Bound file (your miner) detected upon execution attempt even after I've added more exclusions & with delay
Hey mate,
So even after I've modified the binder's code to add more exclusions (the AppData folder, the Local AppData folder, the System32 folder, and I've added the .exe extension type too), when the binder drops Unam's miner stub into the AppData folder (after the delay), it immediately triggers a Defender alert for silent crypto miner detection.
I've also added a delay of 13 seconds, but it still didn't help.
The strange thing is also that the miner stub didn't get deleted from its dropped location, but the binder didn't execute it from there. Defender stopped the execution somehow, even with these exclusions added. (The miner didn't install itself to its set location.)
The binder stub was encrypted before execution (runPE crypter). I've also tried to encrypt the miner too, but then, because of the double encryption, somehow it corrupts the miner stub and it's not working.
Do you have any idea how to block Defender's detection once the binder drops a miner stub?
Screenshot when detection occurs:
I've tried dropping it to different folders (Temp, Local), but it's always the same.
Detection happens when it's about to execute the dropped miner, I think, after the delay ends.
BTW, could it be that somehow the exclusion commands are added only when the binder drops & executes files, not when the bound file is executed?
- How can I check this?
Or maybe because the bound stub is 32-bit and the miner is 64-bit; could this be a reason something gets corrupted?
I'm using the "native C" option inside the binder, not "Managed (.NET C#)".
Also, since the bound stub is 32-bit, I'm making the crypted file 32-bit too.
So should everything be x64, since the miner is x64 too?
Thank you very much!
Likely the exclusions aren't being added; check your Windows Defender exclusions to see if they are there.
BTW, could it be that somehow the exclusion commands are added only when the binder drops & executes files, not when the bound file is executed?
No, the commands are executed sequentially and each command will wait to complete before running the next one.
Or maybe because the bound stub is 32-bit and the miner is 64-bit; could this be a reason something gets corrupted?
I'm using the "native C" option inside the binder, not "Managed (.NET C#)".
No, that won't matter, since the stub never interacts with the bound files themselves (it only writes the bytes and executes a command).
Yes, the exclusions are added. I've checked that multiple times. I have no idea why it's detecting it then. The miner stub gets left in the AppData folder after detection, but it's not getting executed. WD is somehow blocking its execution; it catches it as soon as it gets copied to the targeted folder.