IN
The IN instruction is a type of machine code instruction that is used to read data from an input port. This instruction can only be executed in privileged mode, such as in kernel mode, and an attempt to execute it in user mode will generate an exception.
However, some virtual machine monitors, such as VMWare, use a special port …
VPCEXT
The VPCEXT instruction (visual property container extender) is another anti–virtual machine trick used by malware to detect virtual systems. This technique is not documented. If executing the instruction does not generate an exception (illegal instruction), the program is running on a virtual machine.
Onset Delay
Malware may delay execution to avoid analysis of the sample. For example, a ping can be performed for a defined period of time. Unlike an extended sleep, which uses the Sleep function, onset delay uses another means of delaying execution.
The purpose of such evasive code is to delay the execution of malicious activity long enough so that automated analysis …
Checking Recent Office Files
Another way for malware to detect whether it is running on a real user's machine is to check whether any Office files were opened recently.
Evading Hash Signature
AV engines can detect known malware by calculating the file hash; changing a single bit in the binary can sometimes allow the sample to evade hash detection. This technique is unlikely to work anymore.
Fingerprinting Emulator
Fingerprinting the AV emulator can allow the malware to detect the AV. For example, an AV emulator may use a specific mutex; checking for that mutex allows the sample to detect the AV.
Big File
Because of the imposed file size limit, you can trick the scanner into skipping a file by changing the file's size to make it larger than the hard-coded size limit. This file size limit applies especially to heuristic engines based on static data (data extracted from the portable executable, or PE, header). This is an old trick that still applies in …
File Format Confusion
By looking at the structure of the PE and the content of the file, the engine can determine whether the file is malicious. For example, a heuristic engine can try to figure out whether a file uses a dual extension (e.g. invoice.doc.exe) and flag the file as malicious.
Confusing file format is another trick …
CheckRemoteDebuggerPresent
CheckRemoteDebuggerPresent is a kernel32.dll function that sets the DebuggerPresent parameter to 0xffffffff (-1) if a debugger is present. Internally, it also uses NtQueryInformationProcess with ProcessDebugPort as the ProcessInformationClass parameter.
NtQueryInformationProcess
This function retrieves information about a running process. Malware can detect whether the process is currently attached to a debugger using the ProcessDebugPort (0x7) information class.
A nonzero value returned by the call indicates that the process is being debugged.