A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #20381  by DeW
 Mon Aug 05, 2013 5:21 am
Do you have any idea why the malware checks the ProductId of the victim system against 5 specified ProductIds?
 #20386  by EP_X0FF
 Mon Aug 05, 2013 3:58 pm
This is a common technique used to determine if the dropper runs in an online sandbox service. This is part of anti-forensics.
Code:
    76487-640-1457236-23837
    76487-644-3177037-23510
    55274-640-2673064-23950
    76497-640-6308873-23835
    76487-640-1464517-23529
    SbieDll.dll
    snxhk.dll
    dbghelp.dll
    VMware
    DiskVirtual_HD
    VBOX
    SOFTWARE\Microsoft\Windows NT\CurrentVersion
    ProductId
    SYSTEM\ControlSet001\Enum\IDE
76487-640-1457236-23837 - Anubis
76487-644-3177037-23510 - CWSandbox
55274-640-2673064-23950 - JoeBox
don't know where the last two are from

Anyway, this never works with a real AV lab.
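A defender-side triage check for this technique, added here as an example and not code from the thread: it pulls ASCII and UTF-16LE strings out of a sample (the spaced-out letters in the dump above are UTF-16 strings) and flags the sandbox ProductIds and hook DLL names listed in the thread. The ID attributions are the ones the posters give; the sample bytes are constructed for the demo.

```python
import re

# Sandbox ProductIds quoted in the thread, with the attributions the posters gave
# (the last one is listed in the sample but not attributed in the thread).
SANDBOX_PRODUCT_IDS = {
    "76487-640-1457236-23837": "Anubis",
    "76487-644-3177037-23510": "CWSandbox",
    "55274-640-2673064-23950": "JoeBox",
    "76487-640-1464517-23529": "malwr.com",
    "76497-640-6308873-23835": "unattributed",
}
# Hook DLLs and VM strings that appear in the same string table.
SANDBOX_ARTIFACTS = ["SbieDll.dll", "snxhk.dll", "dbghelp.dll", "VMware", "VBOX"]

_ASCII = re.compile(rb"[\x20-\x7e]{4,}")
_WIDE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")   # UTF-16LE printable runs

def extract_strings(data: bytes):
    """Yield printable ASCII and UTF-16LE strings of 4+ chars (like `strings -e l`)."""
    for m in _ASCII.finditer(data):
        yield m.group().decode("ascii")
    for m in _WIDE.finditer(data):
        yield m.group().decode("utf-16-le")

def scan_for_sandbox_checks(data: bytes) -> dict:
    """Return the known sandbox ProductIds and artifact names found in a sample."""
    found_ids, found_artifacts = {}, set()
    for s in extract_strings(data):
        for pid, name in SANDBOX_PRODUCT_IDS.items():
            if pid in s:
                found_ids[pid] = name
        for art in SANDBOX_ARTIFACTS:
            if art.lower() in s.lower():
                found_artifacts.add(art)
    return {"product_ids": found_ids, "artifacts": sorted(found_artifacts)}

# Constructed stand-in for a dropper's string table: ASCII and UTF-16LE entries mixed.
SAMPLE = (
    b"MZ\x90\x00" + b"76487-640-1457236-23837\x00"
    + "SbieDll.dll".encode("utf-16-le") + b"\x00\x00"
    + b"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\x00ProductId\x00"
    + "55274-640-2673064-23950".encode("utf-16-le") + b"\x00\x00VBOX\x00"
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(scan_for_sandbox_checks(blob))
```

Run it against a dropped file to see which sandbox IDs it carries; a hit on any of these IDs is a strong hint the sample branches on the ProductId registry value.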
 #20392  by EP_X0FF
 Tue Aug 06, 2013 2:14 am
frame4-mdpro wrote: 76487-640-1464517-23529 is VirtualBox, not sure what 76497-640-6308873-23835 is.
Why do you think it is VirtualBox? Does it have any prebuilt Windows installations?
I can't check as I don't have this, but they can be from Windows XP Mode or from VirtualBox running on VirusTotal (as their sandbox page implementation). Also they are not from Comodo Camas, because they use for example 76487-OEM-0027453-63808 and 76487-OEM-0027453-63796 (all IDs will have -OEM-).

What's interesting is that such an old technique indeed works for Anubis, as their ProductId didn't change and is always 76487-640-1457236-23837.

edit: figured out what 76487-640-1464517-23529 is. It is detection of the malwr.com sandbox. It seems they use the same Windows install for all sandboxes.
 #20401  by Fabian Wosar
 Tue Aug 06, 2013 3:11 pm
IP 149.20.63.55 belongs to Shadow Server. So the key is most likely used on one of their VMs.
 #20404  by EP_X0FF
 Tue Aug 06, 2013 3:44 pm
I did a small app and sent it to malwr, retrieving Windows info. Their Id is 76487-640-1464517-23529. If they share the same sandbox, their ProductId is the same.