Discovering and masking environmental features in modern sandboxes

This is a thesis for a professional degree at the advanced level from Blekinge Tekniska Högskola/Institutionen för datavetenskap

Abstract: Background. Awareness of cyber attacks among businesses is increasing with the rising number of cyber incidents. With nearly 350 000 new malware samples detected per day, there is a strong incentive to allocate resources to company infrastructure to mitigate malware. These solutions must scale so that they do not become bottlenecks or prohibitively expensive; therefore, automated solutions have been developed to combat malware. The automated solutions comprise isolated virtual environments (sandboxes), automated analysis, and reports. In response, malware developers have made malware aware of its environment, which has led to an arms race between malware developers and analysts. Objectives. In this thesis, we study how malware can identify sandbox environments and attempt to find appropriate values for masking system information (features). Methods. First, we research previous techniques for identifying sandbox environments and consult Windows environment experts from Truesec. We found 179 features to examine. Then, we gather a dataset of 2448 non-sandbox samples and 77 sandbox samples with a probing method. We use the Mann-Whitney U-test to identify features that differ between the dataset's groups. We conduct masking on a dataset level and evaluate it with a method similar to k-fold cross-validation using a random forest classifier. Furthermore, we analyze each feature's ability to detect sandboxes using the feature importance calculated by the Mean Decrease in Impurity (MDI). Results. We found that 156 out of 179 features reveal sandbox environments. Seven of those features could independently expose sandboxes, i.e., it was possible to classify all sandboxes and non-sandboxes with only one of them. The masking evaluation indicates that our proposed methods are effective at masking the sandboxes.
The results of the feature importance analysis showed that Windows Management Instrumentation (WMI) is an ideal source of information for exposing sandbox environments. Conclusions. Based on the results, we conclude that various values can expose a sandbox. Furthermore, we conclude that our method for finding masking values is adequate and that the proposed masking methods successfully mask sandbox samples. Lastly, we conclude that the research field needs to shift its focus from evasion techniques to masking implementations.
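The abstract describes screening each probed feature with a Mann-Whitney U-test to find the ones whose distributions differ between sandbox and non-sandbox hosts, and then choosing masking values so the sandbox group no longer stands out. The following example, added here and not taken from the thesis, illustrates that workflow on constructed data: a tie- and continuity-corrected normal-approximation U-test (not the exact small-sample test), a screening pass over three hypothetical features (`cpu_cores`, `ram_mb`, `screen_width`), and a simple masking strategy that replaces each sandbox value with a value drawn round-robin from the non-sandbox population. The feature names, sample sizes and values are all assumptions chosen for illustration.

```python
import math
from statistics import NormalDist


def _ranks(values):
    """Average ranks (1-based); tied values share the mean of their rank positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j + 2) / 2.0  # positions i..j carry ranks i+1..j+1
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks


def mann_whitney_u(x, y):
    """Two-sided Mann-Whitney U-test via the normal approximation.

    Returns (U for group x, p-value). Tie correction and a 0.5 continuity
    correction are applied; exact small-sample tables are not used.
    """
    n1, n2 = len(x), len(y)
    pooled = list(x) + list(y)
    r = _ranks(pooled)
    u1 = sum(r[:n1]) - n1 * (n1 + 1) / 2.0
    u = min(u1, n1 * n2 - u1)
    n = n1 + n2
    counts = {}
    for v in pooled:
        counts[v] = counts.get(v, 0) + 1
    tie_term = sum(c ** 3 - c for c in counts.values())
    mu = n1 * n2 / 2.0
    sigma = math.sqrt(n1 * n2 / 12.0 * ((n + 1) - tie_term / (n * (n - 1))))
    if sigma == 0.0:  # every value identical: nothing to distinguish
        return u1, 1.0
    z = (u + 0.5 - mu) / sigma  # u <= mu, so the correction moves toward the mean
    return u1, min(1.0, 2.0 * NormalDist().cdf(z))


def revealing_features(sandbox, non_sandbox, alpha=0.05):
    """Feature names whose sandbox/non-sandbox distributions differ at level alpha."""
    result = {}
    for name, values in sandbox.items():
        _, p = mann_whitney_u(values, non_sandbox[name])
        if p < alpha:
            result[name] = p
    return result


def mask_with_population_values(sandbox_values, non_sandbox_values):
    """Replace each sandbox value with a value taken round-robin from the non-sandbox
    population, so the masked group mirrors the real-host distribution (assumed strategy)."""
    n = len(non_sandbox_values)
    return [non_sandbox_values[i % n] for i in range(len(sandbox_values))]


# Constructed probe results: 6 sandbox hosts and 10 non-sandbox hosts (not real data).
SANDBOX = {
    "cpu_cores": [1, 1, 2, 1, 2, 1],
    "ram_mb": [2048, 4096, 2048, 4096, 2048, 4096],
    "screen_width": [1920, 1280, 1920, 1024, 1920, 1280],
}
NON_SANDBOX = {
    "cpu_cores": [4, 8, 4, 6, 8, 12, 4, 6, 8, 16],
    "ram_mb": [8192, 16384, 8192, 32768, 16384, 8192, 16384, 16384, 8192, 32768],
    "screen_width": [1920, 1280, 1024, 1920, 1920, 1280, 1920, 1024, 1280, 1920],
}


def run_demo(alpha=0.05):
    """Screen the features, mask the revealing ones, and re-screen."""
    before = revealing_features(SANDBOX, NON_SANDBOX, alpha)
    masked = dict(SANDBOX)
    for name in before:
        masked[name] = mask_with_population_values(SANDBOX[name], NON_SANDBOX[name])
    after = revealing_features(masked, NON_SANDBOX, alpha)
    return {"before": before, "after": after, "masked": masked}


if __name__ == "__main__":
    out = run_demo()
    print("revealing before masking:", sorted(out["before"]))
    print("revealing after masking: ", sorted(out["after"]))
```

In this constructed set `cpu_cores` and `ram_mb` separate the groups completely and are flagged, while `screen_width` overlaps and is not; after masking, the flagged features are no longer distinguishable by the test. On a real dataset the same screening would be followed by the classifier-based evaluation the abstract mentions, since a feature that passes a univariate test can still contribute to a multivariate detector.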
