Hide a Virtual Machine
NB: Please note that I’m personally not a scam baiter and do not promote scambaiting; I don’t have time to waste on these people, I just hang up and don’t say anything. I’m just providing information on how they work and what users do to waste their time.
Within a virtual machine environment there are a number of ways a scammer can check whether you are running a virtual machine. Most scammers know that scambaiters’ PCs run inside a VM so that the scambaiter does not compromise their own PC, and so that the virtual machine can be restored from a snapshot afterwards.
If we do not hide the virtual machine, the scammer will realise you are trying to waste his time and drop the call. There are a number of places on the VM that I will step through to hide the fact that it is indeed a VM; below are the locations the scammer will check.
To begin hiding the virtual machine, download the VirtualBox system information modifier BAT file to your main (host) PC. Credit to Jaymontana36. Extract it to your desktop, and before you run it make sure your virtual machine is shut down. Run the vBox System Info Mod BAT file and press any key to continue after you see the information about the Sysinfo Mod.
Start by typing modifyvm. As you can see below, I have changed the Make and Model but left the rest as default.
Once you are happy with your changes, press any key a couple of times when prompted; this will also start your virtual PC up again. If you check Sysinfo and Task Manager again, they will show the changes that you made. Now we need to change the registry in a couple of places to change what is shown in Device Manager. Below are the device class GUIDs that we need to search for, and what each one changes within Device Manager. This is the first part of how to hide a virtual machine.
{4d36e967-e325-11ce-bfc1-08002be10318}
{4d36e968-e325-11ce-bfc1-08002be10318}
{4d36e965-e325-11ce-bfc1-08002be10318}
{4d36e96f-e325-11ce-bfc1-08002be10318}
The next stage in hiding a virtual machine is to open the Registry Editor. Once inside, navigate to HKEY_LOCAL_MACHINE > SYSTEM > ControlSet001 > Enum
We need to adjust the permissions so that the user we created for Windows is allowed to modify the registry entries. Right-click on Enum and select Permissions:
Click Add…
Enter the name that you used when setting up the Windows account and then click Check Names; it should show like this if it found the name. Click OK.
Now scroll down and click on the name, then tick Allow for Full Control and click Apply.
Next click Advanced, then at the top click on Change.
Enter the name of the user again and click Check Names.
Click OK to drop back a screen, then click Apply. Place a tick in Replace all child object permissions, click Apply again, then click OK until you are back in the registry. The new user is now able to edit the registry, so we can continue hiding the virtual machine.
Right-click on Enum, click Find, then paste in our first GUID from above and click Find Next:
{4d36e967-e325-11ce-bfc1-08002be10318}
This entry changes the disk drive type.
Right-click on FriendlyName, select Modify, and change it to Samsung 500 GB ATA
Now we step through the other three GUIDs, but without images.
For the graphics adapter: right-click Enum again, choose Find, and paste in {4d36e968-e325-11ce-bfc1-08002be10318}
Right-click on DeviceDesc and select Modify, then change it to Nvidia GeForce GTX 1080
DVD/CD: right-click Enum, choose Find, and paste in {4d36e965-e325-11ce-bfc1-08002be10318}
Right-click on FriendlyName and change it to NEC DVD-RW SATA DVD001
Mouse/pointing device: right-click Enum, choose Find, and paste in {4d36e96f-e325-11ce-bfc1-08002be10318}
Right-click on DeviceDesc, select Modify, and change it to Microsoft Pointing Device
On your keyboard press F3 twice to find the next entry
Right-click on DeviceDesc, select Modify, and change it to Microsoft USB Pointing Device
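Before and after making the registry edits above it helps to see exactly what Device Manager will report for those four device classes, rather than hunting through the Enum tree by hand. The PowerShell script below is an added example written for this page; it is not part of the original post or of the BAT file it credits. It reads the same HKLM\SYSTEM\ControlSet001\Enum tree, picks out every device instance whose ClassGUID is one of the four GUIDs listed above, and shows the name Device Manager will display (FriendlyName when present, otherwise DeviceDesc), flagging any name that still contains a hypervisor giveaway. It assumes it is run from an elevated PowerShell inside the guest and that ControlSet001 is the active control set, as the post states; the list of telltale strings is constructed for the example.

```powershell
# Added example (not from the original post): audit what Device Manager will show for the
# four device classes the post edits, by reading the same HKLM\SYSTEM\...\Enum tree.
# Assumptions: elevated PowerShell inside the guest; ControlSet001 is the active control set
# (use HKLM:\SYSTEM\CurrentControlSet\Enum instead if it is not).

# The device setup class GUIDs from the post, mapped to the Device Manager category they cover.
$classes = @{
    '{4d36e967-e325-11ce-bfc1-08002be10318}' = 'Disk drive'
    '{4d36e968-e325-11ce-bfc1-08002be10318}' = 'Display adapter'
    '{4d36e965-e325-11ce-bfc1-08002be10318}' = 'DVD/CD-ROM'
    '{4d36e96f-e325-11ce-bfc1-08002be10318}' = 'Mouse / pointing device'
}

# Constructed list of substrings that give away a hypervisor guest in a device name.
$telltales = 'VBOX', 'VirtualBox', 'VMware', 'QEMU', 'Virtual', 'Hyper-V'

function Get-DeviceDisplayNames {
    param([string]$EnumRoot = 'HKLM:\SYSTEM\ControlSet001\Enum')

    # Every device instance key (e.g. Enum\PCI\VEN_...\<instance>) carries ClassGUID,
    # DeviceDesc and, for many devices, FriendlyName. Keys we cannot read are skipped.
    Get-ChildItem -Path $EnumRoot -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($p -and $p.ClassGUID -and $classes.ContainsKey($p.ClassGUID)) {
                # Device Manager prefers FriendlyName and falls back to DeviceDesc.
                $shown = if ($p.FriendlyName) { $p.FriendlyName } else { $p.DeviceDesc }
                $hit = $false
                foreach ($t in $telltales) {
                    if ($shown -and $shown -match [regex]::Escape($t)) { $hit = $true; break }
                }
                [pscustomobject]@{
                    Class    = $classes[$p.ClassGUID]
                    Key      = ($_.PSPath -replace '^.*?::', '')
                    Shown    = $shown
                    Telltale = $hit
                }
            }
        }
}

# Run the audit; any row with Telltale = True is a name the post's edits have not yet covered.
Get-DeviceDisplayNames | Sort-Object Class | Format-Table -AutoSize
```

Run it once before editing to see the stock VirtualBox names, and again afterwards to confirm that every row for these four classes reads as the post intends; DeviceDesc values that start with an @-prefixed .inf reference are indirect strings that Windows resolves at display time, so a Telltale hit on those still means the underlying driver name is visible.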
Whilst in the registry we also need to remove the Oracle VM VirtualBox Guest Additions 6.1.16 entry so that it does not show in Add/Remove Programs. It is located in the following section of the registry:
HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Uninstall
Right-click on Oracle VM VirtualBox Guest Additions 6.1.16 and click Delete
Now you can exit the registry. There is one thing that needs to be done each and every time we boot up the VM, and that is to remove the VirtualBox icon from the system tray.
Open Task Manager, look for the following two processes and end them:
The final part of hiding a virtual machine is to install some software that we would use daily. At the minute our new VM looks like a new PC that has never been used for anything, which will look rather suspicious to a seasoned scammer.
First, let’s bulk-install some software by pointing your web browser at Ninite, which allows you to install multiple apps at a time.
Just place a tick in the box for each piece of software that you use on your own PC; this is only to make the PC look like it has been used. Personally I select things like Firefox, Zoom, Skype, Spotify and OpenOffice, but you can select what you like. Once you are happy with your selection click ‘Get Your Ninite’ to download the installer, double-click it and allow it to run. The more programs you ticked, the longer the install; be patient and let it complete. Once complete, delete the download from your Downloads folder and remove it from your Recycle Bin.
Looking at your desktop now you will see that, as we continue to hide the virtual machine, it is looking more like a standard PC. From here I would look at what you have installed on your own PC and replicate it a little more on your VM. Also change the standard Windows background: a quick Google search for desktop wallpapers will do; once you find and download one, go to the Downloads folder, right-click on the image and set it as the desktop background. OK, this looks a lot more like a standard PC. We can hide the virtual machine further by using it for an hour or so and browsing the internet, so you have a history in your browser.
At this stage you are ready to let scammers onto your PC, but they will be able to find out your location by checking your IP address; this can be resolved by using a VPN. You can also use other software to record what is happening on your VM, and even use Wireshark to find out where in the world the scammer is; I may create another document to show how to do that.
Now that we have hidden the virtual machine, if you allow a scammer onto it they may install a keylogger or other software that runs in the background. If we take a snapshot of our VM now, then each time you have allowed a scammer onto the PC you can restore it again; this way you know your PC is clean. This can be done whilst the VM is running: from the top menu bar click on Machine
Give it a name and description and click Save.
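The same take-a-baseline-then-restore routine can be scripted on the host with VBoxManage, which is handy once you are resetting the VM after every session. The PowerShell below is an added example written for this page, not code from the original post or from VirtualBox’s own documentation. It assumes VBoxManage is on the host’s PATH and that the VM name and snapshot name are placeholders you replace; the snapshot description text is constructed for the example.

```powershell
# Added example (not from the original post): keep one known-good snapshot of the VM from the
# host with VBoxManage, and roll back to it after each session so anything a remote party
# installed (keylogger, remote-access tool, dropped files) is discarded.
# Assumptions: VBoxManage is on PATH; $VmName and $Baseline are placeholders.

$VmName   = 'ScambaitVM'       # placeholder: the VM's name as shown in VirtualBox
$Baseline = 'clean-baseline'   # placeholder: name of the known-good snapshot

function Get-SnapshotNames {
    # "--machinereadable" prints one Key="Value" line per snapshot; nested snapshots use
    # keys like SnapshotName-1, SnapshotName-1-1. Collect just the names.
    $out = & VBoxManage snapshot $VmName list --machinereadable 2>$null
    if ($LASTEXITCODE -ne 0) { return @() }   # VM missing or not yet snapshotted
    $out | ForEach-Object {
        if ($_ -match '^SnapshotName(-\d+)*="(.*)"$') { $Matches[2] }
    }
}

function Get-VmState {
    # VMState is "running", "paused", "saved", "poweroff", ... in showvminfo output.
    & VBoxManage showvminfo $VmName --machinereadable 2>$null | ForEach-Object {
        if ($_ -match '^VMState="(.*)"$') { $Matches[1] }
    }
}

function New-CleanBaseline {
    # Take (or refresh) the baseline. Taking a snapshot works while the VM is running,
    # as the post describes; deleting the old one first keeps a single baseline.
    if ((Get-SnapshotNames) -contains $Baseline) {
        & VBoxManage snapshot $VmName delete $Baseline
    }
    & VBoxManage snapshot $VmName take $Baseline `
        --description 'Fresh install, identifiers modified, everyday software installed'
}

function Restore-CleanBaseline {
    # Restoring needs the VM powered off, so shut it down hard first if it is still up;
    # the current disk state is thrown away, which is the point.
    if (-not ((Get-SnapshotNames) -contains $Baseline)) {
        throw "No snapshot named '$Baseline' exists on $VmName; run New-CleanBaseline first."
    }
    $state = Get-VmState
    if ($state -eq 'running' -or $state -eq 'paused') {
        & VBoxManage controlvm $VmName poweroff
        Start-Sleep -Seconds 3
    }
    & VBoxManage snapshot $VmName restore $Baseline
}

# Typical use: New-CleanBaseline once after finishing the steps in this post, then
# Restore-CleanBaseline after every session before starting the VM again.
```

Because Restore-CleanBaseline powers the VM off rather than saving its state, nothing that was running inside the guest survives the rollback, including anything set to start at logon; if you also want a record of what was installed, copy the VM’s disk or take a separate snapshot before restoring.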
This completes our guide to hiding a virtual machine. We hope you find it useful; in a future post we may offer an article on an attempted scam.
We have a number of other articles that may interest you. Thanks for dropping by.