App.Any.Run Heavy Anti-Evasion easy bypass

The goal of the research was to create a small dropper that triggers no detection within the well-known App.Any.Run sandbox solution but can still determine whether it is running in the sandbox or not.
For now, I can't tell if that also affects the Searcher and Hunter versions, but for the free one it works just fine.

This was created for a workshop about malware analysis for one of my clients, and it should demonstrate how easily tools like App.Any.Run and other sandbox solutions can be tricked and that they cannot replace human analysts. To be clear, the sandbox in my opinion is very good and I can recommend it as a first analysis step, but it must be clear that even something called "heavy anti-evasion" cannot detect everything and can only be seen as an aid for the human analyst.

The following code acts as a dropper (.NET) that drops the EICAR test file with the "enhanced functionality" of not getting detected by the App.Any.Run sandbox, even with Heavy Anti-Evasion turned on.
It simply checks for a running executable that is always present in the current version of the sandbox; nothing advanced and no rocket science at all. Killing the process (qemu-ga.exe) would result in termination of the connection to the guest OS. However, this requires administrative access, so in the sample below we simply quit our sample after detecting that the agent is running.

Detecting the attack is fairly simple. Most malware analysts would probably immediately check why the app quits directly after the start and patch it out, however more junior analysts might get tricked by this.
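From the analyst's side, the tell described above (the sample quits right after start) can be turned into a triage heuristic. The following is an added example, not code from the original post: it runs over a constructed process timeline shaped loosely like a sandbox behaviour report (event time, kind, detail; not real App.Any.Run output) and flags a run that enumerated processes and then exited quickly without any dropper activity. The guest-agent name list and the API markers are assumptions to be adjusted per environment.

```python
# Constructed timelines (not real sandbox output): seconds since the sample started,
# the kind of event, and a detail string.
EVASIVE_RUN = [
    {"t": 0.00, "kind": "start", "detail": "dropper.exe"},
    {"t": 0.15, "kind": "api", "detail": "NtQuerySystemInformation(SystemProcessInformation)"},
    {"t": 0.16, "kind": "string", "detail": "qemu-ga.exe"},   # process name compared by the sample
    {"t": 0.20, "kind": "exit", "detail": "code=0"},
]
NORMAL_RUN = [
    {"t": 0.00, "kind": "start", "detail": "dropper.exe"},
    {"t": 0.15, "kind": "api", "detail": "NtQuerySystemInformation(SystemProcessInformation)"},
    {"t": 0.40, "kind": "file", "detail": "write C:\\Users\\Public\\eicar.com"},
    {"t": 1.10, "kind": "exit", "detail": "code=0"},
]

# Assumptions: the guest agent the post names plus a few common process-enumeration
# APIs; extend both lists for the sandboxes you actually use.
GUEST_AGENT_NAMES = {"qemu-ga.exe"}
PROCESS_ENUM_MARKERS = ("SystemProcessInformation", "CreateToolhelp32Snapshot", "Process.GetProcesses")


def triage(events, max_lifetime_s=2.0):
    """Flag the 'look at the process list, then quit' pattern an analyst should re-check."""
    lifetime = next((e["t"] for e in events if e["kind"] == "exit"), None)
    enumerated = any(e["kind"] == "api" and any(m in e["detail"] for m in PROCESS_ENUM_MARKERS)
                     for e in events)
    agent_ref = any(e["kind"] == "string" and e["detail"].lower() in GUEST_AGENT_NAMES
                    for e in events)
    # Any file or network activity means the sample did real work before exiting.
    payload = any(e["kind"] in ("file", "net") for e in events)
    exited_fast = lifetime is not None and lifetime <= max_lifetime_s
    suspicious = exited_fast and enumerated and not payload
    return {
        "lifetime_s": lifetime,
        "exited_fast": exited_fast,
        "enumerated_processes": enumerated,
        "references_guest_agent": agent_ref,
        "did_payload_activity": payload,
        "verdict": "possible sandbox-aware early exit" if suspicious else "no early-exit pattern",
    }


if __name__ == "__main__":
    for name, run in (("evasive", EVASIVE_RUN), ("normal", NORMAL_RUN)):
        print(name, triage(run))
```

A fast exit alone is not the signal: the normal run also finishes within two seconds but is not flagged because it dropped a file first.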

Sample url: App Any Run Sample

The below file can be compiled with .NET >= 2.0.

[Image: App Any Run Sandbox Detection Bypass (detection bypass for app.any.run)]
[Image: App Any Run bypass VirusTotal (VirusTotal scan of the App Any Run bypass file)]
[Image: Result from Falcon Sandbox (Hybrid Analysis of the App Any Run bypass file)]
