Friday, July 24, 2015

Hacking Team-inspired Anti-VM Trick spotted in the Wild

Two days ago we came across an interesting sample (MD5: 9437eabf2fe5d32101e3fbf9f6027880, source: ThreatWave). The sample was unknown at that time and did not look interesting from a dynamic behavior analysis perspective either. However, a few small outliers caught our attention:




We first ran the sample on a virtual machine. The overall score was only "suspicious", but several of the behavior signatures (Joe Sandbox's behavior signature set currently includes over 850 signatures) flagged anti-VM, anti-sandbox and anti-debugging tricks.

To verify that the sample had detected the virtual machine, we ran it on a native analysis machine. A native analysis machine is a plain physical machine, such as a real laptop or PC. All our products, including Joe Sandbox Cloud, support analysis on physical machines. Compared to virtual machines or emulators (e.g. QEMU or Bochs), a physical machine cannot easily be detected. In addition, you can use an existing laptop or PC from your (company) network directly for analysis. This makes an ideal malware analysis system, since there is no difference between it and a real target system. Some results from the analysis run on the physical machine:







As the report excerpts show, the sample persisted itself and also exhibited some very interesting network behavior. We analyzed the anti-VM, anti-sandbox and anti-debugging tricks in more depth. The sample reads the following registry values, which in a virtual machine commonly carry the hypervisor vendor's name:

  • HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System, SystemBiosVersion
  • HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System, VideoBiosVersion
  • HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0, Identifier
Another interesting trick used by the malware is checking for PCI devices unique to virtual machine hardware:


What is actually compared are the PCI vendor IDs embedded in the device instance strings: VEN_80EE (VirtualBox), VEN_1AB8 (Parallels) and VEN_15AD (VMware). This detection looks very similar to the one used by Hacking Team, which was also recently added to Pafish:


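As an added illustration (this is not code from the sample, from Hacking Team, from Pafish or from Joe Sandbox), the following Python re-implements the two checks discussed in this post: the PCI vendor ID comparison above and a substring check over the registry values listed earlier. It assumes that PCI devices are enumerated from the Plug and Play keys Windows creates under HKLM\SYSTEM\CurrentControlSet\Enum\PCI, whose subkey names carry the VEN_xxxx field. The marker substrings used for the SystemBiosVersion, VideoBiosVersion and SCSI Identifier values are an assumption as well, since the post does not say which strings the sample compares them against. All sample inputs in the block are constructed.

```python
"""Added example (not the sample's, Hacking Team's, Pafish's or Joe Sandbox's
code): the PCI vendor ID anti-VM check described in the post, plus a
substring check over the registry values listed earlier in the post.

Windows' Plug and Play manager creates one subkey per detected PCI device
under HKLM\\SYSTEM\\CurrentControlSet\\Enum\\PCI, named like
"VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00". Reading the VEN_ field from
those subkey names is the enumeration method assumed here.
"""
import re
import sys

PCI_ENUM_KEY = r"SYSTEM\CurrentControlSet\Enum\PCI"

# Vendor IDs named in the post. The comparison is case-insensitive because the
# registry writes them in uppercase while the post quotes them in lowercase.
HYPERVISOR_VENDORS = {"80EE": "VirtualBox", "1AB8": "Parallels", "15AD": "VMware"}

# Assumed marker substrings for SystemBiosVersion / VideoBiosVersion / SCSI
# Identifier. The post does not say what the sample compares against; these
# are the strings commonly found in those values inside VM guests.
BIOS_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "PARALLELS")

_VEN_RE = re.compile(r"VEN_([0-9A-F]{4})", re.IGNORECASE)


def vendor_id(device_key_name):
    """Return the four-hex-digit PCI vendor ID from an Enum\\PCI subkey name, or None."""
    match = _VEN_RE.search(device_key_name)
    return match.group(1).upper() if match else None


def detect_hypervisors(device_key_names):
    """Return the set of hypervisor names whose PCI vendor ID appears in the list."""
    return {HYPERVISOR_VENDORS[v]
            for v in map(vendor_id, device_key_names)
            if v in HYPERVISOR_VENDORS}


def bios_strings_flag_vm(values):
    """Return the sorted list of marker substrings found in the BIOS/SCSI values."""
    joined = " ".join(str(v) for v in values if v is not None).upper()
    return sorted(m for m in BIOS_MARKERS if m in joined)


def enumerate_pci_devices():
    """Windows only: list the subkey names under HKLM\\SYSTEM\\CurrentControlSet\\Enum\\PCI."""
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PCI_ENUM_KEY) as key:
        count = winreg.QueryInfoKey(key)[0]
        return [winreg.EnumKey(key, i) for i in range(count)]


def read_bios_strings():
    """Windows only: read the three registry values listed in the post (None if absent)."""
    import winreg
    targets = [
        (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
        (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
        (r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier"),
    ]
    values = []
    for path, name in targets:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                data = winreg.QueryValueEx(key, name)[0]
                # SystemBiosVersion is REG_MULTI_SZ and comes back as a list; flatten it
                values.append(" ".join(data) if isinstance(data, list) else data)
        except OSError:
            values.append(None)
    return values


# Constructed sample input: Enum\PCI subkey names as they would appear in a
# VirtualBox guest (80EE:BEEF graphics adapter, 80EE:CAFE guest service),
# with an Intel host bridge (8086:1237) mixed in.
SAMPLE_PCI_VBOX_GUEST = [
    "VEN_8086&DEV_1237&SUBSYS_00000000&REV_02",
    "VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00",
    "VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00",
]
# Constructed sample values for the three registry entries in a VirtualBox guest.
SAMPLE_BIOS_VBOX_GUEST = ["VBOX - 1", "Oracle VM VirtualBox VGA BIOS", "VBOX HARDDISK"]

if __name__ == "__main__":
    if sys.platform == "win32":
        pci, bios = enumerate_pci_devices(), read_bios_strings()
    else:
        pci, bios = SAMPLE_PCI_VBOX_GUEST, SAMPLE_BIOS_VBOX_GUEST
    print("PCI vendor IDs point to:", sorted(detect_hypervisors(pci)) or "no hypervisor")
    print("BIOS/SCSI strings contain:", bios_strings_flag_vm(bios) or "no VM marker")
```

Run on a Windows analysis VM, the script queries the live registry and reports which of the three vendor IDs and which marker strings the guest exposes; anywhere else it falls back to the constructed samples. Because both checks are plain string comparisons, a sandbox that wants to pass them has to change what the guest sees in these keys, not merely hook the calls that read them.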
We have updated all our products to evade this detection on virtual machines. Full Joe Sandbox 12.5.0 analyses: