Product Key/ID Testing

From ema
EMA ID: ema-1088
Description: Checking for a particular product key/ID associated with a sandbox environment (commonly the product ID of the Windows host OS used in the environment) can be used to detect whether a malware instance is being executed in a particular sandbox. This can be achieved through several means, including reading the product ID from the Windows registry and comparing it against a known sandbox value.
Associated Behavior: detect sandbox

Code Snippets: x86 assembly
push    ebx
add     esp, 0FFFFFEF4h             ; reserve 10Ch bytes of stack for hKey, cbData and the Data buffer
xor     ebx, ebx                    ; ebx = 0: result flag, set to 1 below when the product ID matches
push    esp                         ; phkResult
push    1                           ; samDesired (KEY_QUERY_VALUE)
push    0                           ; ulOptions
push    offset SubKey               ; "Software\Microsoft\Windows\CurrentVersi"...
push    80000002h                   ; hKey (HKEY_LOCAL_MACHINE)
call    RegOpenKeyExA
test    eax, eax
jnz     short loc_405387            ; key could not be opened: skip the check
mov     [esp+110h+cbData], 101h     ; cbData = size of the Data buffer
lea     eax, [esp+110h+cbData]
push    eax                         ; lpcbData
lea     eax, [esp+114h+Data]
push    eax                         ; lpData
push    0                           ; lpType
push    0                           ; lpReserved
push    offset ValueName            ; "ProductId"
mov     eax, [esp+124h+hKey]
push    eax                         ; hKey
call    RegQueryValueExA
lea     eax, [esp+110h+Data]        ; address of the value just read
cmp     eax, offset a55274640267306 ; "55274-640-2673064-23950" (as listed, the compare is on the addresses)
jnz     short loc_405387            ; no match: leave ebx = 0
mov     bl, 1                       ; match: flag the sandbox product ID
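As an added example (not from the EMA page or the Rebhip sample), a small Python audit script a sandbox operator can run on a Windows image to see whether its ProductId is the exact value the listing above compares against. It assumes the listing's truncated subkey is Software\Microsoft\Windows\CurrentVersion, and the 5-3-7-5 digit shape taken from the sample's string is used only as a sanity check on what was read.

```python
"""Audit a Windows image's registry ProductId against the value hard-coded in the listing."""
import re
import sys

# The string constant the listing compares the registry data against.
KNOWN_SANDBOX_PRODUCT_ID = "55274-640-2673064-23950"

# Assumption: the truncated "CurrentVersi"... subkey in the listing is this key.
SUBKEY = r"Software\Microsoft\Windows\CurrentVersion"
VALUE_NAME = "ProductId"

# Same 5-3-7-5 digit shape as the sample's constant; only a sanity check on the value read.
PRODUCT_ID_SHAPE = re.compile(r"^\d{5}-\d{3}-\d{7}-\d{5}$")


def audit_product_id(product_id):
    """Return (flagged, reason) for a ProductId string.

    Only an exact match of the full string (after stripping a REG_SZ terminator)
    is reported as flagged, which is the intent of the compare in the listing.
    """
    value = product_id.rstrip("\x00")
    if value == KNOWN_SANDBOX_PRODUCT_ID:
        return True, "ProductId equals the value hard-coded in the sample"
    if not PRODUCT_ID_SHAPE.match(value):
        return False, "ProductId does not have the 5-3-7-5 digit shape of the sample's value"
    return False, "ProductId differs from the sample's hard-coded value"


def read_product_id():
    """Read HKLM\\<SUBKEY>\\ProductId on Windows; return None off Windows or if absent."""
    try:
        import winreg  # Windows-only standard-library module
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SUBKEY, 0, winreg.KEY_QUERY_VALUE) as key:
            data, _type = winreg.QueryValueEx(key, VALUE_NAME)
    except OSError:  # key or value not present on this image
        return None
    return str(data)


if __name__ == "__main__":
    pid = read_product_id()
    if pid is None:
        print("ProductId not available (not Windows, or value absent)")
        sys.exit(0)
    flagged, reason = audit_product_id(pid)
    print(f"{VALUE_NAME} = {pid!r}: {reason}")
    sys.exit(1 if flagged else 0)
```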


Inherited Attributes:

applicable platform: Windows 10, Windows 7, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2003, Windows Server 2003 SP1, Windows Server 2003 SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 R2 SP1, Windows Server 2008 SP1, Windows Server 2008 SP2, Windows Server 2012, Windows Server 2012 R2, Windows Vista, Windows Vista SP1, Windows Vista SP2, Windows XP, Windows XP SP1, Windows XP SP2, Windows XP SP3
References:
Date | Malware Family | URL
January 27, 2011 | Rebhip | https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html