Skip to main content

Debugger and Sandbox Detection

This code provides functions to detect the presence of a debugger or a sandbox environment. It includes the following functions:

is_debugger_detected() -> bool

Checks if a debugger is detected.

Returns: true if a debugger is present; otherwise, false.

is_sandbox_detected() -> bool

Checks if a sandbox environment is detected.

Returns: true if a sandbox environment is present; otherwise, false.

Suspicious Renamed Executable Detection

The function checks for the presence of suspiciously named executables that might indicate a sandbox environment. The suspicious executable names include:

  • sample.exe
  • bot.exe
  • sandbox.exe
  • malware.exe
  • test.exe
  • klavme.exe
  • myapp.exe
  • testapp.exe
  • infected.exe

Suspicious User Name Detection

The function checks if any suspicious user names are present on the system. The suspicious user names include:

  • CurrentUser
  • Sandbox
  • Emily
  • HAPUBWS
  • Hong Lee
  • IT-ADMIN
  • Johnson
  • Miller
  • milozs
  • Peter Wilson
  • timmy
  • user
  • sand box
  • malware
  • maltest
  • test user
  • virus
  • John Doe
  • SANDBOX
  • 7SILVIA
  • HANSPETER-PC
  • JOHN-PC
  • MUELLER-PC
  • WIN7-TRAPS
  • FORTINET
  • TEQUILABOOMBOOM

Specific Conditions Check

The function checks for specific conditions related to certain users and host names:

  • If the user is "Wilber" and the host name starts with "SC" or "SW".
  • If the user is "admin" and the host name is "SystemIT" or "KLONE_X64-PC".
  • If the user is "John" and the files "C:\take_screenshot.ps1" and "C:\loaddll.exe" exist.

Suspicious File Existence Check

The function checks for the existence of specific files that might indicate a sandbox environment:

  • C:\email.doc
  • C:\email.htm
  • C:\123\email.doc
  • C:\123\email.docx

Hardware and System Checks

The function performs the following hardware and system checks:

  • Checks if the number of physical CPUs is less than 2.
  • Checks if the total space on the C: drive is less than 80 GB (85899345920 bytes).
  • Checks if the mouse cursor position remains unchanged after a delay of 10 seconds.
  • Checks if the total memory is less than 1 GB (1073741824 bytes).
  • Checks if any of the suspicious processes are running.
  • Checks the parent process name of the current process.

Network Interface Check

The function checks the network interfaces for specific MAC addresses that might indicate a sandbox environment:

  • MAC addresses starting with "00:05:69"
  • MAC addresses starting with "00:0c:29"
  • MAC addresses starting with "00:1C:14"
  • MAC addresses starting with "00:50:56"
  • MAC addresses starting with "08:16:3E"
  • MAC addresses starting with "08:00:27"
Back to top