr_sandbox.descr_tech.network.connect_to(/www.xfo.cn/)

connect_to_num

Returns the number of events of a specific type.

Connects to remote hosts.

dr_sandbox.descr_tech.network.connect_to_num >= 2

tcp(regex)

Returns the number of events of a specific type.

TCP requests.

dr_sandbox.descr_tech.network.tcp(/pattern/)

tcp_num

Returns the number of events of a specific type.

TCP requests.

dr_sandbox.descr_tech.network.tcp_num

tcp_http_get(regex)

Returns the number of events of a specific type.

HTTP GET requests using TCP.

dr_sandbox.descr_tech.network.tcp_http_get(/addurl.html$/)

tcp_http_get_num

Returns the number of events of a specific type.

HTTP GET requests using TCP.

dr_sandbox.descr_tech.network.tcp_http_get_num >= 2

tcp_http_post(regex)

Returns the number of events of a specific type.

HTTP POST requests using TCP.

dr_sandbox.descr_tech.network.tcp_http_post(/addurl.html$/)

tcp_http_post_num

Returns the number of events of a specific type.

HTTP POST requests using TCP.

dr_sandbox.descr_tech.network.tcp_http_post_num >= 2

tcp_http_unk(regex)

Returns the number of events of a specific type.

HTTP requests of a type other than GET or POST.

dr_sandbox.descr_tech.network.tcp_http_unk(/pattern/)

tcp_http_unk_num

Returns the number of events of a specific type.

HTTP requests of a type other than GET or POST.

dr_sandbox.descr_tech.network.tcp_http_unk_num

udp(regex)

Returns the number of events of a specific type.

UDP requests.

dr_sandbox.descr_tech.network.udp(/disk57/)

udp_num

Returns the number of events of a specific type.

UDP requests.

dr_sandbox.descr_tech.network.udp_num >= 2

Functions for the Linux sandbox (the 'descr_tech_lbcl' category)

Enabling autorun and distribution (the 'autorun' category)

Function

Result

Event type

Examples

create_or_modify_files(regex)

Returns the number of events of a specific type.

Creates or changes files. Only the files that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.autorun.create_or_modify_files(/pattern/)

create_or_modify_files_num

Returns the number of events of a specific type.

Creates or modifies files.

dr_sandbox.descr_tech_lbcl.autorun.create_or_modify_files_num

create_or_modify_symlinks(regex)

Returns the number of events of a specific type.

Creates or modifies symbolic links. Only the links that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.autorun.create_or_modify_symlinks(/pattern/)

create_or_modify_symlinks_num

Returns the number of events of a specific type.

Creates or modifies symbolic links.

dr_sandbox.descr_tech_lbcl.autorun.create_or_modify_symlinks_num

File system modification (the 'filesystem' category)

Function

Result

Event type

Examples

change_time_of_file(regex)

Returns the number of events of a specific type.

Changes the time when the file was created, accessed, or modified. Only the files that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.filesystem.change_time_of_file(/pattern/)

change_time_of_file_num

Returns the number of events of a specific type.

Changes the time when the file was created, accessed, or modified.

dr_sandbox.descr_tech_lbcl.filesystem.change_time_of_file_num

create_dir(regex)

Returns the number of events of a specific type.

Creates directories. Only the directories that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.filesystem.create_dir(/pattern/)

create_dir_num

Returns the number of events of a specific type.

Creates directories.

dr_sandbox.descr_tech_lbcl.filesystem.create_dir_num

create_or_modify_file(regex)

Returns the number of events of a specific type.

Creates or changes files. Only the files that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.filesystem.create_or_modify_file(/pattern/)

create_or_modify_file_num

Returns the number of events of a specific type.

Creates or modifies files.

dr_sandbox.descr_tech_lbcl.filesystem.create_or_modify_file_num

create_symlink(regex)

Returns the number of events of a specific type.

Creates symbolic links. Only the links that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.filesystem.create_symlink(/pattern/)

create_symlink_num

Returns the number of events of a specific type.

Creates symbolic links.

dr_sandbox.descr_tech_lbcl.filesystem.create_symlink_num

lock_file(regex)

Returns the number of events of a specific type.

Locks files. Only the files that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.filesystem.lock_file(/pattern/)

lock_file_num

Returns the number of events of a specific type.

Locks files.

dr_sandbox.descr_tech_lbcl.filesystem.lock_file_num

modify_file_access_rights(regex)

Returns the number of events of a specific type.

Changes file access rights. Only the files that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.filesystem.modify_file_access_rights(/pattern/)

modify_file_access_rights_num

Returns the number of events of a specific type.

Changes file access rights.

dr_sandbox.descr_tech_lbcl.filesystem.modify_file_access_rights_num

modify_file_owner(regex)

Returns the number of events of a specific type.

Changes file owners. Only the files that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.filesystem.modify_file_owner(/pattern/)

modify_file_owner_num

Returns the number of events of a specific type.

Changes file owners.

dr_sandbox.descr_tech_lbcl.filesystem.modify_file_owner_num

mount_file_system(regex)

Returns the number of events of a specific type.

Mounts file systems. Only the systems that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.filesystem.mount_file_system(/pattern/)

mount_file_system_num

Returns the number of events of a specific type.

Mounts file systems.

dr_sandbox.descr_tech_lbcl.filesystem.mount_file_system_num

remove_dir(regex)

Returns the number of events of a specific type.

Deletes directories. Only the directories that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.filesystem.remove_dir(/pattern/)

remove_dir_num

Returns the number of events of a specific type.

Deletes directories.

dr_sandbox.descr_tech_lbcl.filesystem.remove_dir_num

remove_file(regex)

Returns the number of events of a specific type.

Deletes files. Only the files that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.filesystem.remove_file(/pattern/)

remove_file_num

Returns the number of events of a specific type.

Deletes files.

dr_sandbox.descr_tech_lbcl.filesystem.remove_file_num

unmount_file_system(regex)

Returns the number of events of a specific type.

Unmounts file systems. Only the systems that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.filesystem.unmount_file_system(/pattern/)

unmount_file_system_num

Returns the number of events of a specific type.

Unmounts file systems.

dr_sandbox.descr_tech_lbcl.filesystem.unmount_file_system_num

Malicious functions (the 'malicious' category)

Function

Result

Event type

Examples

attempt_kill_system_proc(regex)

Returns the number of events of a specific type.

Tries to kill system processes. Only the processes that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.malicious.attempt_kill_system_proc(/pattern/)

attempt_kill_system_proc_num

Returns the number of events of a specific type.

Tries to kill system processes.

dr_sandbox.descr_tech_lbcl.malicious.attempt_kill_system_proc_num

attept_kill_analyzers(regex)

Returns the number of events of a specific type.

Tries to kill analyzers. Only the analyzers that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.malicious.attept_kill_analyzers(/pattern/)

attept_kill_analyzers_num

Returns the number of events of a specific type.

Tries to kill analyzers.

dr_sandbox.descr_tech_lbcl.malicious.attept_kill_analyzers_num

attept_kill_proc(regex)

Returns the number of events of a specific type.

Tries to kill processes. Only the processes that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.malicious.attept_kill_proc(/pattern/)

attept_kill_proc_num

Returns the number of events of a specific type.

Tries to kill processes.

dr_sandbox.descr_tech_lbcl.malicious.attept_kill_proc_num

compile_program_from_source_codes(regex)

Returns the number of events of a specific type.

Compiles source code.

dr_sandbox.descr_tech_lbcl.malicious.compile_program_from_source_codes(/pattern/)

compile_program_from_source_codes_num

Returns the number of events of a specific type.

Compiles source code.

dr_sandbox.descr_tech_lbcl.malicious.compile_program_from_source_codes_num

gain_root_privileges

Returns the number of events of a specific type.

Gains root access.

dr_sandbox.descr_tech_lbcl.malicious.gain_root_privileges

get_access_to_ssh_keys

Returns the number of events of a specific type.

Accesses SSH keys.

dr_sandbox.descr_tech_lbcl.malicious.get_access_to_ssh_keys

inject_to_proc(regex)

Returns the number of events of a specific type.

Injects itself into processes. Only the processes that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.malicious.inject_to_proc(/pattern/)

inject_to_proc_num

Returns the number of events of a specific type.

Injects itself into processes.

dr_sandbox.descr_tech_lbcl.malicious.inject_to_proc_num

kill_analyzers(regex)

Returns the number of events of a specific type.

Kills analyzers. Only the analyzers that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.malicious.kill_analyzers(/pattern/)

kill_analyzers_num

Returns the number of events of a specific type.

Kills analyzers.

dr_sandbox.descr_tech_lbcl.malicious.kill_analyzers_num

kill_proc(regex)

Returns the number of events of a specific type.

Kills processes. Only the processes that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.malicious.kill_proc(/pattern/)

kill_proc_num

Returns the number of events of a specific type.

Kills processes.

dr_sandbox.descr_tech_lbcl.malicious.kill_proc_num

kill_system_proc(regex)

Returns the number of events of a specific type.

Kills system processes. Only the processes that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.malicious.kill_system_proc(/pattern/)

kill_system_proc_num

Returns the number of events of a specific type.

Kills system processes.

dr_sandbox.descr_tech_lbcl.malicious.kill_system_proc_num

launch_itself_as_daemon

Returns the number of events of a specific type.

Launches itself as a daemon.

dr_sandbox.descr_tech_lbcl.malicious.launch_itself_as_daemon

launch_processes(regex)

Returns the number of events of a specific type.

Launches processes. Only the processes that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.malicious.launch_processes(/pattern/)

launch_processes_num

Returns the number of events of a specific type.

Launches processes.

dr_sandbox.descr_tech_lbcl.malicious.launch_processes_num

manage_services(regex)

Returns the number of events of a specific type.

Manages services. Only the services that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.malicious.manage_services(/pattern/)

manage_services_num

Returns the number of events of a specific type.

Manages services.

dr_sandbox.descr_tech_lbcl.malicious.manage_services_num

modify_firewall_settings(regex)

Returns the number of events of a specific type.

Changes firewall settings. Only the settings that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.malicious.modify_firewall_settings(/pattern/)

modify_firewall_settings_num

Returns the number of events of a specific type.

Changes firewall settings.

dr_sandbox.descr_tech_lbcl.malicious.modify_firewall_settings_num

modify_router_settings(regex)

Returns the number of events of a specific type.

Changes router settings. Only the settings that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.malicious.modify_router_settings(/pattern/)

modify_router_settings_num

Returns the number of events of a specific type.

Changes router settings.

dr_sandbox.descr_tech_lbcl.malicious.modify_router_settings_num

operate_kernel_modules(regex)

Returns the number of events of a specific type.

Operates on kernel modules. Only the modules that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.malicious.operate_kernel_modules(/pattern/)

operate_kernel_modules_num

Returns the number of events of a specific type.

Operates on kernel modules.

dr_sandbox.descr_tech_lbcl.malicious.operate_kernel_modules_num

perform_process_tracing(regex)

Returns the number of events of a specific type.

Performs process tracing. Only the processes that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.malicious.perform_process_tracing(/pattern/)

perform_process_tracing_num

Returns the number of events of a specific type.

Performs process tracing.

dr_sandbox.descr_tech_lbcl.malicious.perform_process_tracing_num

remove_self

Returns the number of events of a specific type.

Deletes itself.

dr_sandbox.descr_tech_lbcl.malicious.remove_self

remove_system_files(regex)

Returns the number of events of a specific type.

Deletes system files. Only the files that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.malicious.remove_system_files(/pattern/)

remove_system_files_num

Returns the number of events of a specific type.

Deletes system files.

dr_sandbox.descr_tech_lbcl.malicious.remove_system_files_num

replace_system_files(regex)

Returns the number of events of a specific type.

Replaces system files. Only the files that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.malicious.replace_system_files(/pattern/)

replace_system_files_num

Returns the number of events of a specific type.

Replaces system files.

dr_sandbox.descr_tech_lbcl.malicious.replace_system_files_num

stops_system_services(regex)

Returns the number of events of a specific type.

Stops system services. Only the services that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.malicious.stops_system_services(/pattern/)

stops_system_services_num

Returns the number of events of a specific type.

Stops system services.

dr_sandbox.descr_tech_lbcl.malicious.stops_system_services_num

substitute_application_name_for(regex)

Returns the number of events of a specific type.

Substitutes an application name.

dr_sandbox.descr_tech_lbcl.malicious.substitute_application_name_for(/pattern/)

substitute_application_name_for_num

Returns the number of events of a specific type.

Substitutes an application name.

dr_sandbox.descr_tech_lbcl.malicious.substitute_application_name_for_num

Network activity (the 'network' category)

Function

Result

Event type

Examples

attack_bruteforce_via_ssh

Returns the number of events of a specific type.

Performs a brute-force attack over the SSH protocol.

dr_sandbox.descr_tech_lbcl.network.attack_bruteforce_via_ssh

attack_bruteforce_via_telnet

Returns the number of events of a specific type.

Performs a brute-force attack over the Telnet protocol.

dr_sandbox.descr_tech_lbcl.network.attack_bruteforce_via_telnet

attack_bruteforce_via_unk_protocol

Returns the number of events of a specific type.

Performs a brute-force attack over an unidentified protocol.

dr_sandbox.descr_tech_lbcl.network.attack_bruteforce_via_unk_protocol

connect_to(regex)

Returns the number of events of a specific type.

Connects to servers. Only the servers that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.network.connect_to(/pattern/)

connect_to_num

Returns the number of events of a specific type.

Connects to servers.

dr_sandbox.descr_tech_lbcl.network.connect_to_num

connect_to_irc(regex)

Returns the number of events of a specific type.

Connects to servers over the IRC protocol. Only the servers that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.network.connect_to_irc(/pattern/)

dns_ask(regex)

Returns the number of events of a specific type.

DNS queries.

dr_sandbox.descr_tech_lbcl.network.dns_ask(/pattern/)

dns_ask_num

Returns the number of events of a specific type.

DNS queries.

dr_sandbox.descr_tech_lbcl.network.dns_ask_num

http_get(regex)

Returns the number of events of a specific type.

HTTP GET requests.

dr_sandbox.descr_tech_lbcl.network.http_get(/pattern/)

http_get_num

Returns the number of events of a specific type.

HTTP GET requests.

dr_sandbox.descr_tech_lbcl.network.http_get_num

http_other(regex)

Returns the number of events of a specific type.

Other HTTP requests.

dr_sandbox.descr_tech_lbcl.network.http_other(/pattern/)

http_other_num

Returns the number of events of a specific type.

Other HTTP requests.

dr_sandbox.descr_tech_lbcl.network.http_other_num

http_post(regex)

Returns the number of events of a specific type.

HTTP POST requests.

dr_sandbox.descr_tech_lbcl.network.http_post(/pattern/)

http_post_num

Returns the number of events of a specific type.

HTTP POST requests.

dr_sandbox.descr_tech_lbcl.network.http_post_num

listening_port(regex)

Returns the number of events of a specific type.

Listens for incoming connections on ports. Only the ports that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.network.listening_port(/pattern/)

listening_port_num

Returns the number of events of a specific type.

Listens for incoming connections on ports.

dr_sandbox.descr_tech_lbcl.network.listening_port_num

receive_data_from_server(regex)

Returns the number of events of a specific type.

Receives data from servers. Only the servers that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.network.receive_data_from_server(/pattern/)

receive_data_from_server_num

Returns the number of events of a specific type.

Receives data from servers.

dr_sandbox.descr_tech_lbcl.network.receive_data_from_server_num

send_data_to_server(regex)

Returns the number of events of a specific type.

Sends data to servers. Only the servers that match the regular expression are counted.

dr_sandbox.descr_tech_lbcl.network.send_data_to_server(/pattern/)

send_data_to_server_num

Returns the number of events of a specific type.

Sends data to servers.

dr_sandbox.descr_tech_lbcl.network.send_data_to_server_num

Other (the 'other' category)

Function

Result

Event type

Examples

collect_cpu_info

Returns the number of events of a specific type.

Collects information about the CPU.

dr_sandbox.descr_tech_lbcl.other.collect_cpu_info

collect_network_info

Returns the number of events of a specific type.

Collects network information.

dr_sandbox.descr_tech_lbcl.other.collect_network_info

collect_os_info

Returns the number of events of a specific type.

Collects information about the OS.

dr_sandbox.descr_tech_lbcl.other.collect_os_info

collect_ram_info

Returns the number of events of a specific type.

Collects information about RAM.

dr_sandbox.descr_tech_lbcl.other.collect_ram_info

read_info_from_proc_kallsyms

Returns the number of events of a specific type.

Reads information from /proc/kallsyms.

dr_sandbox.descr_tech_lbcl.other.read_info_from_proc_kallsyms

Detections (the 'detects' category)

Function

Result

Event type

Examples

all_detects_here(regex)

Returns the number of events of a specific type.

All detections. Only the detection names that match the regular expression are counted.

dr_sandbox.detects.all_detects_here(/Virlock/)

all_detects_here_num

Returns the number of events of a specific type.

All detections.

dr_sandbox.detects.all_detects_here_num

detects_of_allocs(regex)

Returns the number of events of a specific type.

Detections on files of the alloc type (SB_FILETYPE_ALLOC). Only the detection names that match the regular expression are counted.

dr_sandbox.detects.detects_of_allocs(/Virlock/)

detects_of_allocs_num

Returns the number of events of a specific type.

Detections on files of the alloc type (SB_FILETYPE_ALLOC).

dr_sandbox.detects.detects_of_allocs_num

detects_of_drops(regex)

Returns the number of events of a specific type.

Detections on dropped files (SB_FILETYPE_DROP). Only the detection names that match the regular expression are counted.

dr_sandbox.detects.detects_of_drops(/Virlock/)

detects_of_drops_num

Returns the number of events of a specific type.

Detections on dropped files (SB_FILETYPE_DROP).

dr_sandbox.detects.detects_of_drops_num

detects_of_dumps(regex)

Returns the number of events of a specific type.

Detections on dumps (SB_FILETYPE_DUMP). Only the detection names that match the regular expression are counted.

dr_sandbox.detects.detects_of_dumps(/Virlock/)

detects_of_dumps_num

Returns the number of events of a specific type.

Detections on dumps (SB_FILETYPE_DUMP).

dr_sandbox.detects.detects_of_dumps_num

detects_of_injects(regex)

Returns the number of events of a specific type.

Detections on injected code (SB_FILETYPE_INJECT). Only the detection names that match the regular expression are counted.

dr_sandbox.detects.detects_of_injects(/Virlock/)

detects_of_injects_num

Returns the number of events of a specific type.

Detections on injected code (SB_FILETYPE_INJECT).

dr_sandbox.detects.detects_of_injects_num

detects_of_src(regex)

Returns the number of events of a specific type.

Detections on files of the src type (SB_FILETYPE_SRC). Only the detection names that match the regular expression are counted.

dr_sandbox.detects.detects_of_src(/Virlock/)

detects_of_src_num

Returns the number of events of a specific type.

Detections on files of the src type (SB_FILETYPE_SRC).

dr_sandbox.detects.detects_of_src_num

Other functions

Function

Description

Examples

check_buffer(offset, buffer_asciihex_value)

Checks whether the bytes at the specified offset equal the given ASCII-hex string. The string length must be even (two hex digits per byte). Can be used instead of the 'strings' section, for example, to avoid slowing down scanning.

Returns 1 if the string is found, 0 otherwise.

dr_sandbox.check_buffer(0,"4d5A")

check_byte(offset, byte_value)

Checks the byte at the specified offset. Can be used instead of the 'strings' section, for example, to avoid slowing down scanning.

Returns 1 if a value in bytes is found, 0 otherwise.

dr_sandbox.check_byte(0,0x4d)

check_dword(offset, dword_value)

Checks the DWORD (32-bit value) at the specified offset. Can be used instead of the 'strings' section, for example, to avoid slowing down scanning.

Returns 1 if a DWORD value is found, 0 otherwise.

dr_sandbox.check_dword(0,0x00905A4D)

check_word(offset, word_value)

Checks the WORD (16-bit value) at the specified offset. Can be used instead of the 'strings' section, for example, to avoid slowing down scanning.

Returns 1 if a WORD value is found, 0 otherwise.

dr_sandbox.check_word(0,0x5a4d)

ci_any(string)

Returns 1 if the case-insensitive ASCII or wide string is found, 0 otherwise.

dr_sandbox.ci_any("string")

ci_any_num(string)

Returns the number of occurrences of the case-insensitive ASCII or wide string, 0 if none is found.

dr_sandbox.ci_any_num("string")

ci_ascii(string)

Returns 1 if the case-insensitive ASCII string is found, 0 otherwise.

dr_sandbox.ci_ascii("string")

ci_ascii_num(string)

Returns the number of occurrences of the case-insensitive ASCII string, 0 if none is found.

dr_sandbox.ci_ascii_num("string")

ci_wide(string)

Returns 1 if a case-insensitive wide string is found, 0 otherwise.

dr_sandbox.ci_wide("string")

ci_wide_num(string)

Returns the number of occurrences of the case-insensitive wide string, 0 if none is found.

dr_sandbox.ci_wide_num("string")

ci_xor(string)

Returns 1 if the case-insensitive ASCII string is found XOR-ed with a single-byte key, 0 otherwise.

dr_sandbox.ci_xor("string")

ci_xor_num(string)

Returns the number of occurrences of the case-insensitive ASCII string XOR-ed with a single-byte key, 0 if none is found.

dr_sandbox.ci_xor_num("string")

crc32(integer, integer)

Calculates and returns the CRC32 checksum of a range of the buffer. The first parameter is the offset, and the second parameter is the length of the range.

dr_sandbox.crc32(0, 0)

cs_any(string)

Returns 1 if the case-sensitive ASCII or wide string is found, 0 otherwise.

dr_sandbox.cs_any("string")

cs_any_num(string)

Returns the number of occurrences of the case-sensitive ASCII or wide string, 0 if none is found.

dr_sandbox.cs_any_num("string")

cs_ascii(string)

Returns 1 if the case-sensitive ASCII string is found, 0 otherwise.

dr_sandbox.cs_ascii("string")

cs_ascii_num(string)

Returns the number of occurrences of the case-sensitive ASCII string, 0 if none is found.

dr_sandbox.cs_ascii_num("string")

cs_wide(string)

Returns 1 if the case-sensitive wide string is found, 0 otherwise.

dr_sandbox.cs_wide("string")

cs_wide_num(string)

Returns the number of occurrences of the case-sensitive wide string, 0 if none is found.

dr_sandbox.cs_wide_num("string")

detects_of_this_file(regex)

Returns the number of detections on the scanned file whose names match the regular expression.

dr_sandbox.detects_of_this_file(/Virlock/) == 0

detects_of_this_file_num

Returns the number of detections on the scanned file.

dr_sandbox.detects_of_this_file_num

filename(regex)

Returns 1 if the regular expression is found in the file name, 0 otherwise.

dr_sandbox.filename(/xtbl/)

filename_boost_regex(string_with_regex)

Searches the file name for a regular expression using boost::regex (flags: boost::regex::perl; matching is done with boost::regex_search).

Can be used if you need regex features such as negative lookahead or backreferences, which the YARA regex engine does not support. Note that an invalid regex slows down scanning. Moreover, boost::regex is slower than the YARA regex engine, so it is recommended to use dr_sandbox.filename(//) where possible.

Returns 1 if the regular expression is found, 0 otherwise.

dr_sandbox.filename_boost_regex("(?<!abc)def")

filesystem_access(regex)

A high-level function that matches the regular expression against all file system operations.

dr_sandbox.filesystem_access(/AnnaKournikova\.jpg\.vbs/)

network_access(regex)

A high-level function that matches the regular expression against all network operations.

dr_sandbox.network_access(/\.php\?id=[0-9]+&token=[0-9]+/)

registry_access(regex)

Returns the number of registry operations that match the regular expression.

dr_sandbox.registry_access(/pattern/)

sb_filetype

Returns the type of the scanned file, for comparison with the following SB_FILETYPE_* constants:

SB_FILETYPE_SRC;

SB_FILETYPE_DROP;

SB_FILETYPE_MEMDMP;

SB_FILETYPE_ALLOC;

SB_FILETYPE_DUMP;

SB_FILETYPE_INJECT.

dr_sandbox.sb_filetype == dr_sandbox.SB_FILETYPE_SRC

search_substring_in_range(string, integer, integer)

Searches for a substring in a range of the buffer using the Boyer–Moore algorithm. The first argument is the substring as an ASCII-hex string, the second parameter is the offset, and the third parameter is the length of the range. Use with care: it is not free in terms of performance.

dr_sandbox.search_substring_in_range("string", 0, 0)
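The following Python module is an added illustration, not code from the dr_sandbox module itself. It re-implements the fixed-offset byte checks of this table (check_byte, check_word, check_dword, check_buffer, crc32) and the single-byte-XOR string search behind ci_xor/ci_xor_num, and runs them against a constructed buffer that starts with a DOS/MZ header and hides the string "PEiD.exe" XOR-ed with the key 0x5C. Two things it shows are not spelled out by the table: the word and dword values in the examples are little-endian (0x5a4d at offset 0 is "MZ", 0x00905A4D is "MZ\x90\x00"), which is inferred from the page's own examples; and the key search for ci_xor (try every non-zero key, de-duplicate hits by offset, because keys k and k ^ 0x20 both decode an all-letter needle to a case variant of itself) is this example's assumed strategy, not documented behaviour of the module.

```python
import re
import struct
import zlib

# Constructed sample buffer (not a real file): a DOS/MZ header prefix followed by
# the string "PEiD.exe" XOR-ed with a single-byte key, as a sample that hides the
# name of an analysis tool might embed it.
XOR_KEY = 0x5C
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"                 # e_magic "MZ", e_cblp 0x0090, e_cp 0x0003
    + b"\x00" * 8
    + bytes(b ^ XOR_KEY for b in b"PEiD.exe")     # hidden string at offsets 16..23
    + b"\x00" * 4
)


def check_byte(buf, offset, value):
    """1 if the byte at offset equals value, 0 otherwise (0 when out of range)."""
    if not 0 <= offset < len(buf):
        return 0
    return int(buf[offset] == value)


def check_word(buf, offset, value):
    """1 if the little-endian 16-bit value at offset equals value, 0 otherwise.
    Little-endian is inferred from the page's example: 0x5A4D at offset 0 is "MZ"."""
    if offset < 0 or offset + 2 > len(buf):
        return 0
    return int(struct.unpack_from("<H", buf, offset)[0] == value)


def check_dword(buf, offset, value):
    """1 if the little-endian 32-bit value at offset equals value, 0 otherwise."""
    if offset < 0 or offset + 4 > len(buf):
        return 0
    return int(struct.unpack_from("<I", buf, offset)[0] == value)


def check_buffer(buf, offset, asciihex):
    """1 if the bytes at offset equal the ASCII-hex string, 0 otherwise.
    Hex digits may be mixed case ("4d5A" is "MZ"); an odd length is an error."""
    if len(asciihex) % 2:
        raise ValueError("asciihex length must be even (two digits per byte)")
    needle = bytes.fromhex(asciihex)
    if offset < 0 or offset + len(needle) > len(buf):
        return 0
    return int(buf[offset:offset + len(needle)] == needle)


def crc32(buf, offset, length):
    """CRC32 of buf[offset:offset + length]; an empty range gives 0."""
    return zlib.crc32(buf[offset:offset + length]) & 0xFFFFFFFF


def ci_xor_positions(buf, s):
    """Map offset -> ascending list of single-byte keys (1..255) under which the
    ASCII string s appears at that offset, compared case-insensitively.
    Key 0 is excluded: a plaintext hit is what ci_ascii reports.
    Hits are grouped by offset rather than counted per key, because keys k and
    k ^ 0x20 both decode an all-letter needle to a case variant of itself, so
    counting (offset, key) pairs would report one hidden string twice."""
    pattern = re.compile(re.escape(s.encode("ascii")), re.IGNORECASE)
    hits = {}
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in buf)
        for m in pattern.finditer(decoded):
            hits.setdefault(m.start(), []).append(key)
    return hits


def ci_xor_num(buf, s):
    """Number of distinct offsets at which s occurs under some single-byte XOR key."""
    return len(ci_xor_positions(buf, s))


def ci_xor(buf, s):
    """1 if s occurs under some single-byte XOR key, 0 otherwise."""
    return int(ci_xor_num(buf, s) > 0)


if __name__ == "__main__":
    print("check_word(0, 0x5a4d)        ->", check_word(SAMPLE, 0, 0x5A4D))
    print("check_dword(0, 0x00905A4D)   ->", check_dword(SAMPLE, 0, 0x00905A4D))
    print("check_buffer(0, '4d5A')      ->", check_buffer(SAMPLE, 0, "4d5A"))
    hits = ci_xor_positions(SAMPLE, "PEiD.exe")
    print("ci_xor_positions('PEiD.exe') ->", {o: [hex(k) for k in ks] for o, ks in hits.items()})
    print("ci_xor_num('PEiD')           ->", ci_xor_num(SAMPLE, "PEiD"))
```

Running the module prints the hidden string at offset 16 with the single key 0x5C, while the all-letter needle "PEiD" is found under both 0x5C and 0x7C at the same offset and still counts once. The out-of-range checks return 0 rather than raising, which mirrors the 0-or-1 results the table documents for check_byte, check_word and check_dword.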