Monday, July 7, 2014

Joe Sandbox aware Malware? Certainly not! But surely!

During the weekend we have been notified by one of our Joe Sandbox Cloud customers that they have found an interesting sample (MD5: D80E956259C858EACCB53C1AFFAF8141) which shows much malicious behavior on a competitor malware analysis system but behaves silently on Joe Sandbox. A first look at the behavior report does not give any clues why it stays silent:




We see that Joe Sandbox has found a function which is used to inject code into remote processes. However the function has not been executed:



As a next step we checked the last behavior actions from the chronological section within the report:


As we see the malware seems to executed some kind of sleep loop. So we checked the last API call before the sleep loop started:


Here comes the interesting part. The code is checking the volume number of the local disk as well as the disk name. In a next step, all software uninstallers are enumerated. Thanks to Hybrid Code Analysis (HCA) we can lookup the function corresponding to this behavior:



This is the key function. First the file name is validated it contains the substring "sample". Then the disk volume ID and name are queried. Finally, it starts the software uninstall key enumeration:


During enumeration it checks if AutoItv3, CCleaner and WIC have present uninstaller entries. Guess what? These software are installed on all our Joe Sandbox Cloud and analyzer VMs. Joe Sandbox uses AutoIt for user emulation and CCleaner is a default system cleaning tool we often use. So this is a very nice and unique fingerprint of a Joe Sandbox Cloud / Analyzer VM. If the three applications are installed on a system the malware redirects to the endless sleep loop previously detected:


To prove our theory we have written quickly a cookbook which deletes the uninstall keys:

Finally result:







So you may wonder how did they know about the software installed on the Joe Sandbox Cloud VMs?
Since more than a year we are running free online services, including www.file-analyzer.net. The analyzer services are highly restricted but still leave some room for spying. We have experienced many attacks for all analyzer services (mostly www.apk-analyzer.net) ranging from simple ID lookups to information gathering and technology bypasses. Therefore, we have changed the free services to registered services. If you would like to use them send us your request and you will get an authentication code.


Full Joe Sandbox 9.5.0 Report available at: