Another two years have passed since the last update of the 3R, and since there is a new release of Regripper this week (https://github.com/keydet89/RegRipper3.0) it was a good opportunity to revisit it.
The update this time was a bit tricky — since the snapshots (2.8 vs. 3.0) differ a lot, I decided to take 2.8 as a base and then add/overwrite the changes from v3.0.
This is a bit of an unusual trick, because it relies on testing whether the Windows version the sample is running on is… legitimate/genuine. The point for sandbox evasion is that analysis VMs are frequently built from unactivated images, so a non-genuine result is a cheap hint that the sample is being analysed rather than run on a real victim's box.
Yes… we live in such times. There are still lots of pirated versions of Windows floating around, though fewer than, say, 10 years ago.
When I came up with the idea I googled around and discovered that, to verify whether Windows is genuine, one only has to call a single API: SLIsGenuineLocal (exported by Slwga.dll; it fills in an SL_GENUINE_STATE value such as SL_GEN_STATE_IS_GENUINE or SL_GEN_STATE_INVALID_LICENSE).
Encouraged, I crafted a small .exe that shows a message in the form of either ‘Genuine, continue’ or ‘Pirated, exit’. Since sandbox engines are very unreliable, I use three methods of message notification:
I print to STDOUT
I show a message box
I create a file with a name equal to the message chosen
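As an added illustration (my own example, not the .exe from the post): the check described above in C, calling SLIsGenuineLocal from Slwga.dll with the Windows application ID that Microsoft's documentation for that API uses (assumed here: {55c92734-d682-4d71-983e-d6ec3f16059f}), mapping the returned SL_GENUINE_STATE to the two messages, and pushing the result through the same three channels (STDOUT, a message box, a file named after the message). One thing the two-way "genuine vs. pirated" split hides is that the API also reports SL_GEN_STATE_OFFLINE (could not verify) and the call itself can fail; the example maps those to a third, hypothetical 'Unknown, continue' message instead of 'Pirated', so an air-gapped but legitimate host is not mistaken for a sandbox. The Windows-only parts are guarded by _WIN32 so the mapping logic compiles and can be tested anywhere.

```c
/* Added example, not the original post's sample: a minimal "is this
 * Windows genuine?" check built on SLIsGenuineLocal (Slwga.dll), plus the
 * three notification channels the post describes. Build on Windows with
 * the SDK (link against slwga.lib); elsewhere only the mapping logic runs. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <slwga.h>                 /* SLIsGenuineLocal, SL_GENUINE_STATE, SLID */
#pragma comment(lib, "slwga.lib")
#endif

/* Values of the SL_GENUINE_STATE enumeration from slwga.h, mirrored so the
 * mapping below builds without the Windows SDK. */
#define GEN_STATE_IS_GENUINE       0
#define GEN_STATE_INVALID_LICENSE  1
#define GEN_STATE_TAMPERED         2
#define GEN_STATE_OFFLINE          3
#define GEN_STATE_QUERY_FAILED    -1   /* our own marker: call failed / not Windows */

#define MSG_GENUINE  "Genuine, continue"
#define MSG_PIRATED  "Pirated, exit"
#define MSG_UNKNOWN  "Unknown, continue"   /* hypothetical third message, see lead-in */

/* Map the licensing state to the message shown to the analyst.
 * Only an explicit non-genuine answer is treated as "pirated"; an offline
 * or failed query is inconclusive and must not trigger the exit path. */
const char *message_for_state(int state)
{
    switch (state) {
    case GEN_STATE_IS_GENUINE:      return MSG_GENUINE;
    case GEN_STATE_INVALID_LICENSE: /* fall through */
    case GEN_STATE_TAMPERED:        return MSG_PIRATED;
    default:                        return MSG_UNKNOWN;
    }
}

/* Ask the licensing service about Windows itself. */
int query_genuine_state(void)
{
#ifdef _WIN32
    /* Application ID of Windows for the SL* APIs (assumed from Microsoft's
     * SLIsGenuineLocal documentation): {55c92734-d682-4d71-983e-d6ec3f16059f} */
    static const SLID windows_app_id = {
        0x55c92734, 0xd682, 0x4d71,
        { 0x98, 0x3e, 0xd6, 0xec, 0x3f, 0x16, 0x05, 0x9f }
    };
    SL_GENUINE_STATE state;
    HRESULT hr = SLIsGenuineLocal(&windows_app_id, &state, NULL);  /* pUIOptions is optional */
    if (FAILED(hr))
        return GEN_STATE_QUERY_FAILED;
    return (int)state;
#else
    return GEN_STATE_QUERY_FAILED;   /* not Windows: nothing to query */
#endif
}

/* Three notification channels: STDOUT, a message box (Windows only) and a
 * file whose name is the message. Returns 0 if the file was created. */
int notify(const char *msg)
{
    FILE *f;
    printf("%s\n", msg);
    fflush(stdout);
#ifdef _WIN32
    MessageBoxA(NULL, msg, "genuine-check", MB_OK);
#endif
    f = fopen(msg, "w");
    if (f == NULL)
        return -1;
    fputs(msg, f);
    fclose(f);
    return 0;
}

int main(void)
{
    const char *msg = message_for_state(query_genuine_state());
    notify(msg);
    /* Mimic the sample: exit non-zero (i.e. stop) only on "Pirated, exit". */
    return strcmp(msg, MSG_PIRATED) == 0 ? 1 : 0;
}
```

When a sandbox report shows the file 'Pirated, exit' being dropped, that is the check firing; a report that shows 'Unknown, continue' instead means the licensing service could not answer, which is a different (and, for an evasion author, useless) signal.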
To demonstrate the technique, I submitted a test file to VirusTotal hoping that its internal behavioral engine would pick it up. I was not disappointed, and after a few tunings and tweaks VT JukeBox presented me with the result below:
Oh… can it be?
Now, this may come as a surprise, but it is undeniable that many Jukebox sessions I have seen in the past present this bit to the sample submitter:
I am absolutely, positively, undeniably and unequivocally certain that this is a genuine mistake and the VirusTotal team will fix it soon.
In the meantime, and to distract the audience, let’s remember that five engines detected my small .exe as malware:
The genius detectors are not surprising at all. As they say… garbage in, garbage out.