Kovter 2016 – Anti-Analysis tricks

Notation: "(ZwQuerySystemInformation / 0x5)" marks a name that is matched against the running process list obtained with SYSTEM_INFORMATION_CLASS 5 (SystemProcessInformation); "(GetModuleHandle)" marks a DLL that is looked up in the sample's own process, which catches hooking DLLs a sandbox injects; bare registry paths are keys or values whose presence or contents are checked.

AntiVbox

VBoxService.exe (ZwQuerySystemInformation / 0x5)

VBoxTray.exe (ZwQuerySystemInformation / 0x5)

VBoxHook.dll (attempts LoadLibrary; a successful load means the DLL is present on the search path)

HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0

HARDWARE\Description\System (SystemBiosVersion and VideoBiosVersion values, data searched for "virtualbox")

SYSTEM\ControlSet001\Services\Disk\Enum

SOFTWARE\Oracle\VirtualBox Guest Additions

C:\WINDOWS\system32\drivers\VBoxMouse.sys

AntiVmWare

vmwareuser.exe (ZwQuerySystemInformation / 0x5)

vmwaretray.exe (ZwQuerySystemInformation / 0x5)

HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0

SOFTWARE\VMware, Inc.\VMware Tools

SYSTEM\ControlSet001\Services\Disk\Enum

C:\WINDOWS\system32\drivers\vmmouse.sys

vmware (ZwQuerySystemInformation / 0x5)

C:\WINDOWS\system32\drivers\vmhgfs.sys

AntiVirtualPC

vmusrvc.exe (ZwQuerySystemInformation / 0x5)

vmsrvc.exe (ZwQuerySystemInformation / 0x5)

SYSTEM\ControlSet001\Services\Disk\Enum

HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0

C:\WINDOWS\system32\drivers\vpc-s3.sys

C:\WINDOWS\system32\drivers\vpcubus.sys

AntiSandboxie

SbieDll.dll (GetModuleHandle to check if injected)

AntiWireShark

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Wireshark

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark

Software\Wireshark

wireshark (ZwQuerySystemInformation / 0x5)

AntiFiddler

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Fiddler.exe

Software\Microsoft\Fiddler2

fiddler (ZwQuerySystemInformation / 0x5)

AntiHttpAnalyzer

SOFTWARE\Classes\SOFTWARE\IEInspectorSoft\HTTPAnalyzerAddon

SOFTWARE\Classes\IEHTTPAnalyzer.HTTPAnalyzerAddOn

SOFTWARE\Classes\HTTPAnalyzerStd.HTTPAnalyzerStandAlone

httpanalyzer (ZwQuerySystemInformation / 0x5)

injectwinsockservice (ZwQuerySystemInformation / 0x5)

AntiCharles

Software\Classes\Charles.AMF.Document

Software\Classes\Charles.Document

Software\XK72 Ltd (key presence)

charles.exe (ZwQuerySystemInformation / 0x5)

AntiJoeBox

joeboxserver.exe (ZwQuerySystemInformation / 0x5)

joeboxcontrol.exe (ZwQuerySystemInformation / 0x5)

AntiRFP (Regmon / Filemon / Procmon)

regmon.exe (ZwQuerySystemInformation / 0x5)

filemon.exe (ZwQuerySystemInformation / 0x5)

procmon.exe (ZwQuerySystemInformation / 0x5)

AntiDebug

Kernel32!IsDebuggerPresent()

Check PEB directly: mov eax, fs:[30h], then test byte ptr [eax+2] (PEB.BeingDebugged, the same flag IsDebuggerPresent reads)

AntiSunbeltSandboxie

api_log.dll (GetModuleHandle to see if injected)

dir_watch.dll (GetModuleHandle to see if injected)

sniff_hit.exe (ZwQuerySystemInformation / 0x5)

sysAnalyzer.exe (ZwQuerySystemInformation / 0x5)

AntiQemu

HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0

SystemBiosVersion

HARDWARE\Description\System
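The following audit script is an added example, not Kovter's code and not taken from the page: it re-runs every class of check listed above on the host it is executed on, so an analyst can see which tells an analysis VM exposes before a sample does. It uses Get-Process in place of ZwQuerySystemInformation/SystemProcessInformation (same image names), and P/Invoke for LoadLibrary and IsDebuggerPresent. Items the page does not specify are marked ASSUMPTION in the code: the registry value names "Identifier" and "0", the needle strings other than "virtualbox", and checking both HKLM and HKCU for the Software\... keys.

```powershell
# Audit script (added example, not Kovter code): report every Kovter 2016 tell present on this host.
# Run inside the analysis VM, as the user that executes samples; each printed line is an artifact
# Kovter would find. Assumptions beyond the list above are marked ASSUMPTION.

$hits = New-Object 'System.Collections.Generic.List[string]'

Add-Type -Namespace KovterAudit -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32.dll")] public static extern bool FreeLibrary(IntPtr handle);
[DllImport("kernel32.dll")] public static extern bool IsDebuggerPresent();
'@

# 1. Process names. Kovter walks the SystemProcessInformation list (ZwQuerySystemInformation, class 5);
#    Get-Process yields the same image names minus ".exe". Substring match, case-insensitive.
$processNeedles = @(
    'vboxservice', 'vboxtray',                                   # VirtualBox
    'vmwareuser', 'vmwaretray', 'vmware',                        # VMware
    'vmusrvc', 'vmsrvc',                                         # Virtual PC
    'wireshark', 'fiddler', 'httpanalyzer', 'injectwinsockservice', 'charles',
    'joeboxserver', 'joeboxcontrol',                             # Joe Sandbox
    'regmon', 'filemon', 'procmon',                              # Sysinternals monitors
    'sniff_hit', 'sysanalyzer'                                   # SysAnalyzer
)
foreach ($proc in Get-Process) {
    $match = $processNeedles | Where-Object { $proc.ProcessName -like "*$_*" } | Select-Object -First 1
    if ($match) { $hits.Add("process: $($proc.ProcessName) (pid $($proc.Id)) matches '$match'") }
}

# 2. DLLs a sandbox injects into every process. Kovter calls GetModuleHandle in its own process;
#    this PowerShell host is the proxy, so the script must itself run under the sandbox being tested.
$loadedModules = (Get-Process -Id $PID).Modules | ForEach-Object { $_.ModuleName }
foreach ($dll in @('SbieDll.dll', 'api_log.dll', 'dir_watch.dll')) {
    if ($loadedModules -contains $dll) { $hits.Add("module loaded in this process: $dll") }
}

# 3. VBoxHook.dll is probed with LoadLibrary rather than GetModuleHandle: a successful load means
#    the DLL is on the search path even if nothing has injected it yet.
$handle = [KovterAudit.Native]::LoadLibrary('VBoxHook.dll')
if ($handle -ne [IntPtr]::Zero) {
    $hits.Add('LoadLibrary("VBoxHook.dll") succeeded')
    [void][KovterAudit.Native]::FreeLibrary($handle)
}

# 4. Registry keys whose mere existence is the tell. ASSUMPTION: the page gives no hive for the
#    Software\... entries, so both HKLM and HKCU are checked.
$keyPaths = @(
    'SOFTWARE\Oracle\VirtualBox Guest Additions',
    'SOFTWARE\VMware, Inc.\VMware Tools',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Wireshark',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark',
    'SOFTWARE\Wireshark',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Fiddler.exe',
    'SOFTWARE\Microsoft\Fiddler2',
    'SOFTWARE\Classes\SOFTWARE\IEInspectorSoft\HTTPAnalyzerAddon',
    'SOFTWARE\Classes\IEHTTPAnalyzer.HTTPAnalyzerAddOn',
    'SOFTWARE\Classes\HTTPAnalyzerStd.HTTPAnalyzerStandAlone',
    'SOFTWARE\Classes\Charles.AMF.Document',
    'SOFTWARE\Classes\Charles.Document',
    'SOFTWARE\XK72 Ltd'
)
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($key in $keyPaths) {
        if (Test-Path -LiteralPath "$hive\$key") { $hits.Add("registry key: $hive\$key") }
    }
}

# 5. Registry values whose data is searched for a hypervisor string. The page names the keys and,
#    for the BIOS values, the needle "virtualbox". ASSUMPTION: the value names "Identifier" and "0"
#    and the additional needles are taken from what those keys normally hold, not from the page.
$valueChecks = @(
    @{ Key = 'HKLM:\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0'
       Name = 'Identifier';        Needles = @('vbox', 'vmware', 'qemu', 'virtual') },
    @{ Key = 'HKLM:\HARDWARE\Description\System'
       Name = 'SystemBiosVersion'; Needles = @('virtualbox', 'vbox', 'vmware', 'qemu') },
    @{ Key = 'HKLM:\HARDWARE\Description\System'
       Name = 'VideoBiosVersion';  Needles = @('virtualbox', 'vbox', 'vmware', 'qemu') },
    @{ Key = 'HKLM:\SYSTEM\ControlSet001\Services\Disk\Enum'
       Name = '0';                 Needles = @('vbox', 'vmware', 'qemu', 'virtual') }
)
foreach ($check in $valueChecks) {
    $item = Get-ItemProperty -LiteralPath $check.Key -Name $check.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $data = @($item.($check.Name)) -join ' '      # REG_MULTI_SZ (SystemBiosVersion) comes back as an array
    foreach ($needle in $check.Needles) {
        if ($data -match [regex]::Escape($needle)) {
            $hits.Add("registry value: $($check.Key)\$($check.Name) = '$data' matches '$needle'")
        }
    }
}

# 6. Guest driver files under %SystemRoot%\system32\drivers.
foreach ($driver in 'VBoxMouse.sys', 'vmmouse.sys', 'vmhgfs.sys', 'vpc-s3.sys', 'vpcubus.sys') {
    $path = Join-Path $env:SystemRoot "system32\drivers\$driver"
    if (Test-Path -LiteralPath $path) { $hits.Add("driver file: $path") }
}

# 7. Debugger: IsDebuggerPresent returns PEB.BeingDebugged, the byte Kovter also reads at fs:[30h]+2.
if ([KovterAudit.Native]::IsDebuggerPresent()) { $hits.Add('PEB.BeingDebugged is set') }

if ($hits.Count -eq 0) { 'No Kovter 2016 anti-analysis tells found.' } else { $hits | Sort-Object -Unique }
```

On a stock VirtualBox or VMware guest the driver files, Guest Additions / VMware Tools keys and BIOS strings will all fire; that is the expected result, and each line is a candidate for renaming, removal or a hypervisor-side string override before the sample is detonated. The injected-DLL check only means anything when the script is launched inside the sandbox (Sandboxie, CWSandbox-style hooks), because the DLLs are looked up in the script's own process, exactly as Kovter does in its own.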