sandbox obstruction

From ema
EMA ID: ema-1235
Description: The 'sandbox obstruction' Behavior impedes sandbox analysis.


  • Delay Execution - Stalling code is typically executed before any malicious behavior. The attacker’s aim is to delay the execution of the malicious activity long enough so that an automated dynamic analysis system fails to extract the interesting malicious behavior.
    • Timing/Date Checks: Calling GetSystemTime or an equivalent API and only executing code if the current date/hour/minute/second passes some check. Often this is for running only after, or only until, a specific date.
  • Overloading - overloads a sandbox (e.g., by generating a flood of meaningless behavioral data).
  • Check Host Fingerprint: Compares a previously computed host fingerprint (e.g., based on installed applications) to the current system's fingerprint to determine if the malware instance is still executing on the same system. If not, execution stops, making debugging or sandbox analysis more difficult.
  • GetVolumeInformation: This Windows API call is used to get the GUID of a system drive. Malware compares it to a previous (targeted) GUID value and only executes maliciously if they match.
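From the sandbox side, the behaviors above leave recognizable traces in an API-call log: long cumulative Sleep requests, a time or volume query followed by process exit with no real activity in between, or a flood of calls in a short window. The following is an added detection example, not part of the EMA page; the trace format (`t=<seconds> <Api>(<args>)`), the sample trace lines and the thresholds are constructed assumptions, and the API names are the Windows calls named in the entry plus a few common equivalents.

```python
import re

# Constructed sandbox trace (hypothetical format: "t=<seconds> <Api>(<args>)").
# It shows a timing check, two long sleeps, a volume-GUID query, then exit
# without any file/registry/network activity.
SAMPLE_TRACE = """\
t=0.010 GetSystemTime()
t=0.011 Sleep(90000)
t=0.012 Sleep(90000)
t=0.013 GetVolumeInformationW(C:\\)
t=0.014 ExitProcess(0)
"""

LINE_RE = re.compile(r"^t=(?P<t>[0-9.]+)\s+(?P<api>\w+)\((?P<args>.*)\)$")

TIME_APIS = {"GetSystemTime", "GetLocalTime", "GetSystemTimeAsFileTime", "NtQuerySystemTime"}
SLEEP_APIS = {"Sleep", "SleepEx"}  # first argument is a millisecond count
VOLUME_APIS = {"GetVolumeInformationA", "GetVolumeInformationW"}
EXIT_APIS = {"ExitProcess", "TerminateProcess", "NtTerminateProcess"}
# Calls we treat as "real work"; a check followed by exit with none of these is suspicious.
WORK_PREFIXES = ("CreateFile", "WriteFile", "RegSetValue", "InternetOpen",
                 "connect", "send", "CreateProcess")


def parse_trace(text):
    """Parse trace lines into (timestamp, api, args) tuples; unparseable lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append((float(m["t"]), m["api"], m["args"]))
    return calls


def analyze(calls, sleep_threshold_ms=120_000, flood_calls=1000, flood_window_s=1.0):
    """Return a sorted list of sandbox-obstruction indicators found in the trace."""
    findings = set()

    # Delay Execution: cumulative requested sleep time above the threshold.
    total_sleep_ms = 0
    for _, api, args in calls:
        if api in SLEEP_APIS:
            try:
                total_sleep_ms += int(args.split(",")[0])
            except ValueError:
                pass  # non-numeric argument in the trace; ignore it
    if total_sleep_ms >= sleep_threshold_ms:
        findings.add("delay_execution")

    # Check-then-exit: a time or volume query, then process exit with no work done.
    exit_idx = next((i for i, (_, api, _) in enumerate(calls) if api in EXIT_APIS), None)
    if exit_idx is not None:
        before_exit = [api for _, api, _ in calls[:exit_idx]]
        did_work = any(api.startswith(WORK_PREFIXES) for api in before_exit)
        if not did_work:
            if any(api in TIME_APIS for api in before_exit):
                findings.add("timing_check_then_exit")
            if any(api in VOLUME_APIS for api in before_exit):
                findings.add("volume_guid_check_then_exit")

    # Overloading: at least flood_calls calls inside any flood_window_s-wide window.
    j = 0
    for i, (t_i, _, _) in enumerate(calls):
        while calls[j][0] < t_i - flood_window_s:
            j += 1
        if i - j + 1 >= flood_calls:
            findings.add("overloading")
            break

    return sorted(findings)


if __name__ == "__main__":
    for indicator in analyze(parse_trace(SAMPLE_TRACE)):
        print("indicator:", indicator)
```

The thresholds are deliberately loose defaults; a real sandbox would tune them against its own run length and baseline call rates, and would also count time-check APIs reached through their native (Nt*) forms rather than only the documented Win32 names.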
Associated Attributes: Anti-Behavioral Analysis: targeted sandbox
Associated Capabilities/Subcapabilities: Anti-Behavioral Analysis
