This repository contains sample dynmx signatures for detecting malware features in API call traces. The signatures can be used with the tool dynmx which can be found in this repository. Please consider that the signatures are developed based on the MSDN definition of API calls and are tested with VMRay function logs only. If the sandbox API trace does not comply with the MSDN in terms of naming API functions and arguments, the signatures will not work. In this case, you will need to adapt the signatures according to the naming used by the individual sandbox.
For the an in-detail description of the features of the dynmx signature DSL and the syntax, please refer to the corresponding master thesis Signature-Based Detection of Behavioural Malware Features with Windows API Calls.