Hello,
I want my Azure Windows 10 sandbox to act more like a host rather than a guest, since some malware is able to detect virtual environments.
To check how the sandbox might look to malware, and then where to look for optimization, I used a tool called Pafish created by Alberto Ortega and others.
https://github.com/a0rtega/pafish
"The goal of this project is to collect techniques commonly observed in malware samples to evade analysis systems. This allows analysts to study them and test whether the analysis environments are properly implemented"
While analyzing the output of the pafish file I saw that there are a few possibilities for the malware to detect the virtual environment. I'm interested in making the instance more like a host.
The output of the pafish binary looks like this:
[*] Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit ... traced!
[*] Checking hypervisor bit in cpuid feature bits ... traced!
[*] Checking cpuid hypervisor vendor for known VM vendors ... traced!
[*] Checking mouse click activity ... traced!
[*] Checking mouse double click activity ... traced!
[*] Checking dialog confirmation ... traced!
[*] Checking plausible dialog confirmation ... traced!
[pafish] CPU VM traced by checking the difference between CPU timestamp counters (rdtsc) forcing VM exit
[pafish] CPU VM traced by checking hypervisor bit in cpuid feature bits
[pafish] CPU VM traced by checking cpuid hypervisor vendor for known VM vendors
[pafish] Sandbox traced by missing mouse click activity
[pafish] Sandbox traced by missing double click activity
[pafish] Sandbox traced by missing dialog confirmation
[pafish] Sandbox traced by missing or implausible dialog confirmation
[pafish] End
How can I optimize my Azure Windows 10 sandbox instance based on the given information?