pafish
Simbda Anti-VM
A sample (sha256: 09858ae19ce96499a78dd1f2a304a29caa7a1c220869cb6ec245b8fb91470c7e) uses the following techniques, which pafish does not yet cover, to detect an analysis system/VM. Each one is a RegOpenKeyExA call on one of the subkeys below (the hive is not recorded here; the key only has to open successfully, its contents are not read):
Anti-spyware (SUPERAntiSpyware)
SubKey => SOFTWARE\SUPERAntiSpyware.com
SubKey => SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASCon.1

Sandbox detection (generic?)
SubKey => Software\Classes\*\shell\sandbox
SubKey => Software\Classes\Folder\shell\sandbox

Sandboxie
SubKey => SYSTEM\CurrentControlSet\Services\SbieDrv
SubKey => SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie

API Spy (http://download.cnet.com/APIS32-API-Spy/3000-2247_4-9923.html)
SubKey => SOFTWARE\APIS32
SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APIS32
SubKey => SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APIS32

Debugger (Syser)
SubKey => Software\Syser Soft

Debugger
SubKey => SYSTEM\CurrentControlSet\Services\SDbgMsg

MS Debugging Tools
SubKey => Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Debugging Tools for Windows (x86)

.NET profiler
SubKey => SOFTWARE\Classes\PEBrowseDotNETProfiler.DotNETProfiler

Password sniffer (Win Sniffer)
SubKey => Software\Win Sniffer
SubKey => SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Sniffer_is1

IM tool for companies? (Bopup Observer)
SubKey => Software\B Labs\Bopup Observer
SubKey => AppEvents\Schemes\Apps\Bopup Observer

Cygwin
SubKey => SOFTWARE\Cygwin

Packet analyser (ZxSniffer)
SubKey => SOFTWARE\ZxSniffer

Wireshark
SubKey => SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wireshark.exe
SubKey => SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark

Network monitor (eEye Iris, CommView)
SubKey => Software\eEye Digital Security
SubKey => SYSTEM\CurrentControlSet\Services\IRIS5
SubKey => Software\CommView
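The mirror image of the sample's check, for whoever runs the analysis VM: an added PowerShell audit script (not pafish code and not taken from the sample) that tries to open every subkey listed above the way RegOpenKeyExA would and reports which ones exist. Two assumptions are built in and labelled in the code: the report does not give the hive, so each subkey is probed under both HKLM and HKCU; and the sample is assumed to be a 32-bit process, so HKLM\SOFTWARE is also probed through its WOW64 view (SOFTWARE\Wow6432Node), which is where a 32-bit RegOpenKeyExA on HKLM\SOFTWARE is redirected on a 64-bit Windows.

```powershell
# Added example (not pafish code): audit an analysis VM for the registry
# artefacts the sample probes. The subkeys are copied from the report above.
# Assumption: hives are unknown, so each subkey is tried under HKLM and HKCU.
# Assumption: the sample is 32-bit, so the WOW64-redirected view of
# HKLM\SOFTWARE (SOFTWARE\Wow6432Node) is probed as well.

$SubKeys = @(
    'SOFTWARE\SUPERAntiSpyware.com',
    'SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASCon.1',
    'Software\Classes\*\shell\sandbox',
    'Software\Classes\Folder\shell\sandbox',
    'SYSTEM\CurrentControlSet\Services\SbieDrv',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie',
    'SOFTWARE\APIS32',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APIS32',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APIS32',
    'Software\Syser Soft',
    'SYSTEM\CurrentControlSet\Services\SDbgMsg',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Debugging Tools for Windows (x86)',
    'SOFTWARE\Classes\PEBrowseDotNETProfiler.DotNETProfiler',
    'Software\Win Sniffer',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Sniffer_is1',
    'Software\B Labs\Bopup Observer',
    'AppEvents\Schemes\Apps\Bopup Observer',
    'SOFTWARE\Cygwin',
    'SOFTWARE\ZxSniffer',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wireshark.exe',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark',
    'Software\eEye Digital Security',
    'SYSTEM\CurrentControlSet\Services\IRIS5',
    'Software\CommView'
)

function Get-ProbePaths {
    # Expand one subkey into every registry path the sample could end up
    # opening: both hives, plus the WOW64 view of HKLM\SOFTWARE.
    param([string]$SubKey)
    $paths = @()
    foreach ($hive in 'HKLM', 'HKCU') {
        $paths += "${hive}:\$SubKey"
        if ($hive -eq 'HKLM' -and
            $SubKey -match '^SOFTWARE\\' -and
            $SubKey -notmatch '^SOFTWARE\\Wow6432Node\\') {
            $paths += "${hive}:\" + ($SubKey -replace '^SOFTWARE\\', 'SOFTWARE\Wow6432Node\')
        }
    }
    $paths
}

function Find-AnalysisArtifacts {
    # Test-Path opens the key like RegOpenKeyExA does; run this as the same
    # kind of user the sample will run as, so ACL failures match.
    param([string[]]$Keys = $SubKeys)
    foreach ($key in $Keys) {
        foreach ($path in Get-ProbePaths $key) {
            # -LiteralPath keeps the '*' in Classes\*\shell\sandbox literal
            if (Test-Path -LiteralPath $path) {
                [pscustomobject]@{ SubKey = $key; Present = $path }
            }
        }
    }
}

$hits = @(Find-AnalysisArtifacts)
if ($hits.Count -eq 0) {
    Write-Host 'No listed artefact found; the sample would see a clean host.'
} else {
    $hits | Format-Table -AutoSize
    Write-Host "$($hits.Count) artefact path(s) present; remove or rename them before detonating the sample."
}
```

Run it inside the VM before detonation. A hit on the Sandboxie service key or the Wireshark App Paths entry is enough for this sample to bail out, so the tool either has to go or its registry footprint has to be renamed; the reverse of the same loop, a RegOpenKeyExA over the same table with KEY_READ and a non-zero result counted as a detection, is what the equivalent pafish check would look like.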