
By taking advantage of CAPE's customizability, you can write signatures which will then be run against analysis results. These signatures can be used to identify a predefined pattern that represents a malicious behavior or an indicator that you're interested in.

These signatures are very useful to give context to the analyses: they simplify the interpretation of the results and help automate identification. A few examples of what you can use CAPE's signatures for are:

- Identify a particular malware family that you're interested in, by isolating unique behaviors (like file names or mutexes).
- Spot interesting modifications that the malware performs on the system, such as the installation of device drivers.
- Identify particular malware categories, such as Banking Trojans or Ransomware, by isolating typical actions that are commonly performed by these categories.

You can find signatures created by the CAPE administrators and other CAPE users on the Community repository.

```python
from lib.cuckoo.common.abstracts import Signature

class CreatesExe(Signature):
    name = "creates_exe"
    description = "Creates a Windows executable on the filesystem"
    severity = 2
    categories = ["generic"]
    authors = ["Cuckoo Developers"]
    minimum = "0.5"

    def run(self):
        return self.check_file(pattern=".*\\.exe$",
                               regex=True)
```

As you can see, the structure of the signature is really simple and consistent with the other CAPE modules.

Note that on line 12 a helper function is used. These helper functions assist with signature writing, and we highly recommend becoming familiar with what helper functions are before you start writing signatures. Some documentation for helpers can be found below.

In the example above, the helper function is used to walk through all of the accessed files in the summary and check whether any of them matches the pattern (here, a file name ending in .exe). If there is at least one match, then the helper function will return True.

The attributes of a signature are:

- description: a brief description of what the signature represents.
- severity: a number identifying the severity of the events matched (generally between 1 and 3).
- confidence: a number between 1 and 100 that represents how confident the signature writer is that this signature will not be raised as a false positive.
- weight: a number used for calculating the malscore of a submission. This attribute acts as a multiplier of the product of severity and confidence.
- categories: a list of categories that describe the type of event being matched (for example "banker", "injection" or "anti-vm"). For a list of all categories, see Categories.
- families: a list of malware family names, in case the signature specifically matches a known one.
- authors: a list of people who authored the signature.
- references: a list of references (URLs) to give context to the signature.
- enabled: if set to False, the signature will be skipped.
- alert: if set to True, can be used to specify that the signature should be reported (perhaps by a dedicated reporting module).
- minimum: the minimum required version of CAPE to successfully run this signature.
- maximum: the maximum required version of CAPE to successfully run this signature.
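As an added example (not the page's or CAPE's own code), the signature model described above can be exercised without a CAPE installation: a constructed stand-in for the Signature base class carrying the attributes listed, a check_file() helper that walks the accessed files of a constructed behavior summary, two signatures run through a small runner that honours enabled, and an illustrative score built from severity, confidence and weight. The stand-in base class, the scoring formula and the sample summary are assumptions for this example, not CAPE's actual malscore code.

```python
import re
# Constructed stand-in for CAPE's Signature base class (not CAPE's own code): the
# attributes listed above plus a check_file() helper over the behavior summary.
class Signature:
    name = description = ""
    severity, confidence, weight = 1, 100, 1
    categories = families = authors = references = ()
    enabled, alert, minimum, maximum = True, False, None, None

    def __init__(self, results):
        self.results = results

    def check_file(self, pattern, regex=False):
        """True if any accessed file path matches (regex or substring)."""
        for path in self.results["behavior"]["summary"].get("files", []):
            if re.search(pattern, path, re.I) if regex else pattern in path:
                return True
        return False

class CreatesExe(Signature):
    name = "creates_exe"
    description = "Creates a Windows executable on the filesystem"
    severity, categories = 2, ["generic"]

    def run(self):
        return self.check_file(pattern=r".*\.exe$", regex=True)

class DropsToStartup(Signature):
    name = "drops_to_startup"
    description = "Writes a file into a user's Startup folder"
    severity, confidence, weight = 3, 80, 2
    categories, alert = ["persistence"], True

    def run(self):
        return self.check_file(pattern=r"\\Programs\\Startup\\", regex=True)

def run_signatures(results, signatures):
    """Run each enabled signature; return matched names and an illustrative
    score (sum of severity * confidence/100 * weight; assumed, not CAPE's malscore)."""
    matched, score = [], 0.0
    for cls in signatures:
        if cls.enabled and cls(results).run():
            matched.append(cls.name)
            score += cls.severity * cls.confidence / 100.0 * cls.weight
    return matched, score

SAMPLE = {"behavior": {"summary": {"files": [  # constructed behavior summary
    r"C:\Users\user\AppData\Local\Temp\update.exe",
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
]}}}
```

Running `run_signatures(SAMPLE, [CreatesExe, DropsToStartup])` matches both signatures; a subclass with `enabled = False` is skipped by the runner.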