Oh look, more dubious drivers protected by vmprotect.
A driver protected by vmp should be an indicator of compromise at this point.
In the course of doing our research, we studied older variants of #BURNTCIGAR #drivers, and compared them to the new ones we were encountering during the incident response.
We found that these new drivers had been obfuscated with a variety of techniques, specifically that the drivers were packed using a commercial runtime #packer called #VMprotect. The packer makes it more difficult for an analyst to reverse-engineer a #malware sample, but we don't see a lot of drivers that are packed, at all. It was kind of unusual.
In addition, the malware drivers require the threat actor to run an executable called a loader, which simply does the mechanical work of creating Services entries in the Windows Registry and moving the driver into the %temp% directory. The loader isn't packed.
Extracting VMProtect handlers with Binary Ninja https://www.lodsb.com/extracting-vmprotect-handlers-with-binary-ninja #VMProtect
📬Assassin's Creed: Origins – Denuvo-free version loads faster📬 https://tarnkappe.info/assassins-creed-origins-denuvo-freie-version-laedt-schneller/ #Assassin'sCreed:Origins #DarkSideofGaming #JohnPapadopoulos #VMProtect #Artikel #Denuvo #CODEX