Contributor
Jan Gruber

Extending DRAKVUF by an I/O-emulation module in order to camouflage its sandbox nature


Mentors
M. Leszczyński (CERT.PL), A. Kliś (CERT.PL)
Organization
The Honeynet Project

To be a reliable black-box malware analysis system, DRAKVUF has to mitigate the observer effect, which can be accomplished by defeating anti-VM techniques. One way for malware to decide whether it is running in a sandbox is to query the I/O ports of the HID devices (mouse, keyboard) for signs of a human interacting with the system: an analysis VM in which nobody moves the mouse or types gives itself away. DRAKVUF's engine currently provides no I/O emulation, although it is needed to further camouflage its sandbox nature. Therefore an I/O-emulation module should be built that simulates a human user sitting in front of the screen and tricks the malware into showing its malicious behavior.
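As an added illustration (not DRAKVUF code and not the module this project proposes), the Python below models the kind of user-presence check sandbox-aware malware performs and runs it against three cursor traces: an idle sandbox, a crude scripted emulation, and an emulation with human-like irregularity. The cursor readings are constructed inline; on Windows a real sample would obtain them by polling GetCursorPos or GetLastInputInfo, which this model does not touch. The thresholds (five moves, 10% coefficient of variation) are assumptions chosen for the example. The caveat it demonstrates is that the emulated input must itself be plausible: perfectly periodic, fixed-length movement is as recognisable as a cursor that never moves.

```python
"""Model of a user-presence anti-VM check and of cursor emulation that does,
or does not, pass it. Illustration only: not DRAKVUF code, not the proposed
module. Thresholds are assumptions chosen for the example."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class CursorSample:
    t_ms: int  # time the reading was taken, in milliseconds
    x: int
    y: int


def _cv(values):
    """Coefficient of variation: 0 for a perfectly regular series."""
    m = statistics.mean(values)
    return statistics.pstdev(values) / m if m else 0.0


def looks_like_human(samples, min_moves=5, regularity=0.1):
    """Decision a sandbox-aware sample could make from a series of cursor
    readings (on Windows it would poll GetCursorPos; here the readings are
    passed in). Two tells for an unattended VM:
      1. the cursor never (or hardly ever) moves;
      2. every move has the same length and spacing, i.e. scripted input.
    Returns True only when neither tell is present."""
    dists, gaps = [], []
    for a, b in zip(samples, samples[1:]):
        d = math.hypot(b.x - a.x, b.y - a.y)
        if d > 0:
            dists.append(d)
            gaps.append(b.t_ms - a.t_ms)
    if len(dists) < min_moves:
        return False                      # tell 1: nobody is moving the mouse
    if _cv(dists) < regularity and _cv(gaps) < regularity:
        return False                      # tell 2: metronomic, scripted moves
    return True


def idle_sandbox(n, every_ms=200):
    """Constructed readings from a sandbox with no input emulation: cursor parked."""
    return [CursorSample(i * every_ms, 512, 384) for i in range(n)]


def naive_emulation(n, every_ms=200, step=10):
    """Constructed crude emulation: fixed distance, fixed interval. Beats tell 1 only."""
    return [CursorSample(i * every_ms, 100 + i * step, 100) for i in range(n)]


def humanlike_emulation(n, seed=1, width=1024, height=768):
    """Constructed emulation with irregular timing, variable step lengths and
    occasional rests: the kind of trace a user-simulation module has to produce."""
    rng = random.Random(seed)             # seeded so the trace is reproducible
    t, x, y = 0, width // 2, height // 2
    out = [CursorSample(t, x, y)]
    for _ in range(n - 1):
        t += rng.randint(30, 400)         # irregular gaps between readings
        if rng.random() < 0.2:            # the hand rests for a moment
            out.append(CursorSample(t, x, y))
            continue
        ang = rng.uniform(0, 2 * math.pi)
        dist = rng.uniform(2, 40)
        x = max(0, min(width - 1, int(x + dist * math.cos(ang))))
        y = max(0, min(height - 1, int(y + dist * math.sin(ang))))
        out.append(CursorSample(t, x, y))
    return out


if __name__ == "__main__":
    for name, trace in [("idle sandbox", idle_sandbox(20)),
                        ("naive emulation", naive_emulation(20)),
                        ("human-like emulation", humanlike_emulation(40))]:
        print(f"{name:22s} -> human present: {looks_like_human(trace)}")
```

Only the third trace passes: the parked cursor fails on the first tell, the fixed-step emulation on the second. A real module would drive the guest's virtual mouse and keyboard with the same irregularity (jittered timing, variable distances, pauses) rather than replaying a fixed script.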