Mutexes are referred to as mutants when they're in the Windows kernel, but for the purpose of this post I'm going to refer only to mutexes even where mutant might be the correct technical term (deal with it). So in theory, and in practice, by enumerating the mutexes on a system and then comparing them to a list of mutexes known to be used by malware, you would have good reason to believe something malicious is or was on the system, or at least a starting point to dig into if you're in the "needle in a haystack" situation. During our conversation I remembered a script from the Malware Analyst's Cookbook which scraped ThreatExpert reports and populated a DB (Note: this script also requires the 'avsubmit.py' file from the MACB, since it takes the ThreatExpert class from it). After taking another look at the script, I figured it would be less time consuming to modify it to fit my needs than to start from scratch. This idea can be implemented across other online sandboxes as well, but in this instance I'm only going to touch on ThreatExpert. Link: hiddenillusion
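The comparison step described above (enumerated mutex names checked against a database of names known from sandbox reports) as an added example; this is not the post's modified script nor the MACB code. It assumes a small SQLite table as the "DB" and uses constructed mutex names and report ids rather than real indicators. The normalization handles the forms a handle-enumeration tool typically prints (`\BaseNamedObjects\...`, per-session paths, and `Global\`/`Local\` scope prefixes), so that a name recorded from a sandbox report matches the same object seen on a host regardless of session or case.

```python
import re
import sqlite3

# Constructed stand-in for entries scraped from sandbox reports (hypothetical names, not real IoCs).
KNOWN_MALWARE_MUTEXES = [
    ("constructed_bad_mutex_alpha", "constructed-report-0001"),
    ("constructed_bad_mutex_beta", "constructed-report-0002"),
]

# Constructed list of mutex names as a handle/object enumeration tool might report them on a host.
OBSERVED_MUTEXES = [
    r"\BaseNamedObjects\Constructed_Bad_Mutex_Alpha",
    r"\Sessions\1\BaseNamedObjects\Local\constructed_bad_mutex_beta",
    r"\BaseNamedObjects\Global\constructed_legit_app_mutex",
    r"\BaseNamedObjects\constructed_other_mutex",
]

# Object-manager path prefix, optionally under a session directory.
_PATH_PREFIX_RE = re.compile(r"^(\\Sessions\\\d+)?\\BaseNamedObjects\\", re.IGNORECASE)
# Scope prefix that user-mode code prepends when creating the object.
_SCOPE_PREFIX_RE = re.compile(r"^(Global|Local)\\", re.IGNORECASE)


def normalize_mutex_name(name):
    """Reduce a mutex name to the bare object name, lower-cased, for comparison."""
    name = _PATH_PREFIX_RE.sub("", name)
    name = _SCOPE_PREFIX_RE.sub("", name)
    return name.lower()


def build_known_db(entries, path=":memory:"):
    """Create (or open) the known-mutex table and load normalized names with their source report."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS mutexes (name TEXT PRIMARY KEY, source TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT OR IGNORE INTO mutexes (name, source) VALUES (?, ?)",
        [(normalize_mutex_name(n), s) for n, s in entries],
    )
    conn.commit()
    return conn


def match_observed(conn, observed):
    """Return (raw_name, normalized_name, source_report) for every observed mutex in the DB."""
    hits = []
    for raw in observed:
        norm = normalize_mutex_name(raw)
        row = conn.execute("SELECT source FROM mutexes WHERE name = ?", (norm,)).fetchone()
        if row is not None:
            hits.append((raw, norm, row[0]))
    return hits


if __name__ == "__main__":
    db = build_known_db(KNOWN_MALWARE_MUTEXES)
    for raw, norm, source in match_observed(db, OBSERVED_MUTEXES):
        print(f"HIT {raw!r} -> {norm} (seen in {source})")
```

Names are normalized on both the DB side and the host side, so a report that recorded `Global\Foo` and a host listing `\Sessions\2\BaseNamedObjects\foo` still match; the source column keeps the pointer back to the report, which is the thing you actually want when a hit turns up and you need to decide whether it's worth digging into.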
