malware analysis

Analyzing Malware Sandbox Evasion Techniques

Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports

anyrunbehavioral-analysiscuckoomalware-analysismitre-attacksandbox-evasionvirtualization-detection
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Overview

Sandbox evasion (MITRE ATT&CK T1497) allows malware to detect analysis environments and alter behavior to avoid detection. This skill analyzes behavioral reports from Cuckoo Sandbox and AnyRun for evasion indicators including timing-based checks (GetTickCount, QueryPerformanceCounter, sleep inflation), VM artifact detection (registry keys, MAC address prefixes, process names like vmtoolsd.exe), user interaction checks (mouse movement, keyboard input), and environment fingerprinting (disk size, CPU count, RAM). Detection rules flag samples exhibiting these behaviors for deeper manual analysis.

When to Use

  • When investigating security incidents that require analyzing malware sandbox evasion techniques
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Cuckoo Sandbox 2.0+ or AnyRun account for behavioral analysis reports
  • Python 3.8+ with json library for report parsing
  • Behavioral report exports in JSON format

Steps

  1. Parse Cuckoo/AnyRun behavioral report JSON files
  2. Extract API call sequences for timing-related functions
  3. Identify VM artifact detection via registry queries and WMI calls
  4. Detect sleep inflation by comparing requested vs actual sleep durations
  5. Flag user interaction checks (GetCursorPos, GetAsyncKeyState patterns)
  6. Score evasion sophistication based on technique count and diversity
  7. Map detected techniques to MITRE ATT&CK T1497 sub-techniques

Expected Output

JSON report listing detected evasion techniques with MITRE ATT&CK mapping, API call evidence, evasion sophistication score, and classification of evasion categories (timing, VM detection, user interaction, environment fingerprinting).

Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md2.0 KB

Malware Sandbox Evasion Techniques API Reference

MITRE ATT&CK T1497 Sub-techniques

Sub-technique ID Evasion Method
System Checks T1497.001 VM artifacts, registry keys, MAC prefixes, process names
User Activity Based Checks T1497.002 Mouse movement, keyboard input, foreground window
Time Based Evasion T1497.003 GetTickCount, sleep inflation, RDTSC timing

Cuckoo Sandbox Report JSON Structure

API Call Format

{
  "behavior": {
    "processes": [
      {
        "process_name": "malware.exe",
        "pid": 1234,
        "calls": [
          {
            "api": "GetTickCount",
            "category": "system",
            "arguments": {},
            "return": "123456789"
          }
        ]
      }
    ]
  }
}

Timing API Indicators

API Purpose Evasion Use
GetTickCount / GetTickCount64 System uptime in ms Check if uptime < 20min (sandbox)
QueryPerformanceCounter High-res timer Measure sleep accuracy
GetSystemTimeAsFileTime System time Detect time acceleration
NtQuerySystemTime Kernel time query Compare with user-mode time
RDTSC CPU timestamp counter Detect VM overhead in timing

VM Artifact Indicators

Registry Keys

HKLM\SOFTWARE\VMware, Inc.\VMware Tools
HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
HKLM\HARDWARE\ACPI\DSDT\VBOX__
HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest

VM Process Names

vmtoolsd.exe, vmwaretray.exe    # VMware
vboxservice.exe, vboxtray.exe   # VirtualBox
qemu-ga.exe                      # QEMU
prl_tools.exe                    # Parallels

VM MAC Address Prefixes

00:0C:29  VMware
00:50:56  VMware
08:00:27  VirtualBox
00:1C:42  Parallels
52:54:00  QEMU/KVM

AnyRun Report API

Get Report

GET https://api.any.run/v1/analysis/{task_id}
Authorization: API-Key <key>

CLI Usage

python agent.py --report cuckoo_report.json --output evasion_report.json
python agent.py --report report.json --min-sleep-ms 30000

Scripts 1

agent.py7.9 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Analyze malware sandbox evasion techniques from Cuckoo/AnyRun behavioral reports."""

import json
import argparse
from datetime import datetime

TIMING_APIS = {
    "GetTickCount", "GetTickCount64", "QueryPerformanceCounter",
    "QueryPerformanceFrequency", "GetSystemTimeAsFileTime", "NtQuerySystemTime",
    "timeGetTime", "GetLocalTime", "GetSystemTime",
}

SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution", "WaitForSingleObject"}

VM_REGISTRY_KEYS = [
    "HKLM\\SOFTWARE\\VMware", "HKLM\\SOFTWARE\\Oracle\\VirtualBox",
    "HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX", "HKLM\\SYSTEM\\CurrentControlSet\\Services\\VBoxGuest",
    "HKLM\\SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters",
    "HKLM\\HARDWARE\\Description\\System\\SystemBiosVersion",
]

VM_PROCESSES = {
    "vmtoolsd.exe", "vmwaretray.exe", "vboxservice.exe", "vboxtray.exe",
    "qemu-ga.exe", "vmusrvc.exe", "prl_tools.exe", "xenservice.exe",
    "windanr.exe", "vdagent.exe",
}

VM_MAC_PREFIXES = ["00:0C:29", "00:50:56", "08:00:27", "00:1C:42", "00:16:3E", "52:54:00"]

USER_INTERACTION_APIS = {
    "GetCursorPos", "GetAsyncKeyState", "GetForegroundWindow",
    "GetLastInputInfo", "mouse_event", "keybd_event",
}

WMI_EVASION_QUERIES = [
    "Win32_ComputerSystem", "Win32_BIOS", "Win32_DiskDrive",
    "Win32_PhysicalMemory", "Win32_Processor",
]


def parse_cuckoo_report(filepath):
    """Parse a Cuckoo Sandbox behavioral report JSON."""
    with open(filepath) as f:
        report = json.load(f)
    behavior = report.get("behavior", {})
    api_calls = []
    for process in behavior.get("processes", []):
        for call in process.get("calls", []):
            api_calls.append({
                "api": call.get("api", ""),
                "category": call.get("category", ""),
                "arguments": call.get("arguments", {}),
                "return": call.get("return", ""),
                "process_name": process.get("process_name", ""),
                "pid": process.get("pid", 0),
            })
    return api_calls, report


def detect_timing_checks(api_calls):
    """Detect timing-based sandbox evasion via GetTickCount, QPC, etc."""
    findings = []
    timing_count = 0
    for call in api_calls:
        if call["api"] in TIMING_APIS:
            timing_count += 1
    if timing_count >= 3:
        findings.append({
            "technique": "Timing-Based Evasion",
            "mitre_id": "T1497.003",
            "api_count": timing_count,
            "apis_used": list({c["api"] for c in api_calls if c["api"] in TIMING_APIS}),
            "severity": "high",
            "description": f"{timing_count} timing API calls detected; malware may be measuring execution time to detect sandbox acceleration",
        })
    return findings


def detect_sleep_inflation(api_calls, min_sleep_ms=60000):
    """Detect sleep calls with long durations used to evade sandbox time limits."""
    findings = []
    for call in api_calls:
        if call["api"] not in SLEEP_APIS:
            continue
        ms = 0
        args = call.get("arguments", {})
        if isinstance(args, dict):
            ms = int(args.get("Milliseconds", args.get("milliseconds", 0)))
        elif isinstance(args, list):
            for a in args:
                if isinstance(a, dict) and a.get("name", "").lower() == "milliseconds":
                    ms = int(a.get("value", 0))
        if ms >= min_sleep_ms:
            findings.append({
                "technique": "Sleep Inflation",
                "mitre_id": "T1497.003",
                "api": call["api"],
                "sleep_ms": ms,
                "sleep_seconds": ms / 1000,
                "process": call["process_name"],
                "severity": "high",
                "description": f"Sleep call of {ms / 1000:.0f}s detected; likely delaying execution to outlast sandbox analysis window",
            })
    return findings


def detect_vm_artifact_checks(api_calls):
    """Detect VM artifact queries (registry, processes, MAC addresses)."""
    findings = []
    for call in api_calls:
        args_str = json.dumps(call.get("arguments", "")).lower()
        for reg_key in VM_REGISTRY_KEYS:
            if reg_key.lower() in args_str:
                findings.append({
                    "technique": "VM Registry Artifact Check",
                    "mitre_id": "T1497.001",
                    "registry_key": reg_key,
                    "api": call["api"],
                    "severity": "high",
                })
                break
        for wmi_query in WMI_EVASION_QUERIES:
            if wmi_query.lower() in args_str:
                findings.append({
                    "technique": "WMI Environment Fingerprinting",
                    "mitre_id": "T1497.001",
                    "wmi_class": wmi_query,
                    "api": call["api"],
                    "severity": "medium",
                })
                break
    return findings


def detect_user_interaction_checks(api_calls):
    """Detect checks for user interaction (mouse, keyboard, foreground window)."""
    interaction_apis = [c for c in api_calls if c["api"] in USER_INTERACTION_APIS]
    if len(interaction_apis) >= 2:
        return [{
            "technique": "User Interaction Detection",
            "mitre_id": "T1497.002",
            "api_count": len(interaction_apis),
            "apis_used": list({c["api"] for c in interaction_apis}),
            "severity": "medium",
            "description": "Malware checks for user input to determine if running in automated sandbox",
        }]
    return []


def score_evasion_sophistication(all_findings):
    """Score evasion sophistication based on technique diversity."""
    technique_ids = {f["mitre_id"] for f in all_findings}
    categories = {f["technique"].split()[0] for f in all_findings}
    score = min(len(all_findings) * 10 + len(technique_ids) * 15 + len(categories) * 10, 100)
    level = "low" if score < 30 else "medium" if score < 60 else "high"
    return {"score": score, "level": level, "unique_techniques": len(technique_ids), "total_indicators": len(all_findings)}


def main():
    parser = argparse.ArgumentParser(description="Sandbox Evasion Technique Analyzer")
    parser.add_argument("--report", required=True, help="Path to Cuckoo/AnyRun behavioral report JSON")
    parser.add_argument("--min-sleep-ms", type=int, default=60000, help="Minimum sleep duration to flag (ms)")
    parser.add_argument("--output", default="evasion_analysis_report.json", help="Output report path")
    args = parser.parse_args()

    api_calls, raw_report = parse_cuckoo_report(args.report)
    print(f"[+] Parsed {len(api_calls)} API calls from behavioral report")

    timing = detect_timing_checks(api_calls)
    sleep = detect_sleep_inflation(api_calls, args.min_sleep_ms)
    vm_checks = detect_vm_artifact_checks(api_calls)
    user_checks = detect_user_interaction_checks(api_calls)

    all_findings = timing + sleep + vm_checks + user_checks
    sophistication = score_evasion_sophistication(all_findings)

    report = {
        "analysis_time": datetime.utcnow().isoformat() + "Z",
        "sample_sha256": raw_report.get("target", {}).get("file", {}).get("sha256", ""),
        "total_api_calls": len(api_calls),
        "evasion_findings": {
            "timing_checks": timing,
            "sleep_inflation": sleep,
            "vm_artifact_checks": vm_checks,
            "user_interaction_checks": user_checks,
        },
        "total_indicators": len(all_findings),
        "sophistication": sophistication,
        "mitre_techniques": ["T1497.001", "T1497.002", "T1497.003"],
    }

    with open(args.output, "w") as f:
        json.dump(report, f, indent=2)
    print(f"[+] Timing checks: {len(timing)}")
    print(f"[+] Sleep inflation: {len(sleep)}")
    print(f"[+] VM artifact checks: {len(vm_checks)}")
    print(f"[+] User interaction checks: {len(user_checks)}")
    print(f"[+] Evasion sophistication: {sophistication['level']} ({sophistication['score']}/100)")
    print(f"[+] Report saved to {args.output}")


if __name__ == "__main__":
    main()
Keep exploring