This presents an anti-sandbox technique used by the LummaC2 v4.0 malware, which employs trigonometry to detect mouse movements consistent with human behavior, thus avoiding execution in sandbox environments.
The technique involves capturing the mouse position at regular intervals and calculating the angles between vectors formed by these positions. If the calculated angles are smaller than a predefined threshold, the movement is considered "human," and the malware continues execution. Otherwise, the malware restarts the verification.
Initially, the malware checks if any cursor movement occurred. The malware captures the initial mouse position, and after a 300-millisecond interval, captures the new position. If the new position differs from the initial one, it indicates that mouse movement occurred. If no movement is detected, the process restarts.
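
For sandbox operators, the check described above can be replayed offline against recorded cursor traces to see how an input simulator's output would be classified. This is an added example, not code from the malware or from the original write-up; the threshold value, the function names and the sample traces are assumptions constructed for illustration.

```python
import math

# Assumption: the page only says "a predefined threshold"; this value is a placeholder.
ASSUMED_THRESHOLD_DEG = 45.0

def turn_angles(points):
    """Angles (degrees) between consecutive movement vectors of a cursor trace."""
    vectors = [(x2 - x1, y2 - y1) for (x1, y1), (x2, y2) in zip(points, points[1:])]
    angles = []
    for (ax, ay), (bx, by) in zip(vectors, vectors[1:]):
        na, nb = math.hypot(ax, ay), math.hypot(bx, by)
        if na == 0 or nb == 0:
            angles.append(None)  # cursor idle during one interval: angle undefined
            continue
        cos_t = (ax * bx + ay * by) / (na * nb)
        # Clamp against floating-point drift before acos.
        angles.append(math.degrees(math.acos(max(-1.0, min(1.0, cos_t)))))
    return angles

def classify_trace(points, threshold_deg=ASSUMED_THRESHOLD_DEG):
    """Label a recorded trace the way the described check would treat it."""
    if len(points) < 3:
        return "too-short"
    if points[0] == points[1]:
        return "no-movement"      # initial movement check fails
    angles = turn_angles(points)
    if any(a is None for a in angles):
        return "no-movement"      # assumption: an idle interval counts as no movement
    if all(a < threshold_deg for a in angles):
        return "human-like"       # every turn is below the threshold
    return "restart"              # at least one sharp turn: verification restarts

# Constructed sample traces (x, y), one sample per polling interval.
SMOOTH = [(100, 100), (112, 104), (125, 110), (137, 118), (148, 128)]  # gentle arc
JUMPY = [(100, 100), (400, 120), (90, 300), (500, 50), (60, 60)]       # random teleports
STATIC = [(250, 250)] * 5                                              # cursor never moves

if __name__ == "__main__":
    for name, trace in (("smooth", SMOOTH), ("jumpy", JUMPY), ("static", STATIC)):
        angles = ["n/a" if a is None else f"{a:.1f}" for a in turn_angles(trace)]
        print(f"{name:7s} angles={angles} -> {classify_trace(trace)}")
```

A simulator that leaves the cursor idle or moves it to random coordinates lands in the "no-movement" or "restart" class, so a sample using this check would not proceed to its main behavior during the analysis window.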