Malware analysis in the sandbox

Under the Microscope

WannaCry Kill Switch

The WannaCry developers adapted their detection mechanism for the special way that sandboxes handle Internet access. Many sandboxes provide an Internet emulator to limit and control, but not prevent, the malware's communication capabilities. The Internet emulator then responds to all Internet connection attempts on behalf of the requested servers. This usually happens regardless of whether or not the domain names and IP addresses actually exist.

When WannaCry is run in a sandbox, the functionality to encrypt systems and attack other vulnerable systems suddenly stops working. The shutdown was caused by the sandbox's Internet emulator. WannaCry queries a previously unregistered, cryptically structured domain. On any commercial system, the request causes a connection error because the name cannot be resolved by the DNS.

If this connection error occurs, everything seems to be okay, and the malware begins to infect other systems. However, if a connection is possible, the malware developers suspect that their malicious code is being analyzed, and nothing else happens. The spread of WannaCry in May 2017 was finally stopped by the fact that the English analysis team simply registered the previously unregistered domain. At the time, the analysis team did not even know exactly what would happen [4].


Sandboxes allow the dynamic analysis of malware and the investigation of effects when running in a secure environment. While analysts optimize their sandboxes to remain as hidden as possible from the malware, the dark side also optimizes the corresponding detection mechanisms.

In the case of WannaCry, the detection mechanism blew up in the attacker's face. The malware's own protection function led to a far-reaching shutdown of the malicious functions, thus preventing damage to some companies that were still vulnerable.

This article has provided a little insight into the world of analysis and countermeasure techniques. Finally, and not without a touch of irony, there is no escaping the fact that, as a legitimate user, you are probably safest inside an obvious sandbox. The only problem being that running software in a sandbox will probably not give you the performance you need.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.

Learn More”>


		<div class=