In his VB2014 paper, James Wyke explores the different strategies malicious samples employ when a sandbox has been detected. He looks at examples of decoy behaviour that range from dummy files being dropped to the use of fixed path names, bogus DNS and HTTP requests, and misleading configuration files being delivered. He analyses the consequences of failing to realize we are observing bogus behaviour from a sample, and explores ways in which we might prevent ourselves from falling victim to the same techniques again.
Copyright © 2015 Virus Bulletin
https://www.virusbtn.com/virusbulletin/archive/2015/01/vb201501-duping