kernelwernel / VMAware

VM detection library and tool
GNU General Public License v3.0

RepetitiveProcess Check #147

Open EvilBytecode opened 1 day ago

EvilBytecode commented 1 day ago

I was exploring VT sandboxes, and yeah, one of them deploys a thing called RepetitiveProcess (to bypass the count check on how many programs are running). You can check GoDefender and maybe implement it. PoC:

ProcessName               Id
-----------               --
conhost                 2888
conhost                 5652
conhost                 5828
csrss                    432
csrss                    532
ctfmon                  3408
dwm                     1008
explorer                3652
fontdrvhost              820
fontdrvhost              824
Idle                       0
jjDqCcyUYXzHxYpufe       364
jjDqCcyUYXzHxYpufe       436
jjDqCcyUYXzHxYpufe       588
jjDqCcyUYXzHxYpufe       604
jjDqCcyUYXzHxYpufe       748
jjDqCcyUYXzHxYpufe       816
jjDqCcyUYXzHxYpufe       836
jjDqCcyUYXzHxYpufe      1032
jjDqCcyUYXzHxYpufe      1064
jjDqCcyUYXzHxYpufe      1140
jjDqCcyUYXzHxYpufe      1148
jjDqCcyUYXzHxYpufe      1204
jjDqCcyUYXzHxYpufe      1256
jjDqCcyUYXzHxYpufe      1296
jjDqCcyUYXzHxYpufe      1364
jjDqCcyUYXzHxYpufe      1384
jjDqCcyUYXzHxYpufe      1788
jjDqCcyUYXzHxYpufe      1800
jjDqCcyUYXzHxYpufe      1896
jjDqCcyUYXzHxYpufe      1928
jjDqCcyUYXzHxYpufe      2024
jjDqCcyUYXzHxYpufe      2032
jjDqCcyUYXzHxYpufe      2268
jjDqCcyUYXzHxYpufe      2412
jjDqCcyUYXzHxYpufe      2416
jjDqCcyUYXzHxYpufe      2424
jjDqCcyUYXzHxYpufe      2548
jjDqCcyUYXzHxYpufe      2596
jjDqCcyUYXzHxYpufe      2692
jjDqCcyUYXzHxYpufe      2696
jjDqCcyUYXzHxYpufe      2732
jjDqCcyUYXzHxYpufe      2772
jjDqCcyUYXzHxYpufe      2784
jjDqCcyUYXzHxYpufe      2800
jjDqCcyUYXzHxYpufe      2832
jjDqCcyUYXzHxYpufe      2892
jjDqCcyUYXzHxYpufe      2944
jjDqCcyUYXzHxYpufe      2972
jjDqCcyUYXzHxYpufe      3040
jjDqCcyUYXzHxYpufe      3056
jjDqCcyUYXzHxYpufe      3068
jjDqCcyUYXzHxYpufe      3088
jjDqCcyUYXzHxYpufe      3180
jjDqCcyUYXzHxYpufe      3204
jjDqCcyUYXzHxYpufe      3216
jjDqCcyUYXzHxYpufe      3224
jjDqCcyUYXzHxYpufe      3352
jjDqCcyUYXzHxYpufe      3540
jjDqCcyUYXzHxYpufe      3604
jjDqCcyUYXzHxYpufe      3632
jjDqCcyUYXzHxYpufe      3636
jjDqCcyUYXzHxYpufe      3700
jjDqCcyUYXzHxYpufe      3716
jjDqCcyUYXzHxYpufe      3752
jjDqCcyUYXzHxYpufe      3832
jjDqCcyUYXzHxYpufe      3896
jjDqCcyUYXzHxYpufe      3936
jjDqCcyUYXzHxYpufe      4072
jjDqCcyUYXzHxYpufe      4092
jjDqCcyUYXzHxYpufe      4244
jjDqCcyUYXzHxYpufe      4256
jjDqCcyUYXzHxYpufe      4332
jjDqCcyUYXzHxYpufe      4468
jjDqCcyUYXzHxYpufe      4508
jjDqCcyUYXzHxYpufe      4548
jjDqCcyUYXzHxYpufe      4844
jjDqCcyUYXzHxYpufe      4880
jjDqCcyUYXzHxYpufe      4884
jjDqCcyUYXzHxYpufe      4888
jjDqCcyUYXzHxYpufe      4972
jjDqCcyUYXzHxYpufe      4980
jjDqCcyUYXzHxYpufe      4984
jjDqCcyUYXzHxYpufe      5124
jjDqCcyUYXzHxYpufe      5144
jjDqCcyUYXzHxYpufe      5164
jjDqCcyUYXzHxYpufe      5184
jjDqCcyUYXzHxYpufe      5208
jjDqCcyUYXzHxYpufe      5232
jjDqCcyUYXzHxYpufe      5248
jjDqCcyUYXzHxYpufe      5296
lsass                    676
obf                     5644
powershell              5772
powershell              5788
powershell              5800
Registry                  92
RuntimeBroker           3284
RuntimeBroker           4224
RuntimeBroker           4720
SearchApp               4140
services                 664
SgrmBroker              1244
SIHClient               6120
sihost                  3092
smss                     340
StartMenuExperienceHost 3824
svchost                  380
svchost                  660
svchost                  792
svchost                  912
svchost                  964
svchost                 1056
svchost                 1096
svchost                 1104
svchost                 1124
svchost                 1152
svchost                 1168
svchost                 1236
svchost                 1288
svchost                 1320
svchost                 1324
svchost                 1332
svchost                 1392
svchost                 1436
svchost                 1480
svchost                 1544
svchost                 1556
svchost                 1644
svchost                 1672
svchost                 1684
svchost                 1704
svchost                 1792
svchost                 1820
svchost                 1848
svchost                 1860
svchost                 1884
svchost                 1960
svchost                 1968
svchost                 2056
svchost                 2136
svchost                 2144
svchost                 2260
svchost                 2276
svchost                 2296
svchost                 2300
svchost                 2336
svchost                 2344
svchost                 2352
svchost                 2368
svchost                 2432
svchost                 2572
svchost                 2916
svchost                 2984
svchost                 3112
svchost                 3160
svchost                 3324
svchost                 3360
svchost                 3372
svchost                 3564
svchost                 3660
svchost                 3840
svchost                 4864
System                     4
wininit                  524
winlogon                 592
WmiPrvSE                 864
WmiPrvSE                2940
WmiPrvSE                5044
WmiPrvSE                5632

As you can see, jjDqCcyUYXzHxYpufe is just some process that is deployed there to bypass the anti-VM check.

kernelwernel commented 1 day ago

Oh hi, I was about to ask you on Discord if I could implement some of your technique ideas from GoDefender lmao, good timing :)

Is the jjDqCcyUYXzHxYpufe process not randomised? Like, if I create a new VM, would that string still be present in the task list? Also, is this technique specific to a VM/sandbox brand?

Cool project btw :+1:

EvilBytecode commented 1 day ago

No, it's randomized; that's why I made a thing that checks running processes, excludes svchost etc., and checks for these. Also, you can, but credit would be appreciated. (The check looks for any non-svchost process with the same name running more than 60 times and exits if so.)
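As an added example (not VMAware's or GoDefender's own code), here is one way to implement the check described in the comment above in the library's language: count the running processes per name, ignore names that legitimately run as many instances (svchost in the PoC listing has 56), and flag any other name that exceeds a threshold. The 60-instance threshold, the contents of the allowlist, the `repetitive_process` namespace and the `poc_like_sample` list modelled on the PoC are all assumptions made for this example; the live enumeration uses the Toolhelp32 snapshot API on Windows and `/proc/<pid>/comm` elsewhere so the example also runs on a Linux build host.

```cpp
// Added example, not VMAware's or GoDefender's own code: a "repetitive process"
// heuristic along the lines of the check described in the issue.
// Assumptions: the 60-instance threshold, the allowlist contents and the
// sample process list are choices made for this example.
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <iostream>
#include <map>
#include <string>
#include <vector>

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#else
#include <dirent.h>
#include <fstream>
#endif

namespace repetitive_process {

// Names that legitimately run as many instances on a normal host (assumption:
// illustrative list, tune it per environment). Compared after normalise().
static const std::vector<std::string> kAllowlist = {
    "svchost", "conhost", "csrss", "runtimebroker", "wmiprvse", "fontdrvhost"};

// Lowercase and drop a trailing ".exe" so Toolhelp's "svchost.exe" and
// Get-Process's "svchost" count as the same name.
std::string normalise(std::string name) {
    std::transform(name.begin(), name.end(), name.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    const std::string ext = ".exe";
    if (name.size() > ext.size() && name.compare(name.size() - ext.size(), ext.size(), ext) == 0)
        name.erase(name.size() - ext.size());
    return name;
}

struct Hit { std::string name; std::size_t count; };

// Core heuristic: count instances per normalised name and report every name
// outside the allowlist with more than `threshold` instances. Pure, so it can
// be exercised on a canned list instead of the live process table.
std::vector<Hit> find_repetitive(const std::vector<std::string>& names, std::size_t threshold = 60) {
    std::map<std::string, std::size_t> counts;
    for (const auto& n : names) ++counts[normalise(n)];
    std::vector<Hit> hits;
    for (const auto& kv : counts) {
        const bool allowed = std::find(kAllowlist.begin(), kAllowlist.end(), kv.first) != kAllowlist.end();
        if (!allowed && kv.second > threshold) hits.push_back({kv.first, kv.second});
    }
    return hits;
}

// Live enumeration: Toolhelp32 snapshot on Windows, /proc/<pid>/comm elsewhere.
std::vector<std::string> running_process_names() {
    std::vector<std::string> names;
#ifdef _WIN32
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return names;
    PROCESSENTRY32W pe{};
    pe.dwSize = sizeof(pe);
    if (Process32FirstW(snap, &pe)) {
        do {
            char buf[MAX_PATH * 4] = {};
            WideCharToMultiByte(CP_UTF8, 0, pe.szExeFile, -1, buf, sizeof(buf), nullptr, nullptr);
            names.emplace_back(buf);
        } while (Process32NextW(snap, &pe));
    }
    CloseHandle(snap);
#else
    if (DIR* proc = opendir("/proc")) {
        while (dirent* ent = readdir(proc)) {
            const std::string pid = ent->d_name;
            if (pid.empty() ||
                !std::all_of(pid.begin(), pid.end(), [](unsigned char c) { return std::isdigit(c) != 0; }))
                continue;
            std::ifstream comm("/proc/" + pid + "/comm");
            std::string name;
            if (std::getline(comm, name)) names.push_back(name);
        }
        closedir(proc);
    }
#endif
    return names;
}

// Constructed sample modelled on the PoC listing in the issue: 80 copies of the
// random name, 56 svchost instances and a handful of ordinary processes.
std::vector<std::string> poc_like_sample() {
    std::vector<std::string> v(80, "jjDqCcyUYXzHxYpufe");
    v.insert(v.end(), 56, "svchost");
    v.insert(v.end(), 4, "WmiPrvSE");
    v.insert(v.end(), 3, "conhost");
    v.insert(v.end(), {"explorer", "lsass", "powershell", "powershell", "powershell"});
    return v;
}

}  // namespace repetitive_process

int main() {
    using namespace repetitive_process;
    for (const Hit& h : find_repetitive(poc_like_sample()))
        std::cout << "sample: " << h.name << " x" << h.count << " looks padded\n";
    const auto live = find_repetitive(running_process_names());
    std::cout << "live process table: " << (live.empty() ? "nothing suspicious" : "repetitive names found") << '\n';
    return 0;
}
```

On the PoC-shaped sample the only hit is the random name with 80 instances; the 56 svchost entries are both under the threshold and allowlisted, which is why the allowlist matters: without it a busy host (terminal servers, many conhost windows) would trip the check. The threshold is a tuning knob, and the heuristic only sees padding that reuses a single name; padding spread across many distinct names, each below the threshold, would need a different signal.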

EvilBytecode commented 1 day ago

Contact me on Discord: codepulze1 / https://t.me/codepulze