Secondary Categories: 02-Malware


Description:

When it comes to dynamic analysis, our payload is usually executed in a sandbox environment to monitor the actions it performs, such as modifying a registry key or opening a connection to a remote server. Most sandbox environments cannot faithfully emulate a real workstation or network environment, so there are several logic checks that can be performed before the shellcode is executed:

  • Is the system domain joined?
  • Is there less than 4 GB of RAM?
  • Are there fewer than 2 CPU cores?
  • Is the timezone set to UTC?
  • Keep the shellcode's memory protection set to read-only, and change it to read-execute only when it is time to execute the payload.

Some good sample code snippets can be found here
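An audit script for sandbox operators, added here as an example and not taken from these notes or the linked snippets: it reads the same four host properties and reports which of the checks listed above the analysis VM would trip, so the giveaways can be fixed before samples are detonated. The thresholds are the ones listed above; the key names, the `USERDNSDOMAIN` domain-join test and the Windows memory API call are my choices.

```python
"""Sandbox realism audit: which of the heuristics above would this host trip?"""
import os
import platform
import time
from typing import Dict, List, Optional


def memory_gb() -> float:
    """Physical RAM in GiB (Windows API call or POSIX sysconf)."""
    if platform.system() == "Windows":
        import ctypes
        kb = ctypes.c_ulonglong(0)
        ctypes.windll.kernel32.GetPhysicallyInstalledSystemMemory(ctypes.byref(kb))
        return kb.value / (1024 * 1024)
    return os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES") / 2**30


def domain_joined() -> Optional[bool]:
    """True/False on Windows (USERDNSDOMAIN is set for domain logons); None elsewhere."""
    if platform.system() != "Windows":
        return None
    return "USERDNSDOMAIN" in os.environ


def collect_profile() -> Dict[str, object]:
    """Gather the four host properties the listed checks look at."""
    return {
        "domain_joined": domain_joined(),
        "ram_gb": memory_gb(),
        "cores": os.cpu_count() or 1,
        "utc_offset_s": time.localtime().tm_gmtoff,  # 0 means the clock is on UTC
    }


def evaluate(profile: Dict[str, object]) -> List[str]:
    """Return the heuristics from the notes that this profile trips (thresholds as listed)."""
    tripped = []
    if profile["domain_joined"] is False:  # None = unknown (non-Windows), not counted
        tripped.append("not domain joined")
    if profile["ram_gb"] < 4:
        tripped.append("less than 4 GB RAM")
    if profile["cores"] < 2:
        tripped.append("fewer than 2 cores")
    if profile["utc_offset_s"] == 0:
        tripped.append("timezone is UTC")
    return tripped


if __name__ == "__main__":
    hits = evaluate(collect_profile())
    print("sandbox giveaways: " + (", ".join(hits) if hits else "none"))
```

Run it inside the sandbox guest; every line it reports is a property the page's checks would use to tell the VM apart from a real workstation.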

If the shellcode loader is written in any of the following languages, AMSI (Antimalware Scan Interface) can be used to detect malicious activity:

  • PowerShell
  • JScript
  • VBScript
  • C#
  • WMI
  • VBA

When such a program runs, amsi.dll is loaded into the process, and the AmsiScanBuffer and AmsiScanString API functions are used to scan content for malware. These functions can be patched in the same way as the EtwEventWrite API function.

We can also use the C# AMSI bypass method found here. We can use the amsi.fail project to check our payloads, or PEStudio to see a more detailed view of the payload information.

