Detecting Online Sandbox Sandbox Evasion

Online sandbox has become very popular for malware analysis. Several malware authors employ such techniques to avoid detection and analysis. Some of these techniques will be summarized here.

Any.Run uses a fake root certificate to spy on sandbox traffic. The first information about the system can be obtained by querying the information of the root certificate. In …

Process Herpaderping Process Manipulating

Process Herpaderping is a method of obscuring the intentions of a process by modifying the content on a disk after the image has been mapped. This results in curious behavior by security products and the OS itself.

To abuse this convention, we first write a binary to a target file on a disk. Then, we map an image of …

Process Ghosting Process Manipulating

Process Ghosting is a technique used to bypass detection by manipulating the executable image when a process is loaded.

Windows attempts to prevent mapped executables from being modified. Once a file is mapped into an image section, attempts to open it with FILE_WRITE_DATA (to modify it) will fail with ERROR_SHARING_VIOLATION. Deletion attempts via FILE_DELETE_ON_CLOSE/FILE_FLAG_DELETE_ON_CLOSE fail with …

Volume Shadow Copy Service (VSC,VSS) Deletion Anti-Forensic Defense Evasion [Mitre]

Deleting Volume Shadow Copy makes the forensic investigation more difficult in terms of the recovery of previous artifact evidence. In addition, attackers using ransomware often delete VSCs not to be able to recover the original files of the encrypted files from VSCs.

On the other hand, deleting by using vssadmin and WMIC is on a file system level, the …

Anti-UPX Unpacking Others

Anti-UPX Unpacking is the technique to prevent malware from being unpacked by tools like UPX. UPX packed binary indicates that the section names starting with UPX followed by a number (UPX0 and UPX1) and the string “UPX!” at the end of the PE header. This UPX reference structure is located at the end of the PE header and the header …

Alternate EXE Packer Packers

EXE Packer is able to compress executable files (type EXE) or DLL-files. Already compressed files may also be decompressed with this program. There exist 12 different levels for file-compression. This program is also able to create backups of the files that shall be compressed.

If a file is compressed the physical file-size is reduced on the respective device. A …

ExeStealth Packers

ExeStealth is a tool that encrypts files to avoid detection and hacking. Designed by WebToolMaster, this free software is simple to implement and one of the best anti-hacking tools on the market, which also makes it effective at hiding malware code in your system.

Themida Packers

Themida is a commercial known packer that embeds several features including anti-debugging, virtual machine emulation, encryption...

Anti-debugger techniques that detect/fool any kind of debugger
Anti-memory dumpers techniques for any Ring3 and Ring0 dumpers
Different encryption algorithms and keys in each protected application
Anti-API scanners techniques that avoids reconstruction …

MEW Packers

MEW is an EXE compression tool that was specifically designed to handle small files.

FSG Packers

The free, simple FSG software compresses both small and large files. While it is popular and commonly used to hide malware code, it is also relatively simple to unpack through a decompression loop that writes the data to the final destination.

Search Evasion Techniques

Search Result