Encouraged, I crafted a small .exe that shows a message that takes a form of either ‘Genuine, continue’ or ‘Pirated, exit’. Since sandbox engines are very unreliable I use 3 methods of message notification:<\/p>\n\n\n\n
- I print to STDOUT<\/li>
- I show a message box<\/li>
- I create a file with a name equal to the message chosen<\/li><\/ul>\n\n\n\n
To demonstrate the technique, I submitted a test file to VirusTotal hoping that its internal behavioral engine will pick it up. I was not disappointed and after a few tunings and tweaks VT JukeBox presented me with the result<\/a> as below:<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/05\/vt2-1.png\")
<\/a><\/figure>\n\n\n\nOh… can it be?<\/p>\n\n\n\n
Now, this may come as a surprise, but it is undeniable that many Jukebox sessions I have seen in the past present this bit to the sample submitter:<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/05\/vt3.png\")
<\/figure>\n\n\n\nI am absolutely, positively, undeniably and equivocally certain that this is a genuine mistake and VirusTotal team will fix it soon.<\/p>\n\n\n\n
In the mean time, and to distract the audience, let’s remember that 5 engines detected my small .exe as malware:<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/05\/vt4.png\")
<\/figure>\n\n\n\nThe genius detectors are not surprising at all. As they say… garbage in, garbage out.<\/p>\n","protected":false},"excerpt":{"rendered":"
This a bit unusual trick, because it relies on a test if Windows version that sample is running on is… legitimate\/genuine. Yes.. we live in these times. Lots of pirated versions of Windows still floating around, but less than say … Continue reading