Cisco Blogs

Fake Volume License Trojan Targets Corporate Users and Evades Sandboxes

February 9, 2015

Two weeks ago, multiple Cisco Managed Threat Defense (MTD) customers received an email that appeared to come from the Microsoft Volume Licensing Service Center (VLSC).  The email shown below is very similar to the real email Microsoft sends: it had a personalized welcome line and appeared to contain a link to log in to the Volume Licensing Service Center:

The phish email supposedly from Microsoft Volume Licensing


The recipient's email address was embedded in the fake link to make it look more credible.  The real link, visible if you hovered the mouse over it, went to one of the following domains:

  • livihome[.]pl
  • tirillycompagnie[.]com
  • redwoodrecycling[.]com
  • gdc[.]travel
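The mismatch between the link text a user sees and the href behind it is the whole trick here. As an added example (not code from the original post), the Python below parses an HTML e-mail, collects every anchor, and flags links whose visible text shows one host while the href points at another, or whose real target falls outside an assumed allowlist of Microsoft hosts. SAMPLE_EMAIL is a constructed stand-in for the phish, compromised-wordpress.example stands in for the compromised WordPress sites, and TRUSTED_SUFFIXES is an assumption.

```python
"""Flag links in an HTML e-mail whose visible text and real target disagree.

Added example, not code from the Cisco MTD post. SAMPLE_EMAIL is a
constructed stand-in for the phish described above (recipient address in
the link, real href on a non-Microsoft host); compromised-wordpress.example
stands in for the compromised WordPress sites; TRUSTED_SUFFIXES is an
assumed allowlist of hosts the genuine VLSC mail links to.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r'https?://[^\s<>"]+')
TRUSTED_SUFFIXES = ("microsoft.com",)  # assumption

SAMPLE_EMAIL = """
<p>Dear user@example.com,</p>
<p>Please <a href="http://compromised-wordpress.example/1.php?user@example.com">
log in to https://www.microsoft.com/licensing/servicecenter/?user@example.com</a>
to see your licenses.</p>
<p><a href="https://www.microsoft.com/licensing/servicecenter/">Volume Licensing Service Center</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def host_of(url):
    """Hostname of a URL, lower-cased; '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    """True when host is one of, or a subdomain of, the allowlisted suffixes."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def suspicious_links(html):
    """Return [(href, [reasons])] for links a user should not click."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        shown = URL_RE.search(text)           # a URL the user can read in the link text
        shown_host = host_of(shown.group(0)) if shown else None
        reasons = []
        if shown_host and shown_host != real_host:
            reasons.append(f"text shows {shown_host} but the link goes to {real_host}")
        if not is_trusted(real_host):
            reasons.append(f"target {real_host} is not a trusted Microsoft host")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The same check can be run over a mail gateway's quarantined messages; the second test (target outside the allowlist) catches the phish even when the attacker does not bother to put a Microsoft URL in the link text.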

Attack Targeted at Corporate Users

Analysis of what these domains have in common found that they are all compromised WordPress servers.  The attackers added extra pages alongside the legitimate ones at a location like:


Microsoft licenses products like Windows and Office in volume to corporate customers.  The VLSC is where those customers log in to get their licenses, usually in the form of an activation code.  If a user clicks the link in the email, they see the page in the screenshot below:


Clicking the link ending in 1.php runs a JavaScript function that displays the real Microsoft Volume Licensing Service Center login page and starts a download of the fake volume license trojan as a .zip file.  If you look closely at the download window for the .zip file, the source of the download is http://tirillycompagnie[.]com, but most users would not notice this and would instead believe they were downloading something from

The Microsoft VLSC site overlaid by the malware download


Analyst Alerted by a Wonky File

MTD security analysts were first alerted to this attack by Sourcefire file events for a file named 1.php:

Sourcefire alerts were for a wonky 1.php file, which contained the JavaScript to overlay the download against the site


To discover the nature of the threat, the analyst grabbed the .ZIP file.  Our malware analysis determined that the .ZIP contained a Windows executable with an .SCR extension named Volume_Licensing_Service_Center_details_7834892334.scr.

The file had the following hashes and size:

MD5: 1b147fc9d5342ca0fa59207d366ec4fb
SHA256: 53365e66e87a46fe8c2838aed30f099b275a816129af0c3e9bce4dcc0d58fdd0
File Size: 51.9541 KB

Sandbox Evaluation Failed

Initially, only 9 of 57 antivirus engines detected the file.

MTD investigators turned to sandbox analysis for the file. Detonating the malware in three commercial sandboxes and one open source sandbox yielded nothing useful: the malware seemed to know it was being analyzed and exited after 20 seconds without doing anything.  The name antivirus programs gave it was "Chanitor", a downloader used to fetch other malware.  This downloader has been used in many attacks, such as fake fax, fake voicemail, fake invoice and fake purchase order email campaigns.

Investigator Used Debugger for Analysis

To analyze the malware completely and determine which command and control servers it connected to, investigators ran it on real hardware with network capture, memory capture and file system monitoring software installed. The analysis clearly revealed programmatic delays meant to keep a sandbox from ever seeing the malware detonate.

Running the malware in a debugger revealed the programmatic delays to evade detonation


This produced better results and revealed one of the anti-forensics measures in this variant of Chanitor: it sleeps for well over 30 minutes when first run (the ten sleep calls listed below alone add up to about 51 minutes).  Upon execution, Volume_Licensing_Service_Center_details_7834892334.scr unpacks and decodes itself and then starts a process called winlogin.exe.  winlogin.exe then calls the sleep function repeatedly, each time for roughly five minutes; the delays in milliseconds are shown below:

winlogin.exe delays execution by calling the sleep function over and over

 "winlogin.exe" sleep "00313623" milliseconds
 "winlogin.exe" sleep "00301713" milliseconds
 "winlogin.exe" sleep "00289634" milliseconds
 "winlogin.exe" sleep "00326947" milliseconds
 "winlogin.exe" sleep "00319869" milliseconds
 "winlogin.exe" sleep "00290436" milliseconds
 "winlogin.exe" sleep "00304573" milliseconds
 "winlogin.exe" sleep "00300983" milliseconds
 "winlogin.exe" sleep "00300131" milliseconds
 "winlogin.exe" sleep "00305685" milliseconds

winlogin.exe sleeps to wait out automated sandbox analysis before starting to communicate on the Internet.  The program displays no output, but its metadata indicated that it was compiled on a computer whose language setting was English.  When launched, the malware creates the following files:

Created Files and Types

  • agmas.dll – PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  • agmas.msy – binary data
  • winlogin.exe – PE32 executable (GUI) Intel 80386, for MS Windows, self-extracting archive

This trojan downloader also copies its own image into a temporary file on disk and then moves that file back over winlogin.exe, using the command shown here:

cmd /D /R type "C:\Users\PSPUBWS\AppData\Roaming\Windows\winlogin.exe" > ___ && move /Y ___ "C:\Users\PSPUBWS\AppData\Roaming\Windows\winlogin.exe"

Rewriting its own executable in place like this causes some sandbox analysis systems to fail.
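Both of these behaviours are easy to pick out of a Process Monitor style log once you know to look for them. The Python below is an added example, not Cisco MTD tooling: it totals sleep durations per process and compares them with an assumed sandbox run length, and it matches the cmd type/move pattern where the source and destination paths are the same file. The LOG text is constructed; the ten sleep lines carry the values listed above, the create/exec lines are stand-ins in the same one-line-per-event shape, and the five minute sandbox timeout is an assumption.

```python
"""Triage a Process Monitor style event log for the two sandbox-evasion
behaviours described above: long cumulative sleeps and the cmd.exe
'type ... > tmp && move /Y tmp ...' rewrite of the malware's own image.

Added example, not Cisco MTD tooling. LOG is constructed: the sleep lines
are the ten values listed in the post, the 'create'/'exec' lines are
stand-ins in the same one-line-per-event shape, and SANDBOX_TIMEOUT_MS is
an assumed sandbox run length.
"""
import re
from collections import defaultdict

SANDBOX_TIMEOUT_MS = 5 * 60 * 1000  # assumption: a 5 minute automated run

LOG = r'''
"winlogin.exe" sleep "00313623" milliseconds
"winlogin.exe" sleep "00301713" milliseconds
"winlogin.exe" sleep "00289634" milliseconds
"winlogin.exe" sleep "00326947" milliseconds
"winlogin.exe" sleep "00319869" milliseconds
"winlogin.exe" sleep "00290436" milliseconds
"winlogin.exe" sleep "00304573" milliseconds
"winlogin.exe" sleep "00300983" milliseconds
"winlogin.exe" sleep "00300131" milliseconds
"winlogin.exe" sleep "00305685" milliseconds
"winlogin.exe" create "C:\Users\PSPUBWS\AppData\Roaming\Windows\agmas.dll"
"winlogin.exe" exec cmd /D /R type "C:\Users\PSPUBWS\AppData\Roaming\Windows\winlogin.exe" > ___ && move /Y ___ "C:\Users\PSPUBWS\AppData\Roaming\Windows\winlogin.exe"
'''

# "<process>" <operation> <detail...>
LINE_RE = re.compile(r'^"(?P<proc>[^"]+)"\s+(?P<op>\w+)\s+(?P<detail>.*)$')

# type "<src>" > <tmp> && move /Y <tmp> "<dst>"  (quoted paths, as in the post)
SELF_COPY_RE = re.compile(
    r'type\s+"(?P<src>[^"]+)"\s*>\s*(?P<tmp>\S+)\s*&&\s*move\s+/Y\s+(?P<tmp2>\S+)\s+"(?P<dst>[^"]+)"',
    re.IGNORECASE,
)


def parse(log):
    """Turn the log text into (process, operation, detail) tuples."""
    events = []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["proc"], m["op"], m["detail"]))
    return events


def total_sleep_ms(events):
    """Sum sleep durations per process; the log's leading zeros are harmless to int()."""
    totals = defaultdict(int)
    for proc, op, detail in events:
        if op == "sleep":
            totals[proc] += int(re.search(r"\d+", detail).group(0))
    return dict(totals)


def self_copies(events):
    """Return (process, path) for commands that copy a file over itself via a temp name."""
    hits = []
    for proc, op, detail in events:
        if op != "exec":
            continue
        m = SELF_COPY_RE.search(detail)
        if m and m["tmp"] == m["tmp2"] and m["src"].lower() == m["dst"].lower():
            hits.append((proc, m["src"]))
    return hits


def triage(events, timeout_ms=SANDBOX_TIMEOUT_MS):
    """Findings: a sleeper that outlasts the sandbox, and in-place self-rewrites."""
    findings = []
    for proc, ms in total_sleep_ms(events).items():
        if ms > timeout_ms:
            findings.append(
                f"{proc}: sleeps {ms / 60000:.1f} min in total, longer than the "
                f"{timeout_ms / 60000:.0f} min sandbox run"
            )
    for proc, path in self_copies(events):
        findings.append(f"{proc}: rewrites its own image in place via cmd type/move ({path})")
    return findings


if __name__ == "__main__":
    for finding in triage(parse(LOG)):
        print(finding)
```

Summing the sleeps per process rather than alerting on any single call matters: each individual delay here is only about five minutes, which by itself is not unusual, but the total is what defeats a sandbox with a fixed run length.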

Investigator Discovered C2 Servers And Method

Monitoring the network activity of Volume_Licensing_Service_Center_details_7834892334.scr showed that the following domains are looked up after the winlogin.exe process wakes up:

DNS queries made by the malware:

  • api[.]ipify[.]org
  • o3qz25zwu4or5mak[.]tor2web[.]org
  • o3qz25zwu4or5mak[.]tor2web[.]ru

api[.]ipify[.]org is an online service with an API that lets applications learn their public IP address.

After the DNS queries, the Chanitor trojan connects to api[.]ipify[.]org first and learns its public IP address:

TCP connections

-> api[.]ipify[.]org    (learns its IP)

Next, the malware determines if it can connect to the Tor anonymizing network:

Forensic analysis revealed service for C2 translation


TCP connections

-> o3qz25zwu4or5mak[.]tor2web[.]org    Len=0
-> o3qz25zwu4or5mak[.]tor2web[.]ru     Len=0

Notice that the payload length for these connections is 0: they are only reachability tests for the Tor2web gateways.

Investigator Searched NetFlow for C2 and Exfiltration

MTD investigators checked the NetFlow data for connections to the IP addresses found in the malware analysis and were able to determine that, although several customers had downloaded the fake Volume License trojan, no customer systems had opened it and been compromised. Here’s a rundown of the investigations we opened for customers during the early attack.

Investigations Opened

1 investigation where two hosts downloaded the trojan from:


4 investigations where 1 host had downloaded the trojan from:


and 3 hosts had downloaded the trojan from:


The four websites distributing this malware were online for approximately 6 days.  MTD investigators advised customers to block the domains.  During that time, MTD continued to monitor for new connections to these domains and to the IPs that would be used if the Chanitor trojan were executed.
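The investigation turned on telling two populations apart: hosts that merely fetched the .zip from one of the four distribution sites, and hosts that actually ran it, which would show the ipify lookup followed by the Tor2web lookups and connections after the sleep period. The Python below is an added example of that correlation, not the MTD investigators' own NetFlow queries. All client addresses, timestamps, flow records and the C2 IPs are constructed (RFC 5737 documentation ranges); only the domain names come from the post.

```python
"""Correlate DNS and NetFlow records against the indicators above to split
hosts into those that only downloaded the trojan and those that ran it.

Added example, not the MTD investigators' own queries. Every record, client
address and C2 address below is constructed (RFC 5737 documentation
ranges); the domain names are the ones given in the post.
"""

DISTRIBUTION_DOMAINS = {"livihome.pl", "tirillycompagnie.com", "redwoodrecycling.com", "gdc.travel"}
IP_LOOKUP = "api.ipify.org"
TOR2WEB_SUFFIXES = ("tor2web.org", "tor2web.ru")
C2_IPS = {"203.0.113.10", "203.0.113.11"}  # assumption: what the tor2web names resolved to

# Constructed DNS log: (timestamp in seconds, client, queried name)
DNS = [
    (100, "10.0.0.5", "tirillycompagnie.com"),       # downloaded the .zip only
    (200, "10.0.0.9", "gdc.travel"),                  # downloaded ...
    (3300, "10.0.0.9", "api.ipify.org"),              # ... and ~50 min later woke up
    (3301, "10.0.0.9", "o3qz25zwu4or5mak.tor2web.org"),
    (3302, "10.0.0.9", "o3qz25zwu4or5mak.tor2web.ru"),
    (400, "10.0.0.12", "api.ipify.org"),              # an ipify lookup alone is not C2
]

# Constructed NetFlow records: (timestamp, src, dst, bytes)
FLOWS = [
    (3305, "10.0.0.9", "203.0.113.10", 0),            # zero-length Tor2web reachability probe
    (500, "10.0.0.12", "198.51.100.7", 1200),
]


def classify_hosts(dns, flows, c2_ips=C2_IPS):
    """Downloaded = resolved a distribution domain.

    Executed = an api.ipify.org lookup followed by a tor2web lookup from the
    same client, or any flow from the client to a known C2 address.
    """
    downloaded, executed = set(), set()
    ipify_seen = {}  # client -> time of its api.ipify.org lookup
    for ts, client, name in sorted(dns):  # order matters: ipify must precede tor2web
        if name in DISTRIBUTION_DOMAINS:
            downloaded.add(client)
        elif name == IP_LOOKUP:
            ipify_seen[client] = ts
        elif name.endswith(TOR2WEB_SUFFIXES) and client in ipify_seen and ts >= ipify_seen[client]:
            executed.add(client)
    for _ts, src, dst, _nbytes in flows:
        if dst in c2_ips:
            executed.add(src)
    return {"downloaded_only": downloaded - executed, "executed": executed}


if __name__ == "__main__":
    for bucket, hosts in classify_hosts(DNS, FLOWS).items():
        print(bucket, sorted(hosts))
```

Requiring the ipify lookup to come before the Tor2web lookup keeps ordinary users of the IP lookup service (host 10.0.0.12 above) out of the compromised set, while the flow check catches a host whose DNS went to a resolver you do not log.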


This malware exemplifies three trends:

  1. Attackers are targeting corporate users via improved phishing techniques.
  2. Attackers are building sandbox evasion into their malware; as such you need skilled investigators and a rich security toolbox to catch it.
  3. Tor is growing more commonplace as a means of C2 and exfiltration.

Are you seeing similar trends? How effective do you believe malware authors are in evading sandboxes today?




    Great article. Any chance you guys can let me know what memory capture and file system monitoring software was used during the threat analysis?

      Hi Murilo, our investigator used FTK Imager for memory dumping and Sysinternals Process Monitor to monitor the files created.

    This takes phishing to a whole new level especially at the corporate level. Scary to think that this is becoming a trend.

    Great work!

    It's disturbing how sophisticated hackers are getting these days. Thanks for sharing the details of this. I think it's only through experience that users can learn to identify potential threats more accurately.

      Agree Jennifer - what I find very interesting is the sophisticated phishing plus the Tor network for control and exfiltration.

    As Jennifer stated, it is very disturbing how sophisticated these hackers have become but even more disturbing is how slow others have been to respond to and train against phishing attacks. They just keep going, like a bunny we know. When are the Targets and Anthems of the world going to learn that the breaches are happening through their users and train them to STOP clicking through and on the links provided?

      Great callout on phishing training. I've seen some really useful guidance from Corning Industries that I liked: 1. Avoid strangers (be alert to senders you don't know) 2. Don't rush (be suspicious of emails that require urgent attention) 3. Notice the recipient list (look for recipients that don't make sense) 4. Appreciate personal touches (not vague greetings) 5. Don't be lured by dangled temptations 6. Keep sensitive data to yourself 7. Double-check links and attachments (run cursor over links)

    Know what makes me a bit upset? Those who keep taking the victim stance and doing nothing to protect their sites and the ultimate victims - you and me! It's our money that's being stolen and the Chase banks, Targets, local hospitals and businesses don't seem to care. The rules have been published everywhere and we still hear how yet another major hack has taken place with nearly a billion dollars stolen! Worse yet, the latest has been in "cultivation" for years and only during harvesting did an IT worker discover his credentials being used for something he was not doing. That made it apparent they had been hacked! All because a few users clicked an attachment in their email.

      Hi Rich - I agree with you that we, as consumers and as defenders, need to improve our vigilance. Still, it's clear that the adversary has a strong financial motive to advance attacks. There's an entire ecosystem of cyber criminals working constantly to improve their techniques; we must advance our own defensive and investigative tactics to stay in the game.

    It appears that some of the new malware can detect they are being run inside a virtual machine and stop their infection.

    Guys, do you remember the old attacks using fake AV? :-) Legacy threats with a new GUI... and most users are still vulnerable. Education is another great tool we need to use.