Behavior Instances

From ema

A Behavior Instance captures a specific instance of a Behavior, as exhibited by one or more malware instances or families.

| Name | Applicable Platform | Associated Behavior | Description |
|---|---|---|---|
| API Call: IsDebuggerPresent | Windows | debugger detect & evade | The kernel32!IsDebuggerPresent API call checks the Process Environment Block to see if the calling process is being debugged. This is one of the most basic and common ways of detecting debugging. |
| Control Graph Flattening | Generic | linear disassembler prevention | Flattening the control flow of each function by first breaking up the nesting of loops and if-statements, and then hiding each of them in a case of a large switch statement, which is wrapped inside the body of a loop. |
| CryptoAPI | Windows | & Encrypt Files for Ransom (mobile) | The Microsoft CryptoAPI includes functions to encrypt and decrypt data; these are commonly imported and used by malware (particularly ransomware) to encrypt user data/files on a system. |
| Debugger Artifacts | Generic | debugger detect & evade | Detects a debugger by its artifacts (window title, device driver, exports, etc.). |
| Extended/Different Instruction Sets | Generic | emulator prevention | Emulators may be blocked through the use of different opcode sets (e.g. FPU, MMX, SSE). |
| Extra Loops/Time Locks | Generic | emulator prevention | Extra loops may be added to make time-constrained emulators give up. |
| Guard Pages | Generic | memory dump obstruction | Blocks of code are encrypted individually, and decrypted temporarily only upon execution. One variant uses self-debugging to accomplish this. |
| Guest Process Testing | Windows | virtual machine detect & evade | Virtual machines offer guest additions that can be installed to add functionality such as clipboard sharing. Detecting the process responsible for these tasks, via its name or other methods, is a technique employed by malware for detecting whether it is being executed in a virtual machine. |
| HTML5 Performance Object | Windows | virtual machine detect & evade | In three browser families, it is possible to extract the frequency of the Windows performance counter using standard HTML and JavaScript. This value can then be used to detect whether the code is being executed in a virtual machine, by detecting two specific frequencies commonly used in virtual but not physical machines. |
| Injected DLL Testing | Windows | sandbox detect & evade | Testing for the name of a particular DLL that is known to be injected by a sandbox for API hooking is a common way of detecting sandbox environments. This can be achieved through the kernel32!GetModuleHandle API call and other means. |
| Instruction Overlap | Generic | linear disassembler prevention | Jumping to a target after the first byte of an instruction. Confuses some disassemblers. |
| Interrupt Hooking | Generic | debugger prevention | Block interrupt 1 and/or 3 to prevent debuggers from working. |
| Monitoring thread | Generic | debugger detect & evade | Spawn a monitoring thread to detect tampering, breakpoints, etc. |
| Named System Object Checks | Windows | virtual machine detect & evade | Virtual machines often include specific named system objects by default, such as Windows device drivers, which can be detected by testing for specific strings, whether found in the Windows registry or elsewhere. |
| Process Environment Block (PEB) | Windows | debugger detect & evade | The Process Environment Block (PEB) is a Windows data structure associated with each process that contains several fields, one of which is "BeingDebugged". Testing the value of this field in the PEB of a particular process can indicate whether the process is being debugged; this is equivalent to using the kernel32!IsDebuggerPresent API call. |
| Product Key/ID Testing | Windows | sandbox detect & evade | Checking for a particular product key/ID associated with a sandbox environment (commonly associated with the Windows host OS used in the environment) can be used to detect whether a malware instance is being executed in a particular sandbox. This can be achieved through several means, including testing for the key/ID in the Windows registry. |
| Screen Resolution Testing | Linux | sandbox detect & evade | Sandboxes aren't used in the same manner as a typical user environment, so most of the time the screen resolution stays at the minimum 800x600 or lower. No one actually works on such a small screen. Malware could potentially check the screen resolution to determine whether it is on a user machine or in a sandbox. |
| Self Debugging | Generic | debugger prevention | Debug itself to prevent another debugger from being attached. |
| Timing/Date Checks | Windows | sandbox detect & evade | Calling GetSystemTime or an equivalent and only executing code if the current date/hour/minute/second passes some check. Often this is for running only after or only until a specific date. |
| Timing/Date Checks | Generic | debugger detect & evade | Calling GetSystemTime or an equivalent and only executing code if the current date/hour/minute/second passes some check. Often this is for running only after or only until a specific date. |
| Timing/Delay Checks | Generic | debugger detect & evade | Comparing the time between two points to detect "unusual" execution, such as the (relatively) massive delays introduced by debugging. |
| Timing/Up-time Check | Generic | debugger detect & evade | Comparing a single GetTickCount result with some value to see whether the system was started at least X amount of time ago. |
| Undocumented Opcodes | Generic | emulator prevention | Use of rare or undocumented opcodes to block non-exhaustive emulators. |
| Unusual/Undocumented API Calls | Generic | emulator prevention | Unusual APIs are called to block non-exhaustive emulators (particularly anti-virus). |