x64dbg

Introduction

Debugging with x64dbg allows real-time dynamic analysis of the malware's behavior. When the program is loaded, execution halts at the entry point.

Bypassing Sandbox Detection

Any decent malware developer will add checks within the software to see if the execution is taking place in a Sandbox / VM. As I learn more methods, I'll add them here.

Copying the Address from IDA

If we know the address where the sandbox detection is taking place, we search for it in the x64dbg CPU Disassembler.

Address of cmp (found in IDA):

.text:00000000004032C8                 cmp     [rsp+148h+Type], 1

Searching through Strings

Right-click anywhere on the disassembly view, and choose Search for > Current Module > String references.

Double-click on the address where we see "Sandbox Detected".

Changing the value:

The cmp instruction does not return a value; it subtracts its operands, discards the difference and sets the CPU flags (most importantly the zero flag, ZF, which is set when the two operands are equal). The conditional jump that follows the cmp reads those flags to decide whether the "Sandbox Detected" path is taken. With the instruction selected, pressing the spacebar opens x64dbg's Assemble dialog, which lets us rewrite the instruction (for example the immediate being compared, or the conditional jump itself) so that the check takes the other branch.
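To make the flags mechanism concrete, the following C program models `cmp` and the conditional jumps that consume its flags, then shows the effect of the two edits an analyst typically makes in the Assemble dialog. This is an added example written for these notes, not code from the original page or from x64dbg; the `Type` value of 1 and the `je` that is assumed to follow the `cmp` at `.text:4032C8` are assumptions, since the page does not show the jump instruction.

```c
/* Added example (not from the original notes): models how the x86-64 `cmp`
 * instruction communicates its result to the following conditional jump.
 * cmp performs dst - src, discards the difference and updates RFLAGS; a
 * `je`/`jne` then reads the zero flag (ZF).  The instruction quoted in the
 * notes (cmp [rsp+148h+Type], 1) compares a stack variable with 1; which
 * jcc follows it is NOT given on the page, so a `je` leading to the
 * "Sandbox Detected" path is an assumption of this example. */
#include <stdint.h>
#include <stdio.h>

/* The three RFLAGS bits most often consumed by a conditional jump. */
typedef struct {
    int zf; /* zero flag: operands were equal */
    int cf; /* carry flag: unsigned borrow (dst < src as unsigned) */
    int sf; /* sign flag: top bit of the discarded difference */
} flags_t;

/* Model of `cmp dst, src` for 64-bit operands. */
flags_t cmp64(uint64_t dst, uint64_t src)
{
    uint64_t diff = dst - src;          /* computed, then discarded by real cmp */
    flags_t f;
    f.zf = (diff == 0);
    f.cf = (dst < src);
    f.sf = (int)((diff >> 63) & 1);
    return f;
}

/* Conditional jumps only read flags; they never see the operands. */
int je_taken(flags_t f)  { return f.zf; }
int jne_taken(flags_t f) { return !f.zf; }

/* Models the check from the notes:  cmp [rsp+148h+Type], imm  /  je detected
 * Returns 1 when the (assumed) "Sandbox Detected" branch would be taken. */
int sandbox_branch_taken(uint64_t type_value, uint64_t immediate)
{
    return je_taken(cmp64(type_value, immediate));
}

/* Two edits an analyst applies through x64dbg's Assemble dialog (spacebar):
 * (a) change the immediate so equality no longer holds for the observed value,
 * (b) invert the jump (je -> jne) so the detected path is taken only when it
 *     originally would not have been.  Both are modeled here on values only;
 *     no real instruction bytes are touched. */
int sandbox_branch_taken_patched_imm(uint64_t type_value)
{
    /* constructed: original immediate 1 replaced by 0xFF */
    return sandbox_branch_taken(type_value, 0xFF);
}

int sandbox_branch_taken_inverted_jcc(uint64_t type_value)
{
    return jne_taken(cmp64(type_value, 1));
}

int main(void)
{
    uint64_t observed_type = 1; /* constructed: value the VM/sandbox check produced */
    printf("original  cmp ...,1   ; je  -> detected path taken: %d\n",
           sandbox_branch_taken(observed_type, 1));
    printf("patched   cmp ...,FFh ; je  -> detected path taken: %d\n",
           sandbox_branch_taken_patched_imm(observed_type));
    printf("inverted  cmp ...,1   ; jne -> detected path taken: %d\n",
           sandbox_branch_taken_inverted_jcc(observed_type));
    return 0;
}
```

The point the model makes is that the compared value itself is never what the jump sees; only ZF (and CF/SF for signed or unsigned comparisons) is. Either rewriting the immediate or flipping the condition therefore changes which branch executes, and the same reasoning applies when the check is implemented with `test` instead of `cmp`.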
