cuckoosandbox / community

Repository of modules and signatures contributed by the community

Create sig for writing EXE (and generic code sig) to memory of another process #338

Closed kevross33 closed 6 years ago

kevross33 commented 7 years ago

Seen in Dridex MD5 2eaf243bad4b1c22089e7654524f0e5a

kevross33 commented 7 years ago

[image attachment]

kevross33 commented 7 years ago

You can also write memory with NtWow64WriteVirtualMemory64 which is missing from being hooked.

kevross33 commented 7 years ago

On the sig for generic write, which I have left as severity 2, it could be severity 3 and very reliable if there was a way to make sure the process it is writing to is not a child process; it would be more reliable for code injection then.
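The detection logic sketched in the comment above, written out as an added example that is not part of this issue or the community repository's signature code. It runs over constructed API-call records rather than Cuckoo's Signature API, so the record format, the field names and the parent/child map are assumptions; the severity split (2 for a child target, 3 for a non-child target) follows the comment.

```python
# Added example: cross-process memory-write detection over constructed call
# records. Field names and the record layout are assumptions, not Cuckoo's API.
from dataclasses import dataclass

# APIs that write into another process's memory, including the Wow64 variant
# the thread notes is not hooked.
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory",
              "NtWow64WriteVirtualMemory64"}


@dataclass
class Call:
    pid: int          # process issuing the call
    api: str          # hooked API name
    target_pid: int   # process whose memory is written
    buffer: bytes     # leading bytes of the written buffer


def find_injections(calls, children):
    """children maps parent pid -> set of child pids (from the process tree).
    Returns a list of (call, severity, description) for cross-process writes."""
    hits = []
    for c in calls:
        if c.api not in WRITE_APIS or c.target_pid == c.pid:
            continue  # not a memory write, or a write into itself
        is_child = c.target_pid in children.get(c.pid, set())
        writes_exe = c.buffer[:2] == b"MZ"  # buffer starts with a PE header
        # A write into a process the sample did not spawn is the stronger
        # code-injection indicator, so it gets the higher severity.
        severity = 2 if is_child else 3
        desc = ("writes a PE image into the memory of another process"
                if writes_exe else "writes into the memory of another process")
        hits.append((c, severity, desc))
    return hits


def sample_hits():
    # Constructed sample: pid 1000 spawned child 1200; pid 660 is pre-existing.
    calls = [
        Call(1000, "NtWriteVirtualMemory", 1200, b"MZ\x90\x00"),
        Call(1000, "NtWow64WriteVirtualMemory64", 660, b"\x55\x8b"),
        Call(1000, "WriteProcessMemory", 1000, b"MZ"),   # self-write, ignored
        Call(1000, "VirtualAllocEx", 660, b""),           # not a write API
    ]
    children = {1000: {1200}}
    return find_injections(calls, children)


if __name__ == "__main__":
    for call, sev, desc in sample_hits():
        print(f"pid {call.pid} {call.api} -> pid {call.target_pid}: {desc} (severity {sev})")
```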

jbremer commented 6 years ago

Merged, thanks! Checking hash later.