You are browsing the archive for Batch Analysis.

Enter Sandbox – part 12: The Library of naughty libraries

July 1, 2016 in Batch Analysis, Clustering, Sandboxing

Detecting sandboxes is a cool domain for research. It’s been a fav topic for many companies to cover for many years in their blogs and there is… no end to it.

In this short summary, I’ll try to list all the phantom/real DLLs that anti-sandbox tricks rely on to detect suspicious, or at least unfriendly AV environment.

Some of them are very well known, some of them… less.

If you know any others, please do let me know.

Thank you!

Here they are:

  • a2hooks32    Emsisoft
  • adialhk    Kaspersky Anti-Virus
  • anvirhook56    AnVir Software
  • api_log    SunBelt SandBox
  • apihookdll    (Generic API Hooking DLL name)
  • apshook    Cognizant Application Protection Hook
  • avgrsstx    AVG Internet Security
  • avcuf32    BitDefender
  • BgAgent    BullGuard
  • cssdll32    Comodo (SafeSurf)
  • dbghelp    Debug Help (Potentially used to detect sandboxing env)
  • desktopmessaging    Sophos Anti-Virus
  • dir_watch    SunBelt SandBox
  • eeconsumer    Sophos Anti-Virus
  • guard32    Comodo
  • hinthk    HintSoft
  • iatloader    API Override
  • icadapter    Sophos Anti-Virus
  • icmanagement    Sophos Anti-Virus
  • ieprot    Rising Information Technology (IE Protector)
  • kakatool    Rising Information Technology
  • kloehk    Kaspersky Anti-Virus (Outlook Express Hook)
  • kmon    Rising Information Technology
  • legacyconsumers    Sophos Anti-Virus
  • mzvkbd    Kaspersky Anti-Virus
  • pavshook    Panda
  • PCTGMhk    PC Tools
  • persistance    Sophos Anti-Virus
  • pinvm    PIN (Instrumentation Framework)
  • printfhelp    Unknown Sandbox
  • psapi    Possibly loaded to look for processes/modules
  • pstorec    Possible SunBelt Sandbox (but also other sandboxes that preload DLLs)
  • QOEHook    Qurb
  • R3HOOK    Kaspersky Anti-Virus (Ring 3 Hooker)
  • rapport    Trusteer
  • rooksbas    Trusteer
  • sar1    Sophos Anti-Rootkit
  • sar2    Sophos Anti-Rootkit
  • sar3    Sophos Anti-Rootkit
  • sar4    Sophos Anti-Rootkit
  • savneutralres    Sophos Anti-Virus
  • savreseng    Sophos Anti-Virus
  • savshellext    Sophos Anti-Virus
  • savshellextx64    Sophos Anti-Virus
  • sbie    SandBoxie
  • sbie!ll    SandBoxie
  • sbiedll    SandBoxie
  • sbiedllx    SandBoxie
  • scaneditfacade    Sophos Anti-Virus
  • scanmanagement    Sophos Anti-Virus
  • security    Sophos Anti-Virus
  • sipsmanagement    Sophos Anti-Virus
  • snxhk    Avast
  • sophos_detoured    Sophos Anti-Virus
  • sophos_detoured_x64    Sophos Anti-Virus
  • sophosbho    Sophos Anti-Virus
  • sophosbhox64    Sophos Anti-Virus
  • sophtaineradapter    Sophos Anti-Virus
  • ssleay32    Trusteer (could be a legitimate use of OpenSSL library though)
  • swi_filter    Sophos Anti-Virus
  • swi_ifslsp    Sophos Anti-Virus
  • swimanagement    Sophos Anti-Virus
  • systeminformation    Sophos Anti-Virus
  • tamperprotectionmanagement    Sophos Anti-Virus
  • threatdetection    Sophos Anti-Virus
  • translators    Sophos Anti-Virus
  • UMEngx86    Norton Sonar
  • virusdetection    Sophos Anti-Virus
  • vmcheck    Virtual PC
  • vmhgfs    VMWare
  • wbsys    Stardock.Net (WindowBlinds)
  • wl_hdlr    Agnitum (Outpost)
  • wl_hook    Agnitum (Outpost)
  • wpcap    Attempts ot WinPCAP library (possible sandbox detection)
  • wpespy    Winsock Packet Editor (WPE)

A separate category is the OS DLLs. The technique that some malware relies on requires loading f.ex. ntdll.dll as a data file, parsing it manually as a PE file, then discovering its exports, finding the code of the API functions that are typically hooked, and eventually comparing that ‘static’ code with the code of the actually loaded library (in memory). This is a trick used by some older packers (AFAIR Themida), but also some custom (and typically advanced, since written in asm most of the time) malware.

Note: if you use this list in a commercial sandbox, please ensure you give a credit 🙂

DeXRAY update

June 25, 2016 in Batch Analysis, Compromise Detection, DeXRAY, File Formats ZOO, Forensic Analysis, Incident Response, Malware Analysis, Software Releases

Added:

  • ESafe (VIR)
  • Microsoft Windows Defender (partial support)
  • Spypot – Search & Destroy

The full list of supported or recognized file formats is listed below:

  • AhnLab (V3B)
  • ASquared (EQF)
  • Avast (Magic@0=’-chest- ‘)
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • CMC Antivirus (CMC)
  • Comodo <GUID> (not really; Quarantined files are not encrypted 🙂
  • ESafe (VIR)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0=’KSS’)
  • Kaspersky (KLQ)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • MalwareBytes Data files (DATA)
  • MalwareBytes Quarantine files (QUAR)
  • McAfee Quarantine files (BUP)
  • Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 header handled
  • Panda <GUID> Zip files
  • Spybot – Search & Destroy 2 ‘recovery’
  • SUPERAntiSpyware (SDB)
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN)
  • Symantec Quarantine Index files (QBI)
  • TrendMicro (Magic@0=A9 AC BD A7 which is ‘VSBX’ string ^ 0xFF)
  • QuickHeal <hash> files
  • Vipre (<GUID>_ENC2)
  • Any binary file (using X-RAY scanning)

You can download it here.