Hello, welcome to the Monday, February 10th, 2020 edition of the Sansaunt, Stormstar, Stormcast.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

So he came across an interesting visual basic script that he's talking about in a diary that he wrote this weekend.

Now, what's sort of interesting about this script diary that he wrote this weekend.

Now, what's sort of interesting about this script is that it incorporates a number of tricks

to detect whether or not it's running inside a virtual environment or a sandbox.

Now, none of these tricks are specifically new, but it's sort of neat to see them all in one single malicious

script. For example, this script checks whether or not the system it's running on only has

one CPU core. Pretty much any real system, and I think you actually would have a hard time

buying a physical system with only one CPU core.

So running only one CPU core makes you suspicious, say, having only one gigabyte of RAM or

less than 60 gigabyte of hard disk space. But often researchers, when they are running

a malware in a virtual machine in a sandbox,

they're assigning minimum resources to this sandbox to be able to run multiple experiments

at the same time.

And technically from a performance point of view, that's not a problem, but this particular

malware will not run.

It will also check for a number of common tools that

researchers are using to collect information about the malware. They're investigating like,

for example, good old Olli debug and similar tools. There's a whole list here that

Xavier found in this particular malware. And if you're

...