{
	"id": "50f6e304-0a30-47bc-b730-58ff9f4fb5f8",
	"created_at": "2026-04-06T01:31:05.050287Z",
	"updated_at": "2026-04-10T03:21:20.585356Z",
	"deleted_at": null,
	"sha1_hash": "e208a01b04680daede2511abf840f54c445aa3f8",
	"title": "Graftor - But I Never Asked for This… - Malware News - Malware Analysis, News and Indicators",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 125180,
	"plain_text": "Graftor - But I Never Asked for This… - Malware News - Malware Analysis, News and Indicators\r\nPublished: 2017-09-05 · Archived: 2026-04-06 00:46:25 UTC\r\nThis post is authored by Holger Unterbrink and Matthew Molyett\r\nOverview\r\nFree software often downloaded from large freeware distribution sites is a boon for the internet, providing users with functionality that they otherwise would not be able to use. Often users, happy that they are getting something for free, fail to pay attention to the hints in the licence agreement that they are receiving additional software services bundled with the freeware they desire.\r\nGraftor, aka LoadMoney, is an adware dropper and potentially unwanted program often installed as part of freeware software installers. We wanted to investigate the effects this software has on a user’s system. According to the analysis performed in our sandbox, Graftor and the associated affiliate files it downloads perform the following functions:\r\nHijacks the user's browser and injects advertising banners\r\nInstalls other potentially unwanted applications from partners like mail.ru\r\nIt does not ask the user; it just silently installs these programs\r\nRandom web page text is turned into links\r\nAdds Desktop and Browser Quick Launch links\r\nUser’s homepage is changed\r\nUser’s search provider is changed\r\nPartner adware is executed and it social engineers the user to install further software\r\nChecks for installed AV software\r\nChecks for sandbox environments\r\nAnti-analysis protection\r\nUnnecessary API calls to overflow sandbox environments\r\nCreates/modifies system certificates\r\nFunctionality\r\nOne of the first actions of the software is to install additional software on the user’s desktop and change browser settings to point to third-party websites (Fig. 1):\r\nLooking at the Cisco Umbrella DNS data for the CnC domain used in this campaign, we can see that the campaign only lasted for a couple of days (Fig. 2a), but affected a significant number of people. Fig. 2b and 2c show domains of two of the affiliate applications which Graftor installed during our sandbox run. It is very likely that this includes users who didn’t intend to install these additional applications.\r\nRegularfood[.]gdn (Command and Control Server Domain)\r\nAffiliates (programs installed by Graftor):\r\nTechnical Details\r\nA few minutes after executing the original Graftor dropper (2263387661.exe), the software downloaded and installed a series of additional executables. This results in the process tree looking like this (Fig. 3):\r\nWe analysed the Graftor dropper/downloader (2263387661.exe). It comes with multiple stages of obfuscation. The first unpacking stage of the executable uses a heavily obfuscated but fairly simple unpacking algorithm, which we will describe in the following section.\r\nThis algorithm is obfuscated in the WinMain function, distributed over several sub functions. Fig. 4 shows the complexity of the WinMain function in IDA; many of these building blocks are combined with further sub functions, jumping back and forth, which makes analysis particularly challenging.\r\nFirst, a new buffer is allocated (see Fig. 5 at 00401395):\r\nThen the bytes from 00416B6A (see Fig. 9 below) are decoded by different sub functions within the WinMain function. For example, see loc_4013EC in Fig. 6.\r\nThe code avoids calling functions by address values and instead calls them via the values stored in registers or variables. For example, the call ebx instruction in Fig. 5 at 00401395 results in a VirtualAlloc call. This makes static analysis of the code harder, e.g. without deeper analysis it is difficult to identify the destination of the call at 00401395 shown in Fig. 5.\r\nhttps://malware.news/t/graftor-but-i-never-asked-for-this/14857\r\nPage 1 of 6\r\nFig. 6\r\nFinally the decoded bytes are handed over to a function (Fig. 7, write_unpkd_bytes2buf) which writes these bytes into a buffer. This is the buffer which was allocated in Fig. 5 at 00401395. The decoding loop starts again until all bytes are decoded:\r\nFig. 8 shows the write_unpkd_bytes2buf function itself:\r\nThe end result is that despite all of the complexity and obfuscation, the unpacking algorithm is remarkably simple and translates to the following pseudo-code (see Fig. 9 comments):\r\nThis first stage of unpacking extracts the code into memory. After successfully unpacking this code it is executed via call ecx (see Fig. 10) - the second stage of the unpacker:\r\nThis second stage code is position independent. It is loaded into a random address space picked by the operating system. The VirtualAlloc function in Fig. 5, which we have mentioned above, is called with LPVOID lpAddress set to NULL, which means that the system determines where to allocate the memory region. This second stage is even more obfuscated by spaghetti code than the first stage. Its main task is to rebuild the Import Address Table (IAT) and resolve the addresses of certain library functions (Fig. 11), plus modify the original PE file.\r\nIt stores the function addresses in different local variables. These are passed as arguments to several setup functions, for example: change memory region 0x400000 - 0x59C000 to read/write/execute (see Fig. 12). In other words, change the whole .text, .rdata, .data, and .rsrc section of the original PE file to read/write/execute. This enables the dropper to modify and execute the code stored in these regions. As we have already seen, in order to frustrate static analysis, most calls are obfuscated by either calling registers or variables (Fig. 12).\r\nThe next step, at 002A14F6, is to allocate a buffer located at 01DC0000:\r\nThis buffer is filled with the bytes copied from 0042d049 from the original packed PE file:\r\nThis data is an encoded PE file. After copying the bytes to memory, it decodes them and writes them back to the buffer (Fig. 16a) at 01DC0000 (Fig. 16b).\r\nThis stage is protected with an anti-debugging technique. The executable uses the following two GetTickCount calls to measure the time between the two calls (Fig. 17a and 17b). If it takes too long the executable will crash.\r\nAfter resolving more library function addresses and fixing the IAT of the PE file in memory, it sleeps for 258 milliseconds and jumps back to 004897D3, which we will call the third stage from now on.\r\nThe 2nd unpacking stage, the one we have just discussed, also decodes the URL which is later used to contact the command and control server.\r\nFirst it allocates a buffer, e.g. at 002B0000 (Fig. 19a), and reads the encrypted URL from the original sample at 004020c0, decodes it and stores it in the allocated buffer, i.e. 002B0000 again (Fig. 19b).\r\nThe third stage (see above) is a C++ executable compiled with Visual Studio. Global object initializers allow custom classes to run during the C runtime initialization, before the apparent WinMain entry point. Organizing code in this way allows the malware to prepare the system survey in a way that is hidden from analysts who commence their analysis from WinMain. Later, when the associated code is used, the execution is masked by memory redirection and virtual function calls.\r\nBelow you can see the callback function addresses stored in the .rdata segment of the PE file (Fig. 20) and its initialization function InitCallbacks (Fig. 21 and Fig. 23).\r\nFig. 20\r\nFig. 21\r\nFrom the pre-WinMain C Run Time library (CRT) initialization, the callback function list gets created and populated with an association of named strings (e.g. “OS”), later observed in the CnC traffic, and several system information collection callback functions. For example, a \"systemFS\" string in the CnC traffic leads to a call to the Graftor_CollectSystemVolumeInformation function, or \"OS\" triggers the call of Graftor_CollectWindowsInformation. Fig. 22 shows an example of such function calls and pseudo code which would lead to assembler code similar to that discussed.\r\nFig. 22\r\nThe created list is linked to a global address location, which is later linked back again to local variables. Such redirection is subtle in source code, but the resulting execution means that chains of memory accesses are seen instead of just nice clean references to the object.\r\nLater on, a string is passed along to look up the callback and call it indirectly (Fig. 25).\r\nBy using std::basic_string\u003cwchar_t\u003e instead of just plain wchar_t arrays, every string interaction adds two function calls and indirection. Instead of the analyst seeing a wide string being pushed to one function, it is instead a series of three. Before significant markup is performed (or when viewed in a debugger) this is just a mess of function calls and memory manipulation. Complicating the matter is that the std library is statically linked into the binary rather than dynamically linked, so the analyst doesn’t get DLL calls as hints.\r\nFurther on, this 3rd stage is protected by another anti-debugging technique: the sample registers a VectoredExceptionHandler for first-chance exceptions (C0000005), as you can see in Fig. 26 and 27:\r\nThen it marks the code section as PAGE_NOACCESS.\r\nThis means an exception is triggered for every single instruction in this section. The exception handler function (see Fig. 27 above) overwrites the PAGE_NOACCESS access right for the memory location which caused the exception with PAGE_EXECUTE_READWRITE, so it can be executed. The exception handler function then returns to the initial instruction, which can now be executed, but the next instruction is still protected by PAGE_NOACCESS and will cause the next exception. With a debugger attached, this interrupts the debugging session for every instruction. Even if the exceptions are directly passed back to the executable, it massively slows down the execution speed.\r\nAt 004BB3FA the software starts preparing the internet request to the CnC server and encrypts the collected information to perform a GET request (Fig. 29a-c):\r\nTalos has decrypted the GET request that is sent to the CnC server. The decoded content consists of a JSON file, which you can download here.\r\nThe executable is capable of sending the following information to the C2 server:\r\nMAC, SID, HD serial number, username, GUID, hostname, HD size, HD device name, filesystem, OS version, browser version, DotNET version, video driver, language settings, memory, system BIOS version, domain name, computer name, several processor related parameters, number of processors, other installed adware and unwanted programs, running processes, keyboard settings, antispyware, firewall, antivirus and more.\r\nThe server responds to this with an encrypted configuration file which is processed here:\r\nThe same decryption algorithm which is used for the GET request is also used to decrypt the CnC server's response. It generates a fairly simple stream seeded by the first byte of the packet and XORs it with the data. Underneath the encryption is a simple gzip stream.\r\nThe full decrypted file can be downloaded here. It contains the adware and other unwanted programs the Graftor downloader is supposed to install for its partners/customers. You can see an example in Fig. 31.\r\nThe first URL from the ‘l’ key is used to download the partner executable and install it. The ‘a’ key is used as its command line parameters. We have yet to identify the exact meaning of all the keys; they are passed as parameters to a quite large JSON library. This library is also statically compiled into the binary. Besides the JSON library we also found a statically compiled SQLite library; we haven’t fully investigated how it is used by the executable. However, at this point we have enough information to detect and stop this adware downloader.\r\nThe information presented so far clearly shows the sophistication of this piece of software. With the data presented in the two decoded files, you have a good idea of the capabilities of the software and the impact it has on infected systems.\r\nGraftor, and the applications that it downloads, also heavily check for AV products and use various techniques to detect if they are running in a sandbox environment. These are very similar to techniques commonly observed in malware.\r\nThe software makes many excessive API calls such as the following (Fig. 28), which has the effect of polluting sandbox analysis.\r\nConclusion\r\nGraftor continues to be one of the most notorious potentially-unwanted-software downloaders we see in the wild. Users may be unaware that it is being bundled and executed as part of the freeware installation, since these installation files silently execute Graftor alongside the freeware.\r\nOnce Graftor is running, it exfiltrates a huge amount of user and machine identifiable information and installs additional potentially-unwanted-applications from its partners. The downloader requests administrative rights on the local machine; with this access, it can do anything it wants to do on the user's machine.\r\nSolutions such as AMP for Endpoints and AMP on network devices give administrators visibility of when software such as Graftor, and the further packages it downloads, are installed on devices. Similarly, network based detection can identify and block the CnC activity (Snort SID 44214). Thought should be given to blocking access to freeware websites to prevent the download of the Graftor installer. However, much freeware does not come bundled with Graftor and may be of great use to some users.\r\nAt the end of the day, keep in mind that if the software is free, you might be the product. Anyone using freeware should closely review the EULA before installing it. We know it is painful, but trying to remove this kind of software is likely more painful.\r\nCoverage\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as NGFW, NGIPS, and Meraki MX with Advanced Security can detect malicious activity associated with this threat. AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products. Umbrella prevents DNS resolution of the domains associated with malicious activity. Stealthwatch detects network scanning activity, network propagation, and connections to CnC infrastructures, correlating this activity to alert administrators.\r\nIOC\r\nAlternate Data Streams (ADS):\r\nC:\\Users\\dex\\AppData\\Local\\Temp\\2263387661.exe:Zone.Identifier\r\nC:\\Users\\dex\\AppData\\Local\\Temp\\QBPO5ppcuhJG.exe:tmp\r\nC:\\Users\\dex\\AppData\\Local\\Temp\\2263387661.exe:tmp\r\nC:\\Users\\dex\\AppData\\Local\\Temp\\AyWdp7tHPIeU.exe:tmp\r\nC:\\Windows\\System32\\regsvr32.exe:Zone.Identifier\r\nHashes:\r\n2263387661.exe (Graftor Dropper)\r\n9b9ce661a764d84a4636812e1dfcb03b (MD5)\r\nfd3ccf65eab21a77d2e440bd23c59d52e96a03a4 (SHA1)\r\n41474cd23ff0a861625ec1304f882891826829ed26ed1662aae2e7ebbe3605f2 (SHA256)\r\nDumped 2nd stage:\r\n40bde09fc059f205f67b181c34de666b (MD5)\r\n99c7627708c4ab1fca3222738c573e7376ab4070 (SHA1)\r\neefdbe891e35390b84181eabe0ace6e202f5b2a050e800fb8e82327d5e57336d (SHA256)\r\nDumped 3rd stage:\r\n1e9f40e70ed3ab0ca9a52c216f807eff (MD5)\r\n7c4cd0ff0e004a62c9ab7f8bd991094226eca842 (SHA1)\r\n5eb2333956bebb81da365a26e56fea874797fa003107f95cda21273045d98385 (SHA256)\r\nURLs:\r\nCommand and Control Server GET Request:\r\nhxxp://kskmasdqsjuzom[.]regularfood[.]gdn/J/ZGF0YV9maWxlcz0yMyZ0eXBlPXN0YXRpYyZuYW1lPVRlbXAlNUMyMjYzMzg3NjYxLmV4ZSZyb\r\nSet-Cookie: GSID=3746aecf3b94384b9de720158c4e7d88; expires=Sat, 12-Aug-2017 15\r\nCommand and Control Server POST Request:\r\nhxxp://kskmasdqsjuzom[.]regularfood[.]gdn/J/ZGF0YV9maWxlcz0yMyZ0eXBlPXN0YXRpYyZuYW1lPVRlbXAlNUMyMjYzMzg3NjYxLmV4ZSZyb\r\nSet-Cookie: GSID=3746aecf3b94384b9de720158c4e7d88; expires=Sat, 12-Aug-2017 15\r\nDomains from sandbox run:\r\narolina[.]torchpound[.]gdn\r\nbinupdate[.]mail[.]ru\r\ncrl[.]microsoft[.]com\r\ndreple[.]com\r\ngambling577[.]xyz\r\njvusdtufhlreari[.]twiceprint[.]gdn\r\nkskmasdqsjuzom[.]regularfood[.]gdn\r\nmentalaware[.]gdn\r\nmrds[.]mail[.]ru\r\nnottotrack[.]com\r\nplugpackdownload[.]net\r\ns2[.]symcb[.]com\r\nsputnikmailru[.]cdnmail[.]ru\r\nss[.]symcd[.]com\r\nxml[.]binupdate[.]mail[.]ru\r\nSnort Rules:\r\nSID 44214\r\nSource: https://malware.news/t/graftor-but-i-never-asked-for-this/14857",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://malware.news/t/graftor-but-i-never-asked-for-this/14857"
	],
	"report_names": [
		"14857"
	],
	"threat_actors": [],
	"ts_created_at": 1775439065,
	"ts_updated_at": 1775791280,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e208a01b04680daede2511abf840f54c445aa3f8.pdf",
		"text": "https://archive.orkl.eu/e208a01b04680daede2511abf840f54c445aa3f8.txt",
		"img": "https://archive.orkl.eu/e208a01b04680daede2511abf840f54c445aa3f8.jpg"
	}
}