Carding 4 Carders
I think many people know that malware can detect when it is running in a sandbox and, knowing this, will stay inactive: it will not make system changes, try to spread through the infrastructure, and so on. This is done to make the malware harder to detect and/or study in test or isolated environments. In theory, the same behaviour can be turned around and used to protect against malware. So we will look at building our own spoofed sandbox, based on running fake processes on the system.
Obviously, artificially created processes do not guarantee 100% protection from malware, but it is well known that, for example, ransomware such as Petya or Bad Rabbit will search the system for certain files and will even deploy incorrectly if they are found. By analogy, there is also malware that checks whether certain processes are running, processes that imply a virtual machine, network monitoring tools or antivirus protection, and that is what you can hide behind.
To create such a fake sandbox, we will use the fake-sandbox utility.
This repository contains the PowerShell script, as well as files for installing and updating it.
Download and unpack it to some folder.
Let's start with the PowerShell script. To do this, download the full archive from the specified repository and unpack it to the desired directory. The script we need is called fsp.ps1; run it from PowerShell, or from the command line (cmd.exe) enter the following command, specifying the path to the unpacked folder with the utility:
Code:
Powershell -executionpolicy remotesigned -F 'Your\Path\fsp.ps1'
Whichever method you choose, the result should look something like this:
Now we can start the available fake processes by typing "start", or "stop" to remove them. The script starts all the processes immediately, and the result should look something like this:
If you then open Task Manager, you will see several newly launched command-line processes. If you use a program like Process Explorer, you can see that they do nothing beyond their main task. The processes themselves are called "WinDbg.exe", "wireshark.exe", etc. So how does it work? At the beginning of the script there is a section containing the fake process names, and we can add our own to the $fakeProcesses array. The script then creates a temporary directory, copies ping.exe into it and renames the copies to the specified process names. To keep them alive while the PC is on, the script pings the invalid IP address 1.1.1.1 every hour indefinitely. This keeps the load on the system minimal and ensures the processes do not disappear. The "stop" argument simply kills everything listed in $fakeProcesses.
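The mechanism described above, rebuilt as an added example (this is not the project's fsp.ps1): copies of ping.exe are renamed to decoy names in a temp directory and started hidden, and a status function lets you verify which decoys are actually running. The decoy names, the directory under %TEMP% and the one-hour wait are assumptions; the ping target 1.1.1.1 is the one the post mentions.

```powershell
# Added example, not the fake-sandbox project's own script.
$fakeProcesses = @('WinDbg.exe', 'wireshark.exe', 'procmon.exe', 'vboxservice.exe')  # assumed names
$decoyDir      = Join-Path $env:TEMP 'FakeSandboxProcesses'                          # assumed location
$pingTarget    = '1.1.1.1'      # target named in the post
$pingWaitMs    = 3600000        # one hour per unanswered attempt

function Start-FakeProcesses {
    New-Item -ItemType Directory -Path $decoyDir -Force | Out-Null
    $source = Join-Path $env:SystemRoot 'System32\ping.exe'
    foreach ($name in $fakeProcesses) {
        $decoy = Join-Path $decoyDir $name
        # One renamed copy per decoy name, so Task Manager shows e.g. "wireshark.exe".
        Copy-Item -Path $source -Destination $decoy -Force
        # -t pings indefinitely; -w makes each unanswered attempt wait up to an hour,
        # so the decoy sits idle almost all of the time.
        Start-Process -FilePath $decoy -ArgumentList "-t -w $pingWaitMs $pingTarget" `
            -WindowStyle Hidden
    }
}

function Get-DecoyProcess([string]$name) {
    # Match only processes launched from the decoy directory, never a real
    # wireshark.exe or WinDbg.exe that happens to be running.
    $base = [IO.Path]::GetFileNameWithoutExtension($name)
    Get-Process -Name $base -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -like "$decoyDir\*" }
}

function Get-FakeProcessStatus {
    # One row per decoy name with a Running flag, for a quick check after "start".
    foreach ($name in $fakeProcesses) {
        [pscustomobject]@{ Name = $name; Running = [bool](Get-DecoyProcess $name) }
    }
}

function Stop-FakeProcesses {
    foreach ($name in $fakeProcesses) { Get-DecoyProcess $name | Stop-Process -Force }
    Remove-Item -Path $decoyDir -Recurse -Force -ErrorAction SilentlyContinue
}

switch ($args[0]) {
    'start'  { Start-FakeProcesses; Get-FakeProcessStatus | Format-Table -AutoSize }
    'stop'   { Stop-FakeProcesses }
    'status' { Get-FakeProcessStatus | Format-Table -AutoSize }
    default  { 'Usage: .\fake-sandbox.ps1 start | stop | status' }
}
```

Run it as `.\fake-sandbox.ps1 start` and then `status`; a decoy that shows Running = False usually means the antivirus blocked the renamed copy, which is the same issue the post raises below.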
The only problem with the script is that it is not persistent, which means the processes disappear after you log in again and the script has to be restarted. To simplify the whole solution, there is an installer that automatically puts all the files in the %AppData%\Roaming\FakeSandboxProcesses directory together with a small set of triggers. To do this, run the fsp-installer.bat file from the installer section.
Administrator rights are not required: just run the batch file in a command prompt window and enter "i" to start the installation, then enter "y" if you also want to install the automatic update component or "n" if you do not. Then press any key to close the command prompt window; the installation is complete. The processes will now start automatically when the computer is turned on.
Important note: The developer recommends adding the batch file to the antivirus whitelist so that it can autorun from the FakeSandboxProcesses folder in the AppData directory. Otherwise the antivirus program may detect it as malware and block it. Kaspersky detected the batch file as a Trojan:
But of course, this script is not a trojan.
To summarize, fake sandbox processes are an easy way to make malware think it is being analysed. Debugging malware, which is covered in this course, is a challenge for security researchers and antivirus software, but at the same time this sandbox check can be used to our advantage.
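The persistence the installer provides, shown as an added example rather than the project's fsp-installer.bat: a per-user logon task registers a decoy-starting script with the Task Scheduler, which a standard user can do without administrator rights. The script path and task name are assumptions, and the script at that path is assumed to accept a "start" argument.

```powershell
# Added example, not the project's installer. Assumed script path and task name.
$scriptPath = Join-Path $env:APPDATA 'FakeSandboxProcesses\fake-sandbox.ps1'
$taskName   = 'FakeSandboxProcesses'

function Install-FakeSandboxTask {
    # Same invocation style the post uses for fsp.ps1, run hidden at every logon.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -File `"$scriptPath`" start"
    $trigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME
    # Registers in the current user's context, so no elevation is needed.
    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Force | Out-Null
}

function Uninstall-FakeSandboxTask {
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
}

function Test-FakeSandboxTask {
    # Verification step: the task exists, is not disabled, and its script is still on disk.
    $task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
    return ($null -ne $task) -and ($task.State -ne 'Disabled') -and (Test-Path $scriptPath)
}
```

Test-FakeSandboxTask returning $false after a reboot points at the antivirus quarantining the script or batch file, the failure mode the post's whitelist note describes.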