Showing results for tags 'sandbox'.

Found 10 results

  1. DRAKVUF Sandbox is an automated black-box malware analysis system with a DRAKVUF engine under the hood. This project provides you with a friendly web interface that allows you to upload suspicious files to be analyzed. Once the sandboxing job is finished, you can explore the analysis result through the mentioned interface and get insight on whether the file is truly malicious or not. Because it is usually pretty hard to set up a malware sandbox, this project also provides you with an installer app that would guide you through the necessary steps and configure your system using settings that are recommended for beginners. At the same time, experienced users can tweak some settings or even replace some infrastructure parts to better suit their needs.
     Supported hardware & software
     In order to run DRAKVUF Sandbox, your setup must fulfill all of the listed requirements:
     Processor: Intel processor with VT-x and EPT features
     Host system: Debian 10 Buster/Ubuntu 18.04 Bionic/Ubuntu 20.04 Focal with at least 2 core CPU and 5 GB RAM
     Guest system: Windows 7 (x64), Windows 10 (x64; experimental support)
     Nested virtualization: KVM does work, however it is considered experimental. If you experience any bugs, please report them to us for further investigation. Due to lack of exposed CPU features, hosting drakvuf-sandbox in the cloud is not supported (although it might change in the future). Hyper-V does not work. Xen does work out of the box. VMware Workstation Player does work, but you need to check the Virtualize EPT option for a VM; an Intel processor with EPT is still required.
     [hide][Hidden Content]]
  2. What is Cuckoo? Cuckoo Sandbox is the leading open source automated malware analysis system. You can throw any suspicious file at it and in a matter of minutes Cuckoo will provide a detailed report outlining the behavior of the file when executed inside a realistic but isolated environment. Malware is the swiss-army knife of cybercriminals and any other adversary to your corporation or organization. In these evolving times, detecting and removing malware artifacts is not enough: it's vitally important to understand how they operate in order to understand the context, the motivations, and the goals of a breach. Cuckoo Sandbox is free software that automates the task of analyzing any malicious file under Windows, macOS, Linux, and Android.
     What can it do? Cuckoo Sandbox is an advanced, extremely modular, and 100% open source automated malware analysis system with infinite application opportunities. By default it is able to:
     Analyze many different malicious files (executables, office documents, pdf files, emails, etc) as well as malicious websites under Windows, Linux, macOS, and Android virtualized environments.
     Trace API calls and general behavior of the file and distill this into high level information and signatures comprehensible by anyone.
     Dump and analyze network traffic, even when encrypted with SSL/TLS. With native network routing support to drop all traffic or route it through InetSIM, a network interface, or a VPN.
     Perform advanced memory analysis of the infected virtualized system through Volatility as well as on a process memory granularity using YARA.
     Due to Cuckoo's open source nature and extensive modular design one may customize any aspect of the analysis environment, analysis results processing, and reporting stage. Cuckoo provides you all the requirements to easily integrate the sandbox into your existing framework and backend in the way you want, with the format you want, and all of that without licensing requirements.
     Download: [HIDE][Hidden Content]]
  3. MorphAES IDPS & SandBox & AntiVirus STEALTH KILLER. MorphAES is the world's first polymorphic shellcode engine, with metamorphic properties and capability to bypass sandboxes, which makes it undetectable for an IDPS; it's cross-platform as well and library-independent.
     Properties: Polymorphism (AES encryption). Metamorphism (logic and constants changing). Platform independent (Linux/BSD/Windows). IDPS stealthing (the total number of possible signatures is more than the number of atoms in the universe for one given code). Sandbox evasion (special assembly instructions). Bad characters avoiding (\x00, \x04, \x05, \x09, \x0a, \x20). Can produce executables and be exploited remotely. Input code can have arbitrary length. Possibility for a NOP sled.
     Dependencies for the morpher: Python 2.7 - main engine. Dependencies for the code execution: 64-bit Intel AES-NI - for decryption.
     Nonetheless, there are some limitations (aka white-hat aspects): Metamorphism is not very robust and can be detected using regular expressions (but can be improved pretty easily). Unicode null bytes might still work (but who cares?). It will only work on 64-bit Intel processors with AES-NI support, but since all the user's PCs (like Pentium, Celeron, i3, i5, i7) and the industry's servers (like Xeon) have it, it's more a specification, rather than a limitation, thus a 32-bit implementation is impractical. Almost any shellcode is guaranteed to work; however, arbitrary code doesn't (to avoid malware abuse). Windows/BSD PoC and executables are in progress, as well as the ARM version.
     How it works: Shellcode padding with NOPs (since AES is a block cipher) and adding an optional NOP sled. Shellcode encryption with a random key using custom AES-128-ECB (not the best, but the simplest) - polymorphism. Constants randomization, logic changes, instructions modification and rewriting - metamorphism.
     HowTo: You will have to assemble my custom AESNI-128-ECB implementation using an Intel x64 CPU and put it in the same folder with the python script. For Linux:
     sudo apt-get install python
     as --64 AES.s -o AES.o
     ld AES.o -o AES
     Execute the Python script and enter your shellcode or nothing for a default Linux shell. You can specify your own execution address as well. It is also possible to build and execute on Windows/BSD/Mac, but I'm still testing it.
     You can test the Linux PoC in assembly:
     as --64 shellcodePoC.s -o shellcodePoC.o
     ld shellcodePoC.o -o shellcodePoC
     ./shellcodePoC
     or in C:
     gcc -m64 -fno-stack-protector -z execstack shellcode.c -o shellcode
     ./shellcode
     Every file is commented and explained.
     Tests: At this point, it should be pretty obvious that the hashes would be different every time, but let's compare SSDEEPs of 2 Linux executables of the same shellcode:
     96:GztTHyKGQh3lo6Olv4W4zS/2WnDf74i4a4B7UEoB46keWJl09:Gzty6VOlvqSTDflmNroh
     96:GQtT23yKmFUh3lo6OlOnIrFS4rkoPPf74i4a4B7UEoB46keWJ5:GQtCGWVOlOWFSsPflmNroh
     Well, there's something in common, but globally those are 2 different signatures; now what about the shellcode itself:
     6:Cq8bnJYn4Xkm3qECaADATyEnT8snTiETiTCfhUaAP6mYGexCKdKZzX+rqVCKdKTc:xuJ0Zp2xRZof79G/KVyk/KTbA
     6:vrg+T1RfLEQD/zD1DZzDJ3zDBfjDcDRJDULUwzWq0Cgk3g4zE/Yq0Cgk3gy12Ots:vLjjEszWCp3w/YCp3Nts
     Almost totally different signatures for the same morphed shellcode! At the publication date, the executable was detected as a shellcode only by 2 out of 53 antiviruses (AVG and Ikarus) on virustotal, but now, it just fails to analyze. malwr and cuckoo2 don't see anything suspicious. From the reverser's perspective, IDA won't see anything either. Radare2 would show the real instructions only if assembled by the assembler itself; however, it doesn't detect any crypto or suspicious activity for the executable. Although I didn't test it personally, I think that FortiSandbox, Sophos Sandstorm, Blue Coat, GateWatcher and their derivatives might fail badly...
     To put it in a nutshell: Basically, it can transform a script-kid's code (or a known one) into a zero-day. IDPS will fail because it's almost impossible to make a signature and difficult to make a regular expression or heuristic analysis. Most of the sandboxes don't use Intel's AES-NI instructions directly, so they will not execute the code, so "everything is fine" for them, whereas it's not. The only way to defeat this type of shellcode is to use appropriate sandboxing and/or an AI. Of course DEP/NX/CANARY/ASLR should work as well. Notice that the whole execution is done by pure assembly; no Python (or OpenSSL) is needed for the shellcode's execution since I use built-in assembly instructions only, thus it's system-independent (surely, you will have to assemble it for each one by adapting the instructions/opcodes, but they are still the same).
     Notes: This is still a work in progress; I will implement Windows and BSD/Mac engines and PoCs ASAP. IDPSes and sandboxes are the past. Jiddu Krishnamurti
     Download: [HIDE][Hidden Content]]
  4. AppContainer Launcher: AppContainer and LPAC (Less Privileged AppContainer) Launcher with Capabilities. Release Details: Second release. This is a fork of Privexec aimed at narrowing down the scope to just AppContainer and LPAC with some minor GUI enhancements.
     Changes since last release: Regular AppContainer is default (therefore 2 choices for AppContainer type now). LPAC (Less Privileged AppContainer) can be enabled via checkbox. AppxManifest button to import/parse Capabilities from AppxManifest files. Allow changing AppContainer Name field. Unique SIDs based upon AppContainer Name. File, Folder and Registry ACL permissions (may require Admin). Process Startup Directory (can be empty). Output box shows launched process' AppContainer SID, AppContainer Folder, Name, etc. Basic theme support; Change Color Panel selection in Sysmenu.
     [HIDE][Hidden Content]]
  5. iOS and MacOS suffer from sandbox escape vulnerabilities due to type confusions and memory safety issues in iohideventsystem.
  6. [Hidden Content]
  7. Hi friends, I have a problem: I'm not managing to get rid of the Avast 2018 sandbox. Can anyone help me?
  8. 360 version 3.5.0.1033 suffers from a sandbox escape vulnerability.
  9. virtualenv version 16.0.0 suffers from a sandbox escape vulnerability.
  10. Microsoft Edge suffers from a sandbox escape vulnerability.