Posted


Hello folks! Hope you all are doing well. :hello:
As an avid Windows 7 user and enjoyer, I tend to have to rely on backports or older versions of software.
However, as expected, there are some cases where this approach hits a wall fast, and modern apps with no backportability happen to be needed. :(

In this case, I've heard many people recommend VxKex, which seems to be an extended kernel of some sorts.
However, the general consensus seems to be mixed between VxKex by i486 and VxKex-NEXT by YuZhouRen86.
Being unsure, I put them in VirusTotal; the results were 30/66 for VxKex (i486), and 43/68 for VxKex-NEXT (YuZhouRen86).
After that, I went to the Behavior section, and both had:
- Image File Execution Options Injection (If I recall correctly, this had to do with the kernel hooking.)
- Registry Modification (I'd say this is expected behaviour for an extended kernel.)
- Input Capture (I recall this had something to do with the pointer input history thing from Windows 8 and later)
- Process Injection (Expected)
- All the Discovery techniques (Process Discovery, File and Directory Discovery etc.)

But, after these, there are 3 (well, 4, but I'll get to that a tad later) that I didn't quite understand:
- Data Destruction
- Data Encrypted for Impact
- File and Directory Permissions Modification

I do not know much about why an extended kernel would need those, although they might as well just be benign.

However, the fourth one I just told you about was unique to VxKex-NEXT, which was:
- Virtualisation/Sandbox Evasion
Why exactly would an extended kernel have to know whether it's in a sandboxed environment or not? Or is this perhaps a false positive on VirusTotal's (and its scanners') part?

I also decided to check out the hashes of these two files on Threat.Rip, and the results came out as VxKex (i486) having a score of 71/100, and VxKex-NEXT (YuZhouRen86) having a score of 100/100! :huh:
The biggest red flag here seems to be how VxKex-NEXT tried to do Privilege Escalation.

I'm no expert at this, as I'm just a paranoid Windows 7 user trying to stay safe hehe! :)
So if you have experience in data and heuristics analysis, then please let me know your thoughts.
Have a good day! :D

VxKex (i486):
Download Link: https://github.com/i486/VxKex/releases/download/Version1.1.5.1679/KexSetup_Release_1_1_5_1679.exe
VirusTotal: https://www.virustotal.com/gui/file/a4c9af98ca721a82e8470ab5f81fcfb2bda74fcbc36bdfbea8854934ad3f0420
Threat.Rip Link: https://www.threat.rip/file/a4c9af98ca721a82e8470ab5f81fcfb2bda74fcbc36bdfbea8854934ad3f0420

VxKex-NEXT:
Download Link: https://github.com/YuZhouRen86/VxKex-NEXT/releases/download/1.1.4.2085/KexSetup_Release_1_1_4_2085.exe
VirusTotal Link: https://www.virustotal.com/gui/file/8985542047792393c391e63bf1d3cb50e2b199b084772d50057a5f7061d720a5/behavior
Threat.Rip Link: https://www.threat.rip/file/8985542047792393c391e63bf1d3cb50e2b199b084772d50057a5f7061d720a5


Posted (edited)
On 6/13/2026 at 11:11 PM, Bottetoundra719 said:

Virtualisation/Sandbox Evasion

This means that the software can evade a virtual machine or a sandboxed application from the host OS; I don't think this is desirable (for me at least).

Of course it may also mean the opposite, it isn't really clear.

Edited by HarryTri
Posted (edited)
1 hour ago, HarryTri said:

This means that the software can evade a virtual machine or a sandboxed application from the host OS.

As far as I know, Virtualisation/Sandbox Evasion is when an app (in most cases malware) tries to detect whether it's in a sandbox or not. The MITRE ATT&CK behaviour section of VxKex-NEXT only shows the Evasion, not the Escape. (As far as I know, Virtualisation/Sandbox Escape is when the app actually tries to escape the sandbox and interact with the host OS directly)
I'm not sure why this is the case, although this Virtualisation/Sandbox Evasion technique alert could be triggered by driver checks, registry entries etc.
However, as plausible as this could be, in my opinion, if VxKex (i486) doesn't flag this, then VxKex-NEXT (YuZhouRen86) should also theoretically have no reason to either. (and it flagged it twice!)
I kind of doubt these kinds of flags can be excused or ignored as "false positives", but I'm not entirely sure. :dubbio:

Edited by Bottetoundra719
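The comparison the first post does by hand (which MITRE ATT&CK techniques the two builds share, which one is unique to VxKex-NEXT, and which ones are routine for an installer versus worth a closer look), together with the follow-up question of what actually triggered the Virtualisation/Sandbox Evasion entry, can be scripted. The block below is an added example and is not code from either poster or from the VxKex projects. It assumes the JSON layout of VirusTotal's v3 `behaviour_mitre_trees` endpoint (a `data` map keyed by sandbox name, each with a `tactics` list whose entries carry `techniques`, each with `id`, `name` and `signatures`); the two sample reports are constructed stand-ins, not the real reports for the files linked above, and the `ROUTINE` allowlist is a judgement call to adjust per environment.

```python
"""Triage helper for VirusTotal MITRE ATT&CK behaviour trees.

Added example, not part of the forum thread. The report layout assumed here
mirrors the v3 `behaviour_mitre_trees` response (an assumption); the two
sample reports are constructed and do not describe the real VxKex files.
"""
import json
from typing import Dict, List, Set, Tuple

# Techniques that a Windows compatibility layer or its installer can be
# expected to exhibit (judgement call, not a VirusTotal classification).
ROUTINE: Set[str] = {
    "T1112",      # Modify Registry
    "T1055",      # Process Injection
    "T1057",      # Process Discovery
    "T1083",      # File and Directory Discovery
    "T1546.012",  # Image File Execution Options Injection
}

# Constructed stand-in for a behaviour_mitre_trees response (file A).
SAMPLE_A = json.dumps({"data": {"SandboxX": {"tactics": [
    {"id": "TA0005", "name": "Defense Evasion", "techniques": [
        {"id": "T1112", "name": "Modify Registry", "signatures": []},
        {"id": "T1055", "name": "Process Injection", "signatures": []}]},
    {"id": "TA0007", "name": "Discovery", "techniques": [
        {"id": "T1057", "name": "Process Discovery", "signatures": []}]},
    {"id": "TA0040", "name": "Impact", "techniques": [
        {"id": "T1485", "name": "Data Destruction", "signatures": []}]},
]}}})

# Constructed stand-in for file B: same as A plus one evasion technique.
SAMPLE_B = json.dumps({"data": {"SandboxX": {"tactics": [
    {"id": "TA0005", "name": "Defense Evasion", "techniques": [
        {"id": "T1112", "name": "Modify Registry", "signatures": []},
        {"id": "T1055", "name": "Process Injection", "signatures": []},
        {"id": "T1497", "name": "Virtualization/Sandbox Evasion",
         "signatures": [{"description": "Checks for VM-related registry keys",
                         "severity": "INFO"}]}]},
    {"id": "TA0007", "name": "Discovery", "techniques": [
        {"id": "T1057", "name": "Process Discovery", "signatures": []}]},
    {"id": "TA0040", "name": "Impact", "techniques": [
        {"id": "T1485", "name": "Data Destruction", "signatures": []}]},
]}}})


def techniques(report_json: str) -> Dict[str, str]:
    """Flatten a report into {technique id: name} across every sandbox."""
    found: Dict[str, str] = {}
    for sandbox in json.loads(report_json)["data"].values():
        for tactic in sandbox.get("tactics", []):
            for tech in tactic.get("techniques", []):
                found[tech["id"]] = tech["name"]
    return found


def compare(a_json: str, b_json: str) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (shared, only in A, only in B) technique id sets."""
    a, b = set(techniques(a_json)), set(techniques(b_json))
    return a & b, a - b, b - a


def needs_review(report_json: str) -> Set[str]:
    """Technique ids that fall outside the ROUTINE allowlist."""
    return set(techniques(report_json)) - ROUTINE


def signatures_for(report_json: str, technique_id: str) -> List[str]:
    """Descriptions of the sandbox signatures that raised one technique,
    i.e. the concrete observations behind an ATT&CK label."""
    descriptions: List[str] = []
    for sandbox in json.loads(report_json)["data"].values():
        for tactic in sandbox.get("tactics", []):
            for tech in tactic.get("techniques", []):
                if tech["id"] == technique_id:
                    descriptions.extend(s["description"] for s in tech.get("signatures", []))
    return descriptions


if __name__ == "__main__":
    shared, only_a, only_b = compare(SAMPLE_A, SAMPLE_B)
    print("shared:", sorted(shared), "only A:", sorted(only_a), "only B:", sorted(only_b))
    for tid in sorted(only_b):
        print(tid, "->", signatures_for(SAMPLE_B, tid))
    print("review A:", sorted(needs_review(SAMPLE_A)))
    print("review B:", sorted(needs_review(SAMPLE_B)))
```

To run this against real files, fetch each report with `GET https://www.virustotal.com/api/v3/files/<sha256>/behaviour_mitre_trees` using an `x-apikey` header (to my knowledge that is the endpoint behind the Behavior tab) and pass the response body to the functions above. The `signatures_for` output is the part worth reading before deciding whether an evasion entry is a false positive: the label itself says nothing about whether the sandbox saw a VM-vendor registry lookup, a driver enumeration, or a timing check.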
