Pafish is a testing tool that uses different techniques to detect virtual machines and malware analysis environments in the same way that malware families do.
[-] Windows version: 6.2 build 9200
[-] Running in WoW64: False
[-] CPU: AuthenticAMD
    Hypervisor: analseks
    CPU brand: AMD Ryzen 5 2600X Six-Core Processor
[-] Debuggers detection
[*] Using IsDebuggerPresent() ... OK
[*] Using BeingDebugged via PEB access ... OK
[-] CPU information based detections
[*] Checking the difference between CPU timestamp counters (rdtsc) ... OK
[*] Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit ... traced!
[*] Checking hypervisor bit in cpuid feature bits ... traced!
[*] Checking cpuid hypervisor vendor for known VM vendors ... OK
[-] Generic reverse turing tests
[*] Checking mouse presence ... OK
[*] Checking mouse movement ... traced!
[*] Checking mouse speed ... traced!
[*] Checking mouse click activity ... traced!
[*] Checking mouse double click activity ... traced!
[*] Checking dialog confirmation ... traced!
[*] Checking plausible dialog confirmation ... traced!
[-] Generic sandbox detection
[*] Checking username ... OK
[*] Checking file path ... OK
[*] Checking common sample names in drives root ... OK
[*] Checking if disk size <= 60GB via DeviceIoControl() ... OK
[*] Checking if disk size <= 60GB via GetDiskFreeSpaceExA() ... OK
[*] Checking if Sleep() is patched using GetTickCount() ... OK
[*] Checking if NumberOfProcessors is < 2 via PEB access ... OK
[*] Checking if NumberOfProcessors is < 2 via GetSystemInfo() ... OK
[*] Checking if pysical memory is < 1Gb ... OK
[*] Checking operating system uptime using GetTickCount() ... OK
[*] Checking if operating system IsNativeVhdBoot() ... OK
[-] Sandboxie detection
[*] Using GetModuleHandle(sbiedll.dll) ... OK
[-] Wine detection
[*] Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll ... OK
[*] Reg key (HKCU\SOFTWARE\Wine) ... OK
[-] VirtualBox detection
[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... OK
[*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[*] Reg key (HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions) ... OK
[*] Reg key (HKLM\HARDWARE\Description\System "VideoBiosVersion") ... OK
[*] Reg key (HKLM\HARDWARE\ACPI\DSDT\VBOX__) ... OK
[*] Reg key (HKLM\HARDWARE\ACPI\FADT\VBOX) ... OK
[*] Reg key (HKLM\HARDWARE\ACPI\RSDT\VBOX) ... OK
[*] Reg key (HKLM\SYSTEM\ControlSet001\Services\VBox) ... OK
[*] Reg key (HKLM\HARDWARE\DESCRIPTION\System "SystemBiosDate") ... OK
[*] Driver files in C:\WINDOWS\system32\drivers\VBox ... OK
[*] Additional system files ... OK
[*] Looking for a MAC address starting with 08:00:27 ... OK
[*] Looking for pseudo devices ... OK
[*] Looking for VBoxTray windows ... OK
[*] Looking for VBox network share ... OK
[*] Looking for VBox processes (vboxservice.exe, vboxtray.exe) ... OK
[*] Looking for VBox devices using WMI ... OK
[-] VMware detection
[*] Scsi port 0,1,2 ->bus->target id->logical unit id-> 0 identifier ... OK
[*] Reg key (HKLM\SOFTWARE\VMware, Inc.\VMware Tools) ... OK
[*] Looking for C:\WINDOWS\system32\drivers\vmmouse.sys ... OK
[*] Looking for C:\WINDOWS\system32\drivers\vmhgfs.sys ... OK
[*] Looking for a MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56 ... OK
[*] Looking for network adapter name ... OK
[*] Looking for pseudo devices ... OK
[*] Looking for VMware serial number ... OK
[-] Qemu detection
[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... OK
[*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[*] cpuid CPU brand string 'QEMU Virtual CPU' ... OK
[-] Bochs detection
[*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[*] cpuid AMD wrong value for processor name ... OK
[*] cpuid Intel wrong value for processor name ... OK
[-] Pafish has finished analyzing the system, check the log file for more information and visit the project's site:
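Only two of the hardware checks above fired: the hypervisor-present bit in CPUID leaf 1 and the rdtsc delta around a forced VM exit. The vendor-string check passed because this hypervisor answers CPUID leaf 0x40000000 with the custom signature "analseks" instead of a stock one, which is exactly the gap between a blacklist check and a structural check. The C program below is an added illustration of those three checks for x86-64 with GCC or Clang; it is not Pafish's code and not the poster's. The vendor blacklist and the 1000-cycle threshold are assumptions in the spirit of the checks, not constants copied from Pafish, and on non-x86 builds the live probes return -1 or 0 so the pure decoders still compile and run.

```c
/* Added example, not Pafish's code: cpuid/rdtsc checks from the log. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* __cpuid macro (GCC/Clang) */
#include <x86intrin.h>  /* __rdtsc */
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

#define HV_PRESENT_BIT (1u << 31)   /* CPUID.1:ECX bit 31, always 0 on bare metal */
#define HV_VENDOR_LEAF 0x40000000u  /* vendor signature leaf implemented by hypervisors */

/* Pure decoder: hypervisor-present bit in CPUID.1:ECX. */
int hypervisor_bit_set(uint32_t ecx) {
    return (ecx & HV_PRESENT_BIT) != 0;
}

/* Pure decoder: CPUID.40000000h returns a 12-byte vendor string in EBX,ECX,EDX. */
void hv_vendor_from_regs(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    memcpy(out, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

/* Vendor signatures a malware-style blacklist would look for. Assumption:
 * this is the commonly published set, not a copy of Pafish's own list. */
int hv_vendor_is_known(const char *vendor) {
    static const char *known[] = {
        "KVMKVMKVM", "Microsoft Hv", "VMwareVMware",
        "XenVMMXenVMM", "prl hyperv  ", "VBoxVBoxVBox"
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strncmp(vendor, known[i], 12) == 0)
            return 1;
    return 0;
}

/* Live probe of CPUID.1:ECX[31]; -1 when not built for x86. */
int live_hypervisor_bit(void) {
#if HAVE_X86
    unsigned a = 0, b = 0, c = 0, d = 0;
    __cpuid(1, a, b, c, d);
    return hypervisor_bit_set(c);
#else
    return -1;
#endif
}

/* Live read of the vendor leaf into out; -1 when not built for x86. */
int live_hv_vendor(char out[13]) {
#if HAVE_X86
    unsigned a = 0, b = 0, c = 0, d = 0;
    __cpuid(HV_VENDOR_LEAF, a, b, c, d);
    hv_vendor_from_regs(b, c, d, out);
    return 0;
#else
    out[0] = '\0';
    return -1;
#endif
}

/* rdtsc, cpuid, rdtsc: cpuid unconditionally traps to the hypervisor under
 * VT-x/AMD-V, so the exit/entry round trip inflates the delta. Returns the
 * average over `rounds` (0 when rounds <= 0 or not built for x86). */
uint64_t rdtsc_cpuid_delta_avg(int rounds) {
#if HAVE_X86
    uint64_t total = 0;
    for (int i = 0; i < rounds; i++) {
        unsigned a = 0, b = 0, c = 0, d = 0;
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);
        uint64_t t1 = __rdtsc();
        total += t1 - t0;
    }
    return rounds > 0 ? total / (uint64_t)rounds : 0;
#else
    (void)rounds;
    return 0;
#endif
}

/* Classifier: native cpuid costs well under a thousand cycles, a VM round
 * trip usually far more. The threshold is an assumption, not Pafish's value. */
int timing_suggests_vm(uint64_t avg_cycles, uint64_t threshold) {
    return avg_cycles > threshold;
}

int main(void) {
    char vendor[13];
    uint64_t avg = rdtsc_cpuid_delta_avg(10);
    live_hv_vendor(vendor);
    printf("hypervisor bit ........ %s\n", live_hypervisor_bit() == 1 ? "traced!" : "OK");
    printf("hypervisor vendor ..... '%s' -> %s\n", vendor,
           hv_vendor_is_known(vendor) ? "traced!" : "OK");
    printf("rdtsc around cpuid .... %llu cycles -> %s\n", (unsigned long long)avg,
           timing_suggests_vm(avg, 1000) ? "traced!" : "OK");
    return 0;
}
```

Run it inside the same guest and the first and third lines should report "traced!" while the vendor line stays "OK" for a signature like "analseks"; that is the result pattern in the log, and it is why analysts who tune a hypervisor to defeat Pafish have to hide the feature bit and the cpuid latency, not just rename the vendor.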