Analysis of Rovnix Dropper 3/5 - Anti Analysis (Static & Dynamic)

In the previous post, I described how I unpacked the sample. In this post, I will focused on the anti analysis techniques used by the sample. I will first touch on the anti static analysis then the anti dynamic analysis.

After the sample was unpacked, I noticed a number of strings were still obfuscated.

The strings were de-obfuscated into strings containing names of various security products during runtime:

I did not found other anti static analysis techniques such as anti-disassembly. However, I notice quite a few anti dynamic analysis techniques.

First, was a common anti VM technique to detect the use of VMware. The sample sent the VMware magic value of "VMXh" into the "VX" port using the 'IN' instruction. By reading and comparing the reply from the port the sample could detect the use of VMware.

Next, was a less common anti VM technique to detect the use of VirtualBox. The less common "VPCEXT" instruction was executed to detect the use of VirtualBox.

Then to detect the use of debuggers the "BeingDebugged" flag is checked in the PE.

Next to check for the use of various tools for instrumentation. The name of the parent process of the sample is compared against a fix list of strings.

The sample also created multiple threads to carried out its activities. The use of multi threading brought a little hurdle to overcome when debugging the sample.

All in all the sample did not make use of many anti analysis techniques. In the next post, I will cover how the sample escalated its privilege to install a driver in x64 Windows.