A forum for reverse engineering, OS internals and malware analysis 

 #25816  by likeamirror
 Thu May 07, 2015 8:31 pm
Hello.

I ran a ZeuS binary in a virtual machine, but all I saw was the process briefly appearing in Process Explorer and then disappearing. This could of course be the work of some sort of hook, but I doubt it.
So this is my question to anyone who has analyzed a ZeuS binary: does it operate differently if it believes it is being executed in an emulated environment?
 #25818  by Cody Johnston
 Fri May 08, 2015 4:41 am
Most likely yes. Depending on what it is packed with, it may have some detection for virtual machines (this is typical for a lot of malware). You can find some advice that may help you in bypassing those types of checks here (assuming you are using VirtualBox x64): http://www.kernelmode.info/forum/viewto ... =11&t=3478
 #25819  by EP_X0FF
 Fri May 08, 2015 7:34 am
likeamirror wrote: Hello.

I ran a ZeuS binary in a virtual machine, but all I saw was the process briefly appearing in Process Explorer and then disappearing. This could of course be the work of some sort of hook, but I doubt it.
So this is my question to anyone who has analyzed a ZeuS binary: does it operate differently if it believes it is being executed in an emulated environment?
Hello,

What do you expect from it? Flashes and sparks on the screen?
 #25821  by likeamirror
 Fri May 08, 2015 10:09 am
EP_X0FF wrote:
likeamirror wrote: Hello.

I ran a ZeuS binary in a virtual machine, but all I saw was the process briefly appearing in Process Explorer and then disappearing. This could of course be the work of some sort of hook, but I doubt it.
So this is my question to anyone who has analyzed a ZeuS binary: does it operate differently if it believes it is being executed in an emulated environment?
Hello,

What do you expect from it? Flashes and sparks on the screen?
I had some WMI rig set up on the registry to monitor it, and, as mentioned in the OP, I had Process Explorer open. I observed absolutely nothing other than it opening for a brief moment and then closing. I am asking if this is typical for a rootkit, or if it's just closing when it detects a VM.
Cody Johnston wrote: Most likely yes. Depending on what it is packed with, it may have some detection for virtual machines (this is typical for a lot of malware). You can find some advice that may help you in bypassing those types of checks here (assuming you are using VirtualBox x64): http://www.kernelmode.info/forum/viewto ... =11&t=3478
Thanks a lot for the response. :) I'll take a look at that thread.