Anti-VM Technique with MSAcpi_ThermalZoneTemperature
The Win32_TemperatureProbe WMI class represents the properties of a temperature sensor (electronic thermometer).
Most of the information that the Win32_TemperatureProbe WMI class provides comes from SMBIOS. Real-time readings for the CurrentReading property cannot be extracted from SMBIOS tables. For this reason, current implementations of WMI do not populate the CurrentReading property. The CurrentReading property’s presence is reserved for future use.
Win32_TemperatureProbe has 35 properties:
See below the return of the function in a non-virtualized environment:
Now we can see the result of the same function on a virtual machine:
Return was “MSAcpi_ThermalZoneTerperature not supported”, its occurs because this function is not supported on virtualized processors ;)
Using a interactive sandbox like ANY.RUN( https://any.run) is possible to defeat easily:
Last year, Talos is uncover a new piece of malware with a similar behavior, which has remained under the radar for the past two years while it continues to be developed. Several weeks ago, we identified the use of the latest version of this RAT (Remote Access Tool). In this article, we will discuss the technical capabilities, the evolution, development and potential attribution of what we are calling GravityRAT.
My snippet:
function Get-AntiVMwithTemperature {
$t = Get-WmiObject MSAcpi_ThermalZoneTemperature -Namespace "root/wmi"$valorTempKelvin = $t.CurrentTemperature / 10
$valorTempCelsius = $valorTempKelvin - 273.15$valorTempFahrenheit = (9/5) * $valorTempCelsius + 32return $valorTempCelsius.ToString() + " C : " + $valorTempFahrenheit.ToString() + " F : " + $valorTempKelvin + "K"
}
https://gist.github.com/teixeira0xfffff/36293713c254c69a7ba2353e8d64afce
Resources:
