
A few more anti-sandbox tricks…

May 31, 2020 in Anti-*, Sandboxing

Update 2020-06-03

Added more details on MOVES, HABO and Jujubox

Old Post

Today I spotted an article comparing various sandboxes being posted on Twitter. I noticed many of the sandboxes present on VirusTotal were not covered in that article, so I reviewed a couple of reports and added these sandboxes to the list. While doing so, I picked up a few sandbox characteristics that seem to be fixed, and as such, can lead to programmatic identification of these solutions. In my opinion, sandboxes that don’t provide a randomized environment (different user, different system profile) are relatively easy to detect and sandbox creators need to take this into account to ensure their products remain stealthy. Also, providing screenshots is one of the easiest ways to make the profile available to attackers. I wonder if creating a fake desktop image could help here (window sized to the screen/workarea resolution and presenting a picture of a fake desktop).

Below are notes I took:

JujuBox

  • User: masked in reports as <USER>, but SID is not
  • SID: S-1-5-21-364843204-231886559-199882026-1001
  • OS version: not licensed and detectable via a trick I described a few days ago
  • Desktop includes Acrobat Reader, Firefox, Google Chrome, Open Office 4.1.6, Steam, accounting, eula, mydoc, mypresentation, OpenOffice, party, and stats — file extensions are not shown, but easy to guess
  • filename is a <SHA256 hash>.exe
  • Screen resolution seems to be low – 800x600?
  • Only 4 icons on the taskbar


VenusEye

  • User: debug4fun

Yomi Hunter

  • User: j.yoroi

NSFOCUS POMA

  • OS: XP
  • User: sys
  • File: C:\Windows\Temp\sample\<md5>_<sha256>.exe

BitDam ATP

  • User: trans_iso_0

QiAnXin RedDrip

  • User: Administrator
  • System language: zh-CN

Tencent Habo

  • User: Administrator
  • SID: S-1-5-21-1482476501-1645522239-1417001333-500
  • File: sample.doc
  • Hostname: ANALYST<DIGIT>-<HEX>
  • OS: XP (refers to C:\Documents and Settings\Administrator)
  • System language: zh-CN
  • Directory present:
    • C:\DiskD
  • File: 996e.exe (this file name is so prevalent that it even raises questions on Reddit); wild speculation: I wonder if it comes from a Unicode character Ux996E (饮) which means ‘drink’; the reports attempt to remove information about the process name, but do so inefficiently as shown on the below screenshot
  • Other possible fingerprints:
    • OFFICE11 (C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE)
    • Python
      • C:\Python\Python27
      • C:\Python\Python36

SecondWrite

  • User: Virtual
  • File: name is the <hash> of the file; starts from %TEMP%\<hash>.exe

Dr.Web vxCube

  • Hides lots of information from the report; these guys know what they are doing (e.g. sample path is listed as <PATH_SAMPLE.EXE>)
  • OS: XP
  • Other possible fingerprints:
    • %CommonProgramFiles(x86)%\microsoft shared\vs7debug\mdm.exe
    • Office14 (%ProgramFiles%\microsoft office\office14)

Rising MOVES

  • User: Administrator
  • System language: zh-CN
  • Service present:
    • badrv
  • Kernel Driver present:
    • rs_badrv
  • Files present:
    • c:\analyse\drop_files.zip
    • c:\analyse\result.zip
    • C:\analyse\log.log
    • C:\analyse\analyzer.exe
    • c:/analyse/gen_report.py
    • C:\Program Files\Qemu-ga\gspawn-win32-helper.exe
  • Mutex:
    • ba_probe_event_memory_mutex

VirusTotal Cuckoofork

  • User: admin
  • Hostname: USER-PC
  • Other possible fingerprints:
    • starts sample from c:\ root directory
    • filename is a SHA256 hash

Lastline

  • User: Johnson, Olivia (randomized)
  • Other possible fingerprints:
    • Office14
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    • Office16
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

VMRay

  • User: nice to see proper randomization e.g. ‘aETAdzjz’
  • Other possible fingerprints:
    • Office16
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

VirusTotal Box of Apples

  • User: user1

OS X Sandbox

  • Other possible fingerprints:
    • VMWare path mapped
      • Library/Filesystems/vmhgfs.fs

VirusTotal Androbox

  • n/a

VirusTotal Droidy

  • User: user
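
An added example, not part of the original post or of any vendor's tooling: a check a sandbox operator could run over reports from unrelated samples before publishing them, flagging identifiers (SID, profile directory name, hostname) that repeat across runs or slip past <USER>-style masking, as noted for JujuBox above. The report excerpts, field layout and function names are constructed assumptions.

```python
import re

# A machine SID (S-1-5-21-a-b-c-RID) is unique per installation, so one that is
# constant across reports identifies the analysis image even if the user is masked.
SID_RE = re.compile(r"\bS-1-5-21-\d+-\d+-\d+-\d+\b")
# Profile directory names reveal the account unless the path is masked too.
PROFILE_RE = re.compile(r"(?i)\b[a-z]:\\(?:Users|Documents and Settings)\\([^\\\s<>]+)")
HOST_RE = re.compile(r"(?i)\bhostname:\s*(\S+)")

# Constructed report excerpts (not taken from any real sandbox).
SAMPLE_REPORTS = {
    "report_a": "User: <USER>\nSID: S-1-5-21-1111111111-2222222222-3333333333-1001\n"
                "Hostname: LAB-PC\nOpened C:\\Users\\<USER>\\Desktop\\stats.xls",
    "report_b": "User: <USER>\nSID: S-1-5-21-1111111111-2222222222-3333333333-1001\n"
                "Hostname: WS-7F3A\nWrote C:\\Users\\analyst\\AppData\\Local\\Temp\\a.tmp",
    "report_c": "User: <USER>\nSID: S-1-5-21-4444444444-5555555555-6666666666-1001\n"
                "Hostname: WS-91C2\nRead C:\\Users\\analyst\\Documents\\mydoc.doc",
}

def identifiers(report):
    """Return (kind, value) pairs for environment identifiers left in clear text."""
    found = {("sid", m.group(0)) for m in SID_RE.finditer(report)}
    found |= {("profile", m.group(1).lower()) for m in PROFILE_RE.finditer(report)}
    found |= {("hostname", m.group(1).lower()) for m in HOST_RE.finditer(report)}
    return found

def audit(reports):
    """Map every identifier that repeats across reports of unrelated samples
    to the sorted list of report names exposing it."""
    seen = {}
    for name, text in reports.items():
        for ident in identifiers(text):
            seen.setdefault(ident, []).append(name)
    return {ident: sorted(names) for ident, names in seen.items() if len(names) > 1}

if __name__ == "__main__":
    for (kind, value), names in sorted(audit(SAMPLE_REPORTS).items()):
        print(f"fixed {kind} {value!r} exposed in: {', '.join(names)}")
```

Anything this audit reports is a candidate for per-run randomization in the image or for masking in the report generator.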

Genuine Anti-sandbox trick

May 28, 2020 in Anti-*

This is a bit of an unusual trick, because it relies on testing whether the Windows version that the sample is running on is… legitimate/genuine.

Yes.. we live in these times. Lots of pirated versions of Windows are still floating around, but less than say 10 years ago.

When I came up with the idea I googled around and discovered that to verify if Windows is genuine one has to run a single API: SLIsGenuineLocal.

Encouraged, I crafted a small .exe that shows a message that takes a form of either ‘Genuine, continue’ or ‘Pirated, exit’. Since sandbox engines are very unreliable I use 3 methods of message notification:

  • I print to STDOUT
  • I show a message box
  • I create a file with a name equal to the message chosen

To demonstrate the technique, I submitted a test file to VirusTotal hoping that its internal behavioral engine will pick it up. I was not disappointed and after a few tunings and tweaks VT JukeBox presented me with the result as below:

Oh… can it be?

Now, this may come as a surprise, but it is undeniable that many Jukebox sessions I have seen in the past present this bit to the sample submitter:

I am absolutely, positively, undeniably and equivocally certain that this is a genuine mistake and VirusTotal team will fix it soon.

In the meantime, and to distract the audience, let’s remember that 5 engines detected my small .exe as malware:

The genius detectors are not surprising at all. As they say… garbage in, garbage out.