https://minerva-labs.com/blog/beepin-out-of-the-sandbox-analyzing-a-new-extremely-evasive-malware/
Last week we discovered several new samples that were similar to each other and had been uploaded to VirusTotal (VT) in the form of .dll, .gif or .jpg files. They were all tagged as ‘spreader’ and ‘detect-debug-environment’ by VT and caught our attention because they appeared to drop files, but those files could not be retrieved from VT.
Once we dug into this sample, we observed the use of a significant number of evasion techniques. It seemed as if the authors of this malware were trying to implement as many anti-debugging and anti-VM (anti-sandbox) techniques as they could find. One such technique involved delaying execution through the use of the Beep API function, hence the malware’s name. …
Beep API function anti-sandbox – Malware usually uses the Sleep API function to delay execution and avoid detection by sandboxes. In this case, the malware uses the Beep Windows API function. According to MSDN: “Generates simple tones on the speaker. The function is synchronous; it performs an alertable wait and does not return control to its caller until the sound finishes”. This function will suspend the execution of the malware, achieving the same effect as the Sleep API function. ..
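
A defender-side check for this technique, as an added example that is not part of the original post: it totals the blocking time requested through Beep and Sleep per process in an API-call trace and flags processes that accumulate long Beep waits. The trace format, the sample values and the 30-second threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed API-call trace in a hypothetical "pid api(arg=value, ...)" format;
# real sandbox or API-monitor output will need its own parser.
SAMPLE_TRACE = """\
4120 LoadLibraryW(lpLibFileName=kernel32.dll)
4120 Beep(dwFreq=1500, dwDuration=65000)
4120 Beep(dwFreq=1500, dwDuration=65000)
4120 Sleep(dwMilliseconds=200)
5332 Beep(dwFreq=750, dwDuration=300)
5332 Sleep(dwMilliseconds=1000)
"""

# Argument that carries the blocking time, in milliseconds, for each API.
DELAY_ARG = {"Beep": "dwDuration", "Sleep": "dwMilliseconds"}
CALL_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)\s*$")


def delay_per_process(trace):
    """Return {pid: {api: total blocking milliseconds}} for the delay APIs."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in trace.splitlines():
        m = CALL_RE.match(line)
        if not m or m.group(2) not in DELAY_ARG:
            continue
        pid, api, raw_args = int(m.group(1)), m.group(2), m.group(3)
        args = dict(a.strip().split("=", 1) for a in raw_args.split(",") if "=" in a)
        value = args.get(DELAY_ARG[api], "")
        if value.isdigit():
            totals[pid][api] += int(value)
    return {pid: dict(apis) for pid, apis in totals.items()}


def flag_beep_delays(trace, threshold_ms=30_000):
    """Flag processes whose cumulative Beep time meets the (assumed) threshold."""
    return sorted(
        pid for pid, apis in delay_per_process(trace).items()
        if apis.get("Beep", 0) >= threshold_ms
    )


if __name__ == "__main__":
    for pid, apis in delay_per_process(SAMPLE_TRACE).items():
        print(pid, apis)
    print("Beep-delay suspects:", flag_beep_delays(SAMPLE_TRACE))
```

Counting Beep alongside Sleep matters because sandbox rules that only watch Sleep-style calls would attribute almost no delay to process 4120 in this trace.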