Malware Sandbox Environment

*Still being edited*

Circumventing malware which detects it is being run in a Virtual Machine

  • Do not run processes related to the Virtual Machine, such as VMware Tools
  • Do not leave common malware analysis tools installed. Wireshark is one example: malware will look for its installation files to determine whether it is being analyzed.
  • Perform registry edits to hide traces of the Virtual Machine platform
    • Malware will check locations such as HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum for the 0 entry (Disk 0). This entry holds a description of the disk. If the disk belongs to a virtual machine, the entry will look similar to the one below

[Screenshot (2015-06-22): the Disk\Enum 0 entry on a virtual machine]

Clearing this registry entry so that it holds no data can bypass malware that queries this key (whether a sample queries it can be determined with Process Monitor)

[Screenshot (2015-06-22): the registry entry after the edit]
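As an added example (not code from the original post), the script below audits the Disk\Enum 0 entry the way an analyst would before trusting a sandbox: it parses the PnP device-instance string into its bus, device and instance fields and reports any hypervisor vendor tokens found in the device field. The marker list and the sample values are constructed assumptions; on a Windows host it reads the live entry via `winreg`, elsewhere it runs over the samples.

```python
"""Audit HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum value "0" for VM markers.
Added example; sample strings are constructed, not taken from the post."""
import re

# Illustrative vendor/product tokens seen in hypervisor disk descriptions (assumption: not exhaustive).
VM_MARKERS = ("vmware", "vbox", "qemu", "xen", "virtual", "msft")

# Constructed samples in the shape of a PnP device instance path: <bus>\<device>\<instance>.
SAMPLES = {
    "vmware": r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000",
    "vbox": r"IDE\DiskVBOX_HARDDISK___________________1.0_____\5&2a3c8d0e&0&0.0.0",
    "physical": r"SCSI\Disk&Ven_Samsung&Prod_SSD_870_EVO\4&3a7b5e9f&0&000000",
}

ENUM_RE = re.compile(r"^(?P<bus>[A-Za-z]+)\\(?P<device>[^\\]+)\\(?P<instance>.+)$")


def parse_disk_enum(value):
    """Split the entry into bus, device and instance fields; None if the shape is unexpected."""
    m = ENUM_RE.match(value)
    return m.groupdict() if m else None


def vm_markers(value):
    """Return the hypervisor tokens present in the device field (empty list = no obvious leak)."""
    parsed = parse_disk_enum(value)
    haystack = (parsed["device"] if parsed else value).lower()
    return [tok for tok in VM_MARKERS if tok in haystack]


def read_live_disk_enum():
    """Read value "0" from the real key on Windows; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\Disk\Enum")
    try:
        value, _ = winreg.QueryValueEx(key, "0")
    finally:
        winreg.CloseKey(key)
    return value


if __name__ == "__main__":
    live = read_live_disk_enum()
    targets = {"live": live} if live else SAMPLES
    for name, val in targets.items():
        hits = vm_markers(val)
        verdict = "VM markers: " + ", ".join(hits) if hits else "no VM markers"
        print(f"{name:8} {val}\n         -> {verdict}")
```

An empty list for the live entry means the check described above no longer reveals the hypervisor; a non-empty list names the exact token that the cleared or edited entry still leaks.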