INTRODUCTION TO MALWARE ANALYSIS - Debugging

Why, in the Debugging Malware section, does it feel like my changes reset: when I make the changes and hit Run it still shows SandBox Detected?

I do all the changes but it still doesn’t work:
1 - We can change the comparison value of 0x1 to 0x0 .
2 - We can alter the instruction from je shell.402F09 to jne shell.402F09 .
3 - jne to jmp
4 - Set up a breakpoint on the last “SandBox Detected”

Am I missing something here? Stuck on the same thing for days.

I’m also encountering the same issue. I managed to get the pop from inet and the C2, but the notepad is not popping up.

Same here, trying to pop up notepad.exe now.

VirtualAllocEx , WriteProcessMemory , and CreateRemoteThread

I can help you two solve this. You have to patch it, save as an .exe through the file menu, then debug the new executable. You should see what you’re looking for in the new exe because the sandbox detection will be gone.


I did that but still nothing… going to try again today

To be clear: you have to follow the steps on the new exe still but when you do you’ll notice the sandbox is removed as intended. Sorry the author didn’t mention it.

VirtualAllocEx , WriteProcessMemory , and CreateRemoteThread: we have to set up a breakpoint on all 3, is it?

I know the WriteProcessMemory is where notepad.exe is called

Thanks, this led me in the right direction… still a lot of trial and error, having to reset the pawn a lot of times… it should be done precisely or else it will not work.

@jinn @bb0rges I’ve been struggling with this for hours. I was originally able to get rid of the sandbox message, but the INetSim was not working correctly. Once I got that working, now I cannot get rid of the sandbox message, and I’m not sure what I’m doing wrong. After I add the breakpoints and make those 3 changes it just doesn’t seem to behave correctly: when I hit Run it will almost immediately pause, then I have to hit Run 3 more times and the Sandbox message will come up. Would love a DM if someone thinks they can help.

I want to offer two observations which may help in the future:

  • x64dbg by default resets your opcode edits when you rerun the executable (probably due to ASLR since the walkthrough applies them during execution?). Maybe there is an option to prevent this reset, but your safest bet is patching.
  • INetSim DNS is broken on current Kali (PwnBox isn’t Kali, it works fine there). The perl DNS code has been rewritten and now doesn’t want to work properly after forking. You can confirm this by running ss -tuln after launching INetSim: port 53 will not be listed. INetSim will also display an alert when you attempt to run the DNS as a subprocess. I got it working on my Kali by overwriting my local /usr/share/perl5/Net/DNS (make a backup) with the version from the PwnBox.
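The advice in the thread (patch the check, save the result as a new .exe, then debug that) and the observation above that x64dbg drops in-memory opcode edits on restart both come down to the same thing: the three edits (compare immediate 1 to 0, je to jne, jne to jmp) have to land in the file on disk, not just in the debugged process. The script below is an added example, not part of this thread or the course material, showing how those edits look as byte patches. The section table, the image base and the sample instruction bytes are constructed for the demo and are not the course binary's; the mapping from a debugger virtual address to a file offset is the standard PE one (RVA minus section VirtualAddress plus PointerToRawData).

```python
import struct

# Opcode bytes from the Intel SDM. Short Jcc/JMP are opcode + rel8 (2 bytes);
# near Jcc is 0F 8x rel32 (6 bytes); near JMP is E9 rel32 (5 bytes).
SHORT_JE, SHORT_JNE, SHORT_JMP = 0x74, 0x75, 0xEB
NEAR_JE, NEAR_JNE = 0x84, 0x85
NEAR_JMP, NOP = 0xE9, 0x90


def va_to_file_offset(va, image_base, sections):
    """Map a virtual address shown by the debugger to the file offset to patch.
    `sections` is a list of (VirtualAddress, VirtualSize, PointerToRawData)
    tuples as found in the PE section table (values used here are constructed)."""
    rva = va - image_base
    for vaddr, vsize, raw in sections:
        if vaddr <= rva < vaddr + vsize:
            return rva - vaddr + raw
    raise ValueError(f"VA {va:#x} is not inside any section")


def jump_target(buf, off):
    """Offset the jump at `off` lands on, used to check that a patch kept it."""
    op = buf[off]
    if op in (SHORT_JE, SHORT_JNE, SHORT_JMP):
        return off + 2 + struct.unpack_from("<b", buf, off + 1)[0]
    if op == 0x0F and buf[off + 1] in (NEAR_JE, NEAR_JNE):
        return off + 6 + struct.unpack_from("<i", buf, off + 2)[0]
    if op == NEAR_JMP:
        return off + 5 + struct.unpack_from("<i", buf, off + 1)[0]
    raise ValueError(f"no recognised jump at {off:#x}")


def patch_jump(buf, off, mode):
    """Rewrite the jump at `off` in place, keeping its target.
    'invert' swaps je<->jne (the step-2 patch); 'always' makes it an
    unconditional jmp (the step-3 patch)."""
    if mode not in ("invert", "always"):
        raise ValueError(mode)
    target = jump_target(buf, off)
    op = buf[off]
    if op in (SHORT_JE, SHORT_JNE):
        if mode == "invert":
            buf[off] = SHORT_JNE if op == SHORT_JE else SHORT_JE
        else:
            buf[off] = SHORT_JMP        # same length, so rel8 stays valid
    elif op == 0x0F and buf[off + 1] in (NEAR_JE, NEAR_JNE):
        if mode == "invert":
            buf[off + 1] = NEAR_JNE if buf[off + 1] == NEAR_JE else NEAR_JE
        else:
            # E9 rel32 is one byte shorter than 0F 8x rel32: recompute the
            # displacement from the new next-instruction address and fill the
            # leftover byte with NOP so the following code is not shifted.
            buf[off] = NEAR_JMP
            struct.pack_into("<i", buf, off + 1, target - (off + 5))
            buf[off + 5] = NOP
    else:
        raise ValueError(f"jump at {off:#x} is already unconditional")
    assert jump_target(buf, off) == target
    return buf


def patch_cmp_imm8(buf, off, new_imm):
    """Change the immediate of `cmp byte ptr [disp32], imm8` (80 3D disp32 ib,
    7 bytes) or `cmp al, imm8` (3C ib, 2 bytes) at `off` (the step-1 patch)."""
    if buf[off] == 0x80 and buf[off + 1] == 0x3D:
        buf[off + 6] = new_imm & 0xFF
    elif buf[off] == 0x3C:
        buf[off + 1] = new_imm & 0xFF
    else:
        raise ValueError(f"no recognised cmp r/m8, imm8 at {off:#x}")
    return buf


def patch_file(src, dst, edits):
    """Apply (file_offset, kind, arg) edits to a copy of `src` and write it to
    `dst`: the on-disk equivalent of 'patch, save as a new .exe, debug that'.
    kind is 'cmp' (arg = new immediate), 'invert' or 'always'."""
    with open(src, "rb") as f:
        buf = bytearray(f.read())
    for off, kind, arg in edits:
        if kind == "cmp":
            patch_cmp_imm8(buf, off, arg)
        else:
            patch_jump(buf, off, kind)
    with open(dst, "wb") as f:
        f.write(buf)
    return bytes(buf)


# Constructed stand-in for the check (not the course binary's bytes):
#   0x00  80 3D 10 00 00 00 01    cmp byte ptr [disp32], 1
#   0x07  74 05                   je  short +5    -> 0x0E
#   0x09  0F 84 0A 00 00 00       je  near  +0xA  -> 0x19
SAMPLE = bytes.fromhex("803d1000000001" "7405" "0f840a000000") + bytes(16)


def demo():
    """Apply the three thread patches to the constructed sample."""
    buf = bytearray(SAMPLE)
    patch_cmp_imm8(buf, 0x00, 0)        # step 1: compare against 0, not 1
    patch_jump(buf, 0x07, "invert")     # step 2: je -> jne
    patch_jump(buf, 0x09, "always")     # step 3: near je -> jmp (+ NOP)
    return bytes(buf)


if __name__ == "__main__":
    print(demo().hex())
```

The offsets x64dbg shows are virtual addresses of the running image, so they are translated with va_to_file_offset before patching the file; the jump helpers verify after each edit that the branch still lands where it did, which catches the off-by-one that turning a 6-byte near je into a 5-byte jmp introduces if the displacement is left untouched.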