Profiling different types of sandboxes

Discover the nuances of sandbox profiling, unraveling the strengths and strategies behind different sandboxing technologies.

In the dynamic landscape of cybersecurity, understanding the intricacies of sandboxing technologies is essential. Sandboxes are not created equal, and profiling them sheds light on their capabilities and limitations. In this chapter, we embark on an exploration of two distinct types of sandboxes, each with its approach to malware analysis.

Hooking and Kernel-Mode sandboxes

Our journey begins with a closer look at hooking and kernel-mode sandboxes. These sandboxes employ a specific architecture that facilitates in-depth analysis of potentially malicious code. When we dropped Al-Khaser into one such environment, it swiftly responded with a barrage of checks. These checks range from probing for the presence of a VirtualBox service to scrutinizing registry keys and system BIOS versions.

However, the challenge lies in maintaining a pristine environment. A sandbox isn’t merely a virtual system where you toss a malware sample. At VMRay, meticulous efforts go into patching and randomizing the environment to thwart any profiling attempts.

A closer look at hooking and kernel-mode sandboxes
A closer look at hooking and kernel-mode sandboxes

Hypervisor-Based Sandboxes: A Third-Generation Solution

But what if a malicious entity detects the sandbox’s presence and refuses to detonate, leaving you with a false sense of security? This is where hypervisor-based monitoring, a third-generation sandboxing solution, comes into play. It goes beyond the traditional sandbox concept by employing virtual machine introspection. This approach allows us to log and monitor activities within the sandbox without leaving any telltale traces.

When we introduce a tool like Al-Khaser into such an environment, the results are strikingly different. The sandbox responds with an array of full clean checks, virtually guaranteeing the successful detonation of malware. This advanced sandboxing technology offers a higher level of confidence in identifying and analyzing threats.

Hypervisor-based monitoring goes beyond the traditional sandbox concept and allows us to log and monitor activities within the sandbox without leaving any traces.
Hypervisor-based monitoring goes beyond the traditional sandbox concept and allows us to log and monitor activities within the sandbox without leaving any traces.

In our next chapter, we will explore the challenging domain of bypassing sandbox detection, unveiling the tactics and strategies employed by threat actors to evade analysis. Join us as we dive into this crucial aspect of cybersecurity, where the stakes are high, and the adversaries are relentless.

Combating sandbox evasion for a more effective security automation

Chapter 4: 
Introduction to bypassing sandbox detection

Table of Contents

See VMRay in action.
Detect and analyze even the most evasive malware and phishing threats.

Further resources


Single source of truth for effective security automation


Checkmate: How sandbox evasion can stall automation

Watch our webinar from at SANS EDR / XDR Solutions Forum


The most advanced malware and phishing sandbox

Welcome to the playground.

Explore what you can do with VMRay.

Click on the yellow dots to check the report formats, see the overview, explore the network connections of the sample, malicious behavior, and relevant files, map the threat on MITRE ATT&CK Framework, analyze and download IOCs and artifacts.

The analysis report tabs are available both for VMRayDeepResponse and VMRayTotalInsight. The bundle of VMRay FinalVerdict and VMRayDeepResponse also offers access to the analysis report tabs.

We’re sorry. 

The interactive tour is not available on mobile devices.

Unveiling the power:
See our experts showcasing VMRay’s capabilities.

Analysis of a malicious file

Join Fatih Akar from the VMRay team as he provides a detailed walkthrough of a malicious LNK file, a prevalent attack vector since Microsoft’s Office macros block.

Gain valuable insights into each tab of our comprehensive analysis report and get a sneak peek into what you’ll be exploring.

Analysis of a malicious URL

Join Andrey Voitenko, an expert in advanced malware and phishing analysis from the VMRay team, as he demonstrates how to submit emails and URLs to the VMRay platform using built-in connectors.

Discover the capabilities of our new Automation Dashboard, enabling one-click automation with your existing EDR, SOAR, SIEM, and TIP tools. Monitor analysis data seamlessly from your VMRay dashboard and unlock new levels of efficiency in your security operations.

Integrating with existing tools

Watch Michael Bourton showcasing the seamless integration of VMRay platform with your existing security stacks.

Discover how effortlessly you can leverage unparalleled detection and analysis capabilities by utilizing dedicated connectors or our Rest API.

Experience VMRay in Action:
Explore Real-world Malware Analysis Reports

Get a firsthand look at the power and capabilities of the VMRay platform by delving into our sample malware and phishing analysis reports.

Immerse yourself in a range of report formats, providing comprehensive insights.

Dive into the overview, explore intricate network connections, analyze malicious behavior in detail, and map threats using the MITRE ATT&CK Framework. See the possibilities to download clear IOCs.

Uncover the capabilities that await you.

Calculate how much malware false positives are costing your organization:
Malware False Positive Cost Calculator