Miscellaneous indicators
This section lists the indicators that do not fit into the other categories.
| Indicator | Description |
|---|---|
| AutoitFileOperations | The AutoIt script can perform multiple actions on files. This may be used for information gathering, persistence, or destruction. |
| AutorunString | The file has the capability to achieve persistence by using autorun mechanisms. |
| CodepageLookupImports | The file imports functions used to look up the codepage (a proxy for the location) of the running system. Malware uses this to determine in which country or region a system is running so that it can target particular groups more precisely. |
| MutexImports | The file imports functions to create and manipulate mutex objects. Malware frequently uses mutexes to avoid infecting a system multiple times. |
| OpenSSL Static | The file contains a statically linked copy of OpenSSL built to avoid easy identification. Malware does this to include cryptographic functionality without leaving strong evidence of it. |
| PListString | The file has the capability to interact with the property lists used by the operating system. This may be used to achieve persistence or to subvert various processes. |
| PrivEscalationCryptBase | The file shows evidence of attempting privilege escalation via CryptBase. Malware uses this to gain more privileges on the affected system. |
| ShellCommandString | The file has the capability to use sensitive shell commands for reconnaissance, elevation of privilege, or data destruction. |
| SystemCallSuspicious | The file has the capability to monitor or control the system and other processes, performing debugger-like actions. |