Sandbox Evasion


Techniques Description

Sandboxing is one of the most useful security solutions; however, best practices are not always followed, and malware can easily detect the sandbox environment. Sandboxes are often misconfigured. With simple tricks such as hostname, MAC address or process detection, malware can identify the environment.

Sandbox evasion capabilities allow malware to stay undetected during sandbox analysis.


Below is a list of all the sandbox evasion techniques in Unprotect Project:

Anti-Sandbox Techniques
Techniques Description
VMware artifacts
  Checking for memory artifacts: VMware leaves many artifacts in memory. Some are critical processor structures which, because they are either moved or changed on a virtual machine, leave recognisable footprints. Malware can search through physical memory for the string VMware, a common way to detect memory artifacts.
  MAC address detection: VMware uses specific virtual MAC addresses that malware can detect. These addresses usually start with one of the following prefixes: "00:0C:29", "00:1C:14", "00:50:56", "00:05:69".
  Registry keys: The VMware installation directory C:\Program Files\VMware\VMware Tools may also contain artifacts, as can the registry. A search for VMware in the registry might find keys that include information about the virtual hard drive, adapters, and virtual mouse.
  Checking process: VMware Tools uses processes such as VMwareService.exe or VMwareTray.exe to perform actions in the virtual environment. Malware can list the running processes and search for the VMware string.
  Checking files: VMware creates some files on the system. Malware can check the various folders to find VMware artifacts.
  Running services: VMwareService.exe runs the VMware Tools Service as a child of services.exe. It can be identified by listing services.
  Querying the I/O Communication Port: VMware uses virtual I/O ports for communication between the virtual machine and the host operating system to support functionality such as copy and paste between the two systems. The port can be queried and compared with the magic number VMXh to identify the use of VMware.

Virtualbox artifacts
  MAC address detection: Virtualbox uses specific virtual MAC addresses that malware can detect. These addresses usually start with the following prefix: 08:00:27.
  Registry keys: The Virtualbox Guest Additions leave many artifacts in the registry. A search for VBOX in the registry might find some keys.
  Checking process: Malware can detect processes related to Virtualbox by querying the process list.
  Checking files: Virtualbox creates some files on the system. Malware can check the various folders to find Virtualbox artifacts such as VBoxMouse.sys.

Qemu detection
  Registry keys: Qemu registers some artifacts in the registry. Malware can detect a Qemu installation by looking at the registry key HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 with the value Identifier and the data QEMU, or HARDWARE\Description\System with the value SystemBiosVersion and the data QEMU.
  CPU: When an operating system is virtualized, the CPU is relocated. That allows malware to detect the virtual environment.

Cuckoo detection
  Folder: A special path such as C:\Cuckoo can be used on the guest system. Malware could detect this folder to evade the sandbox.
  Hooked function: To prevent malware from performing some actions on the system, such as deleting a file, Cuckoo hooks some functions and performs another action instead of the original one. For example, the function DeleteFileW could be hooked to avoid file deletion.
  Pipe: Cuckoo uses a pipe, \\.\pipe\cuckoo, for communication between the host system and the guest system. Malware can check for this pipe to detect the virtual environment.
  Agent: Cuckoo uses a Python agent to interact with the host guest. By listing the processes and finding python.exe or pythonw.exe, or by looking for an in the system, malware can detect Cuckoo.

Anti-VM x86 Instruction
  SIDT / Red Pill: Red Pill is an anti-VM technique that executes the SIDT instruction to grab the value of the IDTR register. The virtual machine monitor must relocate the guest's IDTR to avoid conflict with the host's IDTR. Since the virtual machine monitor is not notified when the virtual machine runs the SIDT instruction, the IDTR for the virtual machine is returned.
  SGDT / No Pill: The No Pill technique relies on the fact that the LDT structure is assigned to a processor, not an operating system. The LDT location on a host machine will be zero and on a virtual machine will be non-zero.
  SLDT / No Pill
  CPUID: Checking the CPU ID found within the registry can provide information about what kind of system is running.

Onset delay: Malware will delay execution to avoid analysis of the sample. For example, a ping can be performed for a defined period of time. Unlike extended sleep, which uses the Sleep function, onset delay uses another way to delay execution.
Stalling code: This technique is used for delaying execution of the real malicious code. Stalling code is typically executed before any malicious behavior. The attacker's aim is to delay the execution of the malicious activity long enough so that an automated dynamic analysis system fails to extract the interesting malicious behavior.
Extended sleep code: Most sandboxes have a defined time for the analysis. Malware will call a Sleep function with a long duration to avoid analysis by the sandbox.
User interaction: Some sandboxes have no mouse movement or fun wallpaper; malware can detect whether there is any activity in the sandbox.
Office RecentFiles: Another way to detect whether the malware is running on a real user machine is to check whether any Office files were recently opened.
Screen resolution: Sandboxes are not used as a normal user environment, so most of the time the screen resolution stays at the minimum, 800x600 or lower. No one actually works on such a small screen. Malware could potentially detect the screen resolution to determine whether it is a user machine or a sandbox.
Installed software: By determining which software is installed, the sandbox can be detected (e.g. Python, Tracer, Debugging Tools, VMware Tools...).
Memory size: Most modern user machines have at least 4 GB of memory. Machines with less memory can be detected as a sandbox.
Drive size: Few user machines use a drive smaller than 80 GB; by requesting the drive size, malware can identify a virtual environment.
Hostname: Most sandboxes use names like Sandbox, Maltest, Malware, malsand, ClonePC.... All these hostnames can give the information to the malware.
USB drive: Another way to determine whether it is a sandbox is to detect a potential USB drive.
Printer: Another way to determine whether it is a sandbox is to detect a potential connected printer or identify the default Windows printers, Adobe, Onenote.
Processor: Malware can check the number of processors to detect whether it is a sandbox.
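
As an added example (not part of the Unprotect Project page), a sandbox operator can audit a guest image against the giveaways in the table above before using it for analysis. The profile dictionary layout, the function names and the two sample guests are assumptions constructed for this illustration; the MAC prefixes, hostnames, process names, paths and size thresholds are the ones listed on this page.

```python
# Added example: audit a sandbox guest profile for the giveaways listed on this page.
# The profile layout and the function names are assumptions made for this illustration.
VM_MAC_PREFIXES = {"00:0C:29": "VMware", "00:1C:14": "VMware", "00:50:56": "VMware",
                   "00:05:69": "VMware", "08:00:27": "Virtualbox"}
SANDBOX_HOSTNAMES = ("sandbox", "maltest", "malware", "malsand", "clonepc")
AGENT_PROCESSES = ("python.exe", "pythonw.exe")
ARTIFACT_PATHS = ("c:\\cuckoo", "c:\\program files\\vmware\\vmware tools", "vboxmouse.sys")
MIN_RAM_GB, MIN_DISK_GB = 4, 80

def normalize_mac(mac):
    """Return AA:BB:CC:DD:EE:FF for dash-, colon- or undelimited input."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))

def audit_guest(profile):
    """Return (check, detail) pairs for every giveaway found in the profile."""
    findings = []
    for mac in profile.get("macs", []):
        vendor = VM_MAC_PREFIXES.get(normalize_mac(mac)[:8])
        if vendor:
            findings.append(("mac", f"{mac} has a {vendor} prefix"))
    host = profile.get("hostname", "").lower()
    if any(name in host for name in SANDBOX_HOSTNAMES):
        findings.append(("hostname", profile["hostname"]))
    for proc in profile.get("processes", []):
        if "vmware" in proc.lower() or proc.lower() in AGENT_PROCESSES:
            findings.append(("process", proc))
    for path in profile.get("paths", []):
        if any(artifact in path.lower() for artifact in ARTIFACT_PATHS):
            findings.append(("file", path))
    if profile.get("ram_gb", MIN_RAM_GB) < MIN_RAM_GB:
        findings.append(("memory", f"{profile['ram_gb']} GB is below {MIN_RAM_GB} GB"))
    if profile.get("disk_gb", MIN_DISK_GB) < MIN_DISK_GB:
        findings.append(("drive", f"{profile['disk_gb']} GB is below {MIN_DISK_GB} GB"))
    width, height = profile.get("screen", (1920, 1080))
    if width <= 800 and height <= 600:
        findings.append(("screen", f"{width}x{height}"))
    return findings

# Constructed sample profiles (not taken from any real sandbox).
WEAK_GUEST = {"hostname": "MALTEST-01", "macs": ["00-0c-29-3e-11-a2"], "ram_gb": 2,
              "disk_gb": 40, "screen": (800, 600),
              "processes": ["explorer.exe", "VMwareTray.exe", "pythonw.exe"],
              "paths": ["C:\\Cuckoo", "C:\\Windows\\System32\\drivers\\VBoxMouse.sys"]}
HARDENED_GUEST = {"hostname": "FIN-LT-0231", "macs": ["3C:52:82:10:9A:7F"], "ram_gb": 8,
                  "disk_gb": 256, "screen": (1920, 1080),
                  "processes": ["explorer.exe", "outlook.exe"], "paths": ["C:\\Users\\jsmith"]}

if __name__ == "__main__":
    print(*audit_guest(WEAK_GUEST), sep="\n")
```

Every finding returned for a guest is something to change in the image (MAC address, hostname, resources, leftover tooling) before samples are run in it.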

