Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Greg Linares (Laughing Mantis) Profile picture
@Laughing_Mantis
Jul 2, 2020 8 tweets 4 min read Read on X
Todays #VBALostArts Topic: #Sandbox Detection

So a few hours ago I whipped up a super basic Office #malware whose goal was to extract as much info from sandboxes as possible and send it in the clear so you can gather all the configurations of the sandbox.

I named it Thumper
Thumper does 4 things:
- Built In Office/VBA Info Gathering
- Registry Reading (USER & LM)
- RecentFiles Methods
- Shoots results via HTTP (so you can see)

It does this (by design) with the elegance of a herd of drunken water buffaloes dancing to Russian hard bass in a tea shop.
As the reference to the name, it's meant to call the sandworms hidding in the dunes.

And if you want to detect and avoid almost all of the sandboxes - easiest way is to check the DateTime stamps of RecentFile methods of Word.

Like This: Image
This method isnt new by any means and in many sandboxes I found the last time a recent file was accessed to be > 600 days.

Meaning your image is nearly 2 years old without any environment updates.

While I applaud your uptime, its a easy way to see that no real human uses it
In addition to that, most online sandboxes dont hide any unique data nor do they attempt to mimic any hardware values in registry =(

Another common one was NMAP installed on an Office machine.

Because Sam in Accounting def needs to deep inspect them packetz
Anyways you can inspect the reports of a few yourselves and see what configurations Online Sandboxes have so you can just bypass them on your next upload.

joesandbox.com/analysis/24305…

hybrid-analysis.com/sample/14307d1…

app.any.run/tasks/4775b935…
If you would like to see how blatant the sample is doing all of this feel free to inspect it here:

labs.inquest.net/dfi/sha256/143…

SHA256: 14307d1bc115d834ad4af97c2806b21f5537e031884c051491dc024a2be0c681
So for #BlueTeams and Sandbox Developers the take away is this:

Run Thumper and see what data is found on your sandbox.

Make sure you take your Sandbox images and shuffle around the recent files and then resave the image - you can easily script this out.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Greg Linares (Laughing Mantis)

Greg Linares (Laughing Mantis) Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Laughing_Mantis

Greg Linares (Laughing Mantis) Profile picture
Mar 27
Fam

It's 11pm and the VC bros next to me are starting a company and are gonna roll out WordPress as their CRM, and they think they can manage it themselves with a Microsoft Azure cloud and MongoDB. None of them have admin experience

💀💀💀💀
This is at a hotel bar

They are in the carbon footprint reduction industry, I have no clue wtaf that involves but it sounds like a lot of cold calling and selling people materials from what I heard
Guys they are discussing WordPress security and how one is their previous companies had to wipe everything "because a baddie broke their WordPress and shit"
Read 28 tweets
Greg Linares (Laughing Mantis) Profile picture
Mar 26
Hello,

Are these your sandboxes leaking out information that allows attackers to visibly fingerprint your environment and evade analysis?

This 🧵is a deep dive into this method and why I find it relatively primitive yet, elegant & efficient as a sandbox system bypass.


Image
Image
Image
Image
For those watchful eyes, they might have noticed the leaked information in the above screenshot is XML format of the entire system settings.

How much settings? 118,000 bytes worth detailing everything from Hardware, Firmware, BIOS, manufacturers, PNP devices, printers etc.
This information comes from Microsoft Windows System Assessment Tool aka WinSAT. It has been implemented since Windows Vista and can be read all about here:



Usually this is achieved via executing the binary Winsat.exe but that isn't fun...learn.microsoft.com/en-us/windows/…
Read 17 tweets
Greg Linares (Laughing Mantis) Profile picture
Nov 30, 2023
PSA In the last week I have seen 3 examples of a relatively new strategy targeting telcos & iPhones of victims

With the increased measures against SIM Swapping, it seems attackers are switching over to 2 other methods to compromise phones

- Call Forwarding
- Parental Tools
Both attacks are similar in which attackers (likely related to Lazarus) are either social engineering telcos or using an insider at these companies to conduct these attacks.

In all of these cases it was leading up to ATO of iCloud and/or password managers
The call forwarding attack is relatively straight forward:

Attacker calls in telco and social engineers the operator to convince the agent to switch a line to call forwarding because of vacation.

The attacker then forwards the number to a VOIP number they control
Read 9 tweets
Greg Linares (Laughing Mantis) Profile picture
Mar 23, 2023
So for all my followers who are wondering why TikTok is being investigated and potentially banned is because of several reasons heres a 🧵

A. they used data from their app to geolocate whistleblower journalists and physically go to their location

B. They violated policy on data
Harvesting by using their inapp browser instead of the supplied mobile browser, this obtains much more data than what is normally collected and it's shady practices

C. They have repeatedly been caught using methods that get information using your phones gyroscope and other
Sensors on the phone in order to locate you and track your location even without geodata and tracking enabled

D. they have questionable ties to the Chinese government even when they deny it. This is the same group of people that hacked many sensitive data repositories and
Read 11 tweets
Greg Linares (Laughing Mantis) Profile picture
Mar 9, 2023
So I've been just been briefed on a very disturbing trend of events that I think everyone should know.

Ransomware attackers have been targeting legal firms quite heavily in the last 6 months or so.

I thought this was because pretty poor security, but there's much more.

A 🧵
A large portion of announced ransomware attacks have hit medium sized law firms very heavily, by some metrics close to 12% targeted are law offices

Just learned the attackers are also extorting the clients or pretending to be the law firm and asking for lawyer or retainer fees.
Attackers are also contacting individuals & are telling them they will anonymously send district attorneys, friend and family, or even in some cases the victims evidence & legal content that they have grabbed or otherwise pay to keep them quiet

Some cases are 10+ yrs old
Read 7 tweets
Greg Linares (Laughing Mantis) Profile picture
Oct 10, 2022
This will be a thread discussing a real world breach involving a drone delivered exploit system that occurred this summer

Some details I am not able to discuss, however for the blue teams & red teams out there I hope this provides a good measure of capability.

🧵🚁 🎮🖥️🦠
During this summer an east coast company specializing in private investments detected unusual activity on their internal confluence page that was originating on their own network.

The team isolated the confluence server and began incident response.
During the incident response they discovered that the user's who MAC address was used to gain partial access to their WIFI was also logged in from their home several miles away

The team deployed embedded WIFI signal tracing and a Fluke system to identify the WIFI device
Read 12 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(