Sandbox / Emulator Detection
What is Sandbox / Emulator Detection?
Anti-analysis techniques in malware that recognize when the host is an analysis sandbox, emulator, or virtual machine and then refuse to detonate, in order to evade detection.
Sandbox and emulator detection is a class of defense-evasion behavior in which malware identifies automated analysis environments (Cuckoo, Joe Sandbox, ANY.RUN, Hatching Triage, FireEye AX, VMware-based commercial sandboxes) and stays dormant or behaves benignly when it finds one. Common probes include: the hypervisor-present bit (CPUID.1:ECX[31]) and the vendor signature returned by CPUID leaf 0x40000000 ("Microsoft Hv" for Hyper-V, "VMwareVMware", "VBoxVBoxVBox", "KVMKVMKVM"); NIC MAC addresses in the VirtualBox or VMware OUI ranges; virtio and other guest drivers or guest-tools services; a small disk, little RAM and one or two CPU cores; a single user account and few or no recent files; a mouse cursor that never moves; analyst tools in the process list (Wireshark, x64dbg, OllyDbg); and time-based stalling that outlasts the detonation window. MITRE ATT&CK tracks the catalogue as T1497 (Virtualization/Sandbox Evasion). Defenders counter with hardened sandboxes that simulate user activity, randomize hostnames, strip vendor strings and guest tools, fast-forward sleep calls, run longer detonation windows, and, when a sample still refuses to run, detonate it on bare metal.
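The probes listed above, reduced to pure functions that score an environment snapshot, as an added example that is not code from the page or from any malware family. Real loaders run these checks natively (`__cpuid`, `GetAdaptersInfo`, `CreateToolhelp32Snapshot`); this Python rendering is the form a sandbox operator would use to test their own box. The CPUID signatures, DMI vendor strings, OUI prefixes and process names are real; the scoring weights, the resource thresholds and the sample snapshots in the test are assumptions of this example.

```python
"""Sandbox / VM fingerprinting as testable probes over an environment snapshot.

Added example, not code from the page or any real sample. Weights and thresholds
are assumed; vendor markers, OUIs and process names are the commonly checked ones.
"""
import os
import shutil
import uuid
from dataclasses import dataclass, field

# Vendor markers a guest can observe: CPUID leaf 0x40000000 signatures (x86, via
# __cpuid on Windows) and Linux DMI strings (/sys/class/dmi/id/sys_vendor).
HYPERVISOR_MARKERS = {
    "Microsoft Hv": "Hyper-V", "VMwareVMware": "VMware", "VBoxVBoxVBox": "VirtualBox",
    "KVMKVMKVM": "KVM", "XenVMMXenVMM": "Xen", "TCGTCGTCGTCG": "QEMU (TCG)",
    "innotek GmbH": "VirtualBox", "VMware, Inc.": "VMware", "QEMU": "QEMU/KVM",
    "Microsoft Corporation": "Hyper-V", "Xen": "Xen",
}
# OUI prefixes (first three octets) hypervisors assign to virtual NICs.
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V", "00:16:3e": "Xen", "52:54:00": "QEMU/KVM",
}
# Guest agents and analyst tooling whose presence betrays an analysis box.
TELLTALE_PROCESSES = {
    "vmtoolsd.exe", "vmwaretray.exe", "vboxservice.exe", "vboxtray.exe",   # guest tools
    "wireshark.exe", "x64dbg.exe", "x32dbg.exe", "ollydbg.exe", "procmon.exe",  # analyst tools
}


@dataclass
class Snapshot:
    mac: str                 # primary NIC, lowercase, colon separated
    hypervisor_marker: str   # CPUID or DMI vendor string, "" if none found
    cpu_cores: int
    ram_gb: float
    disk_gb: float
    processes: list = field(default_factory=list)


def probe(snap: Snapshot) -> list:
    """Run every probe; return (finding, weight) pairs. Weights are assumed values."""
    hits = []
    vendor = HYPERVISOR_MARKERS.get(snap.hypervisor_marker.strip())
    if vendor:
        hits.append((f"hypervisor marker -> {vendor}", 3))
    oui = snap.mac.lower()[:8]
    if oui in VM_MAC_OUIS:
        hits.append((f"MAC OUI {oui} -> {VM_MAC_OUIS[oui]}", 2))
    if snap.cpu_cores < 2:                      # assumed threshold
        hits.append((f"only {snap.cpu_cores} CPU core(s)", 1))
    if snap.ram_gb < 4:                         # assumed threshold
        hits.append((f"only {snap.ram_gb:g} GB RAM", 1))
    if snap.disk_gb < 80:                       # assumed threshold
        hits.append((f"only {snap.disk_gb:g} GB disk", 1))
    seen = TELLTALE_PROCESSES & {p.lower() for p in snap.processes}
    if seen:
        hits.append(("telltale processes: " + ", ".join(sorted(seen)), 2))
    return hits


def looks_like_sandbox(snap: Snapshot, threshold: int = 3) -> bool:
    """One strong signal (vendor marker) or several weak ones crosses the line."""
    return sum(weight for _, weight in probe(snap)) >= threshold


def collect_local() -> Snapshot:
    """Best-effort collector for a Linux host using only the standard library.
    Every read is guarded so it also returns (with blanks) on other platforms."""
    node = uuid.getnode()
    mac = ":".join(f"{(node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))
    marker = ""
    try:
        with open("/sys/class/dmi/id/sys_vendor") as fh:
            marker = fh.read().strip()
    except OSError:
        pass
    try:
        ram_gb = os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES") / 2**30
    except (AttributeError, OSError, ValueError):
        ram_gb = 0.0
    disk_gb = shutil.disk_usage(os.sep).total / 2**30
    procs = []
    if os.path.isdir("/proc"):
        for pid in filter(str.isdigit, os.listdir("/proc")):
            try:
                with open(f"/proc/{pid}/comm") as fh:
                    procs.append(fh.read().strip())
            except OSError:
                continue  # process exited between listdir and open
    return Snapshot(mac, marker, os.cpu_count() or 1, ram_gb, disk_gb, procs)


if __name__ == "__main__":
    local = collect_local()
    for finding, weight in probe(local):
        print(f"[{weight}] {finding}")
    print("verdict:", "sandbox" if looks_like_sandbox(local) else "looks real")
```

Run it inside a candidate detonation VM: every line it prints is an artifact a hardened sandbox should remove (rename guest-tools services, spoof the MAC OUI, give the VM realistic RAM, disk and core counts), and a clean run is the baseline to re-check after each sandbox upgrade.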
● Examples
- 01
A loader that exits cleanly if it finds the VMware Tools service (vmtoolsd.exe) in the process list or reads the Hyper-V signature 'Microsoft Hv' from CPUID leaf 0x40000000.
- 02
Ransomware that waits 20 minutes before any malicious action, designed to time out short sandbox runs.
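The time-based stalling probe from the definition and example 02 above, together with the check malware pairs with it, as an added example that is not code from the page or from any ransomware family. A sandbox that fast-forwards `Sleep()` defeats a plain 20-minute wait, so a stalling loader also measures whether the wait really elapsed, splits it into chunks small enough to slip under per-call skipping thresholds, and compares two clock sources to catch a hook that patched only one. The tolerance ratios, chunk sizes and the simulated `SkippingSandbox` are assumptions of this example.

```python
"""Time-based stalling with sleep-skip detection.

Added example, not code from the page or any real sample. The decision
thresholds (tolerance, slack, chunk size) are assumed values.
"""
import time


def sleep_was_skipped(seconds, sleep=time.sleep, clock=time.monotonic, tolerance=0.5):
    """Stall once and report whether less than `tolerance` of the requested wait
    actually elapsed on the monotonic clock, i.e. the sleep was fast-forwarded."""
    start = clock()
    sleep(seconds)
    return (clock() - start) < tolerance * seconds


def fragmented_stall(total_s, chunk_s, sleep=time.sleep, clock=time.monotonic):
    """Stall for `total_s` in `chunk_s` pieces (sandboxes often skip only long
    sleeps) and count how many chunks came back early."""
    chunks = max(1, round(total_s / chunk_s))
    skipped = sum(sleep_was_skipped(chunk_s, sleep, clock) for _ in range(chunks))
    return {"chunks": chunks, "skipped": skipped}


def safe_to_detonate(total_s, chunk_s, sleep=time.sleep,
                     wall=time.time, mono=time.monotonic, slack=0.25):
    """Loader decision: detonate only if every chunk was honoured AND the wall
    clock and the monotonic clock advanced by the same amount. A sandbox that
    hooks one clock source but not the other produces a visible divergence."""
    w0, m0 = wall(), mono()
    report = fragmented_stall(total_s, chunk_s, sleep, mono)
    wall_dt, mono_dt = wall() - w0, mono() - m0
    honoured = report["skipped"] == 0
    clocks_agree = abs(wall_dt - mono_dt) <= slack * total_s
    return honoured and clocks_agree


class SkippingSandbox:
    """Constructed stand-in for a sandbox that fast-forwards waits: sleep()
    returns at once and advances only the wall clock it patched, leaving the
    monotonic clock untouched. Used to exercise the checks without waiting."""

    def __init__(self):
        self.wall, self.mono = 1_700_000_000.0, 0.0

    def sleep(self, seconds):
        self.wall += seconds      # pretend the wait happened

    def time(self):
        return self.wall

    def monotonic(self):
        return self.mono


if __name__ == "__main__":
    sb = SkippingSandbox()
    print("simulated sandbox:", fragmented_stall(1200.0, 30.0, sb.sleep, sb.monotonic),
          "detonate?", safe_to_detonate(1200.0, 30.0, sb.sleep, sb.time, sb.monotonic))
    print("this host (0.2 s stall):", fragmented_stall(0.2, 0.05),
          "detonate?", safe_to_detonate(0.2, 0.05))
```

For the defender this is the reason "longer detonation windows" is only half the counter: a sandbox that shortens sleeps must shorten every clock the guest can read consistently (tick count, performance counter, wall time, and time observed over the network), or the stall logic notices and the sample stays dormant.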
● Frequently asked questions
What is Sandbox / Emulator Detection?
Anti-analysis techniques in malware that recognize when the host is an analysis sandbox, emulator, or virtual machine and then refuse to detonate to evade detection. It belongs to the Defense & Operations category of cybersecurity.
What does Sandbox / Emulator Detection mean?
Anti-analysis techniques in malware that recognize when the host is an analysis sandbox, emulator, or virtual machine and then refuse to detonate to evade detection.
How do you defend against Sandbox / Emulator Detection?
Defences combine sandbox hardening (simulated user activity and mouse movement, randomized hostnames, removal of hypervisor vendor strings and guest-tools artifacts, realistic RAM, disk and core counts, sleep fast-forwarding) with longer detonation windows and, for samples that still refuse to run, bare-metal detonation systems, as described in the full definition above.
What are other names for Sandbox / Emulator Detection?
Common alternative names include: Anti-VM, Anti-sandbox, VM-aware malware.