in ransomware/artifact.lua [3941:4077]
--- Per-event entry point of the production ransomware detector.
-- Takes one file-system event record (`inputData`, keyed by
-- `processId`/`parentProcessId`), updates the per-process state held in
-- `self.processDataTable`, runs the individual checks, and raises an alert
-- once the process score reaches `globals.PROCESS_ALERT_SCORE_THRESHOLD`.
-- Every path out of this function returns `true`; the return value does not
-- distinguish "scored", "ignored" or "duplicate".
-- @param inputData table raw event; read here: processId, parentProcessId
-- (the remaining fields are consumed via self:EventData)
-- @treturn boolean always true
function Production:Main(inputData)
local currentProcessData = nil
local currentEventData = nil
-- Lazily create the tracking record for a process the first time it is seen.
if not utils.TableHasKey(self.processDataTable, inputData.processId) then
self.processDataTable[inputData.processId] = Ransomware.ProcessData(inputData.processId,
inputData.parentProcessId)
end
currentProcessData = self.processDataTable[inputData.processId]
-- Processes no longer under active analysis are ignored entirely: nothing is
-- recorded and nothing is scored. Presumably StopActiveAnalysis (below)
-- clears this flag, so a process is not re-evaluated after it has been
-- alerted on or aged out -- confirm in StopActiveAnalysis.
if currentProcessData.activeAnalysis then
currentEventData = self:EventData(inputData)
else
return true
end
-- Parent bookkeeping. A never-seen parent gets a placeholder record with an
-- invalid parent of its own. Only when the parent already exists is this
-- process's unknown (INVALID) parent id back-filled from the event; if the
-- parent record is created on this call the back-fill waits for the next
-- event. NOTE(review): looks like a one-event lag rather than a deliberate
-- choice -- confirm whether inputData.parentProcessId and
-- currentEventData.parentProcessId ever differ.
if not utils.TableHasKey(self.processDataTable, currentEventData.parentProcessId) then
self.processDataTable[currentEventData.parentProcessId] = Ransomware.ProcessData(
currentEventData.parentProcessId, globals.INVALID_PROCESS_ID)
elseif currentProcessData.parentProcessId ~= currentEventData.parentProcessId then
if currentProcessData.parentProcessId == globals.INVALID_PROCESS_ID then
currentProcessData.parentProcessId = currentEventData.parentProcessId
end
end
-- Track distinct directories touched. TableHasValue is a linear scan of the
-- array, so this is O(distinct directories) per event; acceptable only while
-- the analysis window stays bounded by the event thresholds below.
if not utils.TableHasValue(currentProcessData.uniqueDirectoriesByResponsibility, currentEventData.normalizedPath) then
table.insert(currentProcessData.uniqueDirectoriesByResponsibility, currentEventData.normalizedPath)
end
-- For new-file creations remember every (extension, path) pair per file name;
-- used later by the checks (e.g. RansomNoteCheck), see below.
if currentEventData.operation == globals.FILE_CREATE_NEW then
if not utils.TableHasKey(currentProcessData.createFileNames, currentEventData.fileName) then
currentProcessData.createFileNames[currentEventData.fileName] = {}
end
table.insert(currentProcessData.createFileNames[currentEventData.fileName],
{['fileExtension'] = currentEventData.fileExtension, ['filePath'] = currentEventData.filePath})
end
-- Trend score is recomputed from scratch on each event (TrendAnalysis below).
currentProcessData.trendScore = 0.0
-- Duplicate events are dropped before any scoring and before being appended
-- to `events`, so they do not advance the event-count thresholds.
if self.DuplicateEventCheck(currentEventData, currentProcessData) then
return true
end
-- Canary files are consulted only when the build supports them and the
-- production canaries have actually been dropped. A canary hit returns
-- immediately: the event is not appended and no alert is generated in this
-- function. NOTE(review): this assumes CanaryCheck raises its own alert
-- and is invoked on the Ransomware module rather than on self, unlike the
-- other checks -- confirm both.
if (true == globals.canaryCompatible) and (true == globals.productionCanariesDropped) then
if Ransomware:CanaryCheck(currentEventData, currentProcessData) then
return true
end
end
-- Individual-event checks. Order matters: each mutates currentEventData /
-- currentProcessData that later steps read.
self:HeaderCheck(currentEventData, currentProcessData)
self:EntropyCheck(currentEventData, currentProcessData)
self.PathHistory(currentEventData, currentProcessData)
if globals.FILE_RENAME == currentEventData.operation then
self:RenameCheck(currentEventData)
end
self.AbnormalExtensionCheck(currentEventData, currentProcessData)
-- `#events` here is the count BEFORE this event is appended (see the
-- table.insert further down), so RansomNoteCheck and TrendAnalysis start one
-- event later than the threshold checks at the end of the function.
if globals.PROCESS_TREND_FLOOR < #currentProcessData.events then
self.RansomNoteCheck(currentProcessData)
end
self:TotalIndividualScore(currentEventData, currentProcessData)
if globals.PROCESS_TREND_FLOOR < #currentProcessData.events then
self.TrendAnalysis(currentProcessData)
end
globals.UpdateExtensionTables(currentEventData, currentProcessData)
self:TotalProcessScore(currentEventData, currentProcessData)
-- Single append per call; every early return above happens before this line,
-- so the count grows by exactly one per scored event and cannot skip any of
-- the `==` milestones below.
table.insert(currentProcessData.events, currentEventData)
-- Debug trace. string.sub relies on Lua's number->string coercion of
-- `entropy` and keeps only the first four characters (e.g. "7.99").
-- NOTE(review): file paths are attacker-influenced and are written verbatim;
-- if utils.DebugLog does not escape CR/LF, a crafted file name can forge
-- additional log lines -- confirm in utils.DebugLog. Note also that the
-- trace prints totalEventScore while the alert decision below uses
-- totalScore; these are distinct fields.
if globals.FILE_RENAME == currentEventData.operation then
utils.DebugLog(currentEventData.operation .. ' | ' .. string.sub(currentEventData.entropy, 1, 4) .. ' | ' ..
currentEventData.alertScore .. '-' .. currentProcessData.totalEventScore .. ' ' ..
currentEventData.filePreviousPath .. ' => ' .. currentEventData.filePath)
else
utils.DebugLog(currentEventData.operation .. ' | ' .. string.sub(currentEventData.entropy, 1, 4) .. ' | ' ..
currentEventData.alertScore .. '-' .. currentProcessData.totalEventScore .. ' ' ..
currentEventData.filePath)
end
-- Decision. An alert takes precedence over the event-count milestones and
-- stops analysis locally; the milestones (assumed PROCESS_EVENT_THRESHOLD <
-- PROCESS_EXTENDED_EVENT_THRESHOLD < PROCESS_FINAL_EXTENDED_EVENT_THRESHOLD
-- -- confirm) give ExtendEventThresholdCheck two chances to keep the process
-- under analysis before it is unconditionally stopped via a message.
-- StopActiveAnalysis and SendStopActiveAnalysisMsg are different routines;
-- whether both end in activeAnalysis == false is not visible here.
if globals.PROCESS_ALERT_SCORE_THRESHOLD <= currentProcessData.totalScore then
alert.GenerateAlert(currentProcessData, self.diagnosticMode)
self:StopActiveAnalysis(currentProcessData)
elseif globals.PROCESS_EVENT_THRESHOLD == #currentProcessData.events then
if not self.ExtendEventThresholdCheck(currentProcessData) then
self:SendStopActiveAnalysisMsg(currentProcessData)
end
elseif globals.PROCESS_EXTENDED_EVENT_THRESHOLD == #currentProcessData.events then
if not self.ExtendEventThresholdCheck(currentProcessData) then
self:SendStopActiveAnalysisMsg(currentProcessData)
end
elseif globals.PROCESS_FINAL_EXTENDED_EVENT_THRESHOLD == #currentProcessData.events then
self:SendStopActiveAnalysisMsg(currentProcessData)
end
return true
end