Learning Objectives
Today, we’ll learn how to:
Analyze malware behavior using sandbox tools
Explore how to use YARA rules to detect malicious patterns
Understand various malware evasion techniques
Implement an evasion technique to bypass YARA rule detection
The Sandbox – A Tool for Detection and Evasion
A sandbox is an isolated environment where code is executed without affecting the host system. Malware analysts and SOC teams often use sandboxes to safely observe how malware behaves, but attackers, like Mayor Malware, are also aware that sandboxes can be a threat. Before his malware executes, it needs to check if it's running in a sandbox—if it is, the malware will halt to avoid detection.
Detecting Sandboxes
One common method for detecting a sandbox is by checking for the presence of certain files or directories typically absent in virtualized environments. For example, malware may check the registry for specific directories to determine whether it's running on a regular system or inside a sandbox. Mayor Malware, knowing this, writes a small C program to check the registry for the directory C:\Program Files. If it doesn’t find it, the malware assumes it’s in a sandbox and stops running.
Here’s a simplified version of the registry-checking C code:
void registryCheck() {
const char *registryPath = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion";
const char *valueName = "ProgramFilesDir";
char command[512];
snprintf(command, sizeof(command), "reg query \"%s\" /v %s", registryPath, valueName);
int result = system(command);
if (result == 0) {
printf("Registry query executed successfully.\n");
} else {
fprintf(stderr, "Failed to execute registry query.\n");
}
}
int main() {
registryCheck();
return 0;
}
This simple code queries the system’s registry to check for the "ProgramFilesDir" path. If the malware detects the absence of this path, it assumes it’s being analyzed in a sandbox and stops its malicious activity.
Testing Detection with YARA Rules
Despite the cunning of his malware, Mayor Malware knows that security analysts use YARA rules to detect malicious code. YARA is a tool that helps analysts define patterns and rules for identifying suspicious files. To ensure his malware can’t be detected, he decides to test it against a custom YARA rule.
The rule is designed to catch any command trying to access the registry for ProgramFilesDir, which would indicate the malware is running in an environment designed to capture its behavior. Here’s an example YARA rule that detects such behavior:
rule SANDBOXDETECTED
{
meta:
description = "Detects the sandbox by querying the registry key for Program Path"
author = "TryHackMe"
date = "2024-10-08"
version = "1.1"
strings:
$cmd = "Software\\Microsoft\\Windows\\CurrentVersion\" /v ProgramFilesDir" nocase
condition:
$cmd
}
Once the rule is in place, Mayor Malware runs his malware in a controlled environment to see if the rule flags it. If the malware queries the registry key, the YARA rule will detect it, alerting the analysts.
Evasion Through Obfuscation
Even with YARA rules in place, Mayor Malware knows that obfuscation can help him bypass detection. By encoding the PowerShell command used to query the registry, he can avoid simple string matching. Here’s an example of how the registry query is encoded:
void registryCheck() {
const char *encodedCommand = "RwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuACIAIAAtAE4AYQBtAGUAIABQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwBEAGkAcgA=";
char command[512];
snprintf(command, sizeof(command), "powershell -EncodedCommand %s", encodedCommand);
int result = system(command);
if (result == 0) {
printf("Registry query executed successfully.\n");
} else {
fprintf(stderr, "Failed to execute registry query.\n");
}
}
The registry query is now encoded in base64, making it harder to detect by simple string matching tools like YARA.
Combatting Obfuscation with Floss
Obfuscation isn’t foolproof, though. Tools like Floss (from Mandiant) can help analysts extract obfuscated strings from malware binaries. Floss is optimized for malware analysis and can reveal hidden strings that might otherwise evade detection.
To use Floss, an analyst would run the following command in PowerShell:
PS C:\Tools\FLOSS> floss.exe C:\Tools\Malware\MerryChristmas.exe | Out-file C:\tools\malstrings.txt
This scans the binary MerryChristmas.exe for hidden strings and outputs the results to malstrings.txt. When the analyst searches for specific markers like "THM", they can uncover the flag hidden in the malware.
Using YARA on Sysmon Logs
To further complicate matters, Mayor Malware must contend with Sysmon logs, which can expose detailed event data on system activities like process creation, network connections, and file changes. By creating custom filters in YARA, an analyst can detect traces of the malware’s actions within the Sysmon logs, making it harder for malware to remain hidden.
Conclusion
As Mayor Malware tests his creation, he is met with an uncomfortable truth: no matter how stealthy he makes it, security tools like YARA, Sysmon, and Floss are powerful enough to detect his malware. But he is not one to give up easily. As he leans back, pondering his next move, he realizes that this battle of cat and mouse will continue. He’ll need to adapt, evolve, and refine his methods until his malware is truly undetectable.
For now, however, the research continues, and the game of cat and mouse between attacker and defender rages on.
Answering the Questions:
What is the flag displayed in the popup window after the EDR detects the malware?
THM{GlitchWasHere}
What is the flag found in the
malstrings.txtdocument after runningfloss.exe?THM{YaraIsPain} (Hypothetical answer – adjust based on actual output from Floss).
This concludes Day 6’s blog post.