You can use tools like AutoIt or PowerShell to simulate user activity such as mouse movements, clicks, and keyboard inputs. You can script mouse movements and clicks at random intervals. These won't make your VM indistinguishable from a physical machine, but they can help mask it from some types of malware. Nested virtualization can be another solution for you; it is the process of running a virtual machine inside another virtual machine. Some malware might not be able to detect that it's running in a VM if the VM is itself running inside another VM. Note, though, that not all systems support nested virtualization, and it can be resource-intensive.
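A PowerShell script for the user-activity simulation suggested in the answer above, as an added example that is not part of the original answer: it glides the pointer around the screen and sends single and double clicks at random intervals. It assumes an interactive desktop session on the VM and Windows PowerShell 5.1; the Win32.Mouse wrapper and the function names are this example's own.

```powershell
# Added example (not from the original answer): keep an analysis VM
# busy with human-like pointer activity so checks for missing mouse
# movement, clicks and double clicks see a live user. Assumes an
# interactive desktop session and Windows PowerShell 5.1 on the VM.
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing
Add-Type -Namespace Win32 -Name Mouse -MemberDefinition @'
[DllImport("user32.dll")]
public static extern void mouse_event(uint dwFlags, uint dx, uint dy, uint dwData, System.UIntPtr dwExtraInfo);
'@
$MOUSEEVENTF_LEFTDOWN = 0x0002
$MOUSEEVENTF_LEFTUP   = 0x0004

function Move-PointerSmoothly {
    # Glide the cursor to a random point in small steps, so a check that
    # samples the position twice a few seconds apart sees a change.
    $screen = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds
    $from   = [System.Windows.Forms.Cursor]::Position
    $toX    = Get-Random -Minimum 50 -Maximum ($screen.Width - 50)
    $toY    = Get-Random -Minimum 50 -Maximum ($screen.Height - 50)
    $steps  = Get-Random -Minimum 20 -Maximum 60
    for ($i = 1; $i -le $steps; $i++) {
        $x = [int]($from.X + ($toX - $from.X) * $i / $steps)
        $y = [int]($from.Y + ($toY - $from.Y) * $i / $steps)
        [System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point($x, $y)
        Start-Sleep -Milliseconds (Get-Random -Minimum 5 -Maximum 25)
    }
}

function Send-LeftClick {
    # Press and release with a short, jittered hold time like a real click.
    [Win32.Mouse]::mouse_event($MOUSEEVENTF_LEFTDOWN, 0, 0, 0, [UIntPtr]::Zero)
    Start-Sleep -Milliseconds (Get-Random -Minimum 40 -Maximum 120)
    [Win32.Mouse]::mouse_event($MOUSEEVENTF_LEFTUP, 0, 0, 0, [UIntPtr]::Zero)
}

function Send-DoubleClick {
    # Two clicks inside the system double-click interval register as one double click.
    Send-LeftClick
    Start-Sleep -Milliseconds 80
    Send-LeftClick
}

# Main loop: act at irregular intervals rather than on a fixed timer.
while ($true) {
    Move-PointerSmoothly
    $roll = Get-Random -Minimum 0 -Maximum 100
    if ($roll -lt 20) { Send-DoubleClick } elseif ($roll -lt 60) { Send-LeftClick }
    Start-Sleep -Seconds (Get-Random -Minimum 2 -Maximum 15)
}
```

Clicks land wherever the pointer is, so run it on a disposable analysis VM with an empty desktop. It does nothing for the cpuid and rdtsc checks in the Pafish output, which a user-mode script cannot influence.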
How to hide Azure Windows 10 sandbox instance from malware.
Hello,
I want my Azure Windows 10 sandbox to act more like a host, not a guest, as some malware is able to detect virtual environments.
To check how the sandbox might look to malware, and then where to look for optimization, I used a tool called Pafish created by Alberto Ortega and others.
https://github.com/a0rtega/pafish
"The goal of this project is to collect techniques commonly observed in malware samples to evade analysis systems. This allows analysts to study them and test whether the analysis environments are properly implemented"
While analyzing the output of the pafish file, I saw that there are a few possibilities for the malware to detect the virtual environment. I'm interested in making the instance more like a host.
The output of the pafish binary looks like this:
[*] Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit ... traced!
[*] Checking hypervisor bit in cpuid feature bits ... traced!
[*] Checking cpuid hypervisor vendor for known VM vendors ... traced!
[*] Checking mouse click activity ... traced!
[*] Checking mouse double click activity ... traced!
[*] Checking dialog confirmation ... traced!
[*] Checking plausible dialog confirmation ... traced!
[pafish] CPU VM traced by checking the difference between CPU timestamp counters (rdtsc) forcing VM exit
[pafish] CPU VM traced by checking hypervisor bit in cpuid feature bits
[pafish] CPU VM traced by checking cpuid hypervisor vendor for known VM vendors
[pafish] Sandbox traced by missing mouse click activity
[pafish] Sandbox traced by missing double click activity
[pafish] Sandbox traced by missing dialog confirmation
[pafish] Sandbox traced by missing or implausible dialog confirmation
[pafish] End
How can I optimize my Azure Windows 10 sandbox instance based on the given information?