Today's #VBALostArts Topic: #Sandbox Detection
So a few hours ago I whipped up a super basic Office #malware whose goal was to extract as much info from sandboxes as possible and send it in the clear so you can gather all the configurations of the sandbox.
I named it Thumper
Thumper does 4 things:
- Built-in Office/VBA Info Gathering
- Registry Reading (USER & LM)
- RecentFiles Methods
- Shoots results via HTTP (so you can see)
It does this (by design) with the elegance of a herd of drunken water buffaloes dancing to Russian hard bass in a tea shop.
As for the name, it's meant to call the sandworms hiding in the dunes.
And if you want to detect and avoid almost all of the sandboxes - easiest way is to check the DateTime stamps of RecentFile methods of Word.
Like This:
This method isn't new by any means, and in many sandboxes I found the last time a recent file was accessed to be > 600 days.
Meaning your image is nearly 2 years old without any environment updates.
While I applaud your uptime, it's an easy way to see that no real human uses it.
In addition to that, most online sandboxes don't hide any unique data, nor do they attempt to mimic any hardware values in the registry =(
Another common one was NMAP installed on an Office machine.
Because Sam in Accounting def needs to deep inspect them packetz
Anyways you can inspect the reports of a few yourselves and see what configurations Online Sandboxes have so you can just bypass them on your next upload.
joesandbox.com/analysis/24305…
hybrid-analysis.com/sample/14307d1…
app.any.run/tasks/4775b935…
If you would like to see how blatantly the sample does all of this, feel free to inspect it here:
labs.inquest.net/dfi/sha256/143…
SHA256: 14307d1bc115d834ad4af97c2806b21f5537e031884c051491dc024a2be0c681
So for #BlueTeams and Sandbox Developers the takeaway is this:
Run Thumper and see what data is found on your sandbox.
Make sure you take your Sandbox images, shuffle around the recent files, and then resave the image - you can easily script this out.
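One way to script that takeaway, as an added example that is not Thumper's code or part of the thread: audit the recent-items folder of a sandbox image for entries whose timestamps are older than the ~600-day figure above, then touch them with randomised recent timestamps before resaving the image. The folder path (Windows' per-user Recent folder), the 600-day threshold and the 30-day refresh window are assumptions; point it at whatever MRU location your sandbox exposes.

```python
"""
Audit and refresh the 'recent files' timestamps on a sandbox image.

Constructed example (not part of the thread): Thumper reads Word's
RecentFiles timestamps, and an entry last touched > 600 days ago marks
the image as stale. This script reports stale entries in a Recent-items
folder and, optionally, touches them with randomised recent timestamps
so the image no longer advertises its age. Folder path, threshold and
refresh window are assumptions, not values from the thread.
"""
import os
import random
import time
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

STALE_DAYS = 600          # threshold the thread reports seeing in sandboxes
SECONDS_PER_DAY = 86400


@dataclass
class RecentEntry:
    path: Path
    age_days: float
    stale: bool


def audit_recent(folder: Path, now: Optional[float] = None,
                 stale_days: int = STALE_DAYS) -> List[RecentEntry]:
    """Return one entry per file in `folder`, flagged stale if its
    modification time is older than `stale_days`."""
    now = time.time() if now is None else now
    entries = []
    for p in sorted(folder.iterdir()):
        if not p.is_file():
            continue
        age = (now - p.stat().st_mtime) / SECONDS_PER_DAY
        entries.append(RecentEntry(p, age, age > stale_days))
    return entries


def refresh_recent(folder: Path, max_age_days: int = 30,
                   now: Optional[float] = None,
                   seed: Optional[int] = None) -> int:
    """Touch every file with a random access/modification time inside
    the last `max_age_days`, so the MRU looks like a used workstation.
    Returns the number of files updated."""
    now = time.time() if now is None else now
    rng = random.Random(seed)
    count = 0
    for p in folder.iterdir():
        if not p.is_file():
            continue
        # Spread timestamps across the window; stamping every entry with
        # 'now' would itself be a tell.
        ts = now - rng.uniform(0, max_age_days * SECONDS_PER_DAY)
        os.utime(p, (ts, ts))
        count += 1
    return count


def stale_count(folder: Path, now: Optional[float] = None) -> int:
    """Number of entries an MRU-age check would flag."""
    return sum(e.stale for e in audit_recent(folder, now))


if __name__ == "__main__":
    import sys
    # Assumed default: the per-user Recent folder on a Windows image.
    default = os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Recent")
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(default)
    for e in audit_recent(target):
        flag = "STALE " if e.stale else "ok    "
        print(f"{flag}{e.age_days:7.1f}d  {e.path.name}")
    if "--refresh" in sys.argv:
        print(f"refreshed {refresh_recent(target)} entries")
```

Run it once without `--refresh` to see what an MRU-age check would find, fix the image, and run it again before the snapshot is saved; the same audit can be scheduled so a long-lived image does not drift back past the threshold.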