Checking Pipe
Created the Monday 11 March 2019. Updated 2 weeks, 4 days ago.
Cuckoo is an open-source automated malware analysis system that performs dynamic analysis by running suspicious files in isolated virtual environments.
To facilitate communication between the host system (analysis environment) and the guest system (execution environment), Cuckoo uses a named pipe: \\.\pipe\cuckoo
Detection Technique
Malware running inside the guest can check for the existence of this named pipe. If the pipe is present, it indicates that the sample is being executed within a Cuckoo-monitored virtual machine.
Based on this detection, the malware may alter its behavior to evade analysis, such as avoiding malicious actions or delaying execution.
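A defender-side counterpart to the technique above, as an added example that is not part of the original page: a small static scanner that searches a sample's raw bytes for the pipe path \\.\pipe\cuckoo in the two encodings a Windows binary normally embeds it in (ANSI and UTF-16LE), case-insensitively. A hit is a triage signal that the sample probes for the Cuckoo host/guest channel and a ready candidate string for a YARA rule. The sample buffer at the bottom is constructed for the demonstration; the function names are this example's own.

```python
r"""Static detection of references to the Cuckoo named pipe.

Added example, not code from the original page. It searches a sample's raw
bytes for the pipe path \\.\pipe\cuckoo (the name given on the page) in the
two encodings a Windows binary normally embeds it in: ANSI (CreateFileA) and
UTF-16LE (CreateFileW). A hit is a triage signal that the sample probes for
the Cuckoo host/guest channel, and a candidate string for a YARA rule.
"""
import sys

# Pipe path exactly as the page gives it; compared case-insensitively because
# Windows object names are not case-sensitive.
CUCKOO_PIPE = r"\\.\pipe\cuckoo"

# (label, needle) pairs, lower-cased so the comparison below is case-insensitive.
NEEDLES = (
    ("ascii", CUCKOO_PIPE.lower().encode("ascii")),
    ("utf-16le", CUCKOO_PIPE.lower().encode("utf-16-le")),
)


def find_cuckoo_pipe_refs(data: bytes):
    """Return [(offset, encoding), ...] for every occurrence of the pipe path.

    Lower-casing the buffer only affects ASCII letters, so the UTF-16LE needle
    (letter byte followed by 0x00) still lines up after the transform.
    """
    haystack = data.lower()
    hits = []
    for label, needle in NEEDLES:
        start = 0
        while True:
            idx = haystack.find(needle, start)
            if idx == -1:
                break
            hits.append((idx, label))
            start = idx + 1
    return sorted(hits)


def scan_file(path: str):
    """Scan a file on disk; returns the same list as find_cuckoo_pipe_refs."""
    with open(path, "rb") as fh:
        return find_cuckoo_pipe_refs(fh.read())


# Constructed sample buffer (not a real malware artefact): filler bytes with an
# ANSI copy of the path at offset 64 and a mixed-case UTF-16LE copy at offset 96.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"\\\\.\\pipe\\cuckoo\x00"
    + b"\x90" * 16
    + "\\\\.\\Pipe\\CUCKOO".encode("utf-16-le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    # Usage: python cuckoo_pipe_scan.py [file]; with no argument the constructed
    # sample buffer is scanned instead.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    refs = scan_file(target) if target else find_cuckoo_pipe_refs(SAMPLE)
    for offset, enc in refs:
        print(f"cuckoo pipe reference at 0x{offset:x} ({enc})")
    if not refs:
        print("no cuckoo pipe reference found")
```

A string match only shows that the path is present in the file; a packed or string-obfuscated sample will not expose it, so this check complements, rather than replaces, behavioural monitoring of pipe opens inside the guest.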
Technique Tags: Sandbox, Cuckoo, Host system, Guest system, Communication, Named pipe, Virtual environment