From 712cee3604a8c55d03cd2b28c88900dd41d5697d Mon Sep 17 00:00:00 2001
From: Aayush Goel <81844215+Aayush-Goel-04@users.noreply.github.com>
Date: Sun, 27 Aug 2023 16:36:10 +0530
Subject: [PATCH] prevlance db path updated

---
 assets/rules_prevalence.json | 594 +++++++++++++++++++++++++++++++++++
 capa/render/default.py       |   3 +-
 2 files changed, 596 insertions(+), 1 deletion(-)
 create mode 100644 assets/rules_prevalence.json

diff --git a/assets/rules_prevalence.json b/assets/rules_prevalence.json
new file mode 100644
index 0000000000..a45371c335
--- /dev/null
+++ b/assets/rules_prevalence.json
@@ -0,0 +1,594 @@ +{ + "reference anti-VM strings": 0.012304250559284116, + "contain obfuscated stackstrings": 0.883668903803132, + "gather firefox profile information": 0.0011185682326621924, + "log keystrokes": 0.010626398210290829, + "log keystrokes via polling": 0.03691275167785235, + "capture screenshot": 0.012304250559284116, + "send data": 0.10346756152125279, + "receive and write data from server to client": 0.015100671140939598, + "resolve DNS": 0.07885906040268456, + "reference HTTP User-Agent string": 0.02069351230425056, + "send HTTP request with Host header": 0.008389261744966443, + "create pipe": 0.013982102908277404, + "create two anonymous pipes": 0.01174496644295302, + "read pipe": 0.007829977628635347, + "get socket status": 0.036353467561521254, + "initialize Winsock library": 0.053691275167785234, + "set socket configuration": 0.04753914988814318, + "act as TCP client": 0.03691275167785235, + "encode data using XOR": 1.0, + "create new key via CryptAcquireContext": 0.03970917225950783, + "encrypt data using DPAPI": 0.015100671140939598, + "encrypt data using RC4 PRGA": 0.05480984340044743, + "hash data via WinCrypt": 0.016778523489932886, + "hash data with MD5": 0.03076062639821029, + "hash data using SHA1": 0.03970917225950783, + "hash data using SHA1 via WinCrypt": 0.007829977628635347, + "accept command line arguments": 0.03691275167785235, + "query environment variable": 0.08445190156599552, + "get common file path": 0.23042505592841164, + "create directory": 0.05704697986577181, + "delete file": 0.16666666666666666, + "check if file exists": 0.09731543624161074, + "enumerate files recursively": 0.032997762863534674, + "get file attributes": 0.15492170022371365, + "set file attributes": 0.10682326621923938, + "move file": 0.05480984340044743, + "read file on Windows": 0.19686800894854586, + "write file on Windows": 0.26677852348993286, + "enumerate gui resources": 0.015659955257270694, + "get graphical window text": 0.04082774049217002, + 
"get disk information": 0.07214765100671142, + "get disk size": 0.01621923937360179, + "check mutex and exit": 0.029082774049217, + "get hostname": 0.0587248322147651, + "get system information on Windows": 0.06823266219239374, + "check OS version": 0.05201342281879195, + "create a process with modified I/O handles and window": 0.015100671140939598, + "create process on Windows": 0.2829977628635347, + "create process suspended": 0.012304250559284116, + "enumerate processes": 0.053131991051454136, + "terminate process": 0.17225950782997762, + "query or enumerate registry key": 0.06991051454138703, + "query or enumerate registry value": 0.18176733780760626, + "set registry value": 0.05704697986577181, + "delete registry key": 0.03076062639821029, + "delete registry value": 0.032997762863534674, + "get session user name": 0.030201342281879196, + "create thread": 0.21196868008948547, + "resume thread": 0.024049217002237135, + "link many functions at runtime": 0.07270693512304251, + "resolve function by parsing PE exports": 0.2779642058165548, + "persist via Active Setup registry key": 0.0005592841163310962, + "persist via Run registry key": 0.032997762863534674, + "contains PDB path": 0.0296420581655481, + "reference anti-VM strings targeting VirtualBox": 0.00727069351230425, + "receive data": 0.08053691275167785, + "start HTTP server": 0.0005592841163310962, + "access .NET resource": 0.0011185682326621924, + "manipulate console buffer": 0.026286353467561523, + "load .NET assembly": 0.0016778523489932886, + "unmanaged call": 0.020134228187919462, + "compiled to the .NET platform": 0.003355704697986577, + "reference Base64 string": 0.02796420581655481, + "encrypt or decrypt via WinCrypt": 0.03076062639821029, + "encrypt data using AES via WinAPI": 0.003355704697986577, + "initialize hashing via WinCrypt": 0.005592841163310962, + "generate random numbers via WinAPI": 0.012304250559284116, + "set current directory": 0.02796420581655481, + "copy file": 
0.056487695749440715, + "print debug messages": 0.10961968680089486, + "create mutex": 0.012863534675615212, + "get thread local storage value": 0.08389261744966443, + "set thread local storage value": 0.04753914988814318, + "create service": 0.017337807606263984, + "enumerate services": 0.015100671140939598, + "linked against CPP standard library": 0.015100671140939598, + "parse PE header": 0.13143176733780762, + "schedule task via ITaskScheduler": 0.0011185682326621924, + "persist via Windows service": 0.022930648769574943, + "encode data using Base64": 0.030201342281879196, + "get file size": 0.053691275167785234, + "execute VBScript Javascript or JScript in memory": 0.0005592841163310962, + "act as Excel XLL add-in": 0.0005592841163310962, + "act as Word WLL add-in": 0.0, + "encrypt data using memfrob from glibc": 0.0, + "check for time delay via GetTickCount": 0.035794183445190156, + "check for VM using instruction VPCEXT": 0.002796420581655481, + "reference the VMWare IO port": 0.0044742729306487695, + "get HTTP content length": 0.0011185682326621924, + "parse URL": 0.010626398210290829, + "check HTTP status code": 0.017337807606263984, + "connect to HTTP server": 0.012863534675615212, + "create HTTP request": 0.0044742729306487695, + "get socket information": 0.016778523489932886, + "hash data with CRC32": 0.04194630872483222, + "decompress data using aPLib": 0.002796420581655481, + "encrypt data using RC4 via WinAPI": 0.003355704697986577, + "hash data using fnv": 0.012304250559284116, + "contain an embedded PE file": 0.012863534675615212, + "disable code signing": 0.0, + "manipulate boot configuration": 0.0050335570469798654, + "interact with driver via control codes": 0.036353467561521254, + "bypass Mark of the Web": 0.0011185682326621924, + "get local IPv4 addresses": 0.022930648769574943, + "shutdown system": 0.008389261744966443, + "modify access privileges": 0.0296420581655481, + "run as service": 0.01174496644295302, + "delete service": 
0.01621923937360179, + "start service": 0.024608501118568233, + "get token membership": 0.008389261744966443, + "compare security identifiers": 0.0039149888143176735, + "access PEB ldr_data": 0.03523489932885906, + "enumerate PE sections": 0.08109619686800895, + "execute shellcode via indirect call": 0.027404921700223715, + "identify system language via API": 0.012304250559284116, + "hook routines via microsoft detours": 0.0011185682326621924, + "generate random numbers using a Mersenne Twister": 0.015659955257270694, + "read clipboard data": 0.01174496644295302, + "allocate RWX memory": 0.021252796420581657, + "enumerate processes on remote desktop session host": 0.0016778523489932886, + "acquire debug privileges": 0.027404921700223715, + "link function at runtime on Windows": 0.24272930648769575, + "linked against Microsoft Detours": 0.0005592841163310962, + "reference startup folder": 0.0016778523489932886, + "get geographical location": 0.031879194630872486, + "parse credit card information": 0.019574944071588368, + "get domain trust relationships": 0.0016778523489932886, + "initialize WinHTTP library": 0.007829977628635347, + "read HTTP header": 0.0044742729306487695, + "prepare HTTP request": 0.00727069351230425, + "receive HTTP response": 0.010067114093959731, + "hash data using SHA256": 0.01901565995525727, + "list domain servers": 0.0005592841163310962, + "set environment variable": 0.02348993288590604, + "hide graphical window": 0.030201342281879196, + "allocate thread local storage": 0.029082774049217, + "reference analysis tools strings": 0.016778523489932886, + "decrypt data using AES via x86 extensions": 0.010067114093959731, + "encrypt data using AES via x86 extensions": 0.035794183445190156, + "encrypt data using blowfish": 0.003355704697986577, + "encrypt data using Camellia": 0.005592841163310962, + "encrypt data using DES": 0.01621923937360179, + "encrypt data using Curve25519": 0.006152125279642058, + "encrypt data using Salsa20 or ChaCha": 
0.003355704697986577, + "encrypt data using twofish": 0.0016778523489932886, + "hash data using murmur3": 0.01621923937360179, + "hash data using SHA384": 0.0016778523489932886, + "hash data using SHA512": 0.010067114093959731, + "hash data using tiger": 0.0005592841163310962, + "authenticate HMAC": 0.025727069351230425, + "generate random numbers via RtlGenRandom": 0.0039149888143176735, + "debug build": 0.003355704697986577, + "contain a thread local storage (.tls) section": 0.018456375838926176, + "read file via mapping": 0.02348993288590604, + "get memory capacity": 0.016778523489932886, + "query remote server for available data": 0.003355704697986577, + "create reverse shell": 0.0011185682326621924, + "convert IP address from string": 0.0016778523489932886, + "create UDP socket": 0.022930648769574943, + "enumerate files on Windows": 0.0296420581655481, + "use process Doppelg\u00e4nging": 0.0005592841163310962, + "use process replacement": 0.005592841163310962, + "get installed programs": 0.003355704697986577, + "connect to WMI namespace via WbemLocator": 0.00727069351230425, + "encrypt data using RC4 KSA": 0.012304250559284116, + "write file to startup folder": 0.0016778523489932886, + "reference SQL statements": 0.0050335570469798654, + "check if directory exists": 0.003355704697986577, + "act as Office COM add-in": 0.0, + "check for unmoving mouse cursor": 0.0022371364653243847, + "create BITS job": 0.0, + "enumerate process modules": 0.018456375838926176, + "bypass UAC via ICMLuaUtil": 0.0022371364653243847, + "check for debugger via API": 0.0022371364653243847, + "reference anti-VM strings targeting Xen": 0.0039149888143176735, + "obfuscated with Babel Obfuscator": 0.0005592841163310962, + "obfuscated with Dotfuscator": 0.0005592841163310962, + "obfuscated with Spices.Net Obfuscator": 0.0005592841163310962, + "obfuscated with Yano": 0.0005592841163310962, + "manipulate unmanaged memory in .NET": 0.0022371364653243847, + "get OS version in .NET": 
0.0022371364653243847, + "resolve function by FNV-1a hash": 0.0044742729306487695, + "reference Google Public DNS server": 0.002796420581655481, + "connect network resource": 0.0016778523489932886, + "enumerate disk volumes": 0.003355704697986577, + "enumerate network shares": 0.006152125279642058, + "check for PEB BeingDebugged flag": 0.0436241610738255, + "reference anti-VM strings targeting VMWare": 0.007829977628635347, + "initialize IWebBrowser2": 0.0016778523489932886, + "get HTTP document via IWebBrowser2": 0.0005592841163310962, + "encrypt data using AES": 0.01901565995525727, + "reference AES constants": 0.0145413870246085, + "get Program Files directory": 0.006711409395973154, + "read .ini file": 0.015659955257270694, + "get number of processors": 0.027404921700223715, + "get keyboard layout": 0.010067114093959731, + "get networking parameters": 0.0005592841163310962, + "enumerate threads": 0.010067114093959731, + "schedule task via at": 0.0016778523489932886, + "get startup folder": 0.002796420581655481, + "create TCP socket via raw AFD driver": 0.0, + "execute shellcode via Windows callback function": 0.006152125279642058, + "create raw socket": 0.0022371364653243847, + "check for software breakpoints": 0.008948545861297539, + "log keystrokes via application hook": 0.0050335570469798654, + "capture webcam image": 0.0011185682326621924, + "compute adler32 checksum": 0.0050335570469798654, + "compress data via WinAPI": 0.002796420581655481, + "compress data via ZLIB inflate or deflate": 0.009507829977628635, + "encrypt or decrypt data via BCrypt": 0.0011185682326621924, + "hash data via BCrypt": 0.0005592841163310962, + "hash data using djb2": 0.005592841163310962, + "hash data using murmur2": 0.0, + "generate random numbers using the Delphi LCG": 0.0145413870246085, + "extract resource via kernel32 functions": 0.040268456375838924, + "get file system object information": 0.0039149888143176735, + "delete directory": 0.02237136465324385, + "get file 
version info": 0.006152125279642058, + "access firewall settings via INetFwMgr": 0.0011185682326621924, + "find graphical window": 0.015100671140939598, + "enumerate devices by category": 0.00727069351230425, + "get process heap flags": 0.015100671140939598, + "get process heap force flags": 0.017337807606263984, + "get process image filename": 0.006711409395973154, + "query service status": 0.03076062639821029, + "suspend thread": 0.008389261744966443, + "terminate thread": 0.0447427293064877, + "linked against CPP regex library": 0.002796420581655481, + "linked against libcurl": 0.0011185682326621924, + "linked against OpenSSL": 0.0005592841163310962, + "linked against wolfSSL": 0.0011185682326621924, + "import public key": 0.0016778523489932886, + "empty the recycle bin": 0.0016778523489932886, + "stop service": 0.017337807606263984, + "obtain TransmitPackets callback function via WSAIoctl": 0.0, + "connect pipe": 0.0011185682326621924, + "write clipboard data": 0.007829977628635347, + "set application hook": 0.0050335570469798654, + "patch Event Tracing for Windows function": 0.0, + "get kernel32 base address": 0.026845637583892617, + "inspect section memory permissions": 0.005592841163310962, + "validate payment card number using luhn algorithm": 0.002796420581655481, + "enumerate domain computers via LDAP": 0.0011185682326621924, + "get domain information": 0.0005592841163310962, + "steal KeePass passwords using KeeFarce": 0.0, + "inject thread": 0.010067114093959731, + "timestomp file": 0.008948545861297539, + "encrypt data using AES MixColumns step": 0.0, + "list user accounts": 0.0005592841163310962, + "get storage device properties": 0.0039149888143176735, + "access the Windows event log": 0.006711409395973154, + "persist via IIS module": 0.0, + "persist via ISAPI extension": 0.0, + "forwarded export": 0.0016778523489932886, + "linked against PolarSSL/mbed TLS": 0.0, + "linked against XZip": 0.002796420581655481, + "hide thread from debugger": 
0.0005592841163310962, + "switch active desktop": 0.0005592841163310962, + "get MAC address on Windows": 0.0039149888143176735, + "send ICMP echo request": 0.003355704697986577, + "decode data using Base64 via WinAPI": 0.011185682326621925, + "empty recycle bin quietly": 0.0, + "get current user on Linux": 0.0005592841163310962, + "enumerate files on Linux": 0.0005592841163310962, + "read file on Linux": 0.006711409395973154, + "write file on Linux": 0.01174496644295302, + "create semaphore on Linux": 0.0, + "lock semaphore on Linux": 0.005592841163310962, + "unlock semaphore on Linux": 0.01174496644295302, + "get networking interfaces": 0.0011185682326621924, + "get kernel version": 0.0005592841163310962, + "create process on Linux": 0.003355704697986577, + "decrypt data via SSPI": 0.0, + "encrypt data via SSPI": 0.0, + "get client handle via SChannel": 0.0, + "check mutex": 0.006711409395973154, + "get system information on Linux": 0.0, + "terminate process via kill": 0.0022371364653243847, + "write pipe": 0.003355704697986577, + "spawn thread to RWX shellcode": 0.007829977628635347, + "obfuscated with SmartAssembly": 0.0, + "encrypt data using AES via .NET": 0.0, + "generate method via reflection in .NET": 0.008389261744966443, + "mixed mode": 0.0, + "execute syscall instruction": 0.011185682326621925, + "block operations on executable memory pages using Arbitrary Code Guard": 0.0, + "protect spawned processes with mitigation policies": 0.0, + "spoof parent PID": 0.0022371364653243847, + "get ntdll base address": 0.026286353467561523, + "bypass UAC via AppInfo ALPC": 0.0, + "bypass UAC via RPC": 0.0005592841163310962, + "bypass UAC via token manipulation": 0.0, + "manually build AES constants": 0.0011185682326621924, + "reference cryptocurrency strings": 0.0011185682326621924, + "encrypt data using XXTEA": 0.0005592841163310962, + "modify service": 0.01174496644295302, + "save image in .NET": 0.0, + "gather chrome based browser login information": 
0.0050335570469798654, + "reference WMI statements": 0.03523489932885906, + "decode data using Base64 in .NET": 0.0039149888143176735, + "find data using regex in .NET": 0.002796420581655481, + "load XML in .NET": 0.0011185682326621924, + "enumerate drives": 0.0005592841163310962, + "access WMI data in .NET": 0.0016778523489932886, + "resolve path using msvcrt": 0.0, + "send file using FTP": 0.0016778523489932886, + "enumerate processes via NtQuerySystemInformation": 0.0044742729306487695, + "disable driver code integrity": 0.0005592841163310962, + "install driver": 0.002796420581655481, + "get Windows directory from KUSER_SHARED_DATA": 0.007829977628635347, + "set console window title": 0.002796420581655481, + "map section object": 0.015100671140939598, + "hijack thread execution": 0.0016778523489932886, + "check for time delay via QueryPerformanceCounter": 0.0044742729306487695, + "compiled with dmd": 0.0, + "read virtual disk": 0.0, + "create Restart Manager session": 0.0, + "delete volume shadow copies": 0.0022371364653243847, + "detect VM via disk hardware WMI queries": 0.0, + "detect VM via motherboard hardware WMI queries": 0.0, + "manipulate safe mode programs": 0.0011185682326621924, + "read raw disk data": 0.002796420581655481, + "query service configuration": 0.008389261744966443, + "get token privileges": 0.0011185682326621924, + "obfuscated with DeepSea Obfuscator": 0.0, + "delete internet cache": 0.0, + "check for PEB NtGlobalFlag flag": 0.015100671140939598, + "implement COM DLL": 0.0005592841163310962, + "act as DHCP server callout DLL": 0.0, + "act as DNS server plugin DLL": 0.0, + "act as Security Support Provider DLL": 0.0, + "act as SubAuthentication Package DLL": 0.0, + "act as credential manager DLL": 0.0005592841163310962, + "reference public RSA key": 0.0016778523489932886, + "get domain controller name": 0.0011185682326621924, + "self delete": 0.0044742729306487695, + "extract HTTP body": 0.0, + "clear Windows event logs": 
0.0050335570469798654, + "lock the desktop": 0.0022371364653243847, + "hide the Windows taskbar": 0.0022371364653243847, + "manipulate CD-ROM drive": 0.0005592841163310962, + "power down monitor": 0.0050335570469798654, + "swap mouse buttons": 0.0005592841163310962, + "execute command": 0.0044742729306487695, + "overwrite Master Boot Record (MBR)": 0.0005592841163310962, + "linked against ZLIB": 0.006711409395973154, + "compiled with nuitka": 0.0, + "contain anti-disasm techniques": 0.0, + "terminate process by name": 0.0011185682326621924, + "reference anti-VM strings targeting Qemu": 0.002796420581655481, + "decompress data using UCL": 0.009507829977628635, + "get CPU information": 0.002796420581655481, + "create device object": 0.0022371364653243847, + "enumerate minifilter drivers": 0.0, + "find process by PID": 0.0016778523489932886, + "inspect load icon resource": 0.0022371364653243847, + "capture screenshot via keybd event": 0.0, + "decrypt data using TEA": 0.0011185682326621924, + "encrypt data using TEA": 0.0011185682326621924, + "encrypt data using RC6": 0.0005592841163310962, + "check for sandbox and av modules": 0.0039149888143176735, + "check if process is running under wine": 0.002796420581655481, + "create shortcut via IShellLink": 0.0005592841163310962, + "send TCP data via WFP API": 0.0, + "copy network traffic": 0.0, + "register network filter via WFP API": 0.0, + "allocate user process RWX memory": 0.0, + "free user process memory": 0.0, + "get OS information via KUSER_SHARED_DATA": 0.0005592841163310962, + "compiled with Go": 0.0, + "decompress data using QuickLZ": 0.0011185682326621924, + "schedule task via schtasks": 0.0005592841163310962, + "encrypt data using XTEA": 0.0022371364653243847, + "compiled with Borland Delphi": 0.002796420581655481, + "load NCR ATM library": 0.0022371364653243847, + "encrypt data using RC4 with custom key via WinAPI": 0.0005592841163310962, + "act as password filter DLL": 0.0, + "schedule task via ITaskService": 
0.0, + "reference absolute stream path on Windows": 0.0, + "linked against CPP JSON library": 0.0, + "access PE header": 0.012304250559284116, + "compiled with cx_Freeze": 0.0, + "acquire credentials from Windows Credential Manager": 0.0022371364653243847, + "execute shell command and capture output": 0.0039149888143176735, + "encrypt data using OpenSSL DSA": 0.0005592841163310962, + "encrypt data using OpenSSL RSA": 0.0005592841163310962, + "enumerate browser history": 0.0, + "linked against wolfCrypt": 0.0, + "compiled with Nim": 0.0, + "compiled with MinGW for Windows": 0.0011185682326621924, + "disable AppInit_DLLs code signature enforcement": 0.0, + "persist via AppInit_DLLs registry key": 0.0016778523489932886, + "inject shellcode using extra window memory": 0.0, + "gather 3d-ftp information": 0.0, + "gather alftp information": 0.0, + "gather bitkinex information": 0.0, + "gather blazeftp information": 0.0, + "gather bulletproof-ftp information": 0.0005592841163310962, + "gather classicftp information": 0.0, + "gather coreftp information": 0.0005592841163310962, + "gather cuteftp information": 0.0005592841163310962, + "gather cyberduck information": 0.0005592841163310962, + "gather direct-ftp information": 0.002796420581655481, + "gather directory-opus information": 0.0, + "gather expandrive information": 0.0, + "gather faststone-browser information": 0.0, + "gather fasttrack-ftp information": 0.0, + "gather ffftp information": 0.0005592841163310962, + "gather filezilla information": 0.0011185682326621924, + "gather flashfxp information": 0.0011185682326621924, + "gather fling-ftp information": 0.0005592841163310962, + "gather freshftp information": 0.0, + "gather frigate3 information": 0.0, + "gather ftp-commander information": 0.0, + "gather ftp-explorer information": 0.0005592841163310962, + "gather ftp-voyager information": 0.0, + "gather ftpgetter information": 0.0, + "gather ftpinfo information": 0.0, + "gather ftpnow information": 0.0, + "gather 
ftprush information": 0.0, + "gather ftpshell information": 0.0, + "gather global-downloader information": 0.0, + "gather goftp information": 0.0, + "gather leapftp information": 0.0011185682326621924, + "gather netdrive information": 0.0, + "gather nexusfile information": 0.0, + "gather nova-ftp information": 0.0, + "gather robo-ftp information": 0.0011185682326621924, + "gather securefx information": 0.0, + "gather smart-ftp information": 0.0, + "gather softx-ftp information": 0.0, + "gather southriver-webdrive information": 0.0005592841163310962, + "gather staff-ftp information": 0.0, + "gather total-commander information": 0.0005592841163310962, + "gather turbo-ftp information": 0.0005592841163310962, + "gather ultrafxp information": 0.0, + "gather winscp information": 0.0, + "gather winzip information": 0.0005592841163310962, + "gather wise-ftp information": 0.0005592841163310962, + "gather ws-ftp information": 0.0, + "gather xftp information": 0.0, + "impersonate user": 0.0005592841163310962, + "linked against aPLib": 0.0011185682326621924, + "reference NCR ATM library routines": 0.0039149888143176735, + "read and send data from client to server": 0.006152125279642058, + "set global application hook": 0.0011185682326621924, + "change the wallpaper": 0.0, + "disable automatic Windows recovery features": 0.0, + "listen for remote procedure calls": 0.0016778523489932886, + "encode data using Base64 via WinAPI": 0.003355704697986577, + "get outbound credentials handle via CredSSP": 0.0005592841163310962, + "encrypt data using DES via WinAPI": 0.0022371364653243847, + "get user security identifier": 0.0022371364653243847, + "create registry key via offline registry library": 0.0, + "open registry key via offline registry library": 0.0011185682326621924, + "query registry key via offline registry library": 0.0011185682326621924, + "set registry key via offline registry library": 0.0005592841163310962, + "set HTTP header": 0.002796420581655481, + "check Internet 
connectivity via WinINet": 0.002796420581655481, + "resolve function by Brute Ratel Badger hash": 0.0, + "resolve function by hash": 0.0005592841163310962, + "load Diebold Nixdorf ATM library": 0.0, + "linked against Crypto++": 0.0016778523489932886, + "receive HTTP request": 0.0, + "register HTTP server URL": 0.0, + "send HTTP response": 0.0, + "create mailslot": 0.0016778523489932886, + "read from mailslot": 0.0011185682326621924, + "compiled with exe4j": 0.0, + "resolve function by djb2 hash": 0.0, + "inject shellcode using window subclass procedure": 0.0, + "hash data using RIPEMD128": 0.0005592841163310962, + "hash data using SHA224": 0.0011185682326621924, + "execute .NET assembly via CLR host": 0.0, + "load Windows Common Language Runtime": 0.0, + "create new application domain in .NET": 0.0, + "get HTTP response content encoding": 0.0, + "get Explorer PID": 0.0016778523489932886, + "obfuscated with callobfuscator": 0.0, + "capture network configuration via ipconfig": 0.0, + "connect to URL": 0.0016778523489932886, + "decompress HTTP response via IEncodingFilterFactory": 0.0005592841163310962, + "create reverse shell on Linux": 0.0, + "execute shell command received from socket on Linux": 0.0, + "change file permission on Linux": 0.0022371364653243847, + "get memory information": 0.0, + "lock file": 0.0, + "get Linux distribution": 0.0, + "persist via .desktop autostart": 0.0, + "persist via shell profile or rc file": 0.0, + "persist via rc script": 0.0, + "execute anti-debugging instructions": 0.0050335570469798654, + "reference DNS over HTTPS endpoints": 0.0, + "deserialize JSON in .NET": 0.0, + "compiled with Zig": 0.0, + "get proxy": 0.0005592841163310962, + "check for Windows sandbox via device": 0.0, + "check for Windows sandbox via dns suffix": 0.0, + "check for Windows sandbox via genuine state": 0.0, + "check for Windows sandbox via process name": 0.0, + "check for Windows sandbox via registry": 0.0, + "check for microsoft office emulation": 0.0, + 
"check for sandbox username or hostname": 0.0011185682326621924, + "64-bit execution via heavens gate": 0.0, + "hash data using CRC32b": 0.0005592841163310962, + "persist via Winlogon Helper DLL registry key": 0.0011185682326621924, + "compiled with ps2exe": 0.0005592841163310962, + "run PowerShell expression": 0.0005592841163310962, + "crash the Windows event logging service": 0.0, + "capture public ip": 0.0, + "compiled with perl2exe": 0.0, + "inject shellcode using a file mapping object": 0.0, + "encrypt data using HC-128 via WolfSSL": 0.0, + "read data from CLFS log container": 0.0, + "rebuild import table": 0.0005592841163310962, + "encrypt data using skipjack": 0.0, + "get session integrity level": 0.0, + "decode data using Base64 via dword translation table": 0.0005592841163310962, + "encrypt data using vest": 0.0022371364653243847, + "get logon sessions": 0.0005592841163310962, + "discover Group Policy via gpresult": 0.0, + "create VMCI socket": 0.0, + "capture microphone audio": 0.006152125279642058, + "start TCP server": 0.0005592841163310962, + "open clipboard": 0.0005592841163310962, + "compiled with pyarmor": 0.0, + "create TCP socket": 0.0, + "act as Exchange transport agent": 0.0, + "execute shellcode via CreateThreadpoolWait": 0.0, + "hash data using MD4": 0.0, + "check for OutputDebugString error": 0.0011185682326621924, + "check for protected handle exception": 0.0005592841163310962, + "check for trap flag exception": 0.0005592841163310962, + "check for unexpected memory writes": 0.0039149888143176735, + "check process job object": 0.0005592841163310962, + "reference anti-VM strings targeting Parallels": 0.0005592841163310962, + "reference anti-VM strings targeting VirtualPC": 0.0005592841163310962, + "get number of processor cores": 0.0005592841163310962, + "enumerate disk properties": 0.0005592841163310962, + "inject APC": 0.0005592841163310962, + "inject dll": 0.002796420581655481, + "check for hardware breakpoints": 0.0, + "check for kernel 
debugger via shared user data structure": 0.0, + "identify ATM dispenser service provider": 0.0005592841163310962, + "reference Diebold ATM routines": 0.0005592841163310962, + "resolve function by FIN8 fasthash": 0.0005592841163310962, + "register minifilter driver": 0.0, + "start minifilter driver": 0.0, + "simulate CTRL ALT DEL": 0.0011185682326621924, + "get session information": 0.0005592841163310962, + "create virtual file system in .NET": 0.0, + "invoke .NET assembly method": 0.0005592841163310962, + "make an HTTP request with a Cookie": 0.0005592841163310962, + "obfuscated with ADVobfuscator": 0.0, + "execute shellcode via CopyFile2": 0.0, + "compiled with rust": 0.0, + "list groups for user account": 0.0, + "references logon banner": 0.0, + "enumerate internet cache": 0.0, + "log keystrokes via raw input data": 0.0, + "register raw input devices": 0.0, + "get routing table": 0.0005592841163310962, + "inject pe": 0.0, + "rebuilt by ImpRec": 0.0, + "patch process command line": 0.0, + "inject DLL reflectively": 0.0, + "impersonate file version information": 0.0, + "list drag and drop files": 0.0, + "encrypt data using HC-128": 0.0005592841163310962, + "compiled with V": 0.0, + "encrypt data using Sosemanuk": 0.010626398210290829, + "compiled with py2exe": 0.0005592841163310962, + "compress data using LZO": 0.0, + "decompress data using LZO": 0.0022371364653243847, + "obfuscated with vs-obfuscation": 0.0, + "execute shellcode via Windows fibers": 0.0, + "check ProcessDebugPort": 0.0005592841163310962, + "check SystemKernelDebuggerInformation": 0.0, + "bypass Windows File Protection": 0.0016778523489932886, + "continue service": 0.0005592841163310962, + "pause service": 0.0005592841163310962, + "persist via GinaDLL registry key": 0.0 +} \ No newline at end of file diff --git a/capa/render/default.py b/capa/render/default.py index ac2c2eef50..17c3c6cf17 100644 --- a/capa/render/default.py +++ b/capa/render/default.py 
@@ -94,7 +94,8 @@ def load_rules_prevalence(file: Path) -> dict:
             raise RuntimeError(f"An error occurred while loading '{file}': {e}")
 
     subrule_matches = find_subrule_matches(doc)
-    rules_prevalence = load_rules_prevalence(Path("./assets/rules_prevalence.json"))
+    CD = Path(__file__).resolve().parent.parent.parent
+    rules_prevalence = load_rules_prevalence(CD / "assets" / "rules_prevalence.json")
 
     # seperate rules based on their prevalence
     common = []
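Review bot: The three-level `parent` walk on the added `CD = Path(__file__).resolve().parent.parent.parent` line pins the lookup to a source-checkout layout: from `capa/render/default.py` it lands on the repository root, and the diffstat places `assets/` there beside the `capa/` package rather than inside it, so unless packaging is adjusted an installed wheel or a frozen build will presumably not find the file. Because the loader above this hunk raises `RuntimeError(f"An error occurred while loading '{file}': {e}")` on a load failure, that turns a missing data file into a failed render rather than a render without prevalence information. Consider shipping the JSON inside the package and resolving it next to the module, e.g. `rules_prevalence_path = Path(__file__).resolve().parent / "rules_prevalence.json"`, and treating a missing file as "prevalence unknown" instead of propagating the error; `importlib.resources` is the packaging-safe alternative. The local name `CD` is also styled as a module constant; `repo_root` reads better. The enclosing function starts and ends outside the hunk.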