| ID | OB0001 |
|----|--------|
Behaviors that prevent, obstruct, or evade behavioral analysis (sandbox, debugger, etc.). Because the underlying methods differ, separate "detection" and "evasion" behaviors are defined for some anti-behavioral analysis areas (e.g., anti-debugger).
Two primary resources for anti-behavioral analysis behaviors are [1] and [2].
- Capture Evasion B0036
- Conditional Execution B0025
- Debugger Detection B0001
- Debugger Evasion B0002
- Dynamic Analysis Evasion B0003
- Emulator Detection B0004
- Emulator Evasion B0005
- Executable Code Virtualization B0008
- Hooking F0003
- Memory Dump Evasion B0006
- Sandbox Detection B0007
- Software Packing F0001
- Virtual Machine Detection B0009
[1] Unprotect Project, a database about malware self-defense and protection. https://search.unprotect.it/map
[2] InDepthUnpacking, course content for teaching malware anti-analysis techniques and mitigations, with emphasis on packers. https://github.com/knowmalware/InDepthUnpacking