
Anti-Sandbox Check - Known ProductIDs

Status: Open · recvfrom opened this issue 5 years ago · 2 comments

Some malware will look for ProductIds associated with commercial sandboxes and stop running if detected. For example, from [1]:

76487-337-8429955-22614 // Anubis Sandbox
76487-644-3177037-23510 // CW Sandbox
55274-640-2673064-23950 // Joe Sandbox

Although these checks are still common in malware, they are a bit dated (Anubis has shut down, for instance). Is it worth adding a check for these?

[1] https://cofense.com/kutaki-malware-bypasses-gateways-steal-users-credentials/

recvfrom · Sep 05 '19 16:09

I think it's worth adding it

Waterman178 · Sep 08 '19 12:09

From [1]:

76487-640-1457236-23837 // Anubis
76497-640-6308873-23835 // CWSandbox 2.1.22
76487-640-8834005-23195
76487-640-0716662-23535
76487-644-8648466-23106
00426-293-8170032-85146
76487-341-5883812-22420
76487-OEM-0027453-63796 // Comodo Camas

From [2]:

76487-640-1464517-23259 // malwr.com sandbox
76487-341-0620571-22546 // From one of the virustotal sandboxes

It'd also be cool to check for the repeating patterns used by JoeSecurity as found in [2]

All the annotations above are what I've been able to find from searching the web, but as you can see there are many that I couldn't find any information on. [1] mentions that some of these are associated with GFI and Kaspersky, but I'm not sure which. I wonder if these lists are on some hacker forum somewhere, for instance, and if so, it'd be awesome if we could collect that info here.

[1] https://www.cybereason.com/blog/betabot-banking-trojan-neurevt
[2] https://thisissecurity.stormshield.com/2014/08/20/win32atrax-a/
[3] https://www.kernelmode.info/forum/viewtopic.php?f=16&t=2894

recvfrom · Sep 13 '19 18:09
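A sketch of how such a check could look, as an added example that is not al-khaser's own code and has not been submitted to the project. It reads the `ProductId` REG_SZ value from `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion` on Windows and compares it, after normalizing case and whitespace, against exactly the IDs collected in the comments above (the attributions in the table are the thread's, and the unannotated entries stay unannotated). The function names `normalize_product_id`, `looks_like_product_id`, `is_known_sandbox_product_id` and `read_product_id` are assumptions for this example. The JoeSecurity "repeating pattern" check mentioned in the thread is not implemented, because the thread does not state the pattern; only the 5-3-7-5 shape check (with the `OEM` second group seen in the Comodo Camas entry) is included so that garbage input is rejected before the table lookup.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <string>
#ifdef _WIN32
#include <windows.h>
#endif

// ProductIds that the comments above attribute to sandboxes. Entries the
// thread leaves unannotated are left unannotated here as well.
static const char* const kSandboxProductIds[] = {
    "76487-337-8429955-22614", // Anubis Sandbox
    "76487-644-3177037-23510", // CW Sandbox
    "55274-640-2673064-23950", // Joe Sandbox
    "76487-640-1457236-23837", // Anubis
    "76497-640-6308873-23835", // CWSandbox 2.1.22
    "76487-640-8834005-23195",
    "76487-640-0716662-23535",
    "76487-644-8648466-23106",
    "00426-293-8170032-85146",
    "76487-341-5883812-22420",
    "76487-OEM-0027453-63796", // Comodo Camas
    "76487-640-1464517-23259", // malwr.com sandbox
    "76487-341-0620571-22546", // one of the VirusTotal sandboxes
};

// Drop whitespace and embedded NULs and upper-case the rest, so that "oem" or a
// trailing newline from a registry read still matches the table. A ProductId
// contains no whitespace, so removing all of it is safe.
std::string normalize_product_id(const std::string& raw) {
    std::string out;
    for (unsigned char c : raw) {
        if (c == '\0' || std::isspace(c)) continue;
        out.push_back(static_cast<char>(std::toupper(c)));
    }
    return out;
}

// Shape check: NNNNN-NNN-NNNNNNN-NNNNN (groups of 5/3/7/5), where the second
// group may be the literal "OEM". Does not decide sandbox vs. not; it only
// rejects input that cannot be a ProductId at all.
bool looks_like_product_id(const std::string& id) {
    static const size_t kGroupLen[] = {5, 3, 7, 5};
    size_t pos = 0;
    for (size_t g = 0; g < 4; ++g) {
        if (g > 0) {
            if (pos >= id.size() || id[pos] != '-') return false;
            ++pos;
        }
        if (pos + kGroupLen[g] > id.size()) return false;
        const std::string group = id.substr(pos, kGroupLen[g]);
        pos += kGroupLen[g];
        if (g == 1 && group == "OEM") continue;
        for (unsigned char c : group)
            if (!std::isdigit(c)) return false;
    }
    return pos == id.size();
}

// The check itself: normalize, sanity-check the shape, then exact match.
bool is_known_sandbox_product_id(const std::string& raw) {
    const std::string id = normalize_product_id(raw);
    if (!looks_like_product_id(id)) return false;
    for (const char* known : kSandboxProductIds)
        if (id == known) return true;
    return false;
}

#ifdef _WIN32
// Read HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (REG_SZ).
bool read_product_id(std::string& out) {
    char buf[64] = {0};
    DWORD size = sizeof(buf);
    const LSTATUS st = RegGetValueA(HKEY_LOCAL_MACHINE,
                                    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
                                    "ProductId", RRF_RT_REG_SZ, nullptr, buf, &size);
    if (st != ERROR_SUCCESS) return false;
    out.assign(buf);
    return true;
}
#endif

int main() {
    std::string id;
#ifdef _WIN32
    if (!read_product_id(id)) { std::puts("ProductId not readable"); return 2; }
#else
    id = "76487-644-3177037-23510"; // constructed sample for a non-Windows build
#endif
    const bool hit = is_known_sandbox_product_id(id);
    std::printf("ProductId %s: %s\n", id.c_str(), hit ? "known sandbox" : "not in list");
    return hit ? 1 : 0;
}
```

As the thread itself notes, the table is dated: a miss proves nothing about the environment, and a hit only says the ProductId matches one that was once reported for a sandbox. An exact match on a short, fixed list is also trivial for a sandbox operator to defeat by rotating the value, which is why malware pairs this with other environment checks rather than relying on it alone.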