Suspicious executable behaviour

[aziouk]

Hi, I am aware this project is not open source. When testing the exe I found it created the following process in virustotal sandbox;
+C:\Program Files\Google3992_1565437445\bin\updater.exe

I think perhaps I misunderstand, but is there any reason why a savegame editor would create inject a process command of this name?

For more details please see;
https://www.virustotal.com/gui/file/0da97836e56d981906e821449d309366b82ed9fee29d04a8824e2ab2c16cd4a5/behavior

The above url is the tests for the mw5 save editor released at https://github.com/wmtorode/MW5-SaveEditor/releases/tag/v1.6.5.

Is this a false positive, or reason for great concern? The test shows the current release of MW5-SaveEditor has code injected in C:\Program Files\Google3992_1565437445\bin\updater.exe. Why would the savegame editor inject code into a process of this name?

Best,
Adam

[wmtorode]

I believe this a false positive.

From my understanding of how virustotal works is to run the application in a VM of sorts and then report back on everything that occurred while the application ran? (correct me if I'm wrong on this)

from what I have read updater.exe is run on a scheduled tasks automatically on any PC with chrome installed (so that chrome checks for new versions and updates automatically) and from the screenshots in the full analysis, I can see chrome is pinned to the taskbar, so that likely explains it.

Beyond that, the save editor itself certainly doesn't inject or call any other application. The only other possibility would be that one of its components do. the major 3rd party components of the editor are:

• PyInstaller (used to create the exe and serves as the bootstraper to load the application when the exe is invoked)
• Qt (version 5.13.1 specifically)

both of these are fairly standard and well known components and both are open source. While its possible they might have some interactions with chrome's updater, I don't see any reports of them doing so at a glance or any reason for them to do so.

if its neither the scheduled chrome update check or one of those 2 components having an interaction I'm not aware of, then I'm at a loss to explain why virus total saw this.

Hope that helps
-Jamie

[aziouk]

Hi Jamie,

Thanks for your prompt and informing reply, it is appreciated because I'd really like to use the MW5-saveeditor 👯 .

I too, also suspected there was some possibility that virustotal was flagging this as a false positive.

Once again I really appreciate your reply, and agree with you if the detection is not correct the only other explanation is the virustotal is detecting changes in +C:\Program Files\Google3992_1565437445\bin\updater.exe happening in the sandbox init and misattributing it as something being dropped/injected by the EXE. In this case that is unfortunate as it makes it look like a root kit / trojan.

If we look at the files dropped in the mw5saveeditor EXE they all pass OK. It was just weird to also see A file written as "C:\Users\user\AppData\Local\Temp\5xjppjwc" by the executable. Which was what led me to look deeper into this, though I could not find any file written by the EXE for the Google bin updater.exe either, so, it seems on second inspection it is quite likely your explanation is entirely correct.

However, it is somewhat unusual to see randomly named files being dropped like \Users\user\AppData\Local\Temp\5xjppjwcal, which is what led me to closer inspect the behaviour discovering the google updater bin. In all likelihood your explanation is correct.

At present not enough evidence either way is available for me to conclude whether the exe is safe or not, and because it is closed source it is not possible to compare results to confirm a false positive.

I hope this helps prevent false positives in the future, and resolves it for other people that didn't download it because of this, if indeed this is a false report.

Thanks a lot for your prompt assistance, greatly appreciate it.

Best wishes,
Adam

[wmtorode]

I would suspect that "C:\Users\user\AppData\Local\Temp\5xjppjwc" is also likely another process on the system. "C:\Users\user\AppData\Local\Temp" is the default location for the %TEMP% directory for a user and a good way of making a temp directory that is unlikely to be currently in use is to add a random string to the end of that., my guess is that "C:\Users\user\AppData\Local\Temp\5xjppjwc" was ulitmately a directory some process spawned and then didn't end up needing and deleted when it was closed.

the save editor does also make use of such things through PyInstaller, which bootstraps and then unpacks files into temporary directories (in our case usually prefixed with _MEI ). those are then disposed of when execution terminates.

Ultimately, I can only give you my word that the exe is safe to run and it is of course your right to decide for yourself if something is safe enough to run or not and I respect you being suspicious of anything out of the ordinary, we'd probably have alot less issues with malware if more people took the time to check or even think before running something.

• Jamie.

[aziouk]

Thanks Jamie, I agree that this looks like the likely explanation for the behaviour virustotal reports, it is describing the sandbox, and not just the exe.

Also, you from your response you seem like a responsible individual, added to this the since the code base is well established enough that I am more than fairly satisfied now it is a false indicator.

Thanks for your patience responding, anyway, before I reported this I thought that 'if there had been a real problem someone else would have reported it far long before now', as it turns out, it seems very much like that conclusion was correct, but never say never so thought I'd check.

I now have peace of mind to install the editor myself, thanks again for your response and courteous explanation, greatly appreciated.

Best wishes,
Adam