|    alt.os.linux    |    Getting to be as bloated as Windows!    |
|    Richard Kettlewell to Paul    |
|    Re: Linux Program    |
|    28 Jul 24 17:06:22    |
   
   XPost: alt.comp.os.windows-10   
   From: invalid@invalid.invalid   
      
   Paul writes:   
   > It's a Linux program with strings like this. Almost   
   > like I'm looking at a Windows App manifest for something   
   > being injected.   
   >   
   > numbers.runtime   
   > config.json   
   > numbers.dll <=== Yes, in a Linux program. Seems "plausible". Could happen.   
   > System.Collections.Immutable.dll   
   > System.Collections.dll   
   > System.Console.dll   
      
   That makes it a .Net program (and I think there’s an entire CLR runtime   
   in there). Not particularly common in the Linux world but not an attack   
   signature in its own right.   
      
   > System.Diagnostics.StackTrace.dll   
   > System.IO.Compression.dll   
   > System.IO.MemoryMappedFiles.dll   
   > System.Private.CoreLib.dll   
   > System.Reflection.Metadata.dll   
   > numbers.deps.json   
   >   
   > and this detection in it:   
   >   
   > Virtualization/Sandbox Evasion::System Checks [T1497.001]   
   >   
   > System Checks T1497.001   
   > reference anti-VM strings targeting Xen   
   > reference anti-VM strings targeting VirtualBox   
   > reference anti-VM strings targeting VMWare   
   >   
   > ( https://github.com/mandiant/capa-rules/blob/master/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualbox.yml )   
   >   
   > A table-of-numbers program would not need that kind of checking in it.   
      
   A language runtime might well inspect details of the platform (to select   
   optimizations, quirk workarounds, etc), but that’s nevertheless a lot   
   more suspicious.   
      
   --   
   https://www.greenend.org.uk/rjk/   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
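The distinction drawn in the exchange above (bundled .NET runtime assembly names are expected in a self-contained build; vendor-specific anti-VM strings are what raise the suspicion level) can be checked with a small string-triage pass before reaching for capa. The script below is an added example written for this page; it is not capa, not the poster's tool, and not code from the program Paul was looking at. The marker and anti-VM string lists are constructed illustrative subsets, not copies of capa's rules, and the two sample "binaries" are constructed byte strings. One point the example adds that the thread does not: .NET stores string literals in the #US heap as UTF-16LE, so an ASCII-only `strings` pass can miss exactly the literals a VM check compares against, which is why both encodings are scanned.

```python
import re
import sys

# Assembly and config names that a self-contained .NET build bundles. Their
# presence says ".NET program", which on its own is not an attack signature.
# (Constructed list for this example, not taken from capa.)
DOTNET_MARKERS = (
    "System.Private.CoreLib.dll",
    "System.Runtime.dll",
    "System.Collections.dll",
    "System.Console.dll",
    ".deps.json",
    ".runtimeconfig.json",
)

# Vendor-specific strings commonly referenced by VM checks. Illustrative subset
# in the spirit of capa's anti-analysis/anti-vm/vm-detection rules, not a copy.
ANTI_VM_STRINGS = {
    "VirtualBox": ("VBoxGuest", "VBoxService", "VBoxMouse", "VBoxSF", "VBoxVideo", "VirtualBox"),
    "VMware": ("VMware", "vmtoolsd", "vmware-vmx", "VMwareService"),
    "Xen": ("XenVMMXenVMM", "xenservice", "XenSource"),
}

# Printable runs of at least four characters, ASCII and UTF-16LE. .NET keeps
# string literals in the #US heap as UTF-16LE, so an ASCII-only `strings`
# pass can miss exactly the literals an anti-VM check compares against.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(blob: bytes) -> list[str]:
    """Return printable ASCII and UTF-16LE strings found in blob."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return found


def triage(blob: bytes) -> dict:
    """Classify a binary image by .NET runtime markers and anti-VM strings."""
    lowered = [s.lower() for s in extract_strings(blob)]
    is_dotnet = any(m.lower() in s for m in DOTNET_MARKERS for s in lowered)

    hits = {}
    for vendor, needles in ANTI_VM_STRINGS.items():
        matched = sorted(n for n in needles if any(n.lower() in s for s in lowered))
        if matched:
            hits[vendor] = matched

    if hits:
        verdict = ("suspicious: anti-VM strings for " + ", ".join(sorted(hits))
                   + "; check whether the referencing code is runtime platform"
                   " probing or evasion logic that changes behaviour")
    elif is_dotnet:
        verdict = "self-contained .NET bundle; runtime DLL names alone are not an attack signature"
    else:
        verdict = "no .NET runtime markers and no anti-VM strings found"
    return {"dotnet": is_dotnet, "anti_vm": hits, "verdict": verdict}


# Constructed sample images (not real files): a .NET bundle with only runtime
# names, and the same bundle with a UTF-16LE VirtualBox string and an ASCII
# VMware string appended.
SAMPLE_DOTNET_ONLY = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"System.Private.CoreLib.dll\x00System.Console.dll\x00numbers.deps.json\x00"
)
SAMPLE_ANTI_VM = (
    SAMPLE_DOTNET_ONLY + b"\x00\x00"
    + "VBoxService".encode("utf-16-le") + b"\x00\x00"
    + b"vmtoolsd\x00"
)

if __name__ == "__main__":
    # With no arguments, run on the constructed samples; otherwise on real files.
    blobs = ({"sample_dotnet_only": SAMPLE_DOTNET_ONLY, "sample_anti_vm": SAMPLE_ANTI_VM}
             if len(sys.argv) < 2 else {p: open(p, "rb").read() for p in sys.argv[1:]})
    for name, blob in blobs.items():
        result = triage(blob)
        print(f"{name}: dotnet={result['dotnet']} anti_vm={result['anti_vm']}")
        print(f"  {result['verdict']}")
```

A string hit is only a lead: as the reply above notes, a runtime may legitimately reference hypervisor names when probing the platform, so the next step is to find the code that uses the string and see whether anything changes when the check succeeds. For that, capa's rule output (which reports the matching feature and address) or a .NET decompiler on the extracted assemblies is the right tool; this pass just tells you which binaries are worth that time.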