anti-analysis/anti-vm/vm-detection

reference anti-VM strings targeting VirtualBox

rule:
  meta:
    name: reference anti-VM strings targeting VirtualBox
    namespace: anti-analysis/anti-vm/vm-detection
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: file
      dynamic: file
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
    references:
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/VirtualBox.cpp
    examples:
      - al-khaser_x86.exe_
  features:
    - or:
      - string: /VBOX/i
      - string: /VEN_VBOX/i
      - string: /VirtualBox/i
      - string: /06/23/99/i
      - string: /HARDWARE\\ACPI\\DSDT\\VBOX__/i
      - string: /HARDWARE\\ACPI\\FADT\\VBOX__/i
      - string: /HARDWARE\\ACPI\\RSDT\\VBOX__/i
      - string: /SOFTWARE\\Oracle\\VirtualBox Guest Additions/i
      - string: /SYSTEM\\ControlSet001\\Services\\VBoxGuest/i
      - string: /SYSTEM\\ControlSet001\\Services\\VBoxMouse/i
      - string: /SYSTEM\\ControlSet001\\Services\\VBoxService/i
      - string: /SYSTEM\\ControlSet001\\Services\\VBoxSF/i
      - string: /SYSTEM\\ControlSet001\\Services\\VBoxVideo/i
      - string: /VBoxMouse\.sys/i
      - string: /VBoxGuest\.sys/i
      - string: /VBoxSF\.sys/i
      - string: /VBoxVideo\.sys/i
      - string: /vboxdisp\.dll/i
      - string: /vboxhook\.dll/i
      - string: /vboxmrxnp\.dll/i
      - string: /vboxogl\.dll/i
      - string: /vboxoglarrayspu\.dll/i
      - string: /vboxoglcrutil\.dll/i
      - string: /vboxoglerrorspu\.dll/i
      - string: /vboxoglfeedbackspu\.dll/i
      - string: /vboxoglpackspu\.dll/i
      - string: /vboxoglpassthroughspu\.dll/i
      - string: /vboxservice\.exe/i
      - string: /vboxtray\.exe/i
      - string: /VBoxControl\.exe/i
      - string: /oracle\\virtualbox guest additions\\/i
      - string: /\\\\.\\VBoxMiniRdrDN/i
      - string: /\\\\.\\VBoxGuest/i
      - string: /\\\\.\\pipe\\VBoxMiniRdDN/i
      - string: /\\\\.\\VBoxTrayIPC/i
      - string: /\\\\.\\pipe\\VBoxTrayIPC/i
      - string: /VBoxTrayToolWndClass/i
      - string: /VBoxTrayToolWnd/i
      - string: /vboxservice\.exe/i
      - string: /vboxtray.exe/i
      - string: /vboxvideo/i
      - string: /VBoxVideoW8/i
      - string: /VBoxWddm/i
      - string: /PCI\\VEN_80EE&DEV_CAFE/i
      - string: /82801FB/i
      - string: /82441FX/i
      - string: /82371SB/i
      - string: /OpenHCD/i
      - string: /ACPIBus_BUS_0/i
      - string: /PCI_BUS_0/i
      - string: /PNP_BUS_0/i
      - string: /Oracle Corporation/i
      - string: /VBoxWdd/i
      - string: /VBoxS/i
        description: VirtualBox Shared Folders
      - string: /VBoxMouse/i
        description: VirtualBox Guest Mouse
      - string: /VBoxGuest/i
        description: VirtualBox Guest Driver
      - string: /VBoxVBoxVBox/i
      - string: /innotek GmbH/i
      - string: /drivers\\vboxdrv/i

last edited: 2023-11-24 10:34:28