Search For Content
Search Result
8 item(s) found so far for this keyword.
Detecting Online Sandbox
Online sandboxes are widely used for malware analysis. To evade detection, many malware families implement checks to identify if they are running in such environments. Below are examples of detection techniques for Any.Run and Tria.ge.
Detecting Any.Run
-
Any.Run uses a fake root certificate to spy on sandbox traffic. System information can be obtained by querying …
Hide Artifacts: Run Virtual Instance
![Defense Evasion [Mitre] icon](/media/2024/04/08/icons8-burglar.svg){kind=small}
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual …
Read moreRetrieve HDD Information
Malware can figure out if it's in a virtual environment by checking hard drive info. It looks for specific details like serial and model numbers. This is easier to spot in VirtualBox because it shows clues that it's running in a virtual space.
Malware uses this trick to avoid getting caught. It does this by using a special command …
Read moreDetecting Mac Address
Virtualbox and VMware use specific virtual Mac address that can be detected by Malware.
- The usual mac address used by Virtualbox starts with the following number: 08:00:27.
- The usual mac address used by VMware starts with the following numbers: 00:0C:29, 00:1C:14, 00:50:56, 00:05:69.
Malware can use this simple trick to detect if it is running …
Read moreDetecting Virtual Environment Process
Process related to Virtualbox can be detected by malware by query the process list.
The VMware Tools use processes like VMwareServices.exe or VMwareTray.exe, to perform actions on the virtual environment. A malware can list the process and searches for the VMware string. Process: VMwareService.exe, VMwareTray.exe, TPAutoConnSvc.exe, VMtoolsd.exe, VMwareuser.exe.
Read moreDetecting Virtual Environment Files
Some files are created by Virtualbox and VMware on the system.
Malware can check the different folders to find Virtualbox artifacts like VBoxMouse.sys.
Malware can check the different folders to find VMware artifacts like vmmouse.sys, vmhgfs.sys.
Some Files Example
Below is a list of files that can be detected on virtual machines:
- "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\agent.pyw", …
Detecting Virtual Environment Artefacts
Malware often checks for artifacts left by virtualization platforms to determine if it is running inside a virtual environment. Detecting such artifacts allows the malware to adapt its behavior, delay execution, or avoid exposing malicious functionality during analysis.
-
QEMU: QEMU registers artifacts in the Windows registry. For example, the key
HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical …
VboxEnumShares
This method represents a variation of the WNetGetProviderName(WNNC_NET_RDR2SAMPLE, ...) approach, which is typically employed to determine if the network share's provider name is specific, such as VirtualBox. Instead of relying on this well-established technique, we utilize WNetOpenEnum and WNetEnumResource functions to iterate through each network resource. The primary objective is to identify VirtualBox shared folders, which typically feature "VirtualBox" or …