Author Topic: Creation of a Valkyrie Indicator for Shell function calls  (Read 172 times)

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • Posts: 408
  • I like CIS , Kali Linux and IDA Pro ! ;)
Creation of a Valkyrie Indicator for Shell function calls
« on: July 25, 2017, 02:59:21 AM »
Another interpreter that can be added to heuristic command-line analysis: vssadmin.exe. A command can be passed to vssadmin to delete volume snapshots. This is commonly used by ransomware to ensure that the user cannot recover files, and I also think I have seen it used in a weaponized document once.

Deletes volume snapshots (via shell command: "%WINDIR%\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet)

As far as I know, Valkyrie is based on Cuckoo Sandbox, so it should be possible to create a corresponding indicator for Valkyrie as well. In this way, it would be possible to recognize the types of ransomware using these function calls, or alternatively create a general indicator for the execution of shell commands.
« Last Edit: July 25, 2017, 03:01:26 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***
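As an added example (not code from the post, from Comodo, or from the Cuckoo project), the two indicators pio proposes can be expressed as a small detector over process-creation events: a specific rule for vssadmin deleting shadow copies, and a general rule for a shell interpreter (cmd.exe or PowerShell) being handed a command line. The event records and the `find_indicators`/`scan` functions are assumptions made for this illustration; the sample command lines below are constructed, not captured telemetry. The vssadmin rule is applied to the raw command line with a case-insensitive regex so that it still fires when the vssadmin call is nested inside a quoted `cmd /c` or `powershell -c` argument, which a plain token match would miss.

```python
import re

# Constructed sample process-creation events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 1201,
     "cmdline": '"%WINDIR%\\System32\\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet'},
    {"pid": 1304,
     "cmdline": "vssadmin list shadows"},           # benign: only lists snapshots
    {"pid": 1410,
     "cmdline": 'cmd.exe /c echo hello'},          # shell execution, nothing destructive
    {"pid": 1522,
     "cmdline": 'powershell.exe -c "VSSADMIN.EXE delete shadows /for=C: /quiet"'},
]

# Indicator 1: vssadmin asked to delete shadow copies. Matched on the raw line so
# that a nested, quoted invocation is still seen; "vssadmin list shadows" does not match.
VSSADMIN_DELETE_SHADOWS = re.compile(
    r'vssadmin(?:\.exe)?"?\s+delete\s+shadows\b', re.IGNORECASE)

SHELL_IMAGES = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh", "pwsh.exe"}
# Switches that make the interpreter run the rest of the line as a command.
SHELL_EXEC_SWITCHES = {"/c", "/k", "-c", "-command"}


def tokenize(cmdline):
    """Split a Windows command line into tokens, keeping double-quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return re.split(r'[\\/]', path)[-1].lower()


def find_indicators(event):
    """Return the list of indicator names that fire for one process-creation event."""
    cmdline = event["cmdline"]
    tokens = tokenize(cmdline)
    hits = []

    # Indicator 1: shadow-copy deletion via vssadmin (the command quoted in the post).
    if VSSADMIN_DELETE_SHADOWS.search(cmdline):
        hits.append("shadow_copy_deletion")

    # Indicator 2: a shell interpreter executing a command line (the general indicator).
    if tokens and basename(tokens[0]) in SHELL_IMAGES:
        if any(t.lower() in SHELL_EXEC_SWITCHES for t in tokens[1:]):
            hits.append("shell_command_execution")

    return hits


def scan(events):
    """Run every event through the indicators and collect the findings."""
    findings = []
    for ev in events:
        for name in find_indicators(ev):
            findings.append({"pid": ev["pid"], "indicator": name, "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['indicator']}  <- {f['cmdline']}")
```

The specific rule is what you would weight as high severity in a sandbox report; the general shell-execution rule is noisy on its own (installers and scripts use `cmd /c` constantly), so it is better used as a supporting signal or combined with the parent process, as the post suggests for weaponized documents.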
