Fake Sandbox Artifacts (FSA)

April 20, 2024 ยท View on GitHub

Inspired from the PowerShell script Fake Sandbox Processes (FSP), this script allows you to create various artifacts on a bare-metal Windows computer in an attempt to trick malwares that looks for VM or analysis tools.

The names of the artifacts to be created are separated in text files in the different folders to allow easy modification.

Background

It is estimated that 15-20% [13] of malwares are aware of virtual machine environment and will either abort execution or change its behavior upon detection. Also, fingerprinting tactic is still the dominant approach to evade sandboxes. [15]

Features

  • Create dummy files, folders and registry entries used by virtualization softwares (VmWare,VirtualBox,Qemu,...) in guest operating systems
  • Spawns dummy processes with names related to analysis tools and sandbox environments
  • Makes named pipes commonly used by virtual machines
  • Installs and start dummy services typically found after installing VMware Tools/VBox Guest Additions Service

Usage

usage: fsa.py [options]:

Fake Sandbox Artifact is a script that helps you create artifacts related to malware analysis lab environment and
virtualization systems

optional arguments:
  -h, --help            show this help message and exit
  --registry            Creates artifacts in the registry. Requires elevated privileges
  --application         Creates files and folders specified in the text files. Requires elevated privileges
  --pipe {start,stop}   Starts the dummy pipe server (dummy_pipe.py)
  --process {start,stop}
                        Start the dummy processes
  --service {install,uninstall}
                        Install and start dummy services using dummy-win-service_x64.exe. Requires elevated privileges

Testing against pafish and al-khaser

Pafish - BeforePafish - After running fsa.py
Al-khaser - BeforeAl-khaser - after running fsa.py

Testing against malware samples

Malware NameSourceWithout FSAWith FSANotesConclusion
:red_circle:AgentTeslaVirusTotal MalwareBazaarMalware established persistance via the Windows schedulerNo malicious behaviors observedModified registry values affects the malware behaviorPrevented :heavy_check_mark:
:red_circle:TrickBotVirusTotal MalwareBazaarMalware contacted C2 IPs, downloaded modules networkDll64 & pwgrab64sameAnti-VM techniques used by Trickbot includes screen resolutionNot prevented :x:
:red_circle:ZLoaderVirusTotal MalwareBazaarDoc launched Wscript, created C:\tabkey\ and dropped a .vbe script and a .dllWscript not launched. No malicious behaviors observedDummy processes running affects the malicious Word Macro behaviorPrevented :heavy_check_mark:

To be continued

Limitations

For this script to trigger a positive fingerprinting from the malware sample, it has to know what constitutes the fingerprinting in the first place. However, the strategy here is simply to hit on many of those known checks as possible, hoping that at least one artifact will be detected.

Most advanced checks are looking for virtual hardware, memory or kernel hypervisor artifacts, which are harder to fake (e.g. Hardware IDs., loaded drivers/kernel objects).


Successfully tested on the following bare-metal Windows versions:

  • Windows 7 x64
  • Windows 8.1 x64
  • Windows 10 x64

References

[1] Github - Public malware techniques used in the wild

[2] Github - Pafish

[3] Gtihub - Anti-Sandbox and Anti-Virtual Machine Tool

[4] Github - Evasion-Tools

[5] Github - cuckoosandbox signatures

[6] Github - Antivmdetection

[7] Deep Instinct - Anti-Virtualization Malware

[8] Cyberbit - Anti-VM and Anti-Sandbox Explained

[9] VinCSS Blog - GuLoader AntiVM Techniques

[10] Prodefence - Collection of Anti-Malware Analysis Tricks

[11] rvsec0n - Anti VM and Anti Sandbox techniques in Themida and VMProtect

[12] code13 Blog - anti-VM vmware

[13] Symantec - Internet Security Threat Report Volume 24 | February 2019

[14] University of Tsukuba - Trends of anti-analysis operations of malwares observed in API call logs

[15] Amirkabir University of Technology - Malware Dynamic Analysis Evasion Techniques: A Survey