Sandbox?

A sandbox is an isolated environment in which (potentially malicious) code is executed without affecting anything outside the sandbox. Typically, multiple tools are installed inside it to monitor, record, and analyse the code's behaviour.

Detecting Sandboxes | Anti-Sandbox Detection Technique

Mayor Malware's malware checks whether it is running in a sandbox by verifying that the C:\Program Files directory exists. Rather than touching the file system directly, it reads the ProgramFilesDir value under the registry key HKLM\Software\Microsoft\Windows\CurrentVersion. If that value (or the directory it points to) is missing, the malware assumes it is in a sandbox and halts its malicious activity. Note that this is only a heuristic: a sandbox built on a stock Windows image has this value, so the check catches stripped-down analysis environments, not well-built ones.

Here’s what it looks like in the C Programming Language:

#include <stdio.h>
#include <stdlib.h>

void registryCheck() {
    const char *registryPath = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion";
    const char *valueName = "ProgramFilesDir";

    // Prepare the command string for reg.exe
    char command[512];
    snprintf(command, sizeof(command), "reg query \"%s\" /v %s", registryPath, valueName);

    // Run the command; reg.exe exits with 0 only if the key and value exist
    int result = system(command);

    // Check for successful execution
    if (result == 0) {
        printf("Registry query executed successfully.\n");
    } else {
        fprintf(stderr, "Failed to execute registry query.\n");
    }
}

int main() {
    const char *flag = "[REDACTED]";
    registryCheck();
    return 0;
}

YARA?

YARA is a tool used to identify and classify malware based on patterns in its code. By writing custom rules, analysts can define specific characteristics to look for—such as particular strings, file headers, or behaviours—and YARA will scan files or processes to find matches, making it invaluable for detecting malicious code.

Mayor Malware does not think such a simple tool can detect his malware. But just to be sure, he has to test it out himself.

rule SANDBOXDETECTED
{
    meta:
        description = "Detects the sandbox by querying the registry key for Program Path"
        author = "TryHackMe"
        date = "2024-10-08"
        version = "1.1"

    strings:
        $cmd = "Software\\Microsoft\\Windows\\CurrentVersion\" /v ProgramFilesDir" nocase

    condition:
        $cmd
}

Let's understand the contents:

  • In the strings section, we define the patterns to look for. Here there is a single one, $cmd: the tail of the reg query command line (the end of the key path, the closing quote, and /v ProgramFilesDir). The nocase modifier makes the match case-insensitive.
  • In the condition section, we define when the rule matches the scanned file or process. Here it matches whenever $cmd is present.

Note that $cmd is the assembled command line. In the C code above, that exact byte sequence only exists once snprintf has built it, so a scan of the running process (or of a binary that embeds the whole command as one literal) will match, whereas the separate path and value-name literals in the source would not.

For his testing, Mayor Malware has set up a one-function script that runs the YARA rule and logs a true positive to C:\Tools\YaraMatches.txt.


Adding More Evasion Techniques

Ah, it seems that YARA can detect the evasion that Mayor Malware has added. No worries: we can make the malware stealthier by obfuscating the command it runs.

#include <stdio.h>
#include <stdlib.h>

void registryCheck() {
    // Base64 of the UTF-16LE PowerShell command that queries the registry value
    const char *encodedCommand = "RwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuACIAIAAtAE4AYQBtAGUAIABQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwBEAGkAcgA=";

    // Prepare the PowerShell execution command
    char command[512];
    snprintf(command, sizeof(command), "powershell -EncodedCommand %s", encodedCommand);

    // Run the command
    int result = system(command);

    // Check for successful execution
    if (result == 0) {
        printf("Registry query executed successfully.\n");
    } else {
        fprintf(stderr, "Failed to execute registry query.\n");
    }
}

Code Explanation

The above code does the same thing: it queries the same registry key for the ProgramFilesDir value. The differences are that the query is now a PowerShell Get-ItemProperty command instead of a reg.exe call, and that the command is passed to powershell -EncodedCommand, which expects the command encoded as UTF-16LE and then base64. The plain-text pattern from the YARA rule therefore no longer appears anywhere in the binary. The encoded string can be checked by decoding it with a tool like CyberChef (From Base64, then decode as UTF-16LE); it decodes to Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion" -Name ProgramFilesDir. Bear in mind that the base64 blob and the literal powershell -EncodedCommand are themselves static strings, so a rule that keys on those would still fire; this obfuscation only defeats the one pattern above.
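To make the encode/decode step concrete, here is an added Python example that is not part of the TryHackMe room or its malware sample. It builds the -EncodedCommand payload exactly as PowerShell expects it (UTF-16LE, then base64), shows that the SANDBOXDETECTED string no longer matches the obfuscated binary, and then does what an analyst does with the output of a strings tool such as FLOSS: pulls printable strings out of a constructed fake binary, spots the long base64 blob, and decodes it. The byte string FAKE_BINARY, all function names, and the registry_query_indicators check are constructed for this example; the only input taken from the page is the base64 constant from the code above.

```python
"""Added example for this page (not code from the TryHackMe room or its sample).
Shows the obfuscation trick from the defender's side: what powershell -EncodedCommand
actually encodes, why the SANDBOXDETECTED string no longer matches, and how to
recover the command from the strings a tool like FLOSS would list."""
import base64
import re

# The plain-text query, as recovered by decoding the page's encodedCommand string.
PS_QUERY = ('Get-ItemProperty -Path "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion"'
            ' -Name ProgramFilesDir')

# The base64 blob from the obfuscated registryCheck() above.
PAGE_ENCODED = ("RwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEwATQA6AFwA"
                "UwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIA"
                "cgBlAG4AdABWAGUAcgBzAGkAbwBuACIAIAAtAE4AYQBtAGUAIABQAHIAbwBnAHIAYQBtAEYAaQBsAGUA"
                "cwBEAGkAcgA=")

# The single string the SANDBOXDETECTED rule looks for, as bytes.
RULE_CMD = b'Software\\Microsoft\\Windows\\CurrentVersion" /v ProgramFilesDir'


def encode_command(ps_command):
    """What -EncodedCommand expects: the command as UTF-16LE, then base64."""
    return base64.b64encode(ps_command.encode("utf-16-le")).decode("ascii")


def decode_command(blob):
    """Reverse of encode_command (CyberChef: From Base64, then decode text as UTF-16LE)."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def rule_matches(data):
    """Case-insensitive substring test: the rule's single-string condition with nocase."""
    return RULE_CMD.lower() in data.lower()


def extract_ascii_strings(data, min_len=6):
    """strings(1)-style extraction of printable ASCII runs (FLOSS calls these static strings)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def looks_like_utf16le_text(raw):
    """True if every 16-bit code unit is a printable ASCII char with a zero high byte."""
    if len(raw) == 0 or len(raw) % 2:
        return False
    return all(raw[i + 1] == 0 and 0x20 <= raw[i] <= 0x7e for i in range(0, len(raw), 2))


def find_encoded_powershell(data):
    """Decode every extracted string that is long, pure base64 and decodes to UTF-16LE text."""
    found = []
    for s in extract_ascii_strings(data):
        if len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]{32,}={0,2}", s):
            continue
        try:
            raw = base64.b64decode(s, validate=True)
        except ValueError:
            continue
        if looks_like_utf16le_text(raw):
            found.append(raw.decode("utf-16-le"))
    return found


def registry_query_indicators(command):
    """Defender-side check on a decoded command: does it read ProgramFilesDir under CurrentVersion?"""
    c = command.lower()
    return "software\\microsoft\\windows\\currentversion" in c and "programfilesdir" in c


# Constructed stand-in for the obfuscated binary's read-only data: the two literals
# from the second registryCheck() sit apart, each NUL-terminated, roughly as a
# compiler would lay them out. The assembled command line never exists on disk.
FAKE_BINARY = (b"\x00padding\x00"
               + b"powershell -EncodedCommand %s\x00"
               + PAGE_ENCODED.encode("ascii") + b"\x00"
               + b"Registry query executed successfully.\n\x00")

if __name__ == "__main__":
    print("rule matches obfuscated binary:", rule_matches(FAKE_BINARY))
    for cmd in find_encoded_powershell(FAKE_BINARY):
        print("decoded:", cmd)
        print("registry indicators present:", registry_query_indicators(cmd))
```

The two detection functions key on different things: rule_matches is the page's rule and is defeated by the encoding, while find_encoded_powershell keys on the shape of the payload (a long base64 run that decodes to UTF-16LE text), which the obfuscation cannot hide. In YARA itself the equivalent is the base64wide string modifier, which matches the base64 of the UTF-16LE form of a string, so a rule with a string such as "Software\\Microsoft\\Windows\\CurrentVersion" base64wide would find this blob without any manual decoding.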


Beware of Floss

While obfuscation is helpful, we also need to know that there are tools that extract obfuscated strings from malware binaries. One such tool is FLOSS (the FLARE Obfuscated String Solver), developed by Mandiant. It works like the strings utility but is built for malware analysis: besides plain static strings, it recovers strings that the binary only assembles or decodes at runtime, making it ideal for revealing concealed details.

To try out FLOSS, open a PowerShell window and enter the following command:

PS C:\Tools\FLOSS> floss.exe C:\Tools\Malware\MerryChristmas.exe | Out-File C:\tools\malstrings.txt

The above command can take up to two minutes to complete. In the meantime, let’s break down the command:

  • floss.exe C:\Tools\Malware\MerryChristmas.exe: scans the binary MerryChristmas.exe for strings. Any hardcoded literals in the malware, such as the base64 blob above, should show up in the output.

  • The | symbol pipes the output of the command on its left into the command on its right.

  • Out-File C:\tools\malstrings.txt: saves the results to a file called malstrings.txt.

Once the command is done, open malstrings.txt, press CTRL+F, and search for the string THM. Enter the flag as the answer to question two. The format of the string is THM{}.

  • THM{HiddenClue}