| From | Richard Kettlewell <invalid@invalid.invalid> |
|---|---|
| Newsgroups | alt.comp.os.windows-10, alt.os.linux |
| Subject | Re: Linux Program |
| Date | 2024-07-28 17:06 +0100 |
| Organization | terraraq NNTP server |
| Message-ID | <wwv1q3d1oxt.fsf@LkoBDZeT.terraraq.uk> (permalink) |
| References | <v84l32$260bc$1@paganini.bofh.team> <v85ffp$3uip2$1@dont-email.me> |
Cross-posted to 2 groups.
Paul <nospam@needed.invalid> writes:

> It's a Linux program with strings like this. Almost
> like I'm looking at a Windows App manifest for something
> being injected.
>
> numbers.runtime
> config.json
> numbers.dll <=== Yes, in a Linux program. Seems "plausible". Could happen.
> System.Collections.Immutable.dll
> System.Collections.dll
> System.Console.dll

That makes it a .Net program (and I think there’s an entire CLR runtime in
there). Not particularly common in the Linux world but not an attack
signature in its own right.

> System.Diagnostics.StackTrace.dll
> System.IO.Compression.dll
> System.IO.MemoryMappedFiles.dll
> System.Private.CoreLib.dll
> System.Reflection.Metadata.dll
> numbers.deps.json
>
> and this detection in it:
>
> Virtualization/Sandbox Evasion::System Checks [T1497.001]
>
> System Checks T1497.001
> reference anti-VM strings targeting Xen
> reference anti-VM strings targeting VirtualBox
> reference anti-VM strings targeting VMWare
>
> ( https://github.com/mandiant/capa-rules/blob/master/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualbox.yml )
>
> A table-of-numbers program would not need that kind of checking in it.

A language runtime might well inspect details of the platform (to select
optimizations, quirk workarounds, etc), but that’s nevertheless a lot more
suspicious.

--
https://www.greenend.org.uk/rjk/
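An added triage helper, not code from this thread or from capa: it pulls printable strings out of a file the way `strings` does, matches them against a small constructed list of VM vendor markers and .NET runtime file names (an assumption standing in for capa's full rule set), and reports whether the bundled-runtime context discussed above is present next to the anti-VM hit, so the reviewer knows which component to look at before treating the string as a signature.

```python
import re
import sys

# Constructed marker lists: a few well-known vendor strings per VM family,
# an assumption standing in for capa's full rule set, not a copy of it.
ANTI_VM_MARKERS = {
    "VirtualBox": ("VBoxGuest", "VBoxMouse", "VirtualBox", "VBoxVBoxVBox"),
    "VMware": ("VMware", "vmtoolsd", "VMwareVMware"),
    "Xen": ("XenVMMXenVMM", "xenstore", "XenSource"),
}
# File names that indicate a bundled .NET runtime (as in the listing above).
DOTNET_MARKERS = ("System.Private.CoreLib.dll", ".deps.json", ".runtimeconfig.json")

VERDICT_CLEAN = "no anti-VM strings found"
VERDICT_RUNTIME = ("anti-VM strings present alongside a bundled .NET runtime: "
                   "check whether the runtime or the application references them")
VERDICT_SUSPECT = "anti-VM strings present with no bundled runtime to account for them"


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, as `strings` would print them."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def triage(data: bytes) -> dict:
    """Group matching strings by marker family and attach a triage verdict."""
    hits = {}
    for s in extract_strings(data):
        low = s.lower()
        for family, markers in ANTI_VM_MARKERS.items():
            if any(m.lower() in low for m in markers):
                hits.setdefault("anti-vm:" + family, []).append(s)
        if any(m.lower() in low for m in DOTNET_MARKERS):
            hits.setdefault("dotnet-runtime", []).append(s)
    anti_vm = any(k.startswith("anti-vm:") for k in hits)
    verdict = VERDICT_CLEAN if not anti_vm else (
        VERDICT_RUNTIME if "dotnet-runtime" in hits else VERDICT_SUSPECT)
    return {"hits": hits, "verdict": verdict}


# Constructed sample: binary junk around a few strings like those in the post.
SAMPLE = (b"\x7fELF\x00\x01junk\x00numbers.dll\x00System.Private.CoreLib.dll\x00"
          b"\xff\xfeVBoxGuest\x00VMwareVMware\x00ab\x00")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = triage(data)
    for family, strings in sorted(report["hits"].items()):
        print(f"{family}: {', '.join(strings)}")
    print("verdict:", report["verdict"])
```

Run it with a path to scan a real file, or with no argument to scan the embedded sample.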