Bypass-Sandbox-Evasion

• Sandboxes are widely used to analyse malwares , They provide a temporary, isolated and secure environment to observe if a suspicious file attempts anything malicious. Of course, Over time malware developers have also added methods to avoid sandboxes and analysis environments by performing various checks to see if there is an actual user operating the machine the malware is being executed on, and one of those checks and the one that we will bypass is ram check eg an unrealistically small RAM size (e.g. 1GB) can be indicative of a sandbox ,If the malware detects a sandbox, it will not execute its true malicious behavior and therefore appears to be another benign file.

Details

• the GetPhysicallyInstalledSystemMemory API Retrieves the amount of RAM that is physically installed on the computer from the SMBIOS firmware tables, it takes PULONGLONG in parameters and returns TRUE if function succeeds and sets the TotalMemoryInKilobytes to a nonzero value otherwise it returns FALSE.

  
  

Github : https://github.com/ZeroMemoryEx/Bypass-Sandbox-Evasion