2

I am looking for a few malware samples that detect sandboxes using uncommon API calls. I understand that one of the drawbacks of OS-emulated sandboxes is that the malware can use uncommon API calls to crash the emulator/sandbox. Does anyone know of such samples? It would be great if different samples asking for different APIs could be supplied.

Thank you!

2
  • 4
    I'm voting to close this question as off-topic because it's not about reverse-engineering. It's sample collection. Commented Oct 4, 2019 at 18:00
  • @peterferrie Is there some other forum/website where I can ask for such help if it is deemed as off-topic here? Commented Oct 5, 2019 at 3:53

2 Answers

0

I don't have any experience with this directly, so take it with a grain of salt. If you take a look at what Sandboxie does, on top of their driver they also have a huge number of ring3 hooks on WinAPI. There are also lots of other things to check for, even something as simple as their module being loaded. Point being that I don't think an individual example will really do much good because there are so many countless ways to detect it. The same goes for other sandbox emulation, VMs, etc.

1
  • I am actually looking for malware with specific techniques in order to test it against different sandbox architectures as part of a research project. Commented Oct 4, 2019 at 1:19
0

I don't have the samples but here's the report on the malware which does sandbox detection: https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp_1.pdf so that you can be more specific in your samples search.
