Detect sandbox by cursor movement speed and clicking speed and location.
This tool was created as a demonstration for my talk about vaccination @ BSdiesLV 2017. It is an example for a simple technique to bypass many sandboxes by monitoring mouse movements. While many tools and malware looks if the mouse moved at all, my tool checks if the movement was smooth by applying basic calculus. There are some thresholds I set in advance - feel free to play with it. Timing and Location modes recently added also allow you to detect sandbox by monitoring clicking speed and location, which are often hard coded.
Will be glad to get your feedback @ https://twitter.com/Gal_B1t
My aim is to show that there are many ways to create new evasion techniques, yet, like this one - most of them can be easily countered.
Execute with the flag -mean The script will accumulate the mouse speed values (only if a movement occurred) and will return the average of all speeds. In a sandbox, the cursor only jumps so the average will be much higher.
Execute with the flag -max It will run similarly, yet instead of the average it will return the maximal speed. This technique can trigger a false positive if a flesh and blood user moves its cursor extremely fast.
Execute with the flag -location The script will accumulate 10 clicking events. Cuckoo sandbox always simulates click in the same location. If all locations are the same and match known the known Cuckoo location - it will declare it is executed in a sandbox.
Execute with the flag -timing The script will accumulate 10 clicking events. Cuckoo sandbox always simulates click which last 50 milliseconds. If all the clicks are roughly 50 milliseconds long - it will declare it is executed in a sandbox.
This tool and its abstract logic should be used only for legal and educational purposes. Anyone adopting ir adapting it for illegale purposes is doing so at its own risk.