Anti-VM Technique with MSAcpi_ThermalZoneTemperature

The Win32_TemperatureProbe WMI class represents the properties of a temperature sensor (electronic thermometer).

command: wmic /namespace:\\root\WMI path MSAcpi_ThermalZoneTemperature get CurrentTemperature

Most of the information that the Win32_TemperatureProbe WMI class provides comes from SMBIOS. Real-time readings for the CurrentReading property cannot be extracted from SMBIOS tables. For this reason, current implementations of WMI do not populate the CurrentReading property. The CurrentReading property’s presence is reserved for future use.

Win32_TemperatureProbe has 35 properties:

source: https://wutils.com/wmi/root/cimv2/win32_temperatureprobe/

Output of the query in a non-virtualized environment:

[screenshot of the query output on physical hardware]

The same query run on a virtual machine:

[screenshot of the query output on a virtual machine]

The return was “MSAcpi_ThermalZoneTemperature not supported”; this happens because the class is not supported on virtualized processors ;)
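As an added defensive example (not the original post's code, nor the gist linked below), the following Python scans process-creation log lines for command-line queries of the two classes discussed above, which is the footprint this check leaves when issued through wmic or PowerShell. The Sysmon-style field names and the sample events are constructed assumptions.

```python
import re
# Constructed Sysmon-style process-creation events (Event ID 1), flattened to key=value.
SAMPLE_LOG = [
    r'EventID=1 ProcessId=4120 Image=C:\Windows\System32\wbem\WMIC.exe '
    r'CommandLine="wmic /namespace:\\root\WMI path MSAcpi_ThermalZoneTemperature get CurrentTemperature"',
    r'EventID=1 ProcessId=4188 Image=C:\Windows\System32\wbem\WMIC.exe '
    r'CommandLine="wmic os get caption"',
    r'EventID=1 ProcessId=4310 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine="powershell -Command Get-CimInstance -Namespace root\WMI -ClassName MSAcpi_ThermalZoneTemperature"',
    r'EventID=1 ProcessId=4422 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine="powershell Get-WmiObject -Class Win32_TemperatureProbe"',
    r'EventID=1 ProcessId=5000 Image=C:\Windows\System32\notepad.exe '
    r'CommandLine="notepad.exe C:\Users\alice\notes.txt"',
]

# WMI classes the thermal-zone check relies on (compared case-insensitively).
THERMAL_CLASSES = ("msacpi_thermalzonetemperature", "win32_temperatureprobe")
# Command-line WMI clients; any other image is reported as "other".
WMI_CLIENTS = ("wmic.exe", "powershell.exe", "pwsh.exe")
# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line: str) -> dict:
    """Parse one flattened event line into a field dictionary."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def thermal_probe_reason(event: dict):
    """Explain why a process-creation event looks like a thermal-zone probe, else None."""
    if event.get("EventID") != "1":
        return None
    cmd = event.get("CommandLine", "").lower()
    hits = [cls for cls in THERMAL_CLASSES if cls in cmd]
    if not hits:
        return None
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    via = image if image in WMI_CLIENTS else "other"
    return f"{hits[0]} queried via {via}"

def find_thermal_probes(lines: list) -> list:
    """Return the suspicious events (PID, image, reason) from a batch of log lines."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reason = thermal_probe_reason(event)
        if reason:
            findings.append({"ProcessId": event.get("ProcessId", "?"),
                             "Image": event.get("Image", "?"), "Reason": reason})
    return findings
```

A benign wmic query (the `wmic os get caption` line) is not flagged, so the rule keys on the class names rather than on wmic itself.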

An interactive sandbox like ANY.RUN (https://any.run) can be defeated easily this way:

https://app.any.run/tasks/6538d7c8-a1d2-4eaa-8a9f-3858338cf260

Last year, Talos uncovered a new piece of malware with similar behavior. From their write-up: “[GravityRAT] has remained under the radar for the past two years while it continues to be developed. Several weeks ago, we identified the use of the latest version of this RAT (Remote Access Tool). In this article, we will discuss the technical capabilities, the evolution, development and potential attribution of what we are calling GravityRAT.”

https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html

My snippet:

https://gist.github.com/teixeira0xfffff/36293713c254c69a7ba2353e8d64afce

Resources:

reverse engineering and malware tales | LinkedIn: @isdebuggerpresent
