Closed tstromberg closed 2 weeks ago
Findings are now grouped by namespace, so it's easy to see all of the network-related functions, for example.
There is a small behavioral difference: diff mode again shows functionality that did not change. Example:
```
├─ ⚠️ Changed: ../malcontent-samples/linux/clean/ls.x86_64 [✅ LOW → ⚠️ MEDIUM]
│   ≡ discovery [NONE->LOW]
│     +++ system/hostname_get — get computer host name: gethostname
│   ≡ execution [LOW]
│     • shell/TERM — Look up or override terminal settings: TERM
│   ≡ filesystem [LOW]
│     --- directory/traverse — traverse filesystem hierarchy
│     • link_read — read value of a symbolic link: readlink
│   ≡ networking [NONE->LOW]
│     +++ url/embedded — contains embedded HTTPS URLs:
│       https://gnu.org/licenses/gpl.html, https://translationproject.org/team/, https:/…
│   ≡ process [NONE->MEDIUM]
│     +++ name_set — get or set the current process name: __progname
│
```
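As an added illustration (not malcontent's own code), here is the grouping and diff marking described above, implemented in Python over a constructed finding tuple `(namespace, rule, description, risk_index)`. The sample data is modelled on the ls.x86_64 output; the risk scale and the shortened rule descriptions are assumptions.

```python
"""Group two scans' findings by namespace and render the diff view.
Added example, not malcontent's code; the Finding tuple is a constructed record."""
from collections import defaultdict

# Assumed risk scale; the index is what gets compared and printed.
RISK = ["NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def render_diff(before, after):
    """before/after: iterables of (namespace, rule, description, risk_index).

    One header per namespace, '≡ ns [OLD->NEW]' when its max risk changed
    or '≡ ns [LEVEL]' when it did not, followed by each rule marked
    '+++' (only in after), '---' (only in before) or '•' (present in both).
    """
    # namespace -> {"max": [before_max, after_max], "rules": {rule: [seen_before, seen_after, desc]}}
    groups = defaultdict(lambda: {"max": [0, 0], "rules": {}})
    for side, findings in enumerate((before, after)):
        for ns, rule, desc, risk in findings:
            g = groups[ns]
            seen = g["rules"].setdefault(rule, [False, False, desc])
            seen[side] = True
            g["max"][side] = max(g["max"][side], risk)
    lines = []
    for ns in sorted(groups):
        g = groups[ns]
        old, new = (RISK[i] for i in g["max"])
        lines.append(f"≡ {ns} [{new}]" if old == new else f"≡ {ns} [{old}->{new}]")
        for rule, (in_old, in_new, desc) in sorted(g["rules"].items()):
            mark = "•" if in_old and in_new else ("+++" if in_new else "---")
            lines.append(f"  {mark} {rule} — {desc}")
    return "\n".join(lines)


# Constructed sample modelled on the ls.x86_64 example: one rule removed,
# two added (one of them raising its namespace to MEDIUM), two unchanged.
BEFORE = [
    ("execution", "shell/TERM", "Look up or override terminal settings", 1),
    ("filesystem", "directory/traverse", "traverse filesystem hierarchy", 1),
    ("filesystem", "link_read", "read value of a symbolic link", 1),
]
AFTER = [
    ("discovery", "system/hostname_get", "get computer host name", 1),
    ("execution", "shell/TERM", "Look up or override terminal settings", 1),
    ("filesystem", "link_read", "read value of a symbolic link", 1),
    ("process", "name_set", "get or set the current process name", 2),
]

if __name__ == "__main__":
    print(render_diff(BEFORE, AFTER))
```

A namespace whose rules all disappear still gets a header, rendered as `[LEVEL->NONE]`, so a scan that lost capabilities is as visible as one that gained them.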
Non-diff mode looks fairly boring yet compact:
```
🔎 Scanning "../malcontent-samples/windows/2024.Sharp/sharpil_RAT.exe"
├─ 🚨 ../malcontent-samples/windows/2024.Sharp/sharpil_RAT.exe [🚨 CRITICAL]
│   ≡ credential [LOW]
│     • password — references a 'password': Passwords
│   ≡ data [MEDIUM]
│     • embedded/app_manifest — Contains embedded Microsoft Windows application manifest:
│       requestedExecutionLevel, requestedPrivileges
│   ≡ hardware [LOW]
│     • wireless — wireless network base station ID: BSSID
│   ≡ networking [MEDIUM]
│     • download — download files: DownloadString, Downloads
│   ≡ third-party [CRITICAL]
│     • ditekshen/telegramchatbot — Detects executables using Telegram Chat Bot, by ditekSHen:
│       $p1, $p2, $s1, $s2, $s4
│     • threat_hunting/telegram — references 'telegram' tool, by mthcht:
│       $string2_telegram_greyware_tool_keyword
│
```