Sandbox / Emulator Detection
What is Sandbox / Emulator Detection?
Anti-analysis techniques in malware that recognize when the host is an analysis sandbox, emulator, or virtual machine and then refuse to detonate to evade detection.
Sandbox and emulator detection is a class of defense-evasion behavior used by malware to identify automated analysis environments — Cuckoo, Joe Sandbox, ANY.RUN, Hatching Triage, FireEye AX, VMware-based commercial sandboxes — and stay dormant or display benign behavior when one is detected. Common probes include checking for VirtualBox / VMware MAC ranges, virtio drivers, Hyper-V CPUID strings (Microsoft Hv), small disk or RAM, low CPU core counts, single user account, recent files, accelerated mouse without movement, presence of analyst tools (Wireshark, x64dbg, OllyDbg), and time-based stalling. The MITRE ATT&CK technique T1497 (Virtualization/Sandbox Evasion) tracks the catalogue. Defenders counter with hardened sandboxes that fake real user activity, randomized hostnames, longer detonation windows, and bare-metal detonation systems.
● Examples
- 01: A loader that exits cleanly if it finds vmware.exe in the process list or detects the Hyper-V CPUID vendor string 'Microsoft Hv'.
- 02: Ransomware that waits 20 minutes before any malicious action, designed to time out short sandbox runs.
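The two examples above share one behavioural shape: probe the environment, then stall or exit without ever touching a payload. As an added illustration (not code from this page or from any sandbox vendor), the scorer below walks a constructed sandbox API trace and flags the tells described in the definition: a hypervisor CPUID query, VM-artifact lookups, long sleeps, and an early exit with no payload activity. The trace format, API names and thresholds are assumptions for the example.

```python
import re
# Constructed API-trace events as (seconds_since_start, api_name, argument);
# illustrative values, not output from any real sandbox.
EVASIVE_TRACE = [
    (0.10, "CreateToolhelp32Snapshot", "TH32CS_SNAPPROCESS"),
    (0.20, "Process32Next", "vmware.exe"),
    (0.25, "cpuid", "leaf=0x40000000 vendor=Microsoft Hv"),
    (0.30, "RegOpenKeyEx", r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"),
    (0.40, "Sleep", "1200000"),                 # 20 minutes, in milliseconds
    (0.50, "ExitProcess", "0"),
]
BENIGN_TRACE = [
    (0.10, "CreateFileW", r"C:\Users\user\report.docx"),
    (0.20, "WriteFile", "4096 bytes"),
    (0.30, "Sleep", "250"),
    (2.00, "ExitProcess", "0"),
]
# Indicator patterns taken from the probes described on this page (T1497).
VM_ARTIFACTS = re.compile(r"vmware|vbox|virtualbox|qemu|virtio|xen|hyper-?v|microsoft hv", re.I)
ANALYST_TOOLS = re.compile(r"wireshark|x64dbg|x32dbg|ollydbg", re.I)
LOOKUP_APIS = {"Process32Next", "RegOpenKeyEx", "RegQueryValueEx", "GetAdaptersInfo"}
PAYLOAD_APIS = {"CreateFileW", "WriteFile", "CreateProcessW", "connect", "send"}
HYPERVISOR_LEAF = "0x40000000"       # CPUID leaf where a hypervisor reports its vendor
STALL_THRESHOLD_MS = 5 * 60 * 1000   # flag any single sleep of five minutes or more
EARLY_EXIT_SECONDS = 10.0            # assumed cut-off for "left before doing anything"

def score_trace(events):
    """Return (score, reasons): one entry per distinct evasion category observed."""
    reasons = {}
    payload_activity = False
    exit_time = None
    for t, api, arg in events:
        if api == "cpuid" and HYPERVISOR_LEAF in arg:
            reasons["hypervisor_cpuid"] = arg
        elif api in LOOKUP_APIS and VM_ARTIFACTS.search(arg):
            reasons["vm_artifact"] = f"{api}: {arg}"
        elif api in LOOKUP_APIS and ANALYST_TOOLS.search(arg):
            reasons["analyst_tool"] = f"{api}: {arg}"
        elif api == "Sleep" and int(arg) >= STALL_THRESHOLD_MS:
            reasons["stalling"] = f"Sleep({arg} ms)"
        elif api in PAYLOAD_APIS:
            payload_activity = True
        elif api == "ExitProcess":
            exit_time = t
    # Probing the host and then leaving without any payload activity is the "refuse to detonate" pattern.
    probed = any(k in reasons for k in ("hypervisor_cpuid", "vm_artifact", "analyst_tool"))
    if probed and exit_time is not None and exit_time < EARLY_EXIT_SECONDS and not payload_activity:
        reasons["early_exit"] = f"exit at {exit_time:.2f}s with no payload activity"
    return len(reasons), reasons
```

A sandbox that scores a run this way can route high-scoring samples to a longer detonation window or a bare-metal system, which is the counter-measure the definition describes.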
● Frequently asked questions
What is Sandbox / Emulator Detection?
Anti-analysis techniques in malware that recognize when the host is an analysis sandbox, emulator, or virtual machine and then refuse to detonate to evade detection. It belongs to the Defense & Operations category of cybersecurity.
What does Sandbox / Emulator Detection mean?
Anti-analysis techniques in malware that recognize when the host is an analysis sandbox, emulator, or virtual machine and then refuse to detonate to evade detection.
How does Sandbox / Emulator Detection work?
Sandbox and emulator detection is a class of defense-evasion behavior used by malware to identify automated analysis environments — Cuckoo, Joe Sandbox, ANY.RUN, Hatching Triage, FireEye AX, VMware-based commercial sandboxes — and stay dormant or display benign behavior when one is detected. Common probes include checking for VirtualBox / VMware MAC ranges, virtio drivers, Hyper-V CPUID strings (Microsoft Hv), small disk or RAM, low CPU core counts, single user account, recent files, accelerated mouse without movement, presence of analyst tools (Wireshark, x64dbg, OllyDbg), and time-based stalling. The MITRE ATT&CK technique T1497 (Virtualization/Sandbox Evasion) tracks the catalogue. Defenders counter with hardened sandboxes that fake real user activity, randomized hostnames, longer detonation windows, and bare-metal detonation systems.
How do you defend against Sandbox / Emulator Detection?
Defences for Sandbox / Emulator Detection combine technical controls and operational practices, as described in the full definition above: hardened sandboxes that emulate genuine user activity, randomized hostnames and other machine identifiers, longer detonation windows that outlast stalling loops, and bare-metal detonation systems that expose no virtualization artifacts.
What are other names for Sandbox / Emulator Detection?
Common alternative names include: Anti-VM, Anti-sandbox, VM-aware malware.
● Related terms
- Defense Evasion (defense-ops): The MITRE ATT&CK tactic (TA0005) covering techniques attackers use to avoid detection, disable security tools, and hide their activity on a target system.
- Malware Analysis (forensics-ir): The structured study of a malicious sample to understand its functionality, origin, indicators of compromise, and impact on affected systems.
- Sandbox Escape (defense-ops): A vulnerability or exploit chain that lets code break out of an isolating sandbox — browser, VM, or hypervisor — to gain code execution in the surrounding host environment.
- Reverse Engineering (forensics-ir): The process of disassembling and analyzing compiled software, firmware, or hardware to recover its design, behavior, and inner workings.
- Fileless Malware (malware): Malware that runs primarily in memory and leverages trusted system tools, avoiding the use of traditional executable files on disk.
- Polymorphic Malware (malware): Malware that changes its on-disk appearance — typically via re-encryption or packing — for each infection, while keeping its core logic intact.