CPUID Sandbox Evasion

The CPUID instruction is a low-level command that allows you to retrieve information about the CPU that is currently running. This instruction, which is executed at the CPU level (using the bytecode 0FA2), is available on all processors that are based on the Pentium architecture or newer.

You can use the CPUID instruction to retrieve various pieces of information …

Process Camouflage, Masquerading Process Manipulating

Masquerading is a technique used by malware to evade detection by disguising itself as a legitimate file. This is typically achieved by renaming the malicious file to match the name of a commonly found and trusted file, such as svchost.exe, and placing it in a legitimate folder.

Masquerading can occur when the name or location of an executable, …

Detecting Online Sandbox Sandbox Evasion

Online sandboxes are widely used for malware analysis. To evade detection, many malware families implement checks to identify if they are running in such environments. Below are examples of detection techniques for Any.Run and Tria.ge.

Detecting Any.Run

Any.Run uses a fake root certificate to spy on sandbox traffic. System information can be obtained by querying …

Detecting Virtual Environment Artefacts Sandbox Evasion

Malware often checks for artifacts left by virtualization platforms to determine if it is running inside a virtual environment. Detecting such artifacts allows the malware to adapt its behavior, delay execution, or avoid exposing malicious functionality during analysis.

QEMU: QEMU registers artifacts in the Windows registry. For example, the key HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical …

Detecting Hooked Function Sandbox Evasion

To avoid some actions on the system by the malware like deleted a file. Cuckoo will hook some function and performs another action instead of the original one. For example the function DeleteFileW could be hooked to avoid file deletion.

Checking Pipe Sandbox Evasion

Cuckoo is an open-source automated malware analysis system that performs dynamic analysis by running suspicious files in isolated virtual environments.

To facilitate communication between the host system (analysis environment) and the guest system (execution environment), Cuckoo uses a named pipe: \.\pipe\cuckoo

Detection Technique

Malware running inside the guest can check for the existence of this named pipe. …

Disabling Antivirus Antivirus/EDR Evasion

Some forms of malware are programmed to disable antivirus software and evade detection by security measures. These malicious programs can use specific commands or techniques to undermine the antivirus software's effectiveness and remain hidden from detection..

C2 via Social Networks Network Evasion

Malware often relies on a communication channel with its operator in order to receive instructions and updates. This channel is known as a command and control (C&C or C2) channel. C&C channels can take various forms, such as internet relay chat (IRC), peer-to-peer protocols, and even social media. The use of C&C channels allows the operator to remotely control the …

DTPacker Packers

DTPacker is a .NET packer or downloader which although seeing considerable variety in the first stage, uses a second stage with a fixed password as part of the decoding.

The main difference between a packer and a downloader is the location of the payload data which is embedded in the former and downloaded in the latter. DTPacker uses both …

Impair Defenses: Disable or Modify Tools Defense Evasion [Mitre]

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable …

Search Evasion Techniques

Search Result