Tuts 4 You

When I reverse the MALWARE, I realise it was PROTECTED by VM, so I try to run it so that I can catch its behavior. BUT there are some anti-VMware (I try to run it both in VMware and VirtualBox) ways.

The Questions:

If I encounter the MALWARE, what should I do?

PS:

How to unpack the VM and how to hide the VMware of both VMware and VirtualBox!!!

Please help ME.

THANKS!!!

Can you share the sample? :)

  • 1 month later...

Have you tried opening it in a debugger? I would do that, and then look for where/when it checks for the Virtual machine and then patch it so that it believes you're not in one.

  • 2 weeks later...
On 26/8/2017 at 4:22 AM, ONDragon said:

When I reverse the MALWARE, I realise it was PROTECTED by VM, so I try to run it so that I can catch its behavior. BUT there are some anti-VMware (I try to run it both in VMware and VirtualBox) ways.

The Questions:

If I encounter the MALWARE, what should I do?

PS:

How to unpack the VM and how to hide the VMware of both VMware and VirtualBox!!!

Please help ME.

THANKS!!!

Do not install VMware Tools and set your virtual machine configuration file to prevent detection (there's info about that you can google); if it is VMProtect 3 then it uses some more complicated methods to detect a VM. The best approach would be to unpack the sample first, then analyze. Best regards.
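As an added illustration of the "set your virtual machine configuration file" advice above (this is not code from the thread or from VMware's own documentation): the VMware .vmx keys below are the ones commonly added to an analysis VM, shown next to the default state each one replaces. It assumes a VMware Workstation/Player guest that is powered off while the .vmx is edited; which checks VMProtect 3 performs beyond these is an assumption not covered here.

```ini
# Constructed example .vmx fragment for a sandbox guest (placeholder name "sandbox-win7").
# Default state, shown commented out: what a fresh guest exposes to in-guest checks.
# hypervisor.cpuid.v0 = "TRUE"                 ; CPUID leaf 1, ECX bit 31 = "hypervisor present"
# monitor_control.restrict_backdoor = "FALSE"  ; VMware backdoor I/O port (0x5658) answers guest queries

# Hardened state: append these lines, then re-open the VM.
displayName = "sandbox-win7"

# Clear the CPUID hypervisor-present bit (the cheapest and most common VM check).
hypervisor.cpuid.v0 = "FALSE"

# Disable the VMware backdoor channel; this also breaks VMware Tools,
# which matches the advice not to install Tools in the first place.
monitor_control.restrict_backdoor = "TRUE"

# Older binary-translation era switch; forces BT instead of direct execution so
# timing and instruction-behaviour checks see less difference from bare metal.
# Assumption: newer hypervisors using hardware virtualisation may ignore it.
monitor_control.disable_directexec = "TRUE"

# Shut down the Tools guest/host RPC helpers that leak a VMware signature.
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
```

These keys do not change the virtual hardware identity (disk and NIC vendor strings, the VMware MAC OUI, BIOS strings, registry keys left by Tools), so a sample that checks those still detects the VM; the linked compilation later in the thread covers that class of checks.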

  • 6 months later...
On 10/4/2017 at 1:16 AM, null_endian said:

Have you tried opening it in a debugger? I would do that, and then look for where/when it checks for the Virtual machine and then patch it so that it believes you're not in one.

OllyDbg and WinDbg crash if you open a sample of malware packed with VMP v3.

On 10/14/2017 at 2:17 PM, Aesculapius said:

Do not install VMware Tools and set your virtual machine configuration file to prevent detection (there's info about that you can google); if it is VMProtect 3 then it uses some more complicated methods to detect a VM. The best approach would be to unpack the sample first, then analyze. Best regards.

I tried all the stuff I could find on Google, but still the same problem; I don't know what to do.

19 hours ago, zixkhalid said:

OllyDbg and WinDbg crash if you open a sample of malware packed with VMP v3.

I tried all the stuff I could find on Google, but still the same problem; I don't know what to do.

VM detection tricks are limited, although VMP3 uses new methods; here's a compilation that could help narrow the search:

https://shasaurabh.blogspot.ca/2017/07/virtual-machine-detection-techniques.html

Several other possible paths come to mind: you can run your malware in a test machine without a VM, you can easily reach the OEP, and at that point you can carefully set your breakpoints to cover all possible malware techniques like process injection or process hollowing, etc., to get the unpacked sample. Once you get the unpacked code, you can kill the process and avoid any unneeded damage to your test Windows installation. Also, most samples are already analyzed by someone else (google it). You can drop your sample here: https://www.hybrid-analysis.com/ and learn as much as possible from it, look for similar uploaded samples, etc. BR.
