
Basic Windows AV Bypass - Part 3 - Preparing the testing and development environments


Before starting, we need to set up two environments: one for testing and one for development. The static analysis stage will be tested with an online service that runs a file through 27 different AVs. The best-known such service is VirusTotal; however, VirusTotal shares uploaded samples with the AV vendors, so if the malware is detected in one of the tests, the sample is passed on to the vendors, a signature is registered, and it is automatically detected from then on. To avoid this, a service that does not share samples must be used. The selected service is called AntiScan, a paid service that claims not to share samples. It will be used as a way to gather information quickly, but the results should be interpreted carefully: there is no way of knowing how the service's testing environment is configured, so we cannot be sure the results are valid.

As a more accurate way of testing, we will use a virtual machine with Windows installed and without an internet connection. The internet connection is disabled to avoid Windows Defender uploading a sample of our trojan if it gets detected.

For more accurate testing you can test the trojan against other AVs, but for this explanation, we will only use Defender.

💡
You will need as many virtual machines as AVs you want to test. It is not a good idea to install more than one AV on the same machine, especially for testing purposes.

To avoid the trojan being sampled and uploaded while you are coding it, I recommend that you code it in a virtual machine with no active internet connection and with Windows Defender and sample submission disabled.

🔴
Bear in mind that if, for any reason, you drop the trojan outside of your virtual machines, it will get flagged by the Defender running on the local machine, sampled and uploaded, rendering your implementation useless.

The first step will be to create two virtual machines, one for testing and the other for development. We will use the most recent version of Windows 11 (as of September 2022). For the virtual machines, I used VMware.

I am not going to explain how to set up a VMware virtual machine; there are hundreds of tutorials about this on the internet.

Once we have two virtual machines with Windows 11 installed, we have to configure each environment.


Testing Environment

The only thing we have to do here is to disable the Automatic Sample Submission feature of Windows Defender and disable the internet connection for the virtual machine.

The process to follow to disable the Automatic Sample Submission is explained in the Development Environment section.

After setting up the testing environment, I recommend that you take a snapshot of the system. A snapshot records the exact state of the machine at a given time and lets you roll back to that state whenever you want. This allows us to test our trojan against a clean machine every time, which improves the validity of our results.


Development Environment

The development environment will require Visual Studio (the purple one, not VSCode). Once it is installed, you have to disable Windows Defender.

First, disable sample submission: Settings -> Privacy and Security -> Windows Security -> Virus and Threat Protection

In the window that opens, click Manage settings (under Virus & threat protection settings).

This will open a window where we should disable all the sliders:

  • Real-Time Protection: OFF

  • Cloud-delivered protection: OFF

  • Automatic sample submission: OFF

  • Tamper protection: OFF
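To confirm that a VM is actually in the state described above before a sample is dropped on it, here is an added PowerShell pre-flight check (example code, not from the original post). It only reads the Defender state through the built-in Get-MpPreference and Get-MpComputerStatus cmdlets and tests whether the VM can still reach the internet; it changes nothing. The 1.1.1.1 ping target and the check names are my own choices and assumptions.

```powershell
# Added example (not from the original post): pre-flight check for the lab VM.
# Run in an elevated PowerShell session inside the testing or development VM
# before touching the sample. Read-only: it reports state, it does not change it.
# Assumes the Defender module (Get-MpPreference / Get-MpComputerStatus) and
# Test-Connection, both shipped with Windows 10/11.

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# SubmitSamplesConsent: 0 = always prompt, 1 = send safe samples,
#                       2 = never send, 3 = send all samples. We want 2.
# MAPSReporting:        0 = disabled (cloud-delivered protection off),
#                       1 = basic, 2 = advanced. We want 0.
$checks = [ordered]@{
    'Automatic sample submission off' = ($pref.SubmitSamplesConsent -eq 2)
    'Cloud-delivered protection off'  = ($pref.MAPSReporting -eq 0)
    'Real-time protection off'        = (-not $status.RealTimeProtectionEnabled)
    'Tamper protection off'           = (-not $status.IsTamperProtected)
    # Isolation check: a single ping to a public resolver (assumed target) must fail.
    'No internet connectivity'        = (-not (Test-Connection -ComputerName 1.1.1.1 -Count 1 -Quiet))
}

$failed = @()
foreach ($name in $checks.Keys) {
    $ok   = $checks[$name]
    $mark = if ($ok) { 'OK  ' } else { 'FAIL' }
    Write-Host ("[{0}] {1}" -f $mark, $name)
    if (-not $ok) { $failed += $name }
}

if ($failed.Count -gt 0) {
    Write-Warning ("Lab VM is not isolated: {0}. Fix these before dropping the sample." -f ($failed -join ', '))
    exit 1
}
Write-Host 'Lab VM checks passed; safe to proceed.'
```

Tamper protection is checked last in the list but should be switched off first in the GUI: while it is on, Windows blocks changes to the other three settings, so a FAIL on that line usually explains FAILs on the others. Run the script again after every snapshot revert, since reverting restores whatever state the snapshot was taken in.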


💡
If something is vaguely explained or is complicated to understand, please post a comment and I will try to improve it.
💡
If you spot any mistakes, please feel free to post a comment and I will fix it as soon as possible.
