Navigating the Vast Ocean of Sandbox Evasions

Malware authors employ a wide range of sandbox evasion techniques, from instrumentation checks and VM detection to requiring human interaction and timing tricks, and defenders counter with bespoke analysis approaches and memory-focused detection. The article surveys major evasion categories, provides concrete examples, and describes mitigation strategies, including building a custom hypervisor for malware analysis and memory-delta detection. #GuLoader #Trickbot #Sundown #VBCrypt #Zebrocy #InstallCore #KingSoft #VMware #VirtualBox #QEMU #Hypervisor #AdvancedWildFire

Keypoints

  • Malware evasion focuses on detecting sandbox environments by checking environment characteristics for signs that the host is an automated analysis system rather than a genuine target.
  • Instrumentation evasion centers on detecting API hooks and instrumentation, including unhooking existing hooks to hide activity.
  • VM detection methods include VMware backdoor interfaces, WMI queries, and VM-specific artifacts to determine if the analysis is in a virtual environment.
  • To counter VM evasion, some teams build their own custom hypervisor to obscure instrumentation and reduce fingerprinting.
  • Human interaction evasion involves requiring user input (mouse clicks, keystrokes, dialogs) and using timing to differentiate real users from automated analyses.
  • Timing and resource-based evasion uses sleeps, timers, and CPU timing loops to delay or hide malicious actions within short analysis windows.
  • Pocket litter checks look for real-system clues (uptime, files in My Documents, memory) to distinguish a real host from a sandbox; defenses respond with case-by-case mitigations and memory-focused analysis.

MITRE Techniques

  • [T1497] Virtualization/Sandbox Evasion – Malware detects sandbox/VM environments to avoid malicious execution. “There are many variations on how malware authors specifically detect sandboxes, but the general theme is that they will check the characteristics of the environment to see whether it looks like a targeted host rather than an automated system.”
  • [T1497] Virtualization/Sandbox Evasion – VM detection via VMware backdoor interface. “One of the earliest and most widely used mechanisms for malware to determine whether it’s running inside a VMware virtual machine is to use the backdoor interface of VMware to see whether there is any valid response from the VMware hypervisor.”
  • [T1497] Virtualization/Sandbox Evasion – WMI queries to gather system information for virtualization/hypervisor strings. “Malware families can also query the computer manufacturer or model information using Windows Management Instrumentation (WMI) queries. This allows them to get information about the system and compare it with known sandbox and/or hypervisor strings.”
  • [T1497] Virtualization/Sandbox Evasion – Pocket litter-based checks to confirm a real host (e.g., uptime, documents, memory). “The term ‘pocket litter’ has been co-opted from the field of espionage… commonly includes looking for things like a reasonable amount of system uptime, a sufficient number of files in the My Documents folder or a good number of pages in the system’s browser cache.”
  • [T1497] Virtualization/Sandbox Evasion – Lack of human interaction checks (no user input) to deter automated analysis. “This category includes evasions requiring specific human interaction… malware families often check for human interaction and cease execution if it looks like there is no user driving the system.”
  • [T1497] Virtualization/Sandbox Evasion – Timing and resource-based checks (e.g., sleep, timers, CPUID loops) to delay or detect analysis. “Early on, one of the most common sandbox evasions was to just call sleep for about an hour before doing anything evil.”

Indicators of Compromise

  • [SHA256] WMI queries – 3bf0f489250eaaa99100af4fd9cce3a23acf2b633c25f4571fb8078d4cb7c64d – Trickbot
  • [SHA256] Timing attack using SetTimer – e9f6edb73eb7cf8dcc40458f59d13ca2e236efc043d4bc913e113bd3a6af19a2 – Sundown payload
  • [SHA256] Sleep using time stamp counter instruction – 3450abaf86f0a535caeffb25f2a05576d60f871e9226b1bd425c425528c65670 – VBCrypt
  • [SHA256] Volume Disk serial number check – 091ffdfef9722804f33a2b1d0fe765d2c2b0c52ada6d8834fdf72d8cb67acc4b – Zebrocy
  • [SHA256] VMware check – 96a88531d207bd33b579c8631000421b2063536764ebaf069d0e2ca3b97d4f84 – PUA/KingSoft
  • [SHA256] GetLastUserInput check – de85a021c6a01a8601dbc8d78b81993072b7b9835f2109fe1cc1bad971bd1d89 – PUA/InstallCore

Read more: https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/