Malware sandbox detection and evasion


If I were a malware writer, which I’m not, I would mainly focus on making sure that my malware is not analyzed by the most famous online sandboxes. To avoid this I would need to gather some information about these platforms.

What information do I need?

The fastest way is to ask the operating system how it was configured. It takes just a few lines of AutoIt code to do this, and the same logic can be applied to the VBA, VBS and PowerShell scripts widely used in the initial stages of an infection.

PoC code AutoIt

Among the information contained in the “$OSInfo” variable, the most interesting ones are: “Computer Name”, “User Name”, “OS Language”, “Drive Serial” and “Mac Address”.

Note that the values obtained can change according to the type of machine chosen, 32 or 64 bits, Windows 7 or Windows 10.

The last two lines of code write the contents of the “$OSInfo” variable to a specific registry key and send a fake HTTP request carrying the “$OSInfo” values. Alternatively, you can write the contents to a text file inside the Temp folder.

After I compiled my source code, I loaded the executable on a sandbox so that I could observe these values in the final report.

Any Run text report

Not all sandboxes let you inspect the contents of registry keys, the complete query string of an HTTP GET request (in many cases only the domain or IP address is shown), or the contents of new files dropped by the malware. This is why it is important to use several methods at once, so that at least one of them ends up in the report with the information you want.
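From the analyst's side, the same three channels (HTTP query string, registry value, dropped file) are where this kind of environment fingerprinting shows up in a report. The following Python script is an added example, not code from the original post: it takes the identity values of an analysis VM (the Any Run values reported on this page) and scans constructed report events for places where the sample echoes those values back out, which is the signature of a sample profiling the machine before deciding whether to run. The event format and the `example.invalid` callback URL are assumptions made for the example.

```python
"""Flag sandbox-environment fingerprinting in analysis-report events.

Added example (not from the original post). Looks for the analysis VM's own
identity values (computer name, user name, locale id, drive serial, MAC)
inside network requests, registry writes and dropped-file paths.
"""
import re
from typing import Dict, List

# Identity values of one analysis VM. These are the Any Run (32-bit Windows 7)
# values listed on the page; a sandbox operator would fill in their own.
SANDBOX_IDENTITY: Dict[str, str] = {
    "computer_name": "USER-PC",
    "user_name": "admin",
    "os_language": "409",
    "drive_serial": "3300537927",
    "mac_address": "52:54:00:4A:04:AF",
}

# Constructed report events (hypothetical; not real sandbox output).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "http",
     "value": "http://example.invalid/cb.php?cn=USER-PC&un=admin&lang=409"
              "&ds=3300537927&mac=52-54-00-4A-04-AF"},
    {"type": "registry",
     "value": "HKCU\\Software\\Example\\info = USER-PC|admin|409|3300537927|52:54:00:4A:04:AF"},
    {"type": "http", "value": "http://example.invalid/update?v=2"},
    # A dropped-file path naturally contains the user name: a one-field match
    # like this is noise, not a fingerprinting signal.
    {"type": "file", "value": "C:\\Users\\admin\\AppData\\Local\\Temp\\osinfo.txt"},
]

# Separator between two hex bytes of a MAC address (":" or "-").
_MAC_SEP = re.compile(r"(?<=[0-9A-Fa-f]{2})[:-](?=[0-9A-Fa-f]{2})")


def _normalize(text: str) -> str:
    """Collapse MAC separators and upper-case, so 52:54:00:.. == 52-54-00-.."""
    return _MAC_SEP.sub("", text).upper()


def _value_pattern(value: str) -> re.Pattern:
    """Match the normalized value only at token boundaries, so a short locale
    id such as 409 does not match inside an unrelated longer number."""
    return re.compile(r"(?<![0-9A-Z])" + re.escape(_normalize(value)) + r"(?![0-9A-Z])")


def find_fingerprint_leaks(events: List[Dict[str, str]],
                           identity: Dict[str, str],
                           min_fields: int = 2) -> List[Dict[str, object]]:
    """Return one finding per event that contains at least one identity value.

    An event that carries `min_fields` or more identity values at once is
    rated "high" (the sample is reporting the machine's profile); a single
    field is rated "low" because paths and URLs often contain one by chance.
    """
    patterns = {field: _value_pattern(value) for field, value in identity.items()}
    findings: List[Dict[str, object]] = []
    for idx, event in enumerate(events):
        text = _normalize(event["value"])
        matched = sorted(field for field, pat in patterns.items() if pat.search(text))
        if matched:
            findings.append({
                "index": idx,
                "type": event["type"],
                "fields": matched,
                "severity": "high" if len(matched) >= min_fields else "low",
            })
    return findings


def leaks_environment(events: List[Dict[str, str]], identity: Dict[str, str]) -> bool:
    """True when any single event carries enough identity fields to count as
    a deliberate environment profile being written or sent out."""
    return any(f["severity"] == "high" for f in find_fingerprint_leaks(events, identity))


if __name__ == "__main__":
    for finding in find_fingerprint_leaks(SAMPLE_EVENTS, SANDBOX_IDENTITY):
        print(f"[{finding['severity']}] event {finding['index']} ({finding['type']}): "
              f"{', '.join(finding['fields'])}")
    print("fingerprints the environment:", leaks_environment(SAMPLE_EVENTS, SANDBOX_IDENTITY))
```

The two-field threshold is the important design choice: a user name or a locale id on its own appears in ordinary paths and headers, but a computer name, drive serial and MAC address travelling together in one registry value or one query string is the profile a sample collects before deciding whether to show its real behaviour. Operators who randomize these identity values per run can feed the same script the values of that run.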

So, I tried to send my “sample” to the two most popular sandboxes: Hybrid Analysis and Any Run (besides Yomi, a recent Italian malware sandbox).

Here are the results for a Windows 7 SP1 machine:

Hybrid Analysis (32-bit)

Computer Name: HAPUBWS-PC
User Name: HAPUBWS
OS Language: 409 (en-US)
Drive Serial: 140302931
Mac Address: 0A:00:27:3E:B0:1E

Any Run (32-bit)

Computer Name: USER-PC
User Name: admin
OS Language: 409 (en-US)
Drive Serial: 3300537927
Mac Address: 52:54:00:4A:04:AF

Yomi (64-bit)

Computer Name: BOSS-PC
User Name: j.seance
OS Language: 409 (en-US)
Drive Serial: 2758303248
Mac Address: 54:56:00:7F:00:01

Now my PoC is ready to evolve

For instance, if I choose Italy as my target I won’t have any problems: I just check the language setting, because these sandboxes use the en-US (code 409) versions of the OS by default, whereas the language identifier for Italy is 410. For other countries, I can use these variables to skip the analysis and avoid revealing the actual behavior.

AutoIt code (PoC) to skip sandbox

These parameters do not change often, so they will be valid for the entire campaign period.

In conclusion, there are other ways to evade a sandbox, such as process control or virtual environment detection, but the method just described is the fastest way to reach the goal (IMHO).