BuildCommDCBAndTimeoutA

Created the Wednesday 20 March 2024. Updated 8 months, 1 week ago.

This technique uses a BuildCommDCBAndTimeoutsA API call to determine if the malware is detonating in a sandbox. Normally, a bogus device string would cause this API call to fail. However, some malware sandbox environments may emulate in a way that allows the API call to succeed even when given a bogus device string.

Technique Identifiers

U1342 T1497.002

Technique Tags

BuildCommDCBAndTimeoutsA sandbox evasion

Code Snippets

Description

This code compiles a C program on Windows that tests if it's running in an emulation environment by attempting to configure a bogus device string with BuildCommDCBAndTimeouts; if the call succeeds, it terminates the program, suggesting it might not be running on a genuine Windows system.

// $ x86_64-w64-mingw32-gcc -o main.exe main.c

#include <windows.h>
#include <stdio.h>

int main()
{
    printf("[*] Running...\n");
    HANDLE currentProcess;

    // If we pass a bogus device string into this API call, the return value should always be zero to indicate failure.
    // The hypothesis here is that if this API call ever succeeds, it is in some kind of emulation environment that will allow a bogus device string.
    // https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-buildcommdcbandtimeoutsa

    // device string from the POC: "jhl46745fghb"
    // properly formatted device string: "COM1:9600,n,8,1"
    if (BuildCommDCBAndTimeouts("jhl46745fghb", NULL, NULL))
    {
        printf("[*] Nope.\n");
        currentProcess = GetCurrentProcess();
        TerminateProcess(currentProcess, 0);
    }

    printf("[+] Boom!\n");

    return 0;
}

About Author Open Snippet

Author: Huntress Research Team / Target Platform: Windows

Detection Rules

rule BuildCommDCBAndTimeouts 
{
    meta:
        author = "Unprotect"
        contributors = "Huntress Research Team | Unprotect Project"
        description = "Detects usage of BuildCommDCBAndTimeouts function call"
        status = "experimental"

    strings:
        $s1 = "jhl46745fghb" ascii wide nocase
        $s2 = "BuildCommDCBAndTimeouts" ascii wide nocase

    condition:
        uint16(0) == 0x5a4d and ($s2 or ($s2 and $s1))
}

Contributor

Huntress Research Team

Matching Samples 10 most recent

Sample Name	Matching Techniques	First Seen	Last Seen
al-khaser.exe	24	2024-11-13	2 weeks, 5 days ago

View All