Anthropic-Cybersecurity-Skills/skills/analyzing-malware-sandbox-evasion-techniques/references/api-reference.md
# Malware Sandbox Evasion Techniques API Reference
## MITRE ATT&CK T1497 Sub-techniques
| Sub-technique | ID | Evasion Method |
|---|---|---|
| System Checks | T1497.001 | VM artifacts, registry keys, MAC prefixes, process names |
| User Activity Based Checks | T1497.002 | Mouse movement, keyboard input, foreground window |
| Time Based Evasion | T1497.003 | GetTickCount, sleep inflation, RDTSC timing |
## Cuckoo Sandbox Report JSON Structure
### API Call Format
```json
{
  "behavior": {
    "processes": [
      {
        "process_name": "malware.exe",
        "pid": 1234,
        "calls": [
          {
            "api": "GetTickCount",
            "category": "system",
            "arguments": {},
            "return": "123456789"
          }
        ]
      }
    ]
  }
}
```
Field names differ between Cuckoo generations: 2.x reports carry the result in `return_value` and `arguments` as a name-to-value object, while 1.x reports use `return` (a string) and `arguments` as a list of `{"name": ..., "value": ...}` entries. A parser should accept both shapes before matching on the `api` field.
## Timing API Indicators
| API | Purpose | Evasion Use |
|---|---|---|
| GetTickCount / GetTickCount64 | Milliseconds since boot | Uptime below roughly 20 min suggests a freshly booted sandbox VM |
| QueryPerformanceCounter | High-resolution timer | Time a Sleep call; elapsed time far shorter than requested reveals sleep skipping |
| GetSystemTimeAsFileTime | Wall-clock system time | Compare before and after a delay to catch an accelerated or patched clock |
| NtQuerySystemTime | Kernel time query | Cross-check against the user-mode clock; a hook that patches only one of them leaves a gap |
| RDTSC | CPU timestamp counter (an instruction, not an API) | Two reads around a trapping instruction such as CPUID expose hypervisor exit overhead |
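A finder for the timing indicators above, run over the Cuckoo call format from the previous section. This is an added example, not the skill's own `agent.py`; the sleep-argument keys it looks for (`milliseconds`, `dwMilliseconds`) and the embedded sample report are assumptions, and the 30000 ms default mirrors the `--min-sleep-ms 30000` value shown under CLI Usage.

```python
"""Time-based evasion (ATT&CK T1497.003) finder for a Cuckoo-style report.

Added example; it is not the skill's agent.py. The sleep argument names in
SLEEP_ARG_KEYS and the sample report below are assumptions for illustration.
"""
import json
from collections import Counter

# Timing APIs from the table above.
TIMING_APIS = {"GetTickCount", "GetTickCount64", "QueryPerformanceCounter",
               "GetSystemTimeAsFileTime", "NtQuerySystemTime"}
# Delay APIs whose argument carries the requested sleep length.
SLEEP_APIS = {"NtDelayExecution", "Sleep", "SleepEx"}
# Assumed argument keys for the delay; adjust to your monitor's naming.
SLEEP_ARG_KEYS = ("milliseconds", "dwMilliseconds", "Milliseconds")
UPTIME_FLOOR_MS = 20 * 60 * 1000  # the "uptime < 20 min" heuristic


def iter_calls(report):
    """Yield (process_name, call) for every logged API call."""
    for proc in report.get("behavior", {}).get("processes", []):
        for call in proc.get("calls", []):
            yield proc.get("process_name", "?"), call


def call_args(call):
    """Return arguments as a dict (Cuckoo 1.x logs a list of name/value pairs)."""
    args = call.get("arguments") or {}
    if isinstance(args, list):
        args = {a.get("name"): a.get("value") for a in args}
    return args


def return_value(call):
    """Cuckoo 2.x uses return_value, 1.x uses return."""
    return call.get("return_value", call.get("return"))


def requested_sleep_ms(call):
    args = call_args(call)
    for key in SLEEP_ARG_KEYS:
        if key in args:
            try:
                return int(args[key])
            except (TypeError, ValueError):
                return None
    return None


def analyze_timing(report, min_sleep_ms=30000, burst_threshold=20):
    """Return findings: evasion behaviour by the sample, plus sandbox exposure
    (a low GetTickCount value that a sample could use to spot the sandbox)."""
    findings = []
    timer_calls = Counter()      # (process, api) -> call count
    sleep_per_proc = Counter()   # process -> cumulative requested sleep
    long_sleep_procs = set()

    def add(kind, proc, reason):
        findings.append({"technique": "T1497.003", "kind": kind,
                         "process": proc, "reason": reason})

    for proc, call in iter_calls(report):
        api = call.get("api", "")
        if api in TIMING_APIS:
            timer_calls[(proc, api)] += 1
            ret = str(return_value(call))
            if (api.startswith("GetTickCount") and ret.isdigit()
                    and int(ret) < UPTIME_FLOOR_MS):
                add("exposure", proc,
                    f"{api} returned {int(ret) // 60000} min uptime (< 20 min)")
        elif api in SLEEP_APIS:
            ms = requested_sleep_ms(call)
            if ms is None:
                continue
            sleep_per_proc[proc] += ms
            if ms >= min_sleep_ms:
                long_sleep_procs.add(proc)
                add("evasion", proc, f"{api} requested {ms} ms delay")

    # Many timer reads in one process point to a timing loop or sleep-accuracy check.
    for (proc, api), n in timer_calls.items():
        if n >= burst_threshold:
            add("evasion", proc, f"{api} called {n} times")
    # Many short sleeps that add up: stalling split into pieces to dodge sleep skipping.
    for proc, total in sleep_per_proc.items():
        if proc not in long_sleep_procs and total >= min_sleep_ms:
            add("evasion", proc, f"cumulative sleep {total} ms across short delays")
    return findings


# Constructed sample report (not real sandbox output).
SAMPLE_REPORT = {"behavior": {"processes": [{
    "process_name": "malware.exe", "pid": 1234,
    "calls": [
        {"api": "GetTickCount", "category": "system", "arguments": {},
         "return": "540000"},
        {"api": "NtDelayExecution", "category": "system",
         "arguments": {"milliseconds": "60000"}, "return_value": 0},
    ] + [{"api": "QueryPerformanceCounter", "category": "system",
          "arguments": {}, "return_value": 1} for _ in range(25)],
}]}}

if __name__ == "__main__":
    print(json.dumps(analyze_timing(SAMPLE_REPORT), indent=2))
```

On the sample this yields three findings: an `exposure` entry because GetTickCount reported nine minutes of uptime, and two `evasion` entries for the 60 s NtDelayExecution and the burst of QueryPerformanceCounter reads. The cumulative-sleep rule only fires when no single delay crossed the threshold, so fragmented stalling is reported once per process rather than duplicating a long-sleep finding.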
## VM Artifact Indicators
### Registry Keys
```
HKLM\SOFTWARE\VMware, Inc.\VMware Tools
HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
HKLM\HARDWARE\ACPI\DSDT\VBOX__
HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest
```
### VM Process Names
```
vmtoolsd.exe, vmwaretray.exe # VMware
vboxservice.exe, vboxtray.exe # VirtualBox
qemu-ga.exe # QEMU
prl_tools.exe # Parallels
```
### VM MAC Address Prefixes
```
00:0C:29 VMware
00:50:56 VMware
08:00:27 VirtualBox
00:1C:42 Parallels
52:54:00 QEMU/KVM
```
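A matcher that applies the three indicator lists above (registry keys, process names, MAC prefixes) to the strings a sample touched in a Cuckoo-style report. This is an added example, not the skill's own `agent.py`; the argument names in the constructed sample (`regkey`, `process_name`, `filepath`) are assumptions about how a monitor labels those values, and the `host_macs` parameter is an added convenience for checking the sandbox guest's own adapters.

```python
"""VM artifact (ATT&CK T1497.001) matcher for a Cuckoo-style report.

Added example; it is not the skill's agent.py. The argument names in the
constructed sample (regkey, process_name, filepath) are assumptions about
how a monitor labels those values.
"""
import re

# Indicator lists from the sections above, mapped to the hypervisor they reveal.
VM_REGISTRY_KEYS = {
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools": "VMware",
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions": "VirtualBox",
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": "VirtualBox",
    r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest": "VirtualBox",
}
VM_PROCESSES = {
    "vmtoolsd.exe": "VMware", "vmwaretray.exe": "VMware",
    "vboxservice.exe": "VirtualBox", "vboxtray.exe": "VirtualBox",
    "qemu-ga.exe": "QEMU", "prl_tools.exe": "Parallels",
}
VM_MAC_PREFIXES = {
    "00:0C:29": "VMware", "00:50:56": "VMware", "08:00:27": "VirtualBox",
    "00:1C:42": "Parallels", "52:54:00": "QEMU/KVM",
}
# Sandboxes log the long hive name; fold it to the short form used above.
HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
                "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU"}
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})"
                    r"(?:[:-][0-9A-Fa-f]{2}){3}\b")


def normalize_regkey(key):
    """Lower-case, backslash-separated path with a short hive name."""
    key = key.replace("/", "\\").strip("\\")
    hive, sep, rest = key.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return (hive + sep + rest).lower()


def iter_strings(report):
    """Yield (process_name, api, value) for every string argument logged."""
    for proc in report.get("behavior", {}).get("processes", []):
        for call in proc.get("calls", []):
            args = call.get("arguments") or {}
            if isinstance(args, list):  # Cuckoo 1.x name/value list
                args = {a.get("name"): a.get("value") for a in args}
            for value in args.values():
                if isinstance(value, str):
                    yield proc.get("process_name", "?"), call.get("api", ""), value


def find_vm_artifacts(report, host_macs=()):
    """Match logged strings against the indicator lists.

    host_macs: MAC addresses of the sandbox guest itself (supplied by the
    analyst); a vendor prefix there is an exposure, not sample behaviour.
    """
    reg_index = {normalize_regkey(k): (k, v) for k, v in VM_REGISTRY_KEYS.items()}
    findings, seen = [], set()

    def add(proc, api, kind, indicator, vendor):
        if (proc, kind, indicator) not in seen:  # one finding per indicator/process
            seen.add((proc, kind, indicator))
            findings.append({"technique": "T1497.001", "process": proc, "api": api,
                             "kind": kind, "indicator": indicator, "vendor": vendor})

    for proc, api, value in iter_strings(report):
        if "\\" in value or "/" in value:
            norm = normalize_regkey(value)
            for norm_key, (orig, vendor) in reg_index.items():
                if norm.startswith(norm_key):  # values and subkeys under the key count too
                    add(proc, api, "registry", orig, vendor)
        base = value.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in VM_PROCESSES:
            add(proc, api, "process", base, VM_PROCESSES[base])
        for m in MAC_RE.finditer(value):
            prefix = ":".join(m.groups()).upper()
            if prefix in VM_MAC_PREFIXES:
                add(proc, api, "mac", prefix, VM_MAC_PREFIXES[prefix])

    for mac in host_macs:
        m = MAC_RE.match(mac)
        prefix = ":".join(m.groups()).upper() if m else ""
        if prefix in VM_MAC_PREFIXES:
            add("sandbox-guest", "", "mac", prefix, VM_MAC_PREFIXES[prefix])
    return findings


# Constructed sample report (not real sandbox output).
SAMPLE_REPORT = {"behavior": {"processes": [{
    "process_name": "malware.exe", "pid": 1234,
    "calls": [
        {"api": "RegOpenKeyExW", "category": "registry", "return_value": 2,
         "arguments": {"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\VMware, Inc.\\VMware Tools"}},
        {"api": "RegQueryValueExW", "category": "registry", "return_value": 2,
         "arguments": {"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\VMware, Inc.\\VMware Tools\\InstallPath"}},
        {"api": "Process32NextW", "category": "process", "return_value": 1,
         "arguments": {"process_name": "C:\\Windows\\System32\\vboxtray.exe"}},
        {"api": "NtCreateFile", "category": "filesystem", "return_value": 0,
         "arguments": {"filepath": "C:\\Users\\user\\notes.txt"}},
    ],
}]}}

if __name__ == "__main__":
    for finding in find_vm_artifacts(SAMPLE_REPORT, host_macs=["08:00:27:12:34:56"]):
        print(finding)
```

Two details matter in practice: the monitor writes `HKEY_LOCAL_MACHINE`, not `HKLM`, so keys are normalised before prefix matching, and a query for a value beneath an indicator key (the `InstallPath` read in the sample) still counts as probing that key. The registry hit is deduplicated per process, so the sample produces one VMware registry finding, one VirtualBox process finding, and, with `host_macs` set, one MAC finding flagged against the sandbox guest rather than the sample.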
## AnyRun Report API
### Get Report
```
GET https://api.any.run/v1/analysis/{task_id}
Authorization: API-Key <key>
```
## CLI Usage
```bash
python agent.py --report cuckoo_report.json --output evasion_report.json
python agent.py --report report.json --min-sleep-ms 30000
```