Today we have been notify by a Joe Sandbox user about a sample which does not show any suspicious activities:
What is striking is the following file operation:
The binary is trying to open the SCSI device object (\\.\scsi0). Because the analysis have been executed on a VirtualBox VM with an SCSI adapter an SCSI0 device object is present and CreateFile returns a valid handle.
Thus we thought this sample is trying to detect virtual machines by checking if an SCSI controller is present and by reading some information from the SCSI device (over IOCTL_SCSI_PASS_THROUGH, INQUIRY):
FH -> \Device\Harddisk0\DR0
OC -> 4D004
IBL -> 2C
OBL -> 10C
OB -> (VirtualBox)
-> (native System)
NS -> 0
After few hours of reverse engineering we found out that we were on the completely wrong way. Although the sample is reading disk information it does not terminate / crash. Rather it performs some interesting tasks in a loop:
Actually it queries the foreground window which is always the desktop window on automated malware analysis systems, sleeps, loops. Thus we have written the following tiny cookbook (cookbooks are scripts to simulate user behavior on Joe Sandbox):
Right after launching the sample on line 20, the start menu is opened, which is obviously a different window than the desktop window. The results are amazing:
Checking if something changes on the user desktop is a nice generic trick to bypass automated malware analysis systems. We have seen similar tricks like checking if the mouse pointer is not moving for a particular time. All these trick belong to the family of logic bombs. Logic bombs are particular checks in the program which require certain events to be true in order to execute the malicious payload.
Our philosophy of defeating logic bombs is a high quality analysis report. By understanding the behavior of the logic bomb code in the analysis report human analysts are able to trigger the events by writing a simple but effective cookbook.
Credits for sample sharing: www.abuse.ch