Recently we came across an interesting sample (MD5:
9f68ae8267182bf1be4e5bb6c75022b8). According to one of our customers it did not
run on a virtual machine but showed malicious activity on a physical
machine. We ran it on our virtual machine and on native systems to verify this.
Surprisingly, the sample worked well on both. So we started to look
for other means the sample could use to detect analysis
systems. After a quick analysis we found the following code:
At address 3501B8B the sample calls a routine to get the function address of
GetSystemTime. Hiding APIs from the import address table and resolving them
at runtime is a trick we see very often. At address
3501B95 GetSystemTime is called. Right after, the member
wMonth of the SYSTEMTIME struct filled by GetSystemTime is compared to 9. If
it matches, the sample continues and shows its real payload. If the value is not 9, the
sample simply terminates. So in fact the current sample only runs in September. We
verified this finding by using a cookbook which sets the date.
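To make the check concrete, here is an added example (our own illustration, not code from the sample or from the post) that models the wMonth == 9 gate and adds the helper an analyst wants next to it: the earliest date to feed a clock-setting cookbook so the payload runs. The SYSTEMTIME definition is a stand-in assumed here so the code builds without windows.h; the sample's own code is not reproduced.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Stand-in for the Win32 SYSTEMTIME struct that GetSystemTime fills (assumed
 * here so the code also builds without windows.h; field names match). */
typedef struct { unsigned short wYear, wMonth, wDayOfWeek, wDay,
                 wHour, wMinute, wSecond, wMilliseconds; } SYSTEMTIME;

/* Build a SYSTEMTIME from a Unix timestamp (UTC), as GetSystemTime would. */
static SYSTEMTIME systemtime_from_unix(time_t t) {
    struct tm *tm = gmtime(&t);
    SYSTEMTIME st = {0};
    st.wYear = (unsigned short)(tm->tm_year + 1900);
    st.wMonth = (unsigned short)(tm->tm_mon + 1);    /* 1..12, as in Win32 */
    st.wDayOfWeek = (unsigned short)tm->tm_wday;
    st.wDay = (unsigned short)tm->tm_mday;
    st.wHour = (unsigned short)tm->tm_hour;
    st.wMinute = (unsigned short)tm->tm_min;
    st.wSecond = (unsigned short)tm->tm_sec;      /* no sub-second part in gmtime */
    return st;
}

/* The gate the sample applies: the payload only runs when wMonth == month. */
static bool month_gate_passes(SYSTEMTIME st, unsigned short month) {
    return st.wMonth == month;
}

/* Days since 1970-01-01 for a Gregorian date (Howard Hinnant's algorithm). */
static long days_from_civil(int y, unsigned m, unsigned d) {
    y -= m <= 2;
    long era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (long)doe - 719468;
}

/* For the analyst: earliest Unix time (UTC) at or after `now` at which the
 * month-gated payload would run, i.e. the date to give a clock-setting cookbook. */
static time_t next_trigger_date(time_t now, unsigned short month) {
    SYSTEMTIME st = systemtime_from_unix(now);
    if (month_gate_passes(st, month)) return now;      /* already inside the window */
    int year = st.wYear + (st.wMonth > month ? 1 : 0); /* window passed: next year */
    return (time_t)days_from_civil(year, month, 1) * 86400;
}

int main(void) {                                       /* stand-alone use */
    printf("%lld\n", (long long)next_trigger_date(time(NULL), 9));
    return 0;
}
```

The returned epoch value is the first of the target month at 00:00 UTC; any time inside that month would do, so a cookbook can pick a mid-month date just as well.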
Full Joe Sandbox 8.0.0 Analysis of the sample: