brad-sp / cuckoomon-modified

Modified edition of cuckoomon
GNU General Public License v3.0

WMI anti-vm #6

Closed MerX1030 closed 9 years ago

MerX1030 commented 9 years ago

I just encountered a simple anti-VM technique used in a VBS script that is said to be related to a recent cyberattack on French TV stations. The sample just issues the WMI query "Select * from Win32_ComputerSystemProduct" and then compares the results to VM-related strings.

Do you have an idea on how to circumvent this? Thanks!

Sample for your reference: MD5:de8e6e14b7e548eda7d4ff33bb3705ad SHA1:4c6f4d6dec81bef99ee4df32cb400266ed6c2aed SHA256:01bc2c57163901f1a5ad02be2a66dbd8d001d97186a22de01d95eefc2c2e9154

KillerInstinct commented 9 years ago

I believe this runs mostly fine in my sandbox. http://cuckoo.killerinstinct.me/analysis/1102/

MerX1030 commented 9 years ago

I think it works fine on your setup since you are using KVM - QEMU. And the sample author in this case only targets VirtualBox, as seen in the following strings:

```vbscript
Set Col = WMI.ExecQuery("Select * from Win32_ComputerSystemProduct")
For Each Ob in Col
if instr( lcase( ob.name),"virtual") >0 then On
```

What if the author also included "QEMU" in the search string?

KillerInstinct commented 9 years ago

I changed that to be:

```vbscript
if instr( lcase( ob.name),"qemu") >0 then
```

EDIT: http://cuckoo.killerinstinct.me/analysis/1140/

Still works for me. :)

MerX1030 commented 9 years ago

Hmmmm. Can you try this command in cmd inside your VM?

```
wmic path win32_computersystemproduct get * /format:list
```

For my VM, since I'm using VirtualBox, it's:

```
Caption=Computer System Product
Description=Computer System Product
IdentifyingNumber=0
Name=VirtualBox
SKUNumber=
UUID=F31932CF-DAA6-D047-A885-D239B07E9E18
Vendor=innotek GmbH
Version=1.2
```

I'll probably need to consider using KVM to avoid anti-VM for VirtualBox and VMware. :)
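The check the sample performs is a substring match over the Win32_ComputerSystemProduct properties, so a sandbox operator can audit a guest the same way the sample would see it. The script below is an added example, not code from this thread or from cuckoomon: it parses the `wmic ... /format:list` output quoted above (embedded here as a constructed sample) and reports which properties carry any of the marker strings the thread mentions ("virtual", "qemu", "innotek", "vmware"). On a Windows guest it runs the same `wmic` command from the thread first; the function name `query_live_system` and the marker list are my own choices, and the assumption that `wmic` is on the PATH and prints plain text is noted in the code.

```python
"""Audit a guest's Win32_ComputerSystemProduct fields for VM-vendor strings.

Added example: mirrors the substring test a VM-aware script applies to the
WMI properties, so an operator can see what a sample would see.
"""
import subprocess

# Constructed sample: the /format:list output quoted in this thread (VirtualBox guest).
SAMPLE_OUTPUT = """\
Caption=Computer System Product
Description=Computer System Product
IdentifyingNumber=0
Name=VirtualBox
SKUNumber=
UUID=F31932CF-DAA6-D047-A885-D239B07E9E18
Vendor=innotek GmbH
Version=1.2
"""

# Marker substrings taken from the thread: the sample checks "virtual", the
# follow-up test used "qemu"; "innotek" and "vmware" appear in the quoted
# output and discussion. Extend this tuple for your own hypervisor.
VM_MARKERS = ("virtual", "qemu", "innotek", "vmware")


def parse_wmic_list(text):
    """Parse `wmic ... /format:list` output (one Property=Value per line) into a dict.

    Blank lines and lines without '=' are skipped; an empty value (SKUNumber=)
    is kept as an empty string so the property still shows up in the audit.
    """
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def find_vm_markers(fields, markers=VM_MARKERS):
    """Return {property: [markers found]} for every property whose lower-cased
    value contains a marker, i.e. the sample's instr(lcase(ob.name), "virtual")
    test applied to every property rather than only Name."""
    hits = {}
    for key, value in fields.items():
        found = [m for m in markers if m in value.lower()]
        if found:
            hits[key] = found
    return hits


def query_live_system():
    """Run the thread's wmic command on this host (Windows only).

    Assumption: wmic.exe is on the PATH and its output decodes with the
    default text encoding. Returns the raw text, or None if wmic is
    unavailable or fails, so callers can fall back to a captured sample.
    """
    cmd = ["wmic", "path", "win32_computersystemproduct", "get", "*", "/format:list"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout


if __name__ == "__main__":
    raw = query_live_system() or SAMPLE_OUTPUT
    fields = parse_wmic_list(raw)
    hits = find_vm_markers(fields)
    if not hits:
        print("No VM marker strings found in Win32_ComputerSystemProduct.")
    for prop, markers in hits.items():
        print(f"{prop}={fields[prop]!r} matches {markers}")
```

Run it inside the guest to see which properties a substring check would trip on; for the quoted VirtualBox output it flags both `Name` ("virtual") and `Vendor` ("innotek"), which is why changing only the `Name` field is not enough against a sample that inspects other properties.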

KillerInstinct commented 9 years ago

Indeed: http://cuckoo.killerinstinct.me/analysis/1142/

MerX1030 commented 9 years ago

:+1: