analyzing-malware-sandbox-evasion-techniques

Solid

Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 97/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
96
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Analyzing Malware Sandbox Evasion Techniques ## Overview Sandbox evasion (MITRE ATT&CK T1497) allows malware to detect analysis environments and alter behavior to avoid detection. This skill analyzes behavioral reports from Cuckoo Sandbox and AnyRun for evasion indicators including timing-based checks (GetTickCount, QueryPerformanceCounter, sleep inflation), VM artifact detection (registry keys, MAC address prefixes, process names like vmtoolsd.exe), user interaction checks (mouse movement, keyboard input), and environment fingerprinting (disk size, CPU count, RAM). Detection rules flag samples exhibiting these behaviors for deeper manual analysis. ## When to Use - When investigating security incidents that require analyzing malware sandbox evasion techniques - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Cuckoo Sandbox 2.0+ or AnyRun account for behavioral analysis reports - Python 3.8+ with json library for report parsing - Behavioral report exports in JSON format ## Steps 1. Parse Cuckoo/AnyRun behavioral report JSON files 2. Extract API call sequences for timing-related functions 3. Identify VM artifact detection via registry queries and WMI calls 4. Detect sleep inflation by comparing requested vs actual sleep durations 5. Flag user interaction checks (GetCursorPos, GetA...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

analyzing-malware-behavior-with-cuckoo-sandbox

Executes malware samples in Cuckoo Sandbox to observe runtime behavior including process creation, file system modifications, registry changes, network communications, and API calls. Generates comprehensive behavioral reports for malware classification and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox detonation, behavioral analysis, or automated malware execution.

12,642 Updated today
mukul975
Data & Documents Solid

malware-analysis--sandboxing

Static and dynamic malware analysis, YARA rule generation, sandbox configuration, behavioral profiling, and malware family classification

47 Updated today
Masriyan
AI & Automation Featured

analyzing-network-traffic-of-malware

Analyzes network traffic generated by malware during sandbox execution or live incident response to identify C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based malware detection.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-evasion-techniques-in-endpoint-logs

Detects defense evasion techniques used by adversaries in endpoint logs including log tampering, timestomping, process injection, and security tool disabling. Use when investigating suspicious endpoint behavior, building detection rules for evasion tactics, or conducting threat hunting for stealthy adversary activity. Activates for requests involving evasion detection, defense evasion analysis, log tampering detection, or MITRE ATT&CK TA0005.

12,642 Updated today
mukul975
AI & Automation Solid

security-sandbox

Isolated analysis environment management for malware and exploit testing. Create and manage isolated VMs, configure Cuckoo Sandbox, set up REMnux/FlareVM environments, manage Docker-based analysis containers, and capture filesystem and process changes.

1,034 Updated today
a5c-ai