Sandbox Evasion: How to Spot the Signs of Malicious Malware

What is Sandbox Evading Malware?

Sandbox evading malware is malware that knows if it’s inside a virtual machine or a sandbox. These malware infections don’t execute their code until they are out in the user’s controlled environment.

The first malware software to use sandbox evasion occurred in the 1980s. This malware was able to encrypt its code that security specialists were unable to read it. Since then, over 500 sandbox evasion techniques and multiple contemporary malware families were created by cybercriminals.

Nowadays, malware can be used to hide complex threats that are aimed to attack a victim’s computer over an extended period of time. Moreover, there are new types of malware that can bypass technologies that have machine learning algorithms.

Common Sandbox Evasion Techniques

Malware uses sandbox evasion techniques that are based on obtaining environmental awareness detecting system or user interactions.

Detecting User Interaction

We interact with our computer systems in different ways: by clicking with a mouse, scrolling with a wheel, or pressing keys on the keyboard. However, these actions don’t occur within a sandbox environment.

Thus, hackers can code malware to execute the virus after a specific user interaction occurs. Here are some examples:

  • Clicking and moving the mouse: There are some malware viruses that are programmed to monitor the speed of clicks and mouse movements and will stay inactive if the speed is too fast. For instance, Trojan.APT.BaneChan activates after a multiple amounts of mouse clicks are made by the user.
  • Scrolling document: Malware can be programmed to execute after a user scrolls to a particular page on a text document. For example, one piece of malware can activate once a user scrolls to the second page of an RTF document. The malware used paragraph codes found in Microsoft Word documents to detect this. While RTF files have paragraph marks, the code has a series of paragraphs that need to be scrolled before the code is executed. Since the sandbox environment doesn’t have any scroll movements, which keeps the malware dormant.

Detecting System Interactions

Malware can be programmed to detect real system features that aren’t available in virtual or sandbox environments.

  • Digital system signature. Some malware viruses are designed to find your digital signature, which has information about your computer’s configuration.
  • Operating System Reboots. Malware can be programmed to activate once the user reboots their computer. Cybercriminals use this technique because a few sandboxes can’t do reboots. However, the virtual environment can try to emulate reboots by logging the user in and out. The malware software can detect this because not all reboot triggers execute.
  • Environmental Awareness: To check the environment, malware is programmed to detect devices that are installed on the infected system or look for indicators that are only apart of a virtual environment, such as certain filenames, hypervisor calls, and processes that are typical of a sandbox.


To conclude, sandbox evasion techniques can be fatal if you are unable to notice the signs. That’s why you should protect your computer by installing malware detection systems and antivirus software. By being cautious about your computer’s health, you’ll be able to protect yourself from malicious viruses attempting to take your information.

Adam Hansen

Adam is a part time journalist, entrepreneur, investor and father.