Malicious Repacked KMSpico

KMSpico is a well-known tool to activate Microsoft’s product, though it has stopped update already and it’s illegal.

And there are lots of repacked version on the Internet, we got a sample which looks a bit more interesting.

This time I want to direct run the sample in Sandboxie.

Like other malicious repacked KMSpico, it drops a malware and run it during installation.

Dropped File Path: “C:\Program Files (x86)\Common Files\InstallShield\Update\ISUSPM.exe”

It’s a heavily obfuscated .NET-based malware, but it’s not the most important point in this blog post.

SpyShelter told me the setup file wanted to create a schedule task which will use wscript to run an INI file periodically.

So I found the INI file.

It looks like a INI file on the first sight, but did you mention the first 2 characters? There are the beginning of a comment in some of programming languages like C/C++/JavaScript. And it will be “run” periodically, so script must hide in it.

When I scrolled down to browse other parts of this INI file, I found something abnormal. As the image shown above, there are lots of signs of javascript.

A better way to find the hidden script is just using some text editor to highlight some keywords.

Looks much more better than before.

This script will download a file and run it with “/VERYSILENT” argument, this argument is widely used by some installers.

Related MD5:




X-Sec Antivirus Detection:

Cloud Engine:

Cloud:Trojan.Win32.Dropper(For malicious repacked KMSpico)

Cloud:Trojan.Win32.Generic(For dropped malware)

Cloud:Trojan.Script.Downloader(For dropped script)