ID | B0025 |
Objective(s) | Execution, Anti-Behavioral Analysis, Defense Evasion |
Related ATT&CK Techniques | Execution Guardrails (T1480) |
Anti-Analysis Type | Evasion |
Version | 3.0 |
Created | 1 August 2019 |
Last Modified | 19 September 2023 |
Malware checks system environment conditions or characteristics to determine its execution path. For example, malware may not run or may be dormant unless system conditions are favorable, or a file that is dropped may vary its behavior according to the execution environment. Conditional execution in malware happens autonomously, not because of an attacker's command. Such execution is realized when control flow of the malicious program changes with branching instructions in the code, e.g., conditional/unconditional jumps or ‘if’ statements.
This behavior is related to the Dynamic Analysis Evasion (B0003) behavior that obstructs dynamic analysis in a sandbox, emulator, or virtual machine.
Some aspects of this Conditional Execution behavior are related to the Execution Guardrails (T1480) ATT&CK technique; however, the ATT&CK technique is not focused on anti-behavioral analysis behaviors.
Name | ID | Description |
---|---|---|
Deposited Keys | B0025.008 | Parts of the code and/or data is encrypted or otherwise relies on data external to the file itself. For example, malware that contains code that is encrypted with a key that is downloaded from a server; malware that only runs if certain other software is installed on the system. Also see Environmental Keys Method. |
Environmental Keys | B0025.002 | Malware reads certain attributes of the system (BIOS version string, hostname, MAC address, etc.) and encrypts/decrypts portions of its code or data using those attributes as input, thus preventing itself from being run on an unintended system (e.g., sandbox, emulator, etc.). Also see Deposited Keys Method. The subsequently defined ATT&CK sub-technique Execution Guardrails: Environmental Keying (T1480.001) is related to this MBC method. |
GetVolumeInformation | B0025.003 | This Windows API call is used to get the GUID on a system drive. Malware compares it to a previous (targeted) GUID value and only executes maliciously if they match. This behavior can be mitigated in non-automated analysis environments. |
Host Fingerprint Check | B0025.004 | Compare a previously computed host fingerprint (e.g., based on installed applications) to the current system's to determine if the malware instance is still executing on the same system. If not, execution stops, making debugging or sandbox analysis more difficult. |
Runs as Service | B0025.007 | The malware must be run as a service, which can make behavioral analysis and debugging more difficult. The service may be set up by the malware. Alternatively, the malware may not contain any code to create a new service or modify an existing service, in which case, the service may be set up by another program or manually. [2] |
Secure Triggers | B0025.005 | Code and/or data is encrypted until the underlying system satisfies a preselected condition unknown to the analyst (this is a form of Deposited Keys). |
Suicide Exit | B0025.001 | Malware terminates its execution based on a trigger condition or value (or because it has completed). |
Token Check | B0025.006 | A token's presence is checked to allow the program to run (ex: dongle, CD/DVD, key, file, network, etc.). If the token is specific to a hardware element (ex: disk, OS, CPU, NIC MAC, etc.), it is considered fingerprinting. |
Name | Date | Method | Description |
---|---|---|---|
WebCobra | 2018 | -- | The malware executes differently depending on whether it's running on an x86 or x64 system. [1] |
Conficker | 2008 | -- | Conficker A variant has a routine that causes the process to suicide exit if the keyboard language is set to Ukranian. [8] |
Conficker | 2008 | B0025.001 | Conficker B variant has significantly more suicide logic embedded in its code and employs anti-debugging features to avoid reverse engineering attempts. [5] |
Ursnif | 2016 | B0025.004 | Macros check if there are at least 50 running processes with a graphical interface, check if a list of blacklisted processes are running, and checks if the application is running in Australia and is NOT affiliated with a select group of networks (Security Research, Hospitals, Universities, Veterans, etc.). [3] |
Mebromi | 2011 | -- | Malware only proceeds if it detects the BIOS ROM is Award BIOS. [4] |
Stuxnet | 2010 | B0025.004 | Stuxnet checks for specific operating systems on 32-bit machines, registry keys, and dates to profile a potential target machine before execution. If the conditions are not met to be considered a viable target, it will exit execution. [6] |
Hupigon | 2013 | B0025.007 | Hupigon can run as a service. [7] |
Shamoon | 2012 | B0025.007 | Shamoon can run as a service. [7] |
Tool: capa | Mapping | APIs |
---|---|---|
run as service | Conditional Execution::Runs as Service (B0025.007) | RegisterServiceCtrlHandler, RegisterServiceCtrlHandlerEx, StartServiceCtrlDispatcher, System.ServiceProcess.ServiceBase::Run |
[1] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/
[2] https://reverseengineering.stackexchange.com/questions/2019/debugging-malware-that-will-only-run-as-a-service
[3] https://www.proofpoint.com/us/threat-insight/post/ursnif-banking-trojan-campaign-sandbox-evasion-techniques
[4] https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/
[5] http://www.csl.sri.com/users/vinod/papers/Conficker/
[6] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
[7] capa v4.0, analyzed at MITRE on 10/12/2022