{"id":7307,"date":"2020-05-31T11:28:40","date_gmt":"2020-05-31T11:28:40","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=7307"},"modified":"2021-03-12T12:04:41","modified_gmt":"2021-03-12T12:04:41","slug":"a-few-more-anti-sandbox-tricks","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2020\/05\/31\/a-few-more-anti-sandbox-tricks\/","title":{"rendered":"A few more anti-sandbox tricks&#8230;"},"content":{"rendered":"\n<p><strong>Update 2021-01-02<\/strong><\/p>\n\n\n\n<p>Added VirusTotal Sysmon, C2AE, Sangfor ZSand<\/p>\n\n\n\n<p><strong>Update 2020-06-03<\/strong><\/p>\n\n\n\n<p>Added more details on MOVES, HABO and Jujubox<\/p>\n\n\n\n<p><strong>Old Post<\/strong><\/p>\n\n\n\n<p>Today I spotted <a href=\"https:\/\/twitter.com\/jk0pr\/status\/1266662285432500224?s=20\">an article<\/a> comparing various sandboxes being posted on Twitter. I noticed many of the sandboxes present on VirusTotal were not covered in that article, so I reviewed a couple of reports and added these sandboxes to the list. While doing so, I picked up a few sandbox characteristics that seem to be fixed, and as such, can lead to programmatic identification of these solutions. In my opinion, sandboxes that don&#8217;t provide a randomized environment (different user, different system profile) are relatively easy to detect, and sandbox creators need to take this into account to ensure their products remain stealthy. Also, providing screenshots is one of the easiest ways to make a profile available to attackers. 
I wonder if creating a fake desktop image could help here (window sized to the screen\/workarea resolution and presenting a picture of a fake desktop).<\/p>\n\n\n\n<p>Below are notes I took:<\/p>\n\n\n\n<p><strong>JujuBox<\/strong><\/p>\n\n\n\n<ul><li>User: masked in reports as &lt;USER&gt;, but SID is not<\/li><li>SID: S-1-5-21-364843204-231886559-199882026-1001<\/li><li>OS version: not licensed and detectable via a trick I <a href=\"https:\/\/www.hexacorn.com\/blog\/2020\/05\/28\/genuine-anti-sandbox-trick\/\">described<\/a> a few days ago<\/li><li>Desktop includes Acrobat Reader, Firefox, Google Chrome, Open Office 4.1.6, Steam, accounting, eula, mydoc, mypresentation, OpenOffice, party, and stats &#8212; file extensions are not shown, but easy to guess<\/li><li>filename is a &lt;SHA256 hash&gt;.exe<\/li><li>Screen resolution seems to be low &#8211; 800x600? <\/li><li>Only 4 icons on the taskbar<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/05\/vt_jujubox.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/05\/vt_jujubox.png\" alt=\"\" class=\"wp-image-7308\" width=\"500\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/05\/vt_jujubox.png 800w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/05\/vt_jujubox-300x225.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/05\/vt_jujubox-768x576.png 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/a><\/figure>\n\n\n\n<p><br><strong>VenusEye<\/strong><\/p>\n\n\n\n<ul><li>User: debug4fun<\/li><\/ul>\n\n\n\n<p><strong>Yomi Hunter<\/strong><\/p>\n\n\n\n<ul><li>User: j.yoroi<\/li><\/ul>\n\n\n\n<p><strong>NSFOCUS POMA<\/strong><\/p>\n\n\n\n<ul><li>OS: XP<\/li><li>User: sys<\/li><li>File: C:\\Windows\\Temp\\sample\\&lt;md5&gt;_&lt;sha256&gt;.exe<\/li><\/ul>\n\n\n\n<p><strong>BitDam ATP<\/strong><\/p>\n\n\n\n<ul><li>User: 
trans_iso_0<\/li><\/ul>\n\n\n\n<p><strong>QiAnXin RedDrip<\/strong><\/p>\n\n\n\n<ul><li>User: Administrator<\/li><li>System language: zh-CN<\/li><\/ul>\n\n\n\n<p><strong>Tencent Habo<\/strong><\/p>\n\n\n\n<ul><li>User: Administrator<\/li><li>SID: S-1-5-21-1482476501-1645522239-1417001333-500<\/li><li>File: sample.doc<\/li><li>Hostname: ANALYST&lt;DIGIT&gt;-&lt;HEX&gt;<\/li><li>OS: XP (refers to C:\\Documents and Settings\\Administrator)<\/li><li>System language: zh-CN<\/li><li>Directory present:<ul><li>C:\\DiskD<\/li><\/ul><\/li><li>File: 996e.exe (this file name is so prevalent that it even <a href=\"https:\/\/www.reddit.com\/r\/Malware\/comments\/fgxhs4\/virustotal_tencent_habo_996eexe\/\">raises<\/a> questions on Reddit); wild speculation: I wonder if it comes from a Unicode character Ux996E (\u996e) which means &#8216;drink&#8217;; the reports attempt to remove information about the process name, but do so inefficiently as shown on the below screenshot<\/li><li>Other possible fingerprints:<ul><li>OFFICE11 (C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE)<\/li><li>Python <ul><li>C:\\Python\\Python27<\/li><li>C:\\Python\\Python36<\/li><\/ul><\/li><\/ul><\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/05\/vt_habo.png\"><img decoding=\"async\" loading=\"lazy\" width=\"498\" height=\"357\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/05\/vt_habo.png\" alt=\"\" class=\"wp-image-7309\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/05\/vt_habo.png 498w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/05\/vt_habo-300x215.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/05\/vt_habo-222x160.png 222w\" sizes=\"(max-width: 498px) 100vw, 498px\" \/><\/a><\/figure>\n\n\n\n<p><strong>SecondWrite<\/strong><\/p>\n\n\n\n<ul><li>User: Virtual<\/li><li>File: &lt;hash&gt; of the file and starts from 
%TEMP%\\&lt;hash&gt;.exe<\/li><\/ul>\n\n\n\n<p><strong>Dr.Web vxCube<\/strong><\/p>\n\n\n\n<ul><li>Hides lots of information from the report, these guys know what they are doing (e.g.  sample path is listed as &lt;PATH_SAMPLE.EXE&gt;)<\/li><li>OS: XP<\/li><li>Other possible fingerprints: <ul><li>%CommonProgramFiles(x86)%\\microsoft shared\\vs7debug\\mdm.exe<\/li><li>Office14 (%ProgramFiles%\\microsoft office\\office14)<\/li><\/ul><\/li><\/ul>\n\n\n\n<p><strong>Rising MOVES<\/strong><\/p>\n\n\n\n<ul><li>User: Administrator<\/li><li>System language: zh-CN<\/li><li>Service present:<ul><li>badrv<\/li><\/ul><\/li><li>Kernel Driver present:<ul><li>rs_badrv<\/li><\/ul><\/li><li>Files present:<ul><li>c:\\analyse\\drop_files.zip<\/li><li>c:\\analyse\\result.zip<\/li><li>C:\\analyse\\log.log<\/li><li>C:\\analyse\\analyzer.exe<\/li><li>c:\/analyse\/gen_report.py<\/li><li>C:\\Program Files\\Qemu-ga\\gspawn-win32-helper.exe<\/li><\/ul><\/li><li>Mutex:<ul><li>ba_probe_event_memory_mutex<\/li><\/ul><\/li><\/ul>\n\n\n\n<p><strong>VirusTotal Cuckoofork<\/strong><\/p>\n\n\n\n<ul><li>User: admin<\/li><li>Hostname: USER-PC<\/li><li>Other possible fingerprints:<ul><li>starts sample from c:\\ root directory<\/li><li>filename is a SHA256 hash<\/li><\/ul><\/li><\/ul>\n\n\n\n<p><strong>Lastline<\/strong><\/p>\n\n\n\n<ul><li>User: Johnson, Olivia (randomized)<\/li><li>Other possible fingerprints:<ul><li>Office14<ul><li>C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE<\/li><\/ul><\/li><li>Office16<ul><li>C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE<\/li><\/ul><\/li><\/ul><\/li><\/ul>\n\n\n\n<p><strong>VMRay<\/strong><\/p>\n\n\n\n<ul><li>User: nice to see proper randomization e.g. 
&#8216;aETAdzjz&#8217;<\/li><li>Other possible fingerprints:<ul><li>Office16<ul><li>C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE<\/li><\/ul><\/li><\/ul><\/li><\/ul>\n\n\n\n<p><strong>VirusTotal Box of Apples<\/strong><\/p>\n\n\n\n<ul><li>User: user1<\/li><\/ul>\n\n\n\n<p><strong>OS X Sandbox<\/strong><\/p>\n\n\n\n<ul><li>Other possible fingerprints:<ul><li>VMWare path mapped<ul><li>Library\/Filesystems\/vmhgfs.fs<\/li><\/ul><\/li><\/ul><\/li><\/ul>\n\n\n\n<p><strong>VirusTotal Androbox<\/strong><\/p>\n\n\n\n<ul><li>n\/a<\/li><\/ul>\n\n\n\n<p><strong>VirusTotal Droidy<\/strong><\/p>\n\n\n\n<ul><li>User: user<\/li><\/ul>\n\n\n\n<p><strong>VirusTotal C2AE (this is not CAPEv2, thx @doomedraven)<\/strong><\/p>\n\n\n\n<ul><li>Very weak rule: processes present at the time of execution, and soon after terminated:<ul><li>%windir%\\System32\\svchost.exe -k WerSvcGroup<\/li><li>wmiadap.exe \/F \/T \/R<\/li><\/ul><\/li><li>&#8220;%SAMPLEPATH%&#8221; is probably a better option, just need to get lucky to get it resolved using a test sample<\/li><\/ul>\n\n\n\n<p><strong>VirusTotal Sysmon<\/strong><\/p>\n\n\n\n<ul><li>User: admin<\/li><li>Process launched as &#8220;C:\\Users\\admin\\Downloads\\&lt;MD5&gt;.mlw.exe&#8221; OR<\/li><li>Process launched as &#8220;C:\\Users\\admin\\Downloads\\&lt;MD5&gt;.virus.exe&#8221;<\/li><\/ul>\n\n\n\n<p><strong>Sangfor ZSand<\/strong><\/p>\n\n\n\n<ul><li>Process starts from c:\\<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Update 2021-01-02 Added VirusTotal Sysmon, C2AE, Sangfor ZSand Update 2020-06-03 Added more details on MOVES, HABO and Jujubox Old Post Today I spotted an article comparing various sandboxes being posted on Twitter. 
I noticed many of the sandboxes present on VirusTotal &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2020\/05\/31\/a-few-more-anti-sandbox-tricks\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[43,41],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7307"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7307"}],"version-history":[{"count":11,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7307\/revisions"}],"predecessor-version":[{"id":7731,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7307\/revisions\/7731"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7307"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7307"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7307"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}