Fake Sandbox Artifacts (FSA)
Inspired from the PowerShell script Fake Sandbox Processes (FSP), this script allows you to create various artifacts on a bare-metal Windows computer in an attempt to trick malwares that looks for VM or analysis tools.
The names of the artifacts to be created are separated in text files in the different folders to allow easy modification.
Background
It is estimated that 15-20% [13] of malwares are aware of virtual machine environment and will either abort execution or change its behavior upon detection. Also, fingerprinting tactic is still the dominant approach to evade sandboxes. [15]
Features
- Create dummy files, folders and registry entries used by virtualization softwares (VmWare,VirtualBox,Qemu,...) in guest operating systems
- Spawns dummy processes with names related to analysis tools and sandbox environments
- Makes named pipes commonly used by virtual machines
- Installs and start dummy services typically found after installing VMware Tools/VBox Guest Additions Service
Usage
usage: fsa.py [options]:
Fake Sandbox Artifact is a script that helps you create artifacts related to malware analysis lab environment and
virtualization systems
optional arguments:
-h, --help show this help message and exit
--registry Creates artifacts in the registry. Requires elevated privileges
--application Creates files and folders specified in the text files. Requires elevated privileges
--pipe {start,stop} Starts the dummy pipe server (dummy_pipe.py)
--process {start,stop}
Start the dummy processes
--service {install,uninstall}
Install and start dummy services using dummy-win-service_x64.exe. Requires elevated privilegesTesting against pafish and al-khaser
| Pafish - Before | Pafish - After running fsa.py |
|---|---|
 |
 |
| Al-khaser - Before | Al-khaser - after running fsa.py |
 |
 |
Testing against malware samples
| Malware Name | Source | Without FSA | With FSA | Notes | Conclusion |
|---|---|---|---|---|---|
| VirusTotal MalwareBazaar | Malware established persistance via the Windows scheduler | No malicious behaviors observed | Modified registry values affects the malware behavior | Prevented |
|
| VirusTotal MalwareBazaar | Malware contacted C2 IPs, downloaded modules networkDll64 & pwgrab64 | same | Anti-VM techniques used by Trickbot includes screen resolution | Not prevented |
|
| VirusTotal MalwareBazaar | Doc launched Wscript, created C:\tabkey\ and dropped a .vbe script and a .dll | Wscript not launched. No malicious behaviors observed | Dummy processes running affects the malicious Word Macro behavior | Prevented |
To be continued
Limitations
For this script to trigger a positive fingerprinting from the malware sample, it has to know what constitutes the fingerprinting in the first place. However, the strategy here is simply to hit on many of those known checks as possible, hoping that at least one artifact will be detected.
Most advanced checks are looking for virtual hardware, memory or kernel hypervisor artifacts, which are harder to fake (e.g. Hardware IDs., loaded drivers/kernel objects).
Successfully tested on the following bare-metal Windows versions:
- Windows 7 x64
- Windows 8.1 x64
- Windows 10 x64
References
[1] Github - Public malware techniques used in the wild
[3] Gtihub - Anti-Sandbox and Anti-Virtual Machine Tool
[5] Github - cuckoosandbox signatures
[7] Deep Instinct - Anti-Virtualization Malware
[8] Cyberbit - Anti-VM and Anti-Sandbox Explained
[9] VinCSS Blog - GuLoader AntiVM Techniques
[10] Prodefence - Collection of Anti-Malware Analysis Tricks
[11] rvsec0n - Anti VM and Anti Sandbox techniques in Themida and VMProtect
[12] code13 Blog - anti-VM vmware
[13] Symantec - Internet Security Threat Report Volume 24 | February 2019
[14] University of Tsukuba - Trends of anti-analysis operations of malwares observed in API call logs
[15] Amirkabir University of Technology - Malware Dynamic Analysis Evasion Techniques: A Survey