BuildCommDCBAndTimeoutA

Created the Wednesday 20 March 2024. Updated 1 month, 1 week ago.

This technique uses a BuildCommDCBAndTimeoutsA API call to determine if the malware is detonating in a sandbox. Normally, a bogus device string would cause this API call to fail. However, some malware sandbox environments may emulate in a way that allows the API call to succeed even when given a bogus device string.

Technique Identifiers

U1342 T1497.002

Technique Tags

BuildCommDCBAndTimeoutsA sandbox evasion

Featured Windows API's

Below, you will find a list of the most commonly used Windows API's that are currently utilized by malware authors for current evasion technique. This list is meant to provide an overview of the API's that are commonly used for this purpose. If there are any API's that you feel should be included on this list, please do not hesitate to contact us. We will be happy to update the list and provide any additional information or documentation that may be helpful.

BuildCommDCBAndTimeoutsA

Code Snippets

Description

This code compiles a C program on Windows that tests if it's running in an emulation environment by attempting to configure a bogus device string with BuildCommDCBAndTimeouts; if the call succeeds, it terminates the program, suggesting it might not be running on a genuine Windows system.

// $ x86_64-w64-mingw32-gcc -o main.exe main.c

#include <windows.h>
#include <stdio.h>

int main()
{
    printf("[*] Running...\n");
    HANDLE currentProcess;

    // If we pass a bogus device string into this API call, the return value should always be zero to indicate failure.
    // The hypothesis here is that if this API call ever succeeds, it is in some kind of emulation environment that will allow a bogus device string.
    // https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-buildcommdcbandtimeoutsa

    // device string from the POC: "jhl46745fghb"
    // properly formatted device string: "COM1:9600,n,8,1"
    if (BuildCommDCBAndTimeouts("jhl46745fghb", NULL, NULL))
    {
        printf("[*] Nope.\n");
        currentProcess = GetCurrentProcess();
        TerminateProcess(currentProcess, 0);
    }

    printf("[+] Boom!\n");

    return 0;
}

Detection Rules

                                    rule BuildCommDCBAndTimeouts 
{
    meta:
        author = "Unprotect"
        contributors = "Huntress Research Team | Unprotect Project"
        description = "Detects usage of BuildCommDCBAndTimeouts function call"
        status = "experimental"

    strings:
        $s1 = "jhl46745fghb" ascii wide nocase
        $s2 = "BuildCommDCBAndTimeouts" ascii wide nocase

    condition:
        uint16(0) == 0x5a4d and ($s2 or ($s2 and $s1))
}

Contributors

Huntress Research Team