In particular, a sample's MITRE ATT&CK mapping can be found under the BEHAVIOR tab of the file's report. This data is searchable in VirusTotal Intelligence (VTI) with the help of a set of dedicated file search modifiers.
Hunting for Ransomware
Common TTPs of modern ransomware groups by Kaspersky
- "attack_tactic" search modifier followed by the MITRE Tactic ID returns the list of files that, based on our sandbox analysis reports, execute techniques under the specified tactic. For example:
- "attack_technique" search modifier followed by the MITRE Technique ID returns the list of files that, based on our sandbox analysis reports, execute the specified technique. For example:
According to the community, the file belongs to a BlackHunt ransomware campaign that compromised multiple companies in Paraguay.
- T1490 (Inhibit System Recovery): the sample deletes the shadow copies (as highlighted in the Capabilities section below) and also modifies Windows boot settings via bcdedit.
- T1083 and T1135: the sample runs discovery processes to enumerate local files and directories, and also network shares.
- The encryption process is visible through the CryptEncrypt operating system API call, functionality provided by Advapi32.dll, under the file's DETAILS tab.
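The T1490 chain above (shadow copy deletion, backup catalog deletion, bcdedit boot-setting changes) is what a hunter wants to catch in process-creation telemetry, not only in a sandbox report. The following is an added example, not code from the original post or from VirusTotal: it runs a small set of command-line rules over constructed events and groups the hits by parent process. The event layout (`parent_image|image|command_line`, one per line) is an assumption for this example, and the sample log is constructed. The two vssadmin and wbadmin command lines come from this post; the wmic, vssadmin resize and bcdedit variants are common forms of the same technique added here for coverage.

```python
"""Detect the T1490 (Inhibit System Recovery) chain in process-creation events.

Added example, not part of the original post or VirusTotal's tooling.
Event layout is an assumption for this example: one event per line,
'parent_image|image|command_line'. The sample log is constructed.
"""
import re

# Rule name -> pattern over the command line. Case-insensitive and tolerant of
# extra whitespace, since ransomware varies switch casing and order.
T1490_RULES = {
    "vssadmin_delete_shadows":
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "vssadmin_resize_shadowstorage":
        re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic_shadowcopy_delete":
        re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin_delete_catalog":
        re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "bcdedit_recovery_disabled":
        re.compile(r"bcdedit(\.exe)?\s+/set\s+(\{default\}\s+)?recoveryenabled\s+no", re.I),
    "bcdedit_ignore_boot_failures":
        re.compile(r"bcdedit(\.exe)?\s+/set\s+(\{default\}\s+)?bootstatuspolicy\s+ignoreallfailures", re.I),
}


def parse_event(line):
    """Split one event line into its three fields."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed event: {line!r}")
    parent, image, cmdline = (p.strip() for p in parts)
    return {"parent": parent, "image": image, "cmdline": cmdline}


def match_t1490(event):
    """Return the names of every rule that fires on this event's command line."""
    return [name for name, pat in T1490_RULES.items() if pat.search(event["cmdline"])]


def hunt(log_lines):
    """Run the rules over a log; blank lines and '#' comments are ignored."""
    findings = []
    for line in log_lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        event = parse_event(line)
        rules = match_t1490(event)
        if rules:
            findings.append({**event, "rules": rules})
    return findings


def score_parents(findings):
    """Group fired rules by parent process. One parent chaining several
    distinct recovery-inhibition commands is far stronger evidence than a
    lone vssadmin call, which administrators also run legitimately."""
    by_parent = {}
    for f in findings:
        by_parent.setdefault(f["parent"], set()).update(f["rules"])
    return by_parent


# Constructed sample log (not real telemetry). Backslashes doubled for Python.
SAMPLE_LOG = """\
# parent_image|image|command_line
explorer.exe|C:\\Users\\victim\\Downloads\\invoice.exe|invoice.exe
invoice.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
invoice.exe|C:\\Windows\\System32\\wbadmin.exe|wbadmin.exe delete catalog -quiet
invoice.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit.exe /set {default} recoveryenabled No
invoice.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
svchost.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
"""

if __name__ == "__main__":
    for parent, rules in score_parents(hunt(SAMPLE_LOG.splitlines())).items():
        print(f"{parent}: {len(rules)} distinct T1490 rules -> {sorted(rules)}")
```

Note that `vssadmin list shadows` is deliberately not a rule: it is discovery, not destruction, and firing on it would bury the real chain in administrator noise. The grouping by parent is the part worth keeping when porting this to a SIEM rule: four distinct recovery-inhibition commands from one unsigned parent in a short window is the signature of the behavior described above.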
Hunting for Keyloggers
Conclusions
Appendix I – Behavior search modifiers
- "behavior_processes": followed by the executable and parameters used to run during the sample's dynamic analysis:
- behavior_processes:"\vssadmin.exe delete shadows /all /quiet"
- behavior_processes:"wbadmin.exe delete catalog -quiet"
- behavior_processes:"tree c:\"
- "behavior_injected_processes": followed by the executable name, with or without extension:
- "behavior_created_processes": followed by the executable name, with or without extension:
- "behavior_services": followed by the service name, to get files opening or deleting internal services:
- "behavior_registry": followed by a system registry key, to check for new, deleted or modified registry keys:
- "behavior_network": followed by a URL, domain or IP address, to identify files communicating with those network elements:
- "behavior_files": followed by the file name, with or without extension and/or path, to identify files that were opened, written, deleted or dropped:
- behavior_files:"C:\ProgramData\Vaccine.txt"
- behavior_files:"Microsoft\Windows\Start Menu\Programs\Startup*"
- "behavior": all the previous search modifiers in this appendix can be replaced by this one. It matches against the whole file behavior report and provides a way to check for data that has no specific search modifier assigned:
- API calls: the Calls Highlighted subsection under the Highlighted actions section of a file behavior report:
- behavior:CryptEncrypt
- behavior:IsDebuggerPresent
- behavior:IsWow64Process
- behavior:GetSystemMetrics
- behavior:GetAsyncKeyState
- Mutexes created or opened, under the Synchronization mechanisms & Signals section of a file behavior report:
- Modules loaded section of a file behavior report:
- "behavior_tags": followed by the tag of your interest, to get files assigned the indicated tag (the available tags can be checked here).
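The modifiers in this appendix are most useful chained together, and the results are easiest to triage through the API rather than the web UI. The following is an added example, not VirusTotal's own code: it composes a query from the ransomware behaviors in this post (attack_technique, behavior_processes and behavior) and pages through the VT API v3 Intelligence search endpoint. It assumes the documented endpoint `GET https://www.virustotal.com/api/v3/intelligence/search` with `query`, `limit` and `cursor` parameters and an `x-apikey` header (an Intelligence licence is required), and it adds `positives:`, a standard VTI modifier not covered by this appendix, to drop undetected files. The JSON in `SAMPLE_RESPONSE` is constructed with placeholder hashes to mirror the v3 file-object shape so the summariser can run offline; the quoting helper rejects embedded double quotes rather than escaping them, which is a simplification of this example and not a VTI rule.

```python
"""Compose VT Intelligence behavior queries and page through search results.

Added example, not VirusTotal's own code. Assumes the documented v3 endpoint
GET https://www.virustotal.com/api/v3/intelligence/search (x-apikey header,
Intelligence licence required). SAMPLE_RESPONSE is constructed, not real data.
"""
import json
import urllib.parse
import urllib.request

VT_SEARCH = "https://www.virustotal.com/api/v3/intelligence/search"


def term(modifier, value):
    """Render one 'modifier:value' clause. Values containing whitespace or
    backslashes are wrapped in double quotes so VTI treats them as one phrase,
    the form used throughout the appendix. Embedded quotes are rejected rather
    than escaped (a simplification of this helper, not a VTI rule)."""
    if '"' in value:
        raise ValueError("value may not contain a double quote")
    if any(ch.isspace() for ch in value) or "\\" in value:
        return f'{modifier}:"{value}"'
    return f"{modifier}:{value}"


def all_of(*clauses):
    return " AND ".join(clauses)


def any_of(*clauses):
    return "(" + " OR ".join(clauses) + ")"


def ransomware_query(min_positives=5):
    """Chain the behaviors from the post into one query: T1490, either
    recovery-inhibition command line from the appendix, and CryptEncrypt in
    the behavior report. positives: is a standard VTI modifier (not listed in
    the appendix) that drops files no engine flags."""
    return all_of(
        term("attack_technique", "T1490"),
        any_of(
            term("behavior_processes", "vssadmin.exe delete shadows /all /quiet"),
            term("behavior_processes", "wbadmin.exe delete catalog -quiet"),
        ),
        term("behavior", "CryptEncrypt"),
        f"positives:{min_positives}+",
    )


def summarise(page):
    """Reduce one search page of v3 file objects to the fields triaged first.
    Missing attributes are tolerated: not every object has a name or tags."""
    rows = []
    for obj in page.get("data", []):
        attrs = obj.get("attributes", {})
        rows.append({
            "sha256": attrs.get("sha256", obj.get("id")),
            "name": attrs.get("meaningful_name"),
            "malicious": attrs.get("last_analysis_stats", {}).get("malicious", 0),
            "tags": sorted(attrs.get("tags", [])),
        })
    return rows


def next_cursor(page):
    """v3 collections paginate with meta.cursor; None means the last page."""
    return page.get("meta", {}).get("cursor")


def search(query, api_key, limit=10, max_pages=3):
    """Generator yielding summarised rows across pages. Needs an Intelligence
    key and network access; never called by the offline sample below."""
    cursor = None
    for _ in range(max_pages):
        params = {"query": query, "limit": limit}
        if cursor:
            params["cursor"] = cursor
        req = urllib.request.Request(
            VT_SEARCH + "?" + urllib.parse.urlencode(params),
            headers={"x-apikey": api_key, "accept": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        yield from summarise(page)
        cursor = next_cursor(page)
        if not cursor:
            break


# Constructed response (placeholder hashes, not real VT data) in the v3 shape.
SAMPLE_RESPONSE = {
    "data": [
        {"type": "file", "id": "00" * 32,
         "attributes": {"sha256": "00" * 32, "meaningful_name": "invoice.exe",
                        "last_analysis_stats": {"malicious": 41, "undetected": 22},
                        "tags": ["peexe", "ransomware"]}},
        {"type": "file", "id": "ff" * 32,
         "attributes": {"sha256": "ff" * 32,
                        "last_analysis_stats": {"malicious": 7, "undetected": 56}}},
    ],
    "meta": {"cursor": "constructed-cursor", "total_hits": 2},
}

if __name__ == "__main__":
    print(ransomware_query())
    for row in summarise(SAMPLE_RESPONSE):
        print(row)
```

To run it live, call `search(ransomware_query(), api_key)` and iterate; keep `limit` and `max_pages` small while tuning the query, since every page consumes Intelligence quota. The AND/OR composition is the point: `attack_technique:T1490` alone is broad, but intersecting it with a specific command line and an API call from the behavior report narrows the set to samples that actually look like the BlackHunt case above.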