A forum for reverse engineering, OS internals and malware analysis
MAXS wrote:Gamarue has code Anti-Emulation and Anti-VM to detect the presence of Virtual machine, I was able to execute it on patched VM, but can you tell me does it have technique to disable USB spreading when it detects VM...It won't start if VM detected.
MAXS wrote:I suppose you thought about spreading. Then how I got to execute malware on VM?Prepare VM for malware analysis, what is the problem?
MAXS wrote:We didn't understand each other, I was able to start Gamarue under VM, but when I plug in USB, nothing happens, no spreading...Then your particular sample does not have this USB spreading feature.
h t t p : / / s u c k m y c o c k l a m e a v i n d u s t r y . i n / IsWow64Process k e r n e l 3 2 S o f t w a r e \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ E x p l o r e r \ A d v a n c e d S h o w S u p e r H i d d e n H i d d e n S h e l l _ T r a y W n d 0 S o f t w a r e I m a g e B a s e . e x e . b a t . v b s . p i f . c m d % s \ * . . . % s \ % s B a c k u p . % s . e x e % s % s ~ $ W . L N K . I N F . I N I T h u m b s . d b L a u n c h U 3 . e x e \ * \ d e s k t o p . i n i a u t o r u n . i n f NtQuerySystemInformation n t d l l NtQueryObject % s \ GetDiskFreeSpaceExW k e r n e l 3 2 . d l l % s \ D C I M % s \ W i n d o w s % s \ % s \ d e s k t o p . i n i % s \ ~ $ W % s . F A T 3 2 % s \ T h u m b s . d b ~ $ W % s . F A T 3 2 , _ l d r @ 1 6 d e s k t o p . i n i R E T T L S " " % s \ M y R e m o v a b l e D e v i c e ( % I 6 4 u G B ) . l n k s h e l l 3 2 . d l l r u n d l l 3 2 % s \ % s ( % I 6 4 u G B ) . l n k ABCDEFGHIJKLMNOPQRSTUVWXYZ % c : \ % s a u t o r u n . i n f