|**ID**|**Objective(s)**|**Related ATT&CK Techniques**|**Version**|**Created**|**Last Modified**|
|----|----|----|----|----|----|
|C0043|Process|None|2.2|4 December 2020|30 April 2024|

# Check Mutex

Malware checks whether a named mutex exists.

## Use in Malware

|**Name**|**Date**|**Method**|**Description**|
|----|----|----|----|
|Poison Ivy|2005|--|Poison Ivy variant checks if the wireshark-is-running{} named mutex object exists. [1]|
|Matanbuchus|2021|--|Malware checks whether its mutex already exists, i.e., whether multiple instances are running. If multiple instances are running, the malware exits. [2] [3]|

## Detection

|**Tool: capa**|**Mapping**|**APIs**|
|----|----|----|
|check mutex|Check Mutex (C0043)|kernel32.OpenMutex, System.Threading.Mutex::OpenExisting, System.Threading.Mutex::TryOpenExisting, kernel32.GetLastError|
|check mutex and exit|Check Mutex (C0043)|ExitProcess, exit, _Exit, _exit, WaitForSingleObject, GetLastError|

|**Tool: CAPE**|**Class**|**Mapping**|**APIs**|
|----|----|----|----|
|antivm_vpc_mutex|VPCDetectMutex|Check Mutex (C0043)|--|
|antisandbox_sboxie_mutex|AntisandboxSboxieMutex|Check Mutex (C0043)|--|
|antivm_vmware_mutexes|VMwareDetectMutexes|Check Mutex (C0043)|--|
|purplewave_mutexes|PurpleWaveMutexes|Check Mutex (C0043)|--|

## C0043 Snippet

Process::Check Mutex SHA256: 0b8e662e7e595ef56396a298c367b74721d66591d856e8a8241fcdd60d08373c Location: 0x40294C

```asm
push    eax             ; lpName: name of the mutex to be opened
push    0x0             ; bInheritHandle: do not let child processes inherit the handle (FALSE)
push    0x1f0001        ; dwDesiredAccess: MUTEX_ALL_ACCESS
call    dword ptr [->KERNEL32.DLL::OpenMutexW]  ; try to open the named mutex
test    eax, eax        ; did OpenMutexW return NULL (mutex could not be opened)?
jz      LAB_00402976    ; if so, jump to LAB_00402976 and continue from there
```
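The capa mappings above and the snippet describe the same sequence: an OpenMutex*-style call, a test of its return value, and sometimes an exit call or GetLastError afterwards. The following added example (not part of the MBC entry or of capa) is a small heuristic that scans textual x86 disassembly for that sequence; the listing it scans is constructed, with only the OpenMutexW fragment mirroring the page's snippet, and the exit path after it is made up. The same API sequence also appears in legitimate single-instance applications, so a hit is a triage lead, not a verdict.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed x86 listing: the OpenMutexW fragment mirrors the page's snippet;
# the exit path after it is made up so the "check mutex and exit" case appears.
SAMPLE_LISTING = """
    push    eax                                     ; lpName
    push    0x0                                     ; bInheritHandle = FALSE
    push    0x1f0001                                ; MUTEX_ALL_ACCESS
    call    dword ptr [->KERNEL32.DLL::OpenMutexW]
    test    eax, eax
    jz      LAB_00402976                            ; NULL: mutex absent, carry on
    push    0x0
    call    dword ptr [->KERNEL32.DLL::ExitProcess] ; handle returned: another instance exists
LAB_00402976:
    call    dword ptr [->KERNEL32.DLL::GetLastError]
"""
# API names from the capa mapping above (Win32 and .NET spellings).
OPEN_MUTEX = re.compile(r"OpenMutex[AW]?\b|Mutex::(?:Try)?OpenExisting\b")
EXIT_CALL = re.compile(r"\b(?:ExitProcess|_?_?[Ee]xit)\b")
LAST_ERROR = re.compile(r"\bGetLastError\b")
# "<label:> mnemonic operands ; comment" -- label-only lines do not match.
INSTR = re.compile(r"^\s*(?:\w+:)?\s*([a-z][a-z0-9]*)\s*([^;]*?)\s*(?:;.*)?$")

@dataclass
class Finding:
    line_no: int          # listing line holding the OpenMutex* call
    result_checked: bool  # return value tested (test eax,eax / cmp eax,...)
    exits: bool           # ExitProcess/exit/_exit/_Exit called in the window
    last_error: bool      # GetLastError consulted in the window

def find_check_mutex(listing: str, window: int = 8) -> list[Finding]:
    """Report every OpenMutex*-style call and what the next `window` instructions do."""
    instrs = []
    for no, raw in enumerate(listing.splitlines(), 1):
        m = INSTR.match(raw)
        if m:
            instrs.append((no, m.group(1), m.group(2)))
    findings = []
    for i, (no, mnem, ops) in enumerate(instrs):
        if mnem != "call" or not OPEN_MUTEX.search(ops):
            continue
        tail = instrs[i + 1:i + 1 + window]
        checked = any((mn == "test" and op.replace(" ", "") == "eax,eax")
                      or (mn == "cmp" and op.startswith("eax")) for _, mn, op in tail)
        exits = any(mn == "call" and EXIT_CALL.search(op) for _, mn, op in tail)
        last_err = any(mn == "call" and LAST_ERROR.search(op) for _, mn, op in tail)
        findings.append(Finding(no, checked, exits, last_err))
    return findings
```

Run `find_check_mutex(SAMPLE_LISTING)` to get one finding at listing line 5 with all three flags set; a benign single-instance guard that opens the mutex and then creates it yields `exits == False`.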

## References

[1] https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-variant

[2] https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/

[3] https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-a-quirky-loader