Closed Toxenskiy closed 3 years ago
Yes, I obfuscated Mandark, although not through ConfuserEx.
And you can obfuscate the Watchdog, as I said before, if you want to decrease the detection.
This is the obfuscated version. You can discard the original Mandark; I want it crypted myself.
This is the unobfuscated Mandark but the detection you sent doesn't have anything to do with that. Mandark.zip
I know
obfuscated miner
Is that from Windows Defender when you run the miner?
+
Yeah
Interesting
I think obfuscation is not enough; we still need to apply something else.
Can you try building a miner with this version (it's using the old injector) and see if you get the same detection? Silent XMR Miner Builder.zip
I'll try. But first I want to try applying a different protection.
What kind of defense?
It helped.
Did you do that on the Mandark?
Not on the whole miner. I encrypted Mandark in order to make it unique; otherwise there is no guarantee that yours won't be killed.
Yes obfuscating the miner should always be done but if you try building a miner with the latest file I sent does it still get detected as CoinMiner when you start it? Or when did it detect it as CoinMiner?
Obfuscation works for 10 minutes; after 10 minutes it reports a detection.
The only thing is that SmartScreen complains on every launch.
Yes that will always happen unless you get it certified from Microsoft which you can't really do https://docs.microsoft.com/en-us/windows/win32/win_cert/windows-certification-portal?redirectedfrom=MSDN
But it never happened before
That only happens on computers that have it on, I don't get any messages like that and most others don't either
Do you get the same message if you use Silent XMR Miner Builder.zip?
OK, I'll try.
Should I apply obfuscation? If so, at what level?
Use any, I just want to see if you experience any difference when using the old injector (that builder has the old one).
Well, it seems there are no complaints from the antivirus, but that is only right after launch.
And how do the injectors differ?
The code is a bit different, I wanted to upgrade it since I was worried that the injector was a bit unstable but maybe it works fine with the old one. So now I have to decide whether to use the old one or revert to the old one.
It would be cool if you did 2 versions, one uploaded in telegram and the other here.
So that there aren't many detections straight away.
Well the code will still be the same so the detections wouldn't differ too much since I don't have the time to change the entire code signature.
Old injector detected.
sihost64 detected, latest version, obfuscated at maximum.
Yeah, that's not the sihost64 getting detected but the obfuscator being detected
Some protections do get detected sometimes
I can't find a decent obfuscator at all.
Eziriz detected, ConfuserEx detected.
Yeah, obfuscators get detected after a while, sometimes it works by using less protections
Have you thought about making a config? It just takes a very long time to enter everything every time.
Yeah, it's just that making a config will be a lot of code so I haven't had time yet.
sihost64.exe detected, new detection.