Joe Security's Blog

Recently we came across an interesting sample (MD5: 9f68ae8267182bf1be4e5bb6c75022b8). According to one of our customers it did not run on a virtual machine but showed some malicious activities on a physical machine. We run it on our virtual machine and native systems for verification. Surprisingly the sample worked well on both systems. Thus we started to look for other reasons which could be used by the sample to detect the analysis systems. After a quick analysis we found the following code:


On address 3501B8B the sample calls a routine to get the function address of GetSystemTime. Hiding APIs from the import address table and resolving them during runtime is a trick we see very often. On address 3501B95 GetSystemTime is called. Right after the member wMonth of the struct SYSTEMINFO filled by GetSystemTime is compared to 9. If true the sample continues and shows it real payload. If the value is not 9 the sample simply terminates. So as a fact the current sample only runs in September. We verified this finding by using a cookbook which sets the date.

Full Joe Sandbox 8.0.0 Analysis of the sample:

• Joe Sandbox Analysis 9f68ae8267182bf1be4e5bb6c75022b8