spender-sandbox/cuckoomon-modified

Cuckoomon evasion tactic

Closed this issue · 6 comments

MD5: ffbb763b95ea8f9ea44e786c0ff43bf5

Creates a child process, then injects a PE image into its virtual address space:


The child process evades analysis by repeatedly calling Sleep(0):


Carving out the injected PE image and loading it into IDA Pro clearly shows the 1 million iteration loop with the Sleep calls:


This evasion tactic seems to work only because it is performed by a child process, which is treated differently by Cuckoomon than the main target process.

I can write something for this, but in general there are many more cases of this same idea, particularly with VB loaders. Sometimes it'll be necessary to run the sample for a longer duration.

-Brad

Is there any reason why child processes are treated differently in this context than the main target process?

Because there's code to skip the sleeps happening in the first 5 seconds of execution in the initial process -- this isn't such a good idea anyway really and I'll probably replace it at some point.

-Brad

To clarify, are you saying that sleep skipping in the target process is a bad idea, or that NOT sleep skipping in the child processes is a bad idea?

The indiscriminate skipping of sleeps (as in, not calling the real API at all) for the first 5 seconds is a bad idea.

-Brad

It's an interesting problem. I guess at minimum the sandbox should be able to reliably detect long sleeps and related tricks.
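One way a sandbox could flag the two patterns raised in this thread, the tight Sleep(0) spin in a child process and a long cumulative sleep, from a Cuckoo-style behavior log, applying the same rule to the target and every process it spawns. This is an added example, not code from cuckoomon-modified or from either participant; the log records, the set of sleep API names, the process ids and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Assumed sleep-family API names as they might appear in a behavior log.
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}


def constructed_log(spin_calls=50_000):
    """Constructed records (pid, parent_pid, api, requested_ms), not real output.

    Mirrors the issue: the initial process spawns a child and injects into it,
    and the child spins on Sleep(0) (iteration count scaled down here).
    """
    yield ("1000", "900", "CreateProcessInternalW", None)
    yield ("1000", "900", "WriteProcessMemory", None)
    yield ("1000", "900", "NtResumeThread", None)
    yield ("1000", "900", "Sleep", 250)
    for _ in range(spin_calls):
        yield ("1200", "1000", "Sleep", 0)
    yield ("1200", "1000", "InternetOpenA", None)


def descendants_of(calls, target_pid):
    """Return the target pid plus every process transitively spawned from it."""
    tree, changed = {target_pid}, True
    while changed:  # repeat until no new child is discovered (order-independent)
        changed = False
        for pid, ppid, _, _ in calls:
            if ppid in tree and pid not in tree:
                tree.add(pid)
                changed = True
    return tree


def analyze_sleeps(calls, target_pid, max_calls=10_000, max_total_ms=30_000):
    """Per-process sleep statistics and flags for the target and its children.

    "sleep-spin": many sleep calls; skipping the real API does not shorten a
    Sleep(0) loop, so the call count itself is the signal.
    "long-sleep": large cumulative requested delay (the classic long sleep).
    """
    calls = list(calls)
    tracked = descendants_of(calls, target_pid)
    stats = defaultdict(lambda: {"calls": 0, "total_ms": 0})
    for pid, _, api, ms in calls:
        if pid in tracked and api in SLEEP_APIS:
            stats[pid]["calls"] += 1
            stats[pid]["total_ms"] += ms or 0
    verdicts = {}
    for pid in tracked:
        s = stats[pid]
        flags = (["sleep-spin"] if s["calls"] >= max_calls else []) + \
                (["long-sleep"] if s["total_ms"] >= max_total_ms else [])
        verdicts[pid] = {**s, "is_child": pid != target_pid, "flags": flags}
    return verdicts
```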