sandbox detect & evade

From ema
Jump to navigation Jump to search
EMA ID: ema-1233
Description: Detects whether the malware instance is being executed inside of an instrumented sandbox environment (e.g., Cuckoo Sandbox). If so, conditional execution selects for benign execution path.


  • Injected DLL Testing: Testing for the name of a particular DLL that is known to be injected by a sandbox for API hooking is a common way of detecting sandbox environments. This can be achieved through the kernel32!GetModuleHandle API call and other means.
  • Product Key/ID Testing: Checking for a particular product key/ID associated with a sandbox environment (commonly associated with the Windows host OS used in the environment) can be used to detect whether a malware instance is being executed in a particular sandbox. This can be achieved through several means, including testing for the Key/ID in the Windows registry.
  • Screen Resolution Testing: Sandboxes aren't used in the same manner as a typical user environment, so most of the time the screen resolution stays at the minimum 800x600 or lower. No one is actually working on a such small screen. Malware could potentially detect the screen resolution to determine if it's a user machine or a sandbox.
  • Human User Check: Detects whether there is any "user" activity on the machine, such as the movement of the mouse cursor, non-default wallpaper, or recently opened Office files. If there is no human activity, the machine is suspected to be a virtualized machine and/or sandbox.
  • Check Machine Name: Some sandboxes use a name like Sandbox, Maltest, Malware, malsand, ClonePC.
  • Monitoring Thread: Spawn a monitoring thread to detect tampering, breakpoints, etc.
  • Timing/Delay Checks: Comparing time between two points to detect "unusual" execution, such as the (relative) massive delays introduced by sandbox debugging.
  • Timing/Uptime Check: Comparing single GetTickCount with some value to see if system has been started at least X amount ago.
  • Hooked Function: To avoid some actions on the system by the malware like deleted a file. Cuckoo will hook some function and performs another action instead of the original one. For example the function DeleteFileW could be hooked to avoid file deletion.
  • Find Agent: Cuckoo uses a python agent to interact with the host guest. By listing the process and finding python.exe or pythonw.exe or by looking for an in the system, a malware can detect Cuckoo.
Associated Attributes: Anti-Behavioral Analysis: targeted sandbox, Common: applicable platform, Common: technique
Associated Capabilities/Subcapabilities: Capability.png Anti-Behavioral Analysis