Sandbox Evasion: Anti-Sandbox Techniques

2023-11-06 17:20

Introduction

In red-versus-blue exercises we often run into this situation: a payload passes offline AV scans, but ten minutes later it is flagged anyway. That is the power of cloud-based detection, which comes in two forms:
1. Static analysis
2. Dynamic analysis
Static analysis inspects the sample's structure, import table and so on to decide whether it is malicious, or applies AI and other clustering algorithms to see whether its overall code structure resembles known malware; in other words, the verdict is reached without ever running the program. Dynamic analysis runs the sample and records its API call sequence, in-memory characteristics, callback addresses and network traffic, none of which can be captured statically. To get past dynamic analysis, then, the sample has to recognise the characteristics of the sandbox and refuse to run inside it; that is what "sandbox evasion" means here.

Anti-sandbox methods

In essence it comes down to finding characteristic values that distinguish a sandbox from a real machine, for example:
1. vmtoolsd.exe appears in the process list
2. Differences in API results between a real machine and a sandbox, for instance reading the GPU temperature, which a sandbox cannot return
3. Recently opened files, or fewer than 10 files in the temp directory, which is taken as a sign of a sandbox
So the essence of the job is collecting features. Below we write a program that gathers a range of characteristics from the sandbox and sends them back, to see what the mainstream sandboxes on the market actually look like and then target those features for evasion.

Collecting sandbox features

We collect the following features:
1. Hostname
2. Username
3. UID
4. GID
5. Platform
6. Platform family
7. Platform version
8. Install date
9. Boot time
10. Disks
11. MAC addresses of all network adapters
12. Number of processes
13. List of process names
14. Names of temp files
15. Desktop files
16. Free, available and total disk space

微X在线

WIN 7 32-bit analysis system

{
  "Hostname": "DESKTOP-R0ASNAA",
  "Username": "DESKTOP-R0ASNAA\\Admin",
  "Uid": "S-1-5-21-2946486835-2728351130-1651602021-1000",
  "Gid": "S-1-5-21-2946486835-2728351130-1651602021-513",
  "Platform": "Microsoft Windows 7 Ultimate Service Pack 1",
  "PlatformFamily": "Standalone Workstation",
  "PlatformVersion": "6.1.7601 Build 7601",
  "Cpu": "4",
  "BootTime": "1658185174",
  "UpTime": "34862",
  "Disk": "C: ",
  "Mac": ["Local Area Connection 52:54:00:c5:0f:7c", "isatap.{1141D443-46F3-4C40-8D6C-D57632F2B3B2} 00:00:00:00:00:00:00:e0"],
  "Procs": "51",
  "Process": "[System Process] System smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe audiodg.exe svchost.exe spoolsv.exe svchost.exe AcrylicService.exe svchost.exe dwm.exe taskhost.exe explorer.exe WeChat.exe rundll32.exe taskhost.exe taskhost.exe WinSAT.exe conhost.exe WeChat.exe aYdKcbVzZt.exe unsecapp.exe WmiPrvSE.exe WeChat.exe ShellExperienceHost.exe GoogleUpdateSetup.exe QQ.exe svchost.exe WUDFHost.exe taskhostw.exe GoogleUpdate.exe sihost.exe backgroundTaskHost.exe Detonate.exe RemindersServer.exe WmiPrvSE.exe audiodg.exe BackgroundTransferHost.exe main.exe ",
  "TempFiles": ["!!!!tnQGd", "ASPNETSetup_00000.log", "ArmUI.ini", "CVR8BDF.tmp.cvr", "DMI3F89.tmp", "FXSAPIDebugLogFile.txt", "Low", "RGI6BC7.tmp-tmp", "WPDNSE", "acro_rd_dir", "acrord32_sbx", "au-descriptor-1.8.0_171-b11.xml", "dd_vcredistMSI3185.txt", "gen_py", "jawshtml.html", "log_de-0.log", "log_de.log", "moz-update-new-backup-update.log", "moz-update-new-last-update.log", "mozilla-temp-files", "tmpaddon", "vbccsb.bmp", "wmsetup.log"],
  "DesktopFiles": ["desktop.ini"],
  "DiskInfos": [" free 28 MB avail 28 MB total 494 MB "]
}

WIN 7 64-bit analysis system

{
  "Hostname": "DESKTOP-RSILDVX",
  "Username": "DESKTOP-RSILDVX\\Admin",
  "Uid": "S-1-5-21-1129413703-3462700907-1341486384-1000",
  "Gid": "S-1-5-21-1129413703-3462700907-1341486384-513",
  "Platform": "Microsoft Windows 7 Ultimate Service Pack 1",
  "PlatformFamily": "Standalone Workstation",
  "PlatformVersion": "6.1.7601 Build 7601",
  "Cpu": "4",
  "BootTime": "1658190894",
  "UpTime": "28888",
  "Disk": "C: ",
  "Mac": ["Local Area Connection 52:54:00:30:56:0f", "isatap.{43AC80D5-D666-4C30-8995-823B98B4E2BF} 00:00:00:00:00:00:00:e0"],
  "Procs": "47",
  "Process": "[System Process] System smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe audiodg.exe svchost.exe spoolsv.exe svchost.exe taskhost.exe dwm.exe explorer.exe svchost.exe svchost.exe WeChat.exe taskhost.exe WeChat.exe KrlwNxbURe.exe unsecapp.exe WmiPrvSE.exe ShellExperienceHost.exe GoogleUpdateSetup.exe WeChat.exe svchost.exe WUDFHost.exe Detonate.exe backgroundTaskHost.exe taskhostw.exe audiodg.exe GoogleUpdate.exe RemindersServer.exe QQ.exe sihost.exe WmiPrvSE.exe BackgroundTransferHost.exe main.exe ",
  "TempFiles": ["!!!!OTVcUgAZCWtFUh", "ASPNETSetup_00005.log", "ArmUI.ini", "CVR45E1.tmp.cvr", "FXSAPIDebugLogFile.txt", "Low", "RGI64B.tmp-tmp", "WPDNSE", "acrord32_sbx", "chrome_installer.log", "gen_py", "jawshtml.html", "log_de-0.log", "log_de.log", "tmpaddon", "wmsetup.log"],
  "DesktopFiles": ["Sticky Notes.lnk", "desktop.ini"],
  "DiskInfos": [" free -725 MB avail -725 MB total 494 MB "]
}

Win10 analysis system

{
  "Hostname": "DESKTOP-H9URB7T",
  "Username": "DESKTOP-H9URB7T\\Administrator",
  "Uid": "S-1-5-21-984825153-1336012551-2928140700-500",
  "Gid": "S-1-5-21-984825153-1336012551-2928140700-513",
  "Platform": "Microsoft Windows 10 Pro",
  "PlatformFamily": "Standalone Workstation",
  "PlatformVersion": "10.0.18362 Build 18362",
  "Cpu": "4",
  "BootTime": "1658197215",
  "UpTime": "21692",
  "Disk": "C: ",
  "Mac": ["Ethernet 52:54:00:9d:94:82"],
  "Procs": "126",
  "Process": "[System Process] System Registry smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe svchost.exe svchost.exe fontdrvhost.exe fontdrvhost.exe svchost.exe svchost.exe dwm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe audiodg.exe spoolsv.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe AcrylicService.exe svchost.exe svchost.exe svchost.exe svchost.exe sppsvc.exe svchost.exe dasHost.exe svchost.exe SppExtComObj.Exe svchost.exe svchost.exe svchost.exe svchost.exe sihost.exe svchost.exe taskhostw.exe svchost.exe ctfmon.exe explorer.exe svchost.exe ChsIME.exe svchost.exe StartMenuExperienceHost.exe svchost.exe svchost.exe RuntimeBroker.exe ApplicationFrameHost.exe MicrosoftEdge.exe browser_broker.exe svchost.exe Windows.WARP.JITService.exe dllhost.exe RuntimeBroker.exe MicrosoftEdgeCP.exe MicrosoftEdgeSH.exe WeChat.exe taskhostw.exe svchost.exe svchost.exe svchost.exe usocoreworker.exe AppHostRegistrationVerifier.exe TrustedInstaller.exe TiWorker.exe svchost.exe WmiPrvSE.exe WmiPrvSE.exe WeChat.exe oLDThMtHHL.exe unsecapp.exe svchost.exe svchost.exe WeChat.exe svchost.exe ShellExperienceHost.exe GoogleUpdateSetup.exe QQ.exe RemindersServer.exe backgroundTaskHost.exe GoogleUpdate.exe WUDFHost.exe taskhostw.exe svchost.exe WmiPrvSE.exe Detonate.exe sihost.exe audiodg.exe BackgroundTransferHost.exe dllhost.exe main.exe ",
  "TempFiles": ["!!!!QXnShWaDY", "gen_py", "log_de-0.log", "log_de.log"],
  "DesktopFiles": ["Microsoft Edge.lnk", "desktop.ini"],
  "DiskInfos": [" free 526 MB avail 526 MB total 494 MB "]
}

any.run

{
  "Hostname": "User-PC",
  "Username": "USER-PC\\admin",
  "Uid": "S-1-5-21-1302019708-1500728564-335382590-1000",
  "Gid": "S-1-5-21-1302019708-1500728564-335382590-513",
  "Platform": "Microsoft Windows 7 Professional Service Pack 1",
  "PlatformFamily": "Standalone Workstation",
  "PlatformVersion": "6.1.7601 Build 7601",
  "Cpu": "4",
  "BootTime": "1658219380",
  "UpTime": "1071",
  "Disk": "C: ",
  "Mac": ["Connection 12:03:33:4a:04:af", "isatap.{4040CF00-1B3E-486A-B407-FA14C56B6FC0} 00:00:00:00:00:00:00:e0"],
  "Procs": "32",
  "Process": "[System Process] System smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe svchost.exe IMEDICTUPDATE.EXE svchost.exe taskhost.exe taskeng.exe dwm.exe explorer.exe ctfmon.exe SearchIndexer.exe SearchProtocolHost.exe SearchFilterHost.exe main.exe ",
  "TempFiles": ["2hwflycr.wxy", "44fgwpug.l3b", "4h4bvyg0.zv1", "4hzyndia.i0b", "4u05srcx.2tm", "5cajz215.cyn", "DMI326A.tmp", "DMI5D92.tmp", "FXSAPIDebugLogFile.txt", "WPDNSE", "ae1197f8-1fef-485f-bd41-961d8cc76a3d.ps1", "be451b0w.oss", "io1vk3bc.a5o", "kdxz5yzf.q5x", "main.exe", "my5mdnsv.hzi", "nlkcainm.pwo", "qfgod4ch.wmc", "sotg2snm.etk", "wylivac0.ox4", "yn2xdy3b.fnw", "ytaotkcy.ydz"],
  "DesktopFiles": ["buttonforeign.rtf", "checkimportant.rtf", "consumershare.rtf", "desktop.ini", "generalthought.rtf", "localsociety.png", "mrc.jpg", "plansvillage.jpg", "reservedrisk.rtf", "roomwestern.jpg", "teachersure.png", "telephonealong.png", "xxxworldwide.png"],
  "DiskInfos": [" free -851 MB avail -851 MB total -51 MB "]
}

奇X信

{
  "Hostname": "WIN-IVE99JTTEQ6",
  "Username": "WIN-IVE99JTTEQ6\\Administrator",
  "Uid": "S-1-5-21-170072326-1450976669-2659344978-500",
  "Gid": "S-1-5-21-170072326-1450976669-2659344978-513",
  "Platform": "Microsoft Windows 7 Ultimate Service Pack 1",
  "PlatformFamily": "Standalone Workstation",
  "PlatformVersion": "6.1.7601 Build 7601",
  "Cpu": "4",
  "BootTime": "1658222038",
  "UpTime": "96",
  "Disk": "C: ",
  "Mac": ["Local Area Connection 2 6c:4b:90:45:7b:66"],
  "Procs": "58",
  "Process": "[System Process] System smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe OSPPSVC.EXE taskhost.exe dwm.exe explorer.exe reader_sl.exe svchost.exe taskhost.exe sdclt.exe sc.exe QQ.exe conhost.exe Timwp.exe conhost.exe TIM.exe conhost.exe WeChat.exe conhost.exe Skype.exe conhost.exe LxMainNew.exe conhost.exe navicat.exe conhost.exe IDMan.exe conhost.exe Everything.exe conhost.exe Code.exe conhost.exe BSPrintNotify.exe conhost.exe Postman.exe conhost.exe TOTALCMD64.EXE conhost.exe dllhost.exe main.exe conhost.exe ",
  "TempFiles": ["ASPNETSetup_00000.log", "Administrator.bmp", "BSPrintNotify.exe", "CVR4A69.tmp.cvr", "Code.exe", "Everything.exe", "FXSAPIDebugLogFile.txt", "IDMan.exe", "JavaDeployReg.log", "Low", "LxMainNew.exe", "MSI301d8.LOG", "MSI31bd8.LOG", "MSI358b2.LOG", "MSI36f67.LOG", "Microsoft .NET Framework 4.5.1 Setup_20190507_174334109.html", "Postman.exe", "QQ.exe", "RGIDD45.tmp", "RGIDD45.tmp-tmp", "SetupExe(201905071747259A8).log", "Skype.exe", "TCDA77F.tmp", "TCDA87B.tmp", "TCDA8BC.tmp", "TCDAAA2.tmp", "TCDAB60.tmp", "TCDABBF.tmp", "TCDAC3E.tmp", "TCDACAE.tmp", "TCDAD3C.tmp", "TCDADAC.tmp", "TCDAE3A.tmp", "TCDAF85.tmp", "TCDB081.tmp", "TCDB0D1.tmp", "TCDB1EC.tmp", "TCDB24C.tmp", "TCDB377.tmp", "TCDB388.tmp", "TCDB5DC.tmp", "TCDB699.tmp", "TCDB7F3.tmp", "TCDB8FF.tmp", "TCDB96E.tmp", "TCDBAF7.tmp", "TCDBB18.tmp", "TCDBCDF.tmp", "TCDBE29.tmp", "TCDBE4B.tmp", "TCDBF75.tmp", "TCDBFB6.tmp", "TCDC016.tmp", "TCDC047.tmp", "TCDC133.tmp", "TCDC1F0.tmp", "TCDC379.tmp", "TIM.exe", "TOTALCMD64.EXE", "Timwp.exe", "VBE", "WPDNSE", "WeChat.exe", "dd_vcredist_x86_20190507025919.log", "dd_vcredist_x86_20190507025919_000_vcRuntimeMinimum_x86.log", "dd_vcredist_x86_20190507025919_001_vcRuntimeAdditional_x86.log", "dd_vcredist_x86_20190507025958.log", "dd_vcredist_x86_20190507025958_001_vcRuntimeMinimum_x86.log", "dd_vcredist_x86_20190507025958_002_vcRuntimeAdditional_x86.log", "dd_vcredist_x86_20190507030029.log", "hsperfdata_Administrator", "jawshtml.html", "jusched.log", "main.exe", "navicat.exe", "outlook logging", "tmp0dgy8u", "wsa123.exe", "{1C306CB1-771E-4B4B-A902-86E897877F5B}.jpg", "~DF8644E64CA01A218F.TMP"],
  "DesktopFiles": ["DsGaLSzflu.docx", "desktop.ini", "kgnGFCzxsHo.ppt", "saDFoZCLTCK.pptx", "uNPPMKXOmp.pptx", "xaYfucvcptb.ppt"],
  "DiskInfos": [" free -328 MB avail -328 MB total -913 MB "]
}

3x0

Windows 7 SP1 Pro 32

{
  "Hostname": "WIN-3AI1DIQI7NN",
  "Username": "WIN-3AI1DIQI7NN\\Administrator",
  "Uid": "S-1-5-21-4209391066-2031757954-2950908010-500",
  "Gid": "S-1-5-21-4209391066-2031757954-2950908010-513",
  "Platform": "Microsoft Windows 7 Professional Service Pack 1",
  "PlatformFamily": "Standalone Workstation",
  "PlatformVersion": "6.1.7601 Build 7601",
  "Cpu": "1",
  "BootTime": "1658221348",
  "UpTime": "133",
  "Disk": "C: D: ",
  "Mac": ["本地连接 2 00:16:3e:eb:ca:65", "isatap.{ACF86E96-BF0F-433A-BE2B-29CE9110C5C6} 00:00:00:00:00:00:00:e0"],
  "Procs": "40",
  "Process": "[System Process] System smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe dwm.exe explorer.exe spoolsv.exe svchost.exe taskhost.exe liteagent.exe WmiPrvSE.exe svchost.exe svchost.exe SearchIndexer.exe wmpnetwk.exe svchost.exe taskhost.exe mobsync.exe WmiPrvSE.exe dllhost.exe mscorsvw.exe sppsvc.exe SearchProtocolHost.exe SearchFilterHost.exe 8frufytb_829929069.exe ",
  "TempFiles": ["28299290697e835af887eeffd55331f9", "ASPNETSetup_00000.log", "AUCHECK_PARSER.txt", "CVR1A53.tmp.cvr", "DMI7C7F.tmp", "DMI7CCE.tmp", "DMI7D7A.tmp", "FXSAPIDebugLogFile.txt", "IME2010imeklmg00000001.log", "IME2010imeklmg00000002.log", "IME2010imeklmg00000003.log", "JAUReg.log", "Kno6F74.tmp", "Kno7CFB.tmp", "Kno7D59.tmp", "Low", "Microsoft .NET Framework 4 Setup_20200721_203001434-MSI_netfx_Core_x86.msi.txt", "Microsoft .NET Framework 4 Setup_20200721_203001434-MSI_netfx_Extended_x86.msi.txt", "Microsoft .NET Framework 4 Setup_20200721_203001434.html", "Microsoft .NET Framework 4 Setup_4.0.30319", "Microsoft Visual C 2010 x86 Redistributable Setup_10.0.30319", "Microsoft Visual C 2010 x86 Redistributable Setup_20200716_172954925-MSI_vc_red.msi.txt", "Microsoft Visual C 2010 x86 Redistributable Setup_20200716_172954925.html", "OneNoteRuntimeCache", "OneNote_MigrationLog.txt", "RGI390F.tmp", "RGI390F.tmp-tmp", "Rar$EXa0.016", "Rar$EXa0.428", "Rar$EXa0.529", "Rar$EXa0.859", "Rar$EXa0.911", "Setup000002e0", "Setup00000dd0", "SetupExe(20200721191235F90).log", "SetupExe(20200721191520DCC).log", "SetupExe(202007211923372E0).log", "SetupExe(20200721193448BC8).log", "SetupExe(20200721193623DD0).log", "SetupExe(20200721193828F1C).log", "SetupExe(20200721194221B08).log", "SetupExe(20200721194303BC0).log", "Ultra$ISO", "UserInfoSetup(20200721193828F1C).log", "UserInfoSetup(20200721194221B08).log", "UserInfoSetup(20200721194303BC0).log", "VBE", "WPDNSE", "config.model.xml", "configModel.xml", "dd_SetupUtility.txt", "dd_dotnet_decompression_log.txt", "dd_vcredistMSI0508.txt", "dd_vcredistUI0508.txt", "dd_vcredist_x86_20200716173003.log", "dd_vcredist_x86_20200716173003_0_vcRuntimeMinimum_x86.log", "dd_vcredist_x86_20200716173003_1_vcRuntimeAdditional_x86.log", "dd_vcredist_x86_20200716173015.log", "dd_vcredist_x86_20200716173015_0_vcRuntimeMinimum_x86.log", "dd_vcredist_x86_20200716173015_1_vcRuntimeAdditional_x86.log", "dd_vcredist_x86_20200716173026.log", "dd_vcredist_x86_20200716173026_000_vcRuntimeMinimum_x86.log", "dd_vcredist_x86_20200716173026_001_vcRuntimeAdditional_x86.log", "dd_vcredist_x86_20200716173047.log", "dd_vcredist_x86_20200716173047_000_vcRuntimeMinimum_x86.log", "dd_vcredist_x86_20200716173047_001_vcRuntimeAdditional_x86.log", "dd_vcredist_x86_20200716173109.log", "dd_wcf_CA_smci_20200721_123142_475.txt", "hsperfdata_Administrator", "java_install.log", "java_install_reg.log", "jusched.log", "langs.model.xml", "langsModel.xml", "nppLocalization", "ose00000.exe", "outlook logging", "stylers.model.xml", "stylers_remove.xml", "stylesGlobalModel.xml", "stylesLexerModel.xml", "vKHzvAZ", "wmplog00.sqm", "wmplog01.sqm", "wmsetup.log", "xmlUpdater.exe", "~DF3E206C0835443121.TMP"],
  "DesktopFiles": ["Internet Explorer.lnk", "Microsoft Excel 2010.lnk", "Microsoft OneNote 2010.lnk", "Microsoft Outlook 2010.lnk", "Microsoft PowerPoint 2010.lnk", "Microsoft Word 2010.lnk", "My Document.doc", "My Document.docx", "My Document.ppt", "My Document.pptx", "My Document.rtf", "My Document.txt", "My Document.xls", "My Document.xlsx", "desktop.ini"],
  "DiskInfos": [" free 37 MB avail 37 MB total -51 MB ", " free -48 MB avail -48 MB total -1 MB "]
}

Hybrid Analysis

{
  "Hostname": "HAPUBWS-PC",
  "Username": "7vVtzvDKth\\DIXkeMT",
  "Uid": "S-1-5-21-2092356043-4041700817-663127204-1001",
  "Gid": "S-1-5-21-2092356043-4041700817-663127204-513",
  "Platform": "Microsoft Windows 7 Professional Service Pack 1",
  "PlatformFamily": "Standalone Workstation",
  "PlatformVersion": "6.1.7601 Build 7601",
  "Cpu": "2",
  "BootTime": "1657307906",
  "UpTime": "907360",
  "Disk": "C: Z: ",
  "Mac": ["Local Area Connection 62:58:52:95:75:56", "isatap.scl3.dc 00:00:00:00:00:00:00:e0"],
  "Procs": "39",
  "Process": "[System Process] System smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe lsass.exe lsm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe audiodg.exe svchost.exe spoolsv.exe svchost.exe taskhost.exe dwm.exe explorer.exe svchost.exe svchost.exe conhost.exe WmiPrvSE.exe OSPPSVC.EXE conhost.exe conhost.exe AutoIt3.exe AutoIt3.exe AutoIt3.exe AutoIt3.exe AutoIt3.exe AutoIt3.exe dllhost.exe main.exe mobsync.exe ",
  "TempFiles": ["10D5CC3F-71C4-40D7-8173-E990C25C1412.Diagnose.Admin.0.etl", "99F9947D-30DB-4640-92C7-6BB2A24B05F1.Diagnose.Admin.0.etl", "AA7D7BE8-CE8F-4570-A39C-1992F0466AAE.Diagnose.Admin.0.etl", "ASPNETSetup_00001.log", "ASPNETSetup_00002.log", "AdobeARM.log", "AdobeARM_NotLocked.log", "AdobeSFX.log", "Adobe_ADMLogs", "CVR640E.tmp.cvr", "CVR78E9.tmp.cvr", "CVRC166.tmp.cvr", "CVRE8FB.tmp.cvr", "FXSAPIDebugLogFile.txt", "HAPUBWS-PC-20171203-1827.log", "HAPUBWS-PC-20171203-1827a.log", "HAPUBWS-PC-20171203-1827b.log", "HAPUBWS-PC-20171204-1724.log", "HNCDownload", "HShow90", "HancomESD", "Hnc", "HncUpdate.txt", "Hwp80", "Hwp90", "JavaDeployReg.log", "Low", "Microsoft .NET Framework 4.7.1 Setup_20171203_174215874-MSI_netfx_Full_x86.msi.txt", "Microsoft .NET Framework 4.7.1 Setup_20171203_174215874.html", "Microsoft .NET Framework 4.8 Setup_20200214_151530609-MSI_netfx_Full_x86.msi.txt", "Microsoft .NET Framework 4.8 Setup_20200214_151530609.html", "NDFDiag.tmp", "PrinterSetup.log", "ProcessList.txt", "Python 3.6.3 (32-bit)_20171204192711.log", "Python 3.6.3 (32-bit)_20171204192711_000_core_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_001_dev_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_002_exe_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_003_lib_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_004_test_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_005_doc_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_006_tools_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_007_tcltk_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_008_launcher_AllUsers.log", "Python 3.6.3 (32-bit)_20171204192711_009_pip_JustForMe.log", "Python 3.6.3 (32-bit)_20171204192711_010_path_JustForMe.log", "RGI7358.tmp", "RGI7358.tmp-tmp", "RGIA802.tmp", "RGIA802.tmp-tmp", "Setup00000588", "Setup00000ab0", "Setup00000adc", "SetupExe(2017120417370864C).log", "SetupExe(20180717121800DF8).log", "SetupExe(20180717122451248).log", "SetupExe(201807171224585BC).log", "SetupExe(20180717122536ADC).log", "SetupExe(20180717123728CF4).log", "SetupExe(20190129154611C6C).log", "SetupExe(2019012916352912C).log", "SetupExe(20190129164246588).log", "SetupExe(20190129164731D68).log", "SetupExe(20210127110003AB0).log", "SetupExe(20210127110250AC4).log", "Silverlight0.log", "SilverlightMSI.log", "TCD7656.tmp", "TCD7657.tmp", "TCD7658.tmp", "TCD7659.tmp", "TCD765A.tmp", "TCD765B.tmp", "TCD765C.tmp", "TCD765D.tmp", "TCD767C.tmp", "TCD7687.tmp", "TCD769D.tmp", "TCD769F.tmp", "TCD76AB.tmp", "TCD76B7.tmp", "TCD76B9.tmp", "TCD76C5.tmp", "TCD76DB.tmp", "TCD76E7.tmp", "TCD76F3.tmp", "TCD76FF.tmp", "TCD770B.tmp", "TCD7717.tmp", "TCD7723.tmp", "TCD772F.tmp", "TCD773B.tmp", "TCD7747.tmp", "TCD7749.tmp", "TCD7755.tmp", "TCD7761.tmp", "TCD7763.tmp", "TCD776F.tmp", "TCD777B.tmp", "TCD777D.tmp", "TCD7789.tmp", "TCD7795.tmp", "TFRAE69.tmp", "UserInfoSetup(20180717121800DF8).log", "VBE", "VBoxGuestAdditions", "VirtualBox Dropped Files", "WPDNSE", "ccversion.tag", "chromesetup.msi", "dat17FA.tmp", "dat17FB.tmp", "dat2336.tmp", "dat4FD7.tmp", "dat4FF7.tmp", "dat5008.tmp", "dat558A.tmp", "dat558B.tmp", "dat558C.tmp", "dat680B.tmp", "dat681B.tmp", "dat681C.tmp", "dat71C3.tmp", "dat7824.tmp", "dat7825.tmp", "dat7836.tmp", "dat81B.tmp", "dat9021.tmp", "dat9022.tmp", "dat9355.tmp", "dat95C7.tmp", "dat9CFD.tmp", "datB64D.tmp", "datBB64.tmp", "datC673.tmp", "datC783.tmp", "datC794.tmp", "datC795.tmp", "datC796.tmp", "datCB0D.tmp", "datCB0E.tmp", "datCB0F.tmp", "datCB10.tmp", "datD4D6.tmp", "datDE99.tmp", "datDE9A.tmp", "datDEAB.tmp", "dd_NDP471-KB4033342-x86-x64-AllOS-ENU_decompression_log.txt", "dd_SetupUtility.txt", "dd_dotnet48_decompression_log.txt", "dd_vcredistMSI32CB.txt", "dd_vcredistUI32CB.txt", "dd_vcredist_x86_20171203174931.log", "dd_vcredist_x86_20171203174931_000_vcRuntimeMinimum_x86.log", "dd_vcredist_x86_20171203174931_001_vcRuntimeAdditional_x86.log", "dd_wcf_CA_smci_20171203_164234_020.txt", "dd_wcf_CA_smci_20200214_141755_312.txt", "hsperfdata_HAPUBWS", "jawshtml.html", "jusched.log", "lilo.1028", "mozilla-temp-files", "msdtadmin", "ose00000.exe", "outlook logging", "tmpaddon", "tmpaddon-9dca54", "vxaction.log", "{1C306CB1-771E-4B4B-A902-86E897877F5B}.jpg", "~DF0143E214B8C9E6AE.TMP", "~DF077413B5F655E35F.TMP", "~DF07B80DBE1CCF0C79.TMP", "~DF07FD0640D4EA82C9.TMP", "~DF08090ACC356DFC21.TMP", "~DF093490451CAE83AB.TMP", "~DF0ED01EC732FDAFA2.TMP", "~DF0EF0E18548EEA293.TMP", "~DF0F0F234644F49DE2.TMP", "~DF101308F7E81C54F4.TMP", "~DF116385E86BED55F5.TMP", "~DF1B5DF0D392F9E6C7.TMP", "~DF1F0DDC5F8B609DE8.TMP", "~DF271EE0B23449FD12.TMP", "~DF2771B7C2AFD95939.TMP", "~DF337C0FE6AA3638C9.TMP", "~DF3585DA09B06D7E6D.TMP", "~DF398875B6755A22D2.TMP", "~DF3998002D6736F250.TMP", "~DF3BF1549098C3A3EF.TMP", "~DF3CC3C2F6C7776C4B.TMP", "~DF3FDA0C963CDEAEE4.TMP", "~DF40B648C0F2208FD2.TMP", "~DF41FFA924ADD67CE9.TMP", "~DF441C00F9EB6EB3CD.TMP", "~DF49006E350003EDAC.TMP", "~DF4B7C162F8F1CD972.TMP", "~DF4EE8A3A5CC156CE0.TMP", "~DF57339DF37D21BCD5.TMP", "~DF592AE2FC335E9F76.TMP", "~DF5B01072A4E03E492.TMP", "~DF5F0721D3B42DE902.TMP", "~DF62BF266AE832DD48.TMP", "~DF636ACE35E31011D2.TMP", "~DF6441493643A1F3A5.TMP", "~DF666651D70D3DA7EE.TMP", "~DF683666592FDF2EB3.TMP", "~DF756849845F24A090.TMP", "~DF757013ED8B56164D.TMP", "~DF7637732D3A85F269.TMP", "~DF790314186277E4A2.TMP", "~DF7B7DE2DED068BC09.TMP", "~DF89A65B2040F30C8F.TMP", "~DF8D37FE8D880D3185.TMP", "~DF8F0345C6CD888054.TMP", "~DF9182A01DA4D935FB.TMP", "~DF95FD6AF88DCD1AFB.TMP", "~DFA8A2B36753303ED2.TMP", "~DFA9EA58B172B43D82.TMP", "~DFAA50C5778E3DE2B9.TMP", "~DFB0FC97C4D2D510EB.TMP", "~DFB3F2CC227B95F4E7.TMP", "~DFB99F8C31CBB44EE4.TMP", "~DFBC669D44D419653F.TMP", "~DFC2B5D92B6664FFF1.TMP", "~DFC6A6CC22E4ED1D84.TMP", "~DFC95AC5F598668FBA.TMP", "~DFCDD6CF39DA6E89FA.TMP", "~DFD526B1CA2A67FC42.TMP", "~DFD7D5A4DE136CCB0E.TMP", "~DFD9FDF3F6C945C7B5.TMP", "~DFDA7311B468259D69.TMP", "~DFE12EE24DED8F1C5B.TMP", "~DFE8A1E01BFAFF2921.TMP", "~DFEA5B20C0E8F490C2.TMP", "~DFF0D25BB8135B3015.TMP", "~DFF45532CAEBA50EC9.TMP", "~DFF83E0CB58F7C7DB8.TMP", "~DFF8D79AF7CFF50FF8.TMP", "~DFFC4CABF8DB22D782.TMP", "~DFFEB1D8F752EE02C2.TMP"],
  "DesktopFiles": ["desktop.ini"],
  "DiskInfos": [" free 888 MB avail 888 MB total 0 MB ", " free 888 MB avail 888 MB total 0 MB "]
}

Desktop features

Taking a screenshot of the desktop, some sandboxes look like this:
Sandbox 1: [desktop screenshot]
Sandbox 2: [desktop screenshot]

Feature extraction

From the records above, the sandboxes share roughly the following features:
1. A MAC of 00:00:00:00:00:00:00:e0 is present
2. Some have only a C: drive
3. Some report negative disk sizes

Summary

As this shows, most sandbox features are very obvious; all that is needed is to check for the extracted features in code.
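Seen from the other side, the same features are a checklist for whoever operates a sandbox. As an added example (not the article's collector or its author's code), the Python below reads one record in the format shown above and reports which fields would betray the analysis environment, so an operator can fix them before they are used as evasion triggers. The sample record, the uptime threshold and the artifact names beyond those the article mentions (vmtoolsd.exe, the ISATAP MAC, VBoxGuestAdditions) are assumptions.

```python
import json
import re
from typing import Dict

# Constructed sample record in the article's collector format (all values invented).
SAMPLE_RECORD = json.dumps({
    "Hostname": "DESKTOP-EXAMPLE",
    "Username": "DESKTOP-EXAMPLE\\Admin",
    "Platform": "Microsoft Windows 7 Ultimate Service Pack 1",
    "Cpu": "1",
    "UpTime": "96",
    "Disk": "C: ",
    "Mac": ["Local Area Connection 52:54:00:aa:bb:cc",
            "isatap.{00000000-0000-0000-0000-000000000000} 00:00:00:00:00:00:00:e0"],
    "Procs": "32",
    "Process": "[System Process] System smss.exe csrss.exe explorer.exe vmtoolsd.exe main.exe ",
    "TempFiles": ["gen_py", "log_de.log", "VBoxGuestAdditions"],
    "DesktopFiles": ["desktop.ini"],
    "DiskInfos": [" free -725 MB avail -725 MB total 494 MB "],
})

MIN_TEMP_FILES = 10        # the article's own "fewer than 10 temp files" rule
MIN_UPTIME_SECONDS = 600   # assumption: a VM booted seconds ago looks artificial
# Hypervisor tooling names that appear in the article's text or records.
VM_ARTIFACTS = ("vmtoolsd.exe", "vboxguestadditions", "virtualbox dropped files")
ISATAP_MAC = "00:00:00:00:00:00:00:e0"
DISK_RE = re.compile(r"free\s+(-?\d+)\s+MB\s+avail\s+(-?\d+)\s+MB\s+total\s+(-?\d+)\s+MB")


def audit_record(record_json: str) -> Dict[str, str]:
    """Return {finding: detail} for every artifact that gives the analysis VM away."""
    r = json.loads(record_json)
    findings: Dict[str, str] = {}

    # ISATAP tunnel pseudo-interface reported alongside real adapters.
    macs = [m for m in r.get("Mac", []) if m.endswith(ISATAP_MAC)]
    if macs:
        findings["isatap_mac"] = macs[0]

    # Only a single volume mounted.
    if r.get("Disk", "").split() == ["C:"]:
        findings["single_drive"] = "only C:"

    # Disk sizes that cannot be real: negative, zero total, or free larger than total.
    for info in r.get("DiskInfos", []):
        m = DISK_RE.search(info)
        if not m:
            continue
        free, avail, total = (int(v) for v in m.groups())
        if min(free, avail, total) < 0 or total == 0 or free > total:
            findings["inconsistent_disk_size"] = info.strip()
            break

    # Known hypervisor tooling in the process list or the temp directory.
    haystack = (r.get("Process", "") + " " + " ".join(r.get("TempFiles", []))).lower()
    hits = [a for a in VM_ARTIFACTS if a in haystack]
    if hits:
        findings["vm_artifacts"] = ", ".join(hits)

    # Sparse user environment: few temp files, bare desktop, fresh boot.
    temp_files = r.get("TempFiles", [])
    if len(temp_files) < MIN_TEMP_FILES:
        findings["few_temp_files"] = str(len(temp_files))
    if all(f.lower() == "desktop.ini" for f in r.get("DesktopFiles", [])):
        findings["empty_desktop"] = "only desktop.ini"
    if int(r.get("UpTime", "0")) < MIN_UPTIME_SECONDS:
        findings["short_uptime"] = r.get("UpTime", "0")

    return findings


if __name__ == "__main__":
    for name, detail in sorted(audit_record(SAMPLE_RECORD).items()):
        print(f"{name:24s} {detail}")
```

Run it over each record collected by the article's program to see which of the three extracted features, plus the sparse-environment signs, apply to a given sandbox.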

Recommended project

https://github.com/LordNoteworthy/al-khaser




http://www.chinasem.cn/article/357989
