Some suspicious/malicious Indicators:
- Compiler/Packer Signature: Compiler: Borland Delphi (2), Packer: Inno Setup Module 5.50 [SFX] - ver. (5.5.0) Borl.Delphi
- File has multiple binary anomalies (File ignores Code Integrity, File ignores DEP, ASLR is disabled, Contains zero-size sections, CRC value set in PE header does not match actual value)
- Contains ability to open the clipboard
- Found more than one unique User-Agent (InnoTools_Downloader)
- Checks if process is being debugged
- Queries kernel debugger information
- Queries process information
- Queries sensitive IE security settings
- Queries the internet cache settings
- Reads the active computer name
- Reads the cryptographic machine GUID
- Reads terminal service related keys
- Reads the registry for installed applications
- Checks for an ADS file
- Checks for the presence of an Antivirus engine (Executes one or more WMI queries: wmi SELECT * FROM AntiVirusProduct)
- Creates guarded memory sections
- Runs a Keylogger
- Tries to sleep for a long time
- Modifies auto-execute functionality
- Modifies proxy settings
- Queries sensitive IE security settings
- Opens the Kernel Security Device Driver
- Creates and modifies Windows services
- Writes data to a remote process (“C:\Windows\System32\rundll32.exe” & “C:\Windows\System32\regsvr32.exe”)
- Raised Suricata alerts:
  ETPRO POLICY InnoTools Downloader User-Agent (InnoTools Downloader)
  ETPRO ADWARE_PUP Observed Suspicious UA (InnoTools_Downloader)
  ETPRO HUNTING Suspicious User-Agent containing Loader Observed
Certificate Details:
Algorithm: sha1WithRSAEncryption
Version: 3
Issuer: /C=US/O=Thawte, Inc./CN=Thawte Code Signing CA - G2
Serial: 134716351233678962206661072085851957985
Serial (Hex): 65596cec842f63b39f082afbd5d9eae1
Valid from: May 30 00:00:00 2012 GMT
Valid until: May 30 23:59:59 2013 GMT
C (countryName): DE [4445]
CN (commonName): Chinery & Heindoerfer GbR
L (localityName): Hamburg
O (organizationName): Chinery & Heindoerfer GbR
ST (stateOrProvinceName): Hamburg
Regarding this file and based on its actual function and what it actually does, I rate this file as Riskware/PUP. The classification of various antivirus companies as “Trojan.Dropper.Dapato” is a false positive.
This is a well-known application highly used by people. The installer contains a plugin which prompts the user during installation with offers to install other known applications. It is not harmful to users, but for some it can be nagging. However, there are two use-cases here: users who want to be able to install this without issues, without being sandboxed by CIS (therefore the clean verdict needs to be held), and users who are very strict about what they install on their systems, for whom the offer has to be blocked. So, for this case the following measure has been put in place: maintain the vendor in the trusted vendor list and the safe verdict for the installer (in order not to break functionality, it being a highly used application), but add detection for the plugin which is responsible for displaying the third-party offer, so upon installation CIS will block it.
Some suspicious/malicious Indicators:
- Compiler/Packer Signature: Compiler: Microsoft Visual C/C++ (6.0), Packer: NSIS - Borl.Delphi
- File has multiple binary anomalies (File ignores Code Integrity, File ignores DEP, Has unusual entropy sections > “.rsrc” with unusual entropies “7.36056401773”, Contains a virtualized section, Checksum mismatches the PE header value, Contains zero-size sections, Contains another file > type: CAB, location: overlay, offset: “0x00008A00” & type: Nullsoft, location: overlay, offset: “0x00008C08”, Foreign language identified in PE resource > Chinese, The file-ratio of the overlay is suspicious > “94.60%”)
- Contains ability to open the clipboard
- Contains ability to download files from the internet
- Contains ability to read monitor info
- Contains ability to lookup privileges
- Contains ability to enumerate processes/modules/threads
- Contains references to WMI/WMIC
- Found multiple Anti-VM Strings (Indicator: “win32_computersystem”, “win32_videocontroller”, “win32_process”, “hyper-v”)
- Tries to delay the analysis
- Installs system startup script or application (Adds ““C:\Program Files (x86)\Kuai8\K8GM.exe” -background” to Windows startup via registry)
- Allocates read-write-execute memory
- Sends control codes to connected devices
- Resolves APIs dynamically to possibly evade static detection
- Modifies memory of “c:\windows\explorer.exe”
- Drops multiple executable files
- Uses a User Agent typical for browsers, although no browser was ever launched (Found user agent > NSISDL/1.2 (Mozilla))
- Downloads executable from a malicious URL (GET /setup/kuai8_rjaz.exe HTTP/1.0 Host: d1.kuai8.com User-Agent: NSISDL/1.2) > VirusTotal
- Suricata ETPRO MALWARE > Win32/Obfuscator.XY requesting “soft.xml” from a well known malicious URL > VirusTotal
- Sending data to a malicious URL (POSTs data to “stat.kuai8box.com”)
- Network usage summary: 14 URLs contacted > 6 servers > 12 sessions > sending “109.77 KB” and receiving “12.26 MB”