Malwarebytes' reason to block Kiwifarms

It appears my antivirus of choice is still winning.
 
I found WinDefender to be a resource hog and it will try to re-enable itself even if you go out of your way to disable it. It has a high rate of false positives, e.g. repacks, keygens and patches tend to get flagged as trojans for no good reason.
They even had a serious CPU leak issue that took 5 years to be fixed.

But as far as free antivirus solutions go it's one of the best. I wouldn't touch Avast with a 10ft pole nowadays.
If you disable sample submission via group policy, Windows Defender will REPORT ITSELF because "something" blocked the registry entry from being written to...
 
Initially I thought WD was getting a ton of false positives until I set up BSA and Sandboxie to see what was actually going on when you ran the keygens. Turns out the keygens I thought were false positives actually did do some shit they shouldn't have been doing if all they needed to do was generate keys, though it's unclear if the shit they did would have been useful to a hacker anymore since a lot of them were over 10 years old.

tl;dr those might not be positives that are quite as false as you think.
 
I don't regret buccaneering their lifetime subscription with a random key I found online, but eventually that has come to pass too when they cracked down on it and gave me a free 1 year premium subscription.
What did you see those keygens do?
 

I sandboxed my most used one, ran it again, then used BSA to spit out a report:
Code:
Detailed report of suspicious malware actions:

Created a mutex named: SBIE_VCM_Mutex
Detected keylogger functionality
Error reporting dialog change: machine\software\microsoft\windows\windows error reporting\dontshowui = 00000001
File handling change: machine\software\classes\undecided\shell\open\command  = "c:\program files\sandboxie-plus\start.exe" open_with "%1"
File handling change: machine\software\classes\unknown\shell\open\command  = "c:\program files\sandboxie-plus\start.exe" open_with "%1"
File handling change: machine\software\classes\unknown\shell\openas\command  = "c:\program files\sandboxie-plus\start.exe" open_with "%1"
File handling change: machine\software\classes\unknown\shell\openwithsetdefaulton\command  = "c:\program files\sandboxie-plus\start.exe" open_with "%1"
Got input locale identifiers
Hid file from user: C:\Windows\SbiePst.dat
Queried DNS: contacts.google.com
Queried DNS: signaler-pa.clients6.google.com
Queried DNS: t8.dropbox.com
Traces of Max++

That's good enough to get me to run all keygens sandboxed from now on, after all they shouldn't be doing ANYTHING but spitting out keys, but perhaps I'm just retarded.
 

Bitch where did you get those Keygens from? That is definitely probably pozzed.
What's the app the keygen is for and name of the releaser/group that made it? This is why keygens usually come with an .NFO file and a hash so that people know they haven't been tampered with.

Unless you had Dropbox or Google Contacts somehow installed in the sandbox/open in a browser it has no reason to check those things. On second thought, some keygens come with an updater in case there's a new version, but that's exceedingly rare to have. My guess is it tried to download some sort of payload.

SbiePst.dat seems to be related to Sandboxie so that is normal.

I guess I'm with you running Keygens in a sandbox since they should just spit out numbers. Although sometimes that will require patching the original executable.
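As an added example (not from the thread or from BSA), a small Python triage script that does what the two posts above do by hand: it separates Sandboxie's own footprint in the report (the SBIE mutex, the sandboxie-plus start.exe open-with entries, SbiePst.dat) from the findings a key generator has no business producing (DNS lookups, the WER dontshowui change, the keylogger and Max++ hits). The report text is the one quoted above; the category keyword lists are my own assumptions.

```python
# Constructed sample: the BSA report lines quoted earlier in the thread (raw string, backslashes kept).
BSA_REPORT = r"""
Detailed report of suspicious malware actions:

Created a mutex named: SBIE_VCM_Mutex
Detected keylogger functionality
Error reporting dialog change: machine\software\microsoft\windows\windows error reporting\dontshowui = 00000001
File handling change: machine\software\classes\unknown\shell\open\command  = "c:\program files\sandboxie-plus\start.exe" open_with "%1"
Got input locale identifiers
Hid file from user: C:\Windows\SbiePst.dat
Queried DNS: contacts.google.com
Queried DNS: t8.dropbox.com
Traces of Max++
"""

# Substrings that identify Sandboxie's own footprint, i.e. the sandbox, not the sample (assumption).
SANDBOX_MARKERS = ("sbie", "sandboxie")
# Behaviours that a program which only needs to print keys should never show (assumption).
HIGH_SIGNAL = ("keylogger", "error reporting dialog change", "queried dns", "traces of", "hid file")


def triage(report: str) -> dict:
    """Bucket each report line: sandbox artifact, high-signal finding, or low-signal noise."""
    out = {"sandbox_artifact": [], "high": [], "low": [], "dns": []}
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):
            continue  # skip the header and blank lines
        lower = line.lower()
        if any(m in lower for m in SANDBOX_MARKERS):
            out["sandbox_artifact"].append(line)  # explained by running inside Sandboxie
        elif lower.startswith("queried dns:"):
            out["dns"].append(line.split(":", 1)[1].strip())  # keep the domain for blocking/lookup
            out["high"].append(line)
        elif any(k in lower for k in HIGH_SIGNAL):
            out["high"].append(line)
        else:
            out["low"].append(line)  # e.g. "Got input locale identifiers": common, weak on its own
    return out


def verdict(t: dict) -> str:
    """Sandbox artifacts alone are benign; any high-signal finding means keep it in the sandbox."""
    return "suspicious" if t["high"] else "benign"


if __name__ == "__main__":
    result = triage(BSA_REPORT)
    for bucket, lines in result.items():
        print(bucket, lines)
    print(verdict(result))
```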
 
Not sure if I'm reading this wrong, but did it try to change those files TO open with sandboxie-plus (which I assume was the box you're running) or FROM? And if from, to what exactly?
 
In order:
>where
Emule originally, but it was also in a torrent release of the same
>what for and who
CS6 Master Collection, x-force is the release group, keygen actually works really well...outside the poz.
>why is it trying to set something to open with sandboxie
I'm sure that's an artifact of it trying to set some kind of sneaky backdoor, but because it's sandboxed it's pulling that as the executable instead of something more system related under normal circumstances, since it looks like it's setting an open with command to be some executable with the %1 argument tacked on, which looks a lot like the skeleton of a rundll32.exe command or something similar probably.
 
Why would malware try to set the shortcut to anything but itself? Unless it's Sandboxie interfering, but then why doesn't it say anything?

At this point I'd just put it in a VM and see how it would behave in a "real" Windows.
 
Best guess it tries to grab something from dropbox (that probably doesn't exist anymore) and that's what it's trying to point to. Given that it also tries to hide something (which ends up being another sandboxie related file, but in a real environment probably is something else) that seems at least plausible.

This is a keygen that has to remain open for a while by the nature of the software it is for, so it wouldn't be impossible in a normal use case for it to do things in the background over a period of a few minutes, such as download something else.
 
As stated before in this thread, antimalware programs have become laughably bad.
I ran into a trojan called BBYStealer a few years ago spreading around which would harvest login cookies and saved passwords from browsers when run. There were few to no detections from almost all antimalware vendors, especially on VirusTotal, because of how the trojan was designed to run.
I submitted a sample to the vendors hoping it would get their attention and I got a reply back from only one, saying that it was known about already. Yet there were still no detections even after a reanalysis.
 
> Best guess it tries to grab something from dropbox (that probably doesn't exist anymore) and that's what it's trying to point to.
Most likely trying to grab some sort of crypto miner

Every piece of malware I've seen recently is pretty boring. They try to rummage through your browser files to see if you have credit card info stored, phone home and then start mining bitcoins.

You'd think with the current state of software that it could threaten to send incredibly weird furry porn to your boss or something but no it's just credit cards and buttcoins.
 
Old releases can't be trusted, not because they're bad but because they've passed through a lot of hands over the years. Out of curiosity I have downloaded things (mostly old games) from abandonware sites where the crack or keygen is suspect when compared to the original scene release even though they should be one and the same. One gets flagged while the original one passes just fine.

Not that I trust new releases that show up under some "official" name either.
 