As usual, at Joe Security we keep a close eye on evasive samples. Some days ago we detected an interesting Azorult sample on Cloud Basic (MD5: ff17014cbb249e173309a9e1251e4574). In this blog post, we will use Joe Sandbox Hypervisor together with the Function Log to understand the evasion techniques in this sample.
Joe Sandbox Hypervisor uses the hardware virtualization feature of the CPU. Compared to other analysis techniques, Hypervisor inspects a program more deeply and extracts more behavior data. Hypervisor can also run on bare metal. We already blogged about using Hypervisor in an analysis of Gozi's evasion techniques here.
The Function Log is a new low-level report generated by Joe Sandbox. It contains all API calls (user-mode APIs and system calls). It can be found in the low-level report section:
The first evasion check starts at 0042B690 and checks for debuggers with kernel32!IsDebuggerPresent and ntdll!ZwQueryInformationProcess (ProcessDebugFlags):
All API calls are resolved dynamically, as the call to GetProcAddress right before NtQueryInformationProcess shows. This hinders static code analysis, since the called APIs are only known at runtime.
What follows is a sleep-based evasion. Azorult verifies whether a sandbox modifies the kernel32!Sleep API value by cross-checking the elapsed time via the kernel32!GetTickCount API:
Sandboxes often shorten Sleep values to bypass sleeping malware, e.g. when the malware sleeps longer than the analysis time before starting its payload. Some sandboxes modify even very small values, or forget to adjust other time sources such as the tick count accordingly. Azorult exploits this weakness:
Dummy API Calls
If the previous checks succeed, Azorult continues to perform various dummy API calls, including calling kernel32!Beep:
Right after that, various API calls are made in a random order. As a result, the function logs differ from analysis to analysis. Next, there is a random number of API calls to kernel32!VirtualAlloc:
Dummy API calls are added to the malware in order to delay the execution in a sandbox. If the delay is longer than the analysis time, the sandbox will not detect any malicious behavior.
The anti-analysis checks are not yet complete. After the dummy API calls, Azorult continues with an available RAM check:
If less than 3GB are available, it stops execution. Next, it checks the screen resolution via user32!GetDesktopWindow and user32!GetWindowRect:
If the screen resolution is below 1152 x 864, the check fails. Finally, it looks for known sandbox processes via kernel32!CreateToolhelp32Snapshot:
The process comparison list looks interesting. Qemu-ga.exe is likely related to Any.run. Cmd.exe, notepad.exe and python.exe are often used by malware analysts. Azorult does not use any API such as strcmp, strstr or similar but rather a built-in comparison function:
This makes it hard for a sandbox to detect the process check.
Detecting Sandbox Evasions
Thanks to the deep analysis of Joe Sandbox Hypervisor, several existing and some new behavior rules catch the evasion:
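As an added illustration (not Joe Sandbox's own behavior rules, and not its real Function Log format), the following Python maps the evasion stages described above onto simple rules over a constructed, simplified call log; the log layout, the thresholds and the rule names are assumptions made for this example:

```python
import re
from collections import Counter
# Constructed sample log in a simplified "seq api(args) -> ret" layout (assumed, not Joe Sandbox's real format).
SAMPLE_LOG = """\
1 kernel32!IsDebuggerPresent() -> 0
2 ntdll!NtQueryInformationProcess(0xffffffff, 31, 0x19ff20, 4, 0) -> 0
3 kernel32!GetTickCount() -> 418250
4 kernel32!Sleep(2000) -> 0
5 kernel32!GetTickCount() -> 418266
6 kernel32!Beep(1200, 250) -> 1
7 kernel32!VirtualAlloc(0, 4096, 0x3000, 0x4) -> 0x2a0000
8 kernel32!VirtualAlloc(0, 4096, 0x3000, 0x4) -> 0x2b0000
9 kernel32!GlobalMemoryStatusEx(0x19fe80) -> 1
10 user32!GetWindowRect(0x10010, 0x19fe60) -> 1
11 kernel32!CreateToolhelp32Snapshot(2, 0) -> 0x1c
"""
LINE_RE = re.compile(r"^\d+\s+(\S+?)\((.*)\)\s*->\s*(\S+)$")
FINGERPRINT = {"kernel32!GlobalMemoryStatusEx": "ram-check",
               "user32!GetWindowRect": "screen-resolution-check",
               "kernel32!CreateToolhelp32Snapshot": "process-enumeration"}

def parse(log):
    # Returns (api, [args], ret) per matching line; arguments are kept as text.
    calls = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        args = [a.strip() for a in m.group(2).split(",")] if m.group(2) else []
        calls.append((m.group(1), args, m.group(3)))
    return calls

def detect_evasions(log, alloc_threshold=2):
    # Maps the evasion stages described above onto rule hits over a parsed log.
    calls = parse(log)
    names = [api for api, _, _ in calls]
    hits = set()
    if "kernel32!IsDebuggerPresent" in names or any(api.endswith("NtQueryInformationProcess")
            and args[1:2] == ["31"] for api, args, _ in calls):  # 31 == ProcessDebugFlags
        hits.add("anti-debug")
    # Sleep(n) bracketed by GetTickCount is the timing cross-check; a tick delta far
    # below n means Sleep was shortened without GetTickCount being adjusted to match.
    for i in range(1, len(calls) - 1):
        if (names[i].endswith("!Sleep") and names[i - 1].endswith("!GetTickCount")
                and names[i + 1].endswith("!GetTickCount")):
            hits.add("sleep-timing-check")
            if int(calls[i + 1][2], 0) - int(calls[i - 1][2], 0) < int(calls[i][1][0], 0) // 2:
                hits.add("sleep-patch-visible")
    counts = Counter(names)
    if counts["kernel32!Beep"] or counts["kernel32!VirtualAlloc"] >= alloc_threshold:
        hits.add("dummy-api-calls")
    hits |= {tag for api, tag in FINGERPRINT.items() if counts[api]}
    return hits
```

Running `detect_evasions(SAMPLE_LOG)` on the constructed log flags every stage, including that the shortened Sleep would have been visible to the sample because the tick count was not adjusted.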
Joe Sandbox Hypervisor
As this analysis proves, today's evasion techniques are stealthier than ever. Thanks to the Function Log and Joe Sandbox Hypervisor, malware analysts can detect and understand any evasion, no matter how stealthy it is:
Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!