Search For Content
Search Result
154 item(s) found so far for this keyword.
Detecting Virtual Environment Artefacts
Malware often checks for artifacts left by virtualization platforms to determine if it is running inside a virtual environment. Detecting such artifacts allows the malware to adapt its behavior, delay execution, or avoid exposing malicious functionality during analysis.
-
QEMU: QEMU registers artifacts in the Windows registry. For example, the key
HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical …
Detecting Hooked Function
To avoid some actions on the system by the malware like deleted a file. Cuckoo will hook some function and performs another action instead of the original one. For example the function DeleteFileW could be hooked to avoid file deletion.
Read moreChecking Pipe
Cuckoo is an open-source automated malware analysis system that performs dynamic analysis by running suspicious files in isolated virtual environments.
To facilitate communication between the host system (analysis environment) and the guest system (execution environment), Cuckoo uses a named pipe: \.\pipe\cuckoo
Detection Technique
Malware running inside the guest can check for the existence of this named pipe. …
Read moreChecking Installed Software
By detecting the presence of certain software and tools commonly used in sandbox environments, such as Python interpreters, tracing utilities, debugging tools, and virtual machine software like VMware, it is possible to infer the existence of a sandbox.
This inference is based on the premise that such tools are often found in sandbox setups used for dynamic malware analysis …
Read moreDetecting Hostname, Username
Most sandbox are using name like Sandbox, Cuckoo, Maltest, Malware, malsand, ClonePC.... All this hostname can provide the information to the malware. The username can also be checked by malware.
Read moreDetecting USB Drive
To detect whether a program is running in a sandbox environment, malware can look for the presence of USB drives. Many sandboxes do not have USB ports or do not allow access to USB drives, and detecting the absence of USB drives can help identify whether the program is being run in a sandbox.
Read moreEvading Hash Signature
AV are able to detect if it's a known malware by calculating the file hash, by changing a simple bit into the binary can sometimes allow the sample to evade hash detection. This technique is unlikely to work anymore.
Read moreFingerprinting Emulator
Fingerprinting the AV emulator can allow the malware to detect the AV. For example, specific mutex can be used by the AV emulator, trying to detect it allow the sample to detect the AV.
Read moreAPI Obfuscation
API obfuscation is a technique used by malware to make it more difficult for security analysts to understand and analyze the code. This is typically done by using a technique called API hashing, which replaces the names of API functions with a hashed value. When an analyst runs the malware through a disassembler tool, the hashed values are printed instead …
Read moreGeofencing
Geofencing in malware refers to a technique used by cybercriminals to restrict the distribution or activation of malicious software based on geographical location. Malware authors use geofencing to target specific regions or avoid certain areas, such as their home country, in order to evade detection, minimize the chances of being investigated, or maximize the effectiveness of their attacks.
Geofencing …
Read more