Sandbox Evasion Cheat Sheet

T
Thomas Roccia
Sandbox Best Practices Cheat Sheet Unprotect [Project] – unprotect.tdgt.org Thomas Roccia | @fr0gger_ VMWARE Change the default MAC address. Default first 3 bytes of MAC address of VMware: 00:0C:29 00:1C:14 00:50:56 00:05:69 Change or remove the following registry keys: HKLMHARDWAREDEVICEMAPScsiScsi Port 0Scsi Bus 0Target Id 0Logical Unit Id 0“Identifier”;“VMWARE” HKLMSOFTWAREVMware, Inc.VMware Tools HKLMHARDWAREDescriptionSystem "SystemBiosVersion";"VMWARE" HKEY_LOCAL_MACHINESYSTEMControlSet001 ControlClass{4D36E968-E325-11CE-BFC1- 08002BE10318}0000DriverDesc“Vmware SCSI Controller” HKEY_LOCAL_MACHINESYSTEMControlSet001 ControlClass{4D36E968-E325-11CE-BFC1- 08002BE10318}0000ProviderName“VMware, Inc.” Check the name or remove the following processes: VMwareService.exe Vmwaretray.exe TPAutoConnSvc.exe Vmtoolsd.exe Vmwareuser.exe Check the name of default paths or files: system32driversvmmouse.sys system32driversvmhgfs.sys Program FilesVMware VIRTUALBOX Change the default MAC address. Default first 3 bytes of MAC address of VirtualBox: 08:00:27 Change or remove the following registry keys: HKLMHARDWAREDEVICEMAPScsiScsi Port 0Scsi Bus 0Target Id 0Logical Unit Id 0"Identifier";"VBOX" HKLMHARDWAREDescriptionSystem"SystemBiosVersion";VBOX HKLMSOFTWAREOracleVirtualBox Guest Additions HKLMHARDWAREDescriptionSystem"VideoBiosVersion"; "VIRTUALBOX" HKLMHARDWAREACPIDSDTVBOX__ HKLMHARDWAREACPIFADTVBOX__ HKLMHARDWAREACPIRSDTVBOX__ HKLMHARDWAREDescriptionSystem“SystemBiosDate"; "06/23/99" HKLMSYSTEMControlSet001ServicesVBoxGuest HKLMSYSTEMControlSet001ServicesVBoxService HKLMSYSTEMControlSet001ServicesVBoxMouse HKLMSYSTEMControlSet001ServicesVBoxVideo Check the name or remove the following processes: vboxservice.exe vboxtray.exe vboxcontrol.exe Check the name of default paths or files: C:WINDOWSsystem32driversVBoxMouse.sys C:WINDOWSsystem32driversVBoxGuest.sys C:WINDOWSsystem32driversVBoxSF.sys C:WINDOWSsystem32driversVBoxVideo.sys C:WINDOWSsystem32vboxdisp.dll C:WINDOWSsystem32vboxhook.dll C:WINDOWSsystem32vboxmrxnp.dll C:WINDOWSsystem32vboxogl.dll C:WINDOWSsystem32vboxoglarrayspu.dll C:WINDOWSsystem32vboxoglcrutil.dll C:WINDOWSsystem32vboxoglerrorspu.dll C:WINDOWSsystem32vboxoglfeedbackspu.dll C:WINDOWSsystem32vboxoglpackspu.dll C:WINDOWSsystem32vboxoglpassthroughspu.dll Program Filesoraclevirtualbox guest additions QEMU Change or remove the following registry keys: HKLMHARDWAREDEVICEMAPScsiScsi Port 0Scsi Bus 0Target Id 0Logical Unit Id 0"Identifier";"QEMU" HKLMHARDWAREDescriptionSystem "SystemBiosVersion";"QEMU" PARALLELS Check the name or remove the following processes: prl_cc.exe prl_tools.exe VIRTUAL PC Check the name or remove the following processes: VMSrvc.exe VMUSrvc.exe CUCKOO Check the name or remove the following processes: Python.exe Pythonw.exe Check the name of default paths or files: C:cuckoo .pipecuckoo XEN Check the name or remove the following processes: xenservice.exe
WINE Change or remove the following registry key: HKLMSOFTWAREWine BOCHS Change or remove the following registry key: HKLMHARDWAREDescriptionSystem "SystemBiosVersion";"BOCHS" X86 INSTRUCTIONS The following Assembly instructions are used to detect Virtual Environment: SIDT SGDT SLDT SMSW STR CPUID IN VMCPUID RDTSC VPCEXT LOADED DLL Sandboxes are loaded DLL to perform actions on the system. Malware are able to detect these DLL. Check if the following DLL are loaded: sbiedll.dll (Sandboxie) api_log.dll (SunBelt SandBox) dir_watch.dll (SunBelt SandBox) pstorec.dll (SunBelt Sandbox) vmcheck.dll (Virtual PC) wpespy.dll (WPE Pro) GENERIC DETECTION Malware can detect a sandbox by different ways. The normal user activities should be reproducing to avoid detection. Reproduce or change the following elements to avoid detection: Mouse movement Office recent files Screen resolution Wallpaper Memory size Hard drive size Installed software Hostname USB drive Printer Number of processor MANUAL ANALYSIS Sandboxes can be used for automatic analysis but also for manual analysis. Rename the following analysis tools (NB: all the analysis tools can be detected by malware with the original process name): Wireshark.exe Ollydbg.exe ProcessHacker.exe TCPview.exe Autoruns.exe/Autorunsc.exe filemon.exe ProcMon.exe regmon.exe procexp.exe HookExplorer.exe SysInspector.exe PETools.exe DumpPcap.exe TIMING ATTACKS Malware can delay execution in order to avoid analysis or detection. Onset delay: Malware will delay execution to avoid analysis by the sandbox. Stalling code: Stalling code is typically executed before any malicious behaviour. Extended sleep code: Most of the sandbox have a defined time for the analysis. Malware will use a Sleep function with a big time to avoid analysis by the sandbox. TOOLS Different tools exist to harden a sandbox. Paranoid Fish: Pafish is a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do. https://github.com/a0rtega/pafish Al-Khaser: Al-khaser is a PoC malware with good intentions that aims to stress your sandbox system. https://github.com/LordNoteworthy/al- khaser RocProtect: RocProtect is a POC that emulates a sandbox environment to avoid infection by advanced malware. https://github.com/fr0gger/RocProtect-V1 Thomas Roccia | @fr0gger_ Version 1.1. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
1 of 2

Sandbox Evasion Cheat Sheet

Download to read offline
Internet

This is a best practice cheat sheet to avoid malware sandbox evasion.

T
Thomas Roccia

Recommended

A Threat Hunter Himself by
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
1.2K views31 slides
A Threat Hunter Himself by
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
6.3K views31 slides
A Case Study in Attacking KeePass by
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePassWill Schroeder
9.9K views50 slides
Hunting for Privilege Escalation in Windows Environment by
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
12K views99 slides
Countering Innovative Sandbox Evasion Techniques Used by Malware by
Countering Innovative Sandbox Evasion Techniques Used by MalwareCountering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by MalwareTyler Borosavage
895 views28 slides
Automated Malware Analysis and Cyber Security Intelligence by
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
1.1K views48 slides

More Related Content

What's hot

Hunting Lateral Movement in Windows Infrastructure by
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
9K views52 slides
Windows attacks - AT is the new black by
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
10.9K views76 slides
Super Easy Memory Forensics by
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
4.6K views151 slides
How to hack wireless internet connections using aircrack-ng by
How to hack wireless internet connections using aircrack-ngHow to hack wireless internet connections using aircrack-ng
How to hack wireless internet connections using aircrack-ngOpen Knowledge Nepal
3.9K views19 slides
Pentesting react native application for fun and profit - Abdullah by
Pentesting react native application for fun and profit - AbdullahPentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - Abdullahidsecconf
487 views38 slides
Petit potam slides-rtfm-ossir by
Petit potam slides-rtfm-ossirPetit potam slides-rtfm-ossir
Petit potam slides-rtfm-ossirLionelTopotam
2.4K views31 slides

What's hot(20)

Hunting Lateral Movement in Windows Infrastructure by Sergey Soldatov
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov9K views
Windows attacks - AT is the new black by Chris Gates
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
Chris Gates10.9K views
Super Easy Memory Forensics by IIJ
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
IIJ4.6K views
How to hack wireless internet connections using aircrack-ng by Open Knowledge Nepal
How to hack wireless internet connections using aircrack-ngHow to hack wireless internet connections using aircrack-ng
How to hack wireless internet connections using aircrack-ng
Open Knowledge Nepal 3.9K views
Pentesting react native application for fun and profit - Abdullah by idsecconf
Pentesting react native application for fun and profit - AbdullahPentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - Abdullah
idsecconf487 views
Petit potam slides-rtfm-ossir by LionelTopotam
Petit potam slides-rtfm-ossirPetit potam slides-rtfm-ossir
Petit potam slides-rtfm-ossir
LionelTopotam2.4K views
Derbycon - The Unintended Risks of Trusting Active Directory by Will Schroeder
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder35.9K views
Abusing Microsoft Kerberos - Sorry you guys don't get it by Benjamin Delpy
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy43.1K views
CCNA Security 02- fundamentals of network security by Ahmed Habib
CCNA Security 02- fundamentals of network securityCCNA Security 02- fundamentals of network security
CCNA Security 02- fundamentals of network security
Ahmed Habib5.3K views
DerbyCon 2019 - Kerberoasting Revisited by Will Schroeder
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder10.4K views
The Unintended Risks of Trusting Active Directory by Will Schroeder
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder8.5K views
Hacking Windows IPC by gueste041bc
Hacking Windows IPCHacking Windows IPC
Hacking Windows IPC
gueste041bc2K views
How to Hunt for Lateral Movement on Your Network by Sqrrl
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
Sqrrl2.8K views
macOS Vulnerabilities Hiding in Plain Sight by Csaba Fitzl
macOS Vulnerabilities Hiding in Plain SightmacOS Vulnerabilities Hiding in Plain Sight
macOS Vulnerabilities Hiding in Plain Sight
Csaba Fitzl420 views
VULNERABILITY ( CYBER SECURITY ) by Kashyap Mandaliya
VULNERABILITY ( CYBER SECURITY )VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )
Kashyap Mandaliya6.4K views
Windows Threat Hunting by GIBIN JOHN
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN1.4K views
Local File Inclusion to Remote Code Execution by n|u - The Open Security Community
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
n|u - The Open Security Community11.1K views
Hunting malware with volatility v2.0 by Frank Boldewin
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0
Frank Boldewin1.7K views
Abusing Symlinks on Windows by OWASP Delhi
Abusing Symlinks on WindowsAbusing Symlinks on Windows
Abusing Symlinks on Windows
OWASP Delhi6.9K views
Stuxnet by Shishir Aryal
StuxnetStuxnet
Stuxnet
Shishir Aryal388 views

Similar to Sandbox Evasion Cheat Sheet

Malware Analysis and Defeating using Virtual Machines by
Malware Analysis and Defeating using Virtual MachinesMalware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual Machinesintertelinvestigations
1.4K views74 slides
Network Manual by
Network ManualNetwork Manual
Network ManualJason Myers
88 views42 slides
Windows Attacks AT is the new black by
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
19.5K views78 slides
Cache is King: Get the Most Bang for Your Buck From Ruby by
Cache is King: Get the Most Bang for Your Buck From RubyCache is King: Get the Most Bang for Your Buck From Ruby
Cache is King: Get the Most Bang for Your Buck From RubyMolly Struve
1.4K views105 slides
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces by
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
875 views41 slides
Synack Shakacon OSX Malware Persistence by
Synack Shakacon OSX Malware PersistenceSynack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceIvan Einstein
1.3K views57 slides

Similar to Sandbox Evasion Cheat Sheet(20)

Malware Analysis and Defeating using Virtual Machines by intertelinvestigations
Malware Analysis and Defeating using Virtual MachinesMalware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual Machines
intertelinvestigations1.4K views
Network Manual by Jason Myers
Network ManualNetwork Manual
Network Manual
Jason Myers88 views
Windows Attacks AT is the new black by Rob Fuller
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
Rob Fuller19.5K views
Cache is King: Get the Most Bang for Your Buck From Ruby by Molly Struve
Cache is King: Get the Most Bang for Your Buck From RubyCache is King: Get the Most Bang for Your Buck From Ruby
Cache is King: Get the Most Bang for Your Buck From Ruby
Molly Struve1.4K views
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces by michelemanzotti
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
michelemanzotti875 views
Synack Shakacon OSX Malware Persistence by Ivan Einstein
Synack Shakacon OSX Malware PersistenceSynack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware Persistence
Ivan Einstein1.3K views
Dns configuration on rhel 5 by Subin Selvaraj
Dns configuration on rhel 5Dns configuration on rhel 5
Dns configuration on rhel 5
Subin Selvaraj703 views
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程 by Jimmy Chang
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
[文件] 華創造型SERVER安裝過程記錄 -V6R2016X 安裝流程
Jimmy Chang690 views
Salt Cloud vmware-orchestration by Mo Rawi
Salt Cloud vmware-orchestrationSalt Cloud vmware-orchestration
Salt Cloud vmware-orchestration
Mo Rawi3.4K views
Unix executable buffer overflow by Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
Unix executable buffer overflowUnix executable buffer overflow
Unix executable buffer overflow
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP4.5K views
Web Insecurity And Browser Exploitation by Michele Orru'
Web Insecurity And Browser ExploitationWeb Insecurity And Browser Exploitation
Web Insecurity And Browser Exploitation
Michele Orru'551 views
Long live to CMAN! by Ludovico Caldara
Long live to CMAN!Long live to CMAN!
Long live to CMAN!
Ludovico Caldara1.3K views
Trouble shooting apachecloudstack by Sailaja Sunil
Trouble shooting apachecloudstackTrouble shooting apachecloudstack
Trouble shooting apachecloudstack
Sailaja Sunil2.2K views
Component pack 6006 install guide by Roberto Boccadoro
Component pack 6006 install guideComponent pack 6006 install guide
Component pack 6006 install guide
Roberto Boccadoro219 views
Zhp diag by julian audouard
Zhp diagZhp diag
Zhp diag
julian audouard363 views
Meder Kydyraliev - Mining Mach Services within OS X Sandbox by DefconRussia
Meder Kydyraliev - Mining Mach Services within OS X SandboxMeder Kydyraliev - Mining Mach Services within OS X Sandbox
Meder Kydyraliev - Mining Mach Services within OS X Sandbox
DefconRussia1.5K views
How to use shodan more powerful by National Cheng Kung University
How to use shodan more powerful How to use shodan more powerful
How to use shodan more powerful
National Cheng Kung University1.6K views
Kl 031.30 eng_class_setup_guide_1.2 by Freddy Ortiz
Kl 031.30 eng_class_setup_guide_1.2Kl 031.30 eng_class_setup_guide_1.2
Kl 031.30 eng_class_setup_guide_1.2
Freddy Ortiz434 views
Build Automation 101 by Martin Jackson
Build Automation 101Build Automation 101
Build Automation 101
Martin Jackson5K views
Automating everything with PowerShell, Terraform, and AWS by Chris Brown
Automating everything with PowerShell, Terraform, and AWSAutomating everything with PowerShell, Terraform, and AWS
Automating everything with PowerShell, Terraform, and AWS
Chris Brown2.1K views

More from Thomas Roccia

TRITON: The Next Generation of ICS Malware by
TRITON: The Next Generation of ICS MalwareTRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS MalwareThomas Roccia
1.6K views31 slides
CoinMiners are Evasive - BsidesTLV by
CoinMiners are Evasive - BsidesTLVCoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLVThomas Roccia
1.8K views34 slides
42 - Malware - Understand the Threat and How to Respond by
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to RespondThomas Roccia
1.9K views65 slides
Wannacry | Technical Insight and Lessons Learned by
Wannacry | Technical Insight and Lessons LearnedWannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedThomas Roccia
437 views39 slides
Malware Evasion Techniques by
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion TechniquesThomas Roccia
4.2K views34 slides
Ransomware Teslacrypt Uncovered - Malware Analysis by
Ransomware Teslacrypt Uncovered - Malware AnalysisRansomware Teslacrypt Uncovered - Malware Analysis
Ransomware Teslacrypt Uncovered - Malware AnalysisThomas Roccia
859 views16 slides

More from Thomas Roccia(9)

TRITON: The Next Generation of ICS Malware by Thomas Roccia
TRITON: The Next Generation of ICS MalwareTRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS Malware
Thomas Roccia1.6K views
CoinMiners are Evasive - BsidesTLV by Thomas Roccia
CoinMiners are Evasive - BsidesTLVCoinMiners are Evasive - BsidesTLV
CoinMiners are Evasive - BsidesTLV
Thomas Roccia1.8K views
42 - Malware - Understand the Threat and How to Respond by Thomas Roccia
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond
Thomas Roccia1.9K views
Wannacry | Technical Insight and Lessons Learned by Thomas Roccia
Wannacry | Technical Insight and Lessons LearnedWannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons Learned
Thomas Roccia437 views
Malware Evasion Techniques by Thomas Roccia
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion Techniques
Thomas Roccia4.2K views
Ransomware Teslacrypt Uncovered - Malware Analysis by Thomas Roccia
Ransomware Teslacrypt Uncovered - Malware AnalysisRansomware Teslacrypt Uncovered - Malware Analysis
Ransomware Teslacrypt Uncovered - Malware Analysis
Thomas Roccia859 views
Research Paper on Digital Forensic by Thomas Roccia
Research Paper on Digital ForensicResearch Paper on Digital Forensic
Research Paper on Digital Forensic
Thomas Roccia1.6K views
Windows Kernel Debugging by Thomas Roccia
Windows Kernel DebuggingWindows Kernel Debugging
Windows Kernel Debugging
Thomas Roccia954 views
Sec day cuckoo_workshop by Thomas Roccia
Sec day cuckoo_workshopSec day cuckoo_workshop
Sec day cuckoo_workshop
Thomas Roccia510 views

Recently uploaded

cis5-Project-11a-Harry Lai by
cis5-Project-11a-Harry Laicis5-Project-11a-Harry Lai
cis5-Project-11a-Harry Laiharrylai126
9 views11 slides
The Dark Web : Hidden Services by
The Dark Web : Hidden ServicesThe Dark Web : Hidden Services
The Dark Web : Hidden ServicesAnshu Singh
19 views24 slides
Marketing and Community Building in Web3 by
Marketing and Community Building in Web3Marketing and Community Building in Web3
Marketing and Community Building in Web3Federico Ast
15 views64 slides
ARNAB12.pdf by
ARNAB12.pdfARNAB12.pdf
ARNAB12.pdfArnabChakraborty499766
5 views83 slides
ATPMOUSE_융합2조.pptx by
ATPMOUSE_융합2조.pptxATPMOUSE_융합2조.pptx
ATPMOUSE_융합2조.pptxkts120898
35 views70 slides
How to think like a threat actor for Kubernetes.pptx by
How to think like a threat actor for Kubernetes.pptxHow to think like a threat actor for Kubernetes.pptx
How to think like a threat actor for Kubernetes.pptxLibbySchulze1
7 views33 slides

Recently uploaded(10)

cis5-Project-11a-Harry Lai by harrylai126
cis5-Project-11a-Harry Laicis5-Project-11a-Harry Lai
cis5-Project-11a-Harry Lai
harrylai1269 views
The Dark Web : Hidden Services by Anshu Singh
The Dark Web : Hidden ServicesThe Dark Web : Hidden Services
The Dark Web : Hidden Services
Anshu Singh19 views
Marketing and Community Building in Web3 by Federico Ast
Marketing and Community Building in Web3Marketing and Community Building in Web3
Marketing and Community Building in Web3
Federico Ast15 views
ARNAB12.pdf by ArnabChakraborty499766
ARNAB12.pdfARNAB12.pdf
ARNAB12.pdf
ArnabChakraborty4997665 views
ATPMOUSE_융합2조.pptx by kts120898
ATPMOUSE_융합2조.pptxATPMOUSE_융합2조.pptx
ATPMOUSE_융합2조.pptx
kts12089835 views
How to think like a threat actor for Kubernetes.pptx by LibbySchulze1
How to think like a threat actor for Kubernetes.pptxHow to think like a threat actor for Kubernetes.pptx
How to think like a threat actor for Kubernetes.pptx
LibbySchulze17 views
WITS Deck by W.I.T.S.
WITS DeckWITS Deck
WITS Deck
W.I.T.S.18 views
Amine el bouzalimi by Amine EL BOUZALIMI
Amine el bouzalimiAmine el bouzalimi
Amine el bouzalimi
Amine EL BOUZALIMI5 views
hamro digital logics.pptx by tupeshghimire
hamro digital logics.pptxhamro digital logics.pptx
hamro digital logics.pptx
tupeshghimire11 views
Affiliate Marketing by Navin Dhanuka
Affiliate MarketingAffiliate Marketing
Affiliate Marketing
Navin Dhanuka20 views

Sandbox Evasion Cheat Sheet

  • 1. Sandbox Best Practices Cheat Sheet Unprotect [Project] – unprotect.tdgt.org Thomas Roccia | @fr0gger_ VMWARE Change the default MAC address. Default first 3 bytes of MAC address of VMware: 00:0C:29 00:1C:14 00:50:56 00:05:69 Change or remove the following registry keys: HKLMHARDWAREDEVICEMAPScsiScsi Port 0Scsi Bus 0Target Id 0Logical Unit Id 0“Identifier”;“VMWARE” HKLMSOFTWAREVMware, Inc.VMware Tools HKLMHARDWAREDescriptionSystem "SystemBiosVersion";"VMWARE" HKEY_LOCAL_MACHINESYSTEMControlSet001 ControlClass{4D36E968-E325-11CE-BFC1- 08002BE10318}0000DriverDesc“Vmware SCSI Controller” HKEY_LOCAL_MACHINESYSTEMControlSet001 ControlClass{4D36E968-E325-11CE-BFC1- 08002BE10318}0000ProviderName“VMware, Inc.” Check the name or remove the following processes: VMwareService.exe Vmwaretray.exe TPAutoConnSvc.exe Vmtoolsd.exe Vmwareuser.exe Check the name of default paths or files: system32driversvmmouse.sys system32driversvmhgfs.sys Program FilesVMware VIRTUALBOX Change the default MAC address. Default first 3 bytes of MAC address of VirtualBox: 08:00:27 Change or remove the following registry keys: HKLMHARDWAREDEVICEMAPScsiScsi Port 0Scsi Bus 0Target Id 0Logical Unit Id 0"Identifier";"VBOX" HKLMHARDWAREDescriptionSystem"SystemBiosVersion";VBOX HKLMSOFTWAREOracleVirtualBox Guest Additions HKLMHARDWAREDescriptionSystem"VideoBiosVersion"; "VIRTUALBOX" HKLMHARDWAREACPIDSDTVBOX__ HKLMHARDWAREACPIFADTVBOX__ HKLMHARDWAREACPIRSDTVBOX__ HKLMHARDWAREDescriptionSystem“SystemBiosDate"; "06/23/99" HKLMSYSTEMControlSet001ServicesVBoxGuest HKLMSYSTEMControlSet001ServicesVBoxService HKLMSYSTEMControlSet001ServicesVBoxMouse HKLMSYSTEMControlSet001ServicesVBoxVideo Check the name or remove the following processes: vboxservice.exe vboxtray.exe vboxcontrol.exe Check the name of default paths or files: C:WINDOWSsystem32driversVBoxMouse.sys C:WINDOWSsystem32driversVBoxGuest.sys C:WINDOWSsystem32driversVBoxSF.sys C:WINDOWSsystem32driversVBoxVideo.sys C:WINDOWSsystem32vboxdisp.dll C:WINDOWSsystem32vboxhook.dll C:WINDOWSsystem32vboxmrxnp.dll C:WINDOWSsystem32vboxogl.dll C:WINDOWSsystem32vboxoglarrayspu.dll C:WINDOWSsystem32vboxoglcrutil.dll C:WINDOWSsystem32vboxoglerrorspu.dll C:WINDOWSsystem32vboxoglfeedbackspu.dll C:WINDOWSsystem32vboxoglpackspu.dll C:WINDOWSsystem32vboxoglpassthroughspu.dll Program Filesoraclevirtualbox guest additions QEMU Change or remove the following registry keys: HKLMHARDWAREDEVICEMAPScsiScsi Port 0Scsi Bus 0Target Id 0Logical Unit Id 0"Identifier";"QEMU" HKLMHARDWAREDescriptionSystem "SystemBiosVersion";"QEMU" PARALLELS Check the name or remove the following processes: prl_cc.exe prl_tools.exe VIRTUAL PC Check the name or remove the following processes: VMSrvc.exe VMUSrvc.exe CUCKOO Check the name or remove the following processes: Python.exe Pythonw.exe Check the name of default paths or files: C:cuckoo .pipecuckoo XEN Check the name or remove the following processes: xenservice.exe
  • 2. WINE Change or remove the following registry key: HKLMSOFTWAREWine BOCHS Change or remove the following registry key: HKLMHARDWAREDescriptionSystem "SystemBiosVersion";"BOCHS" X86 INSTRUCTIONS The following Assembly instructions are used to detect Virtual Environment: SIDT SGDT SLDT SMSW STR CPUID IN VMCPUID RDTSC VPCEXT LOADED DLL Sandboxes are loaded DLL to perform actions on the system. Malware are able to detect these DLL. Check if the following DLL are loaded: sbiedll.dll (Sandboxie) api_log.dll (SunBelt SandBox) dir_watch.dll (SunBelt SandBox) pstorec.dll (SunBelt Sandbox) vmcheck.dll (Virtual PC) wpespy.dll (WPE Pro) GENERIC DETECTION Malware can detect a sandbox by different ways. The normal user activities should be reproducing to avoid detection. Reproduce or change the following elements to avoid detection: Mouse movement Office recent files Screen resolution Wallpaper Memory size Hard drive size Installed software Hostname USB drive Printer Number of processor MANUAL ANALYSIS Sandboxes can be used for automatic analysis but also for manual analysis. Rename the following analysis tools (NB: all the analysis tools can be detected by malware with the original process name): Wireshark.exe Ollydbg.exe ProcessHacker.exe TCPview.exe Autoruns.exe/Autorunsc.exe filemon.exe ProcMon.exe regmon.exe procexp.exe HookExplorer.exe SysInspector.exe PETools.exe DumpPcap.exe TIMING ATTACKS Malware can delay execution in order to avoid analysis or detection. Onset delay: Malware will delay execution to avoid analysis by the sandbox. Stalling code: Stalling code is typically executed before any malicious behaviour. Extended sleep code: Most of the sandbox have a defined time for the analysis. Malware will use a Sleep function with a big time to avoid analysis by the sandbox. TOOLS Different tools exist to harden a sandbox. Paranoid Fish: Pafish is a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do. https://github.com/a0rtega/pafish Al-Khaser: Al-khaser is a PoC malware with good intentions that aims to stress your sandbox system. https://github.com/LordNoteworthy/al- khaser RocProtect: RocProtect is a POC that emulates a sandbox environment to avoid infection by advanced malware. https://github.com/fr0gger/RocProtect-V1 Thomas Roccia | @fr0gger_ Version 1.1. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.