Introduction

Nowadays malware are becoming more sophisticated. When incidents response team or somebody who wants to analyze malware samples, they usually uses sandbox machines: A “sandbox” environment is an isolated virtual machine in which potentially dangerous software code can run without affecting network resources or local applications. The goal here is to analyze the behavior of the malicious payload/program.

Sandboxes comes with many tools for malware analysis: Debuggers, memory/disk forensics, static file analyzers, Sysinternals suite,… I am familiar with some : REMnux, Cuckoo. There are websites sandbox too, for analyzing malware dynamically : ANY.RUN, Hybrid Analysis

Adversaries don’t want their malware analyzed, reversers can found hardcoded informations (IOCs) such as combos login/password, IP, DNS C2 or TTPs! So they need to add functions in their code to detect and avoid virtualization and analysis environments.

Tactics

A tactic exists in the MITRE ATT&CK, refeer as T1497. This is a good starting point reading this to know more about the techniques used by attackers and also the malware IDs using sandbox evasion techniques. 3 sub-techniques (T1497.001, T1497.002, T1497.003) are found in the MITRE matrix and we are going to see concrete examples in real scenarios.

System checks

Getting system informations can be very usefull to detect a virtual environment.

Here some informations you can check :

  • Storage name: Hard disk drives that use names such as QEMU, VBOX, VIRTUAL HD, and VMWare.

  • Storage size: Every computers have at least 100Go.

  • Ram size: Recent computers have at least 4Go.

  • CPU core: Most computers have at least 4 logical cpu cores.

  • HDD vendor ID: The vendor ID of the hard disc drive named VBOX or vmware.

  • Audio device: Lack of audio device in the machine.

  • Screen resolution: Low resolutions that are not frequently used in modern systems.

  • Username: Common sandbox usernames such as sandbox, virus, malware, vmware, test, forensics,..

  • Hostname: Common sandbox names such as cuckoo, sandbox, sample, and malware.

  • MAC addresses: Specific MAC address prefixes:

    • 08:00:27 for VirtualBox
    • 00:05:69 | 00:0C:29 | 00:1C:14 | 00:50:56 for VMWare
    • 00:16:E3 for Xen
    • 00:1C:42 for Parallels

  • Network adapter name: Specific names for network adapters (e.g., Vmware).

  • List of directories: Certain directories such as “oracle\virtualbox guest additions" and “VMWare”.

  • List of files: A clean desktop or documents folder or an empty list of recent files.

  • CPUID: The CPUID that includes the strings such as

    • Microsoft Hv for Hyper-V
    • KVMKVMKVM for KVM
    • prl hyperv for Parallels
    • VBoxVBoxVBox for VirtualBox
    • VMwareVMware for VMWare
    • XenVMMXenVMM for Xen.

  • Basic ping: Request to an non-existent DNS.

Windows Techniques

There are so many informations you can check on windows systems to detect if it’s a virtual environment:

  • Process Name Enumeration: Known VM processes.

    • vboxservices.exe
    • vboxservice.exe
    • vboxtray.exe
    • xenservice.exe
    • VMSrvc.exe
    • vemusrvc.exe
    • VMUSrvc.exe
    • qemu-ga.exe
    • prl_cc.exe
    • prl_tools.exe
    • vmtoolsd.exe
    • vmwaretray.exe
    • vmsrvc.exe
    • vmusrvc.exe
    • df5serv.exe

  • Registry key value artifacts: Reg keys values known from VM software

    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VBOX)
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (QEMU)
    • HARDWARE\Description\System (SystemBiosVersion) (VBOX)
    • HARDWARE\Description\System (SystemBiosVersion) (QEMU)
    • HARDWARE\Description\System (VideoBiosVersion) (VIRTUALBOX)
    • HARDWARE\Description\System (SystemBiosDate) (06/23/99)
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier) (VMWARE)
    • SYSTEM\ControlSet001\Control\SystemInformation (SystemManufacturer) (VMWARE)
    • SYSTEM\ControlSet001\Control\SystemInformation (SystemProductName) (VMWARE)

  • Registry Keys artifacts: Reg keys known from VM software

    • HARDWARE\ACPI\DSDT\VBOX__ (VBOX)
    • HARDWARE\ACPI\FADT\VBOX__ (VBOX)
    • HARDWARE\ACPI\RSDT\VBOX__ (VBOX)
    • SOFTWARE\Oracle\VirtualBox Guest Additions (VBOX)
    • SYSTEM\ControlSet001\Services\VBoxGuest (VBOX)
    • SYSTEM\ControlSet001\Services\VBoxMouse (VBOX)
    • SYSTEM\ControlSet001\Services\VBoxService (VBOX)
    • SYSTEM\ControlSet001\Services\VBoxSF (VBOX)
    • SYSTEM\ControlSet001\Services\VBoxVideo (VBOX)
    • SOFTWARE\VMware, Inc.\VMware Tools (VMWARE)
    • SOFTWARE\Wine (WINE)
    • SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters (HYPER-V)
    • SYSTEM\CurrentControlSet\Services\Disk\Enum
    • SYSTEM\CurrentControlSet\Enum\IDE
    • SYSTEM\CurrentControlSet\Enum\SCSI

  • File system artifacts: Known file system VM

    • “system32\drivers\VBoxMouse.sys”
    • “system32\drivers\VBoxGuest.sys”
    • “system32\drivers\VBoxSF.sys”
    • “system32\drivers\VBoxVideo.sys”
    • “system32\vboxdisp.dll”
    • “system32\vboxhook.dll”
    • “system32\vboxmrxnp.dll”
    • “system32\vboxogl.dll”
    • “system32\vboxoglarrayspu.dll”
    • “system32\vboxoglcrutil.dll”
    • “system32\vboxoglerrorspu.dll
    • “system32\vboxoglfeedbackspu.dll”
    • “system32\vboxoglpackspu.dll”
    • “system32\vboxoglpassthroughspu.dll”
    • “system32\vboxservice.exe”
    • “system32\vboxtray.exe”
    • “system32\VBoxControl.exe”
    • “system32\drivers\vmmouse.sys”
    • “system32\drivers\vmhgfs.sys”
    • “system32\drivers\vm3dmp.sys”
    • “system32\drivers\vmci.sys”
    • “system32\drivers\vmhgfs.sys”
    • “system32\drivers\vmmemctl.sys”
    • “system32\drivers\vmmouse.sys”
    • “system32\drivers\vmrawdsk.sys”
    • “system32\drivers\vmusbmouse.sys”

  • Directories artifacts: Known directories

    • “%PROGRAMFILES%\oracle\virtualbox guest additions\”
    • “%PROGRAMFILES%\VMWare\”

For additional informations about windows VM, there is an awesome Github repo, that is also a tool made by LordNoteworthy called Al-khaser.

GNU/Linux Techniques

On GNU/Linux systems too, there is things to check:

  • DMI Table: Checks if the DMI table (/sys/class/dmi/id/) contains vendor strings of known VMs.

    • “innotek”
    • “virtualbox”
    • “vbox”
    • “kvm”
    • “qemu”
    • “vmware”
    • “vmw”
    • “oracle”
    • “xen”
    • “bochs”
    • “parallels”
    • “bhyve”

  • Kernel Ring Buffer (/dev/kmsg): Checks printk messages to see if Linux detected an hypervisor.

    • “Hypervisor detected”

  • VM device tree (/proc/device-tree): Some virtualization technologies can be detected using /proc/device-tree .

    • “/proc/device-tree/hypervisor/compatible”
    • “/proc/device-tree/fw-cfg”

Final notes

There are so many techniques to detect a virtualization environment. Note that here I focused on Windows and Linux environments but there are also others systems like MacOS and you can find more resources and techniques on internet.

If you want to analyze some malware samples, I advise you to test your virtual machine from those evade script. Otherwise, certains malware will not drop all payloads or block themselves on the current system.

I will conclude with this excellent blog from CheckPoint’s researchers for providing many evasion techniques on their website: https://evasions.checkpoint.com/ .

References