Dynamic Analysis Evasion
May 1, 2024 ยท View on GitHub
| ID | B0003 |
| Objective(s) | Anti-Behavioral Analysis |
| Related ATT&CK Techniques | Virtualization/Sandbox Evasion (T1497, T1633) |
| Anti-Analysis Type | Evasion |
| Version | 2.2 |
| Created | 1 August 2019 |
| Last Modified | 27 April 2024 |
Dynamic Analysis Evasion
Malware may obstruct dynamic analysis in a sandbox or virtual machine. An analyst detonates the specimen in these controlled environments to understand the malware's behavior. However, the code may exhibit a variety of anti-analysis methods, including delayed execution and code integrity checks. Additional methods are listed in the table below.
See Emulator Evasion (B0004) for an emulator-specific evasion behavior, and see Conditional Execution (B0025) for a behavior that constrains dynamic execution based on environmental conditions.
The related Virtualization/Sandbox Evasion (T1497, T1633) ATT&CK techniques were defined subsequent to this MBC behavior.
Methods
| Name | ID | Description |
|---|---|---|
| Alternative ntdll.dll | B0003.001 | A copy of ntdll.dll is dropped to the filesystem and then loaded. This alternative DLL is used to execute function calls to evade sandboxes which use hooking in the operating system's ntdll.dll. |
| API Hammering | B0003.012 | Uses of a huge number of calls to Windows APIs as a form of extended sleep to evade analysis in sandbox environments. This method is related to Unprotect technique U1305. |
| Code Integrity Check | B0003.011 | Compares memory-based and disk-based versions of itself. If differences are detected, the malware alters its execution, possibly acting destructively. |
| Data Flood | B0003.002 | Overloads a sandbox by generating a flood of meaningless behavioral data. [1] |
| Delayed Execution | B0003.003 | Stalling code is typically executed before any malicious behavior. The malware's aim is to delay the execution of the malicious activity long enough so that an automated dynamic analysis system fails to extract the interesting malicious behavior. This method is very similar to ATT&CK's Virtualization/Sandbox Evasion: Time Based Evasion sub-technique. This method is related to Unprotect technique U1318. |
| Demo Mode | B0003.004 | Inclusion of a demo binary/mode that is executed when token is absent or not privileged enough. |
| Drop Code | B0003.005 | Original file is written to disk then executed. May confuse some sandboxes, especially if the dropped executable must be provided specific arguments and the original dropper is not associated with the drop file(s). |
| Encode File | B0003.006 | Encode a file on disk, such as an implant's config file. |
| Hook File System | B0003.007 | Execution happens when a particular file or directory is accessed, often through hooking certain API calls such as CreateFileA and CreateFileW. |
| Hook Interrupt | B0003.008 | Modification of interrupt vector or descriptor tables. |
| Illusion | B0003.009 | Creates an illusion; makes the analyst think something happened when it didn't. |
| Restart | B0003.010 | Restarts or shuts down system to bypass sandboxing. |
Use in Malware
| Name | Date | Method | Description |
|---|---|---|---|
| Terminator | 2013 | B0003.003 | The Terminator RAT evades a sandbox by not executing until after a reboot. Most sandboxes don't reboot during an analysis. [3] |
| Nap | 2013 | -- | Trojan Nap (tied to the Kelihos Botnet) uses extended sleep calls to evade sandbox analysis. [3] |
| Smokeloader | 2019 | -- | Smokeloader drops a copy of ntdll.dll to %APPDATA%\Local\Temp\ [4] |
| WebCobra | 2018 | B0003.001 | The malware loads ntdll.dll and user32.dll as data files and overwrites the first 8 bytes of those functions to avoid API hooking by security products. [7] |
| Rombertik | 2015 | B0003.002 | The malware stalls by writing a byte of random data to memory 960 million times which complicates analysis. It also calls specific Windows API functions. [5] |
| Rombertik | 2015 | B0003.011 | The malware computes a 32-bit hash of a resource in memory, and compares it to the PE Compile Timestamp of the unpacked sample. If the resource or compile time has been altered, the malware acts destructively. [5] |
| TrickBot | 2016 | B0003.012 | The malware uses numerous printf loops to delay the execution process and overload the sandbox with junk data (API Hammering). [6] |
Detection
| Tool: capa | Mapping | APIs |
|---|---|---|
| delay execution | Dynamic Analysis Evasion::Delayed Execution (B0003.003) | kernel32.Sleep, kernel32.SleepEx, kernel32.WaitForSingleObject, kernel32.SignalObjectAndWait, kernel32.WaitForSingleObjectEx, kernel32.WaitForMultipleObjects, kernel32.WaitForMultipleObjectsEx, kernel32.RegisterWaitForSingleObject, WaitOnAddress, user32.MsgWaitForMultipleObjects, user32.MsgWaitForMultipleObjectsEx, NtDelayExecution, KeWaitForSingleObject, KeDelayExecutionThread, sleep, usleep |
| Tool: CAPE | Mapping | APIs |
|---|---|---|
| api_spamming | Dynamic Analysis Evasion (B0003) | -- |
| api_spamming | Dynamic Analysis Evasion::Data Flood (B0003.002) | -- |
| api_spamming | Dynamic Analysis Evasion::Delayed Execution (B0003.003) | -- |
| antisandbox_suspend | Dynamic Analysis Evasion (B0003) | NtSuspendThread |
| antisandbox_restart | Dynamic Analysis Evasion (B0003) | ExitWindowsEx, InitiateSystemShutdownExW, NtSetSystemPowerState, InitiateSystemShutdownW, InitiateShutdownW, NtRaiseHardError, NtShutdownSystem |
| antisandbox_restart | Dynamic Analysis Evasion::Restart (B0003.010) | ExitWindowsEx, InitiateSystemShutdownExW, NtSetSystemPowerState, InitiateSystemShutdownW, InitiateShutdownW, NtRaiseHardError, NtShutdownSystem |
| stealth_timeout | Dynamic Analysis Evasion (B0003) | NtWaitForSingleObject, NtQuerySystemTime, NtTerminateProcess, GetLocalTime, NtDelayExecution, GetSystemTime, GetSystemTimeAsFileTime |
| stealth_timeout | Dynamic Analysis Evasion::Delayed Execution (B0003.003) | NtWaitForSingleObject, NtQuerySystemTime, NtTerminateProcess, GetLocalTime, NtDelayExecution, GetSystemTime, GetSystemTimeAsFileTime |
| antisandbox_unhook | Dynamic Analysis Evasion (B0003) | -- |
B0003.003 Snippet
Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed Execution
SHA256: 21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561 Location: 0x40103Bpush 0x36ee80 ; sleep duration: 3600000 milliseconds (1 hour) call dword ptr [->KERNEL32.DLL::Sleep] ; Windows API call instructing thread to sleep for the time period specified above
References
[1] https://www.joesecurity.org/blog/4310408827727907098
[2] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/
[3] https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/file/fireeye-hot-knives-through-butter.pdf
[4] https://research.checkpoint.com/2019-resurgence-of-smokeloader/