Anti-Sandboxing Malware


Malware Evasion Techniques Part 3

One of the simplest and longest-lived methods of analysis and sandbox avoidance rests on a simple premise: any sandbox allocates only a finite amount of time (usually a few minutes) to each analysis before moving on to the next sample in its queue.

By delaying its execution beyond this timeframe, malware can hide its malicious actions and activities from the sandbox. This is commonly accomplished by calling the Windows “Sleep” or “NtDelayExecution” APIs, which some sandboxes patch (returning immediately instead of waiting) in order to circumvent this behavior. As a result, some malware has evolved to detect these patches as an additional indicator of an analysis/sandbox environment.

This is done by taking a timestamp, going to sleep, and checking the timestamp again upon waking up. If the measured difference from the earlier timestamp differs substantially from the time the malware was programmed to sleep, the malware will avoid or adjust its execution.
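To make the trade-off concrete from the sandbox side, here is a constructed simulation (added here, not code from the original post or from Deep Instinct) of the timestamp-sleep-timestamp check described above run under three hypothetical sandbox sleep policies: honouring the sleep, skipping it naively, and skipping it while advancing the guest-visible clock by the same amount. The analysis budget, tolerance value and policy names are assumptions chosen for the illustration.

```python
"""Simulation of sleep-based sandbox evasion and sandbox-side sleep policies.

Constructed example, not code from the post or from any real sandbox: the
'sample' performs the timestamp-around-sleep consistency check the text
describes, and three hypothetical sandbox hook policies are compared.
"""
from dataclasses import dataclass, field

ANALYSIS_BUDGET_S = 120.0   # assumption: the sandbox gives each sample two minutes
CHECK_TOLERANCE_S = 1.0     # assumption: slack the sample allows on elapsed time


@dataclass
class Sandbox:
    policy: str                     # "honest", "skip" or "skip_and_warp" (assumed names)
    guest_clock: float = 0.0        # time the analysed process can observe
    host_elapsed: float = 0.0       # real analysis time actually consumed
    sleep_log: list = field(default_factory=list)

    def delay_execution(self, seconds: float) -> None:
        """Stand-in for a hooked Sleep/NtDelayExecution call."""
        self.sleep_log.append(seconds)
        if self.policy == "honest":
            # Really wait: both the guest clock and the analysis budget move.
            self.guest_clock += seconds
            self.host_elapsed += seconds
        elif self.policy == "skip":
            # Naive patch: return immediately; guest-visible time does not move,
            # which is exactly what the sample's timestamp comparison detects.
            return
        elif self.policy == "skip_and_warp":
            # Skip the wait but advance the guest-visible clock by the requested
            # amount, so a timestamp comparison still agrees and no budget is spent.
            self.guest_clock += seconds
        else:
            raise ValueError(f"unknown policy {self.policy!r}")


def sample_timing_check(sb: Sandbox, requested_s: float) -> bool:
    """The consistency check from the text: timestamp, sleep, timestamp.
    Returns True when the observed delay matches the requested one."""
    before = sb.guest_clock
    sb.delay_execution(requested_s)
    observed = sb.guest_clock - before
    return abs(observed - requested_s) <= CHECK_TOLERANCE_S


def long_sleep_indicator(sleep_log: list) -> bool:
    """Detection heuristic: the sample asked to sleep for longer than the whole
    analysis window, which is itself worth flagging in the report."""
    return sum(sleep_log) > ANALYSIS_BUDGET_S


def run_analysis(policy: str, requested_sleep_s: float) -> dict:
    """Run one sample under one sleep policy and summarise the outcome."""
    sb = Sandbox(policy)
    consistent = sample_timing_check(sb, requested_sleep_s)
    return {
        "policy": policy,
        "sample_sees_consistent_clock": consistent,
        "host_time_used_s": sb.host_elapsed,
        "within_budget": sb.host_elapsed <= ANALYSIS_BUDGET_S,
        "long_sleep_indicator": long_sleep_indicator(sb.sleep_log),
    }


if __name__ == "__main__":
    # A sample requesting a ten-minute sleep inside a two-minute analysis window.
    for policy in ("honest", "skip", "skip_and_warp"):
        print(run_analysis(policy, requested_sleep_s=600.0))
```

The honest policy keeps the clock consistent but burns the whole budget, the naive skip stays within budget but is exposed by the elapsed-time comparison, and only the skip-and-warp policy satisfies both. In a real sandbox the warp has to be applied to every time source the guest can reach, not just the one API that was hooked; a sample that compares several clocks against each other will still notice when only one of them has been moved, so the long-sleep indicator is worth recording regardless of which policy is in use.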

An example of a similar timestamping mechanism can be found in MyloBot, which Deep Instinct discovered during the summer of 2018.