This is my first article on the forum. I hope you learn something from it.
When building malware for an attack, static analysis is easy to bypass even if you reuse old samples from vx_underground or GitHub; schoolchildren can do it with the automation tools found on GitHub. AMSI, on the other hand, has become much more advanced than when it launched: it exposes a simple API that is independent of any particular antivirus, and almost all modern AVs take advantage of it.
This article is written for beginners who keep asking how to start. It should give you an idea of how people think when building evasion techniques.
Sandbox analysis has been very successful at detecting malware, but it has its own disadvantages:
- it uses a lot of resources, which makes it expensive
- it takes a good amount of time
- it may have to scan every activity on the system constantly
and so on.
Let's start with something simple.
1. Password-protected files:
Corporate mail is sent with the attachment encrypted and the password in the mail body.
The sandbox cannot get past the lock, but the social-engineering side of this is weak and has its own disadvantages.
Malware analysts and reverse engineers can easily crack it open.
Beyond that, the file itself may be flagged as unknown rather than suspicious, which in itself warns the target.
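As an added example (mine, not part of the original post), here is the check a mail gateway or sandbox front-end runs to catch this trick from the defender's side: it reads the ZIP headers of an attachment and quarantines any archive whose entries carry the encryption flag, because the sandbox will never see inside such a file. The archive bytes are constructed in memory, and the function names are my own.

```python
"""Added example (not from the original post): a mail-gateway style check that
flags password-protected ZIP attachments, which a sandbox cannot open without
the password sent in the mail body. All archive data is constructed in memory."""
import io
import struct
import zipfile

# ZIP general-purpose flag bit 0 marks an encrypted entry (PKWARE APPNOTE 4.4.4)
ENCRYPTED_FLAG = 0x0001


def build_zip(entries, encrypted=False):
    """Build an in-memory ZIP. With encrypted=True the encryption bit is set on
    every local header and central-directory record, so the archive looks
    password-protected to a reader (constructed test data, not real crypto)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        # local file header: flags at offset 6; central directory record: offset 8
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                flags = struct.unpack_from("<H", raw, pos + off)[0]
                struct.pack_into("<H", raw, pos + off, flags | ENCRYPTED_FLAG)
                pos = raw.find(sig, pos + 4)
    return bytes(raw)


def encrypted_members(blob):
    """Names of archive members whose header carries the encryption bit."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]


def triage_attachment(blob):
    """Gateway verdict: 'quarantine' for password-protected archives the sandbox
    cannot inspect, 'scan' for plain archives, 'pass' for non-ZIP data."""
    if not blob.startswith(b"PK\x03\x04"):
        return "pass"
    try:
        locked = encrypted_members(blob)
    except zipfile.BadZipFile:
        return "quarantine"  # unreadable archive: treat it like an opaque one
    return "quarantine" if locked else "scan"


# Constructed attachments: the same document, once plain and once "locked"
PLAIN_ZIP = build_zip([("invoice.docm", b"sample document bytes")])
LOCKED_ZIP = build_zip([("invoice.docm", b"sample document bytes")], encrypted=True)

if __name__ == "__main__":
    print("plain:", triage_attachment(PLAIN_ZIP))
    print("locked:", triage_attachment(LOCKED_ZIP), encrypted_members(LOCKED_ZIP))
```

Note that the gateway does not try to break the password; it only refuses to pass along what it could not inspect, which is exactly the "flagged as unknown" outcome the post describes.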
2. Time delay:
Email filters cannot scan your phishes for minutes on end; they work within the time allotted to them.
This is not useful for every attack type, e.g. with a macro it keeps the document open until the delay ends.
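From the detection side, the counter to a time delay is to notice it. The added example below (mine, not from the original post) runs over a sandbox API trace and flags a sample that stalls for most of the observation window before doing anything observable. The trace line format ("<pid> <API>(<args>)" with decimal arguments), the API sets and every log line are constructed for this example.

```python
"""Added example (not from the original post): detection logic for the
time-delay trick, run over a constructed sandbox API trace."""
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)$")
# Calls that stall execution, and calls that count as "real" activity (assumed sets)
DELAY_APIS = {"Sleep", "SleepEx", "WaitForSingleObject", "NtDelayExecution"}
ACTIVITY_APIS = {"CreateFileW", "CreateProcessW", "WinHttpOpen", "InternetOpenUrlW", "RegSetValueExW"}


@dataclass
class Verdict:
    total_delay_ms: int = 0
    delay_before_activity_ms: int = 0
    first_activity: Optional[str] = None
    evasive: bool = False


def parse_delay_ms(api: str, args: str) -> int:
    """Milliseconds a delaying call asks for; any other call contributes 0."""
    nums = [int(n) for n in re.findall(r"-?\d+", args)]
    if api not in DELAY_APIS or not nums:
        return 0
    if api in ("Sleep", "SleepEx"):
        return nums[0]                  # dwMilliseconds is the first argument
    if api == "WaitForSingleObject":
        return nums[-1]                 # dwMilliseconds is the last argument
    return abs(nums[-1]) // 10_000      # NtDelayExecution: relative interval in 100 ns units


def assess_trace(lines: List[str], window_ms: int = 60_000, ratio: float = 0.5) -> Verdict:
    """Flag the sample when the delay requested before its first real activity
    covers at least `ratio` of the sandbox's observation window."""
    v = Verdict()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # tolerate noise lines in the trace
        _, api, args = m.groups()
        if api in ACTIVITY_APIS and v.first_activity is None:
            v.first_activity = api
            v.delay_before_activity_ms = v.total_delay_ms
        v.total_delay_ms += parse_delay_ms(api, args)
    if v.first_activity is None:        # never did anything observable at all
        v.delay_before_activity_ms = v.total_delay_ms
    v.evasive = v.delay_before_activity_ms >= window_ms * ratio
    return v


# Constructed traces: a sample that sleeps five and a half minutes before its
# first network call, and an ordinary document handler that only pauses briefly
EVASIVE_TRACE = [
    "1204 GetTickCount()",
    "1204 Sleep(300000)",
    "1204 Sleep(30000)",
    '1204 WinHttpOpen("Mozilla/5.0")',
]
BENIGN_TRACE = [
    r'880 CreateFileW("C:\Users\user\report.docx")',
    "880 Sleep(50)",
    r'880 CreateFileW("C:\Users\user\report.docx")',
    "this line is not a trace record",
]

if __name__ == "__main__":
    for name, trace in (("evasive", EVASIVE_TRACE), ("benign", BENIGN_TRACE)):
        print(name, assess_trace(trace))
```

The ratio rather than an absolute number is deliberate: a sandbox with a two-minute window and one with a ten-minute window should flag the same sample differently, because only the first one was actually blinded by the delay.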
3. Sandbox fingerprinting:
CPU core count, disk sizes and partitions, and RAM can all be used to detect the odd characteristics of a sandbox.
4. Check for common processes used by reverse engineers and sandboxes:
Code:
' Process names associated with analysis tools and sandboxes (VBA array;
' the "\" line continuations of the original are replaced by VBA's " _" form)
Dim analysisTools As Variant
analysisTools = Array("cis.exe", "cmdvirth.exe", "alive.exe", "filewatcherservice.exe", "ngvmsvc.exe", "sandboxierpcss.exe", "analyzer.exe", _
    "fortitracer.exe", "nsverctl.exe", "sbiectrl.exe", "angar2.exe", "goatcasper.exe", "ollydbg.exe", "sbiesvc.exe", _
    "apimonitor.exe", "GoatClientApp.exe", "peid.exe", "scanhost.exe", "apispy.exe", "hiew32.exe", "perl.exe", "scktool.exe", _
    "apispy32.exe", "hookanaapp.exe", "petools.exe", "sdclt.exe", "asura.exe", "hookexplorer.exe", "pexplorer.exe", _
    "sftdcc.exe", "autorepgui.exe", "httplog.exe", "ping.exe", "shutdownmon.exe", "autoruns.exe", "icesword.exe", "pr0c3xp.exe", _
    "sniffhit.exe", "autorunsc.exe", "iclicker-release.exe", ".exe", "prince.exe", "snoop.exe", "autoscreenshotter.exe", "idag.exe", _
    "procanalyzer.exe", "spkrmon.exe", "avctestsuite.exe", "idag64.exe", "processhacker.exe", "sysanalyzer.exe", "avz.exe", _
    "idaq.exe", "processmemdump.exe", "syser.exe", "behaviordumper.exe", "immunitydebugger.exe", "procexp.exe", "systemexplorer.exe", _
    "bindiff.exe", "importrec.exe", "procexp64.exe", "systemexplorerservice.exe", "BTPTrayIcon.exe", "imul.exe", "procmon.exe", _
    "sython.exe", "capturebat.exe", "Infoclient.exe", "procmon64.exe", "taskmgr.exe", "cdb.exe", "installrite.exe", "python.exe", _
    "taslogin.exe", "cffexplorer.exe", "ipfs.exe", "pythonw.exe", "tcpdump.exe", "clicksharelauncher.exe", "iprosetmonitor.exe", "qq.exe", _
    "tcpview.exe", "closepopup.exe", "iragent.exe", "qqffo.exe", "timeout.exe", "commview.exe", "iris.exe", "qqprotect.exe", _
    "totalcmd.exe", "cports.exe", "joeboxcontrol.exe", "qqsg.exe", "trojdie.kvpcrossfire.exe", "joeboxserver.exe", _
    "raptorclient.exe", "txplatform.exe", "dnf.exe", "lamer.exe", "regmon.exe", "virus.exe", "dsniff.exe", "LogHTTP.exe", "regshot.exe", _
    "vx.exe", "dumpcap.exe", "lordpe.exe", "RepMgr64.exe", "winalysis.exe", "emul.exe", "malmon.exe", "RepUtils32.exe", "winapioverride32.exe", _
    "ethereal.exe", "mbarun.exe", "RepUx.exe", "windbg.exe", "ettercap.exe", "mdpmon.exe", "runsample.exe", "windump.exe", _
    "fakehttpserver.exe", "mmr.exe", "samp1e.exe", "winspy.exe", "fakeserver.exe", "mmr.exe", "sample.exe", "wireshark.exe", _
    "Fiddler.exe", "multipot.exe", "sandboxiecrypto.exe", "XXX.exe", "filemon.exe", "netsniffer.exe", "sandboxiedcomlaunch.exe")
These are some of the commonly used tools; lists like this can be found on the internet.
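A list like the one above cuts both ways: the same names make a cheap static signature. As an added example (mine, not from the original post), the check below extracts the ASCII and UTF-16 strings of a file and counts how many analysis-tool process names from a watch-list appear in it. A legitimate program rarely embeds a dozen debugger and sniffer names side by side, so a high count is a useful pre-sandbox indicator that the file performs this process check. The watch-list is a subset of the post's list; the sample bytes and the threshold are constructed.

```python
"""Added example (not from the original post): static triage that turns the
analysis-tool process list into a detection signature."""
import re
from typing import Dict, List

# Subset of the post's list; matching is case-insensitive
ANALYSIS_TOOLS = {
    "ollydbg.exe", "windbg.exe", "idaq.exe", "idag.exe", "immunitydebugger.exe",
    "procmon.exe", "procexp.exe", "processhacker.exe", "wireshark.exe",
    "tcpdump.exe", "fiddler.exe", "regshot.exe", "sbiesvc.exe",
    "joeboxserver.exe", "autoruns.exe", "tcpview.exe", "petools.exe",
    "lordpe.exe", "peid.exe", "dumpcap.exe",
}


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs plus UTF-16LE runs (how Windows binaries usually store names)."""
    narrow = [m.group().decode("ascii")
              for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide = [m.group().decode("utf-16-le")
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return narrow + wide


def tool_name_hits(data: bytes) -> List[str]:
    """Distinct watch-list names found anywhere in the file's strings."""
    hits = set()
    for s in extract_strings(data):
        low = s.lower()
        hits.update(name for name in ANALYSIS_TOOLS if name in low)
    return sorted(hits)


def triage(data: bytes, threshold: int = 5) -> Dict[str, object]:
    """Flag the file when it references at least `threshold` distinct tool names."""
    hits = tool_name_hits(data)
    return {"hits": hits, "count": len(hits), "flag": len(hits) >= threshold}


# Constructed samples: one carrying an embedded tool list (ASCII plus one wide
# string), one ordinary binary that only names a few imports
SUSPECT_SAMPLE = (
    b"MZ" + b"\x00" * 8
    + b"\x00".join(n.encode() for n in ("OllyDbg.exe", "windbg.exe", "idaq.exe",
                                         "procmon.exe", "ProcessHacker.exe"))
    + b"\x00" + "wireshark.exe".encode("utf-16-le") + b"\x00\x00"
)
BENIGN_SAMPLE = b"MZ" + b"\x00" * 8 + b"kernel32.dll\x00GetProcAddress\x00Sleep\x00"

if __name__ == "__main__":
    print("suspect:", triage(SUSPECT_SAMPLE))
    print("benign:", triage(BENIGN_SAMPLE))
```

The threshold matters more than the list: a single "taskmgr.exe" or "python.exe" string is normal, five debugger names in one binary are not, and tuning that number against your own clean software is what keeps the false-positive rate down.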
5. Check for WMI objects:
You can enumerate the hardware and system configuration.
You could look for generic hardware such as a fan or a video controller.
The disadvantage of this method is that hardware manufacturers have no universal way of implementing these.
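Points 3 and 5 together describe what a sample sees when it inventories the host, which is also exactly what the operator of an analysis VM should audit. The added example below (mine, not from the original post) takes the inventory a WMI or system query returns (CPU cores, RAM, disk sizes and partitions, fan and video-controller instances) and reports every value that would make the host look like an analysis VM rather than a workstation, so it can be corrected before any sample inspects it. The hardware-presence findings are marked low confidence for the reason the post gives: manufacturers expose those devices inconsistently. The baseline thresholds and both inventories are assumptions constructed for this example.

```python
"""Added example (not from the original post): a hardening audit for the
operator of an analysis sandbox, covering the attributes from points 3 and 5."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class HostInventory:
    cpu_cores: int           # e.g. Win32_Processor.NumberOfCores summed over sockets
    ram_gb: float            # e.g. Win32_ComputerSystem.TotalPhysicalMemory, in GB
    disks_gb: List[float]    # e.g. Win32_DiskDrive.Size per physical disk, in GB
    partitions: int          # e.g. number of Win32_DiskPartition instances
    fans: int                # e.g. number of Win32_Fan instances
    video_controllers: int   # e.g. number of Win32_VideoController instances


# Assumed workstation baseline; tune it to what your own fleet actually ships
BASELINE = {"cores": 2, "ram_gb": 4.0, "disk_gb": 80.0, "partitions": 2}


def audit_sandbox(inv: HostInventory) -> List[Tuple[str, str, str]]:
    """Return (field, confidence, message) findings for everything that looks
    like an analysis VM. Device-presence checks are 'low' confidence because
    real laptops can also fail them."""
    findings = []
    if inv.cpu_cores < BASELINE["cores"]:
        findings.append(("cpu_cores", "high",
                         f"{inv.cpu_cores} core(s); baseline is >= {BASELINE['cores']}"))
    if inv.ram_gb < BASELINE["ram_gb"]:
        findings.append(("ram_gb", "high",
                         f"{inv.ram_gb} GB RAM; baseline is >= {BASELINE['ram_gb']} GB"))
    if not inv.disks_gb or any(d < BASELINE["disk_gb"] for d in inv.disks_gb):
        findings.append(("disks_gb", "high",
                         f"disk sizes {inv.disks_gb}; baseline is >= {BASELINE['disk_gb']} GB each"))
    if inv.partitions < BASELINE["partitions"]:
        findings.append(("partitions", "medium",
                         f"{inv.partitions} partition(s); a normal install has >= {BASELINE['partitions']}"))
    if inv.fans == 0:
        findings.append(("fans", "low", "no Win32_Fan instance; some real hardware omits it too"))
    if inv.video_controllers == 0:
        findings.append(("video_controllers", "low", "no Win32_VideoController instance"))
    return findings


def looks_like_workstation(inv: HostInventory) -> bool:
    """True when no high-confidence finding remains."""
    return not any(conf == "high" for _, conf, _ in audit_sandbox(inv))


# Constructed inventories: a default analysis VM and a typical corporate laptop
ANALYSIS_VM = HostInventory(cpu_cores=1, ram_gb=2.0, disks_gb=[40.0],
                            partitions=1, fans=0, video_controllers=0)
WORKSTATION = HostInventory(cpu_cores=4, ram_gb=16.0, disks_gb=[512.0],
                            partitions=3, fans=1, video_controllers=1)

if __name__ == "__main__":
    for field_name, confidence, msg in audit_sandbox(ANALYSIS_VM):
        print(f"[{confidence}] {field_name}: {msg}")
```

Feeding the audit is a matter of filling HostInventory from whatever your hypervisor or guest tooling reports; the point is that every line it prints is a value a sample can read just as easily, and the fix belongs on the sandbox, not in the detection rule.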