MalFe

Please wait ...

Public Datasets

Ransomware_Detection_Using_Features_of_PE_Imports_2 Rows: 1831 | Cols: 8 | Reports Used: 3084

Description: A dataset of Portable Executable files and the features extracted from their imports (PE Imports). The following are the features extracted: 1. The number of functions utilized per DLL imported as a ratio, 2. The number of 'bogus' functions, that is functions that are made-up and typically have additional (non-alphabetic) characters in the name, 3. The number of functions utilized by that PE file that are blacklisted as functions typically imported by ransomware files, 4. The number of functions utilized by that PE file that are typically imported and used exclusively by good-ware files 'whitelisted' functions, 5. The difference of the number of register keys opened/ created and those deleted by the end of the application, and 6. The number of native functions utilized by the PE file.

Dataset SHA256: 76085f3bf41a81a90012299623d7cf6fcc0dac059e3dab271e0346b94e436316

Features (sample):

	label	ave_functions_utilised_from_dlls_imported	bogus_functions	num_blacklisted_functions	num_whitelisted_functions	persistent_reg_key	num_native_functions	SHA256
0	M	1.115312	37	2	1	-1	0	4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
1	M	24.500000	0	1	0	0	0	bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a
...	...	...	...	...	...	...	...	...
1829	M	2.950617	2	3	0	0	0	7d809e8c9b98c16647bbfac49854c28ecc3fe6d4345410deeaa79445cc50cf51
1830	M	0.813333	0	0	1	0	0	eb920e0fc0c360abb901e04dce172459b63bbda3ab8152350885db4b44d63ce5

1831 rows × 8 columns

Created by: Tanatswa Dendere
Downloaded 4 times
Comments Enabled: True
Comments: 0
Related Dataset: Ransomware_Detection_Using_PE_Imports

def process(data, filename, sha256, category, malicious):
    try:
        # Implement your data processing here, this function will get called with the data of each 
        # report in the category you have selected along with the filename of the report and hash. 
        # Do your processing and add your data to the features array, and return the features_lables, features, and sha256
        # PLEASE NOTE: THE CODE BELOW SERVES AS AN EXAMPLE ONLY! This example extracts the entropy of the PE Sections. Which can be seen here: https://malfe.cs.up.ac.za/datasets/view/Entropy_of_PE_Sections/5
        ###

features_labels = ["label", "ave_functions_utilised_from_dlls_imported", "bogus_functions",
                           "num_blacklisted_functions", "num_whitelisted_functions", "persistent_reg_key",
                           "num_native_functions"]
        features = []
        label = "M" if malicious else "B"

# ## Array for Feature 3 (the blacklisted functions - functions prevalent in ransomware)
        blacklisted_functions = ["WriteConsoleW", "Process32NextW", "Process32FirstW", "CreateToolhelp32Snapshot",
                                 "CoInitializeSecurity", "MoveFileWithProgressW", "CryptEncrypt", "CryptExportKey",
                                 "CryptGenKey", "CryptDeriveKey", "CryptDecodeObject", "CryptImportPublicKeyInfo",
                                 "socket", "DrawTextExW", "GetForegroundWindow"]

# ## Array for Feature 4 (the functions that are most likely to be invoked in good-ware than in ransomware)
        whitelisted_functions = ["DeviceIoControl", "SetFileTime", "SHGetFolderPathW"]

ratio_functions_total = 0
        ave_functions_utilised_from_dlls_imported = 0
        bogus_functions = 0
        num_blacklisted_functions = 0
        num_whitelisted_functions = 0

persistent_reg_key = 0
        num_opened_reg_key = 0
        num_closed_reg_key = 0

num_native_functions = 0

if "static" in data:
            if "pe_imports" in data["static"]:

num_imported_dlls = 0
                if "imported_dll_count" in data["static"]:
                    num_imported_dlls = data["static"]["imported_dll_count"]

for pe_import in data["static"]["pe_imports"]:
                    # ## Feature 1
                    if num_imported_dlls > 0:
                        ratio_functions_total = ratio_functions_total + len(pe_import["imports"]) / num_imported_dlls
                    for i in pe_import["imports"]:

if "name" in i:
                            function_name = str(i["name"])
                            # ## Feature 2
                            if not function_name.isalpha():
                                bogus_functions = bogus_functions + 1
                            # ## Feature 3
                            if function_name.lower() in (func_name.lower() for func_name in blacklisted_functions):
                                num_blacklisted_functions = num_blacklisted_functions + 1
                            # ## Feature 4
                            if function_name.lower() in (func_name.lower() for func_name in whitelisted_functions):
                                num_whitelisted_functions = num_whitelisted_functions + 1
                            # ## Feature 5
                            if function_name.lower().startswith("regcreate"):
                                num_opened_reg_key = num_opened_reg_key + 1
                            if function_name.lower().startswith("regdelete"):
                                num_closed_reg_key = num_closed_reg_key + 1
                            # ## Feature 6
                            if function_name.lower().startswith("nt") or function_name.lower().startswith("zw"):
                                num_native_functions = num_native_functions + 1

# ## for Feature 1
                if num_imported_dlls > 0:
                    ave_functions_utilised_from_dlls_imported = float(ratio_functions_total / num_imported_dlls)

# ## for Feature 5
                persistent_reg_key = num_opened_reg_key - num_closed_reg_key

features.append([label, float(ave_functions_utilised_from_dlls_imported), bogus_functions,
                             num_blacklisted_functions, num_whitelisted_functions, persistent_reg_key,
                             num_native_functions])                 
        
        ###
        return features_labels, features, sha256
        
    except Exception as e:
        log("|process error| " + filename + " -> " + sha256 + " (" + str(e) + ")")
        pass

Sept. 27, 2023, 10:28 p.m. Public Create New Vesion Download Dataset (163.5 KB)

Please wait ...

Public Datasets

Ransomware_Detection_Using_Features_of_PE_Imports_2 Rows: 1831 | Cols: 8 | Reports Used: 3084

Reports Used

Dataset Code

Comments

No comments to display