
Anti-Sandbox Check - Known hostnames / usernames #189

Closed
recvfrom opened this issue Sep 5, 2019 · 3 comments
Comments

@recvfrom
Contributor

recvfrom commented Sep 5, 2019

Some malware will stop executing if it's running on a machine with certain host names and user names, presumably as an anti-sandbox check. It'd be awesome if al-khaser could have a check for these.

Usernames checked for by Gootkit, from [1]:

CurrentUser
Sandbox

Hostnames checked for by Gootkit, from [1]:

SANDBOX
7SILVIA

Usernames checked for by a Trickbot downloader, from [2]:

Emily
HAPUBWS
Hong Lee
IT-ADMIN
Johnson
Miller
milozs
Peter Wilson
timmy
user

Hostnames checked for by a Trickbot downloader, from [2]:

HANSPETER-PC
JOHN-PC
MUELLER-PC
WIN7-TRAPS

More research will need to be done to know which sandboxes these usernames and hostnames correspond to. For the ones that we can't definitively tie back to a known sandbox, should these be included in al-khaser? It's possible those could be the username/hostname of the malware author's test environment, for instance, and wouldn't technically be an anti-sandbox check.

[1] https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/
[2] https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/

@Waterman178

It’s a bit interesting, I need to study it.

@recvfrom
Contributor Author

recvfrom commented Sep 13, 2019

Usernames checked for by Betabot, from [3] (not including ones mentioned above):

sand box
malware
maltest
test user

[3] https://www.cybereason.com/blog/betabot-banking-trojan-neurevt

@recvfrom
Contributor Author

recvfrom commented Sep 13, 2019

Usernames checked for by Satan, from [4] (not including ones mentioned above):

virus

Hostnames checked for by Shifu, from [5] (not including ones mentioned above):

FORTINET

Combined checks by Emotet, from [6]:

NetBIOS name is TEQUILABOOMBOOM (VirusTotal Sandbox)
UserName is Wilber and (NetBIOS name starts with SC, or NetBIOS name starts with CW)
UserName is admin and DnsHostName is SystemIT
Username is admin, and NetBIOS name is KLONE_X64-PC
UserName is John Doe
UserName is John and there are two files called C:\take_screenshot.ps1 and C:\loaddll.exe

[4] https://cofense.com/satan/
[5] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/japanese-banking-trojan-shifu-combines-malware-tools
[6] https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/
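As an added example (not al-khaser's own code), a portable C version of the lookup this thread proposes: it combines the plain username/hostname lists from [1]-[5] with the Emotet pairings from [6], so a sandbox operator can feed in their VM's identity and see whether it is one these families fingerprint. Assumptions: the user and host strings are passed in as parameters (in al-khaser they would come from GetUserName and GetComputerName), one host parameter stands for both the NetBIOS and DNS host name, and the Emotet rule that additionally requires two files on disk is left out.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Usernames and hostnames collected in this issue (references [1]-[6]). */
static const char *SANDBOX_USERS[] = {
    "CurrentUser", "Sandbox", "Emily", "HAPUBWS", "Hong Lee", "IT-ADMIN",
    "Johnson", "Miller", "milozs", "Peter Wilson", "timmy", "user",
    "sand box", "malware", "maltest", "test user", "virus", "John Doe", NULL };

static const char *SANDBOX_HOSTS[] = {
    "SANDBOX", "7SILVIA", "HANSPETER-PC", "JOHN-PC", "MUELLER-PC",
    "WIN7-TRAPS", "FORTINET", "TEQUILABOOMBOOM", NULL };

/* Case-insensitive compare of the first n characters, stopping at a NUL.
 * Written by hand so the block builds without _stricmp/strncasecmp. */
static int ieq_n(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        int ca = tolower((unsigned char)a[i]);
        int cb = tolower((unsigned char)b[i]);
        if (ca != cb) return 0;
        if (ca == '\0') return 1;   /* both ended together: equal */
    }
    return 1;                       /* first n characters matched */
}

/* Whole-string case-insensitive equality (compares the terminators too). */
static int ieq(const char *a, const char *b) { return ieq_n(a, b, strlen(a) + 1); }

static int in_list(const char *s, const char **list) {
    for (; *list; list++) if (ieq(s, *list)) return 1;
    return 0;
}

/* Returns 1 when (user, host) matches any single-value indicator above or one
 * of the Emotet combined rules from [6]; 0 otherwise. Assumption: 'host' is
 * used for both the NetBIOS name and the DNS host name mentioned in [6]. */
int identity_looks_like_sandbox(const char *user, const char *host) {
    if (in_list(user, SANDBOX_USERS) || in_list(host, SANDBOX_HOSTS)) return 1;
    /* Emotet: user Wilber with a NetBIOS name starting SC or CW */
    if (ieq(user, "Wilber") && (ieq_n(host, "SC", 2) || ieq_n(host, "CW", 2))) return 1;
    /* Emotet: user admin on SystemIT or KLONE_X64-PC */
    if (ieq(user, "admin") && (ieq(host, "SystemIT") || ieq(host, "KLONE_X64-PC"))) return 1;
    return 0;
}
```

The lists are checked case-insensitively because Windows treats user and computer names that way; a sandbox whose identity scores 1 here is distinguishable from a normal workstation by at least one of the families cited in the thread.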
