What's My (File)Name?
Modern malware implements a lot of anti-debugging and anti-analysis features. Today, when a malware is spread in the wild, there are chances that it will be automatically sent into a automatic analysis pipe, and a sandbox. To analyze a sample in a sandbox, it must be "copied" into the sandbox and executed. This can happen manually or automatically. When people start the analysis of a suspicious file, they usually call it "sample.exe", "malware.exe" or "suspicious.exe". It's not always a good idea because it's can be detected by the malware and make it aware that "I'm being analyzed".
From a malware point of view, it's easy to detect this situation. Microsoft offers to Developers thousands of API calls that can be used for "malicious purposes". Let's have a look at GetModuleFileName()[1]. This API call retrieves the fully qualified path for the file that contains the specified module. The module must have been loaded by the current process. Normally, a "module" refers to a DLL but, in the Microsoft ecosystem, the main program is also a "module" (like a DLL is also a PE file but with exported functions)
If you read carefully the API description, it expects 3 parameters but the first name can be omitted (set to NULL):
"If this parameter is NULL, GetModuleFileName retrieves the path of the executable file of the current process."
Let's write a small program:
using System; using System.Runtime.InteropServices; class Program { // Invoke declaration for GetModuleFileName [DllImport("kernel32.dll", CharSet = CharSet.Auto)] static extern uint GetModuleFileName(IntPtr hModule, [Out] char[] lpFilename, uint nSize); static void Main(string[] args) { const int maxPath = 260; char[] buffer = new char[maxPath]; uint length = GetModuleFileName(IntPtr.Zero, buffer, (uint)buffer.Length); // Get the exec basename string fullPath = new string(buffer, 0, (int)length); string exeName = System.IO.Path.GetFileName(fullPath); // List of potential sample names string[] allowedNames = { "sample.exe", "malware.exe", "malicious.exe", "suspicious.exe", "test.exe", "submitted_sample.exe", "file.bin", "file.exe", "virus.exe", "program.exe" }; foreach (var name in allowedNames) { if (string.Equals(exeName, name, StringComparison.OrdinalIgnoreCase)) { // Executable name matched, silenyly exit! return; } } Console.WriteLine($"I'm {exeName}, looks good! Let's infect this host! }}:->"); } }
Let's compile and execute this file named "ISC_20250707.exe":
Once renamed as "malware.exe", the program will just silently exit! Simple but effective!
Of course, this is a simple proof-of-concept. In a real malware, there will be more tests implemented (ex: ignore the case) and the list of potential suspicious filenames will be obfuscated (or a dynamic list will be loaded from a 3rd-party website).
[1] https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulefilenamea
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
A few interesting and notable ssh/telnet usernames
Just looked at our telnet/ssh honeypot data, and found some interesting new usernames that attackers attempted to use:
"notachancethisisreal
"
This username is likely used to detect Cowrie (and other) honeypots. Cowrie is often configured to accept logins randomly. No matter the username/password combination used, the login will succeed every few times. This is supposed to provide the illusion of a more "real" system, not just allowing some common default password, and not allowing each login to succeed. The password used with the username is "nopasswordforme73baby.
" Likely to pick a password that is highly unlikely to be used in a real system.
Any login that succeeds with this username and password will indicate that the system is a honeypot. So far, we have only had 31 login attempts with this username and password, all on July 1st.
"scadaadmin"
The name says it: It looks like they are looking for SCADA systems. The password used with this username is "P@$$W0rd". The password has been used "forever" and is popular, but the username is new.
The username appears to be associated with "Rapid SCADA" systems, according to some AI results, but I was not able to confirm this in the manuals. Maybe just a hallucination. However, the default password is either 12345 or blank. They are looking for users who have tried to be more secure. I am not sure how they ended up with P@$$W0rd. They also appear to use "admin" and "12345" as default credentials. It isn't a serious SCADA system if it doesn't have simple default credentials like this.
"gpu001", "gpu002"
These appear to be common hostnames for network-accessible GPUs, but I wasn't able to confirm that these are actual usernames often used for these systems. But attackers are always out for more GPU/CPU power, so they may just give this a try hoping for the best. There are a few passwords that are used with these usernames, like '7777777', 'gpu001@2025', and '1111111'.
See anything else that is new and interesting? Or have any insight into the three usernames I listed above? Let me know! (see contact link on the left).
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
0 Comments
0 Comments