ID | C0043 |
Objective(s) | Process |
Related ATT&CK Techniques | None |
Version | 2.0 |
Created | 4 December 2020 |
Last Modified | 13 September 2023 |

Malware checks a mutex.

Name | Date | Method | Description |
---|---|---|---|
Poison Ivy | 2005 | -- | Poison Ivy variant checks if the wireshark-is-running{} named mutex object exists. [1] |
Matanbuchus | 2021 | -- | Malware checks whether multiple instances of the same mutex are running. If multiple instances are running, the malware exits. [2] [3] |

Tool: capa | Mapping | APIs |
---|---|---|
check mutex | Check Mutex (C0043) | kernel32.OpenMutex, System.Threading.Mutex::OpenExisting, System.Threading.Mutex::TryOpenExisting, kernel32.GetLastError |
check mutex and exit | Check Mutex (C0043) | ExitProcess, exit, _Exit, _exit, WaitForSingleObject, GetLastError |

[1] https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-variant
[2] https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/
[3] https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-a-quirky-loader