Rather evil if you’re not experienced. Run in a controlled environment (And submitted to Avast! as it wasn’t caught until it started attempting to download various files.)
What it has attempted:
- Connecting to external Sources of Malware.
- Renamed and hid all my browsers installed.
- Overwrote Icons for recently played games, hid the actual ones.
- Dropped a few files here and there.
- Messed with Avast! a little.
2016-10-29 08:21 - 2016-10-29 08:22 - 04614728 _____ (advancedpccare.net ) C:\Users\Michael\Downloads\apcsetupwclk.exe
2016-10-29 08:20 - 2016-10-29 08:20 - 00002133 ___RS C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Аvast SаfеZоne Brоwser.lnk
2016-10-29 08:20 - 2016-10-29 08:20 - 00002103 ___RS C:\Users\Public\Desktop\Аvаst SafеZonе Вrowser.lnk
2016-10-29 08:20 - 2016-10-29 08:20 - 00002092 ___RS C:\Users\Michael\Desktop\САM.lnk
2016-10-29 08:20 - 2016-10-29 08:20 - 00001307 ___RS C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gоoglе Сhrоmе.lnk
2016-10-29 08:20 - 2016-10-29 08:20 - 00001272 ___RS C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Моzillа Firеfоx.lnk
2016-10-29 08:20 - 2016-10-29 08:20 - 00001242 ___RS C:\Users\Public\Desktop\Моzillа Firefox.lnk
2016-10-29 08:20 - 2016-10-29 08:20 - 00001206 ___RS C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Stаrt Tоr Вrоwsеr.lnk
2016-10-29 08:20 - 2016-10-29 08:20 - 00001044 _____ C:\Users\Michael\Desktop\Play WarThunder.lnk
2016-10-29 08:20 - 2016-10-29 08:20 - 00000000 ____D C:\Users\Michael\AppData\Roaming\SPI
2016-10-29 08:20 - 2016-10-29 08:20 - 00000000 ____D C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\InterStat
2016-10-29 08:20 - 2016-10-29 08:20 - 00000000 ____D C:\Users\Michael\AppData\Roaming\InterStat
2016-10-29 08:20 - 2016-10-29 08:20 - 00000000 ____D C:\Users\Michael\AppData\Roaming\Browsers
2016-10-29 08:20 - 2016-10-29 08:20 - 00000000 ____D C:\Users\Michael\AppData\Local\CrashRpt <== This was created by Firefox when the malware force-ended it.
S1 zqziqxqw; \??\C:\WINDOWS\system32\drivers\zqziqxqw.sys [X]
Which no longer exists in that folder…
Messed with my Hosts file a little.
The other notable thing was, it messed with Avast! SafeZone Browser… (Avast, really?)
File was submitted to Avast! via email and Virustotal
And 11 have now added detection when I search on the SHA256 hash: https://virustotal.com/en/file/608a0d3c3c24814b4e109b58ab5d39adfa777a55f4d2eccad5e377e9fa7d112c/analysis/1477769685/
VT says the scanned file is being studied: “The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem”. As with a signed file with a verified signature, the status could later change, so we have to wait and see.
It could also be that this is a PUP detection only.
Has been under scrutiny before this year: https://www.reasoncoresecurity.com/bandicam.exe-5291f211e1407ab9c057b924350031937b40d9cd.aspx
So what is it gonna be? PUP or real malware, this keymaker? Or just mal-flagged because of its reputation as crack/warez?
Or do we later get this file as maybe/probably safe to use?
polonus
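The renamed shortcuts in the first post's listing (Аvast SаfеZоne Brоwser.lnk, Gоoglе Сhrоmе.lnk and so on) look identical to the real names but are spelled with Cyrillic letters in place of Latin ones. As an added example, not code from the thread or from any tool or vendor named in it, the script below parses FRST-style listing lines and flags any file name whose letters mix Unicode scripts, then shows which Latin name it imitates. The sample lines are constructed here with `\u` escapes modelled on the listing (so the homoglyphs survive copy/paste), and the look-alike table is a hand-picked subset, not the full Unicode confusables list.

```python
"""Flag mixed-script (homoglyph) file names in FRST-style listing lines."""
import re
import unicodedata

# Constructed sample modelled on the thread's listing; Cyrillic letters are
# written as \u escapes so the look-alikes are unambiguous in this file.
SAMPLE_LOG = "\n".join([
    "2016-10-29 08:21 - 2016-10-29 08:22 - 04614728 _____ (advancedpccare.net ) "
    "C:\\Users\\Michael\\Downloads\\apcsetupwclk.exe",
    "2016-10-29 08:20 - 2016-10-29 08:20 - 00002133 ___RS "
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\"
    "\u0410vast S\u0430f\u0435Z\u043ene Br\u043ewser.lnk",
    "2016-10-29 08:20 - 2016-10-29 08:20 - 00001307 ___RS "
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\"
    "G\u043eogl\u0435 \u0421hr\u043em\u0435.lnk",
    "2016-10-29 08:20 - 2016-10-29 08:20 - 00001044 _____ "
    "C:\\Users\\Michael\\Desktop\\Play WarThunder.lnk",
    "2016-10-29 08:20 - 2016-10-29 08:20 - 00000000 ____D "
    "C:\\Users\\Michael\\AppData\\Roaming\\Browsers",
])

# created - modified - size attrs [(vendor)] path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[A-Z_]{5}) "
    r"(?:\((?P<vendor>[^)]*)\)\s+)?"
    r"(?P<path>.+?)\s*$"
)

# Partial table (assumption: hand-picked, not the full Unicode confusables data)
# of Cyrillic letters that render like Latin ones.
CYRILLIC_LOOKALIKES = {
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s",
}


def script_of(ch):
    """Script family of a letter ('LATIN', 'CYRILLIC', ...); None for non-letters."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def scripts_in(text):
    """Set of script families used by the letters of text."""
    return {s for s in map(script_of, text) if s}


def latin_skeleton(text):
    """Replace known Cyrillic look-alikes with the Latin letter they imitate."""
    return "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in text)


def parse_frst_line(line):
    """Parse one listing line into a dict, or None if it is not a file record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["vendor"] = (rec["vendor"] or "").strip()
    rec["name"] = rec["path"].rsplit("\\", 1)[-1]
    rec["attributes"] = sorted(set(rec["attrs"]) - {"_"})   # e.g. ['R', 'S']
    rec["scripts"] = scripts_in(rec["name"])
    rec["mixed_script"] = len(rec["scripts"]) > 1
    rec["lookalike_of"] = latin_skeleton(rec["name"]) if rec["mixed_script"] else None
    return rec


def analyze_frst_listing(text):
    """Parse every record line in a listing."""
    return [r for r in (parse_frst_line(ln) for ln in text.splitlines()) if r]


def suspicious(records):
    """Records whose file name mixes scripts (the homoglyph pattern seen above)."""
    return [r for r in records if r["mixed_script"]]


if __name__ == "__main__":
    for r in suspicious(analyze_frst_listing(SAMPLE_LOG)):
        print(f"{r['created']}  attrs={''.join(r['attributes'])}  {r['path']}")
        print(f"    scripts={sorted(r['scripts'])}  looks like: {r['lookalike_of']}")
```

Run it against a saved FRST listing by passing the file's text to `analyze_frst_listing`. Any record that comes back from `suspicious` deserves a look even when its size and attributes seem normal; the read-only plus system attributes on the flagged shortcuts above are a second hint that they were not created by the legitimate installers.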
Hi Polonus,
It’s most certainly not safe to use, nor is any keymaker!
Hello Alan,
We greatly appreciate your help! The file does modify the network configuration settings in the registry. Although the ‘hosts’ file may not appear to be modified, the registry/network configuration is modified. Here is an analysis of the file… In the future, when posting samples to the forum, please ‘password protect’ them to reduce the risk of execution.
https://sandbox.deepviz.com/report/hash/110a522a002aa1dec3b1d12be1f2f336/
Perry
The fact that it attempted to hide browsers, games etc., and use its own files, suggests it’s malicious and not a keygen.
It also does the following:
- Tries to detect whether it is being emulated
- Avoids the use of the DNS to connect to some URLs
My understanding of checking to see if it's being emulated, basically means it's checking to see if it's a VM or not. (Do correct me if I'm wrong.)
No program should ever need to check that, unless it has a malicious payload. Avoiding DNS is a big no-no as well.
Hi Michael,
Whatever the final outcome of the state of maliciousness, wise decision of yours not to have it on your system.
You certainly took the time to establish the true status of that executable and it fell through for you and likely for others as well.
Hope those who ponder downloading it can draw conclusions from what this thread’s results present.
Thanks for looking into it for all of us here, and for the evaluation of this more than likely unwanted program.
polonus
Polonus,
F-Secure agrees with you. Based on the description though, I wonder why, given what it does.
Greetings,
Thank you for your submission.
Our analysis indicates that the file you submitted is Adware/Riskware.
Adware is a program that delivers advertising content to the user. It is usually annoying but harmless.
For more information about this detection please visit the URL below:
https://www.f-secure.com/sw-desc/adware.shtml
We will be adding the detection in an upcoming database update to identify the file.
Our latest database updates are available here:
https://www.f-secure.com/en/web/labs_global/removal-tools/-/carousel/view/140
If there is anything else we can help you with, please do not hesitate to contact us again.
Best regards,
Ahmed Nabil
F-Secure Security Labs
Visit our Labs blog at https://labsblog.f-secure.com/
Give and get advice in our F-Secure Community at https://community.f-secure.com
Contact Support at https://www.f-secure.com/support
Given I established it as modifying files related to AVs, and modifying network settings, I definitely would not classify that as a harmless adware file. But whatever gets it detected, I suppose.