Search Evasion Techniques
Names, Techniques, Definitions, Keywords
Search Result
171 item(s) found so far for this keyword.
Detecting Virtual Environment Artefacts Sandbox Evasion
Qemu registers some artifacts into the registry. A malware can detect the Qemu installation with a look at the registry key HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 with the value of Identifier and the data of QEMU or HARDWARE\\Description\\System with a value of SystemBiosVersion and data of QEMU.
The VirtualBox Guest addition leaves many …
Detecting Hooked Function Sandbox Evasion
To avoid some actions on the system by the malware like deleted a file. Cuckoo will hook some function and performs another action instead of the original one. For example the function DeleteFileW could be hooked to avoid file deletion.
Checking Pipe Sandbox Evasion
Cuckoo is a malware analysis system that uses a named pipe, called \.\pipe\cuckoo, for communication between the host system (where the malware is being analyzed) and the guest system (where the malware is running).
A malware that is running on the guest system can detect the presence of a virtual environment by attempting to access the \.\pipe\cuckoo named pipe. …
SIDT, Red Pill Sandbox Evasion
Red Pill is a technique used by malware to determine whether it is running on a physical machine or a virtual machine. The Red Pill technique involves executing the SIDT instruction, which retrieves the value of the Interrupt Descriptor Table Register (IDTR) and stores it in a memory location.
On a physical machine, the IDTR will contain the address …
SLDT, No Pill Sandbox Evasion
The No Pill technique is a method used by malware to determine whether it is running on a physical machine or a virtual machine. This technique relies on the fact that the Local Descriptor Table (LDT) is assigned to a processor, rather than to an operating system. On a physical machine, the location of the LDT will be zero, whereas …
IN Sandbox Evasion
The IN instruction is a type of machine code instruction that is used to read data from an input port. This instruction can only be executed in privileged mode, such as in kernel mode, and an attempt to execute it in user mode will generate an exception.
However, some virtual machine monitors, such as VMWare, use a special port …
VPCEXT Sandbox Evasion
The VPCEXT instruction (visual property container extender) is another anti–virtual machine trick used by malware to detect virtual systems. This technique is not documented. If the execution of the instruction does not generate an exception (illegal instruction), then the program is running on a virtual machine.
Onset Delay Sandbox Evasion
Malware will delay execution to avoid analysis by the sample. For example, a Ping can be perform during a time defined. Unlike extended sleep that will use the Sleep function, onset delay will use another way to delay execution.
The purpose of such evasive code is to delay the execution of malicious activity long enough so that automated analysis …
Checking Mouse Activity Sandbox Evasion
Some Sandbox doesn't have the mouse moving or a fun wallpaper, malware can detect if there is any activities into the sandbox.
Checking Recent Office Files Sandbox Evasion
Another way to detect if the malware is running in a real user machine is to check if some recent Office files was opened.