Please use this identifier to cite or link to this item: http://repository.aaup.edu/jspui/handle/123456789/3610
Title: Enhanced Windows Sandbox: A Unified Framework for Stealth-Based, Automated Malware Analysis with Centralized Logging (Master's thesis)
Other Titles: Enhancing Windows Sandbox: A Unified Framework for Malware Analysis in a Stealthy and Automated Environment with Centralized Logging.
Authors: Salah, Mohammad Yousef Houssein (AAUP; Palestinian)
Keywords: Malware Analysis, Automated Workflow, Windows Sandbox, Cybersecurity, Threat Intelligence
Issue Date: 2025
Publisher: AAUP
Abstract: The escalating sophistication of malicious software, particularly its use of advanced evasion techniques, poses a significant and persistent challenge to modern cybersecurity. Standard analysis environments, or sandboxes, are often defeated by malware that can detect their virtualized nature, thus hiding its true behavior and undermining analysis. While Microsoft Windows Sandbox offers a promising lightweight, OS-integrated platform, its default configuration is highly detectable and lacks the automation and deep visibility required for rigorous malware analysis. This thesis addresses these deficiencies through the design, implementation, and validation of the "Sandbox Enhancer," a novel system that transforms Windows Sandbox into a stealthy and efficient malware analysis platform. The methodology involved three core thrusts: (1) a systematic identification and modification of sandbox artifacts to enhance environmental stealth; (2) the development of a fully automated workflow to manage the entire analysis lifecycle from setup to reporting; and (3) the integration of a comprehensive logging framework using Sysmon, NxLog, and Graylog to provide deep behavioral visibility. The final system was empirically validated through a large-scale experiment involving the analysis of 1,700 unique malware samples, each pre-identified as "evasive" for having defeated a commercial-grade sandbox. The experimental results demonstrate the profound effectiveness of the "Sandbox Enhancer" system. It successfully compelled 47.8% of these highly evasive samples to execute their malicious payloads, revealing critical behaviors such as network command-and-control (C2) communications and local ransomware activities. The analysis also identified the limitations of the current system, noting that malware employing low-level architectural checks (e.g., for disk capacity or hypervisor timing) could still achieve evasion. 
This research makes a significant contribution by providing a validated, cost-effective, and scalable framework for analyzing evasive malware. It offers a practical model for hardening lightweight virtualization environments and presents a powerful tool for security practitioners and researchers. The findings confirm that through systematic enhancement of stealth, automation, and observability, the utility of platforms like Windows Sandbox can be dramatically elevated, strengthening our collective capabilities in the ongoing fight against cyber threats. In addition to the large-scale experiment, a controlled head-to-head baseline on 200 samples compared the default and enhanced sandboxes, yielding a higher detection rate for the enhanced variant (43.5% vs. 30.5%; Δ=+13.0 p.p.; McNemar p≈0.007).
Description: Master / Cyber Security
URI: http://repository.aaup.edu/jspui/handle/123456789/3610
Appears in Collections: Master Theses and Ph.D. Dissertations

Files in This Item:
File: محمد صلاح.pdf | Size: 1.43 MB | Format: Adobe PDF


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.