Merge pull request #17 from chkp-alexeybu/ab_styx_evasions

Added evasions from Styx Stealer
CheckPointSW · Jul 10, 2024 · 9d31a14 · 9d31a14
2 parents dc3e3a7 + 4cda4b0
commit 9d31a14
Showing 1 changed file with 17 additions and 2 deletions.
diff --git a/_src/Evasions/techniques/processes.md b/_src/Evasions/techniques/processes.md
@@ -129,7 +129,7 @@ bool check_process_is_running(const std::string &proc_name) {
     <td>vmusrvc.exe</td>
   </tr>
   <tr>
-    <th rowspan="6">VMware</th>
+    <th rowspan="7">VMware</th>
     <td>vmtoolsd.exe</td>
   </tr>
   <tr>
@@ -147,21 +147,36 @@ bool check_process_is_running(const std::string &proc_name) {
   <tr>
     <td>vmount2.exe</td>
   </tr>
+  <tr>
+    <td>vmwareservice.exe</td>
+  </tr>
   <tr>
     <th rowspan="2">Xen</th>
     <td>xenservice.exe</td>
   </tr>
   <tr>
     <td>xsvc_depriv.exe</td>
   </tr>
+  <tr>
+    <th>QEMU</th>
+    <td>qemu-ga.exe</td>
+  </tr>
   <tr>
     <th>WPE Pro</th>
     <td>WPE Pro.exe</td>
   </tr>
+  <tr>
+    <th>KsDumper</th>
+    <td>ksdumperclient.exe</td>
+  </tr>
 </table>
 
 <br />
-<i>Note: WPE Pro is a sniffer, not VM, however it is used along with VM detects.</i>
+<i>Notes:</i> 
+<ul>
+  <li><tt><i>WPE Pro is a sniffer, not a VM or a sandbox, however it is used along with VM detects.</i></tt></li>
+  <li><tt><i>KsDumper is a kernel-mode process dumper, not a VM or a sandbox, however it is used along with VM detects in Styx Stealer.</i></tt></li>
+</ul>
 
 <br />
 <h4><a class="a-dummy" name="check-if-specific-libraries-are-loaded">1.2. Check if specific libraries are loaded in the process address space</a></h4>