3. Delay Execution

A common technique used to evade sandbox detection is adding a delay. The idea is to pause execution before performing any malicious action, so that the sandbox's analysis window times out before the payload does anything it could flag as malicious.

There are a few issues with this technique:

  • The antivirus might detect that the executable calls a sleep function in the main function and flag it as malicious on that basis.

    • I found any sleep functions to be more effective when they are called within a wrapper function outside the main()

  • Some AV engines will speed up the sleep function (more sandbox evasion opportunities)

Let's explore some code examples in Go.

Part of the Go standard library is the package time. This package has a few functions that could be useful.
