Genuine Anti-sandbox trick

May 28, 2020 in Anti-*

This is a bit of an unusual trick, because it relies on testing whether the Windows version the sample is running on is… legitimate/genuine.

Yes… we live in these times. Lots of pirated versions of Windows are still floating around, though fewer than, say, 10 years ago.

When I came up with the idea I googled around and discovered that to verify whether Windows is genuine one only has to call a single API: SLIsGenuineLocal.

Encouraged, I crafted a small .exe that shows a message in one of two forms: either ‘Genuine, continue’ or ‘Pirated, exit’. Since sandbox engines are very unreliable, I use 3 methods of message notification:

  • I print to STDOUT
  • I show a message box
  • I create a file with a name equal to the message chosen
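To make the check concrete for analysts, here is what that call looks like in code. This is an added example written for this post, not the author's own .exe. On Windows it calls SLIsGenuineLocal from slwga.dll with the documented application ID for Windows itself ({55c92734-d682-4d71-983e-d6ec3f16059f}); on any other platform the API does not exist, so the decision logic is exercised on a simulated "genuine" state. The enum values mirror SL_GENUINE_STATE from slpublic.h, and only a successful call reporting IS_GENUINE counts as genuine. Note that SL_GEN_STATE_OFFLINE is also a non-genuine answer here, so the same logic can misfire on a host whose licensing data has not been validated; from the sandbox operator's side, the takeaway is that an import of SLIsGenuineLocal is worth flagging and that analysis images should be activated copies of Windows, or the API hooked to return the genuine state.

```c
/* Added example of the "genuine Windows" check described in the post.
 * Windows: calls SLIsGenuineLocal (slwga.dll). Elsewhere: the API is
 * absent, so a genuine host is simulated and only the decision logic runs. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <slpublic.h>              /* SLIsGenuineLocal, SLID, SL_GENUINE_STATE */
#pragma comment(lib, "slwga.lib")
#endif

/* Values of SL_GENUINE_STATE from slpublic.h, mirrored here so the
 * decision function also compiles where that header is unavailable. */
enum genuine_state {
    GEN_STATE_IS_GENUINE      = 0,
    GEN_STATE_INVALID_LICENSE = 1,
    GEN_STATE_TAMPERED        = 2,
    GEN_STATE_OFFLINE         = 3
};

#define MSG_GENUINE "Genuine, continue"
#define MSG_PIRATED "Pirated, exit"

/* Map the API outcome to one of the two messages from the post.
 * A failed call or any state other than IS_GENUINE is treated as "Pirated". */
const char *decide(int call_succeeded, int state)
{
    if (call_succeeded && state == GEN_STATE_IS_GENUINE)
        return MSG_GENUINE;
    return MSG_PIRATED;
}

/* Query the local licensing state. Returns 1 if the call succeeded and
 * stores the reported state in *state. */
int query_genuine_state(int *state)
{
#ifdef _WIN32
    /* Documented application ID for Windows itself. */
    static const SLID windows_app_id =
        { 0x55c92734, 0xd682, 0x4d71,
          { 0x98, 0x3e, 0xd6, 0xec, 0x3f, 0x16, 0x05, 0x9f } };
    SL_GENUINE_STATE gs;
    HRESULT hr = SLIsGenuineLocal(&windows_app_id, &gs, NULL);
    *state = (int)gs;
    return SUCCEEDED(hr);
#else
    /* No Software Licensing API on this platform: simulated genuine host. */
    *state = GEN_STATE_IS_GENUINE;
    return 1;
#endif
}

/* Notification channel 3 from the post: a file whose name is the message. */
int notify_by_file(const char *msg)
{
    FILE *f = fopen(msg, "w");
    if (!f)
        return 0;
    fputs(msg, f);
    fclose(f);
    return 1;
}

/* Deliver the message over all three channels the post uses. */
void notify(const char *msg)
{
    puts(msg);                                        /* 1: STDOUT */
#ifdef _WIN32
    MessageBoxA(NULL, msg, "Genuine check", MB_OK);   /* 2: message box */
#endif
    notify_by_file(msg);                              /* 3: file named after the message */
}

int main(void)
{
    int state = -1;
    int ok = query_genuine_state(&state);
    notify(decide(ok, state));
    return 0;
}
```

On Windows, build with the Windows SDK and link against slwga.lib (the #pragma handles this for MSVC); the resulting binary imports SLIsGenuineLocal, which is exactly the import string a static triage rule can key on.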

To demonstrate the technique, I submitted a test file to VirusTotal hoping that its internal behavioral engine would pick it up. I was not disappointed, and after a few tunings and tweaks VT JukeBox presented me with the result below:

Oh… can it be?

Now, this may come as a surprise, but it is undeniable that many Jukebox sessions I have seen in the past present this bit to the sample submitter:

I am absolutely, positively, undeniably and equivocally certain that this is a genuine mistake and VirusTotal team will fix it soon.

In the meantime, and to distract the audience, let’s remember that 5 engines detected my small .exe as malware:

The genius detectors are not surprising at all. As they say… garbage in, garbage out.

