MalFe

Please wait ...

Public Datasets

Ransomware_Detection_Using_Features_of_PE_Imports Rows: 1831 | Cols: 9 | Reports Used: 3084

Description: A dataset of features of the imports of portable executables (PE Imports). The features extracted are: a ratio of the number of functions utilized per DLL imported, the number of functions that have additional (non-alphabetic) characters, the number of 'blacklisted functions' utilized by that PE file, the number of 'whitelisted' functions, whether all Register keys opened/ created are deleted at the end of the application, the number of native functions utilized, and how many times a function is accessed from Python.

Dataset SHA256: 3d2c04d8760adc7ea174836c158d1ce92cfbb8665419113b79aedff27139c2cc

Features (sample):

	label	ave_functions_utilised_from_dlls_imported	bogus_functions	num_blacklisted_functions	num_whitelisted_functions	persistent_reg_key	num_of_native_functions	num_of_accesses_from_python	SHA256
0	M	1.115312	37	0.133333	0.333333	1	0	0	4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
1	M	24.500000	0	0.066667	0.000000	0	0	0	bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a
...	...	...	...	...	...	...	...	...	...
1829	M	2.950617	2	0.200000	0.000000	0	0	0	7d809e8c9b98c16647bbfac49854c28ecc3fe6d4345410deeaa79445cc50cf51
1830	M	0.813333	0	0.000000	0.333333	0	0	0	eb920e0fc0c360abb901e04dce172459b63bbda3ab8152350885db4b44d63ce5

1831 rows × 9 columns

Created by: Tanatswa Dendere
Downloaded 4 times
Comments Enabled: True
Comments: 0
Related Dataset: Ransomware_Detection_Using_PE_Imports

def process(data, filename, sha256, category, malicious):
    try:
        # Implement your data processing here, this function will get called with the data of each 
        # report in the category you have selected along with the filename of the report and hash. 
        # Do your processing and add your data to the features array, and return the features_lables, features, and sha256
        # PLEASE NOTE: THE CODE BELOW SERVES AS AN EXAMPLE ONLY! This example extracts the entropy of the PE Sections. Which can be seen here: https://malfe.cs.up.ac.za/datasets/view/Entropy_of_PE_Sections/5
        ###

features_labels = ["label", "ave_functions_utilised_from_dlls_imported", "bogus_functions",
                           "num_blacklisted_functions", "num_whitelisted_functions", "persistent_reg_key",
                           "num_of_native_functions", "num_of_accesses_from_python"]
        features = []
        label = "M" if malicious else "B"

# ## Array for Feature 3 (the blacklisted functions - functions prevalent in ransomware)
        blacklisted_functions = ["WriteConsoleW", "Process32NextW", "Process32FirstW", "CreateToolhelp32Snapshot",
                                 "CoInitializeSecurity", "MoveFileWithProgressW", "CryptEncrypt", "CryptExportKey",
                                 "CryptGenKey", "CryptDeriveKey", "CryptDecodeObject", "CryptImportPublicKeyInfo",
                                 "socket", "DrawTextExW", "GetForegroundWindow"]

# ## Array for Feature 4 (the functions that are most likely to be invoked in good-ware than in ransomware)
        whitelisted_functions = ["DeviceIoControl", "SetFileTime", "SHGetFolderPathW"]

ratio_functions_total = 0
        ave_functions_utilised_from_dlls_imported = 0
        bogus_functions = 0
        num_blacklisted_functions = 0
        num_whitelisted_functions = 0

persistent_reg_key = 0
        num_opened_reg_key = 0
        num_closed_reg_key = 0

num_of_native_functions = 0
        num_of_accesses_from_python = 0

if "static" in data:
            if "pe_imports" in data["static"]:

num_imported_dlls = 0
                if "imported_dll_count" in data["static"]:
                    num_imported_dlls = data["static"]["imported_dll_count"]

for pe_import in data["static"]["pe_imports"]:
                    # ## Feature 1
                    if num_imported_dlls > 0:
                        ratio_functions_total = ratio_functions_total + len(pe_import["imports"]) / num_imported_dlls
                    for i in pe_import["imports"]:

if "name" in i:
                            function_name = str(i["name"])
                            # ## Feature 2
                            if not function_name.isalpha():
                                bogus_functions = bogus_functions + 1
                            # ## Feature 3
                            if function_name.lower() in (func_name.lower() for func_name in blacklisted_functions):
                                num_blacklisted_functions = num_blacklisted_functions + 1
                            # ## Feature 4
                            if function_name.lower() in (func_name.lower() for func_name in whitelisted_functions):
                                num_whitelisted_functions = num_whitelisted_functions + 1
                            # ## Feature 5
                            if function_name.lower().startswith("regcreate"):
                                num_opened_reg_key = num_opened_reg_key + 1
                            if function_name.lower().startswith("regdelete"):
                                num_closed_reg_key = num_closed_reg_key + 1
                            # ## Feature 6
                            if function_name.lower().startswith("nt") or function_name.lower().startswith("zw"):
                                num_of_native_functions = num_of_native_functions + 1
                            # ## Feature 7
                            if function_name.lower().startswith("py") or function_name.lower().startswith("_py"):
                                num_of_accesses_from_python = num_of_accesses_from_python + 1

# ## for Feature 1
                if num_imported_dlls > 0:
                    ave_functions_utilised_from_dlls_imported = float(ratio_functions_total / num_imported_dlls)

# ## for Feature 5
                if num_opened_reg_key != num_closed_reg_key:
                    persistent_reg_key = 1

features.append([label, float(ave_functions_utilised_from_dlls_imported), bogus_functions,
                             float(num_blacklisted_functions / len(blacklisted_functions)),
                             float(num_whitelisted_functions / len(whitelisted_functions)), persistent_reg_key,
                             num_of_native_functions, num_of_accesses_from_python])                
        
        ###
        return features_labels, features, sha256
        
    except Exception as e:
        log("|process error| " + filename + " -> " + sha256 + " (" + str(e) + ")")
        pass

Sept. 19, 2023, 8:34 p.m. Public Create New Vesion Download Dataset (188.6 KB)

Please wait ...

Public Datasets

Ransomware_Detection_Using_Features_of_PE_Imports Rows: 1831 | Cols: 9 | Reports Used: 3084

Reports Used

Dataset Code

Comments

No comments to display