BlackSnufkin edited this page Sep 6, 2025 · 2 revisions

Blender Scanner

The Blender Scanner compares the IOCs your payload produces under dynamic analysis with the IOCs that processes on the target host already exhibit, and ranks the processes whose existing findings look most like your payload's. A process that already carries similar artifacts is a better injection target, because the payload's footprint blends in with what a memory scanner would report for that process anyway.

How It Works

1. System Baseline Collection

take_system_sample() records a baseline of the IOCs present in running processes before any payload is introduced:

  1. Scanner Execution - Runs three analyzers against all running processes:

    • Moneta - Memory IOC detection (modified or unsigned modules, abnormal executable regions, non-image threads)
    • HSB - Hunt-Sleeping-Beacons thread analysis
    • HollowsHunter - PE-sieve based detection of hollowed or implanted modules and shellcode
  2. Data Parsing - Extracts IOCs from each analyzer's output

  3. Process Grouping - Combines IOCs by process (process_name + PID)

  4. Storage - Saves the grouped results to a date-stamped BlenderScan_MMDDYYYY.json; the comparison step loads the newest such file

2. Payload Analysis Comparison

compare_payload(payload_hash) matches the payload's IOCs against the system baseline:

  1. Load Data - Retrieves the payload's dynamic analysis results (located by hash) and the latest system scan
  2. IOC Matching - Compares IOC patterns between the payload and each system process
  3. Scoring - Calculates a match percentage per process from the IOC overlap

IOC Extraction

Moneta Parser

parse_moneta_findings() processes raw text output:

  • Process Detection - Finds lines with ' : ' separator for process name/PID
  • DLL Tracking - Identifies DLL names from 'DLL Image' entries
  • IOC Types - Extracts: Modified Code, Unsigned Module, Missing PEB Module, Modified PE Header, Inconsistent Execution, Abnormal Mapped Executable, Phantom Image, Abnormal Private Executable, Non-Image Thread, Non-Image Base
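
The parser below is an added illustration, not Doppelganger's own parse_moneta_findings(). It applies the three cues listed above (a ' : ' process header, 'DLL Image' entries for the module name, and the IOC type strings) to a constructed Moneta-style text sample, and also produces the process_name + PID keys and per-process counts that the baseline step groups on. The column layout of the sample lines, and the rule that a region line without a DLL or IOC keyword ends the current DLL's scope, are assumptions made for this example, not a description of Moneta's exact output.

```python
import re
from collections import Counter

# IOC type strings the Moneta parser looks for (the list given on this page).
MONETA_IOC_TYPES = (
    "Modified Code", "Unsigned Module", "Missing PEB Module",
    "Modified PE Header", "Inconsistent Execution",
    "Abnormal Mapped Executable", "Phantom Image",
    "Abnormal Private Executable", "Non-Image Thread", "Non-Image Base",
)

# Process header: "<name> : <pid>" at column 0, optionally followed by more " : " fields.
PROCESS_LINE = re.compile(r"^(?P<name>\S+) : (?P<pid>\d+)(?: : |$)")

# Constructed sample. The region/IOC line layout is an assumption made for this
# example; it carries the same cues the parser relies on but is not real output.
MONETA_SAMPLE = r"""
Moneta memory scan (constructed sample)

explorer.exe : 4321 : x64
  0x00007FFA12340000:0x00020000 | DLL Image | C:\Windows\System32\ntdll.dll
    0x00007FFA12345000:0x00001000 | Modified Code
  0x000001F3A0000000:0x00010000 | Private
    0x000001F3A0000000:0x00010000 | Abnormal Private Executable
svchost.exe : 1200 : x64
  0x00007FFA99990000:0x00030000 | DLL Image | C:\Windows\System32\kernel32.dll
    0x00007FFA99991000:0x00001000 | Unsigned Module
"""


def parse_moneta_findings(text):
    """Return {"name:pid": {"process_name", "pid", "iocs": [{type, dll, description}]}}."""
    processes = {}
    current = None      # process record the following lines belong to
    current_dll = None  # DLL named by the most recent 'DLL Image' entry, if any
    for raw in text.splitlines():
        if not raw.strip():
            continue
        header = PROCESS_LINE.match(raw)
        if header:
            key = f"{header['name']}:{header['pid']}"
            current = processes.setdefault(
                key, {"process_name": header["name"], "pid": int(header["pid"]), "iocs": []})
            current_dll = None
            continue
        if current is None:
            continue  # banner or preamble before the first process block
        fields = [f.strip() for f in raw.split("|")]
        is_dll_entry = len(fields) >= 3 and fields[1] == "DLL Image"
        if is_dll_entry:
            # Keep only the basename so file paths do not end up in grouping keys.
            current_dll = re.split(r"[\\/]", fields[2])[-1]
        found = [t for t in MONETA_IOC_TYPES if t in raw]
        if found:
            for ioc_type in found:
                current["iocs"].append(
                    {"type": ioc_type, "dll": current_dll, "description": raw.strip()})
        elif not is_dll_entry:
            # Assumption: a region line that names neither a DLL nor an IOC
            # (e.g. a Private region) ends the scope of the last DLL Image.
            current_dll = None
    return processes


def ioc_counts(process):
    """Occurrence count per (dll, type): the shape the comparison step works on."""
    return Counter((ioc["dll"], ioc["type"]) for ioc in process["iocs"])
```

Findings in non-image memory (the Private region above) are recorded with dll set to None, so the comparison step can still group them; if the real output places IOC flags on the same line as the DLL Image entry, the parser attaches them to that DLL because it checks for IOC strings before deciding whether to reset the scope.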

HSB Parser

parse_hsb_findings() processes structured detections:

  • Process Info - Extracts process_name and pid fields
  • Findings - Collects type and description from findings array

Process Scanner Parser

parse_process_scanner_findings() handles PE-Sieve and HollowsHunter:

  • Detection Mapping - Converts tool-specific results to standard IOC types
  • Severity Assignment - Assigns HIGH/MEDIUM severity levels
  • Instance Counting - Tracks occurrence counts for each IOC type

Comparison Algorithm

compare_processes() matching logic:

IOC Grouping

  • Groups payload and system IOCs by DLL
  • Matches IOCs by type between payload and system processes

Scoring Logic

  • Instance Comparison - Compares how many times each IOC type occurs in the payload with how many times it occurs in the system process
  • Description Normalization - Strips memory addresses and file paths from descriptions before comparing them, so the same finding at a different address or path still matches
  • Match Calculation - Returns a percentage based on the ratio of overlapping IOCs

Results

  • Processes with matching IOCs are ranked by match percentage
  • Detailed breakdown shows which specific IOCs matched
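
The Python below is added here to carry the grouping, normalization, scoring and ranking steps through on constructed IOC records; it is an illustration, not the project's compare_processes(). The specific ratio it computes (payload IOC instances that find a same-DLL, same-type counterpart in the system process, capped by that process's own instance count, divided by the payload's total) is one reasonable reading of "overlap ratio", not a statement of what Doppelganger computes, and the record shape (dll, type, description) is assumed.

```python
import re

# Placeholders for hex addresses/ranges and Windows paths, so the same
# finding at a different address or path still compares equal.
HEX_ADDR = re.compile(r"0x[0-9A-Fa-f]+")
WIN_PATH = re.compile(r"[A-Za-z]:\\(?:[^\\\s|]+\\)*[^\\\s|]*")


def normalize_description(description):
    text = WIN_PATH.sub("<path>", description)
    text = HEX_ADDR.sub("<addr>", text)
    return re.sub(r"\s+", " ", text).strip()


def group_iocs(iocs):
    """{dll: {ioc_type: {"count": n, "patterns": set of normalized descriptions}}}"""
    grouped = {}
    for ioc in iocs:
        slot = grouped.setdefault(ioc["dll"], {}).setdefault(
            ioc["type"], {"count": 0, "patterns": set()})
        slot["count"] += 1
        slot["patterns"].add(normalize_description(ioc["description"]))
    return grouped


def compare_processes(payload_iocs, system_iocs):
    """Percentage of the payload's IOC instances that one system process already shows."""
    payload, system = group_iocs(payload_iocs), group_iocs(system_iocs)
    matched, covered, total = [], 0, 0
    for dll, types in payload.items():
        for ioc_type, p in types.items():
            total += p["count"]
            s = system.get(dll, {}).get(ioc_type)
            if s is None:
                continue  # process has no IOC of this type in this DLL
            covered += min(p["count"], s["count"])  # instance comparison
            matched.append({
                "dll": dll, "type": ioc_type,
                "payload_instances": p["count"], "system_instances": s["count"],
                "pattern_match": bool(p["patterns"] & s["patterns"]),
            })
    percentage = round(100.0 * covered / total, 1) if total else 0.0
    return {"match_percentage": percentage, "matched": matched}


def rank_candidates(payload_iocs, system_processes):
    """Rank baseline processes ({"name:pid": {"iocs": [...]}}) by match percentage."""
    scored = [(key, compare_processes(payload_iocs, proc["iocs"]))
              for key, proc in system_processes.items()]
    scored = [(key, res) for key, res in scored if res["matched"]]
    return sorted(scored, key=lambda item: item[1]["match_percentage"], reverse=True)


def _ioc(dll, ioc_type, description):
    return {"dll": dll, "type": ioc_type, "description": description}


# Constructed records; the real dynamic_analysis_results.json layout is not
# reproduced here, only the dll/type/description fields this example needs.
PAYLOAD_IOCS = [
    _ioc("ntdll.dll", "Modified Code", "0x00007FFB11223000:0x00001000 | Modified Code"),
    _ioc("ntdll.dll", "Modified Code", "0x00007FFB11225000:0x00001000 | Modified Code"),
    _ioc(None, "Abnormal Private Executable",
         "0x000002A1C0000000:0x00010000 | Abnormal Private Executable"),
    _ioc("kernelbase.dll", "Unsigned Module",
         r"0x00007FFB22220000:0x00030000 | Unsigned Module | C:\Users\lab\kernelbase.dll"),
]

SYSTEM_PROCESSES = {
    "explorer.exe:4321": {"iocs": [
        _ioc("ntdll.dll", "Modified Code", "0x00007FFA12345000:0x00001000 | Modified Code"),
        _ioc(None, "Abnormal Private Executable",
             "0x000001F3A0000000:0x00010000 | Abnormal Private Executable"),
    ]},
    "svchost.exe:1200": {"iocs": [
        _ioc("kernel32.dll", "Unsigned Module",
             r"0x00007FFA99990000:0x00030000 | Unsigned Module | C:\Windows\System32\kernel32.dll"),
    ]},
    "msedge.exe:2222": {"iocs": [
        _ioc("ntdll.dll", "Modified Code", "0x00007FFA12345000:0x00001000 | Modified Code"),
        _ioc("ntdll.dll", "Modified Code", "0x00007FFA12347000:0x00001000 | Modified Code"),
        _ioc(None, "Abnormal Private Executable",
             "0x000001F3B0000000:0x00010000 | Abnormal Private Executable"),
        _ioc("kernelbase.dll", "Unsigned Module",
             r"0x00007FFB55550000:0x00030000 | Unsigned Module | C:\Windows\System32\kernelbase.dll"),
    ]},
}
```

With these records rank_candidates(PAYLOAD_IOCS, SYSTEM_PROCESSES) puts msedge.exe:2222 first at 100.0 (every payload IOC has a counterpart) and explorer.exe:4321 second at 50.0 (only one of the two ntdll.dll Modified Code instances and the private-region IOC are covered); svchost.exe:1200 is dropped because its only finding sits in a different DLL. The pattern_match flag shows that the normalized descriptions agree even though every address and path differs between the payload and the host.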

File Storage

System Scans: Utils\DoppelgangerDB\Blender\BlenderScan_MMDDYYYY.json

Payload Results: Loaded from Results\<hash>_*\dynamic_analysis_results.json
