As we saw with the recent Ransomware attack malware doesn't behave differently if it realises it is in a sandbox, however to date that has usually been to deactivate itself to reduce the likelihood of it being analysed. I imagine a virtualbox 0 day would be useful in these situations but probably only to state level actors or malware authors looking to get one up on security firms.