Unwanted programs Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Thu, 05 Sep 2024 19:18:26 +0000

What is PUA:Win32/GameHack?
https://gridinsoft.com/blogs/pua-win32-gamehack/
Thu, 05 Sep 2024 09:23:48 +0000

PUA:Win32/GameHack is potentially unwanted software associated with tools used for hacking games or gaining unfair advantages over other players. This category typically includes cheats, trainers, and other software that injects itself into other processes.

PUA:Win32/GameHack Overview

PUA:Win32/GameHack is a generic Microsoft Defender detection for potentially unwanted applications (PUAs) associated with cheats or game hacking tools. While these programs are not always truly malicious, they can pose security risks or violate the terms of service of legitimate software. The use of such software can also lead to game or system instability, as many of these programs are poorly tested. The main danger, however, is that they can carry other malware or serve as a vector for its distribution.

Screenshot: PUA:Win32/GameHack detection

The main reason for this is that using these tools requires disabling the system’s security software, which gives the green light to any threat contained in the GameHack package. The file may contain encrypted or compressed data, which allows it to evade detection or conceal its true functionality. Some versions modify or create registry keys, which may also serve as a cover for malicious activity.

Technical Analysis

Let’s examine how PUA:Win32/GameHack behaves on the target system. For the test sample, I have chosen Solara.dir, a cheat for one popular cubic game. When the executable file is launched, the cheat starts several instances of the system process rundll32.exe to load its libraries:

"C:\Windows\system32\rundll32.exe"
"C:\Windows\system32\rundll32.exe" "C:\Users\\AppData\Local\Temp\Solara/Microsoft.Web.WebView2.Core.dll",#1
"C:\Windows\system32\rundll32.exe" "C:\Users\\AppData\Local\Temp\Solara/Microsoft.Web.WebView2.WinForms.dll",#1

The first thing the app does is check the system for a virtual environment or sandbox. It checks some values in the system, including:

\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Main Functionality

Next, the chosen cheat performs its primary function. It uses an archiver to unpack the cheat’s files:

"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Solara.Dir.zip"
C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\t1244hhg.u4j" "C:\Users\user\Desktop\Solara.Dir.zip"

Most files are unpacked into a randomly named folder inside the temporary directory. The random name is a rather concerning sign: legitimate programs rarely use such strange names:

C:\Users\user\AppData\Local\Temp\t1244hhg.u4j\Solara
C:\Users\user\AppData\Local\Temp\t1244hhg.u4j\Solara\Microsoft.Web.WebView2.Core.dll
C:\Users\user\AppData\Local\Temp\t1244hhg.u4j\Solara\Monaco\combined.html
C:\Users\user\AppData\Local\Temp\t1244hhg.u4j\Solara\Monaco\fileaccess

Next, the GameHack program executes scripts through the Command Prompt. It primarily targets the files it has just dropped, but the functionality of such commands closely resembles what dropper malware does.

"C:\Windows\system32\cmd.exe" /c "cd ^"C:\Users\\AppData\Local\Temp^" && C:\Windows\system32\wscript.exe ^"C:\Users\\AppData\Local\Temp\Solara/Monaco/fileaccess/index.js^"
"C:\Windows\system32\cmd.exe" /c "cd ^"C:\Users\\AppData\Local\Temp^" && C:\Windows\system32\wscript.exe ^"C:\Users\\AppData\Local\Temp\Solara/Monaco/fileaccess/node_modules/accepts/index.js^"
"C:\Windows\system32\cmd.exe" /c "cd ^"C:\Users\\AppData\Local\Temp^" && C:\Windows\system32\wscript.exe ^"C:\Users\\AppData\Local\Temp\Solara/Monaco/fileaccess/node_modules/array-flatten/array-flatten.js^"

These manipulations with the Command Prompt are accompanied by calls to several other system components. Once again, I cannot see a sign of malicious activity in this case, but it is as edgy as it can get.

C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

After these commands, the cheat can inject its code into the game process, adding features that give the player an unfair advantage over others, such as the ability to fly or to unlock the whole inventory. Once again, I’d emphasize that such actions go against the rules of the vast majority of games.
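The command lines shown in this analysis follow three patterns a defender can triage automatically: rundll32.exe loading a DLL by ordinal from a user-writable folder, cmd.exe chaining into wscript.exe on a script under %Temp%, and a password-protected 7-Zip extraction into a Temp folder. The script below is an added example, not the blog's or the cheat's code; its sample records are constructed and only modelled on the ones above (a "user" account name, two benign lines added for contrast).

```python
"""Triage of process command lines for the patterns seen in the GameHack
analysis. Sample records are constructed for this example."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Directories a standard user can write to and that installers rarely run from.
USER_WRITABLE = re.compile(
    r"(?i)^[a-z]:\\(?:users\\[^\\]*\\appdata\\local\\temp|programdata)\\")

# rundll32 "<dll>",#<ordinal>   (quotes optional, export given by ordinal)
RUNDLL_ORDINAL = re.compile(r'(?i)rundll32\.exe"?\s+"?([^",]+)"?,#\d+')
# wscript.exe ^"<script>^"  inside a cmd /c string (caret-escaped quotes)
WSCRIPT_SCRIPT = re.compile(r'(?i)wscript\.exe\s+\^?"?([^"^]+\.(?:js|vbs|wsf))')


@dataclass(frozen=True)
class Finding:
    rule: str
    cmdline: str


def _image(cmdline: str) -> str:
    """Base name of the launched executable (first, possibly quoted, token)."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', cmdline)
    first = (m.group(1) or m.group(2)) if m else ""
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path.replace("/", "\\")))


def _args(cmdline: str) -> list[str]:
    """Windows-style split: quoted chunks keep their spaces, quotes are dropped."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', cmdline)]


def triage(cmdline: str) -> list[Finding]:
    """Return the rules matched by one process command line."""
    found = []
    image = _image(cmdline)
    if image == "rundll32.exe":
        m = RUNDLL_ORDINAL.search(cmdline)
        if m and _user_writable(m.group(1)):
            found.append(Finding("rundll32_ordinal_from_user_dir", cmdline))
    elif image == "cmd.exe":
        m = WSCRIPT_SCRIPT.search(cmdline)
        if m and _user_writable(m.group(1)):
            found.append(Finding("cmd_wscript_script_from_user_dir", cmdline))
    elif image == "7za.exe":
        args = _args(cmdline)
        has_password = any(a.startswith("-p") for a in args)
        outdir = next((a[2:].strip('"') for a in args if a.startswith("-o")), "")
        if "x" in args and has_password and _user_writable(outdir):
            found.append(Finding("7za_password_extract_to_user_dir", cmdline))
    return found


def triage_all(cmdlines) -> dict[str, int]:
    """Count matched rules over a batch of command lines."""
    counts: dict[str, int] = {}
    for line in cmdlines:
        for f in triage(line):
            counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample, modelled on the GameHack analysis, plus two benign lines.
SAMPLE = [
    r'"C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Solara/Microsoft.Web.WebView2.Core.dll",#1',
    r'"C:\Windows\system32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
    r'C:\Windows\SysWOW64\7za.exe x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\t1244hhg.u4j" "C:\Users\user\Desktop\Solara.Dir.zip"',
    r'"C:\Windows\system32\cmd.exe" /c "cd ^"C:\Users\user\AppData\Local\Temp^" && C:\Windows\system32\wscript.exe ^"C:\Users\user\AppData\Local\Temp\Solara/Monaco/fileaccess/index.js^"',
    r'"C:\Windows\system32\cmd.exe" /c dir C:\Users\user\Desktop',
]

if __name__ == "__main__":
    for line in SAMPLE:
        for f in triage(line):
            print(f.rule, "<-", f.cmdline[:70])
```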

Is PUA:Win32/GameHack False Positive?

Sometimes GameHack can be a false positive detection. In most cases, this is because of how anti-cheat solutions operate. Anti-cheat systems often work at a low level of the system, injecting their code into the game process, checking the integrity of files, and analyzing network traffic. In other words, anti-cheat systems can use methods similar to those of cheats, which can trigger anti-malware detections.

False positive detections typically disappear quickly, unlike real hacks, as the developers promptly contact anti-malware vendors to resolve these issues. In addition, they can inform users about it on official platforms and advise them to add the game folder to the exclusions, which can be a practical solution.

How To Remove PUA:Win32/GameHack?

If you encounter a GameHack detection and suspect it is not a false positive, here is what you can do. GridinSoft Anti-Malware can help you get rid of this and other threats; just follow the instructions below:

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this checks all the volumes present in the system, including hidden folders and system files. Scanning takes around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the program takes for each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt it, and you will get your system as clean as new.

Removal finished

PUABundler:Win32/DriverPack
https://gridinsoft.com/blogs/puabundler-win32-driverpack/
Tue, 27 Aug 2024 09:07:28 +0000

PUABundler:Win32/DriverPack is potentially unwanted software that claims to install or update drivers. In fact, it floods the system with unwanted software and changes browser settings without the user’s consent. In this post, I will explain the dangers behind this unwanted app and show the ways to remove it from the system.

PUABundler:Win32/DriverPack Overview

PUABundler:Win32/DriverPack is a detection from Microsoft Defender, associated with the eponymous DriverPack Solution program. Initially, it was a program developed by a Russian author for automatic driver installation on Windows XP. However, since Windows began shipping all the necessary drivers with the installation, driver updaters have become useless. Moreover, a program that handles drivers has significant security implications and should therefore undergo diligent checks.

And that is where DriverPack shows its dark nature. Over time, it started installing additional software during its own installation, so-called software bundling. Today, DriverPack is synonymous with a bunch of unwanted and sometimes malicious software that can easily brick a freshly installed Windows. This is evidenced by the many users on the Internet who decided to take the easy way out and used DriverPack to install drivers. At best, they end up with a bunch of garbage in the system. At worst, certain devices or system components malfunction or fail.

Why is PUABundler:Win32/DriverPack Dangerous?

To understand why using DriverPack is dangerous, it’s important to understand how it operates. The first version of DriverPack was a standalone installer that installed drivers on devices that lacked them. These days, however, the program tries to update the drivers already present in the system, an edgy approach, if you ask me. The problem is that it sources newer drivers from questionable places. This may result in the aforementioned failures across the system, but, what is worse, it is a direct malware risk.

PUABundler:Win32/DriverPack detection

Another issue is the unwanted software bundled with PUABundler:Win32/DriverPack. Regardless of the user’s choice, DriverPack installs its services, injects advertisements all across the system, and modifies the homepage in all browsers. Instead of the standard search engine and homepage, DriverPack sets Internet-start.net (see the scan report) as the default homepage and search engine. Although the official website claims to cooperate with antivirus vendors, users tend to see a different picture.

User Experience

I decided to simulate a clean OS setup and driver installation using DriverPack (sample analysis report) in fully automatic mode. This allowed me to get a complete opinion on what PUABundler DriverPack is. There are several red flags that appear even before the installation, but more are to come.

The first warning sign is the claim on the main page about false positives from certain antiviruses. Although this may happen, false positives are normally a temporary occurrence. A legitimate program should not be detected as unwanted or malicious on a continuous basis; if it is, the detection is not an occasional mistake but a real one. The claim on the website suggests that the latter is the case. And indeed, during the launch and operation of the installer itself, Microsoft Defender flagged a PUA in the system.

Screenshot: the warnings on the DriverPack website clearly indicate that it is a questionable app

And, sure enough, the described changes to the web browser popped up. PUABundler:Win32/DriverPack modified the homepage and the default search engine. The latter, in turn, shows questionable search results, which is a rather straightforward phishing risk: by manipulating the results, fraudsters behind the search engine can push malicious results to the top. The unwanted program does all this to generate revenue through ads and user redirects, not for the convenience of users. And these ads are the reason why some of the DriverPack samples are tagged as adware.

Screenshot: main page of a web browser after being modified by the DriverPack PUA

Technical Analysis

Let’s now examine the technical aspects of this unwanted software. I analyzed a copy downloaded from the official website. Notably, it has 53 out of 75 detections on VirusTotal, and the reason is obvious. During installation, PUABundler:Win32/DriverPack leverages the mshta.exe process, typically used to execute HTML applications. It then drops an executable into a temporary folder under AppData\Local\Temp and executes the following commands:

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\\AppData\Local\Temp\wgulwvl5\wgulwvl5.cmdline"
"C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\DriverPack\run.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} --sfx "software.exe"

During installation, DriverPack checks the system’s software and hardware components by going through certain registry keys. This is a standard procedure for such programs, designed to locate drivers, so it is hardly a bad sign. Even if we suppose malicious intent, the worst this data could be used for is to distinguish this system from others.

HKEY_LOCAL_MACHINE\Software
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion

Suspicious network activity

The first thing DriverPack modifies during execution is the firewall settings, mostly to let its own executable files communicate with remote servers. Still, given that the developer does not specify where the drivers come from, granting such broad access is not a great thing.

"C:\Windows\System32\cmd.exe" /c "netsh advfirewall firewall delete rule name="DriverPack aria2c.exe" || echo Done & call echo Done %^errorLevel% > "C:\Users\\AppData\Roaming\DRPSu\temp\run_command_26701.txt""
netsh advfirewall firewall delete rule name="DriverPack aria2c.exe"
rundll32 kernel32,Sleep
"C:\Windows\System32\cmd.exe" /c "netsh advfirewall firewall add rule name="DriverPack aria2c.exe" dir=in action=allow program="C:\Program Files (x86)\DriverPack\tools\aria2c.exe" || echo Done & call echo Done %^errorLevel% > "C:\Users\\AppData\Roaming\DRPSu\temp\run_command_45238.txt""
netsh advfirewall firewall add rule name="DriverPack aria2c.exe" dir=in action=allow program="C:\Program Files (x86)\DriverPack\tools\aria2c.exe"
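The delete-then-add pairs above are easier to judge once replayed into the resulting firewall state. The script below is an added example (not the blog's or DriverPack's code): it extracts the netsh rule commands, including those wrapped in cmd /c "... || echo Done ...", replays them in order, and lists the inbound allow rules that point at a program outside the Windows directory. The command lines are constructed and modelled on the ones above, with a "user" account name and one extra outbound rule for contrast.

```python
"""Replay netsh advfirewall rule commands and report the resulting rules.
Command lines are constructed for this example."""
from __future__ import annotations
import re
from dataclasses import dataclass

# netsh advfirewall firewall add|delete rule <key=value ...>; the key=value part
# ends at a trailing "||" when the call is wrapped in cmd /c "... || echo Done"
NETSH_RULE = re.compile(
    r'(?i)netsh\s+advfirewall\s+firewall\s+(add|delete)\s+rule\s+(.*?)(?=\s*\|\||$)')
# key=value pairs; values may be quoted (name="DriverPack aria2c.exe")
KEY_VALUE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Rule:
    name: str
    direction: str   # "in" / "out"
    action: str      # "allow" / "block"
    program: str     # executable the rule applies to ("" = any program)


def parse_netsh(cmdline: str) -> tuple[str, dict[str, str]] | None:
    """Return ('add'|'delete', {key: value}) or None for non-netsh lines."""
    m = NETSH_RULE.search(cmdline)
    if not m:
        return None
    kv = {k.lower(): (q if q else u) for k, q, u in KEY_VALUE.findall(m.group(2))}
    return m.group(1).lower(), kv


def replay(cmdlines) -> dict[str, Rule]:
    """Apply add/delete commands in order and return the final rules by name."""
    rules: dict[str, Rule] = {}
    for line in cmdlines:
        parsed = parse_netsh(line)
        if parsed is None:
            continue
        verb, kv = parsed
        name = kv.get("name", "")
        if verb == "delete":
            rules.pop(name, None)   # deleting a missing rule is a no-op
        else:
            rules[name] = Rule(name, kv.get("dir", "").lower(),
                               kv.get("action", "").lower(), kv.get("program", ""))
    return rules


def inbound_allow_nonsystem(rules: dict[str, Rule]) -> list[Rule]:
    """Inbound allow rules for programs outside the Windows directory: review these."""
    return [r for r in rules.values()
            if r.direction == "in" and r.action == "allow"
            and not r.program.lower().startswith("c:\\windows\\")]


# Constructed sample, modelled on the DriverPack firewall commands above.
SAMPLE = [
    r'"C:\Windows\System32\cmd.exe" /c "netsh advfirewall firewall delete rule name="DriverPack aria2c.exe" || echo Done & call echo Done %^errorLevel% > "C:\Users\user\AppData\Roaming\DRPSu\temp\run_command_1.txt""',
    r'netsh advfirewall firewall delete rule name="DriverPack aria2c.exe"',
    r'rundll32 kernel32,Sleep',
    r'"C:\Windows\System32\cmd.exe" /c "netsh advfirewall firewall add rule name="DriverPack aria2c.exe" dir=in action=allow program="C:\Program Files (x86)\DriverPack\tools\aria2c.exe" || echo Done"',
    r'netsh advfirewall firewall add rule name="DriverPack aria2c.exe" dir=in action=allow program="C:\Program Files (x86)\DriverPack\tools\aria2c.exe"',
    r'netsh advfirewall firewall add rule name="Example outbound" dir=out action=allow program="C:\Program Files\Example\app.exe"',
]

if __name__ == "__main__":
    for rule in inbound_allow_nonsystem(replay(SAMPLE)):
        print(f"review: {rule.name!r} allows inbound traffic to {rule.program}")
```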

Payload

PUABundler:Win32/DriverPack uses the aria2c.exe utility to download several strangely named files. This is rather concerning, as such filenames give no clue about the file’s purpose or possible effects.

"C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\DriverPack\run.hta" --sfx "c99687e9829de410b66ad7006b0604c3fddb4582050ce205c1d00ff9f309e6b8.exe"
C:\Program Files (x86)\DriverPack\run.hta --sfx "c99687e9829de410b66ad7006b0604c3fddb4582050ce205c1d00ff9f309e6b8.exe"
C:\Program Files (x86)\DriverPack\start.bat "c99687e9829de410b66ad7006b0604c3fddb4582050ce205c1d00ff9f309e6b8.exe"

This represents just a fraction of what DriverPack downloads. During installation, it fetches the bundled applications: several browsers, a strange copy of Avast antivirus, and the “widgets” for DriverPack itself. As there is no way to opt out of installing these bundled apps, this is just another concerning element of the program.

C:\Program Files (x86)\DriverPack\Tools\driverpack-wget.exe
C:\Program Files (x86)\DriverPack\programs\AvastAntivirusA.exe
C:\Program Files (x86)\DriverPack\programs\downloader_elements.exe
C:\Program Files (x86)\DriverPack\programs\downloader_browser.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverPack\DriverPack.lnk

During execution, the shell displays a “virtual assistant” that occasionally speaks to the user. There is nothing really malicious here, but it may be spooky to someone who did not expect a program installer to have sound effects. Overall, there are more than enough problems for DriverPack to be considered a dangerous thing.

How To Remove DriverPack?

Manual removal of PUABundler:Win32/DriverPack is not really an option, so I recommend an automated removal with GridinSoft Anti-Malware. Follow the guide below to get your system cleaned of DriverPack PUA and all other malicious elements that may be present.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this checks all the volumes present in the system, including hidden folders and system files. Scanning takes around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the program takes for each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt it, and you will get your system as clean as new.

Removal finished

Movidown Unwanted Application
https://gridinsoft.com/blogs/movidown-pua/
Tue, 20 Aug 2024 14:18:21 +0000

Movidown is an Unwanted Application that initially mimics a utility for controlling fan speed. However, beneath this shell, it has the capabilities of a dropper malware, which it right away uses to deploy browser hijackers. This functionality, together with the deep access to the system, creates potential risks for much more severe malware to get into the system.

Movidown Overview

Movidown is a potentially unwanted application (PUA) that markets itself as a utility for controlling fan speeds. But when something gets 54/74 detections on VirusTotal, you know there’s more to the story. In reality, this utility has a darker side: it primarily functions as a loader for browser hijackers and adware. Movidown typically gets into the computer without the user’s explicit consent, often through deceptive methods like installers with hidden add-ons, misleading ads, or links on dubious websites.

Screenshot: Movidown detections on VirusTotal

Once installed, Movidown does more than adjust fan speeds as advertised. It collects basic system information (fingerprinting) and alters browser settings. While it isn’t a virus in the traditional sense, it can and will disrupt the browsing experience and create phishing risks. Among other things, it can lead to frequent redirects to dangerous or malicious sites, including phishing pages, which in turn may attempt to steal personal information or trick the user into downloading actual malware.

Technical Analysis

Let’s have a closer look at how Movidown behaves on a compromised system to better understand its nature. As mentioned earlier, it presents itself as a utility for controlling fan speeds, so some of its actions within the system might seem logical. For instance, the first thing it does after launching is check the system’s hardware for signs of a virtual environment. Malicious programs often perform this check, though it is also normal for hardware management utilities. Movidown checks the following system locations:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir

This isn’t an exhaustive list, but such checks can serve both legitimate and malicious purposes; the utility’s need for low-level access to hardware justifies them. Further checks are more concerning, though, as the utility also inspects Microsoft Defender settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\
C:\Program Files (x86)\Windows Defender\MpClient.dll
C:\Program Files (x86)\Windows Defender\MpOAV.dll
C:\Program Files (x86)\Windows Defender\MsMpLics.dll

Payload Delivery

Unlike a typical dropper, this unwanted app follows a slightly different scenario. Normally, a dropper connects to a command server, fetches the current configuration, and then downloads the payload. Movidown, in turn, deploys its payload immediately upon activation. It appears to have a configuration file embedded in its structure, so all the malicious actions happen without additional steps. It drops a couple of randomly named files into different folders, including C:\ProgramData, a directory that is hidden by default.

C:\ProgramData\jewkkwnf\jewkkwnf.exe
%SAMPLEPATH%\66b9e7f54cf7b_pro.exe

In this case, ExtreamFanV6.exe is the utility itself, while jewkkwnf.exe is the unwanted software, which functions as a browser hijacker with adware components. Although it’s not fully-fledged malware, technically, Movidown can deliver any type of malicious software.

Establishing Persistence

The next step involves the unwanted software establishing persistence for itself and for the payload it has downloaded. For that purpose, it adds itself to the startup processes using Task Scheduler. It also places copies of its files in several directories across the disk.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6
schtasks /create /f /RU "" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
schtasks /create /f /RU "" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk

The Run registry key adds the utility to startup, while the two scheduled tasks ensure the payload is activated every time the system starts and every hour, with the highest privileges. It’s important to note that while the utility is capable of reading keyboard input, this functionality isn’t inherently malicious: it’s necessary for the operation of “hotkeys”.
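The persistence artifacts above (a Run value, two schtasks /create commands and a Startup-folder shortcut) can be turned into an inventory that records why each entry deserves a closer look. The script below is an added example, not the blog's or Movidown's code; its inputs are constructed from the artifacts quoted above (with a "user" account name) plus one ordinary-looking task for contrast. It only records that /RU was given as an empty string and leaves the effective run-as account to be verified in Task Scheduler.

```python
"""Persistence inventory for Run keys, schtasks commands and Startup shortcuts.
Inputs are constructed for this example."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

USER_WRITABLE = re.compile(r"(?i)^[a-z]:\\(?:programdata|users)\\")
RUN_KEY = re.compile(
    r"(?i)^HK(?:EY_)?(?:CU|CURRENT_USER|LM|LOCAL_MACHINE)\\.*\\CurrentVersion\\Run\\([^\\]+)$")
STARTUP_LNK = re.compile(r"(?i)\\Start Menu\\Programs\\Startup\\([^\\]+\.lnk)$")
# a schtasks switch, optionally followed by a quoted or bare value (never another switch)
SWITCH = re.compile(r'/(\w+)(?:\s+(?:"([^"]*)"|((?!/)\S+)))?')


@dataclass
class Persistence:
    kind: str                  # "run_key" | "scheduled_task" | "startup_lnk"
    name: str
    target: str                # "" when the artifact does not reveal the binary
    reasons: list[str] = field(default_factory=list)


def parse_schtasks(cmdline: str) -> dict[str, str | None] | None:
    """Switches of a 'schtasks /create' line as {switch: value}; bare flags map to None."""
    if not re.match(r"(?i)\s*schtasks(?:\.exe)?\s+/create\b", cmdline):
        return None
    sw: dict[str, str | None] = {}
    for m in SWITCH.finditer(cmdline):
        name, quoted, bare = m.group(1).lower(), m.group(2), m.group(3)
        sw[name] = quoted if quoted is not None else bare   # quoted "" stays ""
    return sw


def classify(artifact: str) -> Persistence | None:
    """Turn one artifact line into an annotated Persistence entry."""
    sw = parse_schtasks(artifact)
    if sw is not None:
        entry = Persistence("scheduled_task", sw.get("tn") or "", sw.get("tr") or "")
        if USER_WRITABLE.match(entry.target):
            entry.reasons.append("task binary in a user-writable directory")
        if (sw.get("rl") or "").upper() == "HIGHEST":
            entry.reasons.append("runs with the highest privileges (/rl HIGHEST)")
        if (sw.get("sc") or "").upper() in {"MINUTE", "HOURLY"}:
            entry.reasons.append(f"high-frequency schedule (/sc {sw['sc'].upper()})")
        if "ru" in sw and sw["ru"] == "":
            entry.reasons.append("run-as account given as an empty string: verify in Task Scheduler")
        return entry
    m = RUN_KEY.match(artifact)
    if m:
        return Persistence("run_key", m.group(1), "", ["autostart via Run key"])
    m = STARTUP_LNK.search(artifact)
    if m:
        reasons = ["shortcut in the per-user Startup folder"]
        if USER_WRITABLE.match(artifact):
            reasons.append("lives in a user-writable directory")
        return Persistence("startup_lnk", m.group(1), "", reasons)
    return None


def inventory(lines) -> list[Persistence]:
    """Classify every line; lines that are not persistence artifacts are skipped."""
    return [e for e in (classify(line) for line in lines) if e is not None]


# Constructed sample: the Movidown artifacts plus one ordinary-looking task.
SAMPLE = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6",
    r'schtasks /create /f /RU "" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST',
    r'schtasks /create /f /RU "" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST',
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk",
    r'schtasks /create /tn "Vendor Update" /tr "C:\Program Files\Vendor\update.exe" /sc DAILY',
]

if __name__ == "__main__":
    for entry in inventory(SAMPLE):
        print(f"{entry.kind:15} {entry.name:20} {entry.target}")
        for reason in entry.reasons:
            print("   -", reason)
```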

C2 Connection

During execution, Movidown communicates with several command servers and tries to obtain what appear to be certificates. While this can serve a legitimate purpose, it may also be a way to provide the deployed malware with a certificate, so that it stays under the radar of security software.

TCP 204.79.197.203:443
TCP 77.105.164.24:50505
TCP 23.59.198.43:443
GET http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt 200
GET http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c 200

It’s also worth noting that this unwanted app contacts a server at 77.105.164.24, which is based in Russia. Neither the software itself nor any information about it on the Web mentions this server, so it is worth keeping in mind.

How to Remove Movidown

Removing the Movidown utility itself is straightforward: you can uninstall it using the standard Windows “Installed apps” menu. However, the unwanted software it installs alongside itself can be more challenging to remove. I recommend using GridinSoft Anti-Malware, as this solution will allow you to remove Movidown in just a few clicks. It will also provide long-term protection against any kind of malicious software, as well as against network threats. To remove this unwanted software, follow the instructions below:

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this checks all the volumes present in the system, including hidden folders and system files. Scanning takes around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the program takes for each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt it, and you will get your system as clean as new.

Removal finished

PUA:Win32/SBYinYing
https://gridinsoft.com/blogs/pua-win32-sbyinying/
Fri, 09 Aug 2024 12:31:28 +0000

PUA:Win32/SBYinYing is a potentially unwanted application (PUA) that is often bundled with certain cracked games. It may display ads to users or redirect them to potentially harmful websites, which puts it in the same line with adware and browser hijackers. Most often, users get infected with this malware after downloading cracked software.

PUA:Win32/SBYinYing Overview

PUA:Win32/SBYinYing is identified by Microsoft Defender as a potentially unwanted program. This detection is most commonly associated with a file named “EMP.dll”, which is typically found in pirated games. Torrents, especially those offering cracked games, are the main distributors of this malware. This is an ideal distribution method for malicious software because running cracked games often requires disabling antivirus software or adding the game to an exclusion list.

Screenshot: PUA:Win32/SBYinYing detection window

Once this PUA infiltrates a system, it starts doing its nasty job, particularly showing excessive ads and gathering basic information about the user. It is not as severe as regular spyware, but it still creates a less than favorable situation for anyone who cares about privacy. The aforementioned advertising behavior adds to that risk: promotions that Win32/SBYinYing shows may contain phishing redirects, download links for unwanted programs, or sometimes even straight-up malware.

Technical Analysis

The previous information about PUA:Win32/SBYinYing provided a general overview, but to fully understand the nature of this threat, a more in-depth analysis is required. Let’s examine how this unwanted app behaves within a system using the “EMP.dll” file from a repackaged game as an example. While some behaviors of this software may be related to bypassing license checks, other actions raise significant concerns.

Note: we at GridinSoft strongly advise against using any illegally activated software, as it violates copyright laws in the majority of countries. Aside from that, such software is a significant malware risk. This test with the actual library from the cracked program was done purely for research purposes, with all the needed precautions.

Execution

Since “EMP.dll” is not an executable .exe file, it requires another process to run it. In this case, a part of the installer calls rundll32.exe, a default process for launching dynamic-link libraries. The execution command looks like this:

C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\EMP.dll

The DLL file contains a section that may hold compressed or packed code. Similar to regular malware, PUA:Win32/SBYinYing performs standard checks to detect whether it is running in a virtual environment or a sandbox. It does this by examining certain system parameters, specifically:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Display

SBYinYing queries various system settings, including information about hardware (disks, volumes) and software (policy settings, cryptographic machine GUIDs, etc.). It ceases further execution should any of these contain traces of virtualization or sandboxing.

Defense Evasion

The next step involves identifying and evading security solutions. The techniques used here are more typical of malware than of unwanted programs. File obfuscation, data encryption, attempts to disable or modify security software, injection into legitimate processes: Win32/SBYinYing does all of this. Among other things, the malware checks the following locations:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SaslProfiles

These locations contain information about installed antivirus/anti-malware software. Typically, malicious programs change their behavior depending on which AV vendor is present.

Privilege Escalation and Persistence

After the basic checks, the unwanted program moves on to escalating its privileges. It leverages legitimate processes like WerFault.exe and rundll32.exe, making this step relatively straightforward. As mentioned earlier, the malware uses rundll32.exe to execute the DLL library, allowing it to run the malicious code embedded within the DLL. Additionally, the malware terminates the wmiadap.exe process with the parameters /F /T /R, which appears to be an effort to evade detection or stop system monitoring. Here’s what the commands look like:

C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1052 -s 460
C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5188 -s 432
C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2296 -s 484

WerFault.exe is a legitimate system process used for error reporting in Windows and Windows applications. In addition to leveraging this process, the malware creates scheduled tasks, enabling it to persist by running each time the system starts.

Network Activity

The malware exhibits notable network activity, making several DNS requests to connect to the internet. Some of the observed connections include:

TCP 40.88.32.150:443
TCP 65.9.73.63:443 (firefox.settings.services.mozilla.com)
TCP 54.187.157.95:443 (pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com)
10.216.185.205.in-addr.arpa
125.21.88.13.in-addr.arpa
130.155.190.20.in-addr.arpa

There are also numerous internal addresses that may be used to make the analysis harder. These connections suggest that the malware could be communicating with command servers, potentially exfiltrating data or receiving further instructions.

Does PUA:Win32/SBYinYing Steal Data?

While it’s theoretically possible for PUA:Win32/SBYinYing to steal data, in practice this is unlikely. This unwanted app mostly works as adware, and the information it collects mostly serves to fingerprint the system. Still, adware can redirect users to potentially dangerous websites, which in turn could be a source of more harmful malware. That is when user data is put at risk.

This might explain why some users report that their Facebook and Steam accounts were compromised after PUA:Win32/SBYinYing was found on their systems. Another plausible explanation is the general risk associated with using pirated software. Using cracked games or software increases the likelihood that a user will eventually have their personal data stolen or files lost.

How to Remove PUA:Win32/SBYinYing?

To remove PUA:Win32/SBYinYing, it’s advisable to use advanced anti-malware software. Some users encounter difficulties when trying to eliminate this threat with Microsoft Defender. For this reason, I recommend using GridinSoft Anti-Malware as a tool to remove PUA:Win32/SBYinYing. You can follow the step-by-step guide below:

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the anti-malware program takes on each element: click "Advanced mode" and use the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Additionally, I strongly recommend refraining from downloading pirated games and software, as this is the most common method of distributing malware. Not only is it dangerous, but it’s also illegal.

The post PUA:Win32/SBYinYing appeared first on Gridinsoft Blog.

PUABundler:Win32/YandexBundled
https://gridinsoft.com/blogs/puabundler-win32-yandexbundled/
Wed, 31 Jul 2024 20:03:11 +0000

PUABundler:Win32/YandexBundled is a detection name for a potentially unwanted application (PUA) associated with the Russian company Yandex. It is typically distributed bundled with repackaged or free programs. While less dangerous than malware, it can still threaten both the privacy and the normal operation of one’s computer.

What is PUABundler:Win32/YandexBundled?

PUABundler:Win32/YandexBundled is a generic detection name used by Windows Defender for potentially unwanted software from the Russian company Yandex. While Yandex and its products are legitimate (putting aside the fact that the company is Russian, which we’ll discuss later), their software distribution methods have led most anti-malware vendors to flag them as potentially unwanted.

Screenshot: PUABundler:Win32/YandexBundled detection

Once launched, YandexBundled installs its software and changes system settings and the current browser without the user’s explicit permission. It modifies the browser’s homepage and default search engine. Early versions of Yandex software integrated so deeply into the system that they were almost impossible to remove manually. It is easier now, but the overall brazen behavior of the program, along with its unwanted distribution sources, is what forces security vendors to flag it.

Spreading Methods

There is an official Yandex product page, though it’s rare for users to intentionally download Yandex software. There are several primary methods of spreading PUABundler:Win32/YandexBundled:

Software Bundles. In this case, the program is usually included in the installation package of other software that the user intends to install. This is especially common with cracked repacks of paid software by Russian repackers.

“Recommended Software” in Free Programs. This is one of the few ways to monetize free software and a legal way to distribute potentially unwanted software. The only problem is that sometimes unscrupulous developers hide the checkboxes for installing additional software. As a result, the user cannot opt out of the installation.

Runtime Analysis

As mentioned earlier, one of the big issues with YandexBundled is the way it gets onto the system. To demonstrate this, I found a sample that distributes Yandex software. This is a typical example of a bundled installer for various questionable programs. The file itself is called TapSetup.exe; I’ve encountered the same file name in the software selection of the same website, mostly attached to cracked applications.

Screenshot: the software bundler contains Yandex elements

As we can see in the screenshot above, the icing on the cake is the footer of the installation window, where all checkboxes are enabled by default. This means that by clicking “Next,” Yandex software will be installed. Considering that people tend to click through the installation menus, all this junk may get in.

Screenshot: Yandex Browser

Unwanted Activity & Data Collection

After installation, users are greeted with a browser that promotes Russian services and sites. Moreover, regardless of the browser you use, the unwanted software changes settings and adds its extension to all browsers installed on the system. That is suboptimal at the very least, being an automated action that happens without your consent. However, there is one more concerning thing to talk about.

Screenshot: Yandex services in Chrome

As I mentioned earlier, this is a Russian company, and in Russia, the “Sovereign Internet Law” is in effect. This means that all traffic should be recorded and kept on software providers’ servers. It may be accessed on demand by law enforcement without any additional permits. This is the key concern of having and using any Russian software on your computer. Even though similar speculations revolve around US companies and the FBI, the latter still requires a court order to access the information. And, well, you won’t likely be a point of interest for the feds unless you do something illegal.

Legal State Keylogger

One particular program that installs YandexBundler is Punto Switcher, a software whose developer Yandex acquired some time ago. In short, this program automatically switches the keyboard layout between multiple languages. As you might guess, for such an application to work correctly, it needs to read keystrokes, essentially functioning as a keylogger. Additionally, the application has a journaling feature that saves all entered information to a file. And since the program freely connects to the Internet, there is a high chance of this data ending up on Yandex servers.

Screenshot: Punto Switcher installer

Not only does Punto Switcher serve as a legal method for distributing PUABundler:Win32/YandexBundled (see the image below), but it also provides an excellent opportunity to legally monitor users. Although the application offers the option to disable auto-switching, it is unlikely that this would disable keystroke logging.

Technical Analysis

Let’s briefly look at the technical aspects of PUABundler:Win32/YandexBundled to determine how dangerous this unwanted software really is. One of the main concerns is that this software reads user/profile data from web browsers:

c:\Users\user\appdata\local\google\chrome\user data\default\history
c:\Users\user\appdata\local\google\chrome\user data\default\history-journal
c:\Users\user\appdata\local\google\chrome\user data\default\local storage\leveldb\current
c:\Users\user\appdata\local\google\chrome\user data\default\preferences
c:\Users\user\appdata\local\google\chrome\user data\default\top sites

While the program likely gets the profile info to transfer it to Yandex, this is another example of unauthorized access. Yandex software simply doesn’t care whether you want this to happen or not, it just does it, and consequently collects all of your data from this profile.

It gets even more concerning when we have a look at registry keys that the program accesses. It methodically goes through entries that contain information about installed programs and geolocation.

\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

While there may be a legitimate reason for the program to get this information, the overall nature of the software makes such sharing questionable.

How to Remove PUABundler:Win32/YandexBundled?

If you encounter PUABundler:Win32/YandexBundled, there are two ways to remove it. The first, and less effective, method is manual removal. The second, and recommended, method is using specialized tools. Since this unwanted software embeds itself deeply in the system, I recommend using the second method. GridinSoft Anti-Malware is an optimal solution, as it not only removes threats with just two clicks but also allows resetting browser settings with one click. This will remove all unwanted extensions and homepage settings.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the anti-malware program takes on each element: click "Advanced mode" and use the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Stopabit Virus
https://gridinsoft.com/blogs/stopabit-virus/
Tue, 02 Jul 2024 15:29:26 +0000

Stopabit is an unwanted application with almost no useful functionality. It is promoted as a useful tool for screen time control, but it in fact aims at exploiting the system’s bandwidth. This may lead to connectivity issues and illicit traffic being routed through the system.

Such applications are commonly distributed through software bundling, i.e. installation along with pirated software, game mods and similar software from questionable sources.

Stopabit Virus Overview

Stopabit is a malicious program that shows up as a process in the Windows Task Manager. It falls into the Potentially Unwanted Applications (PUA) category and works as proxyware. This means Stopabit can route third-party traffic through the system it is active on. Aside from this, it pretends to be a convenient tool for scheduling short breaks in your PC usage, presumably to take care of your eyes.

Screenshot: window of the Stopabit app

The key danger of proxyware is the unauthorized use of the system’s bandwidth. During installation, Stopabit says it will monetize using the Globalhop SDK. The latter looks legitimate only on the surface: as numerous analyses from well-known security vendors show, this SDK has repeatedly been used to route illegal traffic. As gray proxy services are rather popular on the Darknet, it is easy to understand where this traffic comes from.

Similarly to other proxyware apps, Stopabit mainly gets into user devices through pirated software and similar illegal programs like keygens and activators. Sometimes, it can infiltrate systems through fake versions of mods for popular games.

Stopabit Runtime Analysis

To understand how Stopabit works, let’s go through each step of its actions by analyzing one of its samples. Immediately after the installation, it sends the notification to the tray, offering to start using the tool.

Stopabit notification

The interface of the program is pretty ascetic, to say the least. There is only one panel with possible actions; the rest of what is available from the tray is just the EULA, some basic settings and program info. The thing is, all these functions are already present in Windows as part of the Focus app.

And well, the main course of Stopabit is its proxyware module. It starts together with the program, and appears to have its own persistence settings. Even when you stop the program from the tray, the corresponding process in the Task Manager keeps running. This means proxy connections will keep operating until you remove the program completely.

Screenshot: Stopabit is still present in the Task Manager after being stopped from the system tray

System Reconnaissance

Stopabit tries to gather detailed information about the system by interacting with the Windows Registry, querying running processes, and reading various system configuration settings. It also tries to get information on the installed software, including software policies and cryptographic machine GUID, the OS version, system information, query environment variables, and get the disk size, system language, geographical location, and time zone information.

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\RegisteredProfiles
HKCU\Software\Classes\Local
HKCU\Software\Classes\Local Settings\MuiCache\1F4\52C64B7E\LanguageList

The registry keys include interface and language preferences, application settings, internet connection, session and recovery details, installed applications, internet settings, security certificates, Windows settings, registry values, and security policies.

It also tries to detect virtual machines, to hinder analysis, by checking this value:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\RegisteredProfiles

This registry key is related to color management in Windows. The malware understands whether it is in a virtualized environment depending on the response received.

C2 connection

The malware uses HTTPS to communicate with its command and control server. This makes detecting malicious traffic exceptionally hard, since the encrypted payload cannot be inspected for characteristic patterns. It also transmits data over the non-standard ports listed below, another anti-detection and anti-sniffing feature. All of the possible C2 servers are hardcoded into the sample, probably at compilation time.

Screenshot: one of the HTTP GET requests sent by the Stopabit virus

track.stopabit.com/v1/?c=381B2D6D-3DF2-41A2-8798-9AD14FB5F586&i=ba6361541ad79f7d5bb94c8f8cec972d&e=preinstall&n=Stopabit&v=1.0.2.0
128.140.126.44:32069 (UDP)
a83f:8110:0:0:1400:1400:2800:3800:53 (UDP)
a83f:8110:2800:0:2800:0:1800:0:53 (UDP)

How To Remove Stopabit?

Removing Stopabit almost always requires anti-malware software. GridinSoft Anti-Malware is a great solution for removing Stopabit and other malware in a few clicks. Manual removal is barely possible, since this application creates numerous backup copies around the disk that will restore the threat. This tool will find and delete them all at once.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the anti-malware program takes on each element: click "Advanced mode" and use the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Weather Zero
https://gridinsoft.com/blogs/weather-zero/
Tue, 02 Jul 2024 08:56:15 +0000

Weather Zero is a dropper-like unwanted program that disguises itself as a weather widget for Windows. It spreads as potentially unwanted software via bundling and can deliver malware to the target system. Its innocent looks make a lot of people ignore it or believe it is completely harmless and thus have little to no haste in removing it. Let me explain its dangers in detail and show how to remove the unwanted program from the system.

Weather Zero Overview

Weather Zero appears to be a program that displays real-time weather information. At first glance, it seems to be just a tiny weather widget that sits in the lower right corner. To be completely fair, it is less than useful in modern Windows 10/11 systems, as they have a similar widget built directly into the taskbar. But the key problem of the app goes far beyond duplicating the system functions: it has some malware-like capabilities. Weather Zero can in fact act as a dropper, aiming at delivering a payload of other malware to the target system.

Screenshot: Zero weather widget

The most widespread way of spreading for Weather Zero is some shady software that you can find online. Game mods, trainers, cheats, “patches” for older games, or outright pirated software – all this typically comes from no-name developers that are free to inject whatever junkware they want. And Weather Zero is just another participant in this scheme.

Technical Analysis

To prove the claims made earlier, let’s get into the technical aspects of Weather Zero and uncover why this program is not what it claims to be.

The first red flag is that this program performs checks for virtual environments and debuggers, which is unusual for a typical application. Normally, apps are agnostic about their environments; hardware checks may be a thing, but it is about a rather short checklist. With this app, I’ve seen the checks of the following files and registry keys:

C:\WINDOWS\wininit.ini
C:\Windows\system32\drivers\etc\hosts
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
HKEY_LOCAL_MACHINE\Hardware\description\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option

As inferred from the names of these keys, the program is checking BIOS information, hardware details, and specifically searching for keys related to virtual machines. This behavior is definitely not typical for a weather widget.

After ensuring it is not running in a virtual environment, the program collects basic system information. This “fingerprint” does not include confidential data but is used to identify the infected machine. This step, like the previous one, is characteristic of malware rather than a regular weather widget.

C2 Connection

The dubious program connects to its command and control (C2) servers at the following IP addresses.

TCP 172.67.211.190:443
TCP 20.99.132.105:443
TCP 104.26.11.57:443
UDP 192.168.0.13:137
TCP 142.250.69.195:80

Notably, many of them correspond to weatherzero.com, microsoft.com, Azure, Google, Cloudflare, and Amazon Web Services. This may indicate that Weather Zero makes some genuine calls, or simply performs useless actions to confuse security systems.

Payload

Next, the app in question proceeds with its primary task – delivering its payload into the system. The program drops the following DLL files into the temporary system folder %USERPROFILE%\AppData\Local\Temp:

nsaE521.tmp\INetC.dll
nsvF2EC.tmp\INetC.dll
nsz528C.tmp\INetC.dll
nso2BAD.tmp\INetC.dll

Since Weather Zero was installed with administrative privileges, it can execute these DLL files with the highest level of privileges. The payload I got in my observations appears to be something dull and uninteresting, but I suspect this is due to its detection of a virtualized environment. It is not clear whether this junkware can deploy “serious” malware or stops at adware and browser hijackers, like some similar programs do.

How To Remove Weather Zero?

To remove Weather Zero, use GridinSoft Anti-Malware: it will reliably remove the virus and protect against other threats, regardless of their source. Download it through the link below and follow the guide to make your system as clean as new.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the anti-malware program takes on each element: click "Advanced mode" and use the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

PUA:Win32/Packunwan
https://gridinsoft.com/blogs/pua-win32-packunwan/
Thu, 27 Jun 2024 15:56:10 +0000

PUA:Win32/Packunwan is a generic detection for a potentially unwanted program that uses software packing. It can range from merely annoying to a severe threat to system safety, and the degree of damage to the system varies accordingly.

Usually, these unwanted programs are distributed as “recommended software” in freeware, shareware or cracked installers. The name “Packunwan” stands for the unwanted program that uses packing, which makes the analysis more complicated. Programs detected with this name are almost always some no-name tools or duplicates of other programs.

PUA:Win32/Packunwan Overview

PUA:Win32/Packunwan is a potentially unwanted application (PUA) detection. However, the analysis of samples collected on the Web revealed much more malicious functionality. Due to the diverse nature of the reports, it is challenging to ascertain their precise behavior without in-depth analysis. At the same time, this unwanted program was not attributed to any known developer or company, leading to speculation that these programs may be of dubious origin.

Screenshot: PUA:Win32/Packunwan detection

While PUAs are not necessarily viruses, they can still be disruptive and pose security risks. Packunwan typically displays unwanted advertisements on your computer. It can also track your browsing activity and change your browser settings. Among the most noticeable is the change to your homepage or search engine.

On the other hand, the behavior of this program is in fact far beyond “showing unwanted ads”. Reviewing the sample shows that it collects way too much system information, which in combination with packing and detection evasion makes it look fishy. The overall activity of Packunwan can lead to compromised privacy and malware injection.

Packunwan Technical Analysis

As I’ve just said, while analyzing Packunwan malware samples I’ve seen a lot of questionable actions. In particular, it collects way too much information about the system: not enough to call it spyware, but still more than I would consider acceptable. Also, its networking is outright strange, bordering on what you would expect from dropper malware. Even though not all samples behaved like this, there was a consistent behavior pattern.

Launch & System Discovery

Upon execution, the reviewed Packunwan sample checks the computer’s location settings for no obvious reason. This is the standard behavior for malware, but not a “driver updater”. To do this, it queries the registry for specific values related to country code configurations.

Screenshot: registry entries that Packunwan accesses to get location info

After that, the program starts gathering system information. By checking a selection of registry entries and querying system functions, it retrieves the list of installed software, OS information and system drivers. The latter is needed for the “driver updater” functionality, but can also be used to discover whether the system is a virtual machine.

One anti-analysis trick I am certain about is checking disk information through registry queries. The malware checks SCSI registry keys, which reveal whether the disk is a virtual one created by a sandbox environment or a virtual machine. SCSI technology is not supported these days, and it is unlikely that a geek who plays with geriatric hardware would use questionable apps.

HKLM\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001
HKLM\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
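
As an added example (not code from the original posts or from GridinSoft), here is a small Python triage script that normalises registry and file paths from a sandbox trace and flags the anti-analysis and fingerprinting probes described for Weather Zero, Stopabit, YandexBundled and this Packunwan sample. The trace format (operation, tab, path), the sample lines and the category names are constructed for this example; the rationale strings paraphrase the posts.

```python
import re
from dataclasses import dataclass

# Registry-path indicator rules: (category, pattern, rationale). Patterns run
# against normalised paths (HKLM/HKCU prefixes, CurrentControlSet). The keys
# mirror those the posts list for Weather Zero, Stopabit, YandexBundled and Packunwan.
REG_RULES = [
    ("vm_vendor_artifact",
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
     "ACPI table name left behind by VirtualBox"),
    ("vm_virtual_disk",
     re.compile(r"\\Enum\\SCSI\\[^\\]*VEN_MSFT&PROD_VIRTUAL", re.I),
     "virtual disk/DVD enumerated under SCSI, as in the Packunwan sample"),
    ("bios_fingerprint",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System(\\(SystemBiosVersion|VideoBiosVersion))?$", re.I),
     "BIOS version strings name the hypervisor on most VMs"),
    ("safeboot_probe",
     re.compile(r"\\CurrentControlSet\\Control\\SafeBoot\\Option$", re.I),
     "checks whether Windows was booted in Safe Mode"),
    ("machine_id",
     re.compile(r"\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid$", re.I),
     "stable per-install identifier, typical for fingerprinting"),
    ("color_profile_probe",
     re.compile(r"\\Windows NT\\CurrentVersion\\ICM\\RegisteredProfiles$", re.I),
     "color-management key the Stopabit post ties to VM detection"),
    ("geo_probe",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I),
     "country code lookup; location-dependent behavior noted for Packunwan"),
    ("security_software_probe",
     re.compile(r"\\Control\\SecurityProviders(\\SaslProfiles)?$", re.I),
     "enumerates installed security providers"),
]

# File-path rules cover the browser profile reads seen in the YandexBundled post.
FILE_RULES = [
    ("browser_profile_read",
     re.compile(r"\\google\\chrome\\user data\\[^\\]+\\(history|preferences|top sites|local storage\\)", re.I),
     "reads Chrome profile data (history, prefs, local storage)"),
]

HIVE_ALIASES = [  # (prefix as it appears in traces, canonical short hive name)
    ("HKEY_LOCAL_MACHINE", "HKLM"),
    (r"\REGISTRY\MACHINE", "HKLM"),
    ("HKEY_CURRENT_USER", "HKCU"),
]


def normalise(path: str) -> str:
    """Map the various hive spellings seen in traces onto HKLM\\... / HKCU\\..."""
    p = path.strip()
    # \REGISTRY\USER\<SID>\... is the kernel spelling of the current user's hive
    m = re.match(r"\\REGISTRY\\USER\\S-1-5-[\d-]+\\(.*)", p, re.I)
    if m:
        return "HKCU\\" + m.group(1)
    for prefix, hive in HIVE_ALIASES:
        if p.upper().startswith(prefix.upper() + "\\"):
            p = hive + p[len(prefix):]
            break
    # ControlSet001/002 are the concrete sets behind the CurrentControlSet link
    return re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", p, flags=re.I)


@dataclass(frozen=True)
class Hit:
    category: str
    path: str
    rationale: str


def scan_trace(lines):
    """Classify each 'operation<TAB>path' trace line; returns matching Hits in order."""
    hits = []
    for line in lines:
        if "\t" not in line:
            continue                       # not a well-formed trace line
        op, path = line.split("\t", 1)
        if op.startswith("Reg"):
            target, rules = normalise(path), REG_RULES
        elif op in ("CreateFile", "ReadFile"):
            target, rules = path.strip(), FILE_RULES
        else:
            continue
        for category, pattern, why in rules:
            if pattern.search(target):
                hits.append(Hit(category, target, why))
                break                      # first matching rule wins
    return hits


VM_CATEGORIES = {"vm_vendor_artifact", "vm_virtual_disk", "bios_fingerprint",
                 "color_profile_probe"}


def assess(hits):
    """Roll hits up into a verdict: 'anti-vm' needs two independent VM probes."""
    categories = sorted({h.category for h in hits})
    vm_probes = len(VM_CATEGORIES.intersection(categories))
    if vm_probes >= 2:
        verdict = "anti-vm"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, categories


# Constructed sample trace (not real sandbox output), mixing keys the posts list
# with benign accesses that should not fire.
SAMPLE_TRACE = [
    "RegQueryValue\t" + r"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
    "RegQueryValue\t" + r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    "RegOpenKey\t" + r"\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option",
    "RegOpenKey\t" + r"HKLM\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001",
    "RegQueryValue\t" + r"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\RegisteredProfiles",
    "RegQueryValue\t" + r"\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation",
    "CreateFile\t" + r"c:\Users\user\appdata\local\google\chrome\user data\default\history",
    "RegOpenKey\t" + r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",  # benign
    "CreateFile\t" + r"C:\Windows\system32\drivers\etc\hosts",                            # no file rule
]

if __name__ == "__main__":
    found = scan_trace(SAMPLE_TRACE)
    verdict, cats = assess(found)
    for h in found:
        print(f"[{h.category}] {h.path}\n    {h.rationale}")
    print("verdict:", verdict, "categories:", cats)
```

The rule list is the part to extend: the same scanner applied to a trace of a real weather widget or driver updater should produce no VM probes at all, which is the contrast the posts draw.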

Persistence and Detection Evasion

PUA:Win32/Packunwan uses various obfuscation techniques to dodge detection. As its name implies, its files are packed, i.e. compressed and encrypted; the sample I reviewed encrypted data using the RC4 PRGA. Additionally, it attempts to conceal itself by creating files in user directories with extensions that do not match the file type. At the same time, it disguises the payload as part of the “driver updater” files.

For persistence, the program creates Windows services and adds entries to the Registry Run keys and startup folders. While this is a rather widespread step, it remains effective, especially in poorly protected systems. Packunwan also does not let you opt out of the autostart from its interface, a common practice among unwanted programs.

Network Communications

I’ve mentioned that Packunwan is usually distinctive for its networking activity, though not every sample had as much strange background activity as the one I looked at more closely. Over a short period of time, it repeatedly contacts the remote server. You can see an example of one of these requests below:

Screenshot: one of the HTTP GET requests from a Packunwan sample. Source: Tria.ge

Sure enough, driver updaters should get the drivers they are about to install somewhere. But as far as I’m aware, not even a single program creates that much chaos in networking logs. It is either a poor software design, or the attempt to conceal something by blending it into this mess.

How To Remove PUA:Win32/Packunwan

You will need an antimalware tool to remove PUA:Win32/Packunwan. I recommend GridinSoft Anti-Malware – it will be the optimal solution in such a case. You should run a full scan, whether it is an adware PUA or a dropper. It might take a little longer, but it will guarantee a more effective cleaning.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the anti-malware program takes on each element: click "Advanced mode" and use the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

PUADlmanager:Win32/InstallCore
https://gridinsoft.com/blogs/puadlmanager-win32-installcore/
Thu, 27 Jun 2024 14:05:41 +0000

PUADlmanager:Win32/InstallCore is a detection that Windows Defender antivirus uses to detect potentially unwanted programs (PUA). It is malware that poses a serious threat to Windows users. Unlike simple unwanted programs, InstallCore combines the functions of a downloader and an installer, automatically distributing many unwanted applications and potentially dangerous programs to infected devices.

Win32/InstallCore may not look like a serious threat, but the effects of its activity are not pleasant either. Unwanted programs, adware, junk apps – this PUA is not picky about things it spreads. It is a serious threat to users that requires attention and removal.

What is PUADlmanager:Win32/InstallCore?

It is the name for the detection of a program that packages additional software with the main one. It is not a stand-alone program, but rather an application layered on top of the program installer. Once you launch such an infused installer, InstallCore is up, too, ready to perform its dirty deeds.

PUADlmanager:Win32/InstallCore Detection

The prefix “PUADlmanager” (PUA Download Manager) describes this behaviour clearly. The thing InstallCore tries to accomplish is downloading and installing things in the background, without the user’s permission. This way, those who spread the program try to monetize their effort. Typically, those apps are unwanted programs of some sort and adware.

Things like Win32/InstallCore are often spread embedded into pirated software. Some freeware programs may contain it, too, particularly ones from platforms like Softonic, Download.com and FileHippo.

Is InstallCore a False Positive?

As far as I reckon, false positives of PUADlmanager:Win32/InstallCore can occur in several cases. One of the users on the Information Security Stack Exchange forum noted that it can be related to security signature updates or to installing third-party software. This is not always a threat, but rather belongs to the “gray” category, as it is not as dangerous as malware.

Another example of a false positive was discussed on the JDownloader Community forum, where Windows Defender mistakenly detected malware in the JDownloader.exe file. In this case, the JDownloader developers reported the false positive and asked users to report it as well, confirming that JDownloader does not contain malware. There was also a discussion on the Microsoft forum about a false positive on the Five Nights at Freddy’s game installer.

User complaint about false positive results

Antivirus programs regularly update their malware signature databases. Sometimes, new signatures can mistakenly classify safe files or programs as malicious. However, users may not pay attention to additional programs that are offered for installation along with the main software. If such additional software falls into the PUA/PUP category, Windows Defender will detect it as such.

How does PUADlmanager:Win32/InstallCore affect my computer?

As I wrote above, the danger of PUADlmanager is that it downloads and installs numerous unwanted programs without the user’s consent and knowledge. Most of them may have unpredictable consequences for the computer and user data. To test the thing, I’ve found several examples of apps that Windows Defender detected as Win32/InstallCore.

In one instance, the app had no real functionality, being just a shell with an attractive interface. It was advertised as software to help download files, particularly from torrents, but didn’t really provide any real features. This became clear when I discovered that despite promises of advanced features for an additional fee, the program actually provided no utility and could perform suspicious activities on my PC.

However, uselessness is not the only issue here. As soon as I pressed the “Install” button, numerous other programs started to appear. Driver updaters, “free” VPNs, system tuners – plenty of them. Their sheer volume made the virtual machine I was running the test on exceptionally slow.

Desktop after the InstallCore activity

One more thing that was definitely an effect of InstallCore activity is advertisements flooding the websites. It looks like aside from the unwanted programs, this PUA also brought an adware of some sort. Irrelevant advertisements both in the browser and system tray kept popping up until the malware removal.

Adware effects related to PUADlmanager:Win32/InstallCore: advertisements on every page

On top of that, the browser started opening the pages which demand installing some questionable browser plugins. Among other things, I’ve noticed a well-known plugin, called Dragon Angel. This thing works as a browser hijacker, and is usually promoted in this exact way. Though, it may be a lesser evil here, as browser plugins can also work as infostealers and crypto hijackers.

Malicious ad screenshot
Malicious ad distributing Dragon Angel extension

Overall, PUADlmanager:Win32/InstallCore is not a severe threat by any measure. But the effects of its activity are nowhere near pleasant either: they make the system hard to use, distract you with ads, and potentially compromise the computer for further infections. It should be removed as soon as possible.

How to remove PUADlmanager:Win32/InstallCore from PC?

To prevent PUADlmanager:Win32/InstallCore, I recommend using reliable antivirus software capable of detecting and removing all malware components. GridinSoft Anti-Malware offers an effective solution to detect and eliminate this kind of threat, providing comprehensive system protection.


Manual removal of InstallCore and related unwanted programs is possible, but it requires some knowledge and can be a time-consuming process. To prevent infection, it is important to avoid downloading programs from unverified sources and not to open suspicious email attachments.

PUA:Win32/Caypnamer.A!ml
https://gridinsoft.com/blogs/pua-win32-caypnamer-aml/
Thu, 27 Jun 2024 13:57:39 +0000

PUA:Win32/Caypnamer.A!ml is a detection used by Microsoft’s Defender that identifies files or processes exhibiting suspicious characteristics. It is typically associated with Potentially Unwanted Applications (PUAs). Although PUAs are not considered malware as they do not directly cause harm to the system, their presence may pose a potential security risk.

Frequently, this detection appears after the use of cracked software, keygen tools, trainers, cheat engines, and software programs that change the behavior of other applications. Using such tools is often illegal and can lead to serious legal consequences, aside from being dangerous from a cybersecurity perspective.

PUA:Win32/Caypnamer.A!ml Overview

PUA:Win32/Caypnamer.A!ml is a detection name Microsoft Defender uses to identify a potentially unwanted application (PUA). The name “Caypnamer” does not have a specific definition, so I made my own assumptions about its meaning during the research.

PUA:Win32/Caypnamer.A!ml detection screenshot
PUA:Win32/Caypnamer.A!ml detection window

Most of the time, this detection appears on cracked software, keygen tools, trainers, or cheat engines. These are often obtained from unreliable sources or through illicit means. Users unknowingly download and execute these programs, introducing malicious code into their systems. Using such tools is not only illegal; it also carries the risk of infecting your device with malware.

The main thing all the mentioned software has in common is the ability to interfere with other processes’ memory. Some of them inject code into a running program to change its internal values (cheat engines, trainers); others do this to make the program skip certain procedures, most commonly license checks. In my opinion, this is the main thing that distinguishes Caypnamer from other PUA names.

Is PUA:Win32/Caypnamer.A!ml a False Positive?

Sometimes, the detection of PUA:Win32/Caypnamer.A!ml can be a false positive. This is because it is a detection of Microsoft Defender, specifically, the AI detection system. The “!ml” particle at the end stands for machine learning. This detection is usually triggered when the app can interfere with a program’s files and memory.

Technical Analysis

Let’s examine PUA:Win32/Caypnamer.A!ml step by step to understand how it works. While being just risky rather than outright malicious, it performs quite a few actions that have no business being there. I’ve based the analysis on a sample of a trainer for one of the popular games.

Virtualization/Sandbox Evasion

After the launch, Caypnamer performs several checks that detect if it’s running within a virtual machine or sandbox environment. It accesses the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

This check aims to evade analysis attempts conducted within such controlled environments. It is not clear why a trainer would need to know whether it is running in a VM or sandbox.

Discovery

Further actions of Caypnamer are hardly safe either. It conducts reconnaissance on the infected system to gather information about its configuration and environment. Some of the Caypnamer samples are capable of antivirus detection evasion, and such data is what gives the thing a clue on how to do this. The sample reads the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

It reads software policies to understand the security measures and identify potential vulnerabilities. Additionally, it may query system time settings and time zone information to tailor its behavior or evade detection based on time-based triggers.
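The Run and Winlogon keys listed above are also the places where an unwanted program would register itself to start with Windows, so they are worth auditing after a detection like this. The script below is an added example, not code from the Gridinsoft post or from the sample: it enumerates those autostart locations read-only and flags any entry whose executable lives outside the directories the script assumes to be normal homes for autostart binaries (Program Files, Program Files (x86) and the Windows directory; that list is an assumption and can be extended). Run it in an elevated PowerShell on the machine under investigation.

```powershell
# Added example (not from the Gridinsoft post): audit the autostart registry
# locations named in the post. Read-only; it prints entries and marks those
# whose image path is outside the assumed trusted roots for manual review.

$locations = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Assumption: autostart binaries normally live under one of these roots.
$trustedRoots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:SystemRoot
) | Where-Object { $_ }

function Get-ImagePath {
    param([string]$Command)
    # Reduce a command line to its executable: quoted path, or first token
    # ending in .exe (handles Userinit's trailing comma), else the raw value.
    if ($Command -match '^\s*"([^"]+)"')   { return $Matches[1] }
    if ($Command -match '^\s*([^\s,]+\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

foreach ($key in $locations) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key

    # Under Winlogon only Shell and Userinit are autostart-relevant; under the
    # Run keys every value is. PS* properties are provider metadata, not values.
    $names = if ($key -like '*Winlogon') { 'Shell', 'Userinit' } else {
        $item.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
    }

    foreach ($name in $names) {
        $value = $item.$name
        if (-not $value) { continue }

        $exe = [Environment]::ExpandEnvironmentVariables((Get-ImagePath $value))
        # Bare names such as "explorer.exe" resolve from System32.
        if (-not [IO.Path]::IsPathRooted($exe)) {
            $exe = Join-Path "$env:SystemRoot\System32" $exe
        }

        $inTrusted = $trustedRoots | Where-Object { $exe -like "$_*" }
        $flag = if ($inTrusted) { '' } else { '   <-- outside trusted roots, review' }
        '{0}\{1} = {2}{3}' -f $key, $name, $value, $flag
    }
}
```

Entries under a user profile, a Temp folder or a download directory are the ones to look at first; a legitimate vendor rarely starts its software from there. The script deliberately changes nothing, so removing an entry remains a decision for the person reviewing the output.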

How To Remove a Caypnamer.A!ml?

If you are unsure of the validity of the detection, you can use a third-party anti-malware tool. I recommend GridinSoft Anti-Malware. This program will help you determine if there are any dangerous programs on your system.

