Cyber Scarecrow

(www.cyberscarecrow.com)
606 points by toby_tw | 1 comment
mafriese No.40715995
I don't understand why the software is built the way it's built. Why would you want to implement licensing in the future for a software product that only creates fake processes and registry keys from a list: https://pastebin.com/JVZy4U5i . The limitation to 3 processes and the license dialog make me feel uncomfortable using the software. All the processes are 14.1MB in size (and are basically the scarecrow_process.dll - https://www.virustotal.com/gui/file/83ea1c039f031aa2b05a082c...). I just don't understand why you would create such a complex piece of software if you can just use a PowerShell script that does exactly the same thing using fewer resources. The science behind it only kinda makes sense. There is some malware that uses techniques to check whether those processes are running, but by no means is this a good way to keep you protected. Most common malware like credential stealers (redline, vidar, blahblah) doesn't care about that, and they are by far the most common type of malware deployed. Even ransomware like Lockbit doesn't care, even if it's attached to a debugger. I think this mostly creates a false sense of security, and if you plan to grow a business out of this, it would probably only take hours until there was an open source option available. Don't get me wrong - I like the idea of creating new ways of defending against malware; what I don't like is the way you try to "sell" it.
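The "just use a PowerShell script" point above, as an added example that is not Cyber Scarecrow's code and not taken from the pastebin list in the comment: it plants decoy process names and registry keys of the kind that sandbox- and debugger-aware malware is known to look for. The specific names (procmon.exe, x64dbg.exe, the VMware Tools and VirtualBox Guest Additions keys) and the ProgramData folder are assumptions chosen for illustration, not anything the page documents. Writing under HKLM needs an elevated prompt.

```powershell
# Added example (not Cyber Scarecrow's code): decoy processes and registry keys
# from a list, in plain PowerShell. All names below are assumptions.

# Assumption: any writable folder works as the decoy location.
$DecoyDir = Join-Path $env:ProgramData 'ScarecrowDecoys'

# Process names that anti-analysis code commonly enumerates (assumed list).
$DecoyProcesses = @('procmon.exe', 'wireshark.exe', 'x64dbg.exe', 'vmtoolsd.exe')

# Registry keys whose presence suggests a VM or analysis box (assumed list).
$DecoyKeys = @(
    'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools',
    'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions'
)

function Start-DecoyProcesses {
    New-Item -ItemType Directory -Path $DecoyDir -Force | Out-Null
    # Reuse a harmless built-in binary that simply blocks: waitfor.exe waits
    # indefinitely for a signal nobody sends. A name-based check only sees the
    # process name, so the copy's original purpose does not matter.
    $source = Join-Path $env:SystemRoot 'System32\waitfor.exe'
    foreach ($name in $DecoyProcesses) {
        $target = Join-Path $DecoyDir $name
        Copy-Item -Path $source -Destination $target -Force
        Start-Process -FilePath $target -ArgumentList 'ScarecrowNeverSignalled' -WindowStyle Hidden
    }
}

function Set-DecoyRegistryKeys {
    foreach ($key in $DecoyKeys) {
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # A value inside the key also satisfies checks that read a property
        # rather than merely testing for the key's existence.
        New-ItemProperty -Path $key -Name 'InstallPath' -Value $DecoyDir `
            -PropertyType String -Force | Out-Null
    }
}

function Remove-Decoys {
    # Stop only processes that run from the decoy folder, never a real tool.
    foreach ($name in $DecoyProcesses) {
        $base = [IO.Path]::GetFileNameWithoutExtension($name)
        Get-Process -Name $base -ErrorAction SilentlyContinue |
            Where-Object { $_.Path -like "$DecoyDir\*" } |
            Stop-Process -Force
    }
    Remove-Item -Path $DecoyDir -Recurse -Force -ErrorAction SilentlyContinue
    # Removes the leaf keys only; an empty vendor parent key may remain.
    foreach ($key in $DecoyKeys) {
        Remove-Item -Path $key -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Usage (elevated prompt):
#   Start-DecoyProcesses; Set-DecoyRegistryKeys
#   Remove-Decoys   # undo everything above
```

Two caveats a practitioner would want: the decoys only defeat checks that compare process names or test for registry keys, not checks that read a binary's version resource, window titles or loaded modules, and copying a system binary under a debugger's name into ProgramData is exactly the sort of behaviour an EDR may itself flag, so test it against your own tooling before rolling it out.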
jart No.40716158
Are you telling me this thing spawned 50 new processes on your computer? Could you zip up all the executable files and whatever it installed and upload it somewhere so we can analyze the assembly?
mafriese No.40716282
This "thing" is always spawning 3 processes at a time. The processes are always the ones from the VirusTotal link. I can upload the DLL to a file sharing service of your choice if you don't have a VT premium license. I can also provide any.run links: https://app.any.run/tasks/bc557b04-5025-46a1-a683-aad3b29b9a... (installer) https://app.any.run/tasks/e257e7f2-7837-4ed1-93c8-5d617d75cc... (zip file containing the files). Let me know if you need further info :).
jart No.40716506
Is there a way for me to curl their executable into my UNIX terminal so I can read the assembly? Or does Any Run keep the samples to themselves? I know a lot about portable executables but very little about these online services.
mafriese No.40716630
https://github.com/mafriese/scarecrow Can upload any files you want there. Direct DL for one of the files: https://github.com/mafriese/scarecrow/raw/main/autoruns.exe