{"id":19873249,"url":"https://github.com/navytitanium/fake-sandbox-artifacts","last_synced_at":"2025-04-07T06:11:58.930Z","repository":{"id":37300413,"uuid":"295815897","full_name":"NavyTitanium/Fake-Sandbox-Artifacts","owner":"NavyTitanium","description":"This script allows you to create various artifacts on a bare-metal Windows computer in an attempt to trick malwares that looks for VM or analysis tools","archived":false,"fork":false,"pushed_at":"2024-07-31T16:18:36.000Z","size":1968,"stargazers_count":266,"open_issues_count":0,"forks_count":13,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-03-31T05:06:02.444Z","etag":null,"topics":["anti-analysis","anti-emulation","anti-sandbox","anti-vm","antivmdetection","deception-defense","malware-research","sandbox-detection"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NavyTitanium.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-09-15T18:29:13.000Z","updated_at":"2025-03-20T15:32:53.000Z","dependencies_parsed_at":"2024-07-31T20:14:24.468Z","dependency_job_id":null,"html_url":"https://github.com/NavyTitanium/Fake-Sandbox-Artifacts","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NavyTitanium%2FFake-Sandbox-Artifacts","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NavyTitanium%2FFake-Sandbox-Artifacts/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hos
ts/GitHub/repositories/NavyTitanium%2FFake-Sandbox-Artifacts/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NavyTitanium%2FFake-Sandbox-Artifacts/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NavyTitanium","download_url":"https://codeload.github.com/NavyTitanium/Fake-Sandbox-Artifacts/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247601448,"owners_count":20964864,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anti-analysis","anti-emulation","anti-sandbox","anti-vm","antivmdetection","deception-defense","malware-research","sandbox-detection"],"created_at":"2024-11-12T16:18:01.433Z","updated_at":"2025-04-07T06:11:58.897Z","avatar_url":"https://github.com/NavyTitanium.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Fake Sandbox Artifacts (FSA)\n\nInspired by the PowerShell script [Fake Sandbox Processes (FSP)](https://github.com/Phoenix1747/fake-sandbox/), this script allows you to create various artifacts on a bare-metal Windows computer in an attempt to trick malware that looks for VMs or analysis tools.\n\nThe names of the artifacts to be created are kept in text files in separate folders to allow easy modification.\n\u003cimg align=\"right\" src=\"image/logo.jpg\" width=20% height=20% /\u003e\n\n## Background\n\nIt is estimated that 15-20% [[13]](#13) of malware is aware of virtual machine environments and will either abort execution or change its behavior upon detection. 
Also, *the fingerprinting tactic is still the dominant approach to evade sandboxes*. [[15]](#15)\n\n## Features\n\n- Creates dummy files, folders and registry entries used by virtualization software (VMware, VirtualBox, QEMU, ...) in guest operating systems\n- Spawns dummy processes with names related to analysis tools and sandbox environments\n- Creates named pipes commonly used by virtual machines\n- Installs and starts dummy services typically found after installing VMware Tools or the VirtualBox Guest Additions service\n\n### Usage\n```bash\nusage: fsa.py [options]:\n\nFake Sandbox Artifact is a script that helps you create artifacts related to malware analysis lab environment and\nvirtualization systems\n\noptional arguments:\n  -h, --help            show this help message and exit\n  --registry            Creates artifacts in the registry. Requires elevated privileges\n  --application         Creates files and folders specified in the text files. Requires elevated privileges\n  --pipe {start,stop}   Starts the dummy pipe server (dummy_pipe.py)\n  --process {start,stop}\n                        Start the dummy processes\n  --service {install,uninstall}\n                        Install and start dummy services using dummy-win-service_x64.exe. 
Requires elevated privileges\n```\n\n## Testing against Pafish and al-khaser\n\n| [Pafish](https://github.com/a0rtega/pafish) - Before | [Pafish](https://github.com/a0rtega/pafish) - After running *fsa.py* |\n|:-:|:-:|\n| \u003cimg style=\"float: left;\" src=\"image/pafish_before.png\"\u003e | \u003cimg style=\"float: right;\" src=\"image/pafish_after_fsa.png\"\u003e |\n| **[Al-khaser](https://github.com/LordNoteworthy/al-khaser) - Before** | **[Al-khaser](https://github.com/LordNoteworthy/al-khaser) - After running *fsa.py*** |\n| \u003cimg style=\"float: left;\" src=\"image/al-khaser_before.png\"\u003e | \u003cimg style=\"float: right;\" src=\"image/al-khaser_after_fsa.png\"\u003e |\n\n## Testing against malware samples\n\n| Malware Name | Source | Without FSA | With FSA | Notes | Conclusion |\n| :-------------: |:-------------:|:-------------:|:-------------:|:-------------:|:-------------:|\n| :red_circle:AgentTesla | [VirusTotal](https://www.virustotal.com/gui/file/737ea6edfdc8fa560104c62e87efa44f0ec600dfda82f0ac09aa2d9f6fc522fa/detection) [MalwareBazaar](https://bazaar.abuse.ch/sample/737ea6edfdc8fa560104c62e87efa44f0ec600dfda82f0ac09aa2d9f6fc522fa/) | Malware established persistence via the Windows scheduler | No malicious behaviors observed | Modified registry values affect the malware's behavior | Prevented :heavy_check_mark: |\n| :red_circle:TrickBot | [VirusTotal](https://www.virustotal.com/gui/file/d5efc42f10137cb465bcc098f0a3f5440a86ae59059526c6fb4bfce46bf1be83/detection) [MalwareBazaar](https://bazaar.abuse.ch/sample/d5efc42f10137cb465bcc098f0a3f5440a86ae59059526c6fb4bfce46bf1be83/) | Malware contacted C2 IPs, downloaded modules networkDll64 \u0026 pwgrab64 | Same | Anti-VM techniques used by TrickBot include screen resolution checks | Not prevented :x: |\n| :red_circle:ZLoader | [VirusTotal](https://www.virustotal.com/gui/file/14a3327458b734e398d5678f72482e4c429c2db0e9349e74fdf06618a952ea6d/detection) 
[MalwareBazaar](https://bazaar.abuse.ch/sample/14a3327458b734e398d5678f72482e4c429c2db0e9349e74fdf06618a952ea6d/) | The document launched Wscript, created C:\\tabkey\\ and dropped a [.vbe](https://www.virustotal.com/gui/file/fcb7cbd384c72eac22fb0c84cdad9d8000bec993e8f3dbbfbc635de364851cd6/detection) script and a [.dll](https://www.virustotal.com/gui/file/7d8523ecb2d3d7b17e6d1a7528dc603170a0936c3e0b4b535e0b8fd5860000bf/detection) | Wscript not launched. No malicious behaviors observed | The running dummy processes affect the behavior of the malicious Word macro | Prevented :heavy_check_mark: |\n\nTo be continued\n\n## Limitations\n\nFor this script to trigger a positive fingerprint from a malware sample, it has to know what the sample's fingerprinting checks look for in the first place. The strategy here is simply to hit as many of those known checks as possible, hoping that at least one artifact will be detected.\n\nThe most advanced checks look for virtual hardware, memory or kernel hypervisor artifacts, which are harder to fake (e.g. 
hardware IDs, loaded drivers and kernel objects).\n\n------------\n\nSuccessfully tested on the following bare-metal Windows versions:\n\n- Windows 7 x64\n- Windows 8.1 x64\n- Windows 10 x64\n\n## References\n\u003ca id=\"1\"\u003e[1]\u003c/a\u003e [Github - Public malware techniques used in the wild](https://github.com/LordNoteworthy/al-khaser)\n\n\u003ca id=\"2\"\u003e[2]\u003c/a\u003e [Github - Pafish](https://github.com/a0rtega/pafish)\n\n\u003ca id=\"3\"\u003e[3]\u003c/a\u003e [Github - Anti-Sandbox and Anti-Virtual Machine Tool](https://github.com/AlicanAkyol/sems)\n\n\u003ca id=\"4\"\u003e[4]\u003c/a\u003e [Github - Evasion-Tools](https://github.com/atlantis2013/Evasion-Tools)\n\n\u003ca id=\"5\"\u003e[5]\u003c/a\u003e [Github - cuckoosandbox signatures](https://github.com/cuckoosandbox/community/tree/master/modules/signatures/windows)\n\n\u003ca id=\"6\"\u003e[6]\u003c/a\u003e [Github - Antivmdetection](https://github.com/nsmfoo/antivmdetection)\n\n\u003ca id=\"7\"\u003e[7]\u003c/a\u003e [Deep Instinct - Anti-Virtualization Malware](https://www.deepinstinct.com/2019/10/29/malware-evasion-techniques-part-2-anti-vm-blog/)\n\n\u003ca id=\"8\"\u003e[8]\u003c/a\u003e [Cyberbit - Anti-VM and Anti-Sandbox Explained](https://www.cyberbit.com/blog/endpoint-security/anti-vm-and-anti-sandbox-explained/)\n\n\u003ca id=\"9\"\u003e[9]\u003c/a\u003e [VinCSS Blog - GuLoader AntiVM Techniques](https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html)\n\n\u003ca id=\"10\"\u003e[10]\u003c/a\u003e [Prodefence - Collection of Anti-Malware Analysis Tricks](https://www.prodefence.org/collection-anti-malware-analysis-tricks/)\n\n\u003ca id=\"11\"\u003e[11]\u003c/a\u003e [rvsec0n - Anti VM and Anti Sandbox techniques in Themida and VMProtect](https://rvsec0n.wordpress.com/2019/09/15/anti-vm-and-anti-sandbox-techniques-in-themida-and-vmprotect/)\n\n\u003ca id=\"12\"\u003e[12]\u003c/a\u003e [code13 Blog - anti-VM vmware](https://code13.tistory.com/145)\n\n\u003ca 
id=\"13\"\u003e[13]\u003c/a\u003e [Symantec - Internet Security Threat Report Volume 24 | February 2019](https://docs.broadcom.com/doc/istr-24-2019-en)\n\n\u003ca id=\"14\"\u003e[14]\u003c/a\u003e [University of Tsukuba - Trends of anti-analysis operations of malwares observed in API call logs](https://tsukuba.repo.nii.ac.jp/?action=pages_view_main\u0026active_action=repository_view_main_item_detail\u0026item_id=46267\u0026item_no=1\u0026page_id=13\u0026block_id=83)\n\n\u003ca id=\"15\"\u003e[15]\u003c/a\u003e [ Amirkabir University of Technology - Malware Dynamic Analysis Evasion Techniques: A Survey](https://arxiv.org/pdf/1811.01190.pdf)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnavytitanium%2Ffake-sandbox-artifacts","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnavytitanium%2Ffake-sandbox-artifacts","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnavytitanium%2Ffake-sandbox-artifacts/lists"}