sandbox prevention

EMA ID: ema-1027
Description: Defeats or prevents the execution of the malware instance in a sandbox environment.


  • Deposited Keys: Parts of the code and/or data are encrypted or otherwise rely on data external to the file itself. For example, malware that contains code that is encrypted with a key that is downloaded from a server; malware that only runs if certain other software is installed on the system; or malware that reads certain attributes of the system (BIOS version string, hostname, etc.) and then encrypts portions of its code or data using those attributes as input, thus preventing itself from being run on a different system (e.g., sandbox, emulator, etc.).
  • Secure Triggers: Code and/or data is encrypted until the underlying system satisfies a preselected condition unknown to the analyst (this is a form of Deposited Keys).
  • Hook Interrupt: Modification of the interrupt vector or descriptor tables.
  • Hook File System: Takes some action when a particular file or directory is accessed, often by hooking certain API calls such as CreateFileA and CreateFileW.
  • Demo Mode: Inclusion of a demo binary or mode that is executed when a token is absent or insufficiently privileged.
  • Drop Code: The original file is written to disk and then executed. This may confuse some sandboxes, especially if the dropped executable must be provided specific arguments and the original dropper is not associated with the dropped file(s).

Associated Capabilities/Subcapabilities: Anti-Behavioral Analysis
