Detecting Virtual Environment Artefacts
Created the Monday 11 March 2019. Updated 2 weeks, 4 days ago.
Malware often checks for artifacts left by virtualization platforms to determine if it is running inside a virtual environment. Detecting such artifacts allows the malware to adapt its behavior, delay execution, or avoid exposing malicious functionality during analysis.
- QEMU: QEMU exposes its name through the Windows registry. The key HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 holds a value named Identifier whose data contains the string QEMU. A second check is the key HKLM\HARDWARE\Description\System, whose SystemBiosVersion value (a REG_MULTI_SZ) also contains QEMU.
- VirtualBox: The VirtualBox Guest Additions leave multiple registry artefacts. Searching the registry for the string VBOX (it appears in key names, service names and device identifiers) is usually enough to expose the presence of VirtualBox.
- VMware (registry and files): VMware Tools installs under C:\Program Files\VMware\VMware Tools, and the related registry entries describe the virtual hard drive, network adapters and virtual mouse. Searching the registry for the string VMware reveals these indicators.
- VMware (memory): VMware also leaves artefacts in memory. Critical processor structures may be moved or altered inside a VM, leaving recognisable footprints, and vendor strings such as VMware are present in physical memory. Malware can scan memory for such strings to confirm that it is running in a virtualized environment. Note that reading physical memory requires kernel-level access (a driver) or a memory dump; user-mode code cannot read it directly.
All of these checks are string searches, so an analysis environment that renames its guest tools or patches the BIOS strings will defeat them; the absence of an artefact is not proof of bare metal.
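The checks above, as an added example that is not the Unprotect Project's own code. The matching logic is kept separate from the live registry read so it can be exercised against constructed registry snapshots on any OS; read_live_registry() is an assumed wiring for Windows hosts and is the only part that touches a real registry. The two QEMU values come from the description above; the extra values and keys (VideoBiosVersion, SystemManufacturer, the Guest Additions and VMware Tools keys, the VBOX__ ACPI table) are additional well-known locations added here, and all sample snapshots are constructed, not captured from real hosts.

```python
"""Registry, file and memory artefact checks for QEMU, VirtualBox and VMware."""
import os
import sys
from typing import Callable, Iterable, List, Tuple

# Substring -> platform it betrays. Applied case-insensitively to key path,
# value name and data, i.e. the "search the registry for VBOX / VMware" approach.
VM_MARKERS = {"QEMU": "QEMU", "VBOX": "VirtualBox", "VMWARE": "VMware"}

# HKLM-relative values worth reading on a live host. The first two are the
# QEMU checks from the page; the rest are additional locations (assumption).
KNOWN_VALUES: List[Tuple[str, str]] = [
    (r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier"),
    (r"HARDWARE\Description\System", "SystemBiosVersion"),
    (r"HARDWARE\Description\System", "VideoBiosVersion"),
    (r"SYSTEM\CurrentControlSet\Control\SystemInformation", "SystemManufacturer"),
]
# Keys whose existence alone is telling: the marker sits in the path itself.
KNOWN_KEYS = [
    r"SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"SOFTWARE\VMware, Inc.\VMware Tools",
    r"HARDWARE\ACPI\DSDT\VBOX__",
]
VMWARE_TOOLS_DIRS = [r"C:\Program Files\VMware\VMware Tools"]

Entry = Tuple[str, str, str]  # (key path, value name, data)


def scan_registry(snapshot: Iterable[Entry]) -> List[str]:
    """Return the platforms whose marker appears anywhere in the snapshot."""
    found = set()
    for key, name, data in snapshot:
        haystack = f"{key}\\{name}={data}".upper()
        for marker, platform in VM_MARKERS.items():
            if marker in haystack:
                found.add(platform)
    return sorted(found)


def scan_memory(buf: bytes, needle: bytes = b"VMware") -> List[int]:
    """Offsets of every occurrence of needle in buf. On a live system buf would
    come from a kernel driver or a physical-memory dump, not from user mode."""
    hits, start = [], 0
    while (idx := buf.find(needle, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def scan_filesystem(paths: Iterable[str] = VMWARE_TOOLS_DIRS,
                    exists: Callable[[str], bool] = os.path.isdir) -> List[str]:
    """Paths from `paths` that exist; `exists` is injectable for testing."""
    return [p for p in paths if exists(p)]


def read_live_registry() -> List[Entry]:
    """Collect KNOWN_VALUES / KNOWN_KEYS from HKLM (Windows only, assumed wiring)."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module, hence the late import
    entries: List[Entry] = []
    for key, name in KNOWN_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                data, _ = winreg.QueryValueEx(k, name)
        except OSError:
            continue
        # REG_MULTI_SZ comes back as a list; flatten it for the substring search.
        entries.append((key, name, " ".join(data) if isinstance(data, list) else str(data)))
    for key in KNOWN_KEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key))
        except OSError:
            continue
        entries.append((key, "", ""))
    return entries


# Constructed sample snapshots (not captured from real hosts).
QEMU_GUEST: List[Entry] = [
    (r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
     "Identifier", "QEMU HARDDISK"),
    (r"HARDWARE\Description\System", "SystemBiosVersion", "QEMU"),
]
VBOX_GUEST: List[Entry] = [
    (r"HARDWARE\ACPI\DSDT\VBOX__", "", ""),
    (r"SOFTWARE\Oracle\VirtualBox Guest Additions", "Version", "7.0.14"),
]
BARE_METAL: List[Entry] = [
    (r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
     "Identifier", "SAMSUNG SSD 970 EVO"),
    (r"HARDWARE\Description\System", "SystemBiosVersion", "DELL - 1072009"),
]

if __name__ == "__main__":
    # On a non-Windows host the live read is empty, so fall back to the sample.
    print("registry:", scan_registry(read_live_registry() or QEMU_GUEST))
    print("memory:", scan_memory(b"\x00" * 16 + b"VMware Virtual Platform\x00"))
    print("files:", scan_filesystem())
```

The detection side is the mirror image: a sandbox that wants to survive these checks must patch the same three sources (registry data, the Tools directory, and in-memory vendor strings), which is why hardened analysis VMs rename Guest Additions and rewrite SMBIOS strings.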