TTPwire Vol. 1 · MITRE ATT&CK·Tagged

F5 Labs

Tackling Gootkit's Traps

2018-07-11

ATT&CK techniques detected

2 predictions
T1497.001 System Checks (96%)
“sandbox" - compare computer name to "sandbox" / "7silvia" - hkey_local_machine\hardware\description\system\systembiosversion" compare with ami, virtualbox, bochs, intel 640000, 55274-640-2673064-23950, and other serials after patching a virtual machine and…”

T1497.001 System Checks (94%)
“is the function making all the environment checks. We’ll have to check each condition that leads to a trap and make sure to change the environment (or patch the binary) in a way that would bypass the trap. Figure 8 shows a code snippet from the sub_409ae2 function. Note tha…”

Summary

Gootkit malware uses misleading code to hinder manual research and automated analysis.