Checking Malware Name

Created the Tuesday 22 September 2020. Updated 2 years ago.

Some analysts rename the malware as “malware.exe” or “sample.exe” or even with the file hash. Malware can detect the name before fully executing on the infected machine. If any of the blacklisted names are detected, the sample will run differently or end its process.

#include <iostream>
#include <cstring>
#include <windows.h>

using namespace std;

int main(int argc, char** argv)
{
    TCHAR szExeFileName[MAX_PATH];
    GetModuleFileName(NULL, szExeFileName, MAX_PATH);

    // full path
    cout << "[+] Fulle Path: " << szExeFileName << endl;

    //convert tchar to string
    std:string filename (szExeFileName);

    // Remove directory if present.
    const size_t last_slash_idx = filename.find_last_of("\\/");
    if (std::string::npos != last_slash_idx)
    {
        filename.erase(0, last_slash_idx + 1);
    }

    // Blacklist
    LPSTR fname[] = {"sample.exe",
                     "malware.exe",
                     // ADD YOUR PROCESS NAME HERE!
                    };
    for (int i = 0; i < (sizeof(fname) / sizeof(LPSTR)); i++)
    {
        if ((fname[i] == filename ))
        {
            cout << " [!] Filename is blacklisted: " << (fname[i]) << endl;
            exit(0);
        }
    }
    return 0;
}

Open Snippet

Additional Resources

External Links

https://twitter.com/hatching_io/status/1308051192661110784

Checking Malware Name

Technique Identifiers

Technique Tag

Code Snippets

Additional Resources

External Links

Subscribe to our Newsletter