├── README.md ├── al-khaser.exe ├── antiVM.py ├── antiVM.rules └── png └── show.gif /README.md: -------------------------------------------------------------------------------- 1 | # antiVM IDA Pro plugin 2 | 3 | ## Description 4 | The antiVM plugin aims to quickly identify anti-virtual-machine and anti-sandbox behavior, which can speed up malware analysis. 5 | 6 | The `antiVM.rules` file is an extended version of the rules from [here](https://github.com/Yara-Rules). The [al-khaser](https://github.com/LordNoteworthy/al-khaser) test binary was then used to test and enrich the rules. 7 | 8 | Unfortunately, al-khaser no longer provides release builds, so a copy is included in this repo. 9 | 10 | # How to use 11 | 12 | Just put `antiVM.py` and `antiVM.rules` in your `ida7.x plugins` directory and you are ready to go. 13 | 14 | Before using the plugin you must install the Python YARA module: `pip install yara-python` 15 | 16 | The plugin can be launched from the menu using `Edit->Plugins->antiVM` or with the hotkey `Ctrl-Alt-A`. 17 | ![show](https://github.com/Hipepper/antiVM/raw/main/png/show.gif) 18 | 19 | # Some TODOs 20 | 21 | Some YARA rules are broad, like the one below, which may produce false positives. 22 | ``` 23 | rule sandBox_usernames { 24 | meta: 25 | Author = "jentle" 26 | reference = "https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/" 27 | 28 | strings: 29 | $s1="CurrentUser" wide 30 | $s2="Sandbox" wide 31 | $s3="Emily" wide 32 | $s4="HAPUBWS" wide 33 | $s5="Hong Lee" wide 34 | $s6="IT-ADMIN" wide 35 | $s7="milozs" wide 36 | $s8="Peter Wilson" wide 37 | $s9="timmy" wide 38 | $s10="user" wide 39 | $s11="sand box" wide 40 | $s12="malware" wide 41 | $s13="maltest" wide 42 | $s14="test user" wide 43 | $s15="virus" wide 44 | condition: 45 | any of them 46 | } 47 | ``` 48 | 49 | More malicious-behavior rules will be added in the future, and more IOAs need to be collected. 
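import idaapi
import idautils
import ida_bytes
import idc
import ida_kernwin
import yara
import string
import os
import tkinter

from tkinter import messagebox

PLUGIN_NAME = "antiVM"
PLUGIN_HOTKEY = "Ctrl-Alt-A"
VERSION = '1.0.0'
# The rule file is looked up next to this plugin file, i.e. inside the IDA plugins directory.
globalRuleFile = os.path.join(os.path.dirname(os.path.abspath(__file__)), "antiVM.rules")
# globalRuleFile = "antiVM.rules"

try:
    class Kp_Menu_Context(idaapi.action_handler_t):
        """Base IDA action handler used to expose plugin commands as actions.

        ``register`` stores the owning plugin and the label on the class so
        that subclasses can reach the plugin from ``activate``.
        """

        def __init__(self):
            idaapi.action_handler_t.__init__(self)

        @classmethod
        def get_name(cls):
            # The class name doubles as the unique action id.
            return cls.__name__

        @classmethod
        def get_label(cls):
            return cls.label

        @classmethod
        def register(cls, plugin, label):
            """Register this handler as an IDA action.

            Args:
                plugin: the plugin instance the handler acts on.
                label: text shown to the user for the action.
            Returns:
                Whatever idaapi.register_action returns (truthy on success).
            """
            cls.plugin = plugin
            cls.label = label
            instance = cls()
            return idaapi.register_action(idaapi.action_desc_t(
                cls.get_name(),        # Name. Acts as an ID. Must be unique.
                instance.get_label(),  # Label. That's what users see.
                instance               # Handler. Called when activated, and for updating
            ))

        @classmethod
        def unregister(cls):
            """Unregister the action.
            After unregistering the class cannot be used.
            """
            idaapi.unregister_action(cls.get_name())

        @classmethod
        def activate(cls, ctx):
            # dummy method; subclasses override it
            return 1

        @classmethod
        def update(cls, ctx):
            # Only offer the action while a disassembly view has focus.
            if ctx.form_type == idaapi.BWN_DISASM:
                return idaapi.AST_ENABLE_FOR_WIDGET
            return idaapi.AST_DISABLE_FOR_WIDGET

    class Searcher(Kp_Menu_Context):
        """Context-menu action that runs the YARA scan with the default rule file."""

        def activate(self, ctx):
            # search() falls back to globalRuleFile when no path is given.
            self.plugin.search()
            return 1

except Exception:
    # IDA builds without action_handler_t: the plugin still works via its hotkey (run()).
    pass

p_initialized = False


class YaraSearchResultChooser(idaapi.Choose):
    """Chooser listing YARA matches; selecting a row jumps to the match address.

    Each item is a list ``[ea, rule_name, match_name, match_text, match_type]``
    as produced by antiVM_Plugin_t.yarasearch().
    """

    def __init__(self, title, items, flags=0, width=None, height=None, embedded=False, modal=False):
        # ``modal`` is accepted for interface compatibility but not forwarded to idaapi.Choose.
        idaapi.Choose.__init__(
            self,
            title,
            [
                ["Address", idaapi.Choose.CHCOL_HEX | 10],
                ["Rule Name", idaapi.Choose.CHCOL_PLAIN | 20],
                ["Match Name", idaapi.Choose.CHCOL_PLAIN | 20],
                ["Match", idaapi.Choose.CHCOL_PLAIN | 40],
                ["Type", idaapi.Choose.CHCOL_PLAIN | 10],
            ],
            flags=flags,
            width=width,
            height=height,
            embedded=embedded)
        self.items = items
        self.selcount = 0  # number of rows the user has activated so far
        self.n = len(items)

    def OnClose(self):
        return

    def OnSelectLine(self, n):
        """Jump the disassembly view to the address of row ``n``."""
        self.selcount += 1
        ida_kernwin.jumpto(self.items[n][0])

    def OnGetLine(self, n):
        """Return the display strings for row ``n``; the address is rendered by idc.atoa."""
        ea, rule_name, match_name, match_text, match_type = self.items[n]
        return [idc.atoa(ea), rule_name, match_name, match_text, match_type]

    def OnGetSize(self):
        return len(self.items)

    def show(self):
        """Display the chooser; False only when IDA reports a negative result."""
        return self.Show() >= 0

#--------------------------------------------------------------------------
# Plugin
#--------------------------------------------------------------------------
class antiVM_Plugin_t(idaapi.plugin_t):
    """IDA plugin that scans the loaded segments with the antiVM YARA rule set."""

    comment = "antiVM plugin for IDA Pro (using yara framework)"
    help = ""
    wanted_name = PLUGIN_NAME
    wanted_hotkey = PLUGIN_HOTKEY
    flags = idaapi.PLUGIN_KEEP

    def init(self):
        """Register the actions/menu entry once per IDA session and keep the plugin loaded."""
        global p_initialized

        # register popup menu handlers
        try:
            Searcher.register(self, "antiVM")
        except Exception:
            # Searcher is undefined when action_handler_t is unavailable (see the try block above).
            pass

        if p_initialized is False:
            p_initialized = True
            # NOTE(review): a bound method is passed where idaapi documents an
            # action_handler_t; kept as the original did it — confirm it is accepted
            # by the targeted IDA version. The hotkey path (run) does not depend on it.
            idaapi.register_action(idaapi.action_desc_t(
                "antiVM",
                "Find antiVM rule matches!",
                self.search,
                None,
                None,
                0))
            idaapi.attach_action_to_menu("Edit/antiVM", "antiVM", idaapi.SETMENU_APP)
            print("=" * 80)
            print(r" _ ___ ____ __ ")
            print(r" | | (_) \ / / \/ |")
            print(r" __ _ _ __ | |_ _ \ \ / /| \ / |")
            print(r" / _` | '_ \| __| | \ \/ / | |\/| |")
            print(r" | (_| | | | | |_| | \ / | | | |")
            print(r" \__,_|_| |_|\__|_| \/ |_| |_|")
            print("=" * 80)

        return idaapi.PLUGIN_KEEP

    def term(self):
        pass

    def toVirtualAddress(self, offset, segments):
        """Map an offset in the concatenated segment buffer back to a virtual address.

        Args:
            offset: index into the bytes returned by get_memory().
            segments: the ``(start_ea, buf_start, buf_end)`` triples from get_memory().
        Returns:
            The virtual address, or 0 when no segment covers ``offset`` (the
            original fallback; by construction every match offset lies in a segment).
        """
        for start_ea, buf_start, buf_end in segments:
            if buf_start <= offset < buf_end:
                return start_ea + (offset - buf_start)
        return 0

    @staticmethod
    def _show_info(title, message):
        """Show an informational dialog without leaving an empty Tk root window behind."""
        root = tkinter.Tk()
        root.withdraw()
        try:
            messagebox.showinfo(title, message, parent=root)
        finally:
            root.destroy()

    def search(self, yara_file=None):
        """Compile ``yara_file`` (default: globalRuleFile), scan the database and show results.

        Args:
            yara_file: path to the YARA rule file; None selects globalRuleFile so the
                context-menu action (which passes no argument) works.
        """
        if yara_file is None:
            yara_file = globalRuleFile
        # Compile first: a broken rule file should fail before the segments are read.
        try:
            rules = yara.compile(yara_file)
        except (yara.Error, OSError) as exc:
            print("ERROR: Cannot compile Yara rules from %s" % yara_file)
            print(exc)
            return
        memory, offsets = self.get_memory()
        values = self.yarasearch(memory, offsets, rules)
        chooser = YaraSearchResultChooser("antiVM results", values)
        chooser.show()
        title = "antiVM result"
        message = "antiVM rules path:" + str(globalRuleFile) + "\n"
        message += "find anti nums:" + str(len(values))
        self._show_info(title, message)

    @staticmethod
    def _iter_string_matches(rule_match):
        """Yield ``(offset, identifier, matched_bytes)`` for every string hit of a rule.

        Handles both the tuple form (yara-python < 4.3) and the StringMatch /
        StringMatchInstance objects introduced in yara-python 4.3.
        """
        for item in rule_match.strings:
            if hasattr(item, "instances"):
                for inst in item.instances:
                    yield inst.offset, item.identifier, inst.matched_data
            else:
                offset, identifier, data = item
                yield offset, identifier, data

    @staticmethod
    def _describe_match(data):
        """Return ``(text, kind)`` for matched bytes: ascii, wide (UTF-16LE) or hex dump."""
        if all(chr(c) in string.printable for c in data):
            return data.decode('utf-8'), 'ascii string'
        if all(chr(c) in string.printable + '\x00' for c in data) and (b'\x00\x00' not in data):
            # YARA "wide" strings are UTF-16LE; errors='replace' keeps an odd-length
            # or otherwise malformed hit from raising while listing results.
            return data.decode('utf-16-le', errors='replace'), 'wide string'
        return " ".join("{:02x}".format(c) for c in data), 'binary'

    def yarasearch(self, memory, offsets, rules):
        """Run ``rules`` over ``memory`` and build chooser rows.

        Args:
            memory: concatenated segment bytes from get_memory().
            offsets: segment table from get_memory(), used to map offsets to addresses.
            rules: a compiled yara.Rules object.
        Returns:
            A list of ``[ea, rule_name, match_name, match_text, match_type]`` rows.
        """
        values = []
        for rule_match in rules.match(data=memory):
            name = rule_match.rule
            for offset, identifier, data in self._iter_string_matches(rule_match):
                match_text, match_type = self._describe_match(data)
                values.append([
                    self.toVirtualAddress(offset, offsets),
                    name,
                    identifier,
                    match_text,
                    match_type,
                ])
        return values

    def get_memory(self):
        """Read every segment of the database into one buffer.

        Returns:
            ``(memory, offsets)`` where ``offsets`` lists ``(start_ea, buf_start, buf_end)``
            per segment so buffer offsets can be mapped back to addresses.
        """
        result = bytearray()
        offsets = []
        for start in idautils.Segments():
            end = idc.get_segm_attr(start, idc.SEGATTR_END)
            chunk = ida_bytes.get_bytes(start, end - start)
            if chunk is None:
                # get_bytes reports an unreadable range as None; skipping the segment
                # keeps the offset table consistent with the buffer instead of crashing.
                continue
            buf_start = len(result)
            result += chunk
            offsets.append((start, buf_start, len(result)))
        return bytes(result), offsets

    def run(self, arg):
        """Hotkey/menu entry point: scan with the bundled rule file if it exists."""
        if not os.path.exists(globalRuleFile):
            # Return instead of exit(): raising SystemExit inside IDA only produces a traceback.
            print("ERROR: can not find antiVM.rules in the root path!!")
            return
        print("antiVM INFO:", globalRuleFile)
        self.search(globalRuleFile)


# register IDA plugin
def PLUGIN_ENTRY():
    return antiVM_Plugin_t()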
3 | */ 4 | 5 | import "pe" 6 | 7 | private rule WindowsPE 8 | { 9 | condition: 10 | uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 11 | } 12 | 13 | rule DebuggerCheck__PEB : AntiDebug DebuggerCheck { 14 | meta: 15 | weight = 1 16 | Author = "naxonez" 17 | reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 18 | strings: 19 | $ ="IsDebugged" 20 | condition: 21 | any of them 22 | } 23 | 24 | rule DebuggerCheck__GlobalFlags : AntiDebug DebuggerCheck { 25 | meta: 26 | weight = 1 27 | Author = "naxonez" 28 | reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 29 | strings: 30 | $ ="NtGlobalFlags" 31 | condition: 32 | any of them 33 | } 34 | 35 | rule DebuggerCheck__QueryInfo : AntiDebug DebuggerCheck { 36 | meta: 37 | weight = 1 38 | Author = "naxonez" 39 | reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 40 | strings: 41 | $ ="QueryInformationProcess" 42 | condition: 43 | any of them 44 | } 45 | 46 | rule DebuggerCheck__RemoteAPI : AntiDebug DebuggerCheck { 47 | meta: 48 | weight = 1 49 | Author = "naxonez" 50 | reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 51 | strings: 52 | $ ="CheckRemoteDebuggerPresent" 53 | condition: 54 | any of them 55 | } 56 | 57 | rule DebuggerHiding__Thread : AntiDebug DebuggerHiding { 58 | meta: 59 | Author = "naxonez" 60 | reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 61 | weight = 1 62 | strings: 63 | $ ="SetInformationThread" 64 | condition: 65 | any of them 66 | } 67 | 68 | rule DebuggerHiding__Active : AntiDebug DebuggerHiding { 69 | meta: 70 | weight = 1 71 | Author = "naxonez" 72 | reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 73 | strings: 74 | $ ="DebugActiveProcess" 75 | condition: 76 | any of them 77 | } 78 | 79 | // 20150909 - Issue #39 - Commented because of High FP rate 80 | /* 81 | rule 
DebuggerTiming__PerformanceCounter : AntiDebug DebuggerTiming { 82 | meta: 83 | weight = 1 84 | Author = "naxonez" 85 | reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 86 | strings: 87 | $ ="QueryPerformanceCounter" 88 | condition: 89 | any of them 90 | } 91 | */ 92 | 93 | // 20150909 - Issue #39 - Commented because of High FP rate 94 | /* 95 | rule DebuggerTiming__Ticks : AntiDebug DebuggerTiming { 96 | meta: 97 | weight = 1 98 | Author = "naxonez" 99 | reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 100 | strings: 101 | $ ="GetTickCount" 102 | condition: 103 | any of them 104 | } 105 | */ 106 | 107 | // 20150909 - Issue #39 - Commented because of High FP rate 108 | /* 109 | rule DebuggerOutput__String : AntiDebug DebuggerOutput { 110 | meta: 111 | weight = 1 112 | Author = "naxonez" 113 | reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 114 | strings: 115 | $ ="OutputDebugString" 116 | condition: 117 | any of them 118 | } 119 | */ 120 | 121 | // 20150909 - Issue #39 - Commented because of High FP rate 122 | /* 123 | rule DebuggerException__UnhandledFilter : AntiDebug DebuggerException { 124 | meta: 125 | weight = 1 126 | Author = "naxonez" 127 | reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 128 | strings: 129 | $ ="SetUnhandledExceptionFilter" 130 | condition: 131 | any of them 132 | } 133 | */ 134 | 135 | rule DebuggerException__ConsoleCtrl : AntiDebug DebuggerException { 136 | meta: 137 | weight = 1 138 | Author = "naxonez" 139 | reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 140 | strings: 141 | $ ="GenerateConsoleCtrlEvent" 142 | condition: 143 | any of them 144 | } 145 | 146 | rule DebuggerException__SetConsoleCtrl : AntiDebug DebuggerException { 147 | meta: 148 | weight = 1 149 | Author = "naxonez" 150 | reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 151 
| strings: 152 | $ ="SetConsoleCtrlHandler" 153 | condition: 154 | any of them 155 | } 156 | 157 | rule ThreadControl__Context : AntiDebug ThreadControl { 158 | meta: 159 | weight = 1 160 | Author = "naxonez" 161 | reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 162 | strings: 163 | $ ="SetThreadContext" 164 | condition: 165 | any of them 166 | } 167 | 168 | rule DebuggerCheck__DrWatson : AntiDebug DebuggerCheck { 169 | meta: 170 | weight = 1 171 | Author = "naxonez" 172 | reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 173 | strings: 174 | $ ="__invoke__watson" 175 | condition: 176 | any of them 177 | } 178 | 179 | rule SEH__v3 : AntiDebug SEH { 180 | meta: 181 | weight = 1 182 | Author = "naxonez" 183 | reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 184 | strings: 185 | $ = "____except__handler3" 186 | $ = "____local__unwind3" 187 | condition: 188 | any of them 189 | } 190 | 191 | rule SEH__v4 : AntiDebug SEH { 192 | // VS 8.0+ 193 | meta: 194 | weight = 1 195 | Author = "naxonez" 196 | reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 197 | strings: 198 | $ = "____except__handler4" 199 | $ = "____local__unwind4" 200 | $ = "__XcptFilter" 201 | condition: 202 | any of them 203 | } 204 | 205 | rule SEH__vba : AntiDebug SEH { 206 | meta: 207 | weight = 1 208 | Author = "naxonez" 209 | reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 210 | strings: 211 | $ = "vbaExceptHandler" 212 | condition: 213 | any of them 214 | } 215 | 216 | rule SEH__vectored : AntiDebug SEH { 217 | meta: 218 | weight = 1 219 | Author = "naxonez" 220 | reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 221 | strings: 222 | $ = "AddVectoredExceptionHandler" 223 | $ = "RemoveVectoredExceptionHandler" 224 | condition: 225 | any of them 226 | } 227 | 228 | // 20150909 - Issue #39 - Commented because of 
High FP rate 229 | /* 230 | rule DebuggerPattern__RDTSC : AntiDebug DebuggerPattern { 231 | meta: 232 | weight = 1 233 | Author = "naxonez" 234 | reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 235 | strings: 236 | $ = {0F 31} 237 | condition: 238 | any of them 239 | } 240 | */ 241 | 242 | // 20150909 - Issue #39 - Commented because of High FP rate 243 | /* 244 | rule DebuggerPattern__CPUID : AntiDebug DebuggerPattern { 245 | meta: 246 | weight = 1 247 | Author = "naxonez" 248 | reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 249 | strings: 250 | $ = {0F A2} 251 | condition: 252 | any of them 253 | } 254 | */ 255 | 256 | // 20150909 - Issue #39 - Commented because of High FP rate 257 | /* 258 | rule DebuggerPattern__SEH_Saves : AntiDebug DebuggerPattern { 259 | meta: 260 | weight = 1 261 | Author = "naxonez" 262 | reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 263 | strings: 264 | $ = {64 ff 35 00 00 00 00} 265 | condition: 266 | any of them 267 | } 268 | */ 269 | 270 | // 20150909 - Issue #39 - Commented because of High FP rate 271 | /* 272 | rule DebuggerPattern__SEH_Inits : AntiDebug DebuggerPattern { 273 | meta: 274 | weight = 1 275 | Author = "naxonez" 276 | reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 277 | strings: 278 | $ = {64 89 25 00 00 00 00} 279 | condition: 280 | any of them 281 | } 282 | */ 283 | 284 | rule SEH_Save : Tactic_DefensiveEvasion Technique_AntiDebugging SubTechnique_SEH 285 | { 286 | meta: 287 | author = "Malware Utkonos" 288 | original_author = "naxonez" 289 | source = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 290 | strings: 291 | $a = { 64 ff 35 00 00 00 00 } 292 | condition: 293 | WindowsPE and $a 294 | } 295 | 296 | rule SEH_Init : Tactic_DefensiveEvasion Technique_AntiDebugging SubTechnique_SEH 297 | { 298 | meta: 299 | author = "Malware Utkonos" 300 | original_author 
= "naxonez" 301 | source = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara" 302 | strings: 303 | $a = { 64 A3 00 00 00 00 } 304 | $b = { 64 89 25 00 00 00 00 } 305 | condition: 306 | WindowsPE and ($a or $b) 307 | } 308 | 309 | 310 | rule Check_Dlls 311 | { 312 | meta: 313 | Author = "Nick Hoffman" 314 | Description = "Checks for common sandbox dlls" 315 | Sample = "de1af0e97e94859d372be7fcf3a5daa5" 316 | strings: 317 | $dll1 = "sbiedll.dll" wide nocase ascii fullword 318 | $dll2 = "dbghelp.dll" wide nocase ascii fullword 319 | $dll3 = "api_log.dll" wide nocase ascii fullword 320 | $dll4 = "dir_watch.dll" wide nocase ascii fullword 321 | $dll5 = "pstorec.dll" wide nocase ascii fullword 322 | $dll6 = "vmcheck.dll" wide nocase ascii fullword 323 | $dll7 = "wpespy.dll" wide nocase ascii fullword 324 | condition: 325 | 2 of them 326 | } 327 | 328 | rule Check_Qemu_Description 329 | { 330 | meta: 331 | Author = "Nick Hoffman" 332 | Description = "Checks for QEMU systembiosversion key" 333 | Sample = "de1af0e97e94859d372be7fcf3a5daa5" 334 | strings: 335 | $key = "HARDWARE\\Description\\System" nocase wide ascii 336 | $value = "SystemBiosVersion" nocase wide ascii 337 | $data = "QEMU" wide nocase ascii 338 | condition: 339 | all of them 340 | } 341 | 342 | rule Check_Qemu_DeviceMap 343 | { 344 | meta: 345 | Author = "Nick Hoffman" 346 | Description = "Checks for Qemu reg keys" 347 | Sample = "de1af0e97e94859d372be7fcf3a5daa5" 348 | strings: 349 | $key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" nocase wide ascii 350 | $value = "Identifier" nocase wide ascii 351 | $data = "QEMU" wide nocase ascii 352 | condition: 353 | all of them 354 | } 355 | 356 | rule Check_VBox_Description 357 | { 358 | meta: 359 | Author = "Nick Hoffman" 360 | Description = "Checks Vbox description reg key" 361 | Sample = "de1af0e97e94859d372be7fcf3a5daa5" 362 | strings: 363 | $key = "HARDWARE\\Description\\System" nocase wide ascii 364 
| $value = "SystemBiosVersion" nocase wide ascii 365 | $data = "VBOX" nocase wide ascii 366 | condition: 367 | all of them 368 | } 369 | rule Check_VBox_DeviceMap 370 | { 371 | meta: 372 | Author = "Nick Hoffman" 373 | Description = "Checks Vbox registry keys" 374 | Sample = "de1af0e97e94859d372be7fcf3a5daa5" 375 | strings: 376 | $key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" nocase wide ascii 377 | $value = "Identifier" nocase wide ascii 378 | $data = "VBOX" nocase wide ascii 379 | condition: 380 | all of them 381 | } 382 | rule Check_VBox_Guest_Additions 383 | { 384 | meta: 385 | Author = "Nick Hoffman" 386 | Description = "Checks for the existence of the guest additions registry key" 387 | Sample = "de1af0e97e94859d372be7fcf3a5daa5" 388 | strings: 389 | $key = "SOFTWARE\\Oracle\\VirtualBox Guest Additions" wide ascii nocase 390 | condition: 391 | any of them 392 | } 393 | rule Check_VBox_VideoDrivers 394 | { 395 | meta: 396 | Author = "Nick Hoffman" 397 | Description = "Checks for reg keys of Vbox video drivers" 398 | Sample = "de1af0e97e94859d372be7fcf3a5daa5" 399 | strings: 400 | $key = "HARDWARE\\Description\\System" nocase wide ascii 401 | $value = "VideoBiosVersion" wide nocase ascii 402 | $data = "VIRTUALBOX" nocase wide ascii 403 | condition: 404 | all of them 405 | } 406 | rule Check_VMWare_DeviceMap 407 | { 408 | meta: 409 | Author = "Nick Hoffman" 410 | Description = "Checks for the existence of VmWare Registry Keys" 411 | Sample = "de1af0e97e94859d372be7fcf3a5daa5" 412 | strings: 413 | $key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" wide ascii nocase 414 | $value = "Identifier" wide nocase ascii 415 | $data = "VMware" wide nocase ascii 416 | condition: 417 | all of them 418 | } 419 | rule Check_VmTools 420 | { 421 | meta: 422 | Author = "Nick Hoffman" 423 | Description = "Checks for the existence of VmTools reg key" 424 | Sample = 
"de1af0e97e94859d372be7fcf3a5daa5" 425 | strings: 426 | $ ="SOFTWARE\\VMware, Inc.\\VMware Tools" nocase ascii wide 427 | condition: 428 | any of them 429 | } 430 | rule Check_Wine 431 | { 432 | meta: 433 | Author = "Nick Hoffman" 434 | Description = "Checks for the existence of Wine" 435 | Sample = "de1af0e97e94859d372be7fcf3a5daa5" 436 | strings: 437 | $ ="wine_get_unix_file_name" 438 | condition: 439 | any of them 440 | } 441 | 442 | rule vmdetect 443 | { 444 | meta: 445 | author = "nex" 446 | description = "Possibly employs anti-virtualization techniques" 447 | 448 | strings: 449 | // Binary tricks 450 | $vmware = {56 4D 58 68} 451 | $virtualpc = {0F 3F 07 0B} 452 | $ssexy = {66 0F 70 ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F EF} 453 | $vmcheckdll = {45 C7 00 01} 454 | $redpill = {0F 01 0D 00 00 00 00 C3} 455 | 456 | // Random strings 457 | $vmware1 = "VMXh" 458 | $vmware2 = "Ven_VMware_" nocase 459 | $vmware3 = "Prod_VMware_Virtual_" nocase 460 | $vmware4 = "hgfs.sys" nocase 461 | $vmware5 = "mhgfs.sys" nocase 462 | $vmware6 = "prleth.sys" nocase 463 | $vmware7 = "prlfs.sys" nocase 464 | $vmware8 = "prlmouse.sys" nocase 465 | $vmware9 = "prlvideo.sys" nocase 466 | $vmware10 = "prl_pv32.sys" nocase 467 | $vmware11 = "vpc-s3.sys" nocase 468 | $vmware12 = "vmsrvc.sys" nocase 469 | $vmware13 = "vmx86.sys" nocase 470 | $vmware14 = "vmnet.sys" nocase 471 | $vmware15 = "vmicheartbeat" nocase 472 | $vmware16 = "vmicvss" nocase 473 | $vmware17 = "vmicshutdown" nocase 474 | $vmware18 = "vmicexchange" nocase 475 | $vmware19 = "vmdebug" nocase 476 | $vmware20 = "vmmouse" nocase 477 | $vmware21 = "vmtools" nocase 478 | $vmware22 = "VMMEMCTL" nocase 479 | $vmware23 = "vmx86" nocase 480 | $vmware24 = "vmware" nocase 481 | $virtualpc1 = "vpcbus" nocase 482 | $virtualpc2 = "vpc-s3" nocase 483 | $virtualpc3 = "vpcuhub" nocase 484 | $virtualpc4 = "msvmmouf" nocase 485 | $xen1 = "xenevtchn" nocase 486 | $xen2 = "xennet" nocase 487 | $xen3 = "xennet6" nocase 488 
| $xen4 = "xensvc" nocase 489 | $xen5 = "xenvdb" nocase 490 | $xen6 = "XenVMM" nocase 491 | $virtualbox1 = "VBoxHook.dll" nocase 492 | $virtualbox2 = "VBoxService" nocase 493 | $virtualbox3 = "VBoxTray" nocase 494 | $virtualbox4 = "VBoxMouse" nocase 495 | $virtualbox5 = "VBoxGuest" nocase 496 | $virtualbox6 = "VBoxSF" nocase 497 | $virtualbox7 = "VBoxGuestAdditions" nocase 498 | $virtualbox8 = "VBOX HARDDISK" nocase 499 | 500 | // MAC addresses 501 | $vmware_mac_1a = "00-05-69" 502 | $vmware_mac_1b = "00:05:69" 503 | $vmware_mac_1c = "000569" 504 | $vmware_mac_2a = "00-50-56" 505 | $vmware_mac_2b = "00:50:56" 506 | $vmware_mac_2c = "005056" 507 | $vmware_mac_3a = "00-0C-29" nocase 508 | $vmware_mac_3b = "00:0C:29" nocase 509 | $vmware_mac_3c = "000C29" nocase 510 | $vmware_mac_4a = "00-1C-14" nocase 511 | $vmware_mac_4b = "00:1C:14" nocase 512 | $vmware_mac_4c = "001C14" nocase 513 | $virtualbox_mac_1a = "08-00-27" 514 | $virtualbox_mac_1b = "08:00:27" 515 | $virtualbox_mac_1c = "080027" 516 | 517 | condition: 518 | any of them 519 | } 520 | 521 | rule Check_Debugger 522 | { 523 | meta: 524 | Author = "Nick Hoffman" 525 | Description = "Looks for both isDebuggerPresent and CheckRemoteDebuggerPresent" 526 | Sample = "de1af0e97e94859d372be7fcf3a5daa5" 527 | condition: 528 | pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and 529 | pe.imports("kernel32.dll","IsDebuggerPresent") 530 | } 531 | 532 | rule Check_DriveSize 533 | { 534 | meta: 535 | Author = "Nick Hoffman" 536 | Description = "Rule tries to catch uses of DeviceIOControl being used to get the drive size" 537 | Sample = "de1af0e97e94859d372be7fcf3a5daa5" 538 | 539 | strings: 540 | $physicaldrive = "\\\\.\\PhysicalDrive0" wide ascii nocase 541 | $dwIoControlCode = {68 5c 40 07 00 [0-5] FF 15} //push 7405ch ; push esi (handle) then call deviceoiocontrol IOCTL_DISK_GET_LENGTH_INFO 542 | condition: 543 | pe.imports("kernel32.dll","CreateFileA") and 544 | pe.imports("kernel32.dll","DeviceIoControl") and 
545 | $dwIoControlCode and 546 | $physicaldrive 547 | } 548 | rule Check_FilePaths 549 | { 550 | meta: 551 | Author = "Nick Hoffman" 552 | Description = "Checks for filepaths containing popular sandbox names" 553 | Sample = "de1af0e97e94859d372be7fcf3a5daa5" 554 | strings: 555 | $path1 = "SANDBOX" wide ascii 556 | $path2 = "\\SAMPLE" wide ascii 557 | $path3 = "\\VIRUS" wide ascii 558 | condition: 559 | all of ($path*) and pe.imports("kernel32.dll","GetModuleFileNameA") 560 | } 561 | 562 | rule Check_UserNames 563 | { 564 | meta: 565 | Author = "Nick Hoffman" 566 | Description = "Looks for malware checking for common sandbox usernames" 567 | Sample = "de1af0e97e94859d372be7fcf3a5daa5" 568 | strings: 569 | $user1 = "MALTEST" wide ascii 570 | $user2 = "TEQUILABOOMBOOM" wide ascii 571 | $user3 = "SANDBOX" wide ascii 572 | $user4 = "VIRUS" wide ascii 573 | $user5 = "MALWARE" wide ascii 574 | condition: 575 | all of ($user*) and pe.imports("advapi32.dll","GetUserNameA") 576 | } 577 | 578 | 579 | rule Check_OutputDebugStringA_iat 580 | { 581 | 582 | meta: 583 | Author = "http://twitter.com/j0sm1" 584 | Description = "Detect in IAT OutputDebugstringA" 585 | Date = "20/04/2015" 586 | 587 | condition: 588 | pe.imports("kernel32.dll","OutputDebugStringA") 589 | } 590 | 591 | // 20150909 - Issue #39 - Commented because of High FP rate 592 | /* 593 | rule Check_unhandledExceptionFiler_iat { 594 | meta: 595 | Author = "http://twitter.com/j0sm1" 596 | Description = "it's checked if UnhandledExceptionFilter is imported" 597 | Date = "20/04/2015" 598 | Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#UnhandledExceptionFilter" 599 | condition: 600 | pe.imports("kernel32.dll","UnhandledExceptionFilter") 601 | } 602 | */ 603 | 604 | // 20150909 - Issue #39 - Commented because of High FP rate 605 | /* 606 | rule check_RaiseException_iat { 607 | meta: 608 | Author = "http://twitter.com/j0sm1" 609 | Description = "it's checked if RaiseException is 
imported" 610 | Date = "20/04/2015" 611 | Reference = "http://waleedassar.blogspot.com.es/2012/11/ollydbg-raiseexception-bug.html" 612 | condition: 613 | pe.imports("kernel32.dll","RaiseException") 614 | } 615 | */ 616 | 617 | rule Check_FindWindowA_iat { 618 | 619 | meta: 620 | Author = "http://twitter.com/j0sm1" 621 | Description = "it's checked if FindWindowA() is imported" 622 | Date = "20/04/2015" 623 | Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#OllyFindWindow" 624 | 625 | strings: 626 | $ollydbg = "OLLYDBG" 627 | $windbg = "WinDbgFrameClass" 628 | 629 | condition: 630 | pe.imports("user32.dll","FindWindowA") and ($ollydbg or $windbg) 631 | } 632 | 633 | rule DebuggerCheck__MemoryWorkingSet : AntiDebug DebuggerCheck { 634 | meta: 635 | author = "Fernando Mercês" 636 | date = "2015-06" 637 | description = "Anti-debug process memory working set size check" 638 | reference = "http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/" 639 | 640 | condition: 641 | pe.imports("kernel32.dll", "K32GetProcessMemoryInfo") and 642 | pe.imports("kernel32.dll", "GetCurrentProcess") 643 | } 644 | 645 | rule WMI_VM_Detect : WMI_VM_Detect 646 | { 647 | meta: 648 | 649 | version = 2 650 | threat = "Using WMI to detect virtual machines via querying video card information" 651 | behaviour_class = "Evasion" 652 | author = "Joe Giron" 653 | date = "2015-09-25" 654 | description = "Detection of Virtual Appliances through the use of WMI for use of evasion." 
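// (continuation of the rule whose header precedes this chunk: WMI video-controller probe)
    strings:

        $selstr = "SELECT Description FROM Win32_VideoController" nocase ascii wide
        $selstr2 = "SELECT * FROM Win32_VideoController" nocase ascii wide
        $vm1 = "virtualbox graphics adapter" nocase ascii wide
        $vm2 = "vmware svga ii" nocase ascii wide
        $vm3 = "vm additions s3 trio32/64" nocase ascii wide
        $vm4 = "parallel" nocase ascii wide
        $vm5 = "remotefx" nocase ascii wide
        $vm6 = "cirrus logic" nocase ascii wide
        $vm7 = "matrox" nocase ascii wide

    condition:
        // a WMI query for the video controller together with a known virtual GPU name
        any of ($selstr*) and any of ($vm*)
}

// Debugger presence checks: requires the Kernel32 module name plus one debug API name.
// NOTE(review): IsDebuggerPresent / OutputDebugString are imported by plenty of benign
// binaries; treat a hit as a weak signal rather than proof of anti-debugging.
rule anti_dbg {
    meta:
        author = "x0r"
        description = "Checks if being debugged"
        version = "0.2"
    strings:
        $d1 = "Kernel32.dll" nocase
        $c1 = "CheckRemoteDebuggerPresent"
        $c2 = "IsDebuggerPresent"
        $c3 = "OutputDebugString"
        $c4 = "ContinueDebugEvent"
        $c5 = "DebugActiveProcess"
    condition:
        $d1 and 1 of ($c*)
}

// Names of analysis tools ($f*) and kernel-debugger device paths ($c*).
// \\.\NTICE and \\.\SICE are SoftICE device names; \\.\Syser* belong to the Syser debugger.
rule anti_dbgtools {
    meta:
        author = "x0r"
        description = "Checks for the presence of known debug tools"
        version = "0.1"
    strings:
        $f1 = "procexp.exe" nocase
        $f2 = "procmon.exe" nocase
        $f3 = "processmonitor.exe" nocase
        $f4 = "wireshark.exe" nocase
        $f5 = "fiddler.exe" nocase
        $f6 = "windbg.exe" nocase
        $f7 = "ollydbg.exe" nocase
        $f8 = "winhex.exe" nocase
        $f9 = "processhacker.exe" nocase
        $f10 = "hiew32.exe" nocase
        $c11 = "\\\\.\\NTICE"
        $c12 = "\\\\.\\SICE"
        $c13 = "\\\\.\\Syser"
        $c14 = "\\\\.\\SyserBoot"
        $c15 = "\\\\.\\SyserDbgMsg"
    condition:
        any of them
}

// Rule name keeps the original spelling ("joesanbox"): consumers may filter on it.
// $s1 is an exact product-ID-style value (presumably read from the key in $p1 via
// RegQueryValue); any change to the sandbox image silently breaks the match.
rule antisb_joesanbox {
    meta:
        author = "x0r"
        description = "Anti-Sandbox checks for Joe Sandbox"
        version = "0.1"
    strings:
        $p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase
        $c1 = "RegQueryValue"
        $s1 = "55274-640-2673064-23950"
    condition:
        all of them
}

// Same pattern as antisb_joesanbox with two known Anubis values.
rule antisb_anubis {
    meta:
        author = "x0r"
        description = "Anti-Sandbox checks for Anubis"
        version = "0.1"
    strings:
        $p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase
        $c1 = "RegQueryValue"
        $s1 = "76487-337-8429955-22614"
        $s2 = "76487-640-1457236-23837"
    condition:
        $p1 and $c1 and 1 of ($s*)
}

// Single-string rule: dbghelp.dll is a common dependency, so expect false positives.
rule antisb_threatExpert {
    meta:
        author = "x0r"
        description = "Anti-Sandbox checks for ThreatExpert"
        version = "0.1"
    strings:
        $f1 = "dbghelp.dll" nocase
    condition:
        all of them
}

// Sandboxie injects SbieDLL.dll into sandboxed processes; its name is the indicator.
rule antisb_sandboxie {
    meta:
        author = "x0r"
        description = "Anti-Sandbox checks for Sandboxie"
        version = "0.1"
    strings:
        $f1 = "SbieDLL.dll" nocase
    condition:
        all of them
}

rule antisb_cwsandbox {
    meta:
        author = "x0r"
        description = "Anti-Sandbox checks for CWSandbox"
        version = "0.1"
    strings:
        $p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase
        $s1 = "76487-644-3177037-23510"
    condition:
        all of them
}

rule antivm_virtualbox {
    meta:
        author = "x0r"
        description = "AntiVM checks for VirtualBox"
        version = "0.1"
    strings:
        $s1 = "VBoxService.exe" nocase
    condition:
        any of them
}

// VMware process names plus the classic backdoor I/O-port probe ($s8).
rule antivm_vmware {
    meta:
        author = "x0r"
        description = "AntiVM checks for VMWare"
        version = "0.1"
    strings:
        $s1 = "vmware.exe" nocase
        $s2 = "vmware-authd.exe" nocase
        $s3 = "vmware-hostd.exe" nocase
        $s4 = "vmware-tray.exe" nocase
        $s5 = "vmware-vmx.exe" nocase
        $s6 = "vmnetdhcp.exe" nocase
        $s7 = "vpxclient.exe" nocase
        // x86: mov eax,564D5868h ('VMXh'); mov ebx,0; mov ecx,0Ah; mov edx,5658h ('VX'); in eax,dx
        $s8 = { b868584d56bb00000000b90a000000ba58560000ed }
    condition:
        any of them
}

// Reads BIOS/manufacturer strings from the registry: key path + RegQueryValue + value name.
rule antivm_bios {
    meta:
        author = "x0r"
        description = "AntiVM checks for Bios version"
        version = "0.2"
    strings:
        $p1 = "HARDWARE\\DESCRIPTION\\System" nocase
        $p2 = "HARDWARE\\DESCRIPTION\\System\\BIOS" nocase
        $c1 = "RegQueryValue"
        $r1 = "SystemBiosVersion"
        $r2 = "VideoBiosVersion"
        $r3 = "SystemManufacturer"
    condition:
        1 of ($p*) and 1 of ($c*) and 1 of ($r*)
}

// Three independent sub-signals: policy key writes naming security tools ($p1/$f*),
// writes under Uninstall ($p2), any of the Security Center value names ($r*), or the
// Windows Defender policy key on its own ($p3).
rule disable_antivirus {
    meta:
        author = "x0r"
        description = "Disable AntiVirus"
        version = "0.2"
    strings:
        $p1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun" nocase
        $p2 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" nocase
        $p3 = "SOFTWARE\\Policies\\Microsoft\\Windows Defender" nocase
        $c1 = "RegSetValue"
        $r1 = "AntiVirusDisableNotify"
        $r2 = "DontReportInfectionInformation"
        $r3 = "DisableAntiSpyware"
        $r4 = "RunInvalidSignatures"
        $r5 = "AntiVirusOverride"
        $r6 = "CheckExeSignatures"
        $f1 = "blackd.exe" nocase
        $f2 = "blackice.exe" nocase
        $f3 = "lockdown.exe" nocase
        $f4 = "lockdown2000.exe" nocase
        $f5 = "taskkill.exe" nocase
        $f6 = "tskill.exe" nocase
        $f7 = "smc.exe" nocase
        $f8 = "sniffem.exe" nocase
        $f9 = "zapro.exe" nocase
        $f10 = "zlclient.exe" nocase
        $f11 = "zonealarm.exe" nocase
    condition:
        ($c1 and $p1 and 1 of ($f*)) or ($c1 and $p2) or 1 of ($r*) or $p3
}

// UAC = User Account Control (the description previously said "User Access Control").
// Rule name kept as-is for compatibility with existing consumers.
rule disable_uax {
    meta:
        author = "x0r"
        description = "Disable User Account Control"
        version = "0.1"
    strings:
        $p1 = "SOFTWARE\\Microsoft\\Security Center" nocase
        $r1 = "UACDisableNotify"
    condition:
        all of them
}

// Registry-based firewall policy writes, or the netsh command that whitelists a program.
rule disable_firewall {
    meta:
        author = "x0r"
        description = "Disable Firewall"
        version = "0.1"
    strings:
        $p1 = "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy" nocase
        $c1 = "RegSetValue"
        $r1 = "FirewallPolicy"
        $r2 = "EnableFirewall"
        $r3 = "FirewallDisableNotify"
        $s1 = "netsh firewall add allowedprogram"
    condition:
        (1 of ($p*) and $c1 and 1 of ($r*)) or $s1
}

rule disable_registry {
    meta:
        author = "x0r"
        description = "Disable Registry editor"
        version = "0.1"
    strings:
        $p1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" nocase
        $c1 = "RegSetValue"
        $r1 = "DisableRegistryTools"
        $r2 = "DisableRegedit"
    condition:
        1 of ($p*) and $c1 and 1 of ($r*)
}

// API and setting names associated with changing DEP / page protections.
rule disable_dep {
    meta:
        author = "x0r"
        description = "Bypass DEP"
        version = "0.1"
    strings:
        $c1 = "EnableExecuteProtectionSupport"
        $c2 = "NtSetInformationProcess"
        // Fixed: was "VirtualProctectEx", a misspelling that could never match the real export.
        $c3 = "VirtualProtectEx"
        $c4 = "SetProcessDEPPolicy"
        $c5 = "ZwProtectVirtualMemory"
    condition:
        any of them
}

rule disable_taskmanager {
    meta:
        author = "x0r"
        description = "Disable Task Manager"
        version = "0.1"
    strings:
        $p1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" nocase
        $r1 = "DisableTaskMgr"
    condition:
        1 of ($p*) and 1 of ($r*)
}

// Single registry path; weak on its own.
rule check_patchlevel {
    meta:
        author = "x0r"
        description = "Check if hotfix are applied"
        version = "0.1"
    strings:
        $p1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Hotfix" nocase
    condition:
        any of them
}

// NOTE(review): only the ANSI SetWindowsHookExA is listed; a binary using only the
// wide variant is not covered by $c2.
rule win_hook {
    meta:
        author = "x0r"
        description = "Affect hook table"
        version = "0.1"
    strings:
        $f1 = "user32.dll" nocase
        $c1 = "UnhookWindowsHookEx"
        $c2 = "SetWindowsHookExA"
        $c3 = "CallNextHookEx"
    condition:
        $f1 and 1 of ($c*)
}

rule vmdetect_misc : vmdetect
{
    meta:
        author = "@abhinavbom"
        maltype = "NA"
        version = "0.1"
        date = "31/10/2015"
        description = "Following Rule is referenced from AlienVault's Yara rule repository.This rule contains additional processes and driver names."
    strings:
        $vbox1 = "VBoxService" nocase ascii wide
        $vbox2 = "VBoxTray" nocase ascii wide
        $vbox3 = "SOFTWARE\\Oracle\\VirtualBox Guest Additions" nocase ascii wide
        // same key with doubled backslashes (presumably as it appears in script/source text)
        $vbox4 = "SOFTWARE\\\\Oracle\\\\VirtualBox Guest Additions" nocase ascii wide

        $wine1 = "wine_get_unix_file_name" ascii wide

        $vmware1 = "vmmouse.sys" ascii wide
        $vmware2 = "VMware Virtual IDE Hard Drive" ascii wide

        $miscvm1 = "SYSTEM\\ControlSet001\\Services\\Disk\\Enum" nocase ascii wide
        $miscvm2 = "SYSTEM\\\\ControlSet001\\\\Services\\\\Disk\\\\Enum" nocase ascii wide

        // Drivers
        $vmdrv1 = "hgfs.sys" ascii wide
        $vmdrv2 = "vmhgfs.sys" ascii wide
        $vmdrv3 = "prleth.sys" ascii wide
        $vmdrv4 = "prlfs.sys" ascii wide
        $vmdrv5 = "prlmouse.sys" ascii wide
        $vmdrv6 = "prlvideo.sys" ascii wide
        $vmdrv7 = "prl_pv32.sys" ascii wide
        $vmdrv8 = "vpc-s3.sys" ascii wide
        $vmdrv9 = "vmsrvc.sys" ascii wide
        $vmdrv10 = "vmx86.sys" ascii wide
        $vmdrv11 = "vmnet.sys" ascii wide

        // SYSTEM\ControlSet001\Services
        $vmsrvc1 = "vmicheartbeat" ascii wide
        $vmsrvc2 = "vmicvss" ascii wide
        $vmsrvc3 = "vmicshutdown" ascii wide
        $vmsrvc4 = "vmicexchange" ascii wide
        $vmsrvc5 = "vmci" ascii wide
        $vmsrvc6 = "vmdebug" ascii wide
        $vmsrvc7 = "vmmouse" ascii wide
        $vmsrvc8 = "VMTools" ascii wide
        $vmsrvc9 = "VMMEMCTL" ascii wide
        $vmsrvc10 = "vmware" ascii wide
        $vmsrvc11 = "vmx86" ascii wide
        $vmsrvc12 = "vpcbus" ascii wide
        $vmsrvc13 = "vpc-s3" ascii wide
        $vmsrvc14 = "vpcuhub" ascii wide
        $vmsrvc15 = "msvmmouf" ascii wide
        $vmsrvc16 = "VBoxMouse" ascii wide
        $vmsrvc17 = "VBoxGuest" ascii wide
        $vmsrvc18 = "VBoxSF" ascii wide
        $vmsrvc19 = "xenevtchn" ascii wide
        $vmsrvc20 = "xennet" ascii wide
        $vmsrvc21 = "xennet6" ascii wide
        $vmsrvc22 = "xensvc" ascii wide
        $vmsrvc23 = "xenvdb" ascii wide

        // Processes
        $miscproc1 = "vmware2" ascii wide
        $miscproc2 = "vmount2" ascii wide
        $miscproc3 = "vmusrvc" ascii wide
        $miscproc4 = "vmsrvc" ascii wide
        $miscproc5 = "vboxservice" ascii wide
        $miscproc6 = "vboxtray" ascii wide
        $miscproc7 = "xenservice" ascii wide

        // MAC address OUI prefixes (dash and colon spellings)
        $vmware_mac_1a = "00-05-69"
        $vmware_mac_1b = "00:05:69"
        $vmware_mac_2a = "00-50-56"
        $vmware_mac_2b = "00:50:56"
        $vmware_mac_3a = "00-0C-29"
        $vmware_mac_3b = "00:0C:29"
        $vmware_mac_4a = "00-1C-14"
        $vmware_mac_4b = "00:1C:14"
        $virtualbox_mac_1a = "08-00-27"
        $virtualbox_mac_1b = "08:00:27"

    condition:
        // two hits required: short generic tokens such as "vmware" or "vmci" alone are weak
        2 of them
}

// DLL names that analysis products inject into monitored processes (UTF-16 only).
rule vme_dll {
    meta:
        Author = "jentle"
    strings:
        $S1 = "avghookx.dll" wide // AVG
        $S2 = "avghooka.dll" wide // AVG
        $S3 = "snxhk.dll" wide // Avast
        $S4 = "sbiedll.dll" wide // Sandboxie
        $S5 = "dbghelp.dll" wide // WinDbg
        $S6 = "api_log.dll" wide // iDefense Lab
        $S7 = "dir_watch.dll" wide // iDefense Lab
        $S8 = "pstorec.dll" wide // SunBelt Sandbox
        $S9 = "vmcheck.dll" wide // Virtual PC
        $S10 = "wpespy.dll" wide // WPE Pro
        $S11 = "cmdvrt64.dll" wide // Comodo Container
        $S12 = "cmdvrt32.dll" wide // Comodo Container
    condition:
        any of them
}

// Process names commonly assigned to submitted samples by analysis environments.
rule vme_processName {
    meta:
        Author = "jentle"
    strings:
        $s1 = "sample.exe" wide
        $s2 = "bot.exe" wide
        $s3 = "sandbox.exe" wide
        $s4 = "malware.exe" wide
        $s5 = "test.exe" wide
        $s6 = "klavme.exe" wide
        $s7 = "myapp.exe" wide
        $s8 = "testapp.exe" wide
    condition:
        any of them
}

// NOTE(review): short tokens such as "user", "virus" and "malware" match almost anything
// in UTF-16; expect false positives and treat a hit as informational.
rule sandBox_usernames {
    meta:
        Author = "jentle"
        reference = "https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/"

    strings:
        $s1 = "CurrentUser" wide
        $s2 = "Sandbox" wide
        $s3 = "Emily" wide
        $s4 = "HAPUBWS" wide
        $s5 = "Hong Lee" wide
        $s6 = "IT-ADMIN" wide
        $s7 = "milozs" wide
        $s8 = "Peter Wilson" wide
        $s9 = "timmy" wide
        $s10 = "user" wide
        $s11 = "sand box" wide
        $s12 = "malware" wide
        $s13 = "maltest" wide
        $s14 = "test user" wide
        $s15 = "virus" wide
    condition:
        any of them
}

// Computer names observed in sandbox images (UTF-16 only).
rule sandBox_hostnames {
    meta:
        Author = "jentle"

    strings:
        $s1 = "SANDBOX" wide
        $s2 = "7SILVIA" wide
        $s3 = "HANSPETER-PC" wide
        $s4 = "JOHN-PC" wide
        $s5 = "MUELLER-PC" wide
        $s6 = "WIN7-TRAPS" wide
        $s7 = "FORTINET" wide
        $s8 = "TEQUILABOOMBOOM" wide
    condition:
        any of them
}
--------------------------------------------------------------------------------
/png/show.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Hipepper/antiVM/2349ad405c517f5f5c4e4a4c39344fdb53255829/png/show.gif
--------------------------------------------------------------------------------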