Once executed, the SUNSHUTTLE backdoor enumerates the victim’s MAC address and compares it to a hardcoded MAC address value “c8:27:cc:c2:37:5a”. If a match is found the backdoor exits. The MAC address is likely a default MAC address for the Windows sandbox network adapter.
The MAC address detection as it is implemented now in this project is producing a false positive, which I am not quite sure how SUNSHUTTLE does it properly. The problem is that the network interface in both the guest and the host will have that MAC address. So it is possible that if you run the tool inside a Windows physical machine with Hyper-V installed, it will find the MAC address and think it is a VM.
One workaround, though it is not reliable, is: if the count of network adapters == 1 AND the MAC address is in the blacklist, then it is a VM.
The Hyper-V interface of Windows Sandbox gets assigned a new pseudo-randomly generated MAC every time Windows Sandbox is launched (i.e. would not equal c8:27:cc:c2:37:5a / C8-27-CC-C2-37-5A in a running VM). MAC prefix: 00:15:5D (MSFT's IEEE Organizationally Unique ID).
... was hardcoded in the early versions of Windows Sandbox but no longer the case
References:
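The heuristics discussed in this thread side by side, as an added example that is not the project's own code: the check as the issue says it is currently implemented (any adapter MAC on the blacklist), the one-adapter workaround from the first comment, and the 00:15:5D Hyper-V OUI prefix from the second, run over constructed adapter lists for a Hyper-V host and for the sandbox guest so a sandbox operator can see which list each check flags. Both MAC spellings on the page are normalised before comparison; every MAC other than the quoted c8:27:cc:c2:37:5a is made up.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Normalise "c8:27:cc:c2:37:5a" or "C8-27-CC-C2-37-5A" into 12 lowercase hex
 * digits so both spellings compare equal; false if it is not a 6-byte MAC. */
bool mac_normalize(const char *in, char out[13]) {
    size_t n = 0;
    for (; *in; in++) {
        if (*in == ':' || *in == '-') continue;
        if (!isxdigit((unsigned char)*in) || n >= 12) return false;
        out[n++] = (char)tolower((unsigned char)*in);
    }
    out[n] = '\0';
    return n == 12;
}

/* The single hardcoded value quoted from the SUNSHUTTLE report above. */
const char *SANDBOX_MAC_BLACKLIST[] = { "c8:27:cc:c2:37:5a" };

bool mac_in_blacklist(const char *mac) {
    char a[13], b[13];
    if (!mac_normalize(mac, a)) return false;
    for (size_t i = 0; i < sizeof SANDBOX_MAC_BLACKLIST / sizeof *SANDBOX_MAC_BLACKLIST; i++)
        if (mac_normalize(SANDBOX_MAC_BLACKLIST[i], b) && strcmp(a, b) == 0) return true;
    return false;
}

/* Microsoft OUI 00:15:5D used by Hyper-V adapters (from the comment above). */
bool mac_has_hyperv_oui(const char *mac) {
    char a[13];
    return mac_normalize(mac, a) && strncmp(a, "00155d", 6) == 0;
}

/* Check as the issue says it is implemented: any blacklisted adapter => "VM". */
bool naive_check(const char *macs[], size_t count) {
    for (size_t i = 0; i < count; i++)
        if (mac_in_blacklist(macs[i])) return true;
    return false;
}

/* Workaround proposed in the thread: exactly one adapter AND it is blacklisted. */
bool workaround_check(const char *macs[], size_t count) {
    return count == 1 && mac_in_blacklist(macs[0]);
}

/* Constructed adapter lists: a Hyper-V host where the guest MAC is also visible, and the guest. */
const char *HOST_MACS[]  = { "c8:27:cc:c2:37:5a", "02-00-00-aa-bb-cc" };
const char *GUEST_MACS[] = { "C8-27-CC-C2-37-5A" };
```

The naive check flags the host list (the false positive from the issue) while the workaround flags only the single-adapter guest list; a modern Sandbox guest with a random 00:15:5D MAC is caught by neither blacklist check and only by the OUI test.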