{
	"id": "76cd0c80-7a83-4fbe-b1da-8e6d6805f4a8",
	"created_at": "2026-04-06T00:18:08.687948Z",
	"updated_at": "2026-04-10T03:21:45.618272Z",
	"deleted_at": null,
	"sha1_hash": "c706d3e67ee0b4459fbc3f5a88293e6c7da2eef9",
	"title": "Environment Awareness Final Paper.pdf",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 31205,
	"plain_text": "Environment Awareness Final Paper.pdf\r\nArchived: 2026-04-05 20:43:40 UTC\r\nIntroduction\r\nA Sandbox is an isolated and instrumented detonation environment where malware\r\ncan be deployed and observed without causing any harm to the actual system. This type of\r\nsystem is used for dynamic malware analysis and behavior-based detection. In order for\r\nSandboxes to work, it is necessary that the executed file exhibits malicious behavior,\r\notherwise it will be classified as benign.\r\nFollowing this requirement, the main objective of cyber actors and their Sandbox\r\nevasion techniques is to hide the actual behavior of the file and therefore avoid being\r\nlabeled as a potentially malicious threat.\r\nThis investigation will cover the group of techniques used by malware to detect if it is\r\nbeing executed in a controlled environment, such as a system with the presence of Sandbox\r\ntechnology, or a system with the presence of forensic analysts and tools. 
As a result, any\r\nmalicious program that implements these kinds of maneuvers will be aware of these\r\nenvironments and change its behavior to avoid detection or attempt to exit to avoid\r\nfurther analysis.\r\nThe most common responses to these types of detections are:\r\n● The program ends abruptly when it detects that it is being detonated.\r\nHowever, this option is not recommended since it is likely to raise suspicion.\r\n● The program ends abruptly and shows an error message related to a missing\r\nmodule or a corrupted executable file in order to avoid suspicion.\r\n● The program performs only benign operations in order to be classified as a\r\nnon-malicious file.\r\nIn the next section, each of the categories that make up Environment Awareness, and their\r\nrespective sub-techniques, will be explained in depth to give a\r\nclear understanding of how cyber actors carry out the detection of controlled\r\nenvironments.\r\nSource: https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit"
	],
	"report_names": [
		"edit"
	],
	"threat_actors": [],
	"ts_created_at": 1775434688,
	"ts_updated_at": 1775791305,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c706d3e67ee0b4459fbc3f5a88293e6c7da2eef9.pdf",
		"text": "https://archive.orkl.eu/c706d3e67ee0b4459fbc3f5a88293e6c7da2eef9.txt",
		"img": "https://archive.orkl.eu/c706d3e67ee0b4459fbc3f5a88293e6c7da2eef9.jpg"
	}
}