From e45511bec06b7f3656697a76e353a6f6e8f31dc8 Mon Sep 17 00:00:00 2001 From: pe3zx Date: Thu, 30 Sep 2021 16:14:44 +0700 Subject: [PATCH 1/3] Add: Dragonfly to Malware Analysis section --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index fe95f07..328475e 100644 --- a/README.md +++ b/README.md @@ -1961,6 +1961,10 @@ This repository is created as an online bookmark for useful links, resources and DoctorWebLtd/malware-iocs This repository contains Indicators of Compromise (IOCs) related to our investigations. + + Dragonfly + An automated sandbox to emulate and analyze malware + droidefense/engine Droidefense: Advance Android Malware Analysis Framework From 7d555e2e3137a361c8e67fbd758cfdefa9d53036 Mon Sep 17 00:00:00 2001 From: pe3zx Date: Thu, 30 Sep 2021 16:16:39 +0700 Subject: [PATCH 2/3] Add: mgeeky/ThreadStackSpoofer to Defense Evasion section --- Offensive.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Offensive.md b/Offensive.md index 55d41fb..ff9daa9 100644 --- a/Offensive.md +++ b/Offensive.md @@ -1335,6 +1335,10 @@ Some tools can be categorized in more than one category. But because the current mgeeky/Stracciatella OpSec-safe Powershell runspace from within C# (aka SharpPick) with AMSI, Constrained Language Mode and Script Block Logging disabled at startup + + mgeeky/ThreadStackSpoofer + Thread Stack Spoofing - PoC for an advanced In-Memory evasion technique allowing to better hide injected shellcode's memory allocation from scanners and analysts. + MinervaLabsResearch/CoffeeShot CoffeeShot: Avoid Detection with Memory Injection From c920ab6f3fab9dfbc0d1058be53f61c8c97aa3ee Mon Sep 17 00:00:00 2001 From: pe3zx Date: Thu, 30 Sep 2021 17:06:41 +0700 Subject: [PATCH 3/3] Add: mgeeky/ShellcodeFluctuation to Defense Evasion section --- Offensive.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Offensive.md b/Offensive.md index ff9daa9..8fbc5cb 100644 --- a/Offensive.md +++ b/Offensive.md 
@@ -1331,6 +1331,10 @@ Some tools can be categorized in more than one category. But because the current med0x2e/SigFlip SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys ..etc) without invalidating or breaking the existing signature. + + mgeeky/ShellcodeFluctuation + An in-memory evasion technique fluctuating shellcode memory protection between RW & RX and encrypting/decrypting contents + mgeeky/Stracciatella OpSec-safe Powershell runspace from within C# (aka SharpPick) with AMSI, Constrained Language Mode and Script Block Logging disabled at startup @@ -1423,7 +1427,6 @@ Some tools can be categorized in more than one category. But because the current secretsquirrel/SigThief Stealing Signatures and Making One Invalid Signature at a Time - sinfulz/JustEvadeBro JustEvadeBro, a cheat sheet which will aid you through AMSI/AV evasion & bypasses.
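Review bot: In the README.md hunk (PATCH 1/3) the added `Dragonfly` row is the only entry in this list without an `owner/repo` path; its neighbours read `DoctorWebLtd/malware-iocs` and `droidefense/engine`. Add the repository path (or the project URL) so the entry identifies one specific project and sorts by the same key as the rest of the list; the description "An automated sandbox to emulate and analyze malware" on its own does not say which project is meant.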
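Review bot: In the Offensive.md hunk of PATCH 2/3 the description for `mgeeky/ThreadStackSpoofer` ends with a full stop, while the adjacent entries (`mgeeky/Stracciatella`, `MinervaLabsResearch/CoffeeShot`) do not; drop the trailing period for consistency. The phrase "allowing to better hide injected shellcode's memory allocation" reads as copied verbatim from upstream; either keep it verbatim on purpose or tidy it to "that makes an injected shellcode's memory allocation harder for scanners and analysts to find". Placement between Stracciatella and MinervaLabsResearch keeps the alphabetical order.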
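Review bot: In the first Offensive.md hunk of PATCH 3/3 (`@@ -1331,6 +1331,10 @@`) the description for `mgeeky/ShellcodeFluctuation` contains a bare `&` in "between RW & RX"; if these entries are HTML table cells the ampersand should be written as `&amp;`, and if the file is plain markdown it is fine as is. Ordering between `med0x2e/SigFlip` and `mgeeky/Stracciatella` is correct.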
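Review bot: The second Offensive.md hunk of PATCH 3/3 (`@@ -1423,7 +1427,6 @@`) deletes the blank line between the `secretsquirrel/SigThief` entry and `sinfulz/JustEvadeBro`, which is unrelated to the commit subject "Add: mgeeky/ShellcodeFluctuation to Defense Evasion section" and breaks the convention, visible in the added hunks, of separating entries with a blank line. Either drop this deletion or move it to its own commit, and if it is intentional say so in the commit message.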