What is mentioned in this article is true. This is a typical process of analyzing a suspicious file. It might not be the best or even the most professional way, but still, it is a way.
Methodology
- Hypervisor: Type 2, Virtualbox, version: 7.014 with extension pack installed.
- Settings of Guest: NAT, CPU: 2 cores, Storage: 250 GB VDI, GPU: 128 MB VirtualBox default, 4 GB RAM
- Host: Linux Mint x64, up-to-date
- Guest: Windows 11 Home
- Tools:
- Microsoft Defender (all settings to max, e.g., Memory Integrity: On, etc. Considering that the majority is using it as the default solution, I thought it was best for this test)
- Malwarebytes (as second opinion scanner)
- Emsisoft Emergency Kit portable (second opinion scanner, from portableapps.com)
- VirusTotal Site
- ProcessHacker portable
- WireShark
The Plot
Unfortunately, many users use cracked programs. Even small businesses are utilizing pirated software. The reason is simple: the cost. Some programs are expensive or one-feature-only necessary, so paying the extra fee isn’t a viable option. Some of you might say don’t use them, and I can’t disagree with you. But I am not in charge of how companies should work. Others might suggest using a free, usually open-source, alternative. I agree, but these tools are typically suitable only for home users or require an extra learning curve. Considering there is no guarantee or support, it might not be a viable option for businesses.
Anyway, the purpose of this article is not to judge how a business operates, so let’s step to the core of this article: The cracked program. This program was used for only one feature offered, so its cost wasn’t justified. Still, pirating is not the answer, but who am I to judge? So, I asked for the cracked file to analyze it further. Let’s see what I discovered.
The Analysis
I ran my virtual machine (see methodology) and downloaded the cracked file. It was a zip file. I extracted the file, and Microsoft Defender warned me of the threat. I expected that because the file contained a keygen. A key generator is a program used to generate keys that “trick” the software from which they are obtained legally. By default, they are considered threats by the malware scanners. Most of the time, they are risky. Usually, they contain backdoors that allow hackers to exploit a system. I scanned it with Malwarebytes and the Emsisoft Emergency Kit and got the same results only for the keygen. It was expected. The .exe file was legit; only the keygen was suspicious. It is a widespread technique.
Legitimate programs that are not cracked and have a keygen that does the job are typical. I uploaded both files to VirusTotal and got the same results. The hash of the original software was okay, but the keygen was identified as a threat by 46 scanners. That can’t be good news, can it? But I ignored all the warnings and ran the file and the keygen. I wanted to know if it was dangerous or not firsthand. The company used it for years without noticing something suspicious. So, I might be wrong. I am only human, after all.
I installed the program successfully and activated it. Nothing seemed suspicious at first glance. The task manager didn’t report something that would be worth my attention. I ran a full scan with the abovementioned tools, and there was no report. I deleted the keygen after activating the program, so there was nothing to report. Afterward, I ran the process hacker and noticed a process reported as genuine, but it was just for a while now and then. Still, that was something unexpected. I should stress that it was a clean install of Windows 11 without any tuning. So, I expected to see normal behavior even from the registry.
I clicked the file location, and I noticed something strange. For a genuine host process, running from a local file rather than the default Windows file was a bit odd. I thought I had something that needed further investigation. I scanned the file, but there was no report of any scanner. But for me, it was alarming. Normally, I would run another anti-malware tool to scan it, but I don’t think I would have a different result.
I utilized WireShark to see if I would find something suspicious. I noticed a strange domain among the legal ones. It seemed like a Russian or something. I don’t have anything with Russians, but seeing a domain like that now and then without something to justify it is odd. Moreover, it seemed to be related to the suspicious process. I cloned the VM and reran the original screenshot of the Windows installation. Nothing was odd, and the process wasn’t there. The cloned one remained the same. I tried to find out if it was a legit program process, but I couldn’t find anything related to it. I cloned the original and reinstalled the file. Same behavior again. It couldn’t be random.
Some of you might say it was a process necessary for the keygen to keep the license under control. That would be true if it were a KMS or something similar. The legit program didn’t require online activation either. So, I don’t believe it was that. By experience and considering all the facts, it was a sophisticated exploit of the keygen’s backdoor. Running only the keygen in a clean installation had the same behavior. It seemed to run silently in the background until it was too late to deal with it. In a matter of time, it would install or run other kinds of malware, such as a trojan or anything else, even ransomware. Unfortunately, there are not only immediate kinds of ransomware whose side effects are noted simultaneously. The worst kind are the silent ones running in the background.
Some are pretty “clever” to avoid anti-malware detections disguised as legitimate processes. Others are silently hibernating, running for a while, and being exploited when the hacker wants to or by installing other malware. It depends on the payload or the hacker’s intentions. That’s why hardware and software firewall configuration are essential as well. An advanced firewall would warn you of strange behavior. And this is precisely what happened when I installed a dedicated third-party firewall. It reported and blocked the malicious connection. Through further investigation, it was revealed that, indeed, it was suspicious. So, it was enough for me that this keygen wasn’t innocent. And nothing would have happened if I hadn’t ignored Microsoft Defender’s warning. That’s why precaution is more important than dealing with the malware afterward. Better safe than sorry.
Epilogue
I didn’t have the time to check what kind of attack would have been utilized to know how it would behave. It might work as an info stealer or a malware chain. I don’t know how much damage is done to the company silently, but I only know one thing: Pirating software is dangerous, not to mention illegal. There is even a myth that companies are willingly pirating their software to have control over it. I don’t know if that’s true, but there is still one truth. Most of the time, we are responsible for an attack. We might not be the primary target, but when we mess with shady practices, we seek trouble. And trouble might find us one way or another. So, if you choose to pirate, be extra cautious. Nothing is offered for free for the love of it.
Not all hackers and crackers are Robin Hoods who like to save the Internet from the bad companies that offer their products at a price. It might just be the cheese that catches a mouse in their trap. And this mouse might be you or me someday, somehow. Just think that maybe we might cause this havoc by installing pirated software. Free is tempting, but is it worth the risk? It would be best to consider this well before installing something that wasn’t meant to be pirated. Even the originals are exploitable, so they offer patches and updates. Pirated ones can’t take these patches, and malicious people know that. They know the exploits of a previous version. And that makes their lives easier. So, the final decision is up to you. As always, stay safe and stay in the know.