How to hide Azure Windows 10 sandbox instance from malware.

Marcin Górski 20 Reputation points
2023-08-04T18:14:51.86+00:00

Hello,

I want my Azure Windows 10 sandbox to act more like a host than a guest, since some malware is able to detect virtual environments.

To check how the sandbox might look to malware, and then where to look for optimization, I used a tool called Pafish created by Alberto Ortega and others.
https://github.com/a0rtega/pafish

"The goal of this project is to collect techniques commonly observed in malware samples to evade analysis systems. This allows analysts to study them and test whether the analysis environments are properly implemented"

While analyzing the output of the pafish file I saw that there are a few ways for the malware to detect the virtual environment. I'm interested in making the instance more like a host.

The output of the pafish binary looks like this:

[*] Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit ... traced!
[*] Checking hypervisor bit in cpuid feature bits ... traced!
[*] Checking cpuid hypervisor vendor for known VM vendors ... traced!
[*] Checking mouse click activity ... traced!
[*] Checking mouse double click activity ... traced!
[*] Checking dialog confirmation ... traced!
[*] Checking plausible dialog confirmation ... traced!
[pafish] CPU VM traced by checking the difference between CPU timestamp counters (rdtsc) forcing VM exit
[pafish] CPU VM traced by checking hypervisor bit in cpuid feature bits
[pafish] CPU VM traced by checking cpuid hypervisor vendor for known VM vendors
[pafish] Sandbox traced by missing mouse click activity
[pafish] Sandbox traced by missing double click activity
[pafish] Sandbox traced by missing dialog confirmation
[pafish] Sandbox traced by missing or implausible dialog confirmation
[pafish] End

How can I optimize my Azure Windows 10 sandbox instance based on the given information?


Accepted answer
Sedat SALMAN 13,160 Reputation points
2023-08-04T22:25:08.2633333+00:00

Tools like AutoIt or PowerShell can be used to simulate user activity such as mouse movements, clicks, and keyboard inputs. You can script mouse movements and clicks at random intervals. These won't make your VM indistinguishable from a physical machine, but they can help mask it from some types of malware. Nested virtualization can be another solution for you; it is the process of running a virtual machine inside another virtual machine. Some malware might not be able to detect that they're running in a VM if the VM is itself running inside another VM. Note, though, that not all systems support nested virtualization and it can be resource-intensive.
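As an added example of the user-activity scripting suggested in the answer (this is not code from the question, the answer, or pafish), the following PowerShell moves the mouse and clicks at random intervals inside the analysis VM, so that the "missing mouse click / double click activity" checks in the pafish output above see an active user. It assumes an interactive desktop session on Windows with PowerShell 5.1 or later; the FakeUser class and the function names are my own.

```powershell
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing

# Constructed P/Invoke wrapper around user32!mouse_event, used for the clicks.
Add-Type @"
using System;
using System.Runtime.InteropServices;
public static class FakeUser {
    [DllImport("user32.dll")]
    public static extern void mouse_event(uint flags, uint dx, uint dy, uint data, UIntPtr extra);
    public const uint LEFTDOWN = 0x0002;
    public const uint LEFTUP   = 0x0004;
}
"@

function Invoke-LeftClick {
    [FakeUser]::mouse_event([FakeUser]::LEFTDOWN, 0, 0, 0, [UIntPtr]::Zero)
    [FakeUser]::mouse_event([FakeUser]::LEFTUP,   0, 0, 0, [UIntPtr]::Zero)
}

function Start-FakeUserActivity {
    param([int]$DurationMinutes = 30, [int]$MinPauseSeconds = 3, [int]$MaxPauseSeconds = 20)
    $screen = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds
    $rng    = [System.Random]::new()
    $end    = (Get-Date).AddMinutes($DurationMinutes)

    while ((Get-Date) -lt $end) {
        # Glide the cursor to a random on-screen point in small steps, which
        # looks more like a hand on a mouse than a single jump between points.
        $start  = [System.Windows.Forms.Cursor]::Position
        $target = [System.Drawing.Point]::new($rng.Next($screen.Width), $rng.Next($screen.Height))
        for ($i = 1; $i -le 20; $i++) {
            $x = [int]($start.X + ($target.X - $start.X) * $i / 20)
            $y = [int]($start.Y + ($target.Y - $start.Y) * $i / 20)
            [System.Windows.Forms.Cursor]::Position = [System.Drawing.Point]::new($x, $y)
            Start-Sleep -Milliseconds $rng.Next(10, 40)
        }
        # Click about half the time; sometimes follow up with a second click
        # inside the default double-click window (500 ms) so it counts as a double click.
        if ($rng.NextDouble() -lt 0.5) {
            Invoke-LeftClick
            if ($rng.NextDouble() -lt 0.3) { Start-Sleep -Milliseconds 120; Invoke-LeftClick }
        }
        Start-Sleep -Seconds $rng.Next($MinPauseSeconds, $MaxPauseSeconds + 1)
    }
}

Start-FakeUserActivity -DurationMinutes 30
```

Random clicks land on whatever is on screen, so run this on an otherwise idle desktop in the sandbox. It only addresses the user-activity checks; the rdtsc and cpuid findings in the output come from the hypervisor itself and are not changed by anything running inside the guest.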

