Skip to content
July 12, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Vulnerability Report
Light/Dark Button
  • Home
  • Technique
  • Talking about sandbox
  • Technique

Talking about sandbox

Do Son May 31, 2017 5 minutes read
ssSandbox

In the past decade or so, the analysis of malware sandbox escape technology has become a silver bullet against high-level persistent threats, although this technology Become more and more popular, but malware developers seem to have found a static analysis based on the method (such as encryption , confusion and anti-reverse protection and other technologies) to avoid the traditional anti-virus security tool detection. Therefore, the analysis and research on the malware sandbox escape technology has become the last line of defense against our high-level persistent threats.

This series of articles mainly describes the current use of malicious software sandbox escape technology, the series points up and down, and will be a detailed analysis of the current three categories of mainstream sandbox escape technology.

Sandbox technology

In fact, the sandbox is a virtual system environment similar to the shadow system , it has a deeper level than the host virtual machine system kernel level technology. It can take over the function of malware to call interface or function behavior, and confirm the virus behavior after the implementation of the rollback mechanism, and let the system to maintain a clean state. It can be used to analyze and test programs that are untrustworthy, destructive, or unable to determine their true intent, and that all changes in the sandbox do not have any effect on the host operating system. Generally speaking, people who use this technology are generally in the field of computer information security professional and technical personnel, especially the anti-virus industry.

The working mechanism of the sandbox is very simple: how to determine whether a document is a malicious document? The sandbox will observe the behavior of the document in a controlled environment, and then judge it based on the analysis of the document Whether it has malicious behavior. The sandbox allows malware to perform all of its malicious functions in a controlled environment and record malicious behavior. After a period of observation, the analysis terminates and the sandbox treats the analysis as a typical malware Behavior mode to scan and detect this malware. Because the sandbox is no longer based on signatures to detect malware, it can even detect certain targeted or previously unwanted malware.

Obviously, behavior-based malware detection technology will only work if the observed file actually performs its malicious behavior in its analysis. If the target does not perform malicious behavior during the analysis, the sandbox will think that the file is friendly. Malware developers will continue to seek more innovative ways to hide the real behavior of malicious software, and to avoid sandbox detection. Here we divide these methods into the following three categories:

1. Sandbox detection: detection of the existence of sandbox (in the detection process only show friendly behavior);

2. Use sandbox vulnerability : the use of sandbox technology or the target environment in the presence of security flaws;

3. Context-Aware-based malware: the time / event / environment to judge, and in the sandbox analysis process will not be exposed to malicious behavior;

Sandbox detection

First of all, the first method of detecting sandboxes is to distinguish the nuances between the sandbox environment and the real target system. If a sandbox is detected, there are usually two ways to deal with malware: to immediately terminate the malicious behavior; only show friendly behavior, without performing malicious operations. We give an example here [the details of the light I], this sample has the following two characteristics:

1. Try to use the test to determine whether the current operating environment is a virtual machine (VM);

2. Detect whether the current environment has a sandbox application running (for example, Sandboxie)

 

We can learn from the details provided by the VMRay Threat Identification Service (VTI) that the VMRay discovery target will attempt to perform sandbox detection and mark this behavior as “highly suspicious”.

Use sandbox loopholes

The second approach is to use the underlying sandbox technology or target system environment in the security flaws to directly attack. For example, we recently found that there are a lot of malicious software use within Microsoft COM components , because most of the sandbox analysis of this sample can not be correct. Another kind of malware will confuse the file format and type, and let the sandbox can not handle such files properly. For example, an attacker could have a malicious file that exceeds the maximum file size that the sandbox can support, and the sandbox will not be able to parse such files.

We give you an example of “I’m getting it,” the malware will try to avoid using the API to avoid sandbox detection, and this method can be used to effectively avoid those based on the driver and function hook sandbox analyzer The But VMRay does not use the hook function, so this malicious software to avoid the sandbox detection attempt was detected and recorded:

 

Context-aware software (Context-Aware)

The third type of method used by malware does not actually attempt to detect or attack the sandbox, which takes advantage of the inherent flaws inherent in this automation system. Because most security detection environments and sandbox analysis systems do not take much time to analyze certain special malware, this malware can only avoid delays in malicious Payload execution time to effectively avoid sandbox detection. In addition to this time-based triggering condition, malware can also use events that typically do not occur in sandboxed environments, such as system reboots and user interactions. It should be noted that some malicious software will search the target device in some special tools, such as an application and localization settings, etc., interested in this part of the students can refer to this article.

In this sample analysis results, we can see that, in addition to trying to detect the virtual machine environment, this malware sample will also be through the installation of scripts and applications to achieve persistent infection:

Share this article:

Facebook Post LinkedIn Telegram
Tags: sandbox

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-1207CVSS 5.4
    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on...
    Admin intel📅 Updated: Jul 10, 2026
  • CVE-2026-48939CVSS 10.0
    A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-56291CVSS 10.0
    The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-55255CVSS 8.4
    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-48908
    A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-56290
    The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-20896CVSS 9.8
    Gitea Docker image: `REVERSE_PROXY_TRUSTED_PROXIES = *` default lets any source IP impersonate any user via `X-WEBAUTH-USER`
    Admin intel📅 Updated: Jul 6, 2026
  • CVE-2026-48282CVSS 10.0
    ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted...
    Admin intelCISA KEV📅 Added to KEV: Jul 7, 2026📅 Updated: Jul 3, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-61447CVSS 10.0
    PraisonAI before 1.6.78 contains a remote code execution vulnerability in CodeAgent._execute_python() that...
  • CVE-2026-61445CVSS 9.9
    PraisonAI before 4.6.78 contains arbitrary file write and command execution vulnerabilities in...
  • CVE-2026-60090CVSS 9.8
    PraisonAI before 4.6.78 fails to validate the caller-controlled dimension argument in the...
  • CVE-2026-57827CVSS 10.0
    The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload...
  • CVE-2026-57828CVSS 9.0
    The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file...
  • CVE-2026-14480CVSS 9.9
    OpenPLC Runtime v3 contains an authenticated arbitrary file write vulnerability in the...
  • CVE-2026-20744CVSS 9.8
    The charging station websocket endpoint accepts connections without proper authentication, which could...
  • CVE-2026-57807CVSS 9.8
    Authentication Bypass Using an Alternate Path or Channel vulnerability in miniOrange Security...
  • CVE-2026-55879CVSS 9.3
    OpenReplay is a self-hosted session replay suite. From 1.24.0 before 1.25.0, the...
  • CVE-2026-12761CVSS 9.8
    The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.