ID | B0013 |
Objective(s) | Discovery |
Related ATT&CK Techniques | None |
Version | 2.0 |
Created | 1 August 2019 |
Last Modified | 13 September 2023 |
Malware can employ various means to detect whether analysis tools are present or running on the system on which it is executing. Such tools include Wireshark, Process Hacker, and IDA.
Note that analysis tools are used to analyze malware, whereas security software (see Software Discovery: Security Software Discovery (T1518)) aims to detect or mitigate malware on a system or network.
This behavior corresponds to simple, general discovery of analysis tools. Behaviors to find specific analysis tools (e.g., debuggers or disassemblers) are defined under the Anti-Behavioral Analysis objective.
Name | ID | Description |
---|---|---|
Known File Location | B0013.008 | Malware may detect an analysis tool by the presence of a file in a known location. |
Known Window | B0013.009 | Malware may detect an analysis tool via the presence of a known window. |
Known Windows Class Name | B0013.010 | Running program windows are checked to see if any window class name contains a string indicating that an analysis tool is running. For example, 'WinDbgFrameClass' is the class name of WinDbg's main window. [2] |
Process detection | B0013.001 | Malware can scan for the process name associated with common analysis tools. |
Process detection - Debuggers | B0013.002 | Malware can scan for the process name associated with common analysis tools - OllyDBG / ImmunityDebugger / WinDbg / IDA Pro. |
Process detection - PCAP Utilities | B0013.004 | Malware can scan for the process name associated with common analysis tools - Wireshark / Dumpcap. |
Process detection - PE Utilities | B0013.006 | Malware can scan for the process name associated with common analysis tools - ImportREC / PETools / LordPE. |
Process detection - Process Utilities | B0013.005 | Malware can scan for the process name associated with common analysis tools - ProcessHacker / SysAnalyzer / HookExplorer / SysInspector. |
Process detection - Sandboxes | B0013.007 | Malware can scan for the process name associated with common analysis tools - Joe Sandbox, etc. |
Process detection - SysInternals Suite Tools | B0013.003 | Malware can scan for the process name associated with common analysis tools - Process Explorer / Process Monitor / Regmon / Filemon, TCPView, Autoruns. |
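The sub-methods above are usually implemented as three loops: over the process snapshot, over top-level window class names, and over a fixed list of file paths. The script below is an added example that reimplements those checks, not code from the MBC page or from any malware family it cites. The process, window and file listings are constructed sample input so it runs offline; a real sample would fill the same lists from CreateToolhelp32Snapshot/Process32NextW, EnumWindows/GetClassNameW and GetFileAttributesW. Tool names and paths beyond those on the page (the x64dbg class name, the install paths) are assumptions.

```python
"""Toy reimplementation of the B0013 discovery checks: process names
(B0013.001-.007), window class names (B0013.010) and known file locations
(B0013.008). Added example with constructed input; see the lead-in."""
from __future__ import annotations

import os
from collections.abc import Callable, Iterable

# Process image names keyed by the B0013 sub-method they fall under.
PROCESS_SIGNATURES: dict[str, set[str]] = {
    "B0013.002": {"ollydbg.exe", "immunitydebugger.exe", "windbg.exe",
                  "idaq.exe", "idaq64.exe", "ida.exe", "ida64.exe"},
    "B0013.003": {"procexp.exe", "procexp64.exe", "procmon.exe", "procmon64.exe",
                  "regmon.exe", "filemon.exe", "tcpview.exe", "autoruns.exe"},
    "B0013.004": {"wireshark.exe", "dumpcap.exe"},
    "B0013.005": {"processhacker.exe", "sysanalyzer.exe", "hookexplorer.exe",
                  "sysinspector.exe"},
    "B0013.006": {"importrec.exe", "petools.exe", "lordpe.exe"},
}

# Window class name fragments (B0013.010). "WinDbgFrameClass" is from the
# page; "OLLYDBG" (OllyDbg) and "Qt5QWindowIcon" (x64dbg) are assumptions.
WINDOW_CLASS_SIGNATURES: set[str] = {"WinDbgFrameClass", "OLLYDBG", "Qt5QWindowIcon"}

# Install paths probed for B0013.008. Assumed default locations, not from the page.
KNOWN_FILE_SIGNATURES: dict[str, str] = {
    r"C:\Program Files\Wireshark\Wireshark.exe": "Wireshark",
    r"C:\Program Files\Process Hacker 2\ProcessHacker.exe": "Process Hacker",
    r"C:\Program Files\IDA\idaq.exe": "IDA Pro",
}


def detect_processes(process_names: Iterable[str]) -> dict[str, set[str]]:
    """Case-insensitive match of process image names against each sub-method's list."""
    hits: dict[str, set[str]] = {}
    for raw in process_names:
        name = os.path.basename(raw.replace("\\", "/")).lower()  # strip any path
        for method_id, names in PROCESS_SIGNATURES.items():
            if name in names:
                hits.setdefault(method_id, set()).add(name)
    return hits


def detect_window_classes(class_names: Iterable[str]) -> set[str]:
    """Substring match over window class names, the way Poison Ivy walks windows."""
    found: set[str] = set()
    for cls in class_names:
        for sig in WINDOW_CLASS_SIGNATURES:
            if sig.lower() in cls.lower():
                found.add(sig)
    return found


def detect_known_files(exists: Callable[[str], bool] = os.path.exists) -> set[str]:
    """Probe fixed paths. `exists` is injectable so the check can be exercised
    without touching the real filesystem."""
    return {tool for path, tool in KNOWN_FILE_SIGNATURES.items() if exists(path)}


def analysis_tools_present(process_names: Iterable[str], class_names: Iterable[str],
                           exists: Callable[[str], bool] = os.path.exists) -> bool:
    """The decision a sample actually acts on: any hit means 'being analysed'."""
    return bool(detect_processes(process_names)
                or detect_window_classes(class_names)
                or detect_known_files(exists))


# Constructed sample input standing in for a live process/window/file listing.
SAMPLE_PROCESSES = ["System", "explorer.exe", r"C:\Tools\Wireshark.exe",
                    "ProcessHacker.exe", "notepad.exe"]
SAMPLE_WINDOW_CLASSES = ["Shell_TrayWnd", "Progman", "WinDbgFrameClass", "Notepad"]
SAMPLE_FILES = {r"C:\Program Files\Wireshark\Wireshark.exe"}

if __name__ == "__main__":
    print(detect_processes(SAMPLE_PROCESSES))
    print(detect_window_classes(SAMPLE_WINDOW_CLASSES))
    print(detect_known_files(SAMPLE_FILES.__contains__))
    print(analysis_tools_present(SAMPLE_PROCESSES, SAMPLE_WINDOW_CLASSES,
                                 SAMPLE_FILES.__contains__))
```

Every check is an exact or substring match on a name, which is why renaming the tool binary, changing its window title or installing it to a non-default path defeats these sub-methods; the named-pipe check used by Poison Ivy (see the examples below) is harder to evade that way because it depends on a resource the tool must hold rather than on a name.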
Name | Date | Method | Description |
---|---|---|---|
Emotet | 2018 | B0013.002 | Emotet reports its list of running processes to the C2 server. If the server finds a debugging-related tool in that list, Emotet receives an "upgrade" command, calls ShellExecuteW, and exits. [1] |
Poison Ivy | 2005 | -- | A Poison Ivy variant runs a thread that checks for analysis tools by attempting to create named pipes with the names that various analysis tools use. If one of the named pipes cannot be created, the corresponding analysis tool is already running. [2] [3] |
Poison Ivy | 2005 | B0013.010 | Poison Ivy goes through all running program windows to check whether any window class name contains a special string, which indicates that an analysis tool is running. [2] [3] |
WebCobra | 2018 | B0013.004 | When infecting an x64 system, the malware terminates if Wireshark is running on the system. [4] |
Tool: capa | Mapping | APIs |
---|---|---|
reference analysis tools strings | Analysis Tool Discovery::Process detection (B0013.001) | -- |
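The capa rule mapped above works statically: it matches strings naming analysis tools in the sample rather than watching it run. The script below is an added example of that kind of check, not capa's own rule logic or code from the MBC page. It scans a byte blob for tool names in both ASCII and UTF-16LE, since Windows samples that compare process names with wide-string APIs store them wide. The blob is constructed to resemble a fragment of a PE data section so the script runs offline, and the tool-name list extends the page's examples with a few assumed names.

```python
"""Static scan for strings naming analysis tools, in ASCII and UTF-16LE.
Added example with a constructed input blob; see the lead-in."""
from __future__ import annotations

from collections.abc import Iterable, Iterator

# Strings a B0013-style check typically embeds. Names not on the page are assumed.
ANALYSIS_TOOL_STRINGS: tuple[str, ...] = (
    "ollydbg.exe", "immunitydebugger.exe", "windbg.exe", "idaq.exe",
    "wireshark.exe", "dumpcap.exe", "procmon.exe", "procexp.exe",
    "processhacker.exe", "importrec.exe", "lordpe.exe", "WinDbgFrameClass",
)


def _find_all(haystack: bytes, needle: bytes) -> Iterator[int]:
    """Yield every offset at which `needle` occurs in `haystack` (overlaps allowed)."""
    start = 0
    while (i := haystack.find(needle, start)) != -1:
        yield i
        start = i + 1


def scan_for_tool_strings(blob: bytes,
                          strings: Iterable[str] = ANALYSIS_TOOL_STRINGS
                          ) -> list[tuple[int, str, str]]:
    """Return (offset, tool_string, encoding) for each occurrence, sorted by offset.

    Matching is case-insensitive: bytes.lower() only folds ASCII letters, so the
    interleaved null bytes of UTF-16LE text are left untouched."""
    lowered = blob.lower()
    hits: list[tuple[int, str, str]] = []
    for s in strings:
        name = s.lower()
        for enc, needle in (("ascii", name.encode("ascii")),
                            ("utf-16le", name.encode("utf-16-le"))):
            hits.extend((off, name, enc) for off in _find_all(lowered, needle))
    return sorted(hits)


def referenced_tools(blob: bytes) -> set[str]:
    """Just the set of tool strings present: the yes/no answer the rule gives."""
    return {name for _, name, _ in scan_for_tool_strings(blob)}


# Constructed blob: a fake DOS header stub, a few import names, then one wide
# and one ASCII tool name. Not taken from any real sample.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"kernel32.dll\x00CreateToolhelp32Snapshot\x00Process32NextW\x00"
    + "wireshark.exe".encode("utf-16-le") + b"\x00\x00"
    + b"OLLYDBG.EXE\x00"
    + b"\x00" * 32
)

if __name__ == "__main__":
    for offset, name, enc in scan_for_tool_strings(SAMPLE_BLOB):
        print(f"0x{offset:04x} {enc:8s} {name}")
    print(sorted(referenced_tools(SAMPLE_BLOB)))
```

Because the scan is static, a packed or encrypted sample shows nothing until it is unpacked or the strings are decoded at runtime; conversely, a hit only shows that the sample knows the names, and the dynamic sub-methods above are where the actual check (and any resulting exit, as in the WebCobra example) is observed.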
[1] https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-1
[2] https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf
[3] https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-variant
[4] https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/