VMCPUID Sandbox Evasion

The VMCPUID instruction is a sophisticated mechanism often employed by malware to ascertain if it is operating within a virtual environment.

This instruction is part of the x86 architecture's virtual machine extensions (VMX) and is designed to provide information about the capabilities and status of the virtual machine.

By using VMCPUID, malware can adapt its behavior based on …

VPCEXT Sandbox Evasion

The VPCEXT instruction (visual property container extender) is another anti–virtual machine trick used by malware to detect virtual systems. This technique is not documented. If the execution of the instruction does not generate an exception (illegal instruction), then the program is running on a virtual machine.

Checking Installed Software Sandbox Evasion

By detecting the presence of certain software and tools commonly used in sandbox environments, such as Python interpreters, tracing utilities, debugging tools, and virtual machine software like VMware, it is possible to infer the existence of a sandbox.

This inference is based on the premise that such tools are often found in sandbox setups used for dynamic malware analysis …

Thermal Zone Temperature Sandbox Evasion

The temperature sensor is used to know the current temperature of a machine. In a non-virtualized environment, the function returns valid support and output like: "25.05 C: 77.09 F: 298.2K". But for a fully virtualized environment, the return is "MSAcpi_ThermalZoneTemperature not supported" because this feature is not supported on virtualized processors.

Interestingly, this method is not valid. Not all …

GetForegroundWindow Sandbox Evasion

This technique uses the GetForegroundWindow and Sleep APIs to attempt to evade sandboxes. Many sandboxes do not alter the foreground window like a user would in a normal desktop environment.

It accomplishes this by making a call to GetForegroundWindow, which returns a handle to the current window. Then the malware sample will sleep for a short time, followed by …

Detecting Online Sandbox Sandbox Evasion

Online sandboxes are widely used for malware analysis. To evade detection, many malware families implement checks to identify if they are running in such environments. Below are examples of detection techniques for Any.Run and Tria.ge.

Detecting Any.Run

Any.Run uses a fake root certificate to spy on sandbox traffic. System information can be obtained by querying …

Themida Packers

Themida is a commercial known packer that embeds several features including anti-debugging, virtual machine emulation, encryption...

Anti-debugger techniques that detect/fool any kind of debugger
Anti-memory dumpers techniques for any Ring3 and Ring0 dumpers
Different encryption algorithms and keys in each protected application
Anti-API scanners techniques that avoids reconstruction …

VMProtect Packers

VMProtect protects code by executing it on a virtual machine with non-standard architecture that makes it extremely difficult to analyze and crack the software. Besides that, VMProtect generates and verifies serial numbers, limits free upgrades and much more.

Cronos-Crypter Packers

Cronos-Crypter is an open-source crypter publicly available on GitHub. The crypter applies AES encryption or XOR obfuscation to a selected payload before storing it as a .NET resource of a final generated .NET executable payload. Cronos-Crypter contains multiple capabilties for persistence and defense evasion. An operator may select persistence via a Windows Registry autorun key or a Scheduled Task. An …

Default Windows Wallpaper Check Sandbox Evasion

Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. In this particular case, the malware checks to see if the wallpaper set on the machine is the default Windows …

Search Evasion Techniques

Search Result