Description
Summary
Rule Name: detect mouse movement analysis for sandbox evasion
This rule identifies the more sophisticated mouse movement analysis techniques that malware uses to detect sandbox environments through behavioral analysis. Unlike simple position checks, it detects advanced pattern analysis using vector mathematics, API calls placed inside loops, and mouse-click behavioral analysis.
Examples
Hash: 5589857ba6ad8cd0893f4fbba774382222a573d20a2dd71b26b3b4d64f671301
Offset: 0x401594 (main analysis function)
Test file: Submitted to capa-testfiles repository
Context: Educational toy malware created for university project
Current Detection: NOT detected by the existing capa mouse rules, demonstrating a detection gap
Features
The rule combines multiple feature sets to identify three categories of mouse analysis:
Advanced Pattern Analysis:
- api: user32.GetCursorPos
- Math functions: api: msvcrt.acos, api: msvcrt.sqrt, api: msvcrt.atan2
- Timing: api: kernel32.Sleep or api: kernel32.GetTickCount
Simple Position Tracking:
- api: user32.GetCursorPos
- characteristic: loop
- Timing functions for sampling intervals
Mouse-Click Correlation:
- api: user32.GetCursorPos
- Button state: api: user32.GetAsyncKeyState or api: user32.GetKeyState
- Timing correlation functions
Additional context
Academic Research Context: Developed as part of malware sandbox evasion research project analyzing real-world evasion techniques.
Detection Gap: The existing CAPA rule "check for unmoving mouse cursor" only counts if GetCursorPos appears 2+ times. This is easily bypassed by:
- Putting GetCursorPos in a loop
- Using advanced mouse pattern analysis with vector mathematics
Why We Need Both Rules:
- Existing rule: Good for simple static analysis of cursor position checks
- Our proposed rule: Detects complex mouse movement analysis that bypasses simple counting
Validation: Rule passes lint.py --thorough checks and has been tested against the reference sample.
The rule as a text file (I didn't create a PR yet; I want to get feedback first):
detect-mouse-movement-analysis.txt
Rule details
Namespace
anti-analysis/anti-vm/vm-detection
References
- https://evasions.checkpoint.com/src/Evasions/techniques/human-like-behavior.html#check-mouse-movement
- https://www.joesecurity.org/blog/5852460122427342172
- https://unprotect.it/technique/checking-mouse-activity/
Other rule meta information
ATT&CK: Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002]
Authors: tevajdr@gmail.com
Scopes: static: function
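The following is an added illustration of how the three feature sets and the metadata listed in this issue assemble into a single capa rule in the rule-file format. It is not the author's attached detect-mouse-movement-analysis.txt (whose contents are not reproduced here), so the exact logic may differ. Three points are assumptions: the math functions are combined with or (any one of them is enough), the unnamed "timing" functions in the second and third branches are taken to be the same kernel32.Sleep / kernel32.GetTickCount pair as in the first, and dynamic scope is marked unsupported because the issue lists only the static function scope.

```yaml
rule:
  meta:
    name: detect mouse movement analysis for sandbox evasion
    namespace: anti-analysis/anti-vm/vm-detection
    authors:
      - tevajdr@gmail.com
    scopes:
      static: function
      dynamic: unsupported   # assumption: the issue only specifies the static scope
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002]
    references:
      - https://evasions.checkpoint.com/src/Evasions/techniques/human-like-behavior.html#check-mouse-movement
      - https://www.joesecurity.org/blog/5852460122427342172
      - https://unprotect.it/technique/checking-mouse-activity/
    examples:
      - 5589857ba6ad8cd0893f4fbba774382222a573d20a2dd71b26b3b4d64f671301:0x401594
  features:
    - or:
      # 1. advanced pattern analysis: cursor sampling + vector math + timing
      - and:
        - api: user32.GetCursorPos
        - or:                        # assumption: any one math routine suffices
          - api: msvcrt.acos
          - api: msvcrt.sqrt
          - api: msvcrt.atan2
        - or:
          - api: kernel32.Sleep
          - api: kernel32.GetTickCount
      # 2. simple position tracking: one GetCursorPos inside a loop, which the
      #    existing "2 or more" count check in "check for unmoving mouse cursor" misses
      - and:
        - api: user32.GetCursorPos
        - characteristic: loop
        - or:                        # assumption: same timing APIs as branch 1
          - api: kernel32.Sleep
          - api: kernel32.GetTickCount
      # 3. mouse-click correlation: cursor position + button state + timing
      - and:
        - api: user32.GetCursorPos
        - or:
          - api: user32.GetAsyncKeyState
          - api: user32.GetKeyState
        - or:                        # assumption: same timing APIs as branch 1
          - api: kernel32.Sleep
          - api: kernel32.GetTickCount
```

Each of the three and-blocks corresponds to one category from the Features section, so a function needs to satisfy only one category to match; the middle branch is the one that closes the counting bypass described under Detection Gap, because characteristic: loop fires on a single GetCursorPos call site that the existing rule's count of 2 or more does not. The rule is written to be checked with lint.py --thorough, as the issue states was done for the attached version.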