Cymbeline

Posts posted by Cymbeline

  1. 6 hours ago, msmcleod said:

    While I can't say for sure that this isn't infected somehow, I strongly suspect this is a false positive.

    The ASIOLink has to use RPC to bridge ASIO calls between processes (FWIW BitBridge & JBridge do a similar thing). It also uses network calls for the ASIO over network functionality. It may be that the developer decided to use the RDP protocol to enable RPC calls over the network, which would save him having to roll his own solution.

    The zero-sized sections within the PE are most likely the result of removing the copy protection.

    I can't see anything in the list of suspicious characteristics that can't be explained by the nature of what ASIOLink does, but someone would have to monitor network activity closely to be absolutely sure (i.e. check if any remote sites are being contacted or if there's any unexplained incoming traffic).

    Thank you for explaining. I'm with you and highly doubt it's malicious.

    • Like 1
  2. 11 hours ago, Simeon Amburgey said:

    I was not aware this was an issue and I have not experienced anything crazy but will check it out. The only thing I could think of is where you might have originally downloaded your version. @msmcleod, any thoughts on this?

    Thanks for the answer. I downloaded it from the link above in this thread.


    • Like 1
  3. I happily installed this software to solve a specific problem with my UAD Apollo interface. I then shared what I did on the Apollo forum thinking I could help other people.

    But then someone there explained that the file is malicious and does all kinds of things it shouldn't be doing.

    Did anybody here have any issues with it after installing it or anything to share about it?

    Thanks.


    Quote

    Well, that's a very suspicious file. I wouldn't open it.

    Registry Keys Opened
    \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe
    \Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
    \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled
    \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe\RpcThreadPoolThrottle
    \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows NT\Rpc

    Remote Access
    Reads terminal service related keys

    MITRE ATT&CK™ Techniques Detection
    This report has 3 indicators that were mapped to 4 attack techniques and 4 tactics.

    Defense Evasion, Privilege Escalation

    Also activates Remote Desktop Protocol and more suspicious stuff... Why?


    And


    Quote

    The software seems to be bound with some sort of malicious software, indeed. FUD Crypters are used to fool anti-virus scans, hence the name FULLY UNDETECTED Crypters. You can reverse engineer some of it, and you'll see the things I've posted. It shouldn't activate remote desktop and other things, just like backdoors/trojans do.

    Installation/Persistance
    Monitors specific registry key for changes
    Remote Access Related
    Reads terminal service related keys (often RDP related)
    Unusual Characteristics
    Imports suspicious APIs
    Installs hooks/patches the running process
    Anti-Reverse Engineering
    PE file contains zero-size sections
    Installation/Persistance
    Touches files in the Windows directory

    I'm sure the "original" installer is clean, but this copy doesn't seem to be.
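    Editor's note on the two sandbox excerpts above: reads of keys under Image File Execution Options\<exe>\RpcThreadPoolThrottle and Policies\...\Safer\CodeIdentifiers are made by the Windows RPC runtime and by the Software Restriction Policies check during normal process start, so they show up in sandbox reports for many ordinary programs and do not by themselves settle the question either way. What msmcleod's reply in post 1 actually asks for is a look at the network activity. The script below is an added example, not code from this thread or from the ASIOLink project: it takes connection records in an assumed one-line-per-connection layout (constructed sample, with the process name asiolink_example.exe and RFC 5737 documentation addresses standing in for public hosts) and separates loopback and LAN peers, which ASIO-over-network traffic would explain, from external destinations and listening ports, which are the ones a user would want an explanation for.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in a simple "timestamp process proto local -> remote state" layout.
# The layout and the process name "asiolink_example.exe" are assumptions for this
# example, not the output of any particular monitoring tool.
SAMPLE_LOG = """\
2024-05-01T10:00:01 asiolink_example.exe TCP 192.168.1.20:49152 -> 192.168.1.30:3389 ESTABLISHED
2024-05-01T10:00:02 asiolink_example.exe TCP 192.168.1.20:49153 -> 127.0.0.1:135 ESTABLISHED
2024-05-01T10:00:05 asiolink_example.exe TCP 192.168.1.20:49154 -> 203.0.113.7:443 SYN_SENT
2024-05-01T10:00:06 asiolink_example.exe TCP 192.168.1.20:49155 -> 198.51.100.9:8443 ESTABLISHED
2024-05-01T10:00:07 svchost.exe UDP 192.168.1.20:49156 -> 192.168.1.1:53 ESTABLISHED
2024-05-01T10:00:08 asiolink_example.exe TCP 0.0.0.0:7000 -> 0.0.0.0:0 LISTENING
this line is not a connection record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<lip>[\d.]+):(?P<lport>\d+)\s+->\s+"
    r"(?P<rip>[\d.]+):(?P<rport>\d+)\s+(?P<state>\S+)$"
)

# Ranges treated as "local" here: loopback, the RFC 1918 private ranges and link-local.
# Checked explicitly instead of via ipaddress.is_private, because Python also counts the
# RFC 5737 documentation ranges (used above as stand-ins for public hosts) as private.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def parse_line(line):
    """Return a dict for one connection record, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["lport"] = int(rec["lport"])
    rec["rport"] = int(rec["rport"])
    return rec


def classify_remote(ip_str):
    """Bucket a remote address as unspecified, loopback, lan or external."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in LOCAL_NETS):
        return "lan"
    return "external"


def summarize(log_text):
    """Group remote endpoints and listening ports per process."""
    summary = defaultdict(lambda: {"loopback": set(), "lan": set(),
                                   "external": set(), "listening": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary[rec["proc"]]
        if rec["state"] == "LISTENING":
            entry["listening"].add(rec["lport"])
            continue
        kind = classify_remote(rec["rip"])
        if kind == "unspecified":
            continue
        entry[kind].add((rec["rip"], rec["rport"]))
    return dict(summary)


def external_destinations(log_text, process):
    """Sorted (ip, port) pairs outside loopback/LAN for one process: the ones to account for."""
    return sorted(summarize(log_text).get(process, {}).get("external", set()))


if __name__ == "__main__":
    for proc, entry in summarize(SAMPLE_LOG).items():
        print(f"{proc}: listening={sorted(entry['listening'])} "
              f"lan={sorted(entry['lan'])} external={sorted(entry['external'])}")
```

    Feed it a capture taken while the ASIO bridge is idle and again while it is in use; LAN and loopback peers that match the machines you bridge audio between are what the tool is expected to produce, while anything left in the external bucket, or an unexpected listening port, is what needs to be accounted for before the "false positive" verdict can be trusted.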

