Known evasion tricks, grouped by the system they engage.
VMWare Environment:
MAC address prefixes:

00:05:69
00:0C:29
00:1C:14
00:50:56
VMWare Files:

C:\\WINDOWS\\system32\\drivers\\vmmouse.sys
C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys
                      
VMWare RegKeys:

(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier", "VMWARE")

(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier", "VMWARE")

(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier", "VMWARE")

(HKEY_LOCAL_MACHINE, "SOFTWARE\\VMware, Inc.\\VMware Tools")
                      
General Sandbox
General key concepts:

Mouse position (cursor has not moved between two samples): if ((position1.x == position2.x) && (position1.y == position2.y))

Generic User Names: VIRUS, SANDBOX, MALWARE, TEST

Sample Path: \\MALWARE, \\VIRUS, \\SAMPLE, \\SANDBOX, \\TEST

Driver: \\\\.\\PhysicalDrive0, C:\\

Sleep Patching:
#include <windows.h>   /* the C snippets on this page use the Win32 API */

BOOL SleepPatched(void)
{
    DWORD time1 = GetTickCount();
    Sleep(500);
    /* A sandbox that shortens or skips Sleep() lets far less than 500 ms elapse. */
    if ((GetTickCount() - time1) > 450) return FALSE;
    else return TRUE;
}

Number of Processors:
/* 32-bit x86 only: TEB (fs:0x18) -> PEB (+0x30) -> PEB.NumberOfProcessors (+0x64) */
BOOL FewProcessors(void)
{
    DWORD NumberOfProcessors;
    __asm__ volatile (
        "mov %%fs:0x18, %%eax;"
        "mov %%ds:0x30(%%eax), %%eax;"
        "mov %%ds:0x64(%%eax), %%eax;"
        : "=a"(NumberOfProcessors));
    return NumberOfProcessors < 2 ? TRUE : FALSE;
}

Memory Less than 1G:
BOOL LowMemory(void)
{
    MEMORYSTATUSEX statex;
    statex.dwLength = sizeof(statex);
    GlobalMemoryStatusEx(&statex);
    /* total physical RAM in KiB below 1 GiB (1048576 KiB) */
    return (statex.ullTotalPhys / 1024) < 1048576 ? TRUE : FALSE;
}

QEMU Environment:
RegKeys:

(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier", "QEMU")
(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "QEMU")
Sandboxie Environment:
DLL Detect:

GetModuleHandle("sbiedll.dll")
WINE Environment:
DLL exports and RegKeys:

("kernel32.dll", "wine_get_unix_file_name")
(HKEY_CURRENT_USER, "SOFTWARE\\Wine")

VirtualBox Environment:
VirtualBox Strings:

"vboxservice.exe" //Process

"vboxtray.exe" //Process

"VirtualBox Shared Folders" //Network Share

"VBoxTrayToolWndClass"  //TrayWindow

"VBoxTrayToolWnd" //TrayWindow

"\x08\x00\x27" //MAC address prefix (08:00:27)

"\\\\.\\VBoxMiniRdrDN"

"\\\\.\\pipe\\VBoxMiniRdDN"

"\\\\.\\VBoxTrayIPC"

"\\\\.\\pipe\\VBoxTrayIPC"
                      
VirtualBox Files:

"\\system32\\vboxdisp.dll"

"\\system32\\vboxhook.dll"

"\\system32\\vboxmrxnp.dll"

"\\system32\\vboxogl.dll"

"\\system32\\vboxoglarrayspu.dll"

"\\system32\\vboxoglcrutil.dll"

"\\system32\\vboxoglerrorspu.dll"

"\\system32\\vboxoglfeedbackspu.dll"

"\\system32\\vboxoglpackspu.dll"

"\\system32\\vboxoglpassthroughspu.dll"

"\\system32\\vboxservice.exe"

"\\system32\\vboxtray.exe"

"\\system32\\VBoxControl.exe"

"\\oracle\\virtualbox guest additions\\"

"\\system32\\drivers\\VBoxMouse.sys"

"\\system32\\drivers\\VBoxGuest.sys"

"\\system32\\drivers\\VBoxSF.sys"

"\\system32\\drivers\\VBoxVideo.sys"
                      
VirtualBox RegKeys:

(HKEY_LOCAL_MACHINE, "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier", "VBOX")

(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "SystemBiosVersion", "VBOX")

(HKEY_LOCAL_MACHINE, "SOFTWARE\\Oracle\\VirtualBox Guest Additions")

(HKEY_LOCAL_MACHINE, "HARDWARE\\Description\\System", "VideoBiosVersion", "VIRTUALBOX")

(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\DSDT\\VBOX__")

(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\FADT\\VBOX__")

(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\RSDT\\VBOX__")

(HKEY_LOCAL_MACHINE, "HARDWARE\\DESCRIPTION\\System", "SystemBiosDate", "06/23/99")

"SYSTEM\\ControlSet001\\Services\\VBoxGuest"

"SYSTEM\\ControlSet001\\Services\\VBoxMouse"

"SYSTEM\\ControlSet001\\Services\\VBoxService"

"SYSTEM\\ControlSet001\\Services\\VBoxSF"

"SYSTEM\\ControlSet001\\Services\\VBoxVideo"

More coming... (I just need to find the time to write them down)


If you want to contribute, please drop me an email!

Powered by Marco Ramilli