Create file disables_safeboot.py
A signature to detect the various modifications to safeboot
I noticed it is similar to the signature prevents_safeboot, aside from the fact that that signature is a delete of the key, whereas this one is a modify. I have been testing with tools to disable safe mode, in which it is effectively a modification of the values and things to break it, but this signature is potentially redundant or could be applied to the existing signature.
Could you show me some logs or screenshots (or maybe a hash) of a sample that plays with safeboot via registry writes?
Hi,
I can't find the malware sample again (I am sure I have seen and noted it in the past), but you can trigger this functionality with MD5 d21a98b6f55d6e6bf6d4d6357e5028f4, which is a safeboot disabling tool: https://www.raymond.cc/blog/disable-f8-key-to-block-access-to-safe-mode-during-windows-startup/
As such, because it effectively disables safe mode without deleting the keys, it may be worth covering this case.
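Added example, not code from this PR or from the Cuckoo project: a stand-alone classifier run over constructed registry events that separates deletions of the SafeBoot key (the behaviour prevents_safeboot covers) from in-place writes under it (the behaviour this signature covers). The key-path regex, the API-name sets and the sample event lines are assumptions made for the example.

```python
import re

# Constructed sample of sandbox registry events (not from the page or from
# Cuckoo): "api|key path|value name", one event per line.
SAMPLE_EVENTS = r"""
RegSetValueExW|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys|(Default)
RegDeleteValueW|HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Base|(Default)
RegDeleteKeyW|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal|
RegSetValueExW|HKEY_CURRENT_USER\Software\Example\Updater|Path
RegSetValueExW|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootX|Foo
RegCreateKeyExW|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option|
"""

# Assumed path pattern: the SafeBoot key itself or anything beneath it, under
# CurrentControlSet or a numbered ControlSetNNN. The trailing group rejects
# look-alike siblings such as "SafeBootX".
SAFEBOOT_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Control\\SafeBoot(?:\\|$)",
    re.IGNORECASE,
)

# Assumed API families. Deleting the key (or a subkey) is what the existing
# prevents_safeboot signature describes; writing, creating or removing values
# beneath a key that still exists is the "modify" case this PR targets.
DELETE_KEY_APIS = {"RegDeleteKeyW", "RegDeleteKeyA", "RegDeleteKeyExW", "NtDeleteKey"}
MODIFY_APIS = {"RegSetValueExW", "RegSetValueExA", "NtSetValueKey",
               "RegCreateKeyExW", "RegCreateKeyExA", "NtCreateKey",
               "RegDeleteValueW", "RegDeleteValueA", "NtDeleteValueKey"}


def classify_safeboot_events(events: str) -> dict:
    """Return {"delete": [...], "modify": [...]} of (api, key, value) tuples
    for every event that touches the SafeBoot key; other keys are ignored."""
    hits = {"delete": [], "modify": []}
    for line in events.strip().splitlines():
        api, key, value = line.split("|", 2)
        if not SAFEBOOT_KEY.match(key):
            continue  # unrelated key, e.g. an HKCU autorun entry
        if api in DELETE_KEY_APIS:
            hits["delete"].append((api, key, value))
        elif api in MODIFY_APIS:
            hits["modify"].append((api, key, value))
    return hits


def matching_signatures(hits: dict) -> list:
    """Map the two event classes onto the signature names from this PR thread."""
    names = []
    if hits["delete"]:
        names.append("prevents_safeboot")  # key removed outright
    if hits["modify"]:
        names.append("disables_safeboot")  # key kept, contents altered
    return names
```

Run stand-alone it reports one key deletion and three in-place modifications, so both signatures would fire on the constructed sample while the HKCU write and the "SafeBootX" look-alike are ignored.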