Checking Specific Folder Name

Created the Monday 11 March 2019. Updated 4 months, 2 weeks ago.

Specific directories, such as "C:\Cuckoo", can serve as indicators of a sandboxed or virtualized environment when present on a guest system. Consequently, a savvy piece of malware could potentially use the detection of this particular directory as a means of evading analysis. This would allow the malicious software to alter its behavior or even halt its execution altogether when it identifies such markers, thus skirting the sandbox and avoiding detection.

Technique Identifier

U1331

Technique Tags

Special path Cuckoo Guest system Malware Sandbox evasion

Featured Windows API's

Below, you will find a list of the most commonly used Windows API's that are currently utilized by malware authors for current evasion technique. This list is meant to provide an overview of the API's that are commonly used for this purpose. If there are any API's that you feel should be included on this list, please do not hesitate to contact us. We will be happy to update the list and provide any additional information or documentation that may be helpful.

Code Snippets

Description

This C++ code provides three different functions to check whether a given directory exists in a Windows file system. The functions IsDirectory, IsDirectory1, and IsDirectory2 each use different methods to verify the existence of the directory. IsDirectory uses the CRT _access function, IsDirectory1 uses the WinAPI CreateFileA function with the OPEN_EXISTING flag and FILE_FLAG_BACKUP_SEMANTICS attribute to check if a directory handle can be created, and IsDirectory2 uses the CreateDirectoryA function to attempt to create the directory and then checks for an ERROR_ALREADY_EXISTS error. The main function then tests these three methods on a directory named "C:\Cuckoo" and outputs whether each method successfully detected the directory.

#include <Windows.h>
#include <iostream>
#include <io.h>

// win api
const bool IsDirectory2(std::string& strDirName) {
	const auto iCode = CreateDirectoryA(strDirName.c_str(), NULL);
	if (ERROR_ALREADY_EXISTS == GetLastError())
		return true;
	if (iCode)
		RemoveDirectoryA(strDirName.c_str());
	return false;
}

// win api
const bool IsDirectory1(std::string& strDirName) {
	const HANDLE hFile = CreateFileA(
		strDirName.c_str(),
		GENERIC_READ,                   
		0,                              
		NULL,
		OPEN_EXISTING,                  
		FILE_FLAG_BACKUP_SEMANTICS,     
		NULL);
	if (!hFile || (INVALID_HANDLE_VALUE == hFile))
		return false;
	if(hFile)
		CloseHandle(hFile);
	return true;
}

// crt
const bool IsDirectory(std::string& strDirName) {
	if (0 == _access(strDirName.c_str(), 0))
		return true;
	return false;
}

int main()
{
	std::string strDirName = "C:\\Cuckoo";
	if (IsDirectory(strDirName)) {
		std::cout << "Ture: " << strDirName.c_str() << std::endl;
	}
	else {
		std::cout << "Flase: " << strDirName.c_str() << std::endl;
	}

	if (IsDirectory1(strDirName)) {
		std::cout << "Ture: " << strDirName.c_str() << std::endl;
	}
	else {
		std::cout << "Flase: " << strDirName.c_str() << std::endl;
	}

	if (IsDirectory2(strDirName)) {
		std::cout << "Ture: " << strDirName.c_str() << std::endl;
	}
	else {
		std::cout << "Flase: " << strDirName.c_str() << std::endl;
	}


	return 0;
}

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Sandbox Evasion Cheat Sheet