Behavior hunting

Creating rules based on file behavior

The vt module provides a comprehensive view of a file, including its static properties, antivirus detection details, and also exposes information about how the file behaves.

To achieve this, we run the executable file through multiple sandbox environments, including our own Jujubox, CAPE, CAPA and other third-party solutions. The behavioral information generated by all those sandboxes is normalized into a common format and merged as if it had been generated by a single sandbox. This aggregated behavior report is what the vt module exposes to your rule.

Here are some examples of how this behavioral information can be used:

import "vt"

rule drops_foo_exe {
  condition:
    for any file_dropped in vt.behaviour.files_dropped : (
      file_dropped.path contains "foo.exe"
    )
}

import "vt"

rule mutex_hgl345 {
  condition:
    for any mutex in vt.behaviour.mutexes_created : (
      mutex == "HGL345"
    )
}

import "vt"

rule persistence_and_self_deletion {
  condition:
    for any trait in vt.behaviour.traits : ( trait == vt.BehaviourTrait.PERSISTENCE ) and
    for any trait in vt.behaviour.traits : ( trait == vt.BehaviourTrait.SELF_DELETE )
}
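The rules above each test a single field. As an added example (not from the original page), the following rule chains three of the behaviour sections documented below into one hunting condition: a dropped executable, a Run-key value that makes it persistent, and an outbound HTTP request. The "\appdata\" path fragment and the "Mozilla/4.0" user-agent substring are constructed placeholders, and the header is checked under both key spellings because dictionary keys are case-sensitive.

```yara
import "vt"

// Added example: a sample that drops an .exe under AppData, registers it in a
// Run key and then talks HTTP. Thresholds and strings are placeholders.
rule dropped_runkey_persistence_with_beacon {
  meta:
    description = "Dropped executable made persistent via Run key and beaconing over HTTP"

  condition:
    // 1. Something executable was written under a user profile directory.
    for any f in vt.behaviour.files_dropped : (
      f.path icontains "\\appdata\\" and f.path iendswith ".exe"
    ) and

    // 2. A Run key value points back into that same location. Backslashes
    //    in the regex are escaped so they match literal path separators.
    for any r in vt.behaviour.registry_keys_set : (
      r.key matches /\\currentversion\\run\\/i and
      r.value icontains "\\appdata\\"
    ) and

    // 3. At least one HTTP GET carried the suspicious user agent. Header
    //    names are case-sensitive and appear as the sandbox reported them,
    //    so both common spellings are tested.
    for any c in vt.behaviour.http_conversations : (
      c.request_method == vt.Http.Method.GET and (
        c.request_headers["User-Agent"] contains "Mozilla/4.0" or
        c.request_headers["user-agent"] contains "Mozilla/4.0"
      )
    )
}
```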

Fields

The list below describes all the existing behaviour-related fields:

Detection

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| vt.behaviour.calls_highlighted | array of strings | API calls that are worth remarking because they are suspicious (e.g. "android.media.AudioRecord.startRecording", "GetTickCount"). | |
| vt.behaviour.text_highlighted | array of strings | Text that can provide further context about the file; this might be window titles, dialogs, output streams, etc. | |
| vt.behaviour.text_decoded | array of strings | Strings that are either encoded or decoded during the observed time frame; only the decoded strings are recorded, in plain form. | |
| vt.behaviour.traits | array of integers | List that contains a subset of the values listed in the behaviour traits table. | `for any t in vt.behaviour.traits : ( t == vt.BehaviourTrait.LONG_SLEEPS )` |
| vt.behaviour.invokes | array of strings | | |
| vt.behaviour.verdicts | array of integers | Some sandboxes produce a verdict based on the file behaviour. This list contains one or more of the values listed in the behaviour verdicts table. | `for any t in vt.behaviour.verdicts : ( t == vt.BehaviourVerdict.RANSOM )` |
| vt.behaviour.verdict_labels | string | List that contains the verdict labels based on the file behaviour sandboxes. | `for any label in vt.behaviour.verdict_labels : ( label contains "PDFPhish" )` |
| vt.behaviour.mitre_attack_techniques | string | String containing the MITRE ATT&CK techniques. | `for any technique in vt.behaviour.mitre_attack_techniques : ( technique.id == "t1012" )` |
| vt.behaviour.mbc[x].id | string | MBC identifier. Check the Malware Behavior Catalog for more info. | `for any catalog in vt.behaviour.mbc : ( catalog.id == "B0003.003" )` |
| vt.behaviour.mbc[x].method | string | Textual description of the method used. | `for any catalog in vt.behaviour.mbc : ( catalog.method == "Delayed Execution" )` |
| vt.behaviour.mbc[x].objective | string | Textual description of the objective. | `for any catalog in vt.behaviour.mbc : ( catalog.objective == "Anti-Behavioral Analysis" )` |
| vt.behaviour.mbc[x].behavior | string | Textual description of the behavior. | `for any catalog in vt.behaviour.mbc : ( catalog.behavior == "Dynamic Analysis Evasion" )` |

Files

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| vt.behaviour.files_attribute_changed | array of strings | Paths of the files whose attributes have changed. | `for any f in vt.behaviour.files_attribute_changed : ( f contains ".exe" )` |
| vt.behaviour.files_copied | array of structs | Structures with information about files that have been copied. | `for any f in vt.behaviour.files_copied : ( f.source contains ".exe" and f.destination contains "system32" )` |
| vt.behaviour.files_copied[x].source | string | Path where the file was copied from. | |
| vt.behaviour.files_copied[x].destination | string | Path where the file was copied to. | |
| vt.behaviour.files_deleted | array of strings | Paths of the files that have been deleted. | |
| vt.behaviour.files_dropped | array of structs | Structures with information about files that have been dropped. | |
| vt.behaviour.files_dropped[x].path | string | Path of the dropped file. | |
| vt.behaviour.files_dropped[x].sha256 | string | SHA-256 of the dropped file. | |
| vt.behaviour.files_dropped[x].type | integer | Type of the dropped file. | |
| vt.behaviour.files_dropped[x].process_name | string | Name of the process that dropped the file. | |
| vt.behaviour.files_dropped[x].process_id | string | ID of the process that dropped the file. | |
| vt.behaviour.files_opened | array of strings | Paths of the files that have been opened. | |
| vt.behaviour.files_written | array of strings | Paths of the files that have been written. | |

Network

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| vt.behaviour.dns_lookups | array of structs | List of DNS resolutions performed. | |
| vt.behaviour.dns_lookups[x].hostname | string | Hostname in the DNS lookup request. | |
| vt.behaviour.dns_lookups[x].resolved_ips | array of strings | List of IP addresses returned for the requested hostname. | |
| vt.behaviour.hosts_file | string | Content of the "hosts" file. | |
| vt.behaviour.ip_traffic | array of structs | List of established IP connections. | |
| vt.behaviour.ip_traffic[x].destination_ip | string | Destination IP address. | |
| vt.behaviour.ip_traffic[x].destination_ip_as_int | integer | Destination IP address in dotless decimal (integer) notation. | `for any t in vt.behaviour.ip_traffic : ( t.destination_ip_as_int == 3941835776 )` |
| vt.behaviour.ip_traffic[x].destination_ip_asn | integer | Autonomous System Number of the destination IP. | `for any t in vt.behaviour.ip_traffic : ( t.destination_ip_asn == 74838 )` |
| vt.behaviour.ip_traffic[x].destination_port | integer | Destination port. | |
| vt.behaviour.ip_traffic[x].transport_layer_protocol | integer | One of the constants listed in network protocols. | |
| vt.behaviour.http_conversations | array of structs | List of HTTP requests performed. | |
| vt.behaviour.http_conversations[x].url | string | Requested URL. | |
| vt.behaviour.http_conversations[x].request_method | integer | One of the constants listed in HTTP methods. | `for any c in vt.behaviour.http_conversations : ( c.request_method == vt.Http.Method.GET )` |
| vt.behaviour.http_conversations[x].request_headers | dictionary | HTTP request headers. Notice that dictionary keys are case-sensitive, so request_headers["user-agent"] is not the same as request_headers["User-Agent"]. The header name appears as reported by the sandbox. | `for any c in vt.behaviour.http_conversations : ( c.request_headers["user-agent"] == "Moxilla" )` |
| vt.behaviour.http_conversations[x].response_headers | dictionary | HTTP response headers. | |
| vt.behaviour.http_conversations[x].response_status_code | integer | HTTP status code returned by the server. | |
| vt.behaviour.http_conversations[x].response_body_filetype | integer | Type of the response body, if it was one of the recognizable file types. | |
| vt.behaviour.smtp_conversations[x].hostname | string | Host name of the SMTP server. | |
| vt.behaviour.smtp_conversations[x].destination_ip | integer | IP address of the SMTP server. | |
| vt.behaviour.smtp_conversations[x].destination_port | integer | Port number of the SMTP server (usually 25). | |
| vt.behaviour.smtp_conversations[x].smtp_from | string | MAIL FROM: field in the SMTP protocol. | |
| vt.behaviour.smtp_conversations[x].smtp_to | array of strings | MAIL TO: field in the SMTP protocol. | |
| vt.behaviour.smtp_conversations[x].message_from | array of strings | "from" field in the message header. | |
| vt.behaviour.smtp_conversations[x].message_to | array of strings | "to" field in the message header. | |
| vt.behaviour.smtp_conversations[x].message_cc | array of strings | "cc" field in the message header. | |
| vt.behaviour.smtp_conversations[x].message_bcc | array of strings | "bcc" field in the message header. | |
| vt.behaviour.smtp_conversations[x].timestamp | string | Message timestamp. Example: "Thu, 16 Jul 2020 6:1:58 GMT". | |
| vt.behaviour.smtp_conversations[x].subject | string | Message subject. | |
| vt.behaviour.smtp_conversations[x].html_body | string | Message body in HTML form. | |
| vt.behaviour.smtp_conversations[x].txt_body | string | Message body in text form. | |
| vt.behaviour.smtp_conversations[x].x_mailer | string | Program used for sending the email. Same as the "X-Mailer" header. | |
| vt.behaviour.tls | array of structs | Certificates of the contacted domains/IPs. | |
| vt.behaviour.tls[x].issuer | dictionary | Certificate issuer information. Keys are certificate fields (C, CN, O, etc.) as strings and values are strings. | `for any t in vt.behaviour.tls : ( t.issuer["CN"] == "Foobar" )` |
| vt.behaviour.tls[x].ja3 | string | JA3 client fingerprint. | `for any t in vt.behaviour.tls : ( t.ja3 == "00112233445566778899aabbccddeeff" )` |
| vt.behaviour.tls[x].ja3s | string | JA3S server fingerprint. | `for any t in vt.behaviour.tls : ( t.ja3s == "00112233445566778899aabbccddeeff" )` |
| vt.behaviour.tls[x].ja4 | string | JA4 client fingerprint. More info in Unveiling Hidden Connections: JA4 Client Fingerprinting on VirusTotal. | `for any t in vt.behaviour.tls : ( t.ja4 matches /t10d070600_.*_1a3805c3aa63/ )` |
| vt.behaviour.tls[x].serial_number | string | Certificate serial number. | `for any t in vt.behaviour.tls : ( t.serial_number == "00112233445566778899aabbccddeeff" )` |
| vt.behaviour.tls[x].sni | string | Server name indication (SNI) sent for the certificate. | `for any t in vt.behaviour.tls : ( t.sni matches /example.com/ )` |
| vt.behaviour.tls[x].thumbprint | string | Certificate thumbprint. | `for any t in vt.behaviour.tls : ( t.thumbprint == "00112233445566778899aabbccddeeff00112233" )` |
| vt.behaviour.tls[x].subject | dictionary | Certificate subject information. Same format as the issuer field. | `for any t in vt.behaviour.tls : ( t.subject["CN"] == "example.com" )` |
| vt.behaviour.tls[x].version | string | TLS version. | `for any t in vt.behaviour.tls : ( t.version == "TLS 1.2" )` |

Permissions

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| vt.behaviour.permissions_checked | array of structs | Permissions checked by the application. | |
| vt.behaviour.permissions_checked[x].permission | string | Permission checked. | `for any p in vt.behaviour.permissions_checked : ( p.permission == "android.permission.INTERNET" )` |
| vt.behaviour.permissions_checked[x].owner | string | | |
| vt.behaviour.permissions_requested | array of strings | Permissions requested by the application. | `for any p in vt.behaviour.permissions_requested : ( p == "android.permission.BLUETOOTH" )` |

Processes

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| vt.behaviour.command_executions | array of strings | Commands executed, including their command-line arguments. | `for any cmd in vt.behaviour.command_executions : ( cmd contains "cmd.exe /Q /c" )` |
| vt.behaviour.modules_loaded | array of strings | Modules or libraries dynamically loaded (e.g. DLLs loaded with LoadLibrary in Windows, DEX and .class files dynamically loaded in Android). | `for any lib in vt.behaviour.modules_loaded : ( lib == "zlib.dll" )` |
| vt.behaviour.mutexes_created | array of strings | Mutexes created. | `for any mutex in vt.behaviour.mutexes_created : ( mutex contains "HGL345" )` |
| vt.behaviour.mutexes_opened | array of strings | Mutexes opened. | |
| vt.behaviour.processes_created | array of strings | Processes created. | |
| vt.behaviour.processes_injected | array of strings | Processes in which some kind of code was injected. For instance, in Windows this is commonly done using CreateRemoteThread. | |
| vt.behaviour.processes_killed | array of strings | Processes that were explicitly killed. | |
| vt.behaviour.processes_terminated | array of strings | Processes that terminated during the observed time, not necessarily killed. | |
| vt.behaviour.signals_hooked | array of strings | Signals hooked. In Windows this includes the Windows messages hooked with SetWindowsHook; the string contains both the hook type and the function used (e.g. "WH_KEYBOARD - SetWindowsHook"). In Android, registered receivers are considered hooks. | Windows: `for any s in vt.behaviour.signals_hooked : ( s contains "WH_KEYBOARD" )` Android: `for any s in vt.behaviour.signals_hooked : ( s == "android.intent.action.PROXY_CHANGE" )` |
| vt.behaviour.signals_observed | array of strings | Those of the hooked signals that were actually observed. | |

Services

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| vt.behaviour.services_created | array of strings | Services created. In some OSes services are simply any program that runs in the background without user interaction. | `for any svc in vt.behaviour.services_created : ( svc == "eckwIIMB" )` |
| vt.behaviour.services_opened | array of strings | Services opened. | |
| vt.behaviour.services_started | array of strings | Services started. | |
| vt.behaviour.services_stopped | array of strings | Services stopped. | |

Registry

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| vt.behaviour.registry_keys_deleted | array of strings | Deleted registry keys. | `for any key in vt.behaviour.registry_keys_deleted : ( key contains "" )` |
| vt.behaviour.registry_keys_opened | array of strings | Opened registry keys. | |
| vt.behaviour.registry_keys_set | array of structs | Modified registry keys and their new values. Backslashes in the regex below are escaped so they match literal path separators rather than regex escapes. | `for any r in vt.behaviour.registry_keys_set : ( r.key matches /\\windows\\currentversion\\run/i and r.value contains "VMIntel386.exe" )` |
| vt.behaviour.registry_keys_set[x].key | string | Registry key. | |
| vt.behaviour.registry_keys_set[x].value | string | New value for the registry key. | |

Windows specific

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| vt.behaviour.windows_hidden | array of strings | Information about windows that have been hidden. The string contains the caption of the hidden window and the name of the process owning the window. | `for any w in vt.behaviour.windows_hidden : ( w contains "cmd.exe /C" )` |
| vt.behaviour.windows_searched | array of strings | Windows that have been searched for (e.g. using FindWindow). The strings can contain the window's name, the window's class name, or both. | `for any w in vt.behaviour.windows_searched : ( w contains "BANCO REAL" )` |

Android specific

| Field | Type | Description | Example |
| --- | --- | --- | --- |
| vt.behaviour.services_bound | array of strings | Service binding applies only to Android. A bind operation takes a component, an action, and potentially multiple extras. These are represented as: `<component><action><extra>` | `for any svc in vt.behaviour.services_bound : ( svc contains "gms.analytics.service.START" )` |
| vt.behaviour.shared_preferences_lookups | array of strings | Shared preferences that have been read. | |
| vt.behaviour.shared_preferences_sets | array of structs | Shared preferences that have been modified. | |
| vt.behaviour.shared_preferences_sets[x].key | string | Shared preference key. | |
| vt.behaviour.shared_preferences_sets[x].value | string | New value for the preference. | |
| vt.behaviour.system_property_lookups | array of strings | System properties that have been read. | |
| vt.behaviour.system_property_sets | array of structs | System properties that have been modified. | |
| vt.behaviour.system_property_sets[x].key | string | Property key. | |
| vt.behaviour.system_property_sets[x].value | string | New value for the property. | |