How malware fingerprints VMware, VirtualBox, and automated sandboxes through artefact checks, hardware queries, and behavioural tests — and how to build a convincing lived-in analysis VM that passes all checks.
Sign in to mark this article as read and track your progress.
Beyond detecting debuggers, malware checks whether it is running inside a virtual machine or an automated sandbox. If the environment looks artificial, the malware terminates or executes benign decoy behaviour.
VM detection is like a kidnapper checking if the ransom drop location is a police sting. They look for unmarked vans, people with earpieces, and suspiciously empty streets. If anything feels staged, they abort. Your analysis VM needs to look like a messy teenager''s bedroom, not a sterile FBI surveillance post.
Virtual machine software leaves registry keys, files, and processes that malware can enumerate:
| Artefact | VMware | VirtualBox |
|---|---|---|
| Registry keys | HKLM\SOFTWARE\VMware, Inc.\VMware Tools | HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions |
| Processes | vmtoolsd.exe, vmwaretray.exe | VBoxService.exe, VBoxTray.exe |
| Files | C:\Windows\System32\vmGuestLib.dll | C:\Windows\System32\VBoxGuest.sys |
| Services | VMware Physical Disk Helper Service | VBoxSF |
| MAC prefix | 00:0C:29, 00:50:56 | 08:00:27 |
1. Uninstall VMware Tools / VirtualBox Guest Additions
(accept reduced functionality — no shared folders, no clipboard sync)
2. Change MAC address to a Dell or HP OUI prefix (e.g., 00:1A:A0)
3. Rename suspicious processes (if Tools must be installed)
4. Delete or rename suspicious registry keys
The CPUID instruction with leaf 0x1 returns ECX with bit 31 set if a hypervisor is present:
MOV EAX, 1
CPUID
TEST ECX, 80000000h ; bit 31 = hypervisor present
JNZ vm_detected
Bypass (VirtualBox):
VBoxManage modifyvm "VM_Name" --paravirt-provider none
This instructs VirtualBox not to set the hypervisor bit. VMware requires registry modification or a third-party tool.
A real workstation typically has:
Malware checks:
; Check RAM
CALL GlobalMemoryStatusEx
CMP [dwTotalPhys], 0x80000000 ; < 2 GB?
JL vm_suspected
; Check CPU cores
CALL GetSystemInfo
CMP [dwNumberOfProcessors], 2
JL vm_suspected
Bypass: Configure VM with 4+ GB RAM and 2+ CPU cores.
# Malware PowerShell check
$disk = Get-WmiObject Win32_DiskDrive | Select-Object -First 1
if ($disk.Size -lt 60GB) { exit }
Bypass: Set virtual disk to 100 GB dynamically allocated.
Sandboxes often run at 800×600 or 1024×600.
Bypass: Set VM resolution to 1920×1080 and maximise the window.
The most sophisticated checks look for evidence of real user activity:
| Check | What It Looks For | Bypass |
|---|---|---|
| Mouse movement | Minimum pixel distance moved | Run mouse jiggler script in VM |
| Recent documents | Files in Recent Items folder | Populate with dummy Office documents |
| Browser history | Sites visited in Chrome/Firefox | Browse a few legitimate sites |
| Desktop content | Number of files/icons on desktop | Add files and shortcuts |
| Uptime | System running < 10 minutes | Boot VM and wait 15+ minutes before analysis |
| Installed software | Only security tools present | Install common apps (Chrome, VLC, WinRAR) |
Automated sandboxes have distinctive characteristics beyond VM artefacts:
# Common sandbox detection checks in Python (for educational reference)
import os, platform, ctypes
# Check username
if os.getenv('USERNAME') in ['sandbox', 'malware', 'virus', 'analyst']:
sys.exit()
# Check hostname
if platform.node() in ['SANDBOX', 'CUCKOO', 'CAPE']:
sys.exit()
# Check recent file count in Documents
docs = len(os.listdir(os.path.expanduser('~/Documents')))
if docs < 3:
sys.exit() # too clean — sandbox
Bypass: Set a realistic username (first name + last name), set hostname to a corporate-looking name (e.g., DELL-WS-4821), populate Documents folder.
A convincing analysis VM should look like a real user''s machine:
Hardware configuration:
RAM: 4–8 GB
CPU cores: 2–4
Disk: 100 GB
Resolution: 1920×1080
MAC: Dell or HP OUI prefix (not VMware/VirtualBox)
CPUID: Hypervisor bit cleared
Software configuration:
OS: Windows 10, realistic username, corporate hostname
Browsers: Chrome with bookmarks and history
Office: Microsoft Office with recent documents
Common apps: VLC, WinRAR, 7-Zip, Adobe Reader
Background: Real desktop wallpaper, icons, files
User activity simulation:
Recent documents: 5+ Office files in Documents
Desktop files: 3–5 files and shortcuts
Browser history: 10+ legitimate sites visited
Uptime: Boot 30+ minutes before analysis
Run these tools inside your analysis VM before detonating any sample. They reveal exactly which artefacts malware could detect.
Pafish: tests ~30 VM, sandbox, and debugger checks. Any check that triggers is a gap to fix.
Al-Khaser: more extensive — tests 100+ checks across all categories. Essential for hardening against sophisticated samples.
# Run in your analysis VM
Pafish.exe # shows PASS/FAIL for each check
Al-Khaser.exe # more comprehensive check suite
Fix every failed check before analysing sophisticated malware.