Attached is an API log, captured using PIN. Apart from the obvious I/O VMWare detection that occurs at 70005277, how is it detecting the presence of a VM? Any calls prefixed with "mal." are calls made from the malware itself and not subsequent API calls.
As a test, you can create C:\pagefile.sys.bak.txt and it will not perform the VM checks.
I have made a comment in the API log after FindFirstFileA/_strcmpi that the VM detection probably occurs after that point. The APIs called after this, in order, are:
-->mal.70001866 : call dword ptr [0x700090ec] (GetDriveTypeA) (7c8214cb) [C:\WINDOWS\system32\kernel32.dll]
-->mal.70004575 : call dword ptr [0x70009080] (unnamedImageEntryPoint) (763610e0) [C:\WINDOWS\system32\WINSTA.dll]
-->mal.70003770 : call dword ptr [0x70009028] (EqualSid) (77ddf06a) [C:\WINDOWS\system32\ADVAPI32.DLL]
-->mal.70007ddc : call eax (WTSEnumerateSessionsA) (76f51a90) [C:\WINDOWS\system32\wtsapi32.dll]
-->mal.70008966 : jmp dword ptr [0x700091b8] (NetUserEnum) (5b89495d) [C:\WINDOWS\system32\NETAPI32.dll]
-->mal.700086ac : call edi (LookupAccountNameW) (77de5b39) [C:\WINDOWS\system32\ADVAPI32.DLL]
-->mal.700086e3 : call edi (CopySid) (77ddf0d7) [C:\WINDOWS\system32\ADVAPI32.DLL]
-->mal.7000818b : call esi (RtlGetLastWin32Error) (7c90fe01) [C:\WINDOWS\system32\ntdll.dll]
-->mal.700084f6 : call dword ptr [0x70009010] (ConvertSidToStringSidA) (77dfc15d) [C:\WINDOWS\system32\ADVAPI32.DLL]
-->mal.700088f0 : jmp dword ptr [0x70009174] (_local_unwind2) (77c354a7) [C:\WINDOWS\system32\msvcrt.dll]
-->mal.70008960 : jmp dword ptr [0x700091bc] (NetApiBufferFree) (5b867a00) [C:\WINDOWS\system32\NETAPI32.dll]
-->mal.70007e02 : call eax (WTSFreeMemory) (76f51454) [C:\WINDOWS\system32\wtsapi32.dll]
-->mal.70008884 : call dword ptr [0x7000911c] (exit) (77c39e7e) [C:\WINDOWS\system32\msvcrt.dll]
Any help appreciated.
EDIT: Oops, forgot to include the sample. It is now attached, password is 'infected'
Attachments
Qakbot sample (192.38 KiB)
Qakbot API log (80.8 KiB)
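As an added example (not code from the poster, the forum or the sample itself), a small Python triage helper for logs in the PIN syntax quoted above: it keeps only the calls whose caller sits inside the malware image (the "mal." prefix the post describes), drops the nested calls the APIs make themselves, and marks entries on a watch-list of host-enumeration APIs. The watch-list, the non-"mal." sample line and every address in the constructed sample are my assumptions, not facts from the log.

```python
import re

# Matches one call line of the PIN API log in the syntax quoted in the post, e.g.
#   -->mal.70001866 : call dword ptr [0x700090ec] (GetDriveTypeA) (7c8214cb) [C:\WINDOWS\system32\kernel32.dll]
LINE_RE = re.compile(
    r"^-->(?P<src>[^.\s]+)\.(?P<caller>[0-9a-fA-F]+) : (?P<insn>.+?) "
    r"\((?P<api>[^()]+)\) \((?P<target>[0-9a-fA-F]+)\) \[(?P<module>[^\]]+)\]\s*$"
)

# Hypothetical watch-list (my assumption, not from the post): APIs that read host
# facts a sandbox/VM check could key on, so they are worth eyeballing first.
ENV_PROBES = {"GetDriveTypeA", "FindFirstFileA", "WTSEnumerateSessionsA", "NetUserEnum"}

def parse_line(line):
    """Parsed fields of one trace line, or None for comments and other non-call lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["module"] = rec["module"].rsplit("\\", 1)[-1].lower()  # keep the DLL basename only
    return rec

def malware_calls(log_text):
    """Ordered (api, dll) pairs for calls whose caller is inside the malware image ('mal.')."""
    calls = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["src"] == "mal":  # drop the nested calls the APIs themselves make
            calls.append((rec["api"], rec["module"]))
    return calls

def flagged_probes(calls):
    """(index, api) for sequence entries on the watch-list, in call order."""
    return [(i, api) for i, (api, _) in enumerate(calls) if api in ENV_PROBES]

# Constructed sample: four lines quoted in the post, one analyst comment, and one
# non-'mal.' line written in the same syntax (an assumption about nested-call lines).
SAMPLE_LOG = """\
-->mal.70001866 : call dword ptr [0x700090ec] (GetDriveTypeA) (7c8214cb) [C:\\WINDOWS\\system32\\kernel32.dll]
-->mal.70004575 : call dword ptr [0x70009080] (unnamedImageEntryPoint) (763610e0) [C:\\WINDOWS\\system32\\WINSTA.dll]
-->mal.70007ddc : call eax (WTSEnumerateSessionsA) (76f51a90) [C:\\WINDOWS\\system32\\wtsapi32.dll]
# VM detection probably occurs after this point
-->mal.70008966 : jmp dword ptr [0x700091b8] (NetUserEnum) (5b89495d) [C:\\WINDOWS\\system32\\NETAPI32.dll]
-->wtsapi32.76f51aa0 : call dword ptr [0x76f51004] (RpcStringBindingComposeW) (77e7a4f0) [C:\\WINDOWS\\system32\\RPCRT4.dll]
-->mal.70008884 : call dword ptr [0x7000911c] (exit) (77c39e7e) [C:\\WINDOWS\\system32\\msvcrt.dll]
"""
```

Running `malware_calls(SAMPLE_LOG)` yields five entries in call order, with the nested RPCRT4 call and the comment line skipped, and `flagged_probes` points at positions 0, 2 and 3.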