Skip to content

Latest commit

 

History

History
98 lines (63 loc) · 6.86 KB

README.md

File metadata and controls

98 lines (63 loc) · 6.86 KB

Fake Sandbox Artifacts (FSA)

Inspired from the PowerShell script Fake Sandbox Processes (FSP), this script allows you to create various artifacts on a bare-metal Windows computer in an attempt to trick malwares that looks for VM or analysis tools.

The names of the artifacts to be created are separated in text files in the different folders to allow easy modification.

Background

It is estimated that 15-20% [13] of malwares are aware of virtual machine environment and will either abort execution or change its behavior upon detection. Also, fingerprinting tactic is still the dominant approach to evade sandboxes. [15]

Features

  • Create dummy files, folders and registry entries used by virtualization softwares (VmWare,VirtualBox,Qemu,...) in guest operating systems
  • Spawns dummy processes with names related to analysis tools and sandbox environments
  • Makes named pipes commonly used by virtual machines
  • Installs and start dummy services typically found after installing VMware Tools/VBox Guest Additions Service

Usage

usage: fsa.py [options]:

Fake Sandbox Artifact is a script that helps you create artifacts related to malware analysis lab environment and
virtualization systems

optional arguments:
  -h, --help            show this help message and exit
  --registry            Creates artifacts in the registry. Requires elevated privileges
  --application         Creates files and folders specified in the text files. Requires elevated privileges
  --pipe {start,stop}   Starts the dummy pipe server (dummy_pipe.py)
  --process {start,stop}
                        Start the dummy processes
  --service {install,uninstall}
                        Install and start dummy services using dummy-win-service_x64.exe. Requires elevated privileges

Testing against pafish and al-khaser

Pafish - Before Pafish - After running fsa.py
Al-khaser - Before Al-khaser - after running fsa.py

Testing against malware samples

Malware Name Source Without FSA With FSA Notes Conclusion
🔴AgentTesla VirusTotal MalwareBazaar Malware established persistance via the Windows scheduler No malicious behaviors observed Modified registry values affects the malware behavior Prevented ✔️
🔴TrickBot VirusTotal MalwareBazaar Malware contacted C2 IPs, downloaded modules networkDll64 & pwgrab64 same Anti-VM techniques used by Trickbot includes screen resolution Not prevented ❌
🔴ZLoader VirusTotal MalwareBazaar Doc launched Wscript, created C:\tabkey\ and dropped a .vbe script and a .dll Wscript not launched. No malicious behaviors observed Dummy processes running affects the malicious Word Macro behavior Prevented ✔️

To be continued

Limitations

For this script to trigger a positive fingerprinting from the malware sample, it has to know what constitutes the fingerprinting in the first place. However, the strategy here is simply to hit on many of those known checks as possible, hoping that at least one artifact will be detected.

Most advanced checks are looking for virtual hardware, memory or kernel hypervisor artifacts, which are harder to fake (e.g. Hardware IDs., loaded drivers/kernel objects).


Successfully tested on the following bare-metal Windows versions:

  • Windows 7 x64
  • Windows 8.1 x64
  • Windows 10 x64

References

[1] Github - Public malware techniques used in the wild

[2] Github - Pafish

[3] Gtihub - Anti-Sandbox and Anti-Virtual Machine Tool

[4] Github - Evasion-Tools

[5] Github - cuckoosandbox signatures

[6] Github - Antivmdetection

[7] Deep Instinct - Anti-Virtualization Malware

[8] Cyberbit - Anti-VM and Anti-Sandbox Explained

[9] VinCSS Blog - GuLoader AntiVM Techniques

[10] Prodefence - Collection of Anti-Malware Analysis Tricks

[11] rvsec0n - Anti VM and Anti Sandbox techniques in Themida and VMProtect

[12] code13 Blog - anti-VM vmware

[13] Symantec - Internet Security Threat Report Volume 24 | February 2019

[14] University of Tsukuba - Trends of anti-analysis operations of malwares observed in API call logs

[15] Amirkabir University of Technology - Malware Dynamic Analysis Evasion Techniques: A Survey