rule:
  meta:
    name: reference anti-VM strings
    namespace: anti-analysis/anti-vm/vm-detection
    author: moritz.raabe@fireeye.com
    scope: file
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
    references:
      - https://github.com/ctxis/CAPE/blob/master/modules/signatures/antivm_*
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp
    examples:
      - Practical Malware Analysis Lab 17-02.dll_
  features:
    - or:
      - string: /HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\BOCHS/i
      - string: /HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)/i
      - string: /HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\.*ProcessorNameString/i
      - string: /HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0/i
      - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Enum\\IDE/i
      - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Services\\Disk\\Enum\\/i
      - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\SystemInformation\\SystemManufacturer/i
      - string: /A M I/i
      - string: /Hyper-V/i
      - string: /Kernel-VMDetection-Private/i
      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L699
      - string: /KVMKVMKVM/i
        description: KVM
      - string: /Microsoft Hv/i
        description: Microsoft Hyper-V or Windows Virtual PC
      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L8
      - string: /avghookx.dll/i
        description: AVG
      - string: /avghooka.dll/i
        description: AVG
      - string: /snxhk.dll/i
        description: Avast
      - string: /pstorec.dll/i
        description: SunBelt Sandbox
      - string: /vmcheck.dll/i
        description: Virtual PC
      - string: /wpespy.dll/i
        description: WPE Pro
      - string: /cmdvrt64.dll/i
        description: Comodo Container
      - string: /cmdvrt32.dll/i
        description: Comodo Container
      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L46
      - string: /sample.exe/i
      - string: /bot.exe/i
      - string: /sandbox.exe/i
      - string: /malware.exe/i
      - string: /test.exe/i
      - string: /klavme.exe/i
      - string: /myapp.exe/i
      - string: /testapp.exe/i