- Sandboxes are widely used to analyse malware. They provide a temporary, isolated and secure environment in which to observe whether a suspicious file attempts anything malicious. Over time, malware developers have added methods to avoid sandboxes and analysis environments by performing various checks to see whether an actual user is operating the machine the malware is executed on. One of those checks, and the one that we will bypass, is the RAM check: an unrealistically small RAM size (e.g. 1GB) can be indicative of a sandbox. If the malware detects a sandbox, it will not execute its true malicious behavior and therefore appears to be just another benign file.
The GetPhysicallyInstalledSystemMemory API retrieves the amount of RAM that is physically installed on the computer from the SMBIOS firmware tables. It takes a PULONGLONG parameter and returns TRUE if the function succeeds, setting TotalMemoryInKilobytes to a nonzero value; otherwise it returns FALSE.
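An added example, not from the original post: a Python check for the analyst's side that scans a sandbox API trace for a process that read a small RAM size through GetPhysicallyInstalledSystemMemory and exited right after, which is the behaviour described above. The trace format, the sample records, the 2 GB threshold and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

RAM_API = "GetPhysicallyInstalledSystemMemory"
EXIT_APIS = {"ExitProcess", "TerminateProcess"}
# Hypothetical trace line format: "<pid> <api>(<args>) = <result>"
LINE = re.compile(r"^(\d+) (\w+)\((.*)\) = (\S+)$")

# Constructed sample trace from a sandbox VM configured with 1 GB of RAM.
SAMPLE_TRACE = """\
1204 GetPhysicallyInstalledSystemMemory(kb=1048576) = TRUE
1204 ExitProcess(0) = -
2310 GetPhysicallyInstalledSystemMemory(kb=1048576) = TRUE
2310 CreateFileW(report.docx) = 0x1c4
2310 WriteFile(0x1c4) = TRUE
2310 ExitProcess(0) = -
3388 GetPhysicallyInstalledSystemMemory(kb=0) = FALSE
3388 ExitProcess(1) = -
"""

def parse(trace):
    """Group (api, args, result) tuples by pid, keeping call order."""
    calls = defaultdict(list)
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if m:
            pid, api, args, ret = m.groups()
            calls[int(pid)].append((api, args, ret))
    return calls

def flag_ram_check_exits(trace, small_kb=2 * 1024 * 1024, max_followup=2):
    """Return {pid: reported_kb} for processes that read a small RAM size
    and terminated within max_followup calls of the query."""
    flagged = {}
    for pid, seq in parse(trace).items():
        for i, (api, args, ret) in enumerate(seq):
            if api != RAM_API or ret != "TRUE":
                continue  # FALSE: TotalMemoryInKilobytes was not set
            kb = int(args.split("=", 1)[1])
            tail = [name for name, _, _ in seq[i + 1:]]
            exits_soon = any(name in EXIT_APIS for name in tail[:max_followup])
            if kb <= small_kb and exits_soon:
                flagged[pid] = kb
                break
    return flagged

if __name__ == "__main__":
    for pid, kb in flag_ram_check_exits(SAMPLE_TRACE).items():
        print(f"pid {pid}: read {kb // (1024 * 1024)} GB of RAM, then exited")
```

A flagged sample is a candidate for a second run in an environment that reports a realistic amount of memory, so the two behaviour reports can be compared.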
*Be careful when clicking the link!