(CAPA) CAPA_SANBOX_AV_CHECK


rule:
  meta:
    name: check for sandbox and av modules
    namespace: anti-analysis/anti-av
    author: "@_re_fox"
    scope: basic block
    unprotect: U0508
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
      - Anti-Behavioral Analysis::Sandbox Detection [B0007]
    examples:
      - ccbf7cba35bab56563c0fbe4237fdc41:0x0040a4a0
  features:
    - and:
      - api: GetModuleHandle
      - or:
        - string: /avghook(x|a)\.dll/i
          description: AVG
        - string: /snxhk\.dll/i
          description: Avast
        - string: /sf2\.dll/i
          description: Avast
        - string: /sbiedll\.dll/i
          description: Sandboxie
        - string: /dbghelp\.dll/i
          description: WinDbg
        - string: /api_log\.dll/i
          description: iDefense Lab
        - string: /dir_watch\.dll/i
          description: iDefense Lab
        - string: /pstorec\.dll/i
          description: SunBelt Sandbox
        - string: /vmcheck\.dll/i
          description: Virtual PC
        - string: /wpespy\.dll/i
          description: WPE Pro
        - string: /cmdvrt(64|32)\.dll/i
          description: Comodo Container
        - string: /sxin\.dll/i
          description: 360 SOFTWARE
        - string: /dbghelp\.dll/i
          description: WINE
        - string: /printfhelp\.dll/i
          description: Unknown Sandbox
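To make the rule's matching semantics concrete, the following is an added Python example (it is not part of the Unprotect page and not capa's own code). It re-implements only the subset of capa's rule language this rule uses (`and`, `or`, `api`, and `string` with `/regex/i` syntax) and evaluates it against per-basic-block features. The API normalisation (dropping a module prefix and a trailing A/W suffix so that `api: GetModuleHandle` also covers `kernel32.GetModuleHandleA`) is an assumption modelled on capa's behaviour, and the three feature sets at the bottom are constructed for the demonstration, not extracted from the sample hash listed in the rule.

```python
"""Evaluate the sandbox/AV module capa rule against extracted basic-block features.

Added example, not part of the Unprotect page or of the capa project. Only the
statements used by the rule above are supported: and, or, api, string (/regex/i).
"""
import re
from dataclasses import dataclass, field
from typing import Any, Dict, List, Set, Tuple

# The rule's `or` branch transcribed from the YAML above into Python data, so the
# example runs without a YAML parser. Descriptions are kept for reporting.
SANDBOX_MODULES = [
    (r"/avghook(x|a)\.dll/i", "AVG"),
    (r"/snxhk\.dll/i", "Avast"),
    (r"/sf2\.dll/i", "Avast"),
    (r"/sbiedll\.dll/i", "Sandboxie"),
    (r"/dbghelp\.dll/i", "WinDbg"),
    (r"/api_log\.dll/i", "iDefense Lab"),
    (r"/dir_watch\.dll/i", "iDefense Lab"),
    (r"/pstorec\.dll/i", "SunBelt Sandbox"),
    (r"/vmcheck\.dll/i", "Virtual PC"),
    (r"/wpespy\.dll/i", "WPE Pro"),
    (r"/cmdvrt(64|32)\.dll/i", "Comodo Container"),
    (r"/sxin\.dll/i", "360 SOFTWARE"),
    (r"/dbghelp\.dll/i", "WINE"),
    (r"/printfhelp\.dll/i", "Unknown Sandbox"),
]

# Feature tree equivalent to the rule's `features:` section.
RULE: Dict[str, Any] = {
    "and": [
        {"api": "GetModuleHandle"},
        {"or": [{"string": pat, "description": desc} for pat, desc in SANDBOX_MODULES]},
    ]
}


@dataclass
class BlockFeatures:
    """Features capa would extract for one basic block: APIs called, strings referenced."""
    apis: Set[str] = field(default_factory=set)
    strings: Set[str] = field(default_factory=set)


_REGEX_SPEC = re.compile(r"\A/(?P<body>.*)/(?P<flags>i?)\Z", re.DOTALL)


def _normalize_api(name: str) -> str:
    """Assumed capa-style normalisation: strip `module.` prefix and ANSI/wide suffix."""
    base = name.rsplit(".", 1)[-1]
    if len(base) > 1 and base[-1] in "AW" and base[-2].islower():
        base = base[:-1]
    return base.lower()


def _string_matches(spec: str, candidate: str) -> bool:
    """`/body/i` specs are searched as regexes; anything else is an exact literal match."""
    m = _REGEX_SPEC.match(spec)
    if m is None:
        return spec == candidate
    flags = re.IGNORECASE if "i" in m.group("flags") else 0
    return re.search(m.group("body"), candidate, flags) is not None


def evaluate(node: Dict[str, Any], feats: BlockFeatures, hits: List[str]) -> bool:
    """Recursively evaluate one statement. Every child is evaluated (no short-circuit)
    so `hits` lists all matched module descriptions, even when the rule as a whole fails."""
    if "and" in node:
        return all([evaluate(child, feats, hits) for child in node["and"]])
    if "or" in node:
        return any([evaluate(child, feats, hits) for child in node["or"]])
    if "api" in node:
        want = _normalize_api(node["api"])
        return any(_normalize_api(a) == want for a in feats.apis)
    if "string" in node:
        matched = sorted(s for s in feats.strings if _string_matches(node["string"], s))
        if matched:
            hits.append(f'{node.get("description", node["string"])}: {", ".join(matched)}')
        return bool(matched)
    raise ValueError(f"unsupported statement: {list(node)}")


def match_rule(feats: BlockFeatures) -> Tuple[bool, List[str]]:
    """Return (rule matched?, descriptions of sandbox/AV module strings seen)."""
    hits: List[str] = []
    return evaluate(RULE, feats, hits), hits


# Constructed feature sets for demonstration (not taken from any real sample).
BLOCK_SANDBOX_CHECK = BlockFeatures(
    apis={"kernel32.GetModuleHandleA"},
    strings={"SbieDll.dll", "cmdvrt32.dll", "C:\\Windows\\System32"},
)
BLOCK_BENIGN = BlockFeatures(apis={"kernel32.GetModuleHandleW"}, strings={"user32.dll"})
# Strings alone are not enough: the rule also requires the GetModuleHandle call.
BLOCK_STRINGS_ONLY = BlockFeatures(apis={"kernel32.LoadLibraryA"}, strings={"snxhk.dll"})

if __name__ == "__main__":
    for label, block in [("sandbox check", BLOCK_SANDBOX_CHECK),
                         ("benign", BLOCK_BENIGN), ("strings only", BLOCK_STRINGS_ONLY)]:
        print(label, match_rule(block))
```

Because the `and` requires both the API call and at least one module name in the same basic block, a block that merely embeds one of these DLL names (for instance a legitimate debugger-support binary referencing dbghelp.dll) does not match on its own; the `hits` list still reports such strings so an analyst can see why a near-miss did not fire.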

Associated Techniques

Technique Name        Technique IDs    Snippet(s)    OS
Disabling Antivirus   U0508 F0004

Created: June 20, 2022

Last Revised: June 20, 2022