
Joe Security's Blog

Defeating Sleeping Malware

Published on: 29.10.2012

During a large-scale analysis test to optimize our signature sets, we detected a sample showing the following behavior:

Joe Sandbox Analysis Report: report-8ebd97ee5f259cb2f1b38da1f1040cf0

The sample started a couple of new processes as well as a new service (smss.exe). Joe Sandbox did not find any malicious behavior, except that the "Contains long sleeps" signature fired.

Sleeping to bypass automated malware analysis systems, like Joe Sandbox, is not new, but it is certainly used more these days. Because the malware is executed and analyzed for a short time only, the analysis system misses interesting activities after the sleep.

Basically there are two techniques to circumvent long sleeps:

  • Increase the analysis time (do long term malware analysis)
  • Dynamically modify the sleep duration

For long-term malware analysis we have a special cookbook which executes the malware for more than 10 minutes. The cookbook produces good analysis results; however, we have seen malware with even longer sleeps. In addition, it is smarter and more efficient to modify the sleep duration dynamically.

A week ago we implemented the following new cookbook command:

  • _JBShortenSleepsGreaterThan(thresholdinseconds,replacementinsecond)

By using the command, an analyst can specify how sleep durations are shortened. Internally, the Joe Sandbox monitor driver automatically exchanges the sleep duration once a sleep call is executed by a sample.

With Joe Sandbox 7.0.0, all default cookbooks are going to use that command.

Behavior analysis of the previously analyzed sample, using the new cookbook:

After the 6-minute sleep, the sample injects itself into lsass.exe. The injection technique is highly malicious and a good artifact for detection. In addition, the sample starts its communication:

Analysis Report: report-8ebd97ee5f259cb2f1b38da1f1040cf0(1)

Using the _JBShortenSleepsGreaterThan command has a big impact on the analysis results.

Sleeps with a long duration are also a good malicious indicator, since most legitimate software does not use them the way malware does.

Shortening sleep and wait durations in general is hard. One may implement a sleep with the following techniques:

  • for (int i = 0; i < 240; ++i) Sleep(1000); // Waits 240x 1s
  • WaitForSingleObject(non signaled Semaphore / Event, 24000)

We are currently working on an extension of the _JBShortenSleepsGreaterThan command to also cover these techniques.
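
The following is an added example, not Joe Sandbox code: a small C model of the threshold/replacement rule that shows why the 240 x 1 s loop passes a per-call check untouched. The cumulative budget rule, the `sleep_policy` struct, the function names and the 60 s / 1 s values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the threshold/replacement rule; all values are constructed. */
typedef struct {
    uint64_t threshold_ms;   /* sleeps longer than this are shortened */
    uint64_t replacement_ms; /* duration substituted for a long sleep */
    uint64_t budget_used_ms; /* running sum of short sleeps (assumed extension) */
} sleep_policy;

/* Per-call rule: judges each requested duration in isolation. */
uint64_t shorten_single(const sleep_policy *p, uint64_t req_ms) {
    return req_ms > p->threshold_ms ? p->replacement_ms : req_ms;
}

/* Assumed cumulative rule: short sleeps draw on a budget equal to the
   threshold; once it is spent, further sleeps return immediately. */
uint64_t shorten_cumulative(sleep_policy *p, uint64_t req_ms) {
    if (req_ms > p->threshold_ms) return p->replacement_ms;
    p->budget_used_ms += req_ms;
    return p->budget_used_ms > p->threshold_ms ? 0 : req_ms;
}

/* Replays `count` sleeps of `each_ms` and returns the time really slept. */
uint64_t replay(uint64_t each_ms, unsigned count, int cumulative) {
    sleep_policy p = { 60000, 1000, 0 }; /* constructed: 60 s threshold, 1 s replacement */
    uint64_t slept = 0;
    for (unsigned i = 0; i < count; ++i)
        slept += cumulative ? shorten_cumulative(&p, each_ms)
                            : shorten_single(&p, each_ms);
    return slept;
}

int main(void) {
    /* One 6-minute sleep versus the 240 x 1 s loop from the text. */
    printf("single 360 s, per-call:   %llu ms\n", (unsigned long long)replay(360000, 1, 0));
    printf("240 x 1 s,    per-call:   %llu ms\n", (unsigned long long)replay(1000, 240, 0));
    printf("240 x 1 s,    cumulative: %llu ms\n", (unsigned long long)replay(1000, 240, 1));
    return 0;
}
```

The budget in this model never resets, which is a simplification: software that polls with short sleeps would also exhaust it over a long enough run.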