sems – Sandbox and Virtual Machine Detection Tool

New malwares have advanced capabilities to detect virtual machines which are used on sandbox systems and any analysis tools. What malware analyst will firstly do to reverse a malware is to run it on virtual environment to study the execution and list any suspicious or malicious behavior performed by the virus.

sems is a good tool that can be used by malware researchers to verify if the existing virtual environment can be detected by malwares. the program will make a check for the signatures of any virtualization system, malware sandbox tools or well know malware analysis tools.

sems tool is sent to malware sandbox like any other malware samples and waited until the completion of analysis. Detected signatures can be seen in “File Operations” section of the sandbox report hence sems drops separate .txt files for each findings.

Signatures found when sems is run in Cuckoo

Signatures found when sems is run in Cuckoo

Systems that can be checked with this tool is VirtualBox Detection (Here this will check Files,Regedit,Folder,Services,Mac,Bios and Windows) , VMWare Detection (include Files, Folder, Regedit ,Services,Mac, Bios, Window, Magic,Memory,Version and IDTR, LDTR, TR, SMSW, I/O Port) QEMU Detection (will include Regedit, Bios and CPU) Cuckoo Sandbox Detection (include Files, Folder,Port ,Hooked Function ,Core Number,Pipe and Modules) Anubis , Thread Expert , Cuckoo , Sandboxie , CWSandbox (will include Computer Name, Core Number ,Modules,Check internet,Disk spaces and Files).

Also you will have check for static analysis tools and sniffers such as Immunity Debugger, Ollydbg, Ida Pro, Regshot, Fiddler, Wireshark, Process Monitor, Process Hacker and Process Explorer.

You can download and read more about sems over the following link:

Notify of
Inline Feedbacks
View all comments