A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #12327  by Buster_BSA
 Sun Mar 25, 2012 7:59 am
EP_X0FF wrote:
Maxstar wrote:in a virtual mode they're not working.
I assume all three samples are identical, so I take care only of one of them. In attach crypter free sample with removed AntiVM part so it should work everywhere.
Exactly what kind of anti-* stuff was removed?

I tried the sample under Sandboxie and it aborts execution. I noticed it checks for SbieDll.dll presence, but the DLL is hidden so execution continues after the check, so that's not what the malware is detecting.
 #12329  by EP_X0FF
 Sun Mar 25, 2012 8:23 am
Buster_BSA wrote:
EP_X0FF wrote:
Maxstar wrote:in a virtual mode they're not working.
I assume all three samples are identical, so I take care only of one of them. In attach crypter free sample with removed AntiVM part so it should work everywhere.
Exactly what kind of anti-* stuff was removed?
VM detection (VirtualPC, VBOX, QEMU, VmWare), Wireshark detection, Sandboxie detection.
I tried the sample under Sandboxie and it aborts execution. I noticed it checks for SbieDll.dll presence, but the DLL is hidden so execution continues after the check, so that's not what the malware is detecting.
If this was this patched binary, then it seems it checks for sandbox somewhere else additionally.
 #12333  by Buster_BSA
 Sun Mar 25, 2012 10:54 am
EP_X0FF wrote:
Buster_BSA wrote:Exactly what kind of anti-* stuff was removed?
VM detection (VirtualPC, VBOX, QEMU, VmWare), Wireshark detection, Sandboxie detection.
VM detection is discarded as I am running the sample in the host. Sandboxie detection is also discarded because it checks for SbieDll.dll presence and I have it hidden. So probably it's related to Wireshark detection.

Do you know what is the malware checking for related to Wireshark? WinPCap driver maybe?
EP_X0FF wrote:If this was this patched binary, then it seems it checks for sandbox somewhere else additionally.
Your patched binary runs fine. I tested the original sample.
 #12334  by EP_X0FF
 Sun Mar 25, 2012 11:12 am
Buster_BSA wrote:Do you know what is the malware checking for related to Wireshark? WinPCap driver maybe?
It looks for presence of "wireshark.exe" in the list of running processes.

Additionally this malware is a three-stage loader.

First - decryption of payload and spawning a copy of the loader. Second - VM/Sandboxie/Wshark check and mapping a copy of itself to svchost.exe (I assume any). So it can fail here for example, just because it was unable to inject code. Third stage is inside svchost - it's again decryption of the real payload with numerous VM/Sandboxie/WShark checks. The patched binary was extracted from the 3rd stage.
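The checks EP_X0FF lists above (a "wireshark.exe" process-name check, the SbieDll.dll test for Sandboxie, and VirtualPC/VBOX/QEMU/VMware detection) are the kind of thing a defender wants to flag at triage time before running a sample. The script below is an added example, not code from the thread or from any of its participants: it pulls narrow and wide strings out of a binary blob and buckets them against an indicator list built only from the names mentioned in the thread. The sample bytes are constructed inline as a stand-in for an unpacked loader stage; the category names and the `triage()` summary fields are this example's own choices.

```python
"""Static triage: flag anti-analysis indicator strings in a binary blob."""
import re
from typing import Dict, List

# Minimum length for a run of printable characters to count as a string.
MIN_LEN = 5

# Indicators named in the thread: the Wireshark process-name check, the
# Sandboxie hook DLL, and the VM vendors listed. Matching is case-insensitive
# and substring-based; this is an illustrative triage list, not a signature set.
INDICATORS: Dict[str, List[str]] = {
    "analysis-tool": ["wireshark.exe"],
    "sandboxie": ["sbiedll.dll"],
    "vm-virtualpc": ["virtualpc"],
    "vm-virtualbox": ["vbox"],
    "vm-qemu": ["qemu"],
    "vm-vmware": ["vmware"],
}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable ASCII and UTF-16LE runs of at least min_len characters,
    ordered by file offset (roughly `strings -a` plus wide strings)."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    found.sort()
    return [s for _, s in found]


def scan_bytes(data: bytes) -> Dict[str, List[str]]:
    """Map each indicator category to the (deduplicated) strings that hit it.
    Categories with no hits are left out of the result."""
    hits: Dict[str, List[str]] = {}
    for s in extract_strings(data):
        low = s.lower()
        for category, needles in INDICATORS.items():
            if any(n in low for n in needles):
                bucket = hits.setdefault(category, [])
                if s not in bucket:
                    bucket.append(s)
    return hits


def build_sample() -> bytes:
    """Constructed stand-in for an unpacked loader stage: filler bytes around
    one narrow string, one wide string and one VM vendor string."""
    return (
        b"MZ\x90\x00" + b"\x00" * 16
        + b"SbieDll.dll\x00"                          # narrow (ASCII) string
        + b"\x01\x02\x03"
        + "wireshark.exe".encode("utf-16-le") + b"\x00\x00"  # wide string
        + b"\xff" * 8
        + b"VMwareVMware\x00"                         # VM vendor marker
        + b"short\x00"                                # 5-char string, no hit
    )


def triage(data: bytes) -> Dict[str, object]:
    """Summarise which categories fired and whether the sample is likely to
    behave differently under a VM, Sandboxie, or a running analysis tool."""
    hits = scan_bytes(data)
    return {
        "categories": sorted(hits),
        "hits": hits,
        "vm_aware": any(c.startswith("vm-") for c in hits),
        "sandbox_aware": "sandboxie" in hits,
        "tool_aware": "analysis-tool" in hits,
    }


if __name__ == "__main__":
    report = triage(build_sample())
    for category, strings in report["hits"].items():
        print(f"{category:14s} {strings}")
    print("VM-aware:", report["vm_aware"],
          "| sandbox-aware:", report["sandbox_aware"],
          "| tool-aware:", report["tool_aware"])
```

One caveat that follows directly from the thread: the first two stages decrypt the next stage at runtime, so scanning the packed outer binary will usually show none of these strings. Run the scan on the unpacked stage (the patched binary EP_X0FF extracted from stage 3 is the right kind of input), and treat an empty result on a packed sample as "unknown", not "clean".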
 #12335  by Buster_BSA
 Sun Mar 25, 2012 11:20 am
EP_X0FF wrote:
Buster_BSA wrote:Do you know what is the malware checking for related to Wireshark? WinPCap driver maybe?
It looks for presence of "wireshark.exe" in the list of running processes.

Additionally this malware is a three-stage loader.

First - decryption of payload and spawning a copy of the loader. Second - VM/Sandboxie/Wshark check and mapping a copy of itself to svchost.exe (I assume any). So it can fail here for example, just because it was unable to inject code. Third stage is inside svchost - it's again decryption of the real payload with numerous VM/Sandboxie/WShark checks. The patched binary was extracted from the 3rd stage.
The problem is in the mapping of a copy of itself to svchost.exe. This process is running out of Sandboxie so the injection fails and the malware aborts.

Thank you very much for the information!