MAC Address VM Detection

Malware compares each NIC's MAC OUI prefix against known VMware, VirtualBox, Hyper-V and QEMU ranges to decide if it is running inside a VM.

Every network interface card has a MAC address whose first three bytes form the Organizationally Unique Identifier (OUI), assigned to the hardware vendor. Hypervisors generate virtual NICs with their own registered OUIs, so a guest's MAC prefix is a reliable fingerprint of the virtualisation platform underneath it.

Malware enumerates the host's adapters, extracts each MAC's leading three bytes, and matches them against a hard-coded table of hypervisor OUIs — 00:05:69, 00:0C:29, 00:1C:14, 00:50:56 (VMware); 08:00:27 (VirtualBox); 00:15:5D (Hyper-V); 52:54:00 (QEMU/KVM). A hit strongly implies an analysis VM, and the sample responds by sleeping, exiting cleanly, or skipping its malicious behaviour so automated sandboxes record nothing of interest.

The check is trivial to implement and extremely cheap, which is why it is a near-universal first line of anti-VM logic: it ships in commodity loaders and is also one of the standard checks in public sandbox-detection tooling like Pafish.

How it works

```c
#include <windows.h>
#include <iphlpapi.h>
#include <string.h>          // memcmp
#pragma comment(lib, "iphlpapi.lib")

// Known hypervisor OUIs (first 3 MAC bytes)
static const unsigned char vm_ouis[][3] = {
    {0x00,0x05,0x69}, {0x00,0x0C,0x29}, {0x00,0x1C,0x14}, {0x00,0x50,0x56}, // VMware
    {0x08,0x00,0x27},                                                       // VirtualBox
    {0x00,0x15,0x5D},                                                       // Hyper-V
    {0x52,0x54,0x00},                                                       // QEMU/KVM
};

BOOL RunningInVM(void)
{
    // Fixed buffer: if the host has more than 16 adapters GetAdaptersInfo
    // returns ERROR_BUFFER_OVERFLOW and the check silently reports "no VM".
    IP_ADAPTER_INFO info[16];
    DWORD len = sizeof(info);
    if (GetAdaptersInfo(info, &len) != ERROR_SUCCESS) return FALSE;

    for (IP_ADAPTER_INFO *a = info; a; a = a->Next) {
        if (a->AddressLength < 3) continue;          // skip adapters without a full MAC
        for (size_t i = 0; i < sizeof(vm_ouis) / sizeof(vm_ouis[0]); i++) {
            if (memcmp(a->Address, vm_ouis[i], 3) == 0)
                return TRUE;   // MAC OUI matches a hypervisor vendor
        }
    }
    return FALSE;
}
```

On Linux the same logic reads /sys/class/net/*/address or parses the output of ip link, comparing the first three octets against the identical OUI table.

Detection & analysis

Static analysis:

  • Look for GetAdaptersInfo/GetAdaptersAddresses (Windows) or reads of /sys/class/net/.../address (Linux), followed by byte comparisons against three-byte constants. The literal OUI byte sequences — 00 0C 29, 08 00 27, 00 15 5D, 52 54 00 — embedded in the binary are a giveaway.
  • The presence of an array of three-byte vendor prefixes used in a memcmp/cmp loop is the signature.

Dynamic analysis:

  • Spoof the guest NIC's MAC to a non-virtualised OUI (most hypervisors let you set a custom MAC on the virtual adapter); after the change, the check returns clean and the malware proceeds, exposing its real behaviour.
  • Hook GetAdaptersInfo/GetAdaptersAddresses and rewrite the returned Address bytes to a benign vendor prefix.

Detection rule hint:

Flag code that enumerates network adapters and compares the first three MAC bytes against a set of known hypervisor OUIs (00:0C:29, 08:00:27, 00:15:5D, 52:54:00, etc.) — legitimate applications almost never inspect their own NIC vendor prefix to alter behaviour.
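The rule hint above, turned into a small static-triage script. This is an added example and not part of the original write-up: it scans a file for the hypervisor OUI constants listed on this page next to adapter-enumeration API strings and flags the combination. The two sample blobs are constructed inline; the threshold requiring OUIs from at least two distinct hypervisor vendors is an assumption chosen here to cut false positives, since any single three-byte sequence also occurs by chance in large binaries.

```python
"""Static triage: flag binaries that embed hypervisor MAC OUIs next to adapter-enumeration APIs."""
import sys

# Hypervisor OUIs from the write-up (first three MAC bytes -> vendor)
VM_OUIS = {
    bytes.fromhex("000569"): "VMware",
    bytes.fromhex("000C29"): "VMware",
    bytes.fromhex("001C14"): "VMware",
    bytes.fromhex("005056"): "VMware",
    bytes.fromhex("080027"): "VirtualBox",
    bytes.fromhex("00155D"): "Hyper-V",
    bytes.fromhex("525400"): "QEMU/KVM",
}

# Strings whose presence suggests the sample enumerates network adapters
ADAPTER_API_MARKERS = [b"GetAdaptersInfo", b"GetAdaptersAddresses", b"/sys/class/net"]


def find_ouis(blob: bytes) -> dict:
    """Return {vendor: occurrence count} for every hypervisor OUI found in blob."""
    hits = {}
    for oui, vendor in VM_OUIS.items():
        n = blob.count(oui)
        if n:
            hits[vendor] = hits.get(vendor, 0) + n
    return hits


def find_api_markers(blob: bytes) -> list:
    """Return the adapter-enumeration API/path strings present in blob."""
    return [m.decode() for m in ADAPTER_API_MARKERS if m in blob]


def assess(blob: bytes, min_vendors: int = 2) -> dict:
    """Apply the rule: adapter enumeration AND OUIs from >= min_vendors hypervisor vendors.

    Requiring both halves keeps an OUI lookup database (no API) and a plain
    network tool (API, no OUI table) from being flagged.
    """
    ouis = find_ouis(blob)
    apis = find_api_markers(blob)
    suspicious = bool(apis) and len(ouis) >= min_vendors
    return {"suspicious": suspicious, "ouis": ouis, "apis": apis}


# --- Constructed sample inputs (not real malware) ---------------------------
# A fake PE-like blob: import string plus the OUI table laid out contiguously,
# exactly as a compiled `static const unsigned char vm_ouis[][3]` would be.
SUSPICIOUS_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"GetAdaptersInfo\x00IPHLPAPI.dll\x00"
    + b"".join(VM_OUIS.keys())
    + b"\xcc" * 16
)

# A benign network utility: same API import, no hypervisor OUI table.
BENIGN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"GetAdaptersInfo\x00IPHLPAPI.dll\x00"
    + b"printing adapter list\x00"
    + b"\xcc" * 16
)

if __name__ == "__main__":
    # Usage: python oui_triage.py <file>   (falls back to the constructed samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(assess(f.read()))
    else:
        print("suspicious sample:", assess(SUSPICIOUS_SAMPLE))
        print("benign sample:    ", assess(BENIGN_SAMPLE))
```

Raise min_vendors or require the OUIs to sit within a few bytes of each other (as they do in a compiled table) if the scanner produces noise on large, packed, or high-entropy files; the per-vendor counts in the result make that tuning easy to reason about.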