Graftor – But I Never Asked for This…

September 5, 2017 - 0 Comments


Free software often downloaded from large freeware distribution sites is a boon for the internet, providing users with functionality that otherwise they would not be able to use. Often users, happy that they are getting something free, fail to pay attention to the hints in the licence agreement that they are receiving additional software services bundled with the freeware they desire.
Graftor aka LoadMoney adware dropper is a potentially unwanted program often installed as part of freeware software installers. We wanted to investigate the effects this software has on a user’s system. According to the analysis performed in our sandbox, Graftor and the associated affiliate files it downloads perform the following functions:

  • Hijacks the user’s browser and injects advertising banners
  • Installs other potentially unwanted applications from partners like
  • It does not ask the user, it just silently installs these programs
  • Random web page text is turned into links
  • Adds Desktop and Browser Quick Launch links
  • User’s homepage is changed
  • User’s search provider is changed
  • Partner adware is executed and it social engineers the user to install further software
  • Checks for installed AV software
  • Checks for sandbox environments
  • Anti-Analysis protection
  • Unnecessary API calls to overflow sandbox environments
  • Creates/Modifies system certificates
  • Functionality

<<


In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.