Malware Analysis Evasive Sample - Bypassed MS

Sandbox Breaker

Level 11
Thread author
Verified
Top Poster
Well-known
Jan 6, 2022
530
Screenshot_20230602-081751.png

Signed sample pretending to be TeamViewer. It is a password stealer. As a DFIR Specialist it's easy to me. After submitting the sample to Microsoft... They said the file was clean. File has been in the wild for a week now. Welcome to the current state of insecurity. Happy hunting! VirusTotal
 

Attachments

  • Screenshot_20230602-081637.png
    Screenshot_20230602-081637.png
    331 KB · Views: 169
Last edited by a moderator:

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,194
Confirmed here on my VM (Windows 10 x64) sample doesn't run at all.
We can see more details about evasive... Latest two re-analyzes of this sample are from my user account on Hybrid Analysis:
Free Automated Malware Analysis Service - powered by Falcon Sandbox
Evasive
  • Contains ability to check if a debugger is running
  • Contains ability to terminate a process
  • Input file contains API references not part of its Import Address Table (IAT)
  • Possibly checks for the presence of a forensics/monitoring tool
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
A "Teamviewer" with only 200 KB size that has also been uploaded as "Prison.Architect.The.Sunset.Update.Incl.A...exe" is clearly not legit.

I found an area that is XOR encoded with 0x1D, you can literally see the XOR key in the hex editor

1685782008387.png


After decoding it looks like this

1685781853847.png


The decoded portion contains a JS script, some additional strings and ZIP archive. The archive seems to be a Chrome extension with the ID jdejdmchbgaciegdmifmnkopbdbfhcfb

Strings related to Chrome extension installation.
1685782851261.png


The manifest of the Chrome extension just names itself "Apps" and shows the author's email address as sg(dot)guru1030(at)gmail(dot)com:

1685782683933.png


That extension hijacks search results, redirects them to searchesmia(dot)com (the following image shows content.js):

1685782486092.png


In sum it is clearly malware (not PUP, because there is not a shred of something useful).
So far it is also not really dangerous, more annoying. There might be more going on, e.g., the ShellExecuteW could be a point for more examination, but this is already enough to declare it malware.
If Microsoft declared this as clean, they did an obvious mistake.
 
Last edited:

brambedkar59

Level 32
Verified
Top Poster
Well-known
Apr 16, 2017
2,112
The manifest of the Chrome extension just names itself "Apps" and shows the author's email address as sg(dot)guru1030(at)gmail(dot)com:
If you search for that email address, you get a CV for a person with his actual physical address, his github, live account etc. Is the email for the person who created malware or just using a fake identity, is that common? Asking mods if I can link to that pdf in here?
Sorry for barging in. I know nothing about malware analysis, but I find this topic interesting.

Edit: Also someone on reddit had that same extension (id -jdejdmchbgaciegdmifmnkopbdbfhcfb ) installed.
 
Last edited:

harlan4096

Super Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,923
Confirmed here on my VM (Windows 10 x64) sample doesn't run at all.
We can see more details about evasive... Latest two re-analyzes of this sample are from my user account on Hybrid Analysis:
Free Automated Malware Analysis Service - powered by Falcon Sandbox
Same here, tried with VM + KPremium (default settings) 21.13, ran for 2 seconds and auto terminated, moved to Low Restricted (Digitally Signed But Not Approved), currently already detected as Adware.
 

Sandbox Breaker

Level 11
Thread author
Verified
Top Poster
Well-known
Jan 6, 2022
530
Recently I've been using 4+ different sandbox solutions to my workload on analysing suspect files. It's becoming common to see samples break sandboxes and also now getting listed as clean. How good are these analysts anyways.


Look and see the file is claimed clean by their analyst! Microsoft and Xcitium!! Same sample
Screenshot_20230603-160502.png
 

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
There are now a bunch of them masquerading as various things, but all essentially the same file.

Didn't notice any VM awareness nor extended sleep times; also didn't run on my sacrificial system. Also note that the certificate is still viewed as honky-dory:

2023-06-03 13_16_14-Digital Signature Details.png


CF contains thhese files anyway even though the cert is seemingly fine as the application itself has not been vetted by them.
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Didn't notice any VM awareness nor extended sleep times; also didn't run on my sacrificial system.
On my sacrificial system Check Point is deployed and that runs a process clearly having “forensics” in the name. A lot of malware that I am trying to test just terminates. I thought this sample is from the same “dough”.
 

Shadowra

Level 37
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,617
Use hybrid analysis, anyrun or triage. They let you download the file.

Also take a look how I objected their Human verdict. That was a day ago. They still haven't noticed.
View attachment 275884

I made it.
Detected by DeepInstinct as a PUP.
On my VM, I couldn't launch it (it closes 2 seconds later).
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top