Welcome to Scribd!

Blog 1

Uploaded by

0% found this document useful (0 votes)

17 views2 pages

Malware often checks registry keys to determine if it is running in a virtual machine in order to avoid detection. Some malware also modifies registry keys to maintain persistence, disable security tools, or enable privileges like remote desktop access. Ransomware like Maze, Conti, REvil, Netwalker, and Clop all use registry key queries and modifications for functions like maintaining persistence, disabling defenses, and enabling privileges.

Original Description:

Original Title

blog1

Copyright

Available Formats

DOCX, PDF, TXT or read online from Scribd

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Report this Document

Copyright:

Available Formats

Download as DOCX, PDF, TXT or read online from Scribd

Flag for inappropriate content

Download as docx, pdf, or txt

0% found this document useful (0 votes)

17 views2 pages

Blog 1

Uploaded by

Viren Choudhari

Copyright:

Available Formats

Download as DOCX, PDF, TXT or read online from Scribd

Flag for inappropriate content

Download as docx, pdf, or txt

Jump to Page

You are on page 1of 2

Search inside document

Story 1:

Some malware reads registry key values and looks for substrings in them that suggest a virtual machine

 The Smoke Loader banking trojan, checks registry key values in System\CurrentControlSet\
Enum\IDE and System\CurrentControlSet\Enum\SCSI to search for substrings that match QEMU,
VirtualBox, VMware, or Xen virtualization products (Source)
 FinFisher verifies that HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid does not
equal "6ba1d002-21ed-4dbe-afb5-08cf8b81ca32 (Source)
 CozyCar checks the registry key values in SOFTWARE\Microsoft\Windows\
CurrentVersion\Uninstall for security products (Source)

https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles

Story 2:

Top ransomware how they use registry keys

1. Maze (aka ChaCha ransomware) Maze ransomware, first spotted in 2019, quickly

rose to the top of its malware class. ...

T1112: Modify Registry

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v
fDenyTSConnections /t REG_DWORD /d 0 /f --- enable remote desktop

T1547.001 - Registry Run Keys / Startup Folder

T1012 - Query Registry

2. Conti (aka IOCP ransomware) ...

T1012 - Query Registry: Conti ransomware first checks the computer name belonging to the
victim, via the registry:

T1562.001 - Impair Defenses: Disable or Modify ToolsThe threat actors disabled Windows
Defender by adding the below to an already linked GPO.
T1547.001 - Registry Run Keys / Startup Folder

3. REvil (aka Sodin, Sodinokibi ransomware) ...

T1547.001 - Registry Run Keys / Startup Folder - a couple RunOnce registry keys and then
immediately rebooted the system into Safe Mode with Networking
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
aDTFUAIa7j :

https://malpedia.caad.fkie.fraunhofer.de/details/win.revil

4. Netwalker (aka Mailto ransomware) ...

Registry Run Key (T1547.001): Place a value on RunOnce key

Modify Registry key (T1112): Create its own registry key in \SOFTWARE\
<uniquename>

T1547.001: A registry key will be set to maintain persistency of the payload on the host in
the following: ‘HKLM/software/’ and ‘HKCU/software/’

T1112 Registry Modification HKLM\Software\CLasses\cmdfile\shell\open\command

5. Clop ransomware.
T1562.001: Impair Defenses: Disable or Modify Tools: Clop, disables
Windows Defender in the beginning of its execution. Cybereason detects the
malicious commands executed to silently modify related registry keys:

CA Skills Assessment 2 - Dion A Webiaswara
Document12 pages
CA Skills Assessment 2 - Dion A Webiaswara
filzah903150
No ratings yet
Indonesia Flexible Packaging Market Growth, Trends, COVID 19 Impact
Document135 pages
Indonesia Flexible Packaging Market Growth, Trends, COVID 19 Impact
Indah Yune
No ratings yet
Cybereason Cobalt Kitty - Answers
Document15 pages
Cybereason Cobalt Kitty - Answers
Muhammad Ali
No ratings yet
Rootkit Presentation
Document30 pages
Rootkit Presentation
Salma Zraibi
100% (2)
Ultimate Hacking Challenge: Hacking the Planet, #3
From Everand
Ultimate Hacking Challenge: Hacking the Planet, #3
sparc Flow
Rating: 5 out of 5 stars
5/5 (2)
General Standards (NDT)
Document2 pages
General Standards (NDT)
agniva datta
No ratings yet
Shocking Psychological Studies and The Lessons They Teach
Document99 pages
Shocking Psychological Studies and The Lessons They Teach
Arun Sharma
100% (1)
Cash Receipts System Narrative 2010 v3
Document4 pages
Cash Receipts System Narrative 2010 v3
cristel jane Fullones
No ratings yet
AP.1901 Inventories.
Document8 pages
AP.1901 Inventories.
Erlinda Esguerra Guiang
100% (9)
Story 2:: Source Source
Document3 pages
Story 2:: Source Source
Viren Choudhari
No ratings yet
7 2 Malware Behavior
Document28 pages
7 2 Malware Behavior
Jayesh Shinde
No ratings yet
Malware Dynamic Analysis Part-4
Document45 pages
Malware Dynamic Analysis Part-4
Mazhar Waqar
No ratings yet
Hunting Trogens
Document46 pages
Hunting Trogens
Ashley James Williams
No ratings yet
ZeroAccess Rootkit Analysis PDF
Document9 pages
ZeroAccess Rootkit Analysis PDF
zosite
No ratings yet
CA v1.0 Skills Assessment
Document3 pages
CA v1.0 Skills Assessment
Bryan Rijkard Flores Mora
No ratings yet
Ethical Hacking: by Sachin Tyagi
Document27 pages
Ethical Hacking: by Sachin Tyagi
Harsh Bajaj
No ratings yet
Malware Analysis
Document21 pages
Malware Analysis
Ayush rawal
100% (1)
Chapter 3. Basic Dynamic Analysis
Document10 pages
Chapter 3. Basic Dynamic Analysis
Jayesh Shinde
No ratings yet
Anti VM
Document26 pages
Anti VM
Anonymous Legions
No ratings yet
McAfee Labs Threat Advisory - Ransom-WanaCry
Document5 pages
McAfee Labs Threat Advisory - Ransom-WanaCry
Ioan Maxim
No ratings yet
Lateral movement playbook - Microsoft Defender for Identity _ Microsoft Learn
Document13 pages
Lateral movement playbook - Microsoft Defender for Identity _ Microsoft Learn
Berkay Yemen
No ratings yet
Information: Detailed Study of
Document13 pages
Information: Detailed Study of
api-19713775
No ratings yet
Source Email Worm - win32.Mydoom.A
Document88 pages
Source Email Worm - win32.Mydoom.A
etiennekraemer
No ratings yet
Microsoft Defender for Identity Domain Dominance Playbook - Microsoft Defender for Identity _ Microsoft Learn
Document14 pages
Microsoft Defender for Identity Domain Dominance Playbook - Microsoft Defender for Identity _ Microsoft Learn
Berkay Yemen
No ratings yet
Ca v10 Skills Assessment 1
Document6 pages
Ca v10 Skills Assessment 1
Noun Kely
No ratings yet
Practica Backdoor
Document6 pages
Practica Backdoor
Luis Alberto Gp
No ratings yet
FakeAlert-Smart Fortress 2012
Document4 pages
FakeAlert-Smart Fortress 2012
Masbooks
No ratings yet
(SOLVED) Trend Micro OfficeScan Install Issues - Antivirus - Spiceworks
Document2 pages
(SOLVED) Trend Micro OfficeScan Install Issues - Antivirus - Spiceworks
Lincoln
No ratings yet
2022-08-19 - Back in Black - Unlocking A LockBit 3.0 Ransomware Attack
Document6 pages
2022-08-19 - Back in Black - Unlocking A LockBit 3.0 Ransomware Attack
Roch
No ratings yet
Hunting Trojan Horses: January 2006
Document47 pages
Hunting Trojan Horses: January 2006
Arun cp
No ratings yet
Combating w32 Conficker Worm
Document29 pages
Combating w32 Conficker Worm
gbocanegrav
No ratings yet
Red Canary Intelligence Analyst Assessment (Publicly Available)
Document4 pages
Red Canary Intelligence Analyst Assessment (Publicly Available)
tim
No ratings yet
How Virus Loads
Document4 pages
How Virus Loads
maliciousbrains
100% (2)
Discovering Oracle Accounts With
Document40 pages
Discovering Oracle Accounts With
Steven Conley
No ratings yet
Abusing Notepad Plugins For Evasion and Persistence
Document8 pages
Abusing Notepad Plugins For Evasion and Persistence
unbiasedworkrelatedph
No ratings yet
Injection 7 Information On Ransomware Attack and Measures
Document8 pages
Injection 7 Information On Ransomware Attack and Measures
XayDung 56CD5
No ratings yet
The Madi Infostealers
Document26 pages
The Madi Infostealers
Juan Sebastian Lopez Villa
No ratings yet
Hack Terms & Definitions
Document6 pages
Hack Terms & Definitions
zulfiqar
No ratings yet
Malware Analysis
Document4 pages
Malware Analysis
pratik karguppikar
No ratings yet
Penetration - Testing Tutorial
Document3 pages
Penetration - Testing Tutorial
Prasanth Munusamy
No ratings yet
Conti Playbook Translated
Document32 pages
Conti Playbook Translated
jarot jarot
No ratings yet
How To Identify The Architecture of Installed HFM in A Machine After Its Installed?
Document4 pages
How To Identify The Architecture of Installed HFM in A Machine After Its Installed?
Rajesh Theodore
No ratings yet
Reversing & Malware Analysis Training 12
Document46 pages
Reversing & Malware Analysis Training 12
Abhas Gupta
No ratings yet
Ethical Hacking
Document29 pages
Ethical Hacking
Mannerless Kiko
No ratings yet
How I Cracked Your Windows Password (Part 2)
Document5 pages
How I Cracked Your Windows Password (Part 2)
vijaychutar
No ratings yet
Combatting W32 Conficker Worm
Document15 pages
Combatting W32 Conficker Worm
blood1987
No ratings yet
Uninstalling Clients or Agents in OfficeScan
Document6 pages
Uninstalling Clients or Agents in OfficeScan
Joao Teixeira
No ratings yet
2014 11 16 Traffic Analysis Exercise Answers
Document9 pages
2014 11 16 Traffic Analysis Exercise Answers
Vajra Yudha
No ratings yet
Windows Rootkits
Document17 pages
Windows Rootkits
swinki3
No ratings yet
Cheat Analysis
Document7 pages
Cheat Analysis
hackszubov
No ratings yet
Pink Group Attack
Document2 pages
Pink Group Attack
Farah Yamin
No ratings yet
CS 502
Document46 pages
CS 502
Ur Mn
No ratings yet
Wmic Trick O Hacker
Document12 pages
Wmic Trick O Hacker
josean
No ratings yet
Atomic Red Team
Document6 pages
Atomic Red Team
faridayasmindhk1207
No ratings yet
Malware Analysis Practical
Document9 pages
Malware Analysis Practical
sonik sarungale
No ratings yet
Lab 12
Document12 pages
Lab 12
Ngô Hải Anh
No ratings yet
Win32 Morto.a Malware PDF
Document6 pages
Win32 Morto.a Malware PDF
vishalpunjabi
No ratings yet
lab1_intro_malware_analysis
Document5 pages
lab1_intro_malware_analysis
Hoang Duc Hoan
No ratings yet
System Penetration With Metasploit Framework: Ajit Kumar Pradhan
Document5 pages
System Penetration With Metasploit Framework: Ajit Kumar Pradhan
Xman Returns
No ratings yet
2006 01 DC214 WinsysInternals
Document37 pages
2006 01 DC214 WinsysInternals
0esmon0
No ratings yet
Cybereason Labs Analysis Operation Cobalt Kitty-Part1
Document41 pages
Cybereason Labs Analysis Operation Cobalt Kitty-Part1
bank bank
No ratings yet
Prosedur Terjadinya Undang-Undang
Document5 pages
Prosedur Terjadinya Undang-Undang
neni
No ratings yet
Common Windows, Linux and Web Server Systems Hacking Techniques
From Everand
Common Windows, Linux and Web Server Systems Hacking Techniques
Dr. Hidaia Mahmood Alassouli
No ratings yet
Footprinting, Reconnaissance, Scanning and Enumeration Techniques of Computer Networks
From Everand
Footprinting, Reconnaissance, Scanning and Enumeration Techniques of Computer Networks
Dr. Hidaia Mahmood Alassouli
No ratings yet
Some Tutorials in Computer Networking Hacking
From Everand
Some Tutorials in Computer Networking Hacking
Dr. Hidaia Mahmood Alassouli
No ratings yet
DFIR Detection
Document9 pages
DFIR Detection
Viren Choudhari
No ratings yet
Threat Name Internet Exposure Impacted Organization(s) Description of Threat CVE Mode of Infection(s) Recommended Actions References
Document8 pages
Threat Name Internet Exposure Impacted Organization(s) Description of Threat CVE Mode of Infection(s) Recommended Actions References
Viren Choudhari
No ratings yet
Story 2:: Source Source
Document3 pages
Story 2:: Source Source
Viren Choudhari
No ratings yet
Threat Name Internet Exposure Impacted Organization(s) Description of Threat CVE Mode of Infection(s) Recommended Actions References
Document9 pages
Threat Name Internet Exposure Impacted Organization(s) Description of Threat CVE Mode of Infection(s) Recommended Actions References
Viren Choudhari
No ratings yet
Backdoored Browser Extensions
Document6 pages
Backdoored Browser Extensions
Viren Choudhari
No ratings yet
Threat Name: Sensitivity: Internal Restricted
Document2 pages
Threat Name: Sensitivity: Internal Restricted
Viren Choudhari
No ratings yet
Threat Name Internet Exposure Impacted Organization(s) Description of Threat CVE Mode of Infection(s) Recommended Actions References
Document6 pages
Threat Name Internet Exposure Impacted Organization(s) Description of Threat CVE Mode of Infection(s) Recommended Actions References
Viren Choudhari
100% (1)
China-Linked TA413 Group
Document9 pages
China-Linked TA413 Group
Viren Choudhari
No ratings yet
Boro Suker - English - COpy1
Document2 pages
Boro Suker - English - COpy1
Viren Choudhari
No ratings yet
Interview Questionafff
Document4 pages
Interview Questionafff
Viren Choudhari
No ratings yet
TrickBot Botnet Targeting Multiple Industries
Document3 pages
TrickBot Botnet Targeting Multiple Industries
Viren Choudhari
No ratings yet
Malware Analysis
Document3 pages
Malware Analysis
Viren Choudhari
No ratings yet
Io Cs
Document33 pages
Io Cs
Viren Choudhari
No ratings yet
CTI Data
Document2 pages
CTI Data
Viren Choudhari
No ratings yet
Melukote Yatra
Document3 pages
Melukote Yatra
Viren Choudhari
No ratings yet
Best BA Outline-Hague
Document195 pages
Best BA Outline-Hague
Asia Lemmon
No ratings yet
MINORS TRAVELLING ABROAD Application Form Affidavit of Support and Consent Affidavit of Undertaking
Document3 pages
MINORS TRAVELLING ABROAD Application Form Affidavit of Support and Consent Affidavit of Undertaking
Bhong canete
No ratings yet
Kurt Lewin
Document6 pages
Kurt Lewin
fotiadis
100% (2)
M607 L01 Solution
Document7 pages
M607 L01 Solution
Ronak Patel
No ratings yet
Tax Invoice/Bill of Supply/Cash Memo: (Original For Recipient)
Document1 page
Tax Invoice/Bill of Supply/Cash Memo: (Original For Recipient)
Pavan Kumar
No ratings yet
Annual Report 2020 V3
Document179 pages
Annual Report 2020 V3
Uswa Khurram
No ratings yet
Health and Physical Education Thesis
Document35 pages
Health and Physical Education Thesis
Zia Islam
No ratings yet
MLCF
Document27 pages
MLCF
Muhammad Hafeez
No ratings yet
Geffon
Document6 pages
Geffon
Daniel Hopsicker
No ratings yet
ED Hiring Guide
Document20 pages
ED Hiring Guide
chokx008
No ratings yet
STUDENT 2021-2022 Academic Calendar (FINAL)
Document1 page
STUDENT 2021-2022 Academic Calendar (FINAL)
Babar Imtiaz
No ratings yet
Swot Panasonic
Document2 pages
Swot Panasonic
XingMei Starszsis
No ratings yet
Aircraft Leasing
Document50 pages
Aircraft Leasing
Benchmarking84
100% (2)
Chapter On 'Aqidah - SH Abdulqadir Al-Jilani
Document12 pages
Chapter On 'Aqidah - SH Abdulqadir Al-Jilani
Ujjal Mazumder
No ratings yet
NILE Initiating Coverage JS
Document11 pages
NILE Initiating Coverage JS
Brian Bolan
No ratings yet
Acc21 March18
Document12 pages
Acc21 March18
Romero Mary Jane C.
No ratings yet
TZ 04 - Solid Waste Regulations Revised January - 2009 - Ver1 - 2
Document47 pages
TZ 04 - Solid Waste Regulations Revised January - 2009 - Ver1 - 2
Jonathan Masu
No ratings yet
ScarletLetter StudyGuide
Document8 pages
ScarletLetter StudyGuide
jongambia
No ratings yet
Indifference Curve Analysis
Document91 pages
Indifference Curve Analysis
Shweta Singh
No ratings yet
Savita
Document1 page
Savita
SDM Gurugram
No ratings yet
Merchandising
Document18 pages
Merchandising
hamida sarip
100% (2)
Dialogue Cause and Effect About Global Warming
Document4 pages
Dialogue Cause and Effect About Global Warming
Grace Hany
No ratings yet
2 Schools of Thoughts
Document4 pages
2 Schools of Thoughts
botiod
No ratings yet
INSTA September 2023 Current Affairs Quiz Questions 1
Document10 pages
INSTA September 2023 Current Affairs Quiz Questions 1
rsimback123
No ratings yet