Preprint Article Version 2 Preserved in Portico This version is not peer-reviewed

Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques

Version 1 : Received: 12 October 2020 / Approved: 14 October 2020 / Online: 14 October 2020 (12:34:40 CEST)
Version 2 : Received: 14 November 2020 / Approved: 16 November 2020 / Online: 16 November 2020 (13:40:46 CET)

A peer-reviewed article of this Preprint also exists.

Mills, A.; Legg, P. Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques. J. Cybersecur. Priv. 2021, 1, 19-39. Mills, A.; Legg, P. Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques. J. Cybersecur. Priv. 2021, 1, 19-39.


Malware analysis is fundamental for defending against prevalent cyber security threats, and requires a means to deploy and study behavioural software traits as more sophisticated malware is developed. Traditionally, virtual machines are used to provide an environment that is isolated from production systems so as to not cause any adverse impact on existing infrastructure. Malware developers are fully aware of this and so will often develop evasion techniques to avoid detection within sandbox environments. In this paper, we conduct an investigation of anti-evasion malware triggers for uncovering malware that may attempt to conceal itself when deployed in a traditional sandbox environment. To facilitate our investigation, we developed a tool called MORRIGU that couples together both automated and human-driven analysis for systematic testing of anti-evasion methods using dynamic sandbox reconfiguration techniques. This is further supported by visualisation methods for performing comparative analysis of system activity when malware is deployed under different sandbox configurations. Our study reveals a variety of anti-evasion traits that are shared amongst different malware families, such as sandbox `wear-and-tear', and Reverse Turing Tests (RTT), as well as more sophisticated malware samples that require multiple anti-evasion checks to be deployed. We also perform a comparative study using Cuckoo sandbox to demonstrate the limitations of adopting only automated analysis tools, to justify the exploratory analysis provided by MORRIGU. By adopting a clearer systematic process for uncovering anti-evasion malware triggers, as supported by tools like MORRIGU, this study helps to further the research of evasive malware analysis so that we can better defend against such future attacks.

Supplementary and Associated Material MORRIGU software tools and curated evasion malware data available from the author's home page


Malware analysis; Context-aware malware; Anti-evasion malware detection


Computer Science and Mathematics, Algebra and Number Theory

Comments (1)

Comment 1
Received: 16 November 2020
Commenter: Phil Legg
Commenter's Conflict of Interests: Author
Comment: Article updated based on reviewer comments - minor revisions to discussion and conclusions, and formatting updates.
+ Respond to this comment

We encourage comments and feedback from a broad range of readers. See criteria for comments and our Diversity statement.

Leave a public comment
Send a private comment to the author(s)
* All users must log in before leaving a comment
Views 0
Downloads 0
Comments 1
Metrics 0

Notify me about updates to this article or when a peer-reviewed version is published.
We use cookies on our website to ensure you get the best experience.
Read more about our cookies here.