Detecting Virtual Environment Artefacts
Created on Monday 11 March 2019. Updated 1 year, 2 months ago.
QEMU registers some artifacts in the registry. Malware can detect a QEMU installation by reading the registry key HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 with the value of Identifier and the data of QEMU, or HARDWARE\\Description\\System with a value of SystemBiosVersion and data of QEMU.
The VirtualBox Guest Additions leave many artifacts in the registry. A search for VBOX in the registry might find some keys.
The VMware installation directory C:\\Program Files\\VMware\\VMware Tools may also contain artifacts, as can the registry. A search for VMware in the registry might find some keys that include information about the virtual hard drive, adapters, and virtual mouse.
VMware leaves many artefacts in memory. Some are critical processor structures, which, because they are either moved or changed on a virtual machine, leave recognisable footprints. Malware can search through physical memory for the string VMware, which is commonly used to detect memory artifacts.
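A defender-side view of the registry checks above, as an added example that is not part of the original page: it scans a registry-access trace from a sandbox run and flags processes that read the artefacts named here. The trace rows are constructed, the column layout is an assumption modelled on a Procmon CSV export, and the ACPI\DSDT\VBOX__ and VMware Tools key paths are sample values, not taken from the page.

```python
import csv
import io
from collections import defaultdict

# The two value paths named on this page: lower-cased, hive removed, single backslashes.
HW_ID_VALUES = {
    r"hardware\devicemap\scsi\scsi port 0\scsi bus 0\target id 0\logical unit id 0\identifier",
    r"hardware\description\system\systembiosversion",
}
VENDOR_MARKERS = ("qemu", "vbox", "vmware")  # strings the page says to search for
READ_OPS = {"RegOpenKey", "RegQueryValue", "RegEnumKey", "RegEnumValue"}

# Constructed trace; column layout is an assumption modelled on a Procmon CSV export.
SAMPLE_TRACE = r'''"Process Name","PID","Operation","Path","Result"
"vmtoolsd.exe","1200","RegOpenKey","HKLM\SOFTWARE\VMware, Inc.\VMware Tools","SUCCESS"
"inventory.exe","2044","RegQueryValue","HKLM\HARDWARE\Description\System\SystemBiosVersion","SUCCESS"
"sample.exe","3312","RegQueryValue","HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier","SUCCESS"
"sample.exe","3312","RegOpenKey","HKLM\HARDWARE\ACPI\DSDT\VBOX__","NAME NOT FOUND"
"sample.exe","3312","RegOpenKey","HKLM\SOFTWARE\VMware, Inc.\VMware Tools","SUCCESS"
"sample.exe","3312","RegSetValue","HKCU\Software\Sample\Run","SUCCESS"
'''


def probe_categories(trace_csv):
    """Map (process, pid) -> set of VM-artefact categories it read."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(trace_csv)):
        if row["Operation"] not in READ_OPS:
            continue
        # Drop the hive ("HKLM\") and compare case-insensitively, as the registry does.
        subpath = row["Path"].partition("\\")[2].lower()
        proc = (row["Process Name"], row["PID"])
        if subpath in HW_ID_VALUES:
            seen[proc].add("hardware-id")
        for marker in VENDOR_MARKERS:
            if marker in subpath:
                # A failed lookup (NAME NOT FOUND) still counts: the probe happened.
                seen[proc].add(marker)
    return dict(seen)


def suspicious_processes(trace_csv, min_categories=2):
    """Heuristic (assumption): guest tools touch one vendor, VM checks sweep several."""
    cats = probe_categories(trace_csv)
    return sorted(name for (name, _pid), c in cats.items() if len(c) >= min_categories)


if __name__ == "__main__":
    print(suspicious_processes(SAMPLE_TRACE))
```

The threshold is a triage aid, not a verdict: inventory and guest-tool processes legitimately read single artefacts, so tune `min_categories` against a baseline trace of the clean analysis image.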
Matching Samples (10 most recent)
Sample Name | Matching Techniques | First Seen | Last Seen |
---|---|---|---|
avbox.exe | 7 | 2024-12-11 | 1 week ago |
1d460cf2b1dae2b7e400068fc384...c508faed68963df3588695be.exe | 3 | 2024-12-10 | 1 week ago |
xd | 3 | 2024-12-02 | 2 weeks, 2 days ago |
PrimoRamdisk6-RSLOAD.NET-.rar | 3 | 2024-11-30 | 2 weeks, 4 days ago |
DittoSetup_64bit_3_24_246_0.exe | 4 | 2024-11-26 | 3 weeks ago |
_mh_av | 3 | 2024-11-25 | 3 weeks, 1 day ago |
MailAcess_Checker_by_xRisky.exe | 4 | 2024-11-25 | 3 weeks, 1 day ago |
setupbatterycare.exe | 4 | 2024-11-25 | 3 weeks, 2 days ago |
AnyDesk.exe | 4 | 2024-11-25 | 3 weeks, 2 days ago |
MSTeamsSetup.exe | 4 | 2024-11-25 | 3 weeks, 2 days ago |