
Joe Security's Blog

Analyzing Gozi's Anti-Analysis Tricks with Joe Sandbox Hypervisor 2.0

Published on: 03.10.2018

Over the past couple of months, we have focused our efforts on the development of the second version of Joe Sandbox Hypervisor. To inspect a program during runtime, Joe Sandbox Hypervisor uses the hardware virtualization feature of the CPU. Compared to other analysis techniques, Hypervisor-based Inspection (HBI) inspects a program more deeply and therefore extracts more malicious behavior. Hypervisor 2.0 can also run on bare metal. We already blogged about how to extract C&C traffic with Joe Sandbox Hypervisor here.

This blog post will show some of the new features we added to Joe Sandbox Hypervisor 2.0 by using a recent Gozi sample found on Vitali Kremez's Twitter account (big kudos):

The Gozi developers are very active and add new tricks and evasions frequently. This time they added two new evasions:

  • GetCursorPos, WaitForSingleObject user activity check
  • GetLocaleInfo, language check

Locale Check

Language checks are very common in targeted malware samples. They help the attackers to restrict the execution of particular samples to one country or to a specific geographical zone (e.g. Asia). If you start browsing the Execution Graph, you can easily spot a suspicious looking section:

The red nodes with a diamond shape are so-called "key decisions". They refer to a location in the code where a decision is made. For evasion, the decision often relates to a process termination, a sleep or crash. Zooming in reveals the API calls and edges:

First the "Locale" information is queried, then a substring search is done on it using StrStrIA. At 4010e7 the decision is made whether to execute the payload (left branch) or not:

In case the right branch is taken, the process is simply exited. As a result, the payload is not executed and the sandbox will not detect any malicious behavior:

What is the Locale information about and what does Gozi compare it with? To answer this question, we can easily jump to the corresponding Hybrid Code Analysis function. Thanks to Hypervisor 2.0 we have the API arguments for many string comparison functions:

String 1 is a list of country codes to compare with. String 2 shows the actual Locale information of the analysis machine on which Joe Sandbox executed Gozi. By putting all this together, the evasion works as follows:

In case the machine is located in China or Russia, Gozi will simply terminate and not execute its payload.

Since the Locale of the analysis machine is US and not CN or RU, the evasion does not trigger here. Customers analyzing in Russia or China can easily use one of our Cookbooks to change the locale for the analysis:

User Behavior driven Unpacking

The second evasion which is more unique is related to the User Behavior. Most of the time, when a sandbox analyzes a threat, there is no direct user interaction with the analysis machine. Therefore, the mouse or the keyboard is inactive, allowing advanced malware to detect the sandbox and to evade the dynamic analysis.

Let us have a look at function 4010ED:

We see GetCursorPos, WaitForSingleObject and GetCursorPos again. GetCursorPos is an API to query the current screen coordinates of the mouse pointer. WaitForSingleObject, called here with a timeout, pauses the thread and so works as a sleep. Thanks to the C code decompiler we can easily understand the functionality of the evasion:

At line 45 of the decompiled code, the initial cursor coordinates are stored in v108, and then the thread pauses for 64 milliseconds. Right after, at line 52, the cursor coordinates are read again and stored in v120. At line 54 the deviation between the two positions is calculated and passed as an argument to the unpacking routine at 401C7A. The whole loop repeats until the unpacking routine returns 0 (line 56). A return value of 0 means the unpacking is complete.

If we put this all together the evasion works as follows:

If the mouse is not moved, the two cursor positions are identical and the deviation is zero. With a zero deviation the unpacking routine does not proceed and never returns 0, so the loop runs forever and the payload is never unpacked. A sandbox without user activity therefore sees nothing but cursor polling until the analysis ends.

Joe Sandbox simulates mouse movements and clicks since version 8.0.0. Thus, unpacking completes successfully and the payload is triggered:
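Both checks leave a recognizable pattern in an API trace that records string arguments and out-parameters, which is exactly what a hypervisor-based monitor like the one above provides. The following Python is an added example written for this post, not Joe Sandbox or Gozi code: it flags the locale check (GetLocaleInfo* followed by a StrStr* whose haystack is a list of country codes and whose needle is the host locale) and the cursor-deviation loop (GetCursorPos, a wait, GetCursorPos with unchanged coordinates) over constructed traces. The trace format, the LOCALE_SISO3166CTRYNAME LCType, the comma separator of the blocklist and the handle value are assumptions; the post only establishes that Locale information is compared against a list of country codes with StrStrIA and that the cursor is read before and after a 64 ms wait.

```python
"""Flag the two Gozi evasions discussed above in an API-call trace.
Added example, not Joe Sandbox or Gozi code. Trace format is an assumption: one
call per line, "<api>(<args>) -> <return>", out-parameters shown post-call."""
import re

CALL_RE = re.compile(r"^\s*(\w+)\((.*)\)\s*->\s*(\S+)\s*$")
STRSTR_APIS = {"StrStrA", "StrStrIA", "StrStrW", "StrStrIW"}  # pointer on hit, NULL otherwise
WAIT_APIS = {"WaitForSingleObject", "Sleep", "NtDelayExecution"}
EXIT_APIS = {"ExitProcess", "TerminateProcess", "NtTerminateProcess"}
# A haystack like "CN,RU" (two-letter country codes plus separators) turns an ordinary
# substring search into a country blocklist lookup.
COUNTRY_LIST_RE = re.compile(r"^[A-Z]{2}(?:[,;| ]+[A-Z]{2})*$")

def split_args(raw):
    """Split on commas outside double quotes, so "CN,RU" stays one argument."""
    args, cur, in_str = [], "", False
    for ch in raw:
        if ch == '"':
            in_str = not in_str
        if ch == "," and not in_str:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        args.append(cur.strip())
    return args

def unquote(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s

def parse_trace(text):
    """Return (api, [args], return_value) tuples, one per trace line."""
    calls = []
    for m in filter(None, map(CALL_RE.match, text.splitlines())):
        api, raw, ret = m.groups()
        calls.append((api, [unquote(a) for a in split_args(raw)], ret))
    return calls

def find_locale_check(calls, window=8):
    """Locale evasion: a GetLocaleInfo* result is searched for inside a country-code list.
    Report list, host value, hit or miss, and whether the process exited within `window`
    calls of the comparison (the 'right branch' in the execution graph)."""
    locale_values = set()
    for i, (api, args, ret) in enumerate(calls):
        if api.startswith("GetLocaleInfo"):
            # keep string-looking arguments ("US", "en-US"), drop LCTYPE constants and sizes
            locale_values.update(a for a in args if re.fullmatch(r"[A-Za-z-]{2,}", a))
        elif api in STRSTR_APIS and len(args) >= 2:
            haystack, needle = args[0], args[1]
            if COUNTRY_LIST_RE.match(haystack) and needle in locale_values:
                return {"blocklist": re.split(r"[,;| ]+", haystack),
                        "host_locale": needle,
                        "matched": ret not in ("NULL", "0", "0x0"),
                        "exit_observed": any(c[0] in EXIT_APIS
                                             for c in calls[i + 1:i + 1 + window])}
    return None

def find_cursor_check(calls):
    """User-activity evasion: GetCursorPos, a wait, GetCursorPos. Count rounds and how many
    saw an unchanged POINT; all rounds stalled means the deviation was always zero."""
    rounds = stalled = 0
    for a, b, c in zip(calls, calls[1:], calls[2:]):
        if a[0] == "GetCursorPos" and b[0] in WAIT_APIS and c[0] == "GetCursorPos":
            rounds += 1
            if a[1] == c[1]:
                stalled += 1
    return {"rounds": rounds, "stalled": stalled, "evaded": rounds > 0 and stalled == rounds}

# Constructed traces. LOCALE_SISO3166CTRYNAME, the comma separator and handle 0x1c4 are
# assumptions; 0x102 is WAIT_TIMEOUT, what a 64 ms wait on an unsignaled handle returns.
TRACE_US_NO_MOUSE = """
GetLocaleInfoA(LOCALE_USER_DEFAULT, LOCALE_SISO3166CTRYNAME, "US", 4) -> 3
StrStrIA("CN,RU", "US") -> NULL
GetCursorPos(x=512, y=384) -> 1
WaitForSingleObject(0x1c4, 64) -> 0x102
GetCursorPos(x=512, y=384) -> 1
GetCursorPos(x=512, y=384) -> 1
WaitForSingleObject(0x1c4, 64) -> 0x102
GetCursorPos(x=512, y=384) -> 1
"""
TRACE_US_SIMULATED_MOUSE = """
GetCursorPos(x=512, y=384) -> 1
WaitForSingleObject(0x1c4, 64) -> 0x102
GetCursorPos(x=530, y=391) -> 1
GetCursorPos(x=530, y=391) -> 1
WaitForSingleObject(0x1c4, 64) -> 0x102
GetCursorPos(x=547, y=402) -> 1
"""
TRACE_RU_HOST = """
GetLocaleInfoA(LOCALE_USER_DEFAULT, LOCALE_SISO3166CTRYNAME, "RU", 4) -> 3
StrStrIA("CN,RU", "RU") -> 0x00402007
ExitProcess(0) -> void
"""

if __name__ == "__main__":
    for name, t in [("US, no mouse", TRACE_US_NO_MOUSE), ("US, simulated mouse",
                    TRACE_US_SIMULATED_MOUSE), ("RU host", TRACE_RU_HOST)]:
        calls = parse_trace(t)
        print(name, find_locale_check(calls), find_cursor_check(calls))
```

On the US trace without mouse simulation the locale check reports a miss (the sample continues) while every cursor round is stalled, which is the "runs forever" case; with simulated mouse movement the rounds show non-zero deviation and the loop can finish. On the RU trace the StrStrIA hit is followed by ExitProcess, the right branch of the execution graph.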

Joe Sandbox Hypervisor 2.0

Today's evasion techniques often rely on string comparison functions such as StrStr, StrCmp or StrRChr. Joe Sandbox Hypervisor 2.0 captures the arguments of such API calls, which makes country- or region-aware samples easy to detect and, together with a Cookbook that sets the expected locale, to analyze to completion.

Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Full Analysis Report of Gozi 2.17.