
Preventing Sandbox Evasion with Randomized Filenames

In the malware analysis community, it is common to rename a malware sample to its hash value or to add the hash to the filename. This helps analysts identify a sample and store it under a unique filename. The convention saves time and makes collaboration easier. A drawback, however, is that malware can use this convention to detect and evade analysis.

A simple evasion technique used by malware is to check its own filename. If it includes a hash value or specific hash pattern, the malware terminates execution early – possibly without revealing any malicious behavior.

In response, we introduced a new feature in VMRay Analyzer v2.1 to prevent this simple evasion technique by checking submitted samples for their own hash value and randomizing the filename.

Figure 1: Randomized File Names – Check Box

To look closer at this feature, we will analyze a sample that uses this evasion technique. We will upload the file twice, first with the original filename and again with the new feature enabled.

In the first analysis, the sample checks whether the filename contains a hash by using a simple heuristic. The VTI Score in Figure 2 shows the sample terminating if the filename is longer than 32 characters. This check is the evasion technique in action. All common hash algorithms produce digests ranging from 16 bytes (MD5) to 32 bytes (SHA-256), which translates to 32 and 64 hex characters respectively.
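The two checks described above (the sample's "is my name longer than 32 characters" heuristic, and the analyzer's "does the filename contain the sample's own digest" check) can both be expressed in a few lines. The following Python is an added example written for this post; it is not VMRay's code, and the 32-character threshold, the hex-run pattern and the set of digest algorithms are assumptions chosen to match the description above. It also shows the mitigation: replacing the stem with random letters while keeping the extension, so that neither a hash-like run nor an over-long name remains for the sample to find.

```python
import hashlib
import os
import re
import secrets
import string

# Hex runs of the common digest lengths: SHA-256 (64), SHA-1 (40), MD5 (32 chars).
# Longest alternative first, and lookarounds so a 64-char run is not also
# reported as a 32- or 40-char match inside it.  (Assumed pattern, not VMRay's.)
HASH_RE = re.compile(
    r"(?<![0-9a-fA-F])([0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})(?![0-9a-fA-F])"
)


def find_hash_in_filename(filename):
    """Return the first hash-like hex run in the file's base name, lower-cased, or None."""
    m = HASH_RE.search(os.path.basename(filename))
    return m.group(1).lower() if m else None


def name_too_long(filename, limit=32):
    """Approximation of the sample's own evasion check from Figure 2:
    is the file name (including extension) longer than `limit` characters?"""
    return len(os.path.basename(filename)) > limit


def sample_digests(data):
    """Hex digests of the sample bytes for the algorithms analysts commonly name files after."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def own_hash_in_filename(filename, data):
    """Return the algorithm whose digest of `data` appears in the filename, else None.
    This is the analyzer-side check: the name was derived from the sample itself."""
    name = os.path.basename(filename).lower()
    for algo, digest in sample_digests(data).items():
        if digest in name:
            return algo
    return None


def randomized_filename(filename, length=8):
    """Replace the stem with random lowercase letters; keep the extension so the
    sample is still launched the same way.  8 letters can never look like a digest."""
    _, ext = os.path.splitext(os.path.basename(filename))
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length)) + ext


def submission_name(filename, data):
    """Decide what name to submit the sample under.  Returns (name, reason)."""
    algo = own_hash_in_filename(filename, data)
    if algo:
        return randomized_filename(filename), f"filename contains the sample's own {algo} digest"
    if find_hash_in_filename(filename):
        return randomized_filename(filename), "filename contains a hash-like hex run"
    if name_too_long(filename):
        return randomized_filename(filename), "filename longer than 32 characters"
    return os.path.basename(filename), "original name kept"


if __name__ == "__main__":
    # Constructed input: an empty sample named after its own MD5 digest.
    data = b""
    original = sample_digests(data)["md5"] + ".exe"
    print(original, "->", submission_name(original, data))
    print("invoice.exe ->", submission_name("invoice.exe", data))
```

The own-digest check is the stronger of the two: a random 32-character hex string in a filename is merely suspicious, but a string equal to the submitted bytes' digest can only have come from an analysis pipeline, which is exactly what the sample is trying to infer.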

Figure 2: Detected Threats of the first and incomplete analysis

As a result, the malware detects analysis and the actual malicious behavior is not shown.

Figure 3: Excerpt of the code that the malware uses to detect hash values in its filename

Now let’s run the file again using the new randomized naming feature.

We know from the first analysis that a renamed sample is needed to get a complete analysis. Submitting the sample again, the VMRay Analyzer automatically recognizes the hash value in the uploaded filename and suggests the option to rename it.

With a randomized filename we see the complete behavior in the analysis report, resulting in a VTI Score of 98/100. Looking at the process graph (Figure 4), we get a quick overview of the real behavior of the malware. We see the malware masking its presence by using several injection transitions and renaming its image on the hard disk.

Figure 4: Process graph of the analysis with a randomized name

Conclusion

Analyzing malware is often cumbersome and time-consuming, so time management is a constant problem. The ability to randomize filenames that contain the sample's own hash value means VMRay Analyzer can further simplify analysis workflows while increasing analysis accuracy.

View the VMRay Analyzer Reports
Analysis #1: Original File Name
Analysis #2: Randomized File Name Feature Enabled