A forum for reverse engineering, OS internals and malware analysis 

 #25932  by Xylitol
 Tue May 26, 2015 8:38 am
Attachments
infected
 #25946  by Snakebyte
 Thu May 28, 2015 2:20 pm
"Out of the gate, the standard of antimalware evasion is fairly high, meaning the malware’s targets would need additional controls in place (HIPS, whitelisting, sandboxing) to catch or prevent this."

Am I missing something? Where is the fairly high part? UPX?
 #25952  by maddog4012
 Fri May 29, 2015 12:54 pm
The only things I can see are:

Attempts to detect sandbox characteristics Info:
Sample attempted to detect Sandbox using the following string: Failed to create syscall sandbox filter
Sample attempted to detect Sandbox using the following string: Sandbox
Sample attempted to detect Sandbox using the following string: ...Sandbox; at most one can be set
Sample attempted to detect Sandbox using the following string: ...Sandbox is not allowed.
Sample attempted to detect Sandbox using the following string: Can't change PidFile while Sandbox is active
Sample attempted to detect Sandbox using the following string: ...Sandbox is active
Sample attempted to detect Sandbox using the following string: Can't change Logs while Sandbox is active
Sample attempted to detect Sandbox using the following string: Can't change ConnLimit while Sandbox is active
Sample attempted to detect Sandbox using the following string: ...Sandbox mode.(%sTransportPlugin line was %s)
Sample attempted to detect Sandbox using the following string: ...sandboxing is only implemented on Linux. The featu...
Sample attempted to detect Sandbox using the following string: sandbox_init
Sample attempted to detect Sandbox using the following string: ...sandbox.h

and "Deletes files to compromise the system or to remove traces of the infection".

Other than that and UPX, that is all I am seeing. I would not use the term "fairly high" for evasion.

Here are a few more samples.