Checking Mouse Activity

Created the Monday 11 March 2019. Updated 3 years, 6 months ago.

Some Sandbox doesn’t have the mouse moving or a fun wallpaper, malware can detect if there is any activities into the sandbox.

Technique Identifier

U1317

Code Snippets

Delphi

Jean-Pierre LESUEUR

program ADetectMouseMove;

{$APPTYPE CONSOLE}

{$R *.res}

uses
  WinApi.Windows,
  WinApi.ShellAPI,
  System.Classes,
  System.SysUtils;

var APoint     : TPoint;
    AOldPoint  : TPoint;
    AMoveCount : Cardinal;

// Update bellow constant to require more mouse move check before continue code execution
const AMaxMove = 5;

begin
  try
    GetCursorPos(AOldPoint);
    ///

    AMoveCount := 0;
    while True do begin
      GetCursorPos(APoint);

      if not PointsEqual(APoint, AOldPoint) then begin
        AOldPoint := APoint;

        Inc(AMoveCount);
      end;

      if AMoveCount >= AMaxMove then
        break;

      Sleep(1000);
    end;

    ///

    WriteLn('Mouse has moved, continue execution...');

    ShellExecuteW(0, 'open', 'calc.exe', nil, nil, SW_SHOW);
  except
    on E: Exception do
      Writeln(E.ClassName, ': ', E.Message);
  end;
end.

Open Snippet

Detection Rules

CAPA

rule:
  meta:
    name: check for unmoving mouse cursor
    namespace: anti-analysis/anti-vm/vm-detection
    author: BitsOfBinary
    scope: function
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection::Human User Check [B0009.012]
    references:
      - https://www.joesecurity.org/blog/5852460122427342172
    examples:
      - 7E17F0F35D50F49407841372F24FBD38:0x4010f6
  features:
    - and:
      - count(api(user32.GetCursorPos)): 2 or more

Additional Resources

External Links

Highly Evasive Code Injection Awaits User Interaction Before Delivering Malware | Forcepoint