this post was submitted on 27 Oct 2025
182 points (96.4% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ


I downloaded a cracked install from tpb (haxnode). It was a loader exe that loaded the original exe and supposedly removed the DRM in RAM. It required admin permissions; I didn't trust it, but I ran it in a VM and nothing happened.

Then I told myself "I have Microsoft Defender and Windows Firewall Control, they will warn me" and I ran it on my main laptop, and still nothing happened. Like, literally nothing happened. The original program would not start. It would simply exit. Nothing. The other 6 almost identical torrents from the same uploader but with a different program version had a similar result. I gave up.

Then I reboot, and first I notice a couple of DOS prompts flashing on the screen, and Windows Firewall Control asking me if "aspnet_compiler.exe" is allowed to access the internet or not.

Suspicious, I go to check that "aspnet_compiler.exe" and it's located in the .NET system folder. I scan it with Microsoft Defender and it doesn't report as a virus. I do not pay attention to the fact that it doesn't have a valid Microsoft signature, and I tell myself "probably just a Windows update" and I whitelist it on the firewall.

After a few hours I realize "wait a minute: it's impossible that an official Windows exe isn't signed by Microsoft!" I go back to scan it, not infected... or so it looks; Defender says "ignored because in whitelist". What? The "loader" put `c:*` in the whitelist!

The "crack loader" wasn't a virus per se. It dropped an obfuscated batch in Startup, which had a base64-encoded attachment of the actual malware that was copied into the .NET Framework directory with unassuming names...

And this for a $60 perpetual-license program that I should buy anyway because it's for work.
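The chain the poster describes (a Defender path exclusion, a script dropped into the Startup folder with an embedded base64 payload, and an unsigned executable under the .NET Framework directory) can be triaged from an elevated Windows PowerShell prompt. This is an added example, not code from the post or its author; the Startup and Framework paths are the standard Windows locations and are assumptions, and the script only reads and reports.

```powershell
# Added example (not from the post): read-only triage for the three indicators the
# poster hit. Run from an elevated Windows PowerShell prompt so Get-MpPreference and
# the all-users Startup folder are readable. Paths are standard Windows locations (assumed).

# 1. Defender path exclusions: a loader that whitelists the whole drive shows up here.
$exclusions = (Get-MpPreference).ExclusionPath
Write-Host "Defender path exclusions:"
$exclusions | ForEach-Object { Write-Host "  $_" }
$broad = $exclusions | Where-Object { $_ -match '^[A-Za-z]:\\?\*?$' }   # c:, c:\, c:\*, c:*
if ($broad) { Write-Warning "Drive-wide exclusion present: $($broad -join ', ')" }

# 2. Startup folders: scripts dropped here run at every logon.
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
$scriptExt = '.bat', '.cmd', '.vbs', '.ps1', '.js', '.wsf'
Get-ChildItem -Path $startupDirs -File -ErrorAction SilentlyContinue |
    Where-Object { $scriptExt -contains $_.Extension.ToLower() } |
    ForEach-Object {
        Write-Warning "Script in Startup: $($_.FullName) ($($_.Length) bytes, written $($_.LastWriteTime))"
        # A long run of base64 characters is the tell for an embedded payload, as in the post.
        $hasBlob = Select-String -Path $_.FullName -Pattern '[A-Za-z0-9+/]{200,}={0,2}' -Quiet -ErrorAction SilentlyContinue
        if ($hasBlob) { Write-Warning "  contains a long base64-looking blob" }
    }

# 3. Executables in the .NET Framework tree that are not Microsoft-signed.
#    Genuine files here carry a Microsoft signature (embedded or via catalog, which
#    Get-AuthenticodeSignature honours on Windows 8 and later); NotSigned or a
#    non-Microsoft signer deserves a second look, e.g. an unsigned aspnet_compiler.exe.
$fxDirs = @("$env:windir\Microsoft.NET\Framework", "$env:windir\Microsoft.NET\Framework64")
Get-ChildItem -Path $fxDirs -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
            [pscustomobject]@{
                Path     = $_.FullName
                Status   = $sig.Status
                Signer   = $signer
                Modified = $_.LastWriteTime
            }
        }
    } | Format-Table -AutoSize
```

Anything step 3 lists should be compared against a known-good copy of the same file (same path on a clean machine, or its hash against Microsoft's) before acting on it, since a single unusual signer result is a lead, not a verdict.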

[–] brax@sh.itjust.works 13 points 5 days ago (2 children)

I ran it in a VM and nothing happened.

Did you configure the VM so that it didn't blatantly look like a VM? Of course malware is gonna act like a good boi when it detects that it's being run in a VM.

[–] nutsack@lemmy.dbzer0.com 4 points 5 days ago (1 children)

It probably did exactly in the VM what it did outside the VM.

[–] brax@sh.itjust.works 3 points 5 days ago

Yeah true, I misinterpreted "and nothing happened [in the VM]" to mean "and nothing bad happened"

[–] f9h21n@lemmy.myserv.one 5 points 5 days ago (1 children)

How do you do that? I've always wanted to know!

[–] brax@sh.itjust.works 9 points 5 days ago (1 children)

Nice try malware dev 🤣

Really though, there's a bunch of stuff it can probe... hard drive name, driver names, MAC addresses, hardware profile/resource allotments.

There's a bunch of YouTube vids that go over virtual machine detection and hardening your VM to make it less obviously a VM.

[–] f9h21n@lemmy.myserv.one 2 points 2 days ago* (last edited 2 days ago)

(EDIT: Forgot to be thankful, thanks man!) Always thought those would be the ineffective ones, as those videos get a lot of views, so I thought all malware devs already knew about the ones advised on YouTube.

Also, nice jk! I'm not into malware dev tho. I always felt like collecting data and being creepy is Google's and big tech's thing.