Surprisingly, the results were exactly the same. The sample did not show any suspicious activities during execution on the physical machine. Based on this finding, it looked obvious that the sample either does not run at all or only runs on virtual machines. To validate that, we disabled the randomization of virtual machine artifacts within a cookbook:
Finally, we analyzed the sample a second time:
As the signature overview outlines, the sample opened a listening socket on port 8000, dropped a new PE file and created a startup key. This malicious behavior confirms that the sample (which seems to be a version of the Gamarue Worm) only runs on virtual machines. This is quite funny, since malware authors usually try to prevent their code from running on virtual machines to hinder automated analysis. So it seems to be a cool programming mistake.
A deeper look with Hybrid Code Analysis revealed that the sample only works on VirtualBox, VMware and QEMU:
Full sample report:
Update 1: Thanks to advanced_reddit_user for pointing out that our analysis was wrong. He outlined that the payload we see only on VMs (the copy to svchost.exe and the listener on port 8000) is fake behavior of a trojan called Andromeda. The real payload is only shown if the volume name of the system drive equals a specific checksum.
Update 2: We confirm the finding by advanced_reddit_user:
Analysis Report:
Changing the drive volume name to CKF81X:
Analysis Report: