Tools

Published on April 25th, 2016 | by MaxiSoler

Sems Anti-Sandbox and Anti-Virtual Machine Tool v1.0

sems is a tool created to help malware researchers check their analysis environments for the signatures of virtualization software, malware sandboxes and well-known malware analysis tools. sems uses the same techniques and looks for the same footprints that evasive malware uses to detect whether it is running in a controlled environment, so researchers can use it to check whether their analysis environment can be fingerprinted and evaded.

How does it work?

Virtual Machine

Once the tool is run in a virtual machine (VirtualBox, VMware, QEMU), it performs all the checks listed below and logs each detected signature to the console until the “control” text is shown. In addition, a separate .txt file named after the finding is created in the working directory for each detected signature. For example, vboxBios.txt is created when the VirtualBox BIOS signature is found.

Malware Sandbox

The sems executable is submitted to the malware sandbox like any other sample, and the analysis is left to complete. Because sems drops a separate .txt file for each finding, the detected signatures can then be read from the “File Operations” section of the sandbox report.


VirtualBox Detection

  • Files
  • Regedit
  • Folder
  • Services
  • Mac
  • Bios
  • Window

VMWare Detection

  • Files
  • Folder
  • Regedit
  • Services
  • Mac
  • Bios
  • Window
  • Magic
  • Memory
  • Version
  • IDTR, LDTR, TR, SMSW, I/O Port


QEMU Detection

  • Regedit
  • Bios
  • CPU

Cuckoo Sandbox Detection

  • Files
  • Folder
  • Port
  • Hooked Function
  • Core Number
  • Pipe
  • Modules

Some Sandboxes Detection

Anubis, ThreatExpert, Cuckoo, Sandboxie, CWSandbox

  • Computer Name
  • Core Number
  • Modules
  • Check internet
  • Disk spaces
  • Files


Analysis Tools Detection

  • Immunity Debugger
  • Ollydbg
  • Ida Pro
  • Regshot
  • Fiddler
  • Wireshark
  • Process Monitor
  • Process Hacker
  • Process Explorer
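The Mac, Bios and Services checks listed above for VirtualBox, VMware and QEMU all work the same way: a value read from the guest is matched against vendor fingerprints that the virtualization software leaves behind by default. The following script is an added illustration, not code from sems, of how an analyst can run that kind of audit against a snapshot of their own analysis VM and get sems-style finding names (vboxMac, vmwareBios, ...) back, so they can see which artifacts their sandbox still exposes before hardening it. The fingerprint tables hold only publicly documented vendor values (IEEE-registered MAC OUI prefixes, default BIOS strings, default guest-tools service names); the HostSnapshot structure, the function names and the sample snapshots are assumptions made for this example.

```python
"""Audit an analysis VM for the vendor fingerprints sems looks for.

Added example, not the sems tool's own code. It scans a snapshot of the
guest (MAC address, BIOS version string, service names) against publicly
documented VM vendor fingerprints and reports findings named the way sems
names its drop files (e.g. "vboxMac" for the VirtualBox MAC signature).
"""
from dataclasses import dataclass, field
import sys

# Publicly documented vendor fingerprints. The OUI prefixes are the IEEE
# assignments used by each hypervisor for guest NICs; the BIOS and service
# markers are the defaults shipped with the hypervisor and its guest tools.
MAC_OUI = {
    "vbox": {"08:00:27"},
    "vmware": {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"},
    "qemu": {"52:54:00"},
}
BIOS_MARKERS = {
    "vbox": ("vbox", "virtualbox"),
    "vmware": ("vmware",),
    "qemu": ("qemu", "bochs"),
}
SERVICE_MARKERS = {
    "vbox": ("vboxservice", "vboxtray"),
    "vmware": ("vmtools", "vmware"),
}


@dataclass
class HostSnapshot:
    """Values collected from the guest (hypothetical structure for this example)."""
    mac: str
    bios_version: str
    services: list = field(default_factory=list)


def normalize_oui(mac: str) -> str:
    """Return the first three octets of a MAC in lower-case colon form."""
    octets = mac.lower().replace("-", ":").split(":")
    return ":".join(octets[:3])


def scan_snapshot(snap: HostSnapshot) -> list:
    """Return sems-style finding names for every fingerprint present in snap."""
    findings = []

    oui = normalize_oui(snap.mac)
    for vendor, prefixes in MAC_OUI.items():
        if oui in prefixes:
            findings.append(f"{vendor}Mac")

    bios = snap.bios_version.lower()
    for vendor, markers in BIOS_MARKERS.items():
        if any(m in bios for m in markers):
            findings.append(f"{vendor}Bios")

    names = [s.lower() for s in snap.services]
    for vendor, markers in SERVICE_MARKERS.items():
        if any(m in name for name in names for m in markers):
            findings.append(f"{vendor}Services")

    return findings


def collect_windows_snapshot(services=()) -> HostSnapshot:
    """Read the MAC and BIOS string from a live Windows guest (Windows only).

    Service names are passed in by the caller (e.g. parsed from `sc query`)
    because there is no standard-library service enumeration.
    """
    if not sys.platform.startswith("win"):
        raise RuntimeError("live collection is only implemented for Windows")
    import uuid
    import winreg

    node = uuid.getnode()  # 48-bit MAC of a local interface
    mac = ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\DESCRIPTION\System")
    value, _ = winreg.QueryValueEx(key, "SystemBiosVersion")  # REG_MULTI_SZ -> list
    return HostSnapshot(mac=mac, bios_version=" ".join(value), services=list(services))


# Constructed sample snapshots (not taken from any real machine).
VBOX_GUEST = HostSnapshot("08:00:27:12:34:56", "VBOX - 1", ["VBoxService", "Spooler"])
VMWARE_GUEST = HostSnapshot("00-0C-29-AA-BB-CC", "INTEL - 6040000", ["Spooler"])
BARE_METAL = HostSnapshot("3c:52:82:aa:bb:cc", "LENOVO - 1", ["Spooler"])

if __name__ == "__main__":
    for label, snap in (("vbox", VBOX_GUEST), ("vmware", VMWARE_GUEST), ("bare", BARE_METAL)):
        print(label, scan_snapshot(snap))
```

Each entry in the returned list corresponds to one of the .txt drop files sems would create, so an empty list for a snapshot means none of these three fingerprint classes is exposed; the remaining categories on the page (files, registry keys, window names, the VMware I/O port and descriptor-table checks) would each need their own collector in the same pattern.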

More Information: here


Thanks to Alican Akyol for sharing this tool with us. 😉
