RedMimicry is currently not publicly available. Contact me directly in case you know me personally and want access.

[v1.0.4] RedMimicry - Winnti Emulation

This RedMimicry release emulates the behavior of the Winnti version from around 2015.

Emulated behavior includes among other things

• network traffic encoding
• original “Cooper” loader with RedMimicry agent payload
• payload injection in svchost process
• event creation

Known Issues

If you discover a bug or unexpected behavior feel free to send me an email to bugs@redmimicry.com.

• the shell command can only handle ANSI input
• frontend in Safari broken
• disable_sysmon does not work on older Sysmon versions (tested with Sysmon 11.10)

Signatures

You can download signatures matching the winnti IOCs as well as the RedMimicry agent payload below.

• redmimicry_winnti_2015.yar
• redmimicry_winnti_2015_sigma.zip