# Let's Learn: Lethic Spambot & Survey of Anti-Analysis Techniques

**[vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html](http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html)**

**Goal:** Reverse the latest Lethic spambot, [shared by Brad from Malware Traffic Analysis](http://www.malware-traffic-analysis.net/2017/11/02/index.html), with a focus on its plethora of anti-analysis and anti-virtual-machine checks.

**Source:** Lethic original spambot [(e324c63717a4c2011fde7d1af0d8dbe8ddb0897fe4e7f80f3147a7498e2166fe)](https://www.virustotal.com/#/file/e324c63717a4c2011fde7d1af0d8dbe8ddb0897fe4e7f80f3147a7498e2166fe/detection)

**Background**

While analyzing the Lethic spambot ([thanks to @malware_traffic](https://twitter.com/malware_traffic/status/926235399500062721)), I unpacked the sample and reviewed some of the bot internals. By and large, the spambot injects itself into explorer.exe through the usual WriteProcessMemory and CreateRemoteThread calls. The callback IP hardcoded in this build is 93[.]190[.]139[.]16. Another distinctive feature of this Trojan is its persistence: it copies itself to C:\RECYCLER\* as "backwindow32.exe" and registers the usual registry Run keys.

**Malware checks:**

- I. Wine check
- II. Anti-analysis process check
- III. Anti-analysis DLL check
- IV. UserName check
- V. Path string check
- VI. Virtual Machine (VM) process check
- VII. VM registry and VM CreateFile check
- VIII. Anti-sleep bypass check
- IX. Anti-debugger check

**I. Wine check**

The Lethic spambot checks for the presence of Wine on the victim machine by resolving the following Wine-only exports from ntdll.dll and kernel32.dll via the GetProcAddress API. Genuine Windows builds of these DLLs never export these names, so a successful lookup is an unambiguous Wine indicator:

- wine_get_version
- wine_get_unix_file_name

A. wine_get_version

The pseudo-coded C++ function is as follows:

```cpp
/* Returns 1 if ntdll.dll exports wine_get_version, i.e. the bot runs under Wine. */
signed int anti_wine_get_version(void)
{
    HMODULE hModule;
    signed int v2 = 0;

    hModule = GetModuleHandleA("ntdll.dll");
    if ( hModule && GetProcAddress(hModule, "wine_get_version") )
        v2 = 1;
    return v2;
}
```

B. wine_get_unix_file_name

The pseudo-coded C++ function is as follows:

```cpp
/* Returns 1 if kernel32.dll exports wine_get_unix_file_name.
 * Renamed from the decompiler's wine_get_unix_file_name() so the routine
 * does not share its name with the export it looks up. */
signed int anti_wine_get_unix_file_name(void)
{
    HMODULE hModule;
    signed int v2 = 0;

    hModule = GetModuleHandleA("kernel32.dll");
    if ( hModule && GetProcAddress(hModule, "wine_get_unix_file_name") )
        v2 = 1;
    return v2;
}
```

**II. Anti-analysis process check**

The Trojan checks for the following processes and, if one is running on the host, suspends every thread belonging to it:

- regmon.exe
- filemon.exe
- procdump.exe
- procexp.exe
- wireshark.exe
- prcview.exe
- sysinspector.exe
- sniff_hit.exe
- proc_watch.exe
- apimonitor.exe
- tcpview.exe
- petools.exe
- vmtoolsd.exe
- autoruns.exe

The suspend-thread function is as follows:

```cpp
#include <windows.h>
#include <tlhelp32.h>

/* Suspends every thread owned by process a1 (the PID of a detected analysis tool).
 * Returns the result of the last handle operation, as in the decompiled code. */
HANDLE __cdecl suspend_thread_function(DWORD a1)
{
    HANDLE result;
    HANDLE hThread;
    THREADENTRY32 te = { 0 };   /* the decompilation zeroes each field by hand */
    HANDLE hSnapshot;

    /* 4u in the decompilation == TH32CS_SNAPTHREAD: snapshot all threads on the system */
    result = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    hSnapshot = result;
    if ( result != INVALID_HANDLE_VALUE )
    {
        te.dwSize = sizeof(THREADENTRY32);   /* 28 bytes */
        if ( Thread32First(hSnapshot, &te) )
        {
            do
            {
                if ( te.th32OwnerProcessID == a1 )
                {
                    /* 2u in the decompilation == THREAD_SUSPEND_RESUME */
                    hThread = OpenThread(THREAD_SUSPEND_RESUME, FALSE, te.th32ThreadID);
                    if ( hThread )
                    {
                        SuspendThread(hThread);
                        CloseHandle(hThread);
                    }
                }
            }
            while ( Thread32Next(hSnapshot, &te) );
        }
        result = (HANDLE)CloseHandle(hSnapshot);
    }
    return result;
}
```

Note that vmtoolsd.exe (the VMware Tools service) is on this list alongside the monitoring tools, so on a VMware guest with tools installed the bot will suspend the tools service rather than merely bail out.

**III. Anti-analysis DLL check**

The malware checks whether any of the following DLLs, associated with API monitors and sandboxes, are loaded in its process:

- api_log.dll
- log_api32.dll
- dir_watch.dll
- pstorec.dll
- vmcheck.dll
- wpespy.dll
- snxhk.dll

**IV. UserName check**

The malware retrieves the current user name with the GetUserName API, converts it to upper case and compares it against the following strings:

- MALTEST
- TEQUILABOOMBOOM
- SANDBOX
- VIRUS
- MALWARE

**V. Path string check**

The malware retrieves its own module path with the GetModuleFileName API, converts it to upper case and checks it for the following strings:

- SAMPLE
- MALWARE
- SANDBOX
- VIRUS

The malware also checks whether its own file is named "sample".

**VI. Virtual Machine (VM) process check**

Lethic checks for the presence of the following VM-related processes (Virtual PC and Xen guest services):

- vmusrvc.exe
- vmsrvc.exe
- xsvc_depriv.exe
- xenservice.exe

**VII. VM registry and VM CreateFile check**

The malware checks for registry artefacts associated with VMs. The following registry values are read and searched for the listed strings:

A. HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier

- VMWARE
- QEMU

B. HKLM\HARDWARE\Description\System\SystemBiosVersion

- VBOX
- QEMU

C. HKLM\HARDWARE\Description\System\VideoBiosVersion

- VIRTUALBOX
- BOCHS

D. The malware checks for the presence of the key HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions.

E. The malware tries to open the VirtualBox guest device "\\\\.\\VBoxGuest" with CreateFile; a valid handle means the bot is running inside a VirtualBox guest with Guest Additions loaded.

The C++ pseudocode is as follows:

```cpp
/* Returns 1 if the VirtualBox guest device \\.\VBoxGuest can be opened.
 * The decompiled call was CreateFileW(L"\\\\.\\VBoxGuest", 1u, 1u, 0, 4u, 0, 0). */
signed int vm_createfile_check(void)
{
    signed int v1 = 0;
    HANDLE hObject;

    hObject = CreateFileW(L"\\\\.\\VBoxGuest", FILE_READ_DATA, FILE_SHARE_READ,
                          NULL, OPEN_ALWAYS, 0, NULL);
    if ( hObject != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hObject);
        v1 = 1;
    }
    return v1;
}
```

**VIII. Anti-sleep bypass check**

The malware checks whether the Sleep API has been patched or hooked to return immediately, a common sandbox trick for skipping delays. It reads GetTickCount, calls Sleep(500) and treats an elapsed time of 440 ms or less as evidence of tampering; the 60 ms of slack covers the 10 to 16 ms granularity of GetTickCount.

The routine is as follows:

```cpp
/* Returns 1 if Sleep(500) came back within 440 ms, i.e. Sleep was patched or hooked. */
signed int anti_sleep_hook_check(void)
{
    DWORD v0;
    signed int v2 = 1;

    v0 = GetTickCount();
    Sleep(500);
    if ( GetTickCount() - v0 <= 440 )
        Sleep(0);       /* delay too short: keep v2 == 1 (tampering detected) */
    else
        v2 = 0;         /* the full delay elapsed: Sleep behaves normally */
    return v2;
}
```

**IX. Anti-debugger check**

The malware calls the IsDebuggerPresent and CheckRemoteDebuggerPresent APIs to check for the presence of a debugger. The two are not redundant: IsDebuggerPresent reads the BeingDebugged flag in the PEB, which a debugger plugin can clear, while CheckRemoteDebuggerPresent queries the process debug port through NtQueryInformationProcess.
The function in C++ is as follows:

```cpp
/* Returns 1 if a user-mode debugger is attached to the current process.
 * The decompiled call passed (HANDLE)0xFFFFFFFF, the GetCurrentProcess() pseudo-handle. */
int anti_debugger_check(void)
{
    BOOL pbDebuggerPresent = 0;
    int v2 = 0;

    if ( IsDebuggerPresent()
         || (CheckRemoteDebuggerPresent(GetCurrentProcess(), &pbDebuggerPresent)
             && pbDebuggerPresent) )
        v2 = 1;
    return v2;
}
```
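The following is an added example, not code from the Lethic sample or from the original post. It reproduces the host-artifact checks of sections II through VII against a constructed host profile, so that a sandbox operator can see which of the bot's checks a given environment would trip. The indicator strings are the ones listed above; the matching rules (exact match on process and DLL names, substring match on the upper-cased user name, module path and registry values) are this example's assumptions, since the post only shows the strings the bot compares against. The `HostProfile` type and the two sample profiles are constructed for illustration.

```python
"""Emulate Lethic's host-artifact checks (sections II-VII) against a host profile.

Added example, not the sample's code. Matching rules are assumptions:
exact match on process/DLL names, substring match elsewhere after upper-casing.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Indicator lists as documented in the post.
ANALYSIS_PROCESSES = {
    "regmon.exe", "filemon.exe", "procdump.exe", "procexp.exe", "wireshark.exe",
    "prcview.exe", "sysinspector.exe", "sniff_hit.exe", "proc_watch.exe",
    "apimonitor.exe", "tcpview.exe", "petools.exe", "vmtoolsd.exe", "autoruns.exe",
}
ANALYSIS_DLLS = {
    "api_log.dll", "log_api32.dll", "dir_watch.dll", "pstorec.dll",
    "vmcheck.dll", "wpespy.dll", "snxhk.dll",
}
USERNAME_STRINGS = {"MALTEST", "TEQUILABOOMBOOM", "SANDBOX", "VIRUS", "MALWARE"}
PATH_STRINGS = {"SAMPLE", "MALWARE", "SANDBOX", "VIRUS"}
VM_PROCESSES = {"vmusrvc.exe", "vmsrvc.exe", "xsvc_depriv.exe", "xenservice.exe"}
# Registry value -> substrings the bot searches for in it.
VM_REGISTRY_VALUES = {
    r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier": {"VMWARE", "QEMU"},
    r"HKLM\HARDWARE\Description\System\SystemBiosVersion": {"VBOX", "QEMU"},
    r"HKLM\HARDWARE\Description\System\VideoBiosVersion": {"VIRTUALBOX", "BOCHS"},
}
VM_REGISTRY_KEYS = {r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"}
VM_DEVICES = {r"\\.\VBoxGuest"}


@dataclass
class HostProfile:
    """What the bot would observe on the host (constructed input, not live data)."""
    username: str
    module_path: str
    processes: List[str]
    loaded_dlls: List[str]
    registry_values: Dict[str, str] = field(default_factory=dict)  # value path -> data
    registry_keys: List[str] = field(default_factory=list)          # keys that exist
    devices: List[str] = field(default_factory=list)                # openable device paths


def _substring_hits(haystack: str, needles: Iterable[str]) -> List[str]:
    """Upper-case the observed string, as the bot does, and return the needles it contains."""
    upper = haystack.upper()
    return sorted(n for n in needles if n in upper)


def evaluate_host(profile: HostProfile) -> Dict[str, List[str]]:
    """Return {check name: [matched indicators]} for every check that would fire."""
    hits: Dict[str, List[str]] = {}
    procs = {p.lower() for p in profile.processes}
    dlls = {d.lower() for d in profile.loaded_dlls}

    if found := sorted(procs & ANALYSIS_PROCESSES):
        hits["II. analysis process"] = found
    if found := sorted(dlls & ANALYSIS_DLLS):
        hits["III. analysis DLL"] = found
    if found := _substring_hits(profile.username, USERNAME_STRINGS):
        hits["IV. username"] = found
    if found := _substring_hits(profile.module_path, PATH_STRINGS):
        hits["V. path string"] = found
    if found := sorted(procs & VM_PROCESSES):
        hits["VI. VM process"] = found

    reg_hits: List[str] = []
    for value_path, needles in VM_REGISTRY_VALUES.items():
        reg_hits.extend(_substring_hits(profile.registry_values.get(value_path, ""), needles))
    reg_hits.extend(sorted(k for k in profile.registry_keys if k in VM_REGISTRY_KEYS))
    reg_hits.extend(sorted(d for d in profile.devices if d in VM_DEVICES))
    if reg_hits:
        hits["VII. VM registry/device"] = reg_hits
    return hits


def trips_any_check(profile: HostProfile) -> bool:
    """True if at least one check fires, i.e. Lethic would not run its payload here."""
    return bool(evaluate_host(profile))


# Constructed profiles: a stock VirtualBox analysis VM and a hardened one.
DEFAULT_SANDBOX = HostProfile(
    username="sandbox",
    module_path=r"C:\Users\sandbox\Desktop\sample.exe",
    processes=["explorer.exe", "Wireshark.exe", "vmtoolsd.exe"],
    loaded_dlls=["ntdll.dll", "kernel32.dll", "snxhk.dll"],
    registry_values={r"HKLM\HARDWARE\Description\System\SystemBiosVersion": "VBOX   - 1"},
    registry_keys=[r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"],
    devices=[r"\\.\VBoxGuest"],
)
HARDENED_SANDBOX = HostProfile(
    username="jsmith",
    module_path=r"C:\Users\jsmith\Downloads\invoice_2017.exe",
    processes=["explorer.exe", "svchost.exe"],
    loaded_dlls=["ntdll.dll", "kernel32.dll"],
    registry_values={r"HKLM\HARDWARE\Description\System\SystemBiosVersion": "DELL   - 1"},
)

if __name__ == "__main__":
    for name, prof in (("default", DEFAULT_SANDBOX), ("hardened", HARDENED_SANDBOX)):
        print(name, "trips:", evaluate_host(prof) or "nothing")
```

The stock profile trips five of the six artifact checks at once, which is the practical point: renaming the sample and the user account is not enough while the VirtualBox device, Guest Additions key and BIOS strings remain visible to the guest.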
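The Sleep-hook check of section VIII is worth reproducing on its own, because it shows why the usual sandbox shortcut of patching Sleep to return immediately is exactly what the bot is looking for. The block below is an added example, not the sample's code: it replaces GetTickCount and Sleep with `time.monotonic` and `time.sleep`, takes both as parameters so the analyst-side countermeasures can be exercised in one process, and keeps the sample's own 500 ms delay and 440 ms threshold. The `NaiveSleepPatch` and `ConsistentSleepSkip` classes are constructed stand-ins for two sandbox behaviours.

```python
"""Portable re-implementation of Lethic's Sleep-hook timing check (section VIII).

Added example, not the sample's code. GetTickCount -> time.monotonic,
Sleep -> time.sleep; the 0.5 s delay and 0.44 s threshold are the bot's constants.
"""
import time
from typing import Callable, Dict

SLEEP_SECONDS = 0.5        # Sleep(500)
THRESHOLD_SECONDS = 0.44   # GetTickCount() - v0 <= 440


def sleep_hook_detected(sleep_fn: Callable[[float], None] = time.sleep,
                        clock_fn: Callable[[], float] = time.monotonic) -> bool:
    """True if sleep_fn(0.5 s) appears to return early, i.e. Sleep was patched or hooked."""
    start = clock_fn()
    sleep_fn(SLEEP_SECONDS)
    return clock_fn() - start <= THRESHOLD_SECONDS


class NaiveSleepPatch:
    """The sandbox trick the bot targets: Sleep patched to return at once,
    with the clock left untouched (constructed stand-in)."""

    def sleep(self, seconds: float) -> None:
        return None


class ConsistentSleepSkip:
    """Countermeasure: skip the wait but advance a virtual clock by the skipped
    amount, so the bot's tick delta looks like a real delay (constructed stand-in)."""

    def __init__(self) -> None:
        self._offset = 0.0

    def clock(self) -> float:
        return time.monotonic() + self._offset

    def sleep(self, seconds: float) -> None:
        self._offset += seconds   # no real wait, but time "passes" for the bot


def run_scenarios() -> Dict[str, bool]:
    """Run the check under a real Sleep, a naive patch and a consistent skip."""
    naive = NaiveSleepPatch()
    consistent = ConsistentSleepSkip()
    return {
        "real_sleep": sleep_hook_detected(),
        "naive_patch": sleep_hook_detected(naive.sleep, time.monotonic),
        "consistent_skip": sleep_hook_detected(consistent.sleep, consistent.clock),
    }


if __name__ == "__main__":
    for scenario, detected in run_scenarios().items():
        print(f"{scenario:16s} hook detected: {detected}")
```

Only the naive patch is detected: the real Sleep passes because the full delay elapses, and the consistent skip passes because the clock the bot reads moves in step with the sleep it believes it performed. A sandbox that shortens delays therefore has to keep GetTickCount (and any other time source the sample reads) consistent with the skipped time rather than just neutering Sleep.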