_id file_info hashes metadata attack_tactics maec_categories mbc_behaviors capabilities sha256 analysis_data timestamp md5
69184e3f0999409cf96ec55a
{
  "path": "/home/apogean/projects/malware/windows/samples/dll_sample.dll",
  "name": "dll_sample.dll",
  "size": "52224 bytes",
  "analysis_date": "2025-11-13 12:35:21"
}
{
  "md5": "40784dca35fa06d4c4cb932e101e56ab",
  "sha1": "b105724b5bee4ad43b23cf35d8d29ff231f94aec",
  "sha256": "cf9cdd5d26283d31c43eb4df35a0dfc867da74441e5363890a84b988d8514c62"
}
{
  "md5": "40784dca35fa06d4c4cb932e101e56ab",
  "sha1": "b105724b5bee4ad43b23cf35d8d29ff231f94aec",
  "sha256": "cf9cdd5d26283d31c43eb4df35a0dfc867da74441e5363890a84b988d8514c62",
  "analysis": "static",
  "os": "windows",
  "format": "pe",
  "arch": "i386",
  "path": "/home/apogean/projects/malware/windows/samples/dll_sample.dll"
}
[
  {
    "tactic": "DEFENSE EVASION",
    "technique": "Obfuscated Files or Information",
    "id": "T1027"
  },
  {
    "tactic": "DISCOVERY",
    "technique": "File and Directory Discovery",
    "id": "T1083"
  },
  {
    "tactic": "EXECUTION",
    "technique": "Shared Modules",
    "id": "T1129"
  }
]
[
  {
    "category": "malware-category",
    "value": "launcher"
  }
]
[
  {
    "objective": "DATA",
    "behavior": "Encode Data::XOR",
    "code": "C0026.002"
  },
  {
    "objective": "DEFENSE EVASION",
    "behavior": "Obfuscated Files or Information::Encoding-Standard Algorithm",
    "code": "E1027.m02"
  },
  {
    "objective": "DISCOVERY",
    "behavior": "Code Discovery::Enumerate PE Sections",
    "code": "B0046.001"
  },
  {
    "objective": "DISCOVERY",
    "behavior": "File and Directory Discovery",
    "code": "E1083"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Create Directory",
    "code": "C0046"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Delete File",
    "code": "C0047"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Get File Attributes",
    "code": "C0049"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Read File",
    "code": "C0051"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Writes File",
    "code": "C0052"
  },
  {
    "objective": "PROCESS",
    "behavior": "Create Process",
    "code": "C0017"
  },
  {
    "objective": "PROCESS",
    "behavior": "Terminate Process",
    "code": "C0018"
  }
]
[
  {
    "capability": "encode data using XOR",
    "namespace": "data-manipulation/encoding/xor"
  },
  {
    "capability": "contains PDB path",
    "namespace": "executable/pe/pdb"
  },
  {
    "capability": "create directory",
    "namespace": "host-interaction/file-system/create"
  },
  {
    "capability": "delete file",
    "namespace": "host-interaction/file-system/delete"
  },
  {
    "capability": "check if file exists",
    "namespace": "host-interaction/file-system/exists"
  },
  {
    "capability": "get file attributes (2 matches)",
    "namespace": "host-interaction/file-system/meta"
  },
  {
    "capability": "read file on Windows",
    "namespace": "host-interaction/file-system/read"
  },
  {
    "capability": "write file on Windows (4 matches)",
    "namespace": "host-interaction/file-system/write"
  },
  {
    "capability": "create process on Windows (3 matches)",
    "namespace": "host-interaction/process/create"
  },
  {
    "capability": "terminate process",
    "namespace": "host-interaction/process/terminate"
  },
  {
    "capability": "enumerate PE sections",
    "namespace": "load-code/pe"
  },
  {
    "capability": "parse PE header",
    "namespace": "load-code/pe"
  },
  {
    "capability": "resolve function by parsing PE exports",
    "namespace": "load-code/pe"
  }
]
693183ff21f7c0a343defdc6
{
  "path": "/home/apogean/projects/malware/windows/all_runs/360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f.exe",
  "name": "360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f.exe",
  "size": "228352 bytes",
  "analysis_date": "2025-12-04 12:52:06"
}
{
  "md5": "9a5ff998dbf0f6923d0b454d89800fb4",
  "sha1": "4f4fa23e9c503b941a5e91584d6ecc3813962ba1",
  "sha256": "360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f"
}
{
  "md5": "9a5ff998dbf0f6923d0b454d89800fb4",
  "sha1": "4f4fa23e9c503b941a5e91584d6ecc3813962ba1",
  "sha256": "360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f",
  "analysis": "static",
  "os": "any",
  "format": "dotnet",
  "arch": "any",
  "path": "/home/apogean/projects/malware/windows/all_runs/360e6f2288b6c836…"
}
[
  {
    "tactic": "COLLECTION",
    "technique": "Clipboard Data",
    "id": "T1115"
  },
  {
    "tactic": "",
    "technique": "Data from Information Repositories",
    "id": "T1213"
  },
  {
    "tactic": "",
    "technique": "Input Capture::Keylogging",
    "id": "T1056.001"
  },
  {
    "tactic": "",
    "technique": "Screen Capture",
    "id": "T1113"
  },
  {
    "tactic": "",
    "technique": "Web Browsers",
    "id": "T1555.003"
  },
  {
    "tactic": "DEFENSE EVASION",
    "technique": "Deobfuscate/Decode Files or Information",
    "id": "T1140"
  },
  {
    "tactic": "",
    "technique": "File and Directory Permissions Modification",
    "id": "T1222"
  },
  {
    "tactic": "",
    "technique": "Hide Artifacts",
    "id": "T1564"
  },
  {
    "tactic": "",
    "technique": "Hide Artifacts::Hidden Window",
    "id": "T1564.003"
  },
  {
    "tactic": "",
    "technique": "Impair Defenses::Disable or Modify Tools",
    "id": "T1562.001"
  },
  {
    "tactic": "",
    "technique": "Indicator Removal::File Deletion",
    "id": "T1070.004"
  },
  {
    "tactic": "",
    "technique": "Modify Registry",
    "id": "T1112"
  },
  {
    "tactic": "",
    "technique": "Obfuscated Files or Information",
    "id": "T1027"
  },
  {
    "tactic": "",
    "technique": "Delivery",
    "id": "T1027.004"
  },
  {
    "tactic": "",
    "technique": "Reflective Code Loading",
    "id": "T1620"
  },
  {
    "tactic": "DISCOVERY",
    "technique": "Account Discovery",
    "id": "T1087"
  },
  {
    "tactic": "",
    "technique": "Application Window Discovery",
    "id": "T1010"
  },
  {
    "tactic": "",
    "technique": "File and Directory Discovery",
    "id": "T1083"
  },
  {
    "tactic": "",
    "technique": "Process Discovery",
    "id": "T1057"
  },
  {
    "tactic": "",
    "technique": "Query Registry",
    "id": "T1012"
  },
  {
    "tactic": "",
    "technique": "Software Discovery",
    "id": "T1518"
  },
  {
    "tactic": "",
    "technique": "System Information Discovery",
    "id": "T1082"
  },
  {
    "tactic": "",
    "technique": "System Location Discovery",
    "id": "T1614"
  },
  {
    "tactic": "",
    "technique": "System Network Configuration Discovery",
    "id": "T1016"
  },
  {
    "tactic": "",
    "technique": "System Owner/User Discovery",
    "id": "T1033"
  },
  {
    "tactic": "EXECUTION",
    "technique": "Windows Management Instrumentation",
    "id": "T1047"
  },
  {
    "tactic": "IMPACT",
    "technique": "Resource Hijacking",
    "id": "T1496"
  },
  {
    "tactic": "",
    "technique": "/ Startup Folder",
    "id": "T1547.001"
  },
  {
    "tactic": "",
    "technique": "Association",
    "id": "T1546.001"
  },
  {
    "tactic": "",
    "technique": "Scheduled Task/Job::Scheduled Task",
    "id": "T1053.005"
  },
  {
    "tactic": "PRIVILEGE ESCALATION",
    "technique": "Access Token Manipulation",
    "id": "T1134"
  }
]
[
  {
    "category": "malware-category",
    "value": "launcher"
  }
]
[
  {
    "objective": "COLLECTION",
    "behavior": "Keylogging::Application Hook",
    "code": "F0002.001"
  },
  {
    "objective": "COLLECTION",
    "behavior": "Keylogging::Polling",
    "code": "F0002.002"
  },
  {
    "objective": "COLLECTION",
    "behavior": "Screen Capture::WinAPI",
    "code": "E1113.m01"
  },
  {
    "objective": "COMMAND AND CONTROL",
    "behavior": "C2 Communication::Receive Data",
    "code": "B0030.002"
  },
  {
    "objective": "COMMAND AND CONTROL",
    "behavior": "C2 Communication::Send Data",
    "code": "B0030.001"
  },
  {
    "objective": "COMMUNICATION",
    "behavior": "HTTP Communication",
    "code": "C0002"
  },
  {
    "objective": "COMMUNICATION",
    "behavior": "HTTP Communication::Create Request",
    "code": "C0002.012"
  },
  {
    "objective": "COMMUNICATION",
    "behavior": "HTTP Communication::Get Response",
    "code": "C0002.017"
  },
  {
    "objective": "COMMUNICATION",
    "behavior": "HTTP Communication::Read Header",
    "code": "C0002.014"
  },
  {
    "objective": "COMMUNICATION",
    "behavior": "HTTP Communication::Send Request",
    "code": "C0002.003"
  },
  {
    "objective": "COMMUNICATION",
    "behavior": "Socket Communication::Create TCP Socket",
    "code": "C0001.011"
  },
  {
    "objective": "COMMUNICATION",
    "behavior": "Socket Communication::TCP Client",
    "code": "C0001.008"
  },
  {
    "objective": "CRYPTOGRAPHY",
    "behavior": "Decrypt Data",
    "code": "C0031"
  },
  {
    "objective": "CRYPTOGRAPHY",
    "behavior": "Encrypt Data",
    "code": "C0027"
  },
  {
    "objective": "CRYPTOGRAPHY",
    "behavior": "Generate Pseudo-random Sequence::Use API",
    "code": "C0021.003"
  },
  {
    "objective": "DATA",
    "behavior": "Check String",
    "code": "C0019"
  },
  {
    "objective": "DATA",
    "behavior": "Decode Data::Base64",
    "code": "C0053.001"
  },
  {
    "objective": "DATA",
    "behavior": "Encode Data::Base64",
    "code": "C0026.001"
  },
  {
    "objective": "DEFENSE EVASION",
    "behavior": "Disable or Evade Security Tools",
    "code": "F0004"
  },
  {
    "objective": "DEFENSE EVASION",
    "behavior": "Self Deletion::COMSPEC Environment Variable",
    "code": ""
  },
  {
    "objective": "DEFENSE EVASION",
    "behavior": "[F0007.001]",
    "code": ""
  },
  {
    "objective": "DISCOVERY",
    "behavior": "File and Directory Discovery",
    "code": "E1083"
  },
  {
    "objective": "DISCOVERY",
    "behavior": "System Information Discovery",
    "code": "E1082"
  },
  {
    "objective": "DISCOVERY",
    "behavior": "Taskbar Discovery",
    "code": "B0043"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Copy File",
    "code": "C0045"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Create Directory",
    "code": "C0046"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Delete Directory",
    "code": "C0048"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Delete File",
    "code": "C0047"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Get File Attributes",
    "code": "C0049"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Move File",
    "code": "C0063"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Read File",
    "code": "C0051"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Set File Attributes",
    "code": "C0050"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Writes File",
    "code": "C0052"
  },
  {
    "objective": "OPERATING SYSTEM",
    "behavior": "Console",
    "code": "C0033"
  },
  {
    "objective": "OPERATING SYSTEM",
    "behavior": "Registry::Delete Registry Key",
    "code": "C0036.002"
  },
  {
    "objective": "OPERATING SYSTEM",
    "behavior": "Registry::Delete Registry Value",
    "code": "C0036.007"
  },
  {
    "objective": "OPERATING SYSTEM",
    "behavior": "Registry::Query Registry Key",
    "code": "C0036.005"
  },
  {
    "objective": "OPERATING SYSTEM",
    "behavior": "Registry::Query Registry Value",
    "code": "C0036.006"
  },
  {
    "objective": "OPERATING SYSTEM",
    "behavior": "Registry::Set Registry Key",
    "code": "C0036.001"
  },
  {
    "objective": "OPERATING SYSTEM",
    "behavior": "Wallpaper",
    "code": "C0035"
  },
  {
    "objective": "PERSISTENCE",
    "behavior": "Registry Run Keys / Startup Folder",
    "code": "F0012"
  },
  {
    "objective": "PROCESS",
    "behavior": "Create Mutex",
    "code": "C0042"
  },
  {
    "objective": "PROCESS",
    "behavior": "Create Process",
    "code": "C0017"
  },
  {
    "objective": "PROCESS",
    "behavior": "Create Thread",
    "code": "C0038"
  },
  {
    "objective": "PROCESS",
    "behavior": "Suspend Thread",
    "code": "C0055"
  },
  {
    "objective": "PROCESS",
    "behavior": "Terminate Process",
    "code": "C0018"
  }
]
[
  {
    "capability": "self delete (3 matches)",
    "namespace": "anti-analysis/anti-forensic/self-de…"
  },
  {
    "capability": "get geographical location",
    "namespace": "collection"
  },
  {
    "capability": "save image in .NET",
    "namespace": "collection"
  },
  {
    "capability": "gather firefox profile information",
    "namespace": "collection/browser"
  },
  {
    "capability": "reference SQL statements (2 matches)",
    "namespace": "collection/database/sql"
  },
  {
    "capability": "reference WMI statements",
    "namespace": "collection/database/wmi"
  },
  {
    "capability": "log keystrokes (2 matches)",
    "namespace": "collection/keylog"
  },
  {
    "capability": "log keystrokes via application hook",
    "namespace": "collection/keylog"
  },
  {
    "capability": "log keystrokes via polling (2",
    "namespace": "collection/keylog"
  },
  {
    "capability": "matches)",
    "namespace": "│"
  },
  {
    "capability": "collection/network",
    "namespace": "│ capture screenshot"
  },
  {
    "capability": "│ receive data",
    "namespace": "communication"
  },
  {
    "capability": "send data",
    "namespace": "communication"
  },
  {
    "capability": "manipulate network credentials in",
    "namespace": "communication/authentication"
  },
  {
    "capability": ".NET",
    "namespace": "│"
  },
  {
    "capability": "communication/http",
    "namespace": "│ reference HTTP User-Agent string"
  },
  {
    "capability": "│ create HTTP request",
    "namespace": "communication/http/client"
  },
  {
    "capability": "receive HTTP response",
    "namespace": "communication/http/client"
  },
  {
    "capability": "create TCP socket (3 matches)",
    "namespace": "communication/socket/tcp"
  },
  {
    "capability": "act as TCP client",
    "namespace": "communication/tcp/client"
  },
  {
    "capability": "create zip archive in .NET (3",
    "namespace": "data-manipulation/compression"
  },
  {
    "capability": "matches)",
    "namespace": "│"
  },
  {
    "capability": "data-manipulation/encoding/base64",
    "namespace": "│ decode data using Base64 via WinAPI"
  },
  {
    "capability": "│ reference Base64 string",
    "namespace": "data-manipulation/encoding/base64"
  },
  {
    "capability": "encrypt or decrypt data via BCrypt (2",
    "namespace": "data-manipulation/encryption"
  },
  {
    "capability": "matches)",
    "namespace": "│"
  },
  {
    "capability": "data-manipulation/encryption/dpapi",
    "namespace": "│ generate random numbers in .NET"
  },
  {
    "capability": "│ contains PDB path",
    "namespace": "executable/pe/pdb"
  },
  {
    "capability": "extract resource via kernel32",
    "namespace": "executable/resource"
  },
  {
    "capability": "functions",
    "namespace": "│"
  },
  {
    "capability": "host-interaction/clipboard",
    "namespace": "│ monitor clipboard content"
  },
  {
    "capability": "│ read clipboard data (2 matches)",
    "namespace": "host-interaction/clipboard"
  },
  {
    "capability": "manipulate console buffer (8 matches)",
    "namespace": "host-interaction/console"
  },
  {
    "capability": "query environment variable (3",
    "namespace": "host-interaction/environment-variab…"
  },
  {
    "capability": "matches)",
    "namespace": "│"
  },
  {
    "capability": "host-interaction/file-system",
    "namespace": "│ get common file path (7 matches)"
  },
  {
    "capability": "│ copy file (7 matches)",
    "namespace": "host-interaction/file-system/copy"
  },
  {
    "capability": "create directory (8 matches)",
    "namespace": "host-interaction/file-system/create"
  },
  {
    "capability": "delete directory (2 matches)",
    "namespace": "host-interaction/file-system/delete"
  },
  {
    "capability": "delete file (12 matches)",
    "namespace": "host-interaction/file-system/delete"
  },
  {
    "capability": "check if directory exists (15",
    "namespace": "host-interaction/file-system/exists"
  },
  {
    "capability": "matches)",
    "namespace": "│"
  },
  {
    "capability": "host-interaction/file-system/exists",
    "namespace": "│ enumerate files in .NET (6 matches)"
  },
  {
    "capability": "│ get file attributes",
    "namespace": "host-interaction/file-system/meta"
  },
  {
    "capability": "get file size (5 matches)",
    "namespace": "host-interaction/file-system/meta"
  },
  {
    "capability": "set file attributes (2 matches)",
    "namespace": "host-interaction/file-system/meta"
  },
  {
    "capability": "move file (2 matches)",
    "namespace": "host-interaction/file-system/move"
  },
  {
    "capability": "read file on Windows (7 matches)",
    "namespace": "host-interaction/file-system/read"
  },
  {
    "capability": "write file on Windows (11 matches)",
    "namespace": "host-interaction/file-system/write"
  },
  {
    "capability": "enumerate gui resources (2 matches)",
    "namespace": "host-interaction/gui"
  },
  {
    "capability": "change the wallpaper",
    "namespace": "host-interaction/gui/session"
  },
  {
    "capability": "hide the Windows taskbar",
    "namespace": "host-interaction/gui/taskbar/hide"
  },
  {
    "capability": "get disk information",
    "namespace": "host-interaction/hardware/storage"
  },
  {
    "capability": "get disk size",
    "namespace": "host-interaction/hardware/storage"
  },
  {
    "capability": "allocate unmanaged memory in .NET (3",
    "namespace": "host-interaction/memory"
  },
  {
    "capability": "matches)",
    "namespace": "│"
  },
  {
    "capability": "host-interaction/memory",
    "namespace": "│ (14 matches)"
  },
  {
    "capability": "│ create or open mutex on Windows",
    "namespace": "host-interaction/mutex"
  },
  {
    "capability": "get networking interfaces",
    "namespace": "host-interaction/network/interface"
  },
  {
    "capability": "get hostname (2 matches)",
    "namespace": "host-interaction/os/hostname"
  },
  {
    "capability": "get OS version in .NET",
    "namespace": "host-interaction/os/version"
  },
  {
    "capability": "get process image filename (5",
    "namespace": "host-interaction/process"
  },
  {
    "capability": "matches)",
    "namespace": "│"
  },
  {
    "capability": "host-interaction/process/create",
    "namespace": "│ handles and window (14 matches)"
  },
  {
    "capability": "│ create process on Windows (22",
    "namespace": "host-interaction/process/create"
  },
  {
    "capability": "matches)",
    "namespace": "│"
  },
  {
    "capability": "host-interaction/process/list",
    "namespace": "│ find process by PID (2 matches)"
  },
  {
    "capability": "│ find process by name",
    "namespace": "host-interaction/process/list"
  },
  {
    "capability": "acquire debug privileges",
    "namespace": "host-interaction/process/modify"
  },
  {
    "capability": "terminate process (14 matches)",
    "namespace": "host-interaction/process/terminate"
  },
  {
    "capability": "query or enumerate registry key (7",
    "namespace": "host-interaction/registry"
  },
  {
    "capability": "matches)",
    "namespace": "│"
  },
  {
    "capability": "host-interaction/registry",
    "namespace": "│ matches)"
  },
  {
    "capability": "│ delete registry key",
    "namespace": "host-interaction/registry/delete"
  },
  {
    "capability": "delete registry value (2 matches)",
    "namespace": "host-interaction/registry/delete"
  },
  {
    "capability": "get session integrity level (3",
    "namespace": "host-interaction/session"
  },
  {
    "capability": "matches)",
    "namespace": "│"
  },
  {
    "capability": "host-interaction/session",
    "namespace": "│ create thread (3 matches)"
  },
  {
    "capability": "│ suspend thread (9 matches)",
    "namespace": "host-interaction/thread/suspend"
  },
  {
    "capability": "access WMI data in .NET",
    "namespace": "host-interaction/wmi"
  },
  {
    "capability": "reference cryptocurrency strings",
    "namespace": "impact/cryptocurrency"
  },
  {
    "capability": "disable system features via registry",
    "namespace": "impact/features"
  },
  {
    "capability": "on Windows",
    "namespace": "│"
  },
  {
    "capability": "load-code/dotnet",
    "namespace": "│ matches)"
  },
  {
    "capability": "│ load .NET assembly",
    "namespace": "load-code/dotnet"
  },
  {
    "capability": "compile CSharp in .NET",
    "namespace": "load-code/dotnet/csharp"
  },
  {
    "capability": "persist via default file association",
    "namespace": "persistence/registry"
  },
  {
    "capability": "registry key (2 matches)",
    "namespace": "│"
  },
  {
    "capability": "persistence/registry/run",
    "namespace": "│ schedule task via schtasks (2"
  },
  {
    "capability": "│ matches)",
    "namespace": "│"
  },
  {
    "capability": "runtime",
    "namespace": "│ compiled to the .NET platform"
  }
]
697dd9b63d04a01d9782709c
{}
{}
{
  "md5": "9a5ff998dbf0f6923d0b454d89800fb4",
  "sha1": "4f4fa23e9c503b941a5e91584d6ecc3813962ba1",
  "sha256": "360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f",
  "analysis": "static",
  "os": "any",
  "format": "dotnet",
  "arch": "any",
  "path": "/home/apogean/projects/malware/windows/all_runs/360e6f2288b6c836…"
}
[
  {
    "tactic": "COLLECTION",
    "technique": "Clipboard Data",
    "id": "T1115"
  },
  {
    "tactic": "",
    "technique": "Data from Information Repositories",
    "id": "T1213"
  },
  {
    "tactic": "",
    "technique": "Input Capture::Keylogging",
    "id": "T1056.001"
  },
  {
    "tactic": "",
    "technique": "Screen Capture",
    "id": "T1113"
  },
  {
    "tactic": "",
    "technique": "Web Browsers",
    "id": "T1555.003"
  },
  {
    "tactic": "DEFENSE EVASION",
    "technique": "Deobfuscate/Decode Files or Information",
    "id": "T1140"
  },
  {
    "tactic": "",
    "technique": "File and Directory Permissions Modification",
    "id": "T1222"
  },
  {
    "tactic": "",
    "technique": "Hide Artifacts",
    "id": "T1564"
  },
  {
    "tactic": "",
    "technique": "Hide Artifacts::Hidden Window",
    "id": "T1564.003"
  },
  {
    "tactic": "",
    "technique": "Impair Defenses::Disable or Modify Tools",
    "id": "T1562.001"
  },
  {
    "tactic": "",
    "technique": "Indicator Removal::File Deletion",
    "id": "T1070.004"
  },
  {
    "tactic": "",
    "technique": "Modify Registry",
    "id": "T1112"
  },
  {
    "tactic": "",
    "technique": "Obfuscated Files or Information",
    "id": "T1027"
  },
  {
    "tactic": "",
    "technique": "Delivery",
    "id": "T1027.004"
  },
  {
    "tactic": "",
    "technique": "Reflective Code Loading",
    "id": "T1620"
  },
  {
    "tactic": "DISCOVERY",
    "technique": "Account Discovery",
    "id": "T1087"
  },
  {
    "tactic": "",
    "technique": "Application Window Discovery",
    "id": "T1010"
  },
  {
    "tactic": "",
    "technique": "File and Directory Discovery",
    "id": "T1083"
  },
  {
    "tactic": "",
    "technique": "Process Discovery",
    "id": "T1057"
  },
  {
    "tactic": "",
    "technique": "Query Registry",
    "id": "T1012"
  },
  {
    "tactic": "",
    "technique": "Software Discovery",
    "id": "T1518"
  },
  {
    "tactic": "",
    "technique": "System Information Discovery",
    "id": "T1082"
  },
  {
    "tactic": "",
    "technique": "System Location Discovery",
    "id": "T1614"
  },
  {
    "tactic": "",
    "technique": "System Network Configuration Discovery",
    "id": "T1016"
  },
  {
    "tactic": "",
    "technique": "System Owner/User Discovery",
    "id": "T1033"
  },
  {
    "tactic": "EXECUTION",
    "technique": "Windows Management Instrumentation",
    "id": "T1047"
  },
  {
    "tactic": "IMPACT",
    "technique": "Resource Hijacking",
    "id": "T1496"
  },
  {
    "tactic": "",
    "technique": "/ Startup Folder",
    "id": "T1547.001"
  },
  {
    "tactic": "",
    "technique": "Association",
    "id": "T1546.001"
  },
  {
    "tactic": "",
    "technique": "Scheduled Task/Job::Scheduled Task",
    "id": "T1053.005"
  },
  {
    "tactic": "PRIVILEGE ESCALATION",
    "technique": "Access Token Manipulation",
    "id": "T1134"
  }
]
[
  {
    "category": "malware-category",
    "value": "launcher"
  }
]
[
  {
    "objective": "COLLECTION",
    "behavior": "Keylogging::Application Hook",
    "code": "F0002.001"
  },
  {
    "objective": "COLLECTION",
    "behavior": "Keylogging::Polling",
    "code": "F0002.002"
  },
  {
    "objective": "COLLECTION",
    "behavior": "Screen Capture::WinAPI",
    "code": "E1113.m01"
  },
  {
    "objective": "COMMAND AND CONTROL",
    "behavior": "C2 Communication::Receive Data",
    "code": "B0030.002"
  },
  {
    "objective": "COMMAND AND CONTROL",
    "behavior": "C2 Communication::Send Data",
    "code": "B0030.001"
  },
  {
    "objective": "COMMUNICATION",
    "behavior": "HTTP Communication",
    "code": "C0002"
  },
  {
    "objective": "COMMUNICATION",
    "behavior": "HTTP Communication::Create Request",
    "code": "C0002.012"
  },
  {
    "objective": "COMMUNICATION",
    "behavior": "HTTP Communication::Get Response",
    "code": "C0002.017"
  },
  {
    "objective": "COMMUNICATION",
    "behavior": "HTTP Communication::Read Header",
    "code": "C0002.014"
  },
  {
    "objective": "COMMUNICATION",
    "behavior": "HTTP Communication::Send Request",
    "code": "C0002.003"
  },
  {
    "objective": "COMMUNICATION",
    "behavior": "Socket Communication::Create TCP Socket",
    "code": "C0001.011"
  },
  {
    "objective": "COMMUNICATION",
    "behavior": "Socket Communication::TCP Client",
    "code": "C0001.008"
  },
  {
    "objective": "CRYPTOGRAPHY",
    "behavior": "Decrypt Data",
    "code": "C0031"
  },
  {
    "objective": "CRYPTOGRAPHY",
    "behavior": "Encrypt Data",
    "code": "C0027"
  },
  {
    "objective": "CRYPTOGRAPHY",
    "behavior": "Generate Pseudo-random Sequence::Use API",
    "code": "C0021.003"
  },
  {
    "objective": "DATA",
    "behavior": "Check String",
    "code": "C0019"
  },
  {
    "objective": "DATA",
    "behavior": "Decode Data::Base64",
    "code": "C0053.001"
  },
  {
    "objective": "DATA",
    "behavior": "Encode Data::Base64",
    "code": "C0026.001"
  },
  {
    "objective": "DEFENSE EVASION",
    "behavior": "Disable or Evade Security Tools",
    "code": "F0004"
  },
  {
    "objective": "DEFENSE EVASION",
    "behavior": "Self Deletion::COMSPEC Environment Variable",
    "code": ""
  },
  {
    "objective": "DEFENSE EVASION",
    "behavior": "[F0007.001]",
    "code": ""
  },
  {
    "objective": "DISCOVERY",
    "behavior": "File and Directory Discovery",
    "code": "E1083"
  },
  {
    "objective": "DISCOVERY",
    "behavior": "System Information Discovery",
    "code": "E1082"
  },
  {
    "objective": "DISCOVERY",
    "behavior": "Taskbar Discovery",
    "code": "B0043"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Copy File",
    "code": "C0045"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Create Directory",
    "code": "C0046"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Delete Directory",
    "code": "C0048"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Delete File",
    "code": "C0047"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Get File Attributes",
    "code": "C0049"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Move File",
    "code": "C0063"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Read File",
    "code": "C0051"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Set File Attributes",
    "code": "C0050"
  },
  {
    "objective": "FILE SYSTEM",
    "behavior": "Writes File",
    "code": "C0052"
  },
  {
    "objective": "OPERATING SYSTEM",
    "behavior": "Console",
    "code": "C0033"
  },
  {
    "objective": "OPERATING SYSTEM",
    "behavior": "Registry::Delete Registry Key",
    "code": "C0036.002"
  },
  {
    "objective": "OPERATING SYSTEM",
    "behavior": "Registry::Delete Registry Value",
    "code": "C0036.007"
  },
  {
    "objective": "OPERATING SYSTEM",
    "behavior": "Registry::Query Registry Key",
    "code": "C0036.005"
  },
  {
    "objective": "OPERATING SYSTEM",
    "behavior": "Registry::Query Registry Value",
    "code": "C0036.006"
  },
  {
    "objective": "OPERATING SYSTEM",
    "behavior": "Registry::Set Registry Key",
    "code": "C0036.001"
  },
  {
    "objective": "OPERATING SYSTEM",
    "behavior": "Wallpaper",
    "code": "C0035"
  },
  {
    "objective": "PERSISTENCE",
    "behavior": "Registry Run Keys / Startup Folder",
    "code": "F0012"
  },
  {
    "objective": "PROCESS",
    "behavior": "Create Mutex",
    "code": "C0042"
  },
  {
    "objective": "PROCESS",
    "behavior": "Create Process",
    "code": "C0017"
  },
  {
    "objective": "PROCESS",
    "behavior": "Create Thread",
    "code": "C0038"
  },
  {
    "objective": "PROCESS",
    "behavior": "Suspend Thread",
    "code": "C0055"
  },
  {
    "objective": "PROCESS",
    "behavior": "Terminate Process",
    "code": "C0018"
  }
]
[
  {
    "capability": "self delete (3 matches)",
    "namespace": "anti-analysis/anti-forensic/self-de…"
  },
  {
    "capability": "get geographical location",
    "namespace": "collection"
  },
  {
    "capability": "save image in .NET",
    "namespace": "collection"
  },
  {
    "capability": "gather firefox profile information",
    "namespace": "collection/browser"
  },
  {
    "capability": "reference SQL statements (2 matches)",
    "namespace": "collection/database/sql"
  },
  {
    "capability": "reference WMI statements",
    "namespace": "collection/database/wmi"
  },
  {
    "capability": "log keystrokes (2 matches)",
    "namespace": "collection/keylog"
  },
  {
    "capability": "log keystrokes via application hook",
    "namespace": "collection/keylog"
  },
  {
    "capability": "log keystrokes via polling (2",
    "namespace": "collection/keylog"
  },
  {
    "capability": "matches)",
    "namespace": "│"
  },
  {
    "capability": "collection/network",
    "namespace": "│ capture screenshot"
  },
  {
    "capability": "│ receive data",
    "namespace": "communication"
  },
  {
    "capability": "send data",
    "namespace": "communication"
  },
  {
    "capability": "manipulate network credentials in",
    "namespace": "communication/authentication"
  },
  {
    "capability": ".NET",
    "namespace": "│"
  },
  {
    "capability": "communication/http",
    "namespace": "│ reference HTTP User-Agent string"
  },
  {
    "capability": "│ create HTTP request",
    "namespace": "communication/http/client"
  },
  {
    "capability": "receive HTTP response",
    "namespace": "communication/http/client"
  },
  {
    "capability": "create TCP socket (3 matches)",
    "namespace": "communication/socket/tcp"
  },
  {
    "capability": "act as TCP client",
    "namespace": "communication/tcp/client"
  },
  {
    "capability": "create zip archive in .NET (3",
    "namespace": "data-manipulation/compression"
  },
  {
    "capability": "matches)",
    "namespace": "│"
  },
  {
    "capability": "data-manipulation/encoding/base64",
    "namespace": "│ decode data using Base64 via WinAPI"
  },
  {
    "capability": "│ reference Base64 string",
    "namespace": "data-manipulation/encoding/base64"
  },
  {
    "capability": "encrypt or decrypt data via BCrypt (2",
    "namespace": "data-manipulation/encryption"
  },
  {
    "capability": "matches)",
    "namespace": "│"
  },
  {
    "capability": "data-manipulation/encryption/dpapi",
    "namespace": "│ generate random numbers in .NET"
  },
  {
    "capability": "│ contains PDB path",
    "namespace": "executable/pe/pdb"
  },
  {
    "capability": "extract resource via kernel32",
    "namespace": "executable/resource"
  },
  {
    "capability": "functions",
    "namespace": "│"
  },
  {
    "capability": "host-interaction/clipboard",
    "namespace": "│ monitor clipboard content"
  },
  {
    "capability": "│ read clipboard data (2 matches)",
    "namespace": "host-interaction/clipboard"
  },
  {
    "capability": "manipulate console buffer (8 matches)",
    "namespace": "host-interaction/console"
  },
  {
    "capability": "query environment variable (3",
    "namespace": "host-interaction/environment-variab…"
  },
  {
    "capability": "matches)",
    "namespace": "│"
  },
  {
    "capability": "host-interaction/file-system",
    "namespace": "│ get common file path (7 matches)"
  },
  {
    "capability": "│ copy file (7 matches)",
    "namespace": "host-interaction/file-system/copy"
  },
  {
    "capability": "create directory (8 matches)",
    "namespace": "host-interaction/file-system/create"
  },
  {
    "capability": "delete directory (2 matches)",
    "namespace": "host-interaction/file-system/delete"
  },
  {
    "capability": "delete file (12 matches)",
    "namespace": "host-interaction/file-system/delete"
  },
  {
    "capability": "check if directory exists (15",
    "namespace": "host-interaction/file-system/exists"
  },
  {
    "capability": "matches)",
    "namespace": "│"
  },
  {
    "capability": "host-interaction/file-system/exists",
    "namespace": "│ enumerate files in .NET (6 matches)"
  },
  {
    "capability": "│ get file attributes",
    "namespace": "host-interaction/file-system/meta"
  },
  {
    "capability": "get file size (5 matches)",
    "namespace": "host-interaction/file-system/meta"
  },
  {
    "capability": "set file attributes (2 matches)",
    "namespace": "host-interaction/file-system/meta"
  },
  {
    "capability": "move file (2 matches)",
    "namespace": "host-interaction/file-system/move"
  },
  {
    "capability": "read file on Windows (7 matches)",
    "namespace": "host-interaction/file-system/read"
  },
  {
    "capability": "write file on Windows (11 matches)",
    "namespace": "host-interaction/file-system/write"
  },
  {
    "capability": "enumerate gui resources (2 matches)",
    "namespace": "host-interaction/gui"
  },
  {
    "capability": "change the wallpaper",
    "namespace": "host-interaction/gui/session"
  },
  {
    "capability": "hide the Windows taskbar",
    "namespace": "host-interaction/gui/taskbar/hide"
  },
  {
    "capability": "get disk information",
    "namespace": "host-interaction/hardware/storage"
  },
  {
    "capability": "get disk size",
    "namespace": "host-interaction/hardware/storage"
  },
  {
    "capability": "allocate unmanaged memory in .NET (3",
    "namespace": "host-interaction/memory"
  },
  {
    "capability": "matches)",
    "namespace": "│"
  },
  {
    "capability": "host-interaction/memory",
    "namespace": "│ (14 matches)"
  },
  {
    "capability": "│ create or open mutex on Windows",
    "namespace": "host-interaction/mutex"
  },
  {
    "capability": "get networking interfaces",
    "namespace": "host-interaction/network/interface"
  },
  {
    "capability": "get hostname (2 matches)",
    "namespace": "host-interaction/os/hostname"
  },
  {
    "capability": "get OS version in .NET",
    "namespace": "host-interaction/os/version"
  },
  {
    "capability": "get process image filename (5",
    "namespace": "host-interaction/process"
  },
  {
    "capability": "matches)",
    "namespace": "│"
  },
  {
    "capability": "host-interaction/process/create",
    "namespace": "│ handles and window (14 matches)"
  },
  {
    "capability": "│ create process on Windows (22",
    "namespace": "host-interaction/process/create"
  },
  {
    "capability": "matches)",
    "namespace": "│"
  },
  {
    "capability": "host-interaction/process/list",
    "namespace": "│ find process by PID (2 matches)"
  },
  {
    "capability": "│ find process by name",
    "namespace": "host-interaction/process/list"
  },
  {
    "capability": "acquire debug privileges",
    "namespace": "host-interaction/process/modify"
  },
  {
    "capability": "terminate process (14 matches)",
    "namespace": "host-interaction/process/terminate"
  },
  {
    "capability": "query or enumerate registry key (7",
    "namespace": "host-interaction/registry"
  },
  {
    "capability": "matches)",
    "namespace": "│"
  },
  {
    "capability": "host-interaction/registry",
    "namespace": "│ matches)"
  },
  {
    "capability": "│ delete registry key",
    "namespace": "host-interaction/registry/delete"
  },
  {
    "capability": "delete registry value (2 matches)",
    "namespace": "host-interaction/registry/delete"
  },
  {
    "capability": "get session integrity level (3",
    "namespace": "host-interaction/session"
  },
  {
    "capability": "matches)",
    "namespace": "│"
  },
  {
    "capability": "host-interaction/session",
    "namespace": "│ create thread (3 matches)"
  },
  {
    "capability": "│ suspend thread (9 matches)",
    "namespace": "host-interaction/thread/suspend"
  },
  {
    "capability": "access WMI data in .NET",
    "namespace": "host-interaction/wmi"
  },
  {
    "capability": "reference cryptocurrency strings",
    "namespace": "impact/cryptocurrency"
  },
  {
    "capability": "disable system features via registry",
    "namespace": "impact/features"
  },
  {
    "capability": "on Windows",
    "namespace": "│"
  },
  {
    "capability": "load-code/dotnet",
    "namespace": "│ matches)"
  },
  {
    "capability": "│ load .NET assembly",
    "namespace": "load-code/dotnet"
  },
  {
    "capability": "compile CSharp in .NET",
    "namespace": "load-code/dotnet/csharp"
  },
  {
    "capability": "persist via default file association",
    "namespace": "persistence/registry"
  },
  {
    "capability": "registry key (2 matches)",
    "namespace": "│"
  },
  {
    "capability": "persistence/registry/run",
    "namespace": "│ schedule task via schtasks (2"
  },
  {
    "capability": "│ matches)",
    "namespace": "│"
  },
  {
    "capability": "runtime",
    "namespace": "│ compiled to the .NET platform"
  }
]
69e716dd59a6632dae07ddfa
e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b…
{
  "success": true,
  "results": {
    "normal": {
      "success": true,
      "path": "/tmp/sdm_capa_7y0wi49q/2_normal.txt"
    },
    "verbose": {
      "success": true,
      "path": "/tmp/sdm_capa_7y0wi49q/2_verbose.txt"
    },
    "very_verbose": {
      "success": true,
      "path": "/tmp/sdm_capa_7y0wi49q/2_very_verbose.txt"
    }
  },
  "outputs": {
    "normal": "┌───────────┬──────────────────────────────────────────────────────────────────┐\n│ md5       │ be0930fc1d862072effdd01493361fb5                                 │\n│ sha1      │ e421261bf9c56bc5390d1f1b5be10f4fa53ba34c                         │\n│ sha256    │ e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950462fe6cf8 │\n│ analysis  │ static                                                           │\n│ os        │ any                                                              │\n│ format    │ dotnet                                                           │\n│ arch      │ i386                                                             │\n│ path      │ /home/apogean/projects/malware/windows/all_runs/2                │\n└───────────┴──────────────────────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ ATT&CK Tactic               ┃ ATT&CK Technique                               ┃\n┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ DEFENSE EVASION             │ Reflective Code Loading [T1620]                │\n│ DISCOVERY                   │ File and Directory Discovery [T1083]           │\n└─────────────────────────────┴────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ MBC Objective        ┃ MBC Behavior                                          ┃\n┡━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ CRYPTOGRAPHY         │ Generate Pseudo-random Sequence::Use API [C0021.003]  │\n│ DISCOVERY            │ Analysis Tool Discovery::Process detection            │\n│                      │ [B0013.001]                                           │\n│                      │ File and Directory Discovery [E1083]                  │\n│ FILE SYSTEM          │ Create Directory [C0046]                              
│\n└──────────────────────┴───────────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ Capability                             ┃ Namespace                           ┃\n┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ reference analysis tools strings       │ anti-analysis                       │\n│ generate random numbers in .NET (9     │ data-manipulation/prng              │\n│ matches)                               │                                     │\n│ access .NET resource                   │ executable/resource                 │\n│ get common file path                   │ host-interaction/file-system        │\n│ create directory                       │ host-interaction/file-system/create │\n│ check if directory exists              │ host-interaction/file-system/exists │\n│ check if file exists                   │ host-interaction/file-system/exists │\n│ invoke .NET assembly method (2         │ load-code/dotnet                    │\n│ matches)                               │                                     │\n│ load .NET assembly                     │ load-code/dotnet                    │\n│ compiled to the .NET platform          │ runtime/dotnet                      │\n└────────────────────────────────────────┴─────────────────────────────────────┘\n\n",
    "verbose": "md5                     be0930fc1d862072effdd01493361fb5                        \nsha1                    e421261bf9c56bc5390d1f1b5be10f4fa53ba34c                \nsha256                  e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950…\npath                    /home/apogean/projects/malware/windows/all_runs/2       \ntimestamp               2026-04-26 23:28:52.816720                              \ncapa version            9.2.1                                                   \nos                      any                                                     \nformat                  dotnet                                                  \narch                    i386                                                    \nanalysis                static                                                  \nextractor               DnfileFeatureExtractor                                  \nbase address            global                                                  \nrules                   /tmp/_MEIKH7B9s/rules                                   \nfunction count          455                                                     \nlibrary function count  0                                                       \ntotal feature count     28675                                                   \n\nreference analysis tools strings\nnamespace  anti-analysis\nscope      file         \n\ngenerate random numbers in .NET (9 matches)\nnamespace  data-manipulation/prng\nscope      function              \nmatches    token(0x6000145)      \n           token(0x6000172)      \n           token(0x6000192)      \n           token(0x6000193)      \n           token(0x6000194)      \n           token(0x6000195)      \n           token(0x6000196)      \n           token(0x6000197)      \n           token(0x6000198)      \n\naccess .NET resource\nnamespace  executable/resource\nscope      function           \nmatches    token(0x60001AF)   \n\nget common file 
path\nnamespace  host-interaction/file-system\nscope      function                    \nmatches    token(0x60000CB)            \n\ncreate directory\nnamespace  host-interaction/file-system/create\nscope      function                           \nmatches    token(0x60000CB)                   \n\ncheck if directory exists\nnamespace  host-interaction/file-system/exists\nscope      function                           \nmatches    token(0x60000CB)                   \n\ncheck if file exists\nnamespace  host-interaction/file-system/exists\nscope      function                           \nmatches    token(0x60000CA)                   \n\ninvoke .NET assembly method (2 matches)\nnamespace  load-code/dotnet\nscope      function        \nmatches    token(0x6000123)\n           token(0x6000154)\n\nload .NET assembly\nnamespace  load-code/dotnet\nscope      function        \nmatches    token(0x60000EA)\n\ncompiled to the .NET platform\nnamespace  runtime/dotnet\nscope      file          \n\n\n\n",
    "very_verbose": "md5                     be0930fc1d862072effdd01493361fb5                        \nsha1                    e421261bf9c56bc5390d1f1b5be10f4fa53ba34c                \nsha256                  e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950…\npath                    /home/apogean/projects/malware/windows/all_runs/2       \ntimestamp               2026-04-26 23:29:01.820826                              \ncapa version            9.2.1                                                   \nos                      any                                                     \nformat                  dotnet                                                  \narch                    i386                                                    \nanalysis                static                                                  \nextractor               DnfileFeatureExtractor                                  \nbase address            global                                                  \nrules                   /tmp/_MEIqYtxZp/rules                                   \nfunction count          455                                                     \nlibrary function count  0                                                       \ntotal feature count     28675                                                   \n\nreference analysis tools strings\nnamespace   anti-analysis                                                       \nauthor      michael.hunhoff@mandiant.com                                        \nscope       file                                                                \nmbc         Discovery::Analysis Tool Discovery::Process detection [B0013.001]   \nreferences  https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/A…\nor:\n  regex: /(?<!\\w)ida?(\\.exe)?$/i\n    - \"IDAT\" @ file+0x4E849, file+0x5E849, file+0x8E849, file+0xBE849, and 4 more...\n\ngenerate random numbers in .NET (9 matches)\nnamespace  data-manipulation/prng            
                                \nauthor     anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com     \nscope      function                                                          \nmbc        Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]\nfunction @ token(0x6000145)\n  or:\n    api: System.Random::NextDouble @ token(0x6000145)+0x34, token(0x6000145)+0x1C5\nfunction @ token(0x6000172)\n  or:\n    api: System.Random::Next @ token(0x6000172)+0x2B6\nfunction @ token(0x6000192)\n  or:\n    api: System.Random::Next @ token(0x6000192)+0x6\nfunction @ token(0x6000193)\n  or:\n    api: System.Random::Next @ token(0x6000193)+0x6\nfunction @ token(0x6000194)\n  or:\n    api: System.Random::Next @ token(0x6000194)+0x6\nfunction @ token(0x6000195)\n  or:\n    api: System.Random::Next @ token(0x6000195)+0x6\nfunction @ token(0x6000196)\n  or:\n    api: System.Random::Next @ token(0x6000196)+0x6\nfunction @ token(0x6000197)\n  or:\n    api: System.Random::Next @ token(0x6000197)+0x6\nfunction @ token(0x6000198)\n  or:\n    api: System.Random::Next @ token(0x6000198)+0x6\n\naccess .NET resource\nnamespace  executable/resource\nauthor     @mr-tz             \nscope      function           \nfunction @ token(0x60001AF)\n  and:\n    format: dotnet\n    or:\n      api: System.Resources.ResourceManager::ctor @ token(0x60001AF)+0x4C\n\nget common file path\nnamespace  host-interaction/file-system                                         \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::File and Directory Discovery [T1083]                      \nmbc        Discovery::File and Directory Discovery [E1083]                      \nfunction @ token(0x60000CB)\n  or:\n    api: System.Environment::GetFolderPath @ token(0x60000CB)+0x26\n\ncreate 
directory\nnamespace  host-interaction/file-system/create                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Create Directory [C0046]                  \nfunction @ token(0x60000CB)\n  or:\n    api: System.IO.Directory::CreateDirectory @ token(0x60000CB)+0x18\n\ncheck if directory exists\nnamespace  host-interaction/file-system/exists            \nauthor     michael.hunhoff@mandiant.com                   \nscope      function                                       \natt&ck     Discovery::File and Directory Discovery [T1083]\nfunction @ token(0x60000CB)\n  or:\n    api: System.IO.Directory::Exists @ token(0x60000CB)+0x7\n\ncheck if file exists\nnamespace  host-interaction/file-system/exists                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \natt&ck     Discovery::File and Directory Discovery [T1083]        \nmbc        Discovery::File and Directory Discovery [E1083]        \nfunction @ token(0x60000CA)\n  or:\n    api: System.IO.File::Exists @ token(0x60000CA)+0x37\n\n(internal) .NET file limitation\nnamespace    internal/limitation/dynamic                        \nauthor       @v1bh475u                                          \nscope        file                                               \ndescription  This dynamic analysis trace describes a .NET file. \n                                                                \n             capa rules are not yet tuned for the .NET runtime, \n             so its analysis may be incomplete or misleading.   
\n                                                                \nor:\n  format: dotnet\n\ninvoke .NET assembly method (2 matches)\nnamespace  load-code/dotnet                                     \nauthor     anushka.virgaonkar@mandiant.com, mehunhoff@google.com\nscope      function                                             \natt&ck     Defense Evasion::Reflective Code Loading [T1620]     \nfunction @ token(0x6000123)\n  and:\n    format: dotnet\n    or:\n      api: System.Reflection.MethodBase::Invoke @ token(0x6000123)+0x1A\nfunction @ token(0x6000154)\n  and:\n    format: dotnet\n    or:\n      api: System.Type::InvokeMember @ token(0x6000154)+0x9E\n\nload .NET assembly\nnamespace  load-code/dotnet                                \nauthor     anushka.virgaonkar@mandiant.com                 \nscope      function                                        \natt&ck     Defense Evasion::Reflective Code Loading [T1620]\nfunction @ token(0x60000EA)\n  or:\n    api: System.AppDomain::Load @ token(0x60000EA)+0x52E\n\ncompiled to the .NET platform\nnamespace  runtime/dotnet                 \nauthor     william.ballenthin@mandiant.com\nscope      file                           \nor:\n  format: dotnet\n\n\n\n"
  },
  "hashes": {
    "md5": "be0930fc1d862072effdd01493361fb5",
    "sha1": "e421261bf9c56bc5390d1f1b5be10f4fa53ba34c",
    "sha256": "e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950462fe6cf8"
  },
  "interactive_graph": "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n    <meta charset=\"UTF-8\">\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n    <title>Malware Analysis Network Graph</title>\n    <script src=\"https://cdnjs.cloudflare.com/ajax/libs/d3/7.8.5/d3.min.js\"></script>\n    <style>\n        * {\n            margin: 0;\n            padding: 0;\n            box-sizing: border-box;\n        }\n\n        body {\n            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;\n            background: linear-gradient(135deg, #1a1a2e 0%, #0f0f1e 100%);\n            color: #fff;\n            overflow: hidden;\n        }\n\n        #container {\n            display: flex;\n            height: 100vh;\n        }\n\n        #graph {\n            flex: 1;\n            position: relative;\n        }\n\n        #sidebar {\n            width: 350px;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 20px;\n            overflow-y: auto;\n            border-left: 2px solid rgba(100, 100, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        h1 {\n            font-size: 20px;\n            margin-bottom: 10px;\n            color: #6c63ff;\n            text-shadow: 0 0 10px rgba(108, 99, 255, 0.5);\n        }\n\n        h2 {\n            font-size: 16px;\n            margin-top: 20px;\n            margin-bottom: 10px;\n            color: #00d9ff;\n        }\n\n        .info-section {\n            background: rgba(50, 50, 80, 0.5);\n            padding: 12px;\n            border-radius: 8px;\n            margin-bottom: 15px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n        }\n\n        .info-item {\n            margin: 8px 0;\n            font-size: 13px;\n            line-height: 1.6;\n            word-break: break-all;\n        }\n\n        .label {\n            color: #00d9ff;\n            font-weight: bold;\n        }\n\n        .legend {\n            margin-top: 
20px;\n        }\n\n        .legend-item {\n            display: flex;\n            align-items: center;\n            margin: 8px 0;\n            font-size: 13px;\n        }\n\n        .legend-color {\n            width: 20px;\n            height: 20px;\n            border-radius: 50%;\n            margin-right: 10px;\n            border: 2px solid rgba(255, 255, 255, 0.3);\n        }\n\n        .controls {\n            position: absolute;\n            top: 20px;\n            left: 20px;\n            z-index: 1000;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 15px;\n            border-radius: 10px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        button {\n            background: linear-gradient(135deg, #6c63ff 0%, #5848ff 100%);\n            color: white;\n            border: none;\n            padding: 8px 16px;\n            margin: 5px;\n            border-radius: 5px;\n            cursor: pointer;\n            font-size: 12px;\n            transition: all 0.3s;\n        }\n\n        button:hover {\n            transform: translateY(-2px);\n            box-shadow: 0 5px 15px rgba(108, 99, 255, 0.5);\n        }\n\n        .node {\n            cursor: pointer;\n            transition: all 0.3s;\n        }\n\n        .node:hover {\n            filter: brightness(1.5);\n        }\n\n        .link {\n            stroke-opacity: 0.6;\n            transition: all 0.3s;\n        }\n\n        .link:hover {\n            stroke-opacity: 1;\n            stroke-width: 3px;\n        }\n\n        text {\n            font-size: 11px;\n            pointer-events: none;\n            text-shadow: 0 0 3px rgba(0, 0, 0, 0.8);\n        }\n\n        .severity-high {\n            animation: pulse 2s infinite;\n        }\n\n        @keyframes pulse {\n            0%, 100% { opacity: 1; }\n            50% { opacity: 0.6; }\n        }\n\n        ::-webkit-scrollbar {\n            width: 8px;\n 
       }\n\n        ::-webkit-scrollbar-track {\n            background: rgba(30, 30, 50, 0.5);\n        }\n\n        ::-webkit-scrollbar-thumb {\n            background: rgba(108, 99, 255, 0.5);\n            border-radius: 4px;\n        }\n\n        ::-webkit-scrollbar-thumb:hover {\n            background: rgba(108, 99, 255, 0.8);\n        }\n    </style>\n</head>\n<body>\n    <div id=\"container\">\n        <div id=\"graph\">\n            <div class=\"controls\">\n                <button onclick=\"resetZoom()\">Reset View</button>\n                <button onclick=\"toggleLabels()\">Toggle Labels</button>\n                <button onclick=\"togglePhysics()\">Toggle Physics</button>\n            </div>\n        </div>\n        <div id=\"sidebar\">\n            <h1>🔍 Malware Analysis</h1>\n            <div id=\"node-info\" class=\"info-section\">\n                <p style=\"color: #888;\">Click on a node to see details</p>\n            </div>\n            \n            <div class=\"legend\">\n                <h2>Legend</h2>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff4757;\"></div>\n                    <span>File</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff6348;\"></div>\n                    <span>Capability (High)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ffa502;\"></div>\n                    <span>Capability (Medium)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #5f27cd;\"></div>\n                    <span>Function</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #00d2d3;\"></div>\n                
    <span>API Call</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #1dd1a1;\"></div>\n                    <span>Basic Block</span>\n                </div>\n            </div>\n\n            <div class=\"info-section\">\n                <h2>Analysis Info</h2>\n                <div class=\"info-item\"><span class=\"label\">Type:</span> static</div>\n                <div class=\"info-item\"><span class=\"label\">Functions:</span> 455</div>\n                <div class=\"info-item\"><span class=\"label\">Features:</span> 28675</div>\n            </div>\n        </div>\n    </div>\n\n    <script>\n        const graphData = {\n  \"nodes\": [\n    {\n      \"id\": \"malware_file\",\n      \"label\": \"2\",\n      \"type\": \"file\",\n      \"properties\": {\n        \"md5\": \"be0930fc1d862072effdd01493361fb5\",\n        \"sha256\": \"e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950\",\n        \"arch\": \"i386\",\n        \"os\": \"any\",\n        \"format\": \"dotnet\"\n      }\n    },\n    {\n      \"id\": \"cap_reference_analysis_tools_strings\",\n      \"label\": \"reference analysis tools strings\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Analysis Tool Discovery::Process detection [B0013.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"label\": \"author      michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Analysis Tool Discovery::Process detection [B0013.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_generate_random_numbers_in__net__9_matches_\",\n      \"label\": \"generate random numbers in .NET (9 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": 
\"\",\n      \"mitre\": [\n        \"Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]\"\n      ]\n    },\n    {\n      \"id\": \"api_System\",\n      \"label\": \"System\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_access__net_resource\",\n      \"label\": \"access .NET resource\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author______mr_tz\",\n      \"label\": \"author     @mr-tz\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_get_common_file_path\",\n      \"label\": \"get common file path\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"label\": \"anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_directory\",\n      \"label\": \"create directory\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Create Directory [C0046]\"\n      ]\n    },\n    {\n      \"id\": 
\"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Create Directory [C0046]\"\n      ]\n    },\n    {\n      \"id\": \"cap_check_if_directory_exists\",\n      \"label\": \"check if directory exists\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [T1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [T1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_check_if_file_exists\",\n      \"label\": \"check if file exists\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap__internal___net_file_limitation\",\n      \"label\": \"(internal) .NET file limitation\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author________v1bh475u\",\n      \"label\": \"author       @v1bh475u\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_invoke__net_assembly_method__2_matches_\",\n      \"label\": \"invoke .NET assembly method (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Reflective Code Loading [T1620]\"\n      ]\n    },\n    {\n      
\"id\": \"cap_author_____anushka_virgaonkar_mandiant_com__mehunhoff_google_com\",\n      \"label\": \"author     anushka.virgaonkar@mandiant.com, mehunhoff@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Reflective Code Loading [T1620]\"\n      ]\n    },\n    {\n      \"id\": \"cap_load__net_assembly\",\n      \"label\": \"load .NET assembly\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Reflective Code Loading [T1620]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Reflective Code Loading [T1620]\"\n      ]\n    },\n    {\n      \"id\": \"cap_compiled_to_the__net_platform\",\n      \"label\": \"compiled to the .NET platform\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    }\n  ],\n  \"edges\": [\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_reference_analysis_tools_strings\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_generate_random_numbers_in__net__9_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_author_____anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_access__net_resource\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______mr_tz\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_common_file_path\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_directory\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_if_directory_exists\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_if_file_exists\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap__internal___net_file_limitation\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author________v1bh475u\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_invoke__net_assembly_method__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_author_____anushka_virgaonkar_mandiant_com__mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_load__net_assembly\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_compiled_to_the__net_platform\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    }\n  ],\n  \"metadata\": {\n    \"analysis_type\": \"static\",\n    \"version\": \"9.2.1\",\n    \"timestamp\": \"2026-04-26 23:29:01.820826\",\n    \"total_functions\": \"455\",\n    \"total_features\": \"28675\",\n    \"pdb_path\": \"\"\n  }\n};\n\n        const width = window.innerWidth - 350;\n        const height = window.innerHeight;\n\n        const svg = d3.select(\"#graph\")\n            .append(\"svg\")\n            .attr(\"width\", width)\n            .attr(\"height\", height);\n\n        const g = svg.append(\"g\");\n\n        const zoom = d3.zoom()\n            .scaleExtent([0.1, 4])\n            .on(\"zoom\", (event) => {\n                g.attr(\"transform\", event.transform);\n            });\n\n        svg.call(zoom);\n\n        const colorMap = {\n            \"file\": \"#ff4757\",\n            \"capability\": \"#ff6348\",\n            \"function\": \"#5f27cd\",\n            \"api\": \"#00d2d3\",\n            \"basic_block\": \"#1dd1a1\"\n        };\n\n        const simulation = d3.forceSimulation(graphData.nodes)\n            .force(\"link\", d3.forceLink(graphData.edges).id(d => d.id).distance(100))\n            .force(\"charge\", d3.forceManyBody().strength(-300))\n            .force(\"center\", d3.forceCenter(width / 2, height / 
2))\n            .force(\"collision\", d3.forceCollide().radius(40));\n\n        const linkColorMap = {\n            \"exhibits\": \"#ff6b6b\",\n            \"implemented_by\": \"#4ecdc4\",\n            \"calls\": \"#45b7d1\",\n            \"part_of\": \"#96ceb4\",\n            \"depends_on\": \"#ffeaa7\"\n        };\n\n        const link = g.append(\"g\")\n            .selectAll(\"line\")\n            .data(graphData.edges)\n            .enter()\n            .append(\"line\")\n            .attr(\"class\", \"link\")\n            .attr(\"stroke\", d => linkColorMap[d.relationship] || \"#999\")\n            .attr(\"stroke-width\", 2);\n\n        const node = g.append(\"g\")\n            .selectAll(\"circle\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"circle\")\n            .attr(\"class\", d => `node ${d.severity === \"high\" ? \"severity-high\" : \"\"}`)\n            .attr(\"r\", d => {\n                if (d.type === \"file\") return 20;\n                if (d.type === \"capability\") return d.severity === \"high\" ? 
15 : 12;\n                if (d.type === \"function\") return 10;\n                return 8;\n            })\n            .attr(\"fill\", d => {\n                if (d.type === \"capability\" && d.severity === \"medium\") return \"#ffa502\";\n                if (d.type === \"capability\" && d.severity === \"low\") return \"#48dbfb\";\n                return colorMap[d.type] || \"#666\";\n            })\n            .attr(\"stroke\", \"#fff\")\n            .attr(\"stroke-width\", 2)\n            .on(\"click\", (event, d) => showNodeInfo(d))\n            .call(d3.drag()\n                .on(\"start\", dragstarted)\n                .on(\"drag\", dragged)\n                .on(\"end\", dragended));\n\n        let labelsVisible = true;\n        const labels = g.append(\"g\")\n            .selectAll(\"text\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"text\")\n            .text(d => d.label)\n            .attr(\"fill\", \"#fff\")\n            .attr(\"dx\", 15)\n            .attr(\"dy\", 4);\n\n        simulation.on(\"tick\", () => {\n            link\n                .attr(\"x1\", d => d.source.x)\n                .attr(\"y1\", d => d.source.y)\n                .attr(\"x2\", d => d.target.x)\n                .attr(\"y2\", d => d.target.y);\n\n            node\n                .attr(\"cx\", d => d.x)\n                .attr(\"cy\", d => d.y);\n\n            labels\n                .attr(\"x\", d => d.x)\n                .attr(\"y\", d => d.y);\n        });\n\n        function dragstarted(event, d) {\n            if (!event.active) simulation.alphaTarget(0.3).restart();\n            d.fx = d.x;\n            d.fy = d.y;\n        }\n\n        function dragged(event, d) {\n            d.fx = event.x;\n            d.fy = event.y;\n        }\n\n        function dragended(event, d) {\n            if (!event.active) simulation.alphaTarget(0);\n            d.fx = null;\n            d.fy = null;\n        }\n\n        function showNodeInfo(node) 
{\n            let html = `<h2>${node.label}</h2>`;\n            html += `<div class=\"info-item\"><span class=\"label\">Type:</span> ${node.type}</div>`;\n            \n            if (node.severity) {\n                html += `<div class=\"info-item\"><span class=\"label\">Severity:</span> ${node.severity.toUpperCase()}</div>`;\n            }\n            \n            if (node.category) {\n                html += `<div class=\"info-item\"><span class=\"label\">Category:</span> ${node.category}</div>`;\n            }\n            \n            if (node.mitre) {\n                html += `<div class=\"info-item\"><span class=\"label\">MITRE:</span> ${node.mitre.join(\", \")}</div>`;\n            }\n            \n            if (node.operations) {\n                html += `<div class=\"info-item\"><span class=\"label\">Operations:</span><br>${node.operations.join(\"<br>\")}</div>`;\n            }\n            \n            if (node.properties) {\n                html += `<div class=\"info-item\"><span class=\"label\">MD5:</span><br>${node.properties.md5}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">SHA256:</span><br>${node.properties.sha256}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">Arch:</span> ${node.properties.arch}</div>`;\n            }\n            \n            if (node.address) {\n                html += `<div class=\"info-item\"><span class=\"label\">Address:</span> ${node.address}</div>`;\n            }\n            \n            document.getElementById(\"node-info\").innerHTML = html;\n        }\n\n        function resetZoom() {\n            svg.transition().duration(750).call(zoom.transform, d3.zoomIdentity);\n        }\n\n        function toggleLabels() {\n            labelsVisible = !labelsVisible;\n            labels.style(\"display\", labelsVisible ? 
\"block\" : \"none\");\n        }\n\n        let physicsEnabled = true;\n        function togglePhysics() {\n            physicsEnabled = !physicsEnabled;\n            if (physicsEnabled) {\n                simulation.alphaTarget(0.3).restart();\n                setTimeout(() => simulation.alphaTarget(0), 1000);\n            } else {\n                simulation.stop();\n            }\n        }\n\n        window.addEventListener(\"resize\", () => {\n            const w = window.innerWidth - 350;\n            const h = window.innerHeight;\n            svg.attr(\"width\", w).attr(\"height\", h);\n            simulation.force(\"center\", d3.forceCenter(w / 2, h / 2));\n            simulation.alpha(0.3).restart();\n        });\n    </script>\n</body>\n</html>"
}
2026-04-26 23:29:02
69e917b359a6632dae07de10
2026-04-23 00:40:20
9a5ff998dbf0f6923d0b454d89800fb4
69e9ba7159a6632dae07de1f
360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e…
2026-04-29 20:28:59
69edc49459a6632dae07de34
2aa5ce3561dc657a157460383c7c9b8db54ac8a6969627009…
2026-05-15 14:33:03
69edf02059a6632dae07de43
02aa8cabeea2a0120a31adbf0886f821d10953fc6d4d9cd19…
2026-04-29 18:18:28
69edf1b159a6632dae07de54
6ba13af0263cd61f957f2ce738120c8a419e1eb157e489bc7…
2026-04-27 00:05:27
69f0fc1c59a6632dae07de68
c5ae6f6ec23fd8d5ba1343e49bf805bbc016545715a413227…
2026-04-28 23:57:40
