Category Archives: malware

Say Hi To Cuckoo Sandbox!

Cuckoo is an open source automated malware analysis tool. Cuckoo can execute files and monitor the behaviour. And if you are running FreeFixer, your suspicious files will also be analysed by the sandbox. For free.

I’ll try to explain what Cuckoo can do more in detail by using examples from the Cuckoo reports on files listed here at

One of the most useful features is that Cuckoo can trace API calls. Here’s an example from RunBoosterUpdateTask64.exe, where you can see that it calls CreateServiceW to register a driver named WinDivert64.sys. This is pretty useful if you are trying to find out what a particular file on your system is doing.

"call": {
  "category": "services",
  "status": 1,
  "stacktrace": [],
  "api": "CreateServiceW",
  "return_value": 4536928,
  "arguments": {
    "service_start_name": "",
    "start_type": 2,
    "service_handle": "0x0000000000453a60",
    "display_name": "WinDivert1.2",
    "error_control": 1,
    "service_name": "WinDivert1.2",
    "filepath": "C:\\Windows\\System32\\drivers\\WinDivert64.sys",
    "filepath_r": "C:\\Windows\\system32\\drivers\\WinDivert64.sys",
    "service_manager_handle": "0x0000000000453a00",
    "desired_access": 983551,
    "service_type": 1,
    "password": ""
  "time": 1576385586.79675,
  "tid": 2436,
  "flags": {}

Cuckoo also monitors host resolving. Here’s another example from the log where RunBoosterUpdateTask64.exe tries to get the IP address for

"resolves_host": [ "" ]

And the list goes on. Cuckoo detects anti-virtualisation tactics. For example, Cuckoo will notice if the file under test checks for existence of VMware/VirtualBox registry keys or files.

Here’s an example from armsvc.exe where Cuckoo notice that the process is trying to detect if it is running in VMware using an instruction:

  "markcount": 1,
  "families": [],
  "description": "Detects VMWare through the in instruction feature",
  "severity": 3,

Cuckoo will detect potential compressed or encrypted data in the executable files by measuring the entropy in the file. Cuckoo can also step through installation wizards and takes screenshots during the analysis. It will also log UDP and TCP connection.

I’m impressed by all the features.

So, I’ve set up a Cuckoo installation that will use to analyse files. The approach is simple. will upload files to sandbox and after a while the analysis will be displayed on the web site. I’ve decided to display the Summary, Generic, Dropped, Signatures, Yara, and Network sections from the sandbox report. Here’s an example report for armsvc.exe:

I’ve been running Cuckoo for some time now, and it has analysed more that 6000 files. I’m pretty happy with the result so far. Cuckoo just keeps on running, analysing one file after another.

I’ve identified a number of issues that needs to be addressed:

  • Lots of noise! The reports from Cuckoo can be quite verbose and it can be difficult for users to identify the most interesting parts of the log. This is pretty difficult problem that I’m not sure how to fix. An automated approach is needed to pinpoint the most interesting parts of the log.
  • Identical screenshots. The sandbox generates screenshots that are almost identical. I’m currently using ImageMagick to compare images for similarity but it does not work good enough. I think the code needs another round of tuning.
  • The web site needs to explain what the items in the log means. For example, what does UPD packets sent from the local host to at port 5355 mean? (It’s a name resolution for hosts on the same local link)
  • The JSON reports are shown in fixed size text-areas (<pre></pre>) with vertical and horizontal scrollbars. Works OK when the amount of JSON data is small. Works terrible when dealing with large amount of data. Please let me know if you have some ideas on how to present the JSON data in smart ways.

I’m hoping, now that you have another tool to analyse files, that this will help you to track down and remove that malware running on your machine.

WMI Commandline Utility Malware Pop Ups – Click NO!

I was helping out a FreeFixer user this morning, trying to track down some malware in his FreeFixer log that he sent me.

While searching for information about a .DLL file, I found a spam post on, which linked to another web page that started a download of an executable file.

And this one is pretty nasty. Look at the executable file. As you can see the file is digitally signed by Free Sky Business LP.


Typically, when you double-click on a file like this, Windows pops up an User Account Control dialog asking if you trust “Free Sky Business LP”. However, this one manage to pop-up and UAC for Microsoft’s WMI Commandline Utility.


If you click no, the UAC dialog will pop-up again and again and again…

Until you click Yes, which starts the installation of FileFinder.exe.


So watch out! Don’t click Yes if the Microsoft’s WMI Commandline Utility UAC dialog pops up.


Plugin Update SL – Warning! Stay away from this file

I’m in a hurry here, trying to wrap up the v1.12 release of FreeFixer, but I though I must write a few lines of about a file, digitally signed by Plugin Update SL, that was promoted as a Java update. Here’s how the ad appeared:

plugin update s.l ad - java update

When clicking on the ad, a download for something called Player_Setup.exe appeared. That file, is not a Java Update.

Plugin Update SL Certificate

The file is digitally signed by Plugin Update SL, which is a company that appears to be located on Tenerife, and if you run the file, it will start an installation of something called NewPlayer. During the installation, it offers lots of bundled unwanted software, such as Findopolis, FreeSoftToday, IStartSurf, etc, etc.

The VirusTotal scan also clearly shows why you should stay away from the Plugin Update SL malware file:

Plugin Update SL - Virus Total report

Some of the scanners report it as DomaIQ and SoftPulse.

Did you also find a file signed by Plugin Update SL? Was it also promoted as a Java update?

If you installed any of the bundled software, you can remove those with FreeFixer.

Hope this helped you avoid the Plugin Update SL software. Thanks for reading.

SW-Booster.exe, SW-Sustainer 1.80, saVee aNete 5.14

Played around with another download this morning. This time a bunch of new files and settings appeared. The first notable change was a new process and scheduled task called SW-Booster.exe appearing:sw-booster.exe

SW-Booster.exe is detected under names such as “a variant of Win32/TrojanDownloader.Agent.AFD” and “PUP.Optional.MultiPlug.A

Two new Firefox extensions also appeared, Y**tubeAdBlocker and saVee aNete 5.14:savee-anete-5.14

I’ve verified that FreeFixer removed these completely. There are also entries in the Programs and Features dialog.SW-Booster-SW-Sustainer 1.80

Please let me know if this helped you remove the SW-Booster malware by posting a comment.

Update 2014-11-21: Seems to be a variant around called SoftwareBooster.exe:

SoftwareBooster.exe task manager


eGdpSvc.exe – How To Uninstall

Back in July I was first notified about the eGdpSvc.exe file. At that time, only one of the 45 engines at VirusTotal detected the file and I didn’t know how it was distributed or how it ended up and the users’ machines.

Today, I noticed that eGdpSvc.exe is still distributed so I thought I’d make a quick uninstall guide that shows how to delete eGdpSvc.exe with the help of FreeFixer. This video also shows that the “more info” links in FreeFixer can be quite useful to determine if a file is legitimate or malware.

The more info links in FreeFixer

When looking at the “more info” page of eGdpSvc.exe in the video you’ll see that eGdpSvc.exe is currently detected by 14 of the anti-virus scanners at VirusTotal.

Do you click on the more info links while trying to determine if a files is legitimate or malware?