Detecting Online Sandbox Sandbox Evasion

Online sandboxes are widely used for malware analysis. To evade detection, many malware families implement checks to identify if they are running in such environments. Below are examples of detection techniques for Any.Run and Tria.ge.

Detecting Any.Run

Any.Run uses a fake root certificate to spy on sandbox traffic. System information can be obtained by querying …

Hide Artifacts: Run Virtual Instance Defense Evasion [Mitre]

Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual …

Retrieve HDD Information Sandbox Evasion

Malware can figure out if it's in a virtual environment by checking hard drive info. It looks for specific details like serial and model numbers. This is easier to spot in VirtualBox because it shows clues that it's running in a virtual space.

Malware uses this trick to avoid getting caught. It does this by using a special command …

Detecting Mac Address Sandbox Evasion

Virtualbox and VMware use specific virtual Mac address that can be detected by Malware.

The usual mac address used by Virtualbox starts with the following number: 08:00:27.
The usual mac address used by VMware starts with the following numbers: 00:0C:29, 00:1C:14, 00:50:56, 00:05:69.

Malware can use this simple trick to detect if it is running …

Detecting Virtual Environment Process Sandbox Evasion

Process related to Virtualbox can be detected by malware by query the process list.

The VMware Tools use processes like VMwareServices.exe or VMwareTray.exe, to perform actions on the virtual environment. A malware can list the process and searches for the VMware string. Process: VMwareService.exe, VMwareTray.exe, TPAutoConnSvc.exe, VMtoolsd.exe, VMwareuser.exe.

Detecting Virtual Environment Files Sandbox Evasion

Some files are created by Virtualbox and VMware on the system.

Malware can check the different folders to find Virtualbox artifacts like VBoxMouse.sys.

Malware can check the different folders to find VMware artifacts like vmmouse.sys, vmhgfs.sys.

Some Files Example

Below is a list of files that can be detected on virtual machines:

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\agent.pyw",

Detecting Virtual Environment Artefacts Sandbox Evasion

Malware often checks for artifacts left by virtualization platforms to determine if it is running inside a virtual environment. Detecting such artifacts allows the malware to adapt its behavior, delay execution, or avoid exposing malicious functionality during analysis.

QEMU: QEMU registers artifacts in the Windows registry. For example, the key HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical …

VboxEnumShares Sandbox Evasion

This method represents a variation of the WNetGetProviderName(WNNC_NET_RDR2SAMPLE, ...) approach, which is typically employed to determine if the network share's provider name is specific, such as VirtualBox. Instead of relying on this well-established technique, we utilize WNetOpenEnum and WNetEnumResource functions to iterate through each network resource. The primary objective is to identify VirtualBox shared folders, which typically feature "VirtualBox" or …

Search Evasion Techniques

Search Result