Hey Guys!
Developing SiriusGPT was by far the most difficult project I have ever worked on, but I am super happy with the results. SiriusGPT utilizes 3 LLM / GPT models in an iterative configuration, and I have yet to see one false positive or negative, for both compiled and text-based files, and for command line analysis as well.
If you scan a file or experience a block, you can click the Sirius logo to toggle between the Analysis Report and the event details. I am pretty happy with the user prompt, but we will probably refine it a little more as we go, and if anyone has any suggestions, please let me know.
A lite version of CyberLock is implemented into SiriusGPT, so you can select from AutoPilot and Dynamic Security Postures (Smart Mode), which is essentially a zero-trust security posture when you are browsing the web or checking emails. The LLM command line / LOLBin / fileless analysis is fully implemented, so we no longer have to worry about confusing command line blocks, they are all handled automatically, unless there is a malicious attack, in which case you will see a prompt that tells you to not allow the event. There should be close to zero bugs, but as soon as we are sure all of the bugs are worked out, we will be implementing the SiriusGPT engine into our other products.
The LLM analysis on these events is extremely accurate, usually with a confidence of 95% or higher. Here is a sample analysis report for these types of events.
Process path: c:\windows\system32\rundll32.exe
Parent process path: c:\windows\explorer.exe
Command line: "c:\windows\system32\rundll32.exe" using s=system;class p{static void main(){s.console.writeline((char)72+""+(char)101+(char)108+(char)108+(char)111);}}
Final Verdict: Not Safe with 95% confidence.
## Analysis Summary
The given command line execution event involves `rundll32.exe` being launched by `explorer.exe`. The command line argument passed to `rundll32.exe` is unusual and appears to be an attempt to execute arbitrary code. `rundll32.exe` is a known LOLBin (Living Off The Land Binary) that can be used to execute code in a DLL by calling a specific function within it.
The command line argument `using s=system;class p{static void main(){s.console.writeline((char)72+""+(char)101+(char)108+(char)108+(char)111);}}` is not a typical DLL function call expected by `rundll32.exe`. Instead, it resembles C# code that prints "Hello" to the console. This syntax is not directly executable by `rundll32.exe`, which typically requires a DLL name and an entry point.
The use of `rundll32.exe` with such an argument is suspicious because it attempts to abuse the binary for executing arbitrary code, potentially bypassing security restrictions. The code within the command line argument is obfuscated or encoded, as it uses character codes to represent the string "Hello". This behavior is indicative of an attempt to hide the true intent of the command.
The parent process, `explorer.exe`, launching `rundll32.exe` with such an argument is abnormal. While `explorer.exe` can launch various processes, the context and the command line argument used here suggest malicious intent.
## Malware Type and Name
Given the suspicious use of `rundll32.exe` and the encoded command line argument, this activity represents LOLBin Abuse. The specific behavior of executing C#-like code within the command line argument is not typical for legitimate applications.
## Final Verdict
Malware type: LOLBin Abuse (Thanks to @Trident for the malware name idea!)
Malware name: LOLBin.Rundll32.Exec (Thanks to @Trident for the malware name idea!)
Final verdict: Malicious with 95% confidence.
If you are curious and want to try SiriusGPT, but have CyberLock installed, you can uninstall CyberLock temporarily and then install SiriusGPT. You might want to click No when it asks if you want to delete the Settings and Logs during the CyberLock uninstall.
You can download the installer or portable version here:
Thank you guys!
Dan
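The report above reasons from three observations: the argument is not the `<dll>,<EntryPoint>` pair rundll32.exe expects, it contains C#-like source tokens, and the `(char)NN` sequence decodes to "Hello". The following is an added example (not SiriusGPT's or CyberLock's code) that applies those same three checks to a process-creation event; the event dictionary is constructed from the values quoted in the post, and the regexes and token list are assumed heuristics.

```python
import re

# Constructed sample event, built from the values in the report above (not real telemetry).
SAMPLE_EVENT = {
    "process_path": r"c:\windows\system32\rundll32.exe",
    "parent_process_path": r"c:\windows\explorer.exe",
    "command_line": r'"c:\windows\system32\rundll32.exe" using s=system;class p{static void main(){s.console.writeline((char)72+""+(char)101+(char)108+(char)108+(char)111);}}',
}

# Expected legitimate shape: rundll32.exe <dll>,<EntryPoint> [args]  (assumed heuristic)
LEGIT_ARG = re.compile(r'^"?[^",]+\.(dll|cpl|ocx)"?\s*,\s*[A-Za-z_]\w*', re.IGNORECASE)
# (char)NN sequences used to spell a string one character at a time
CHAR_CODE = re.compile(r'\(char\)\s*(\d+)')
# Tokens that indicate source code rather than a DLL/entry-point pair (assumed list)
CODE_TOKENS = ("using ", "class ", "static void", "console.writeline", "{", "}")


def split_args(command_line):
    """Return everything after the quoted or bare executable path."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', command_line)
    return m.group(1) if m else ""


def decode_char_codes(text):
    """Join runs of (char)NN into the string they spell, e.g. 'Hello'."""
    return "".join(chr(int(n)) for n in CHAR_CODE.findall(text))


def analyze_rundll32(event):
    """Apply the report's three checks to one event and return a verdict dict."""
    exe = event["process_path"].lower()
    if not exe.endswith("rundll32.exe"):
        return {"verdict": "not_applicable", "reasons": [], "decoded": ""}
    args = split_args(event["command_line"])
    reasons = []
    if not LEGIT_ARG.match(args):
        reasons.append("argument is not a <dll>,<EntryPoint> pair")
    if any(tok in args.lower() for tok in CODE_TOKENS):
        reasons.append("argument contains source-code-like tokens")
    decoded = decode_char_codes(args)
    if decoded:
        reasons.append(f"character codes decode to {decoded!r}")
    verdict = "suspicious" if reasons else "benign"
    return {"verdict": verdict, "reasons": reasons, "decoded": decoded,
            "parent": event.get("parent_process_path", "")}


if __name__ == "__main__":
    print(analyze_rundll32(SAMPLE_EVENT))
```

A benign invocation such as `rundll32.exe shell32.dll,Control_RunDLL` passes all three checks and returns "benign", so the decoded-string field is what an analyst would surface in the report.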