Anti-VM Technique with MSAcpi_ThermalZoneTemperature


The Win32_TemperatureProbe WMI class represents the properties of a temperature sensor (electronic thermometer).

command: wmic /namespace:\\root\WMI path MSAcpi_ThermalZoneTemperature get CurrentTemperature

Most of the information that the Win32_TemperatureProbe WMI class provides comes from SMBIOS. Real-time readings for the CurrentReading property cannot be extracted from SMBIOS tables. For this reason, current implementations of WMI do not populate the CurrentReading property. The CurrentReading property’s presence is reserved for future use.

Win32_TemperatureProbe has 35 properties:


See below the return of the function in a non-virtualized environment:

Now we can see the result of the same function on a virtual machine:

The return was “MSAcpi_ThermalZoneTemperature not supported”; this occurs because this WMI class is not supported on virtualized processors ;)
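From the analyst's side, the wmic invocation above is itself a usable detection indicator. As an added example that is not part of this post or of the author's snippet, the Python below runs that logic over a few constructed Sysmon-style process-creation records (the field names, paths, client list and scoring are all assumed for illustration):

```python
import re
# Constructed Sysmon-style process-creation records (Event ID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "ParentImage": "C:\\Users\\lab\\Downloads\\invoice.exe",
     "CommandLine": "wmic /namespace:\\\\root\\WMI path MSAcpi_ThermalZoneTemperature get CurrentTemperature"},
    {"ProcessId": 4188, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Users\\lab\\Downloads\\invoice.exe",
     "CommandLine": "powershell -nop -c \"Get-WmiObject -Namespace root/wmi -Class msacpi_thermalzonetemperature\""},
    {"ProcessId": 5010, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "wmic os get caption"},
    {"ProcessId": 5200, "Image": "C:\\Program Files\\Vendor\\HWMonitor.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "HWMonitor.exe --wmi MSAcpi_ThermalZoneTemperature"},
]

# The class name is the stable indicator; the namespace may be spelled root\WMI, root/wmi, \\root\WMI, ...
THERMAL_CLASS = re.compile(r"msacpi_thermalzonetemperature", re.IGNORECASE)
# Generic WMI clients a dropper would use; a hardware-monitoring product has its own binary.
WMI_CLIENTS = re.compile(r"(?:^|\\)(wmic|powershell|pwsh|wbemtest)\.exe$", re.IGNORECASE)
SUSPICIOUS_PARENT_DIRS = ("\\downloads\\", "\\temp\\", "\\public\\")  # assumed user-writable locations

def classify(event):
    """Return (severity, reason) for a thermal-zone probe, or None if the event is unrelated."""
    if not THERMAL_CLASS.search(event.get("CommandLine", "")):
        return None
    reasons = ["queries MSAcpi_ThermalZoneTemperature (class is unsupported on most hypervisors)"]
    severity = "low"  # hardware monitors legitimately read thermal zones
    if WMI_CLIENTS.search(event.get("Image", "")):
        severity = "medium"  # scripted query through a generic client, not a monitoring product
        reasons.append("issued via " + event["Image"].rsplit("\\", 1)[-1])
    parent = event.get("ParentImage", "").lower()
    if any(d in parent for d in SUSPICIOUS_PARENT_DIRS):
        severity = "high"  # probe launched by something in a user-writable directory
        reasons.append("parent runs from " + event["ParentImage"])
    return severity, "; ".join(reasons)

def scan(events):
    """Return [(ProcessId, severity, reason)] for every event that probes the thermal-zone class."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append((ev["ProcessId"], verdict[0], verdict[1]))
    return hits

if __name__ == "__main__":
    for pid, sev, why in scan(SAMPLE_EVENTS):
        print(f"[{sev.upper()}] pid={pid}: {why}")
```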

Using an interactive sandbox like ANY.RUN, it is possible to defeat this check easily:

Last year, Talos uncovered a new piece of malware with similar behavior, which had remained under the radar for the past two years while it continued to be developed. Several weeks ago, we identified the use of the latest version of this RAT (Remote Access Tool). In this article, we will discuss the technical capabilities, the evolution, development and potential attribution of what we are calling GravityRAT.

My snippet:


Thanks to Alexandre Borges for his presentation:


Written by

reverse engineering and malware tales. LinkedIn: @isdebuggerpresent
