
Checking Mouse Activity
Many sandboxes execute a sample without any simulated user interaction: the mouse cursor never moves, and the desktop is often a bare default wallpaper. Malware can abuse this by sampling the cursor position over a period of time and refusing to run its payload if the position never changes, on the assumption that no human is present. Sandboxes that simulate mouse movement defeat this naive check, which is why the rule below counts the API calls rather than matching a particular delay.
Detection Rules
rule:
  meta:
    name: check for unmoving mouse cursor
    namespace: anti-analysis/anti-vm/vm-detection
    author: BitsOfBinary
    scope: function
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection::Human User Check [B0009.012]
    references:
      - https://www.joesecurity.org/blog/5852460122427342172
    examples:
      - 7E17F0F35D50F49407841372F24FBD38:0x4010f6
  features:
    - and:
      - count(api(user32.GetCursorPos)): 2 or more
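As an added example (not code from this page or from the capa project), this is the check the rule above is written to catch, in C. The rule has function scope and requires at least two calls to user32!GetCursorPos within one function: a single call is ordinary GUI code, while repeated sampling with a pause in between is the sandbox-evasion pattern. The sample count, the polling interval, and the portable POINT stand-in used so the decision logic compiles and can be tested off Windows are assumptions made for this example.

```c
/* Added example: an "unmoving mouse cursor" sandbox check.
 * Assumptions: four samples, 500 ms apart; the POINT stand-in below is
 * only used when building somewhere other than Windows. */
#include <stdio.h>
#include <stdlib.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Stand-in for the Win32 POINT struct so cursor_moved() can be compiled
 * and tested without user32.dll (assumption: fields mirror Win32 POINT). */
typedef struct { long x; long y; } POINT;
#endif

/* Decision logic: did the cursor position ever differ from the first sample?
 * Returns 1 if any later sample differs (a human is probably present),
 * 0 if every sample is identical (typical of an idle sandbox). */
int cursor_moved(const POINT *samples, int n) {
    for (int i = 1; i < n; i++) {
        if (samples[i].x != samples[0].x || samples[i].y != samples[0].y)
            return 1;
    }
    return 0;
}

#ifdef _WIN32
/* Sample the cursor n times, interval_ms apart. Every iteration is one
 * GetCursorPos call, which is exactly what
 * count(api(user32.GetCursorPos)): 2 or more counts inside this function.
 * Returns 0 if GetCursorPos fails (e.g. no interactive window station). */
int sample_cursor(POINT *out, int n, DWORD interval_ms) {
    for (int i = 0; i < n; i++) {
        if (!GetCursorPos(&out[i]))
            return 0;
        if (i + 1 < n)
            Sleep(interval_ms);
    }
    return 1;
}
#endif

int main(void) {
#ifdef _WIN32
    POINT samples[4];
    if (!sample_cursor(samples, 4, 500))
        return 1;
    if (!cursor_moved(samples, 4)) {
        puts("cursor never moved: assuming sandbox, not running payload");
        return 1;
    }
    puts("cursor moved: continuing");
#else
    /* Constructed samples standing in for GetCursorPos output. */
    POINT idle[3] = {{100, 200}, {100, 200}, {100, 200}};
    POINT live[3] = {{100, 200}, {100, 200}, {104, 211}};
    printf("idle samples -> moved=%d, live samples -> moved=%d\n",
           cursor_moved(idle, 3), cursor_moved(live, 3));
#endif
    return 0;
}
```

When triaging a hit on this rule, look at what happens on the "never moved" branch: a benign program reacts to an idle cursor by doing nothing special, whereas malware typically exits, sleeps indefinitely, or skips its unpacking stage. Also note that a sandbox which injects synthetic mouse movement will pass this check, so the rule is a detection of the evasion attempt, not a guarantee that the evasion succeeded.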