
PML file being encrypted by malware

Open oasec1 opened this issue 4 years ago • 2 comments

I'm still encountering this issue daily with ransomware. What are your thoughts about adding an option to just eliminate the extension of the output file altogether? Many of the samples that I've encountered don't encrypt files that don't have extensions.

oasec1, Dec 19 '20 19:12

I've been playing with this issue for a while, and apologies for the lengthy delay. It's an issue of the backing file being encrypted, but Procmon does have the ability to use virtual memory for the live data. Do you have a sample that you can test against, or provide a hash for so I can test?

In Procmon, if you enable File > Backing File... > Virtual Memory, that may be able to get around this issue. However, I cannot guess the performance issues, or ultimate memory usage, of that.

Then one small edit to the script, within "launch_procmon_capture()" to force this:

Change: cmdline = '"{}" /BackingFile "{}" /Quiet /Minimized'.format(procmonexe, pml_file)

To: cmdline = '"{}" /PagingFile /Quiet /Minimized'.format(procmonexe)

Rurik, Jan 18 '21 16:01
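As an added example (not Noriben's own code, and not part of the thread), the two command lines above side by side as one small builder, plus the post-run check a sandbox operator would want when staying with a file-backed log: does the PML on disk still look like a Procmon log, or did the sample encrypt or rename it? The function and variable names are assumptions for illustration; the `/BackingFile`, `/PagingFile`, `/Quiet` and `/Minimized` switches are the ones quoted in the comment. The 4-byte `PML_` signature is taken from the publicly documented PML format and should be confirmed against a log from your own Procmon build.

```python
"""Added example (not Noriben's own code): build the Procmon command line in
either backing-file or paging-file mode, and check afterwards whether a
file-backed PML log survived the sample run."""
import os

# Procmon log files begin with the 4-byte signature b"PML_" (assumption drawn
# from the public PML format description; verify against a real capture).
PML_SIGNATURE = b"PML_"


def build_procmon_cmdline(procmonexe, pml_file=None, use_paging_file=False):
    """Return the Procmon command line a Noriben-style launcher would run.

    use_paging_file=True corresponds to the suggested edit in this thread:
    no /BackingFile, Procmon keeps the live capture in virtual memory via
    /PagingFile, so there is no on-disk file for ransomware to encrypt.
    """
    if use_paging_file:
        return '"{}" /PagingFile /Quiet /Minimized'.format(procmonexe)
    if pml_file is None:
        raise ValueError("pml_file is required when not using /PagingFile")
    return '"{}" /BackingFile "{}" /Quiet /Minimized'.format(procmonexe, pml_file)


def looks_like_pml(data):
    """True if the first bytes carry the PML signature (cheap sanity check)."""
    return data[:len(PML_SIGNATURE)] == PML_SIGNATURE


def backing_file_status(pml_file):
    """Classify what happened to a file-backed log after the sample ran.

    Returns "ok", "missing" (deleted or renamed, e.g. given a ransom
    extension) or "corrupted" (still present but the header was overwritten,
    which is the symptom reported in this issue).
    """
    if not os.path.isfile(pml_file):
        return "missing"
    with open(pml_file, "rb") as fh:
        head = fh.read(len(PML_SIGNATURE))
    return "ok" if looks_like_pml(head) else "corrupted"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real capture.
    print(build_procmon_cmdline(r"C:\tools\procmon.exe", r"C:\noriben\log.pml"))
    print(build_procmon_cmdline(r"C:\tools\procmon.exe", use_paging_file=True))
    print(looks_like_pml(b"PML_" + b"\x00" * 60))     # True: intact header
    print(looks_like_pml(b"\x8f\x12encrypted-blob"))  # False: header overwritten
    print(backing_file_status(r"C:\noriben\does-not-exist.pml"))  # "missing"
```

A "corrupted" or "missing" result is the signal to rerun the capture in paging-file mode rather than to trust a partial CSV export; checking the header before parsing avoids feeding ciphertext to the log parser.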

Thanks for the response. I can certainly get a relatively new sample for analysis and testing. Let me know when you'd like to start; we can do remote sessions with AnyConnect.

Robert

oasec1, Jan 18 '21 17:01