
Retrieve HDD Information

Sandbox Evasion

Malware can determine whether it is running inside a virtual machine by querying hard-drive information, in particular the disk serial number and model string. VirtualBox is especially easy to spot this way because the virtual disk it presents to the guest carries identifiers that reveal the hypervisor.

Malware uses this trick to avoid analysis. It does so with a special command …


Detecting Mac Address

Sandbox Evasion

VirtualBox and VMware assign their virtual network adapters MAC addresses from vendor-specific OUI prefixes (the first three octets), which malware can recognise.

  • VirtualBox adapters usually start with 08:00:27.
  • VMware adapters usually start with one of 00:0C:29, 00:1C:14, 00:50:56 or 00:05:69.

Malware can use this simple trick to detect whether it is running …
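The OUI check described above, written out as an added example in Python (this is not code from the Unprotect Project). It is generalised slightly beyond the text: the input MAC may be in any of the common formats (colon, dash, Cisco dotted or bare hex) and is normalised before the prefix lookup. The OUI-to-vendor table contains only the prefixes listed above; the adapter list in the usage block is constructed sample data.

```python
"""Flag network adapters whose MAC OUI belongs to VirtualBox or VMware."""
import re
from typing import Dict, Iterable, Optional

# OUI prefixes (first three octets) taken from the text above.
VM_OUIS: Dict[str, str] = {
    "08:00:27": "VirtualBox",
    "00:0C:29": "VMware",
    "00:1C:14": "VMware",
    "00:50:56": "VMware",
    "00:05:69": "VMware",
}


def normalize_mac(mac: str) -> str:
    """Accept 08-00-27-..., 08:00:27:..., 0800.27xx.xxxx or bare hex.

    Returns the canonical upper-case, colon-separated form, or raises
    ValueError if the input does not contain exactly 12 hex digits.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def vm_vendor(mac: str) -> Optional[str]:
    """Return the hypervisor name if the OUI is a known virtual prefix, else None."""
    return VM_OUIS.get(normalize_mac(mac)[:8])


def scan_adapters(macs: Iterable[str]) -> Dict[str, str]:
    """Map every adapter that looks virtual to the hypervisor its OUI belongs to."""
    hits: Dict[str, str] = {}
    for mac in macs:
        vendor = vm_vendor(mac)
        if vendor is not None:
            hits[normalize_mac(mac)] = vendor
    return hits


if __name__ == "__main__":
    # Constructed sample: one VirtualBox NIC, one VMware NIC, one physical NIC.
    sample = ["08-00-27-4B-5C-6D", "00:0c:29:aa:bb:cc", "3C:22:FB:11:22:33"]
    print(scan_adapters(sample))
```

Two caveats worth keeping in mind when you see this check in a sample. The host-only and NAT adapters that VMware Workstation creates on the analyst's physical machine also use a VMware OUI, so a bare-metal analysis box with VMware installed is flagged just like a guest. Conversely, sandboxes that randomise or spoof guest MAC addresses defeat the check entirely, which is why it is usually combined with other indicators rather than used on its own.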


Checking Specific Folder Name

Sandbox Evasion

Specific directories, such as "C:\Cuckoo", indicate a sandboxed or virtualised environment when they are present on the guest system. Malware can therefore use the presence of such a directory as an evasion trigger, altering its behaviour or halting execution altogether when it …


Checking Installed Software

Sandbox Evasion

By detecting the presence of certain software and tools commonly used in sandbox environments, such as Python interpreters, tracing utilities, debugging tools, and virtual machine software like VMware, it is possible to infer the existence of a sandbox.

This inference is based on the premise that such tools are often found in sandbox setups used for dynamic malware analysis …


Checking Memory Size

Sandbox Evasion

Most modern user machines have at least 4 GB of RAM, whereas sandbox virtual machines are often provisioned with less so that many can run in parallel. Malware can therefore query the amount of installed physical memory and treat anything below a threshold such as 4 GB as a sign that it is running in a sandbox.


Detecting USB Drive

Sandbox Evasion

To detect whether it is running in a sandbox, malware can look for attached USB drives. Sandbox virtual machines typically have no USB devices passed through to the guest, whereas a real user's machine usually does, so the absence of any USB drive serves as a sandbox indicator.


Adding antivirus exception

Antivirus/EDR Evasion

This technique searches for running antivirus-related processes or loaded antivirus modules and terminates execution if any are found. By detecting loaded antivirus libraries, malware can determine that it is running in a monitored environment and exit before it is observed.


IsDebuggerPresent

Anti-Debugging

This function reads the BeingDebugged flag in the Process Environment Block (PEB): it returns zero when the process is not running under a debugger and a nonzero value when a debugger is attached.

If you want to understand the underlying mechanism of the IsDebuggerPresent API, see the code snippet section for the following method: IsDebugged …


NtGlobalFlag

Anti-Debugging

The flags the system uses to decide how to create heap structures are stored in the NtGlobalFlag field of the PEB, at an undocumented location (offset 0x68 in a 32-bit PEB). If the value there is 0x70, the process was most likely created by a debugger: 0x70 is the combination of the three heap-debugging flags (tail check, free check and parameter validation) that the loader enables when a debugger creates the process.

The NtGlobalFlag field of the Process Environment Block (0x68 offset on 32-Bit and 0xBC on …
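An added example (not from the Unprotect Project snippet section) that applies both PEB-based checks above, the IsDebuggerPresent BeingDebugged flag and the NtGlobalFlag heap bits, to a raw PEB image, as one would when triaging a process from a memory dump rather than from inside the process. The NtGlobalFlag offsets 0x68 and 0xBC are the ones given in the text; the three FLG_HEAP_* values are the documented gflags constants whose sum is 0x70; the BeingDebugged byte at PEB offset 0x02 is not stated on this page and is included as a known fact about the PEB layout on both architectures. The PEB images are constructed test data, zero-filled apart from the fields under test.

```python
"""Apply the BeingDebugged and NtGlobalFlag anti-debug checks to a raw PEB image."""
from typing import List

# Offsets inside the PEB. NtGlobalFlag offsets are from the text above;
# BeingDebugged at 0x02 is the documented PEB layout (same on 32- and 64-bit).
BEINGDEBUGGED_OFFSET = 0x02
NTGLOBALFLAG_OFFSET = {32: 0x68, 64: 0xBC}

# gflags heap-debugging bits that the loader sets when a debugger creates the process.
FLG_HEAP_ENABLE_TAIL_CHECK = 0x10
FLG_HEAP_ENABLE_FREE_CHECK = 0x20
FLG_HEAP_VALIDATE_PARAMETERS = 0x40
DEBUGGER_HEAP_FLAGS = (FLG_HEAP_ENABLE_TAIL_CHECK
                       | FLG_HEAP_ENABLE_FREE_CHECK
                       | FLG_HEAP_VALIDATE_PARAMETERS)  # == 0x70

FLAG_NAMES = {
    FLG_HEAP_ENABLE_TAIL_CHECK: "FLG_HEAP_ENABLE_TAIL_CHECK",
    FLG_HEAP_ENABLE_FREE_CHECK: "FLG_HEAP_ENABLE_FREE_CHECK",
    FLG_HEAP_VALIDATE_PARAMETERS: "FLG_HEAP_VALIDATE_PARAMETERS",
}


def read_being_debugged(peb: bytes) -> bool:
    """The IsDebuggerPresent check: nonzero BeingDebugged byte means a debugger is attached."""
    return peb[BEINGDEBUGGED_OFFSET] != 0


def read_nt_global_flag(peb: bytes, bitness: int) -> int:
    """Extract the 32-bit little-endian NtGlobalFlag field for a 32- or 64-bit PEB."""
    off = NTGLOBALFLAG_OFFSET[bitness]
    if len(peb) < off + 4:
        raise ValueError("PEB image too short for a %d-bit PEB" % bitness)
    return int.from_bytes(peb[off:off + 4], "little")


def decode_flags(value: int) -> List[str]:
    """Name the known heap-debug bits; any other set bits are reported as hex, not dropped."""
    names = [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]
    unknown = value & ~sum(FLAG_NAMES)
    if unknown:
        names.append("0x%X" % unknown)
    return names


def looks_debugged(value: int) -> bool:
    """The NtGlobalFlag check from the text: all three heap-debug bits set (value & 0x70 == 0x70)."""
    return (value & DEBUGGER_HEAP_FLAGS) == DEBUGGER_HEAP_FLAGS


def fake_peb(bitness: int, nt_global_flag: int, being_debugged: bool = False) -> bytes:
    """Constructed PEB image: zeros except BeingDebugged and NtGlobalFlag."""
    buf = bytearray(0x100)
    buf[BEINGDEBUGGED_OFFSET] = 1 if being_debugged else 0
    off = NTGLOBALFLAG_OFFSET[bitness]
    buf[off:off + 4] = nt_global_flag.to_bytes(4, "little")
    return bytes(buf)


if __name__ == "__main__":
    for bits in (32, 64):
        for flag, dbg in ((0x0, False), (0x70, True)):
            peb = fake_peb(bits, flag, dbg)
            value = read_nt_global_flag(peb, bits)
            print("%d-bit BeingDebugged=%s NtGlobalFlag=0x%X %s -> debugger=%s"
                  % (bits, read_being_debugged(peb), value, decode_flags(value),
                     looks_debugged(value)))
```

Reading the field at the wrong bitness silently returns whatever happens to sit at that offset, so a triage script has to know whether the target is a 32-bit (WOW64) or native 64-bit process before trusting the value. The 0x70 reading is also not proof of a debugger: the same bits appear if the image has a GlobalFlag value set in Image File Execution Options or gflags, and a debugger can avoid setting them (for example by starting the target with the _NO_DEBUG_HEAP environment variable), so treat the result as an indicator rather than a verdict.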


RDTSCP

Sandbox Evasion

Newer processors support RDTSCP, which reads the same time-stamp counter as RDTSC but waits until all previous instructions have executed (and all previous loads are globally visible) before reading it, so out-of-order execution cannot move the read ahead of the code being timed. It is still not a fully serialising instruction: later instructions may begin before the read completes.

This instruction can be used to calculate the …


The #UnprotectProject is brought to you by 🇫🇷 fr0gger_ and 🇫🇷 DarkCoderSc
