Attacking the sandbox Techniques and countermeasures

Explore the cat-and-mouse game between malware and sandboxes in Chapter 6, diving into advanced evasion techniques and countermeasures.

The cat-and-mouse game between threat actors and security professionals intensifies with each passing day. Malware authors are becoming increasingly adept at evading detection and analysis, and one of their primary battlegrounds is the sandbox. This chapter explores the sophisticated techniques used by threat actors to attack sandboxes and how robust sandbox technologies can withstand these assaults.

Blinding the Monitor

Hook Removal / Circumvention

One of the fundamental methods employed by malware to evade sandboxes is hook removal or circumvention. Hooks are mechanisms that monitor and intercept API calls and other activities within an application. Malware can attempt to subvert these hooks in two ways:

Removal: Malware can restore the original instructions or data, effectively removing the hook.

Circumvention: Instead of making API calls that are monitored and hooked, malware can use direct system calls or invoke private functions that are not hooked. Additionally, malware may perform unaligned function calls, effectively bypassing the hook code. While hooks can be effective for specific internal functions, they do not cover all functions present in the operating system, which vary with each Windows version. The problem of unaligned function calls also remains challenging to solve through hooking.

API Hammering

Some malware adopts a strategy called API hammering, which introduces delays in slow sandboxes. Sandboxes often impose time limits on the analysis of an application’s behavior. By introducing artificial delays, malware can prolong the analysis period, making it more challenging for the sandbox to observe malicious actions.

System File Replacement

Malware can target system files residing in memory. Hooks usually reside in system files mapped into memory. Certain malware families un-map these files and reload them, effectively “unhooking” them. This tactic allows malware to execute without detection.

Unmonitored Kernel Code and Boot Processes

Many sandboxes lack the capability to monitor kernel code or the boot process of a system. Malware can take advantage of this limitation by executing code within these unmonitored areas.

Obscure File Formats

Sandbox environments often do not support all file formats, leaving room for evasion. Malware can employ obscure file formats, such as OneNote, PowerShell, .hta, or .dzip, which may not be supported by the sandbox. Consequently, these files fail to execute, bypassing analysis.

No Support for Obscure Technologies

Malware may deliver payloads that leverage obscure technologies hidden from analysis tools. While the initial infection vector, such as a Word document with a macro, may open and execute in the sandbox, the subsequent payload uses technologies like COM, Ruby, ActiveX, or JAVA that remain hidden from detection.

OS Reboots

Some sandboxes cannot survive an operating system reboot. To evade analysis, malware may monitor reboot triggers, detecting instances where the sandbox tries to emulate logging in and out. These emulated reboots can be detected by malware, signaling the presence of a sandbox.

File Size Bloating

Many commercial sandboxes impose file size limitations on sample submissions (some free public-facing sandboxes have 100 Mb maximum file size). To bypass these restrictions, malware authors pad the file with zeros, artificially inflating its size. This padding can enable the malware to evade sandbox analysis.

Reserved Characters in Filename

Reserved characters in filenames, such as \ / : * ? ” < > |, are part of system functions and cannot be used when creating folders or files. Malware authors deliberately use these illegal characters in filenames, hoping that the sandbox will reject the sample. VMRay automatically renames files containing reserved characters before submission, ensuring proper analysis.

Defeating sandbox “technology” weaknesses

To counter these sandbox evasion techniques effectively, a robust sandbox analysis environment should consider the following strategies:

Not Rely on Modifying the Target Environment: 

Many sandboxes rely on modifying the target environment through hooking. However, hooks can be targeted by malware to disable analysis. A more resilient approach is to refrain from modifying the environment.

Run Gold Images as Target Analysis Environments: 

Instead of using a generic target environment, employ actual gold images – standard OS and application configurations used within your enterprise. This ensures that any malware that can run on your enterprise’s systems will also execute in the analysis environment.

Monitor All Malware-Related Activity: 

Some malware sandboxes, particularly those using a hooking-based approach, take shortcuts by not monitoring all activity for the sake of efficiency. This can create blind spots in analysis. VMRay technology accommodates all scenarios, offering full visibility into malware activity, regardless of attempts to obfuscate intentions.

As we navigate the intricate terrain of sandbox evasion techniques, it’s imperative to recognize the evolving strategies employed by threat actors. In the next chapter, we will delve deeper into techniques that allow malware to evade detection and analysis, uncovering their strategies, and understanding how advanced threat analysis tools like VMRay can thwart their efforts.

Combating sandbox evasion for a more effective security automation

Chapter 7: 
Evading the sandbox

Table of Contents

See VMRay in action.
Detect and analyze even the most evasive malware and phishing threats.

Further resources


Single source of truth for effective security automation


Checkmate: How sandbox evasion can stall automation

Watch our webinar from at SANS EDR / XDR Solutions Forum


The most advanced malware and phishing sandbox

Welcome to the playground.

Explore what you can do with VMRay.

Click on the yellow dots to check the report formats, see the overview, explore the network connections of the sample, malicious behavior, and relevant files, map the threat on MITRE ATT&CK Framework, analyze and download IOCs and artifacts.

The analysis report tabs are available both for VMRayDeepResponse and VMRayTotalInsight. The bundle of VMRay FinalVerdict and VMRayDeepResponse also offers access to the analysis report tabs.

We’re sorry. 

The interactive tour is not available on mobile devices.

Unveiling the power:
See our experts showcasing VMRay’s capabilities.

Analysis of a malicious file

Join Fatih Akar from the VMRay team as he provides a detailed walkthrough of a malicious LNK file, a prevalent attack vector since Microsoft’s Office macros block.

Gain valuable insights into each tab of our comprehensive analysis report and get a sneak peek into what you’ll be exploring.

Analysis of a malicious URL

Join Andrey Voitenko, an expert in advanced malware and phishing analysis from the VMRay team, as he demonstrates how to submit emails and URLs to the VMRay platform using built-in connectors.

Discover the capabilities of our new Automation Dashboard, enabling one-click automation with your existing EDR, SOAR, SIEM, and TIP tools. Monitor analysis data seamlessly from your VMRay dashboard and unlock new levels of efficiency in your security operations.

Integrating with existing tools

Watch Michael Bourton showcasing the seamless integration of VMRay platform with your existing security stacks.

Discover how effortlessly you can leverage unparalleled detection and analysis capabilities by utilizing dedicated connectors or our Rest API.

Experience VMRay in Action:
Explore Real-world Malware Analysis Reports

Get a firsthand look at the power and capabilities of the VMRay platform by delving into our sample malware and phishing analysis reports.

Immerse yourself in a range of report formats, providing comprehensive insights.

Dive into the overview, explore intricate network connections, analyze malicious behavior in detail, and map threats using the MITRE ATT&CK Framework. See the possibilities to download clear IOCs.

Uncover the capabilities that await you.

Calculate how much malware false positives are costing your organization:
Malware False Positive Cost Calculator