Toot

Written by jo3rg on 2024-11-03 at 11:34

I'd like to #analyze malware in my own VM instead of a proprietary sandbox, but the #malware I try to detonate seems to have some sort of sandbox evasion techniques in place.

Since I'd like to use procmon in parallel to the dynamic analysis, which is usually not possible in commercial products, I need to find a way to run it within my VMware VM.

Does anyone of you have any recommendations on how to avoid sandbox evasion techniques?

Looking forward to getting input on that topic 😊🙏

#Malware #Analysis #Sandbox #Evasion

Descendants

Written by Lesley Carhart on 2024-11-03 at 14:58

@jo3rg @viq you need to use a VM sandbox prebuilt for it or evade all common VM detection methods (hardware, registry, services)

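
As an added example (editor's code, not something posted in this thread or shipped by VMware): a PowerShell audit that enumerates, from inside the Windows guest, the three artifact classes named in the reply above (hardware, registry, services) plus the Tools processes and driver files that go with them. Everything it reports is something a sample can also see, so the list doubles as the to-do list for stripping the guest before the snapshot. It assumes an elevated prompt inside a VMware Windows guest; the indicator names are the editor's own selection of well-known VMware fingerprints, not an exhaustive catalogue.

```powershell
# Audit a Windows VMware guest for the artifacts malware commonly checks
# before deciding it is inside a sandbox. Run inside the guest from an
# elevated PowerShell prompt. The indicator lists are the editor's own
# selection of well-known VMware fingerprints, not an exhaustive catalogue.

$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Category, [string]$Detail) {
    # $findings is a reference type, so the parent-scope list is mutated in place
    $findings.Add(('{0,-9} {1}' -f $Category, $Detail))
}

# --- Hardware: SMBIOS strings, disk model, NIC OUI, CPUID hypervisor bit ---
$cs   = Get-CimInstance Win32_ComputerSystem
$bios = Get-CimInstance Win32_BIOS
foreach ($s in @($cs.Manufacturer, $cs.Model, $bios.Manufacturer, $bios.SerialNumber, $bios.Version)) {
    if ($s -match 'VMware') { Add-Finding 'hardware' "SMBIOS string: $s" }
}
Get-CimInstance Win32_DiskDrive | Where-Object { $_.Model -match 'VMware|Virtual' } |
    ForEach-Object { Add-Finding 'hardware' "Disk model: $($_.Model)" }

# OUIs registered to VMware: 00:05:69, 00:0C:29, 00:1C:14, 00:50:56
$vmwareOui = '^(00:05:69|00:0C:29|00:1C:14|00:50:56)'
Get-CimInstance Win32_NetworkAdapter | Where-Object { $_.MACAddress -match $vmwareOui } |
    ForEach-Object { Add-Finding 'hardware' "MAC OUI: $($_.MACAddress) ($($_.Name))" }

# CPUID leaf 1, ECX bit 31 ("hypervisor present") surfaces in WMI as HypervisorPresent (Win8+)
if ($cs.HypervisorPresent) { Add-Finding 'hardware' 'CPUID hypervisor-present bit is set' }

# --- Registry: Tools install key, driver service keys, BIOS/SCSI strings ---
$regKeys = @(
    'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools',
    'HKLM:\SYSTEM\CurrentControlSet\Services\VMTools',
    'HKLM:\SYSTEM\CurrentControlSet\Services\vmhgfs',
    'HKLM:\SYSTEM\CurrentControlSet\Services\vmmouse',
    'HKLM:\SYSTEM\CurrentControlSet\Services\vmmemctl'
)
foreach ($k in $regKeys) { if (Test-Path $k) { Add-Finding 'registry' "Key present: $k" } }

$biosKey = Get-ItemProperty 'HKLM:\HARDWARE\DESCRIPTION\System\BIOS' -ErrorAction SilentlyContinue
foreach ($name in 'SystemManufacturer', 'SystemProductName', 'BIOSVendor') {
    if ($biosKey.$name -match 'VMware') { Add-Finding 'registry' "BIOS\$name = $($biosKey.$name)" }
}
Get-ChildItem 'HKLM:\HARDWARE\DEVICEMAP\Scsi' -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $id = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Identifier
    if ($id -match 'VMware') { Add-Finding 'registry' "Scsi Identifier: $id" }
}

# --- Services and processes installed by VMware Tools ---------------------
$svcNames = 'VMTools', 'VGAuthService', 'vmvss'
Get-Service | Where-Object { $svcNames -contains $_.Name } |
    ForEach-Object { Add-Finding 'service' "$($_.Name) ($($_.Status))" }
Get-Process -Name vmtoolsd, VGAuthService, vmwaretray, vmwareuser -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'process' "$($_.ProcessName).exe (PID $($_.Id))" }

# --- Files: paravirtual drivers and the Tools install directory -------------
foreach ($d in 'vmhgfs.sys', 'vmmouse.sys', 'vmmemctl.sys', 'vm3dmp.sys', 'vmrawdsk.sys', 'vmusbmouse.sys') {
    $p = Join-Path $env:SystemRoot "System32\drivers\$d"
    if (Test-Path $p) { Add-Finding 'file' $p }
}
if (Test-Path "$env:ProgramFiles\VMware\VMware Tools") { Add-Finding 'file' "$env:ProgramFiles\VMware\VMware Tools" }

# --- Report: anything listed here is something the sample can see -----------
if ($findings.Count -eq 0) { 'No VMware artifacts found in this guest.' }
else { $findings | Sort-Object -Unique }
```

Two caveats a practitioner would want. First, the hypervisor-present CPUID bit and the VMware backdoor I/O port cannot be hidden from inside the guest; those are host-side settings in the .vmx (the documented options are hypervisor.cpuid.v0 = "FALSE" and monitor_control.restrict_backdoor = "TRUE"), and restricting the backdoor breaks VMware Tools features such as clipboard sharing and drag-and-drop, so uninstall Tools and copy procmon in by other means before taking the clean snapshot. Second, timing checks (RDTSC deltas, sleep acceleration) and checks for analysis tooling itself (a running Procmon64.exe, its driver) are a separate class that this audit does not cover; rename the procmon binary and expect some samples to still go quiet.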

Written by jo3rg on 2024-11-03 at 18:27

@hacks4pancakes @viq thanks for your answer. Which prebuilt VM sandbox would you suggest? Any concrete recommendations?

Written by Lesley Carhart on 2024-11-03 at 18:35

@jo3rg @viq cuckoo & remnux

Written by jo3rg on 2024-11-03 at 18:41

@hacks4pancakes @viq but as far as I know Cuckoo is not for manual dynamic analysis but more for generating automatic reports, right? I've used REMnux in the past, but it's a Linux-based OS so it doesn't natively support Windows PEs. Not sure how I could use it for that use case. The use case is to detonate the malware and be able to trace all its calls using procmon.

Written by Lesley Carhart on 2024-11-03 at 18:44

@jo3rg @viq you can access and modify the windows guest as you want

Written by jo3rg on 2024-11-03 at 18:49

@hacks4pancakes @viq okay nice, I'll def look into Cuckoo then! Will keep you updated on my progress ;)

Original URL
gemini://mastogem.picasoft.net/thread/113418809837614670