The following are documented procedure examples of timestomping, the modification of file, directory or registry timestamps so that artifacts blend in with their surroundings and frustrate forensic timeline analysis (MITRE ATT&CK sub-technique T1070.006, Indicator Removal: Timestomp):

- PowerStallion modifies the MAC times of its local log files to match those of the victim's desktop.ini file.
- POSHSPY modifies the timestamps of all downloaded executables to match a randomly selected file created prior to 2013.
- OwaAuth has a command to timestomp a file or directory.
- OSX_OCEANLOTUS.D can use the `touch -t` command to change timestamps.
- Many Misdat samples were programmed using Borland Delphi, which mangles the default PE compile timestamp of a file.
- Several Lazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp of legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files.
- Kobalos can modify the timestamps of replaced files, such as ssh with the added credential stealer or sshd used to deploy Kobalos.
- Kimsuky has manipulated creation and compilation timestamps to hinder forensic analysis.
- KeyBoy timestomped its DLL in order to evade detection.
- InvisiMole has a built-in command to modify file times. InvisiMole samples were also timestomped by the authors by setting the PE timestamps to all-zero values.
- Gelsemium has the ability to perform timestomping of files on targeted systems.
- For early Gazer versions, the compilation timestamp was faked.
- FALLCHILL can modify file or directory timestamps.
- EVILNUM has changed the creation date of files.
- Empire can timestomp any files or payloads placed on a target machine to help them blend in.
- Elise performs timestomping of a CAB file it creates.
- The Derusbi malware supports timestomping.
- Cyclops Blink has the ability to use the Linux API function `utime` to change the timestamps of modified firmware update images.
- Cobalt Strike can timestomp any files or payloads placed on a target machine to help them blend in.
- China Chopper's server component can change the timestamp of files.
- Chimera has used a Windows version of the Linux `touch` command to modify the date and time stamp on DLLs.
- BLINDINGCAN has modified file and directory timestamps.
- BitPaymer can modify the timestamp of an executable so that it can be identified and restored by the decryption tool.
- Bankshot modifies the time of a file as specified by the control server.
- Attor has manipulated the last access time of files and registry keys after they have been created or modified.
- APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.
- APT32 has used scheduled task raw XML with a backdated timestamp of June 2, 2016. The group has also set the creation time of the files dropped by the second stage of the exploit to match the creation time of kernel32.dll. Additionally, APT32 has used a random value to modify the timestamp of the file storing the clientID.
- APT29 modified timestamps of backdoors to match legitimate Windows files.
- APT28 has performed timestomping on victim files.
- 3PARA RAT has a command to set certain attributes such as creation/modification timestamps on files.
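The procedures above fall into a few recurring patterns: a `touch -t`/`utime` style stomp to a chosen date (OSX_OCEANLOTUS.D, Cyclops Blink, Chimera), cloning the timestamps of a legitimate neighbour such as kernel32.dll or calc.exe (APT32, APT29, Lazarus Group, PowerStallion), and tampering with the PE header compile timestamp itself (InvisiMole's all-zero stamps, Gazer, Kimsuky). The block below is an added example, not code from the page or from any of the tools or groups it lists: it performs the first two stomps with `os.utime`, parses the COFF `TimeDateStamp` out of a PE header, and runs three cheap checks a responder can apply to a suspect file. The file names, the byte layout of `build_minimal_pe` and all timestamp values are constructed sample input, not real samples.

```python
"""Timestomping: stomp a file's timestamps the way the procedures above describe,
then run three simple checks a responder can apply to a suspect file."""
from __future__ import annotations

import os
import struct
import tempfile
from pathlib import Path

E_LFANEW_OFFSET = 0x3C      # DOS header field that points at the "PE\0\0" signature
COFF_TIMESTAMP_OFFSET = 8   # TimeDateStamp follows Signature(4)+Machine(2)+NumberOfSections(2)


def build_minimal_pe(time_date_stamp: int) -> bytes:
    """Constructed sample input: just enough of a PE file for the parser below
    (DOS magic, e_lfanew, COFF header). It is not a loadable executable."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)             # 0x40-byte DOS header
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)   # COFF header starts at 0x40
    coff = struct.pack("<4sHHI", b"PE\x00\x00", 0x8664, 1, time_date_stamp)
    return bytes(dos) + coff + b"\x00" * 16


def pe_timestamp(path: Path) -> int | None:
    """Return the COFF TimeDateStamp (seconds since the epoch), or None if not a PE."""
    data = path.read_bytes()
    if data[:2] != b"MZ" or len(data) < E_LFANEW_OFFSET + 4:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00" or len(data) < e_lfanew + 12:
        return None
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + COFF_TIMESTAMP_OFFSET)
    return stamp


def stomp_to_clock_time(target: Path, epoch_seconds: int) -> None:
    """`touch -t` style stomp: set atime and mtime to a chosen whole second."""
    os.utime(target, times=(epoch_seconds, epoch_seconds))


def stomp_from_reference(reference: Path, target: Path) -> None:
    """Clone a legitimate file's atime/mtime onto the dropped file, nanoseconds
    included (same effect as `touch -r reference target` or a utime() call)."""
    st = reference.stat()
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))


def timestomp_indicators(target: Path, reference: Path) -> list[str]:
    """Heuristics only; each has benign explanations (see the note after the block)."""
    findings: list[str] = []
    st = target.stat()
    stamp = pe_timestamp(target)
    if stamp is not None:
        if stamp == 0:
            findings.append("pe_timestamp_zero")            # header stamp wiped
        elif stamp > int(st.st_mtime):
            findings.append("pe_timestamp_after_mtime")     # "compiled" after last write
    if st.st_mtime_ns % 1_000_000_000 == 0:
        findings.append("mtime_zero_subseconds")            # whole-second value, touch -t style
    if st.st_mtime_ns == reference.stat().st_mtime_ns:
        findings.append("mtime_matches_reference_exactly")  # cloned from a neighbour
    return findings


def demo() -> dict[str, list[str]]:
    """Build three constructed droppers next to a constructed 'legitimate' binary,
    stomp each a different way and return the indicator names per file."""
    results: dict[str, list[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        legit = d / "calc.exe"                               # stand-in for a system binary
        legit.write_bytes(build_minimal_pe(1_500_000_000))
        os.utime(legit, ns=(1_650_000_000_123_456_789,) * 2)  # realistic ns-resolution mtime

        zeroed = d / "zeroed.exe"                            # PE header stamp set to 0
        zeroed.write_bytes(build_minimal_pe(0))

        backdated = d / "backdated.exe"                      # built 2020, mtime pushed to 2011
        backdated.write_bytes(build_minimal_pe(1_600_000_000))
        stomp_to_clock_time(backdated, 1_300_000_000)

        cloned = d / "cloned.exe"                            # mtime copied from calc.exe
        cloned.write_bytes(build_minimal_pe(1_500_000_000))
        stomp_from_reference(legit, cloned)

        for f in (zeroed, backdated, cloned):
            results[f.name] = timestomp_indicators(f, legit)
    return results


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {', '.join(hits) or 'clean'}")
```

Each indicator has a benign explanation, so treat them as triage hints rather than verdicts. Delphi binaries like the Misdat samples carry a fixed 1992 compile stamp, so the compile-after-mtime check never fires on them; executables built with reproducible-build options (MSVC's `/Brepro`) store a content hash in `TimeDateStamp`, which can decode to any date including one in the future. Zero sub-second mtimes are normal on filesystems with one-second granularity and on files written by tools that only preserve whole seconds, and files extracted by the same installer legitimately share exact timestamps. On NTFS a stronger check is comparing the `$STANDARD_INFORMATION` timestamps (which `touch`/`utime`-style stomps rewrite) against the `$FILE_NAME` timestamps in the MFT record, which those calls leave untouched.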