nerdexam
GIAC

GCIH · Question #454

Analysis of malicious code identifies a function that searches for specific processes and hardware on a victim host. If the processes or hardware are found, the malicious executable does not install i

The correct answer is A. Detecting virtual machines. Malware that checks for specific processes or hardware before executing is using sandbox or virtual machine evasion to avoid analysis and detection.

Malware Analysis & Advanced Persistent Threats

Question

Analysis of malicious code identifies a function that searches for specific processes and hardware on a victim host. If the processes or hardware are found, the malicious executable does not install itself. What is a common purpose of this type of malware functionality?

Options

  • ADetecting virtual machines
  • BRemote code execution
  • CRunning polymorphic code
  • DDisabling local anti-virus

How the community answered

(33 responses)
  • A
    76% (25)
  • B
    9% (3)
  • C
    3% (1)
  • D
    12% (4)

Why each option

Malware that checks for specific processes or hardware before executing is using sandbox or virtual machine evasion to avoid analysis and detection.

ADetecting virtual machinesCorrect

Security researchers and automated sandboxes typically analyze malware inside virtual machines or emulated environments. Malware developers add checks for VM-specific processes (e.g., vmtoolsd.exe, vboxservice.exe) and hardware artifacts (e.g., virtual network adapters, low disk space) to detect these environments. If a VM or sandbox is detected, the malware aborts installation to prevent behavioral analysis and signature creation by security researchers.

BRemote code execution

Remote code execution is an attack capability that allows code to run on a remote system; it is not related to the self-preservation check described in the question.

CRunning polymorphic code

Polymorphic code refers to malware that mutates its own code to evade signature-based detection, which is a different technique unrelated to environmental hardware or process checks.

DDisabling local anti-virus

Disabling antivirus is an action a malware takes after it has already installed itself, not a reason to abort installation before it begins.

Concept tested: Malware sandbox and virtual machine evasion techniques

Source: https://attack.mitre.org/techniques/T1497/

Topics

#VM detection#sandbox evasion#anti-analysis#process enumeration

Community Discussion

No community discussion yet for this question.

Full GCIH Practice