GET /api/techniques/168/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 168,
    "key": "detecting-online-sandbox",
    "unprotect_id": "U1338",
    "name": "Detecting Online Sandbox",
    "description": "Online sandbox has become very popular for malware analysis. Several malware authors employ such techniques to avoid detection and analysis. Some of these techniques will be summarized here.\r\n\r\n* Any.Run uses a fake root certificate to spy on sandbox traffic. The first information about the system can be obtained by querying the information of the root certificate. In addition, the QEMU Agent is modified and used to monitor the applications running in the virtual machine allowing the sandbox to do API hooking and monitor the analyzed process. If a process name such as \"srvpost.exe\" is running and the \"winanr.dll\", \"winsanr.dll\" libraries are loaded, it is possible to detect the Any.Run agent.\r\n\r\n* Any.Run offers many packages to their users. And in addition to the features they are offering in these packages, they also determine the maximum number of minutes for active analysis. For example, you can analyze a file for 5 minutes by default with the Searcher package, that you pay 90 dollars to acquire, and you can make this time a maximum of 10 minutes by adding time in interactive mode. The sechost.dll in the agent contains and transmits the timing metrics of ANY.RUN. When we suspend this thread, Any.Run stops its counter and the analysis continues until it drops to timeout.",
    "resources": "https://malwation.com/offensive-approach-to-online-sandboxes-1-any-run/\nhttps://gist.github.com/kaganisildak/4ff8adcaba2521a28a7029d61c265d16\nhttps://app.any.run/tasks/5bff31df-4688-41b1-a73a-d15d30e7ac54/\nhttps://app.any.run/",
    "creation_date": "2021-03-10T14:32:11Z",
    "tags": "",
    "modification_date": "2023-10-04T10:44:43.778000Z",
    "category": [
        1
    ],
    "rules": [],
    "attachments": [],
    "featured_api": [
        2,
        18,
        22,
        23,
        24,
        25,
        26,
        27,
        28,
        29,
        30,
        317,
        320,
        364,
        381,
        412,
        419,
        425
    ],
    "contributors": []
}