Sandbox Awareness

January 27, 2009

Hi there,

In the last period, malware evolved to new Detection Ways, like Sandbox Awareness, if a malware is executed into one of the most famous Sandboxes it block execution.

Here a little piece of code taken fro a malware and readapted:

Public Function IsInSandbox() As Boolean
Dim hKey As Long, hOpen As Long, hQuery As Long, hSnapShot As Long
Dim szBuffer As String * 128

hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId)

me32.dwSize = Len(me32)
Module32First hSnapShot, me32

Do While Module32Next(hSnapShot, me32) <> 0
    If InStr(1, LCase(me32.szModule), “sbiedll.dll”) > 0 Then ‘Sandboxie
       IsInSandbox = True
   ElseIf InStr(1, LCase(me32.szModule), “dbghelp.dll”) > 0 Then ‘ThreatExpert
        IsInSandbox = True
    End If

CloseHandle (hSnapShot)

If IsInSandbox = False Then
    hOpen = RegOpenKeyEx(HKEY_LOCAL_MACHINE, “Software\Microsoft\Windows\CurrentVersion”, 0, KEY_ALL_ACCESS, hKey)
    If hOpen = 0 Then
        hQuery = RegQueryValueEx(hKey, “ProductId”, 0, REG_SZ, szBuffer, 128)
        If hQuery = 0 Then
            If InStr(1, szBuffer, “76487-337-8429955-22614”) > 0 Then ‘Anubis
               IsInSandbox = True
           ElseIf InStr(1, szBuffer, “76487-644-3177037-23510”) > 0 Then ‘CWSandbox
                IsInSandbox = True
            ElseIf InStr(1, szBuffer, “55274-640-2673064-23950”) > 0 Then ‘JoeBox
               IsInSandbox = True
           End If
       End If
   End If
   RegCloseKey (hKey)
End If
End Function

It detects Sandboxie, ThreatExpert, JoeBox, CWSandBox and Anubis, by checking the Product Id or the presence of usual dll like sbiedll.dll and sbiedll.dll

Fraud/Scam – Fake JOB Proposal

January 27, 2009


Some time ago a my contact adviced me about another kind of Scam/Fraud based on a Fake Job Proposal, contact receives an e-mail in which is said that they have seen CV and you’re good for a position as Financial Agent.

Here the First E-mail:


— Sun 14/12/08, Jolene PERRY <> ha scritto:

> Da: Jolene PERRY <>
> Oggetto: Ciao _NAME_
> Data: Sunday 14 dicembre 2008, 19:37
> Hello !
> We are looking for entry level specialists of various
> profiles. You must have adult age. Your previous operational
> experience is not important. The minimum education level
> necessary – High School.
> Location: Italy
> We have a lot of available vacancies.
> From you: some hours per week of a free time, the
> experience of PC and the
> Internet on a simple level.
> We will offer to you: the decent salary with system of
> bonuses and
> the complete legality & security.
> If you are interested in our offer – we are waiting for
> your reply.
> E-mail address only:


First of all as you can see, mail addresses are all from @europe and @googlemail it’s strange that a recruiting  company does not have a custom mail box..

About the position, it’s easy to understant that is only  a dream, a some hours per week of a free time work with entire assurance system is not suistenable by a Company.

After a reply that you’re intersted, here the second email:


> Dear Name and Surname,
> We are happy to inform you are acceptable for a Financial
> Representative job
. You can find additional information
> about your salary, work schedule and duties in the attached
> file.

> To register:
>    1. Read the job specifications and descriptions. If you
> have any questions – ask me or   write a reply with your
> confirmation.
>    2. I will send you the employee’s Registration form
> and Labor Agreement. You should fill it in correctly, sign
> it and send it back.
>    3. Send a scanned image of your Driver’s License or
> your Passport
for your identification.
> The procedure is simple and will not take more than 2 days.
> Note:
> You can easily find additional information on our website
> or feel free to ask any questions about your duties and
> salary.
> Right now we are at the very start of the process.
> Read the job specifications and descriptions. If you have
> any questions – ask me or write a reply with your
> confirmation
> I am here to help you and I will do my best to help you get
> along with this.
> Best regards,
> Xxxxxxxxxxxxxx
> Xxxxxxxxxxxxxxxx
> Web: xxxxxxxxxxxx
> Tel:  Xxxxxxxx
> Fax:  Xxxxxxxx


Uh really strange..

additional information about your salary, work schedule and duties in the attached  file.

In the attached doc the work schedule does not appears, and in not specificated how “work schedule” for a free time job is organized.

Here the really poor Job Description


<!– @page { margin: 2cm } P { margin-bottom: 0.21cm } –>


Position: Financial representative

Department: Cost accounting department

Salary: 2,000 USD a month + 5% from transaction


Receive payments from clients in your region; assist in company’s financial business.


  1. Receive payments from company’s clients in your region on your bank account.

  2. Prepare reports for every and each transaction

  3. Work with (Western Union/Money Gram) money transfer systems


  1. Assistance in company’s financial business


  1. Team work

  2. Basic knowledge of MS Office.

  3. Accuracy

  4. More than 2 years experience in management

Working conditions

Work at your internet-office with banks and money transfer systems.


  1. Our clients from your region make a payment on your account

  2. Draw money out and send them to our office (company covers all taxes and expenses)

  3. Make a financial statement on payment.

  4. Receive 5% for every transaction immediately + 2,000 USD every month.


It’s really strange, a Free-Time work that requires a continuous presence to delivery payments, that has a per month salary plus 5% of transactions..

In the second part we will investigate more on the website and compare this proposal with another one (Differential Approach)

NtSetDebugFilterState as Anti-Dbg Trick Reverse Engineering

January 9, 2009

Here you can download my last paper related to NtSetDebugFilterState UndocumentAPI that can be used as 
Anti Debugging Trick.

Have a Nice Read 🙂
Giuseppe 'Evilcry' Bonfa'