anti-analysis/anti-vm/vm-detection
rule:
meta:
name: reference anti-VM strings
namespace: anti-analysis/anti-vm/vm-detection
authors:
- moritz.raabe@mandiant.com
scopes:
static: file
dynamic: file
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
mbc:
- Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
references:
- https://github.com/ctxis/CAPE/blob/master/modules/signatures/antivm_*
- https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp
examples:
- Practical Malware Analysis Lab 17-02.dll_
features:
- or:
- string: /HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\BOCHS/i
- string: /HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)/i
- string: /HARDWARE\\DESCRIPTION\\System\\CentralProcessor/i
- string: /HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0/i
- string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Enum\\IDE/i
- string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Services\\Disk\\Enum\\/i
- string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\SystemInformation\\SystemManufacturer/i
- string: /A M I/i
- string: /Hyper-V/i
- string: /Kernel-VMDetection-Private/i
# https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L699
- string: /KVMKVMKVM/i
description: KVM
- string: /Microsoft Hv/i
description: Microsoft Hyper-V or Windows Virtual PC
# https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L8
- string: /avghookx.dll/i
description: AVG
- string: /avghooka.dll/i
description: AVG
- string: /snxhk.dll/i
description: Avast
- string: /pstorec.dll/i
description: SunBelt Sandbox
- string: /vmcheck.dll/i
description: Virtual PC
- string: /wpespy.dll/i
description: WPE Pro
- string: /cmdvrt64.dll/i
description: Comodo Container
- string: /cmdvrt32.dll/i
description: Comodo Container
# https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L46
- string: /sample.exe/i
- string: /bot.exe/i
- string: /sandbox.exe/i
- string: /malware.exe/i
- string: /test.exe/i
- string: /klavme.exe/i
- string: /myapp.exe/i
- string: /testapp.exe/i
last edited: 2023-11-24 10:34:28