Preprint Article Version 1 Preserved in Portico This version is not peer-reviewed

Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques

Version 1 : Received: 12 October 2020 / Approved: 14 October 2020 / Online: 14 October 2020 (12:34:40 CEST)
Version 2 : Received: 14 November 2020 / Approved: 16 November 2020 / Online: 16 November 2020 (13:40:46 CET)

A peer-reviewed article of this Preprint also exists.

Mills, A.; Legg, P. Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques. J. Cybersecur. Priv. 2021, 1, 19-39. Mills, A.; Legg, P. Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques. J. Cybersecur. Priv. 2021, 1, 19-39.

Journal reference: J. Cybersecur. Priv. 2020, 1, 3
DOI: 10.3390/jcp1010003


Malware analysis is fundamental for defending against prevalent cyber security threats, and requires a means to deploy and study behavioural software traits as more sophisticated malware is developed. Traditionally, virtual machines are used to provide an environment that is isolated from production systems so as to not cause any adverse impact on existing infrastructure. Malware developers are fully aware of this and so will often develop evasion techniques to avoid detection within sandbox environments. In this paper, we conduct an investigation into anti-evasion malware triggers for uncovering malware behaviours that may act benign when they detect a traditional sandbox environment. To facilitate our investigation, we developed a dynamic sandbox reconfiguration tool called MORRIGU that couples together both automated and human-driven analysis for anti-evasion configuration testing, along with a visual analytics view for examining system behaviours and performing comparative analysis. Our study reveals a variety of anti-evasion traits that are shared amongst different malware families, such as sandbox `wear-and-tear’, and Reverse Turing Tests (RTT), as well as more sophisticated malware samples that require multiple anti-evasion checks to be deployed. Using a systematic testing approach such as MORRIGU enables test coverage of anti-evasion methods, whilst also offering flexibility for further human-driven analysis of additional evasion methods. We also perform a comparative study against automated analysis using Cuckoo sandbox to show that automated scoring alone can not reliably inform on the presence of evasive malware, hence requiring a more sophisticated anti-evasive testing approach. With a greater understanding of anti-evasion malware triggers and with appropriate tools to explore these in an effective and efficient manner, this study helps to advance research on how evasive malware is being utilised to evade analysis so that we can better defend against future attacks.


Malware analysis; Context-aware malware; Anti-evasion malware detection



Comments (0)

We encourage comments and feedback from a broad range of readers. See criteria for comments and our diversity statement.

Leave a public comment
Send a private comment to the author(s)
Views 0
Downloads 0
Comments 0
Metrics 0

Notify me about updates to this article or when a peer-reviewed version is published.
We use cookies on our website to ensure you get the best experience.
Read more about our cookies here.