Recently a customer informed us about the following malware analysis (sample MD5 27aa08d113034eae5565fe2e8813a01e):
One of our behavior signatures detected that the malware tried to detect virtual machines. Malware often does this to hinder analysis and so hide its malicious payload. After investigation and reverse engineering (credits to antnet), the following VM and sandbox detections were found:
Get VMware version through the VMware backdoor I/O port. IN is a privileged instruction, so outside a VM it raises an exception, which the sample expects and handles. EAX carries the backdoor magic 'VMXh', ECX = 0x0A is the get-version command and DX selects the port:
00409E27 IN EAX,DX ; eax = 'VMXh', ecx = 0A, dx = 'VX'
00409E27 IN EAX,DX ; eax = 'VMXh', ecx = 0A, dx = 'VY'
00409E27 IN EAX,DX ; eax = 'VMXh', ecx = 0A, dx = '@' (0x40)
Undefined opcode 0F 3F 07 0B (the Virtual PC guest-to-host call; on a real CPU it raises an illegal-instruction exception, which is handled):
00409EB1 DB 0F
00409EB2 DB 3F
00409EB3 DB 07
00409EB4 DB 0B
Read the descriptor-table registers (the SLDT/STR/SGDT/SIDT "red pill" style checks):
00409F22 SLDT WORD PTR SS:[EBP-28C]
00409F29 STR WORD PTR SS:[EBP-290]
00409F30 SGDT FWORD PTR SS:[EBP-44]
00409F34 SIDT FWORD PTR SS:[EBP-3C]
Read the segment registers (exceptions raised by undefined selectors are handled).
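To make the exception-handling trick above concrete, here is an added example (not code from the sample or from this write-up) that performs the VMware backdoor IN and the Virtual PC opcode probe the same way the malware does, but on a POSIX system: where the sample wraps the instruction in Windows SEH, this code installs SIGSEGV/SIGILL handlers and siglongjmps back into the probe when the CPU faults. It assumes GCC/Clang inline assembly on an x86 CPU; on other CPUs the probes report -1. The null-pointer probe is only there to self-check the harness.

```c
/* Added example: privileged-instruction VM probes with exception handling.
 * POSIX signals stand in for the SEH (__try/__except) used by the sample. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PROBE_UNSUPPORTED = -1, PROBE_FAULTED = 0, PROBE_EXECUTED = 1 };

#if defined(__x86_64__) || defined(__i386__)
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

static sigjmp_buf probe_env;

static void probe_fault_handler(int sig) {
    (void)sig;
    siglongjmp(probe_env, 1);          /* unwind back into run_probe() */
}

/* Run fn() with SIGSEGV/SIGILL/SIGBUS trapped. Returns PROBE_FAULTED if the
 * instruction raised an exception (what a real CPU does for IN from ring 3
 * and for an undefined opcode), PROBE_EXECUTED otherwise. */
static int run_probe(void (*fn)(uint32_t *out), uint32_t *out) {
    struct sigaction sa, old_segv, old_ill, old_bus;
    int result;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_fault_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGILL, &sa, &old_ill);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(probe_env, 1) == 0) {  /* savesigs=1: mask restored on longjmp */
        fn(out);
        result = PROBE_EXECUTED;
    } else {
        result = PROBE_FAULTED;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}

#if HAVE_X86
/* VMware backdoor: IN EAX,DX with EAX='VMXh', ECX=0x0A (get version),
 * DX=0x5658 ('VX'). Inside VMware the hypervisor answers even from ring 3
 * and echoes the magic in EBX; on bare metal the IN raises #GP. */
static void vmware_backdoor_probe(uint32_t *out) {
    uint32_t eax = 0x564D5868u, ebx = 0, ecx = 0x0Au, edx = 0x5658u;
    __asm__ volatile ("inl %%dx, %%eax"
                      : "+a"(eax), "+b"(ebx), "+c"(ecx), "+d"(edx));
    out[0] = eax; out[1] = ebx; out[2] = ecx;
}

/* Virtual PC: 0F 3F 07 0B is a guest-to-host call under Virtual PC (which
 * clears EBX on success) and an undefined opcode (#UD) everywhere else. */
static void virtualpc_probe(uint32_t *out) {
    uint32_t eax = 1, ebx = 0;
    __asm__ volatile (".byte 0x0F, 0x3F, 0x07, 0x0B"
                      : "+a"(eax), "+b"(ebx) : : "ecx", "edx");
    out[0] = eax; out[1] = ebx;
}
#endif

int vmware_present(void) {
#if HAVE_X86
    uint32_t r[3] = {0, 0, 0};
    if (run_probe(vmware_backdoor_probe, r) == PROBE_FAULTED) return 0;
    return r[1] == 0x564D5868u;        /* magic echoed in EBX */
#else
    return PROBE_UNSUPPORTED;
#endif
}

int virtualpc_present(void) {
#if HAVE_X86
    uint32_t r[2] = {0, 0};
    if (run_probe(virtualpc_probe, r) == PROBE_FAULTED) return 0;
    return r[1] == 0;
#else
    return PROBE_UNSUPPORTED;
#endif
}

/* Harness self-check: a NULL read faults on every platform. */
static void null_read_probe(uint32_t *out) {
    volatile uint32_t *p = NULL;
    out[0] = *p;
}
int harness_catches_faults(void) {
    uint32_t r[1] = {0};
    return run_probe(null_read_probe, r) == PROBE_FAULTED;
}

int main(void) {
    printf("harness catches faults: %d\n", harness_catches_faults());
    printf("VMware backdoor answered: %d\n", vmware_present());
    printf("Virtual PC opcode executed: %d\n", virtualpc_present());
    return 0;
}
```

Run it inside an analysis VM: if the VMware backdoor answers from user mode, any sample using this trick will see the hypervisor, and the port has to be hidden (VMware's `monitor_control.restrict_backdoor` setting) rather than patched around in the sample.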
FindFirstFile/FindNextFile on [system directory]\drivers; check the file names for the following VMware, Parallels (prl*) and Virtual PC drivers:
hgfs.sys
vmhgfs.sys
prleth.sys
prlfs.sys
prlmouse.sys
prlvideo.sys
prl_pv32.sys
vpc-s3.sys
vmsrvc.sys
vmx86.sys
vmnet.sys
GetModuleHandle. Check whether one of these DLLs is loaded (SbieDll is the DLL Sandboxie injects):
dbghelp
SbieDll
api_log
dir_watch
pstorec
GetUserName. Check for:
currentuser
sandbox
honey
vmware
nepenthes
snort
andy
roo
GetComputerName. Check if: "TU-4NH09SMCG1HC"
GetModuleFileName (this exe name). Check if: "InsideTm"
RegQueryValueEx on
"HKLM\HARDWARE\Description\System\\SystemBiosVersion". Check if: "vbox"
RegQueryValueEx on
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\\ProductID" and
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\\ProductID". Check
ProductID for:
55274-640-2673064-23950
76487-644-3177037-23510
76487-337-8429955-22614
RegEnumKey on "HKLM\SOFTWARE\Microsoft". Check names for:
Hyper-V
VirtualMachine
RegEnumKey on "HKLM\SYSTEM\ControlSet001\Services". Check the service names for the following (Hyper-V integration components, VMware, Virtual PC, VirtualBox and Xen guest services):
vmicheartbeat
vmicvss
vmicshutdown
vmicexchange
vmci
vmdebug
vmmouse
VMTools
VMMEMCTL
vmware
vmx86
vpcbus
vpc-s3
vpcuhub
msvmmouf
VBoxMouse
VBoxGuest
VBoxSF
xenevtchn
xennet
xennet6
xensvc
xenvdb
RegQueryValueEx on "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus
0\Target Id 0\Logical Unit Id 0\\Identifier". Check Identifier for:
vmware
vbox
RegEnumKey on:
"HKLM\HARDWARE\ACPI\DSDT"
"HKLM\HARDWARE\ACPI\FADT"
"HKLM\HARDWARE\ACPI\RSDT"
Check the subkey names for:
VBOX
xen
GetProcAddress on kernel32.CreateProcessA and check whether its first byte has been patched to E9 (a near jmp, i.e. an inline hook of the kind API monitors install).
Note that CreateProcessW is not checked.
Take a snapshot of the running processes and check the process names for the following (VM guest services, sandbox agents and analysis tools):
vmware
vmount2
vmusrvc
vmsrvc
VBoxService
vboxtray
xenservice
joeboxserver
joeboxcontrol
wireshark
sniff_hit
sysAnalyzer
filemon
procexp
procmon
regmon
autoruns
GetAdaptersInfo. Check the adapter MAC address for the prefixes 0x0569, 0x0C29, 0x1C14 and 0x5056 following the leading 00 byte, i.e. the OUIs 00:05:69, 00:0C:29, 00:1C:14 and 00:50:56. These all belong to VMware.
GetProcAddress. Check whether kernel32 or ntdll exports the function "wine_get_unix_file_name" (only present under Wine).
FindFirstFile/FindNextFile on "C:\*.*". Check whether any file or directory name is a 60-character hex string (a value unique to the PC that the malware uses for encoding).
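The remaining checks are string and byte comparisons. The following added example (written for this page, not code from the sample) reimplements them as small, testable functions so an analysis VM can be audited against the same lists: the name checks against driver files, loaded DLLs, services and processes, the E9 inline-hook test on an API entry point, the VMware MAC OUI test and the 60-hex-digit name test from the C:\ scan. It assumes case-insensitive substring matching, which the write-up does not state; the sample data in main() is constructed for illustration.

```c
/* Added example: the sample's string/byte artifact checks as an audit tool. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive substring test (assumed matching semantics). */
static int contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

/* First token found inside any observed string, or NULL when clean. */
const char *first_hit(const char *const *observed, size_t n_obs,
                      const char *const *tokens, size_t n_tok) {
    for (size_t i = 0; i < n_obs; i++)
        for (size_t j = 0; j < n_tok; j++)
            if (contains_ci(observed[i], tokens[j])) return tokens[j];
    return NULL;
}

/* Token lists taken from the write-up (subsets for brevity). */
const char *const DRIVER_TOKENS[] = {"hgfs.sys", "vmhgfs.sys", "prleth.sys",
    "prlfs.sys", "prlmouse.sys", "prlvideo.sys", "prl_pv32.sys", "vpc-s3.sys",
    "vmsrvc.sys", "vmx86.sys", "vmnet.sys"};
const char *const DLL_TOKENS[] = {"dbghelp", "SbieDll", "api_log", "dir_watch",
    "pstorec"};
const char *const PROCESS_TOKENS[] = {"vmware", "vmount2", "vmusrvc", "vmsrvc",
    "VBoxService", "vboxtray", "xenservice", "joeboxserver", "joeboxcontrol",
    "wireshark", "sniff_hit", "sysAnalyzer", "filemon", "procexp", "procmon",
    "regmon", "autoruns"};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* VMware OUIs: 00:05:69, 00:0C:29, 00:1C:14, 00:50:56. */
int is_vmware_mac(const unsigned char mac[6]) {
    static const unsigned char ouis[4][3] = {
        {0x00, 0x05, 0x69}, {0x00, 0x0C, 0x29}, {0x00, 0x1C, 0x14}, {0x00, 0x50, 0x56}};
    for (size_t i = 0; i < 4; i++)
        if (memcmp(mac, ouis[i], 3) == 0) return 1;
    return 0;
}

/* First byte E9 = near JMP rel32: an inline hook at the function entry. */
int entry_is_hooked(const unsigned char *fn_bytes) { return fn_bytes[0] == 0xE9; }

/* The C:\ scan: a name consisting of exactly 60 hex digits. */
int is_60_hex_name(const char *name) {
    if (strlen(name) != 60) return 0;
    for (size_t i = 0; i < 60; i++)
        if (!isxdigit((unsigned char)name[i])) return 0;
    return 1;
}

int main(void) {
    /* Constructed sample data standing in for what the APIs would return. */
    const char *const procs[] = {"explorer.exe", "svchost.exe", "VBoxTray.exe"};
    const char *const drivers[] = {"ntfs.sys", "prlfs.sys"};
    const unsigned char mac[6] = {0x00, 0x0C, 0x29, 0x12, 0x34, 0x56};
    const unsigned char hooked[5] = {0xE9, 0x00, 0x10, 0x00, 0x00};
    const char *hit;

    hit = first_hit(procs, COUNT(procs), PROCESS_TOKENS, COUNT(PROCESS_TOKENS));
    printf("process hit: %s\n", hit ? hit : "none");
    hit = first_hit(drivers, COUNT(drivers), DRIVER_TOKENS, COUNT(DRIVER_TOKENS));
    printf("driver hit: %s\n", hit ? hit : "none");
    printf("VMware MAC: %d\n", is_vmware_mac(mac));
    printf("CreateProcessA hooked: %d\n", entry_is_hooked(hooked));
    printf("60-hex name: %d\n",
           is_60_hex_name("012345678901234567890123456789012345678901234567890123456789"));
    return 0;
}
```

On a real Windows guest the observed arrays would be filled from the same APIs the sample calls (FindFirstFile on the drivers directory, a process snapshot, GetAdaptersInfo, GetProcAddress), and any hit marks an artifact that needs renaming or hiding before the image is used for analysis.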