A Large Language Model Approach to Generating Bypass Rules for Malware Evasion in Analysis Sandbox
Zhiyong Sui, Lamine Noureddine, Mst Eshita Khatun, Sideeq Bello, Justin Woodring, Aisha Ali-Gombe

TL;DR
This paper presents ABLE, a novel LLM-based system that automatically generates bypass rules for sandbox evasion in malware analysis, significantly improving detection and analysis of evasive malware.
Contribution
ABLE introduces an automated, scalable approach using large language models to generate and refine bypass rules, reducing reliance on manual reverse engineering.
Findings
Achieves 79% bypass success rate on real-world malware
Identifies 47% more malware families compared to existing platforms
Iterative refinement accounts for 29.5% of successful bypasses
Abstract
Sandbox evasion remains a critical challenge for automated malware analysis, as modern malware employs environment checks to detect analysis platforms and suppress malicious behavior. Existing approaches rely on manually crafted bypass rules that require deep reverse engineering of each evasion mechanism, an approach that cannot scale against rapidly evolving evasion techniques. In this paper, we leverage large language models (LLMs) to automatically generate YARA rules that bypass evasion checks in sandbox environments. We propose ABLE, which analyzes execution traces from malware terminated due to potentially evasive behavior and employs multiple reasoning strategies to generate targeted bypass rules. To address syntactic errors and improve the efficacy of the bypass rules in the LLM outputs, we introduce an auto-sanitization pipeline and feedback-driven iterative refinement. We…
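As an added illustration (not code from the ABLE paper or its authors; the page does not describe ABLE's actual sanitizer or feedback format), the following Python sketches the two stages the abstract names after generation: an auto-sanitization and structural validation pass over LLM-generated YARA rule text, and a bounded feedback loop that turns the validator's findings into the next prompt. The specific checks, the rule name `evasion_check`, the placeholder string values and the three scripted model replies are all constructed assumptions.

```python
"""Added example, not code from the ABLE paper: a minimal sanitize -> validate
-> refine loop for LLM-generated YARA rule text. Every check here is an
assumption about what such a pipeline could do; the page does not describe
ABLE's own sanitizer or its feedback format."""
import re

FENCE_RE = re.compile(r"```[a-zA-Z]*\s*(.*?)```", re.S)
HEADER_RE = re.compile(
    r"^\s*(?:(?:private|global)\s+)*rule\s+[A-Za-z_][A-Za-z0-9_]*\s*(?::[^{]*)?\{", re.M)
STRING_DEF_RE = re.compile(r"^\s*(\$[A-Za-z0-9_]*)\s*=", re.M)
STRING_REF_RE = re.compile(r"\$(?:[A-Za-z0-9_]+\*?|\*)")


def sanitize(llm_output: str) -> str:
    """Drop chat framing: keep the first fenced block if there is one, then discard
    any explanatory prose the model placed before the 'rule' keyword."""
    m = FENCE_RE.search(llm_output)
    text = m.group(1) if m else llm_output
    idx = text.find("rule ")
    return text[idx:].strip() if idx >= 0 else text.strip()


def _sections(rule_text: str) -> tuple[str, str]:
    """Return (strings section, condition section); either may be empty."""
    body, cond = rule_text, ""
    if "condition:" in body:
        body, cond = body.split("condition:", 1)
    strings = body.split("strings:", 1)[1] if "strings:" in body else ""
    return strings, cond


def validate(rule_text: str) -> list[str]:
    """Structural checks that catch the usual LLM slips before a real YARA compile.
    Returns a list of problems; an empty list means the rule passes."""
    problems = []
    if not HEADER_RE.search(rule_text):
        problems.append("missing 'rule <name> {' header")
    if rule_text.count("{") != rule_text.count("}"):
        problems.append("unbalanced braces")
    if "condition:" not in rule_text:
        problems.append("missing 'condition:' section")
    strings, cond = _sections(rule_text)
    defined = set(STRING_DEF_RE.findall(strings))
    refs = STRING_REF_RE.findall(cond)
    # 'them' and '$x*' wildcards reference every defined string at once.
    uses_all = "them" in cond.split() or any(r.endswith("*") for r in refs)
    for ref in sorted(set(refs)):
        if not ref.endswith("*") and ref not in defined:
            problems.append(f"condition references undefined string {ref}")
    if not uses_all:
        for name in sorted(defined - set(refs)):
            problems.append(f"string {name} is defined but never referenced")
    return problems


def refine(model, max_rounds: int = 3):
    """Bounded feedback loop. `model(feedback)` returns the next candidate text
    (feedback is None on the first call). Returns (accepted rule or None, history),
    where history holds the problem list found in each round."""
    feedback, history = None, []
    for _ in range(max_rounds):
        rule = sanitize(model(feedback))
        problems = validate(rule)
        history.append(problems)
        if not problems:
            return rule, history
        feedback = "Fix the following and return only the rule:\n- " + "\n- ".join(problems)
    return None, history


# Constructed stand-in for three successive model replies (not real ABLE output).
CONSTRUCTED_OUTPUTS = [
    # round 1: chat prose, an undefined string $b in the condition, missing '}'
    'Sure, here is a rule:\n```yara\nrule evasion_check {\n  strings:\n'
    '    $a = "placeholder_artifact_1"\n  condition:\n    $a or $b\n```',
    # round 2: brace fixed, $b still undefined
    '```yara\nrule evasion_check {\n  strings:\n    $a = "placeholder_artifact_1"\n'
    '  condition:\n    $a or $b\n}\n```',
    # round 3: both strings defined, wildcard condition
    '```yara\nrule evasion_check {\n  strings:\n    $a = "placeholder_artifact_1"\n'
    '    $b = "placeholder_artifact_2"\n  condition:\n    any of them\n}\n```',
]


def scripted_model():
    """Return a callable that replays CONSTRUCTED_OUTPUTS in order, ignoring feedback."""
    replies = iter(CONSTRUCTED_OUTPUTS)
    return lambda feedback: next(replies)


if __name__ == "__main__":
    accepted, rounds = refine(scripted_model())
    for i, probs in enumerate(rounds, 1):
        print(f"round {i}: {probs or 'ok'}")
    print(accepted)
```

The structural checks are deliberately cheap so they can run on every candidate before the expensive step (compiling the rule and re-running the sample in the sandbox); in a real pipeline the compiler's own error text and the sandbox verdict would be appended to the feedback string in the same way.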
