Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
UNCLASSIFIED
Pique Proof-of-Concept (PoC) Report
Anti-Debugging and Anti-Emulation
(U) Anti-Emulation
(U) Virtual environments, virtual machines and the commercial sandbox technologies built upon them are collectively known as emulation environments. Emulation environments pose a risk to malware because system defenders use them to analyze malware at runtime. Malware authors have spent considerable resources writing routines to detect emulation environments in an attempt to protect their malware. However, in recent years we’ve seen a decrease in anti-emulation techniques in malware and attribute this trend to the fact that emulation environments have become so pervasive (think Cloud) that the presence of an emulation environment no longer automatically means it’s a malware analysis platform or that it’s not a valid target.
(U) Detecting VMWare Artifacts
(U) VMWare leaves many detectable artifacts when installed on a system. Malware can use these artifacts, left in the file system, registry, and process listing, to recognize that it is running inside a virtual machine. The following checks were run on a Windows 10 Virtual Machine image.
(U) Using net start | findstr VMWare
(U) A quick and easy way to determine if the VMWare Tools Service is running on the system is to open a command window and type net start | findstr VMWare, as shown in Figure 6.
Figure 6. Using cmd.exe to Find the VMWare Service
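As an added example (not code from the Raytheon report), the following PowerShell helper lets a sandbox operator enumerate, on their own analysis VM, the same service and process artifacts that net start | findstr VMWare reveals, so the fingerprint of the analysis environment can be assessed; the function name Get-VMwareArtifactSurface is chosen here and is not from the report.

```powershell
# Added audit helper (not from the report): list VMware-named services and
# processes on an analysis VM, i.e. the artifacts "net start | findstr VMWare"
# and a process listing would expose to malware running inside it.
function Get-VMwareArtifactSurface {
    [CmdletBinding()]
    param()

    # Services whose service name or display name mentions VMware. A running
    # VMware Tools service is what 'net start' shows in Figure 6.
    $services = Get-Service |
        Where-Object { $_.Name -match 'vmware' -or $_.DisplayName -match 'vmware' } |
        Select-Object @{ n = 'Type';  e = { 'Service' } },
                      @{ n = 'Name';  e = { $_.DisplayName } },
                      @{ n = 'State'; e = { $_.Status } }

    # Running processes whose image name mentions VMware (the process-listing
    # artifact source the report refers to).
    $processes = Get-Process |
        Where-Object { $_.ProcessName -match 'vmware' } |
        Select-Object @{ n = 'Type';  e = { 'Process' } },
                      @{ n = 'Name';  e = { $_.ProcessName } },
                      @{ n = 'State'; e = { "PID $($_.Id)" } }

    # Return one combined list so the caller can count or tabulate findings.
    $findings = @($services) + @($processes)
    if ($findings.Count -eq 0) {
        Write-Verbose 'No VMware-named services or processes found on this host.'
    }
    return $findings
}

Get-VMwareArtifactSurface | Format-Table -AutoSize
```

An empty result on an analysis VM means the service and process names alone would not reveal VMware; the file-system and registry artifacts the report mentions are not covered by this check.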
Raytheon Blackbird Technologies, Inc.
16
07 August 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.