*Still being edited*
Circumventing malware which detects it is being run in a Virtual Machine
- Do not run processes related to the Virtual Machine, such as VMware Tools
- Do not use common malware analysis tools that are install. Wireshark is one that malware will look for installation files to determine if it’s being analyzed.
- Perform registry edits to hide traces of the Virtual Machine platform
- Malware will check locations such as HLKM/SYSTEM/CurrentControlSet/services/Disk/Enum for the 0 key (Disk 0). This location will give a description of the disk. If the disk is a virtual machine, the key will look similar to the one below
Clearing out this registry entry where there is no data can bypass malware which queries this key (this can be determined using Process Monitor)