Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
171 item(s) found so far for this keyword.
Checking Malware Name Sandbox Evasion Anti-Monitoring
Malware can use various techniques to evade detection by security analysts and researchers. One such technique is to check the name of the malware sample before fully executing on the infected machine. If the sample has been renamed to a blacklisted name, such as "malware.exe" or "sample.exe", or even with the file hash, the malware can detect this and change …
Checking Specific Folder Name Sandbox Evasion
Specific directories, such as "C:\Cuckoo", can serve as indicators of a sandboxed or virtualized environment when present on a guest system. Consequently, a savvy piece of malware could potentially use the detection of this particular directory as a means of evading analysis. This would allow the malicious software to alter its behavior or even halt its execution altogether when it …
VMCPUID Sandbox Evasion
The VMCPUID instruction is a sophisticated mechanism often employed by malware to ascertain if it is operating within a virtual environment.
This instruction is part of the x86 architecture's virtual machine extensions (VMX) and is designed to provide information about the capabilities and status of the virtual machine.
By using VMCPUID, malware can adapt its behavior based on …
Checking Screen Resolution Sandbox Evasion
Sandbox environments typically do not function as standard user workspaces; as a result, they often maintain a minimum screen resolution of 800x600 or even lower. In practice, users seldom work with such limited screen dimensions. Malware may leverage this information, detecting the screen resolution to ascertain whether it is operating on a genuine user machine or within a sandbox environment.
Checking Memory Size Sandbox Evasion
Most modern user machines have at least 4GB of memory. Malware programs can detect whether they are running in a sandbox environment by checking the available memory size. If the available memory size is less than 4GB, it is likely that the program is running in a sandbox.
Checking Hard Drive Size Sandbox Evasion
Many user machines have hard drives that are larger than 80GB. A malware program can detect whether it is running in a virtual environment by checking the size of the hard drive. If the size is less than 80GB, it is likely that the program is running in a sandbox or virtual environment.
Process Hollowing, RunPE Process Manipulating
Process hollowing is a technique used by malware to evade detection by injecting malicious code into a legitimate process. This technique involves creating a new instance of a legitimate process and replacing its original code with the malicious payload.
The process is the following:
CreateProcess: in a suspended mode with the CreationFlag at 0x0000 0004.…
Process Camouflage, Masquerading Process Manipulating
Masquerading is a technique used by malware to evade detection by disguising itself as a legitimate file. This is typically achieved by renaming the malicious file to match the name of a commonly found and trusted file, such as svchost.exe, and placing it in a legitimate folder.
Masquerading can occur when the name or location of an executable, …
Entry Point Modification Process Manipulating
The entry point is the starting point of an executable file during execution. Some malware use techniques such as changing or relocating the real entry point to protect their code from analysis. This makes it difficult for security software to identify and detect the malware as the code is not executed in the usual way.
Hook Injection Process Manipulating
Hook injection is a technique used by malware to alter the behavior of internal functions in an operating system or application. This is typically achieved by inserting malicious code into existing function calls, allowing the malware to intercept and manipulate the normal flow of execution.
In the case of Windows, the SetWindowsHookEx function can be used by programs to …