Free software, often downloaded from large freeware distribution sites, is a boon for the internet, giving users functionality they would otherwise not have. Users, happy to be getting something for free, often fail to notice the hints in the licence agreement that additional software and services are bundled with the freeware they want.
Graftor, also known as the LoadMoney adware dropper, is a potentially unwanted program (PUP) often installed as part of freeware installers. We wanted to investigate the effects this software has on a user's system. According to the analysis performed in our sandbox, Graftor and the affiliate files it downloads perform the following functions:

  • Hijacks the user's browser and injects advertising banners
  • Installs other potentially unwanted applications from partners such as mail.ru
  • Installs these programs silently, without asking the user
  • Turns random web page text into links
  • Adds Desktop and Browser Quick Launch links
  • Changes the user's homepage
  • Changes the user's search provider
  • Executes partner adware that social-engineers the user into installing further software
  • Checks for installed AV software
  • Checks for sandbox environments
  • Includes anti-analysis protection
  • Makes unnecessary API calls to overflow sandbox environments
  • Creates/modifies system certificates

Functionality
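As an added illustration (not part of the original post or of the Talos sandbox), the following Python script triages a constructed behaviour trace for the indicators listed above: homepage and search-provider changes, system certificate writes, AV and sandbox checks, and API-call flooding. The trace format, the sample registry targets and process names, and the flooding threshold are assumptions.

```python
"""Triage a constructed sandbox behaviour trace for PUP-style indicators."""
import re
from collections import Counter

# Constructed sample trace (not real Graftor output): one event per line, "<api>|<target>".
# The first five lines mimic the behaviours described above; the repeated GetTickCount
# calls mimic API flooding aimed at overflowing a sandbox's event log.
SAMPLE_TRACE = """\
RegSetValueExW|HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page
RegSetValueExW|HKCU\\Software\\Microsoft\\Internet Explorer\\SearchScopes\\{placeholder-guid}\\URL
RegSetValueExW|HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\PLACEHOLDER\\Blob
Process32NextW|vboxservice.exe
Process32NextW|avp.exe
""" + "GetTickCount|\n" * 2000

# Detection rules: (label, regex on API name, regex on target). Patterns are assumptions.
RULES = [
    ("homepage_changed", r"^RegSetValue", r"Internet Explorer\\Main\\Start Page$"),
    ("search_provider_changed", r"^RegSetValue", r"SearchScopes"),
    ("system_cert_modified", r"^RegSetValue", r"SystemCertificates\\ROOT"),
    ("sandbox_check", r"^Process32", r"(?i)vboxservice|vmtoolsd"),
    ("av_check", r"^Process32", r"(?i)^(avp|avgnt|msmpeng)\.exe$"),
]
FLOOD_THRESHOLD = 1000  # assumed: more calls than this to one trivial API is flagged


def parse_trace(text):
    """Return a list of (api, target) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        api, target = line.split("|", 1)
        events.append((api, target))
    return events


def triage(text):
    """Apply the rules and the flooding heuristic; return sorted findings."""
    events = parse_trace(text)
    findings = set()
    for api, target in events:
        for label, api_re, target_re in RULES:
            if re.search(api_re, api) and re.search(target_re, target):
                findings.add(label)
    api_counts = Counter(api for api, _ in events)
    flooded = sorted(a for a, n in api_counts.items() if n > FLOOD_THRESHOLD)
    if flooded:
        findings.add("api_flooding")
    return {"findings": sorted(findings), "flooded_apis": flooded}


if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```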

Talos Group

Talos Security Intelligence & Research Group