Recently we came across an interesting sample equipped with new tricks to evade sandboxes and other dynamic analysis systems:
In pseudo code:
The sample sleeps until there is a mouse and foreground window change. Since most malware analysis systems only simulate mouse changes, they fail to analyze the real malicious payload. With the
Cookbook technology of Joe Security one can easily simulate any activity:
However, this is not enough. The sample includes an additional evasion trick:
Basically the disk is queried with IOCTL_DISK_GET_DRIVE_GEOMETRY_EX. The returned structure contains information such as the media type, the sectors per track and the number of cylinders of the hard disk. After the query the number of cylinders is compared to the value 5000. If there are fewer than 5000 cylinders the sample simply terminates. Since Joe Sandbox runs on any device, including virtual, simulated and native systems, one can quickly analyze the malware on a real system: