Search Evasion Techniques
Names, Techniques, Definitions, Keywords
12 item(s) found so far for this keyword.
Process related to Virtualbox can be detected by malware by query the process list.
The VMware Tools use processes like VMwareServices.exe or VMwareTray.exe, to perform actions on the virtual environment. A malware can list the process and searches for the VMware string. Process: VMwareService.exe, VMwareTray.exe, TPAutoConnSvc.exe, VMtoolsd.exe, VMwareuser.exe.
Qemu registers some artifacts into the registry. A malware can detect the Qemu installation with a look at the registry key
HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 with the value of
Identifier and the data of
HARDWARE\\Description\\System with a value of
SystemBiosVersion and data of
The VirtualBox Guest addition leaves many artifacts …
Some files are created by Virtualbox and VMware on the system.
Malware can check the different folders to find Virtualbox artifacts like VBoxMouse.sys.
Malware can check the different folders to find VMware artifacts like vmmouse.sys, vmhgfs.sys.
Some Files Example
Below is a list of files that can be detected on virtual machines:
- "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\agent.pyw",
- "C:\WINDOWS\system32\drivers\VBoxVideo.sys", …
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions …
The VMCPUID instruction is a sophisticated mechanism often employed by malware to ascertain if it is operating within a virtual environment.
This instruction is part of the x86 architecture's virtual machine extensions (VMX) and is designed to provide information about the capabilities and status of the virtual machine.
By using VMCPUID, malware can adapt its behavior based on the context …
Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core …
Many user machines have hard drives that are larger than 80GB. A malware program can detect whether it is running in a virtual environment by checking the size of the hard drive. If the size is less than 80GB, it is likely that the program is running in a sandbox or virtual environment.
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time. …
Cuckoo is a malware analysis system that uses a named pipe, called \.\pipe\cuckoo, for communication between the host system (where the malware is being analyzed) and the guest system (where the malware is running).
A malware that is running on the guest system can detect the presence of a virtual environment by attempting to access the \.\pipe\cuckoo named pipe. If …
The temperature sensor is used to know the current temperature of a machine. In a non-virtualized environment, the function returns valid support and output like: "25.05 C: 77.09 F: 298.2K". But for a fully virtualized environment, the return is "MSAcpi_ThermalZoneTemperature not supported" because this feature is not supported on virtualized processors.
Interestingly, this method is not valid. Not all Windows …