Andrew Williams

Results 31 comments of Andrew Williams

FYI: https://twitter.com/MalwareRE/status/1384193510245474313 > The Hyper-V interface of Windows Sandbox gets assigned a new pseudo-randomly generated MAC every time Windows Sandbox is launched (i.e. would not equal c8:27:cc:c2:37:5a / C8-27-CC-C2-37-5A in...

Assuming most people use al-khaser to assess ways in which their malware analysis environment might be susceptible to detection, it seems like it'd be useful for them to be made...

Great points regarding the paper. This OSTap behavior is relatively new AFAIK, so it seems plausible to me that a sandbox still uses 'abby' as the username. Assuming that's true,...

@gsuberland I confirmed that this works, using isVMWare from the github link above and VMWare Fusion 12.1.0: ``` #include #include bool IsVMWare() { bool res = true; __try { __asm...

I was thinking it'd be useful to replicate specific antivirus checks that malware performs so that someone could use al-khaser to determine whether their analysis environment is susceptible to any...

Awesome, I'll start putting these lists together

From [1]:
```
76487-640-1457236-23837 // Anubis
76497-640-6308873-23835 // CWSandbox 2.1.22
76487-640-8834005-23195
76487-640-0716662-23535
76487-644-8648466-23106
00426-293-8170032-85146
76487-341-5883812-22420
76487-OEM-0027453-63796 // Comodo Camas
```
From [2]:
```
76487-640-1464517-23259 // malwr.com sandbox
76487-341-0620571-22546 // From...
```
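The two artifact checks discussed in these comments, the ProductId list above and the fixed Windows Sandbox MAC from the FYI comment, put into one small C program. This is an added example, not code from al-khaser or from the comment author: the ProductId list is copied from the comment, the MAC comparison accepts both notations quoted there (colon-separated lowercase and dash-separated uppercase) so a notation mismatch cannot hide a hit, and the Windows-only registry read assumes the usual `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId` value. As the FYI comment notes, Windows Sandbox regenerates its MAC on every launch, so an exact-MAC comparison like the one below is only meaningful for environments with a stable MAC.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Product IDs quoted in the comment above (Anubis, CWSandbox 2.1.22, Comodo Camas,
 * malwr.com sandbox, and the unattributed ones). An exact string match against the
 * machine's ProductId is all the referenced malware does. */
static const char *const kSandboxProductIds[] = {
    "76487-640-1457236-23837", /* Anubis */
    "76497-640-6308873-23835", /* CWSandbox 2.1.22 */
    "76487-640-8834005-23195",
    "76487-640-0716662-23535",
    "76487-644-8648466-23106",
    "00426-293-8170032-85146",
    "76487-341-5883812-22420",
    "76487-OEM-0027453-63796", /* Comodo Camas */
    "76487-640-1464517-23259", /* malwr.com sandbox */
    "76487-341-0620571-22546",
};

/* Return the matching list entry, or NULL if the ProductId is not a known sandbox one. */
const char *sandbox_product_id_match(const char *product_id) {
    size_t i;
    for (i = 0; i < sizeof kSandboxProductIds / sizeof kSandboxProductIds[0]; i++) {
        if (strcmp(product_id, kSandboxProductIds[i]) == 0)
            return kSandboxProductIds[i];
    }
    return NULL;
}

/* Normalize a MAC written as "c8:27:cc:c2:37:5a", "C8-27-CC-C2-37-5A" or
 * "c827ccc2375a" into 12 lowercase hex digits (out must hold 13 bytes).
 * Returns false for any other shape, so a malformed string never "matches". */
bool normalize_mac(const char *in, char out[13]) {
    size_t n = 0;
    const char *p;
    for (p = in; *p != '\0'; p++) {
        if (*p == ':' || *p == '-')
            continue;
        if (!isxdigit((unsigned char)*p) || n >= 12)
            return false;
        out[n++] = (char)tolower((unsigned char)*p);
    }
    if (n != 12)
        return false;
    out[12] = '\0';
    return true;
}

/* Compare two MACs regardless of separator and letter case. */
bool mac_equals(const char *a, const char *b) {
    char na[13], nb[13];
    if (!normalize_mac(a, na) || !normalize_mac(b, nb))
        return false;
    return strcmp(na, nb) == 0;
}

#ifdef _WIN32
/* Windows only: read the ProductId the malware compares against (assumed path:
 * HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId). */
bool read_product_id(char *buf, DWORD cb) {
    return RegGetValueA(HKEY_LOCAL_MACHINE,
                        "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
                        "ProductId", RRF_RT_REG_SZ, NULL, buf, &cb) == ERROR_SUCCESS;
}
#endif

int main(void) {
    /* Constructed inputs: one ProductId from the list and the Windows Sandbox MAC
     * quoted in the FYI comment, in both notations seen there. */
    const char *pid = "76487-OEM-0027453-63796";
    const char *hit = sandbox_product_id_match(pid);
    printf("ProductId %s -> %s\n", pid, hit ? "KNOWN SANDBOX ID" : "not in list");
    printf("MAC colon form == dash form: %d\n",
           mac_equals("c8:27:cc:c2:37:5a", "C8-27-CC-C2-37-5A"));
#ifdef _WIN32
    {
        char live[64];
        if (read_product_id(live, sizeof live))
            printf("This machine: %s -> %s\n", live,
                   sandbox_product_id_match(live) ? "KNOWN SANDBOX ID" : "not in list");
    }
#endif
    return 0;
}
```

On a non-Windows build only the constructed inputs are exercised; on Windows the program also reports whether the local ProductId is on the list, which is the check an analyst would run inside the sandbox they are assessing.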

Thank you so much for the quick, thorough response - it was a big help! I've started work on a proof of concept using the intermediate database parsed by read_xed_db.py,...

I decided to take a step back and have been working with the ex1 program for now. I had two questions from that: 1. If an instruction has a REX...

@pgoodman thanks for the suggestion, I'll take a look at microx! @markcharney I had a question about some of the patterns that leverage the `IMMUNE66()` tag. Specifically, the following: (the...