Sandbox Detection
May 1, 2024
| Field | Value |
|---|---|
| ID | B0007 |
| Objective(s) | Anti-Behavioral Analysis |
| Related ATT&CK Techniques | Virtualization/Sandbox Evasion: System Checks (T1497.001, T1633.001), Virtualization/Sandbox Evasion: User Activity Based Checks (T1497.002) |
| Anti-Analysis Type | Detection |
| Version | 2.3 |
| Created | 1 August 2019 |
| Last Modified | 27 April 2024 |
Malware checks whether it is being executed inside an instrumented and isolated sandbox (test) environment. In performing reconnaissance of its environment, the malware checks a variety of user- or system-based artifacts. Examples include monitoring for user action as reflected by mouse clicks, or timing checks [1], [2]. Upon detection of the sandbox, conditional execution changes the malware's behavior: for example, execution may terminate, or activity may appear benign, e.g., connecting to a benign domain.
The related Virtualization/Sandbox Evasion (T1497, T1633) ATT&CK techniques were defined after this MBC behavior.
Methods
| Name | ID | Description |
|---|---|---|
| Check Clipboard Data | B0007.001 | Checks clipboard data which can be used to detect whether execution is inside a sandbox. |
| Check Files | B0007.002 | Sandboxes create files on the file system. Malware can check the different folders to find sandbox artifacts. |
| Human User Check | B0007.003 | Detects whether there is any "user" activity on the machine, such as movement of the mouse cursor, a non-default wallpaper, or recently opened Office files. Directories or files might be counted. If there is no human activity, the machine is suspected to be a virtualized machine and/or sandbox. Other items used to detect a user: mouse clicks (single/double), DialogBox, scrolling, color of a background pixel [5]. This method is similar to ATT&CK's Virtualization/Sandbox Evasion: User Activity Based Checks sub-technique. This method is also related to Unprotect techniques U1316 and U1317. |
| Injected DLL Testing | B0007.004 | Testing for the name of a particular DLL that is known to be injected by a sandbox for API hooking is a common way of detecting sandbox environments. This can be achieved through the kernel32!GetModuleHandle API call and other means. |
| Product Key/ID Testing | B0007.005 | Checking for a particular product key/ID associated with a sandbox environment (commonly associated with the Windows host OS used in the environment) can be used to detect whether a malware instance is being executed in a particular sandbox. This can be achieved through several means, including testing for the Key/ID in the Windows registry. |
| Screen Resolution Testing | B0007.006 | Sandboxes aren't used in the same manner as a typical user environment, so most of the time the screen resolution stays at the minimum 800x600 or lower. No one actually works on such a small screen. Malware could potentially read the screen resolution to determine whether it's a user machine or a sandbox. This method is related to Unprotect technique U1315. |
| Self Check | B0007.007 | Malware may check its own characteristics to determine whether it's running in a sandbox. For example, a malicious Office document might check its file name or VB project name. This method is related to Unprotect technique U1303. |
| Timing/Date Check | B0007.008 | Calling GetSystemTime or an equivalent and only executing code if the current date/hour/minute/second passes some check. Often this is for running only after, or only until, a specific date. This behavior can be mitigated in non-automated analysis environments. This method is related to Unprotect technique U1005. |
| Timing/Uptime Check | B0007.009 | Comparing a single GetTickCount result with some value to see whether the system has been up for at least X amount of time. This behavior can be mitigated in non-automated analysis environments. |
| Test API Routines | B0007.010 | Calls Windows API routines with invalid arguments to identify error suppression. |
Use in Malware
| Name | Date | Method | Description |
|---|---|---|---|
| Redhip | 2011 | B0007.005 | Redhip detects publicly available automated analysis workbenches (e.g., Joe Box) by considering OS product keys and special DLLs and checks for sandboxes and AV modules. [3] |
| Rombertik | 2015 | B0007.010 | The malware checks for sandboxes that suppress errors returned from API routine calls, using the ZwGetWriteWatch routine. [4] |
| Terminator | 2013 | -- | The Terminator RAT evades a sandbox by not executing until after a reboot. Most sandboxes don't reboot during an analysis. [6] |
| Ursnif | 2016 | B0007.007 | Ursnif uses malicious macros to evade sandbox detection, checking whether the filename contains only hexadecimal characters before the extension. [10] |
| GoBotKR | 2019 | -- | GoBotKR performs several checks on the compromised machine to avoid being emulated or executed in a sandbox. [7] |
| EvilBunny | 2011 | -- | EvilBunny hooks time retrieval APIs and calls each API twice to calculate a delta. Execution aborts depending on the delta value. [8] |
| Vobfus | 2016 | -- | Vobfus uses GetModuleHandle API to check for the presence of a sandbox. [9] |
Detection
| Tool: capa | Mapping | APIs |
|---|---|---|
| check for microsoft office emulation | Sandbox Detection::Product Key/ID Testing (B0007.005) | CreateFile |
| check for sandbox and av modules | Sandbox Detection (B0007) | GetModuleHandle |

| Tool: CAPE | Mapping | APIs |
|---|---|---|
| antisandbox_joe_anubis_files.py | Sandbox Detection::Check Files (B0007.002) | -- |
| antisandbox_cuckoo_files | Sandbox Detection::Check Files (B0007.002) | -- |
| antisandbox_cuckoo_files | Sandbox Detection (B0007) | -- |
| antisandbox_threattrack_files | Sandbox Detection (B0007) | -- |
| antisandbox_threattrack_files | Sandbox Detection::Check Files (B0007.002) | -- |
| antisandbox_sleep | Sandbox Detection (B0007) | NtDelayExecution |
| antisandbox_sleep | Sandbox Detection::Timing/Date Check (B0007.008) | NtDelayExecution |
| antisandbox_mouse_hook | Sandbox Detection (B0007) | SetWindowsHookExA, SetWindowsHookExW |
| antisandbox_mouse_hook | Sandbox Detection::Human User Check (B0007.003) | SetWindowsHookExA, SetWindowsHookExW |
| antisandbox_foregroundwindows | Sandbox Detection (B0007) | GetForegroundWindow, NtDelayExecution |
| antisandbox_sboxie_mutex | Sandbox Detection (B0007) | -- |
| antisandbox_script_timer | Sandbox Detection (B0007) | -- |
| antisandbox_sboxie_libs | Sandbox Detection (B0007) | LdrGetDllHandle, LdrLoadDll |
| antisandbox_cuckoocrash | Sandbox Detection (B0007) | -- |
| antisandbox_joe_anubis_files | Sandbox Detection (B0007) | -- |
| antisandbox_joe_anubis_files | Sandbox Detection::Check Files (B0007.002) | -- |
| antisandbox_fortinet_files | Sandbox Detection (B0007) | -- |
| antisandbox_fortinet_files | Sandbox Detection::Check Files (B0007.002) | -- |
| antisandbox_sunbelt_files | Sandbox Detection (B0007) | -- |
| antisandbox_sunbelt_files | Sandbox Detection::Check Files (B0007.002) | -- |
| antisandbox_sboxie_objects | Sandbox Detection (B0007) | NtOpenDirectoryObject |
| antisandbox_sunbelt_libs | Sandbox Detection (B0007) | LdrGetDllHandle, LdrLoadDll |
| antisandbox_cuckoo | Sandbox Detection (B0007) | -- |
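The Methods table above describes each B0007 method by the Windows APIs that implement it, and the capa/CAPE tables map those APIs back to method IDs. As an added example that is not part of the MBC catalog or of capa/CAPE, the following Python maps calls in a constructed, simplified API trace to B0007 method IDs; the trace line format, the rule table, and the DLL, path and hook-constant patterns it matches are assumptions for illustration, not a vetted indicator list.

```python
import re
from collections import defaultdict

# Constructed API trace in a simplified "API(args)" line format (not real tool output).
SAMPLE_TRACE = r"""
GetModuleHandleA("SbieDll.dll")
RegQueryValueExA(0x1234, "ProductId")
GetTickCount()
GetSystemTime()
GetCursorPos()
GetSystemMetrics(SM_CXSCREEN)
SetWindowsHookExA(WH_MOUSE_LL, 0x401000)
CreateFileA("C:\analyzer\agent.py")
WriteFile(0x20, "hello")
"""

# (API name regex, argument regex or None, MBC method ID). APIs follow the
# Methods/Detection tables; the DLL, path and hook constants are placeholders.
RULES = [
    (r"GetModuleHandle[AW]?|LdrGetDllHandle|LdrLoadDll", r"(?i)sbiedll|sandbox", "B0007.004"),  # Injected DLL
    (r"RegQueryValueEx[AW]?", r"ProductId", "B0007.005"),                     # Product Key/ID
    (r"GetSystemMetrics", r"SM_C[XY]SCREEN", "B0007.006"),                    # Screen Resolution
    (r"GetSystemTime|GetLocalTime|NtDelayExecution", None, "B0007.008"),     # Timing/Date
    (r"GetTickCount(64)?", None, "B0007.009"),                                # Timing/Uptime
    (r"SetWindowsHookEx[AW]?", r"WH_MOUSE", "B0007.003"),                     # Human User
    (r"GetCursorPos|GetForegroundWindow", None, "B0007.003"),                 # Human User
    (r"CreateFile[AW]?|GetFileAttributes[AW]?", r"(?i)cuckoo|agent\.py", "B0007.002"),  # Check Files
]
CALL_RE = re.compile(r"^(?P<api>\w+)\((?P<args>.*)\)\s*$")


def parse_call(line):
    """Split 'API(args)' into (api, args); None for lines in another shape."""
    m = CALL_RE.match(line.strip())
    return (m.group("api"), m.group("args")) if m else None


def classify_trace(trace):
    """Return {method_id: [trace lines]} for calls matching a B0007 method.
    A call may hit several rules; unmatched calls (e.g. WriteFile) are ignored."""
    hits = defaultdict(list)
    for line in trace.splitlines():
        parsed = parse_call(line)
        if parsed is None:
            continue
        api, args = parsed
        for api_re, arg_re, method_id in RULES:
            if re.fullmatch(api_re, api) and (arg_re is None or re.search(arg_re, args)):
                hits[method_id].append(line.strip())
    return dict(hits)
```

Running `classify_trace(SAMPLE_TRACE)` on the constructed trace yields seven method IDs, with the two user-activity calls both filed under B0007.003.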
Code Snippets
B0007.005 Snippet
Sandbox Detection::Product Key/ID Testing
```asm
push    ebx
add     esp, 0FFFFFEF4h
xor     ebx, ebx
push    esp                 ; phkResult
push    1                   ; samDesired
push    0                   ; ulOptions
push    offset SubKey       ; "Software\Microsoft\Windows\CurrentVersi"...
push    80000002h           ; hKey
call    RegOpenKeyExA
test    eax, eax
jnz     short loc_405387
mov     [esp+110h+cbData], 101h
lea     eax, [esp+110h+cbData]
push    eax                 ; lpcbData
lea     eax, [esp+114h+Data]
push    eax                 ; lpData
push    0                   ; lpType
push    0                   ; lpReserved
push    offset ValueName    ; "ProductId"
mov     eax, [esp+124h+hKey]
push    eax                 ; hKey
call    RegQueryValueExA
lea     eax, [esp+110h+Data]
cmp     eax, offset a55274640267306 ; "55274-640-2673064-23950"
jnz     short loc_405387
mov     bl, 1
```
References
[1] Check Point Research, "CP
[2] Splunk Threat Research Team, "From Macros to No Macros: Continuous Malware Improvements by QakBot," Splunk, blog, 01 December 2022. [Online]. Available: https://www.splunk.com/en_us/blog/security/from-macros-to-no-macros-continuous-malware-improvements-by-qakbot.html.
[3] https://web.archive.org/web/20200815134441/https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html
[4] https://blogs.cisco.com/security/talos/rombertik
[5] https://github.com/LordNoteworthy/al-khaser
[6] https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/file/fireeye-hot-knives-through-butter.pdf
[7] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[8] https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/
[9] https://securitynews.sonicwall.com/xmlpost/revisiting-vobfus-worm-mar-8-2013/
[10] https://www.proofpoint.com/us/threat-insight/post/ursnif-banking-trojan-campaign-sandbox-evasion-techniques