GCIH · Question #454
Analysis of malicious code identifies a function that searches for specific processes and hardware on a victim host. If the processes or hardware are found, the malicious executable does not install i
The correct answer is A. Detecting virtual machines. Malware that checks for specific processes or hardware before executing is using sandbox or virtual machine evasion to avoid analysis and detection.
Question
Analysis of malicious code identifies a function that searches for specific processes and hardware on a victim host. If the processes or hardware are found, the malicious executable does not install itself. What is a common purpose of this type of malware functionality?
Options
- ADetecting virtual machines
- BRemote code execution
- CRunning polymorphic code
- DDisabling local anti-virus
How the community answered
(33 responses)- A76% (25)
- B9% (3)
- C3% (1)
- D12% (4)
Why each option
Malware that checks for specific processes or hardware before executing is using sandbox or virtual machine evasion to avoid analysis and detection.
Security researchers and automated sandboxes typically analyze malware inside virtual machines or emulated environments. Malware developers add checks for VM-specific processes (e.g., vmtoolsd.exe, vboxservice.exe) and hardware artifacts (e.g., virtual network adapters, low disk space) to detect these environments. If a VM or sandbox is detected, the malware aborts installation to prevent behavioral analysis and signature creation by security researchers.
Remote code execution is an attack capability that allows code to run on a remote system; it is not related to the self-preservation check described in the question.
Polymorphic code refers to malware that mutates its own code to evade signature-based detection, which is a different technique unrelated to environmental hardware or process checks.
Disabling antivirus is an action a malware takes after it has already installed itself, not a reason to abort installation before it begins.
Concept tested: Malware sandbox and virtual machine evasion techniques
Source: https://attack.mitre.org/techniques/T1497/
Topics
Community Discussion
No community discussion yet for this question.