Monday, November 4, 2013

Sandbox Overloading with GetSystemTimeAdjustment

Lately we came across an interesting sample (MD5: b4f310f5cc7b9cd68d919d50a8415974) we would like to share with you. An initial analysis spotted:



To summarize, the sample does not seem to show any interesting behavior at all. However, a closer look revealed:


The process calls GetSystemTimeAdjustment more than 1.8M times. Since Joe Sandbox hooks this API, and each hooked call adds some computation time, the overall execution of the sample slows down dramatically, and because of the limited execution time the payload is never reached. We already outlined this technique, named "Sandbox overloading", in a previous blog post. Function 4011B4 shows that GetSystemTimeAdjustment is called 7.8M times:


After the loop some anti-emulation routines follow and finally the payload is executed. Since overloading techniques are generic, they affect a wide range of dynamic malware analysis systems and are therefore very powerful. It is thus important to have technologies that quickly detect and counter such techniques.
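As an added example (not code from the original post or from Joe Sandbox), a defender-side check that scans a sandbox API trace for one process hammering a single hooked API so often that the per-call hook overhead alone would exhaust the analysis time budget; the trace line format, the 50 µs hook cost per call and the 120 s budget are assumptions, and the sample trace is constructed:

```python
"""Flag 'sandbox overloading' in an API-call trace: one process calling a
single hooked API so often that the hook overhead eats the analysis budget.
The trace line format and the per-call hook cost are assumptions."""
import re

# Assumed trace line format: "<seconds> <pid> <ApiName>(...)".
LINE_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<pid>\d+)\s+(?P<api>\w+)\(")


def parse_trace(text):
    """Yield (timestamp, pid, api); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m["t"]), int(m["pid"]), m["api"]


def summarize(records):
    """Per (pid, api): call count plus first and last timestamp seen."""
    stats = {}
    for t, pid, api in records:
        s = stats.setdefault((pid, api), {"calls": 0, "first": t, "last": t})
        s["calls"] += 1
        s["last"] = max(s["last"], t)
    return stats


def projected_hook_overhead(calls, hook_cost_s):
    """Seconds the sandbox spends inside its hook for `calls` invocations."""
    return calls * hook_cost_s


def find_overloading(text, budget_s=120.0, hook_cost_s=50e-6, min_calls=100_000):
    """Return (pid, api, calls, overhead_s, exceeds_budget) for every
    (pid, api) pair called at least min_calls times, hottest first."""
    hits = []
    for (pid, api), s in summarize(parse_trace(text)).items():
        if s["calls"] >= min_calls:
            overhead = projected_hook_overhead(s["calls"], hook_cost_s)
            hits.append((pid, api, s["calls"], round(overhead, 3),
                         overhead >= budget_s))
    return sorted(hits, key=lambda h: -h[2])


def build_sample_trace(hot_calls=200_000):
    """Constructed trace: a few ordinary startup calls, then one tight loop."""
    lines = ["0.000 1234 GetModuleHandleW(...)", "0.001 1234 CreateFileW(...)"]
    lines += [f"{0.002 + i * 1e-5:.5f} 1234 GetSystemTimeAdjustment(...)"
              for i in range(hot_calls)]
    lines.append("9.000 1234 CreateProcessW(...)")
    return "\n".join(lines)
```

With the assumed 50 µs hook cost, the 7.8M calls reported above project to about 390 s of hook time, well beyond a 120 s budget, which is why the payload never runs.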

Full analysis available:

- Joe Sandbox 8.0.0 Analysis b4f310f5cc7b9cd68d919d50a8415974