Virtualization/Sandbox Evasion: System Checks Defense Evasion [Mitre]

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions …

Virtualization/Sandbox Evasion: User Activity Based Checks Defense Evasion [Mitre]

Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core …

Virtualization/Sandbox Evasion: Time Based Evasion Defense Evasion [Mitre]

Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.

…

Evasion using direct Syscalls Antivirus/EDR Evasion

In the Windows operating system, conventional malware frequently utilizes strategies involving the invocation of specific functions from the kernel32.dll library, such as VirtualAlloc, VirtualProtect, and CreateThread. A closer inspection of the call stack reveals that the functions employed from kernel32.dll eventually trigger corresponding functions within the ntdll.dll library. This is facilitated by the ntdll.dll library, which serves …

Shikata Ga Nai (SGN) Data Obfuscation

Shikata Ga Nai (SGN) is a data obfuscation technique that employs a polymorphic binary encoding scheme. It was initially developed by Ege Balci and gained popularity through its implementation in Metasploit Framework's msfvenom. SGN takes a binary input and generates a self-decoding obfuscated shellcode. The algorithm utilizes a XOR feedback loop for encoding and prefixes a decoding routine to the …

FuncIn Antivirus/EDR Evasion Anti-Debugging Anti-Disassembly Anti-Forensic

FuncIn involves a payload staging strategy wherein the entire set of malicious functionalities is not contained within the malware file itself or any third-party file/network location (e.g., a web server). Instead, these functionalities are transmitted over the network by the Command and Control (C2) server when required.

This approach addresses three primary issues in malware development. Firstly, it mitigates …

PowerShell Special Characters Obfuscation Data Obfuscation

PowerShell scripts can be obfuscated using methods that encode commands exclusively with special characters. This technique aims to complicate analysis and potentially evade detection mechanisms.

Attackers frequently employ these tactics to hide the true functionalities of the script, making the analysis more challenging.

NixImports Packers

A .NET malware loader employs API-Hashing and dynamic invocation to circumvent static analysis. NixImports utilizes managed API-Hashing to dynamically determine most of its required functions during runtime. For function resolution, HInvoke needs two specific hashes: typeHash and methodHash, representing the type name and the method's full name, respectively. At runtime, HInvoke scans the entire mscorlib to locate the corresponding type …

PyArmor Packers

Pyarmor is a command-line tool primarily used for the obfuscation of Python scripts. While its original design aims to protect Python code from unauthorized access and reverse engineering, its capabilities also make it a tool of interest for malware obfuscation. Pyarmor achieves this through several key features, each with potential applications in both legitimate protection and malicious exploitation:

…

BlockInput Others

As per Microsoft's documentation, BlockInput function "prevents keyboard and mouse input events from reaching applications," effectively restricting user interaction with the system.

Malware occasionally employs this tactic to hinder analysis by debuggers or other analysis tools throughout the process' runtime. To deactivate the block, the program must make a live call to BlockInput with the parameter 0. Windows automatically …

Search Evasion Techniques

Search Result