Andrew Williams

35 issues by Andrew Williams

From: https://twitter.com/fr0gger_/status/1387694972976128003 and https://search.unprotect.it/technique/localsize0/. I haven't tested that this does in fact work.

enhancement

References:

- https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html

> Once executed, the SUNSHUTTLE backdoor enumerates the victim’s MAC address and compares it to a hardcoded MAC address value “c8:27:cc:c2:37:5a”. If a match is found the...

enhancement

New hostname / username that we could add to the `known_usernames` and `known_hostnames` checks. Hostnames checked for by OSTap [1]:

```
VBOX7-PC
JANUSZ-PC
ABBY-PC
DESKTOP-HRW10
AMAZING-LINGON
SANDBOX-O365
```

Usernames checked...

enhancement

Reference: https://shasaurabh.blogspot.com/2017/07/virtual-machine-detection-techniques.html

Example: https://github.com/lyzsea/WPM/blob/421f82372e71feb8690b45cd59e33fb4467aa75d/NewGdp/AntiVm/VMDetect.cpp#L80-L110

enhancement

Does it make sense to expand al-khaser to detect the presence of known anti-virus programs as well, since some malware will check for these and not run because of it?...

question

I didn't see an existing implementation in al-khaser for the technique detailed here: https://search.unprotect.it/technique/smsw/

Reference: https://krabsonsecurity.com/2019/12/05/buer-loader-new-russian-loader-on-the-market-with-interesting-persistence/

enhancement

It'd be cool to make calls to `FindWindow` and look for window names associated with debuggers. From [1]:

```
OLLYDBG
WinDbgFrameClass
Zeta Debugger
Rock Debugger
ObsidianGUI
```

From [2] (not...

enhancement

Some malware will look for ProductIds associated with commercial sandboxes and stop running if detected. For example, from [1]:

```
76487-337-8429955-22614 // Anubis Sandbox
76487-644-3177037-23510 // CW Sandbox
55274-640-2673064-23950 //...
```

enhancement

It'd be great to have a working example that demonstrates the script in action, so I tried reproducing the results shown at http://decalage.info/vba_emulation (Specifically Sample 2, using file with hash...

bug

It'd be great to have an executable that contains every valid, non-privileged x86 instruction for testing things like binary disassembly engines. Even better, it'd be great if this executable could...

question