
Joe Security's Blog

SetupDiGetDeviceRegistryProperty

Published on: 11.09.2013


As part of our daily work we check analyses that somehow look suspicious. Lately we checked a sample (MD5: 9FAC72A50A7F756D0D3319C686850516) we got from www.file-analyzer.net:


As the page outlines, the sample was detected as clean. A first look at the behavior report showed that the sample does not produce any special behavior:


A look at the signature overview also did not reveal anything special, except for the virtual machine detection group:


As the signature outlines, Joe Sandbox found some strings within the process memory which may be used to detect virtual machines. Knowing that, we analyzed the sample on a native system (a real physical machine):


Surprisingly, Joe Sandbox detected malicious behavior on the native machine. This was surprising to us because Joe Sandbox implements a large number of tricks to prevent the detection of virtual machines, so the sample must have used a trick unknown to us to detect the virtual machine. To verify this we checked all executed and non-executed functions, which are extracted thanks to our hybrid code analysis (HCA) technology. After a brief look we found the following function:


The function uses SetupDiGetClassDevs, SetupDiEnumDeviceInfo and SetupDiGetDeviceRegistryProperty to query the friendly name of every device present on the current system and checks the names for the occurrence of the strings VMWARE, VBOX, VIRTUAL HD and QEMU. After upgrading our anti-virtual-machine-detection algorithms we re-analysed the sample on a virtual machine:
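For sandbox operators the practical question after reading this is whether their own analysis VM exposes such device names. The following PowerShell script is an added example written for this post; it is neither Joe Security's code nor the sample's code. It assumes it is run inside the guest and uses the Win32_PnPEntity WMI class, whose Name property is the Plug and Play device's friendly name where one is set (otherwise its device description), i.e. the same device tree the SetupDi* calls walk. Any match is a hardening gap worth closing before the VM is used for analysis.

```powershell
# Added example (not Joe Security's code): list Plug and Play devices in this
# Windows guest whose friendly name contains one of the markers the sample
# looked for. Used as a hardening check for an analysis VM.
# Assumption: Win32_PnPEntity.Name reflects the friendly name that
# SetupDiGetDeviceRegistryProperty(SPDRP_FRIENDLYNAME) would return.

$markers = @('VMWARE', 'VBOX', 'VIRTUAL HD', 'QEMU')

# Enumerate every present PnP device, like SetupDiGetClassDevs/SetupDiEnumDeviceInfo.
$devices = Get-CimInstance -ClassName Win32_PnPEntity |
    Where-Object { $_.Name -or $_.Caption }

$hits = foreach ($dev in $devices) {
    # Prefer the friendly name; fall back to the caption (device description).
    $friendly = if ($dev.Name) { $dev.Name } else { $dev.Caption }
    $upper = $friendly.ToUpperInvariant()   # case-insensitive comparison

    foreach ($m in $markers) {
        if ($upper.Contains($m)) {
            [pscustomobject]@{
                Marker       = $m
                FriendlyName = $friendly
                DeviceID     = $dev.DeviceID
            }
            break   # one report line per device is enough
        }
    }
}

if ($hits) {
    Write-Host "Device names that reveal a virtual machine:" -ForegroundColor Yellow
    $hits | Format-Table -AutoSize
    exit 1   # non-zero so the check can fail a VM provisioning pipeline
} else {
    Write-Host "No device friendly name matched the markers."
    exit 0
}
```

Run it from an elevated PowerShell prompt on the guest after any hypervisor tool installation or hardware change, since guest additions and virtual disk controllers are the usual source of names such as "VMware Virtual disk" or "VBOX HARDDISK". The script only reads the device tree; it changes nothing.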




As the screenshot and report excerpts show, the sample, which seems to be a rogue antivirus program, has installed itself and started communication.

We are often asked how we fight virtual machine aware malware at Joe Security. Our answer is simple: we focus on depth and quality of malware analysis. With an in-depth analysis you can easily spot and defeat the virtual machine detection.

You can find the full analysis report at:

