Skip to content

T1633 Virtualization/Sandbox Evasion

Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors after checking for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the payload. They may also search for VME artifacts before dropping further payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.

Adversaries may use several methods to accomplish Virtualization/Sandbox Evasion such as checking for system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment.

Item Value
ID T1633
Sub-techniques T1633.001
Tactics TA0030
Platforms Android, iOS
Version 1.1
Created 30 March 2022
Last Modified 20 March 2023

Procedure Examples

ID Name Description
S1061 AbstractEmu AbstractEmu has used code abstraction and anti-emulation checks to potentially avoid running while under analysis.1

Detection

ID Data Source Data Component
DS0041 Application Vetting API Calls

References

  1. P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.