Tysonpower / starlinkstatus

starlinkstatus.space - Starlink Statuspage with Speedtest
93 stars, 14 forks

Multiple threat detections in automated installer #51

Closed andyg2 closed 4 weeks ago

andyg2 commented 4 weeks ago

After looking through this installer script I took a chance and ran it. I immediately got a few threat detections springing up.


Confirmed with VirusTotal: schedulestarlinkstatus.exe https://www.virustotal.com/gui/file/21df14bd23505ffa7b43cc46a996376875316cbbce76d7f47d700ea000df7118

StarlinkInstaller.exe https://www.virustotal.com/gui/file/abe3772189347e2d193cdcb9c72445934294a784754803331639128b434de0ce

starlinkprestart.exe https://www.virustotal.com/gui/file/024cb4ecb5926f2550bc4783c1ba325ff971cf63773654ae6991ce610dee6b68

unschedulestarlinkstatus.exe https://www.virustotal.com/gui/file/794720968f5e1e9b0303f6fcdededfb31e02b0069be7877bbd920bcf9746987e

Tysonpower commented 4 weeks ago

As you can see in the open source code (see .ps1 files) in the repo, these detections are false. The software doesn't do anything bad, but I think executing scripts via the command line with admin privs is something the virus scanners just don't like to see, especially if it happens in the background, which is needed for this type of script. I'm not really into Windows and the Win version was made by someone from the community, so I don't know how to fix that sadly.

@tevslin Any idea how to fix that?

andyg2 commented 4 weeks ago

> As you can see in the open source code (see .ps1 files) in the repo, these detections are false. The software doesn't do anything bad, but I think executing scripts via the command line with admin privs is something the virus scanners just don't like to see, especially if it happens in the background, which is needed for this type of script. I'm not really into Windows and the Win version was made by someone from the community, so I don't know how to fix that sadly.
>
> @tevslin Any idea how to fix that?

I find it very surprising that something which is supposed to schedule or de-schedule a task would be detected as a trojan horse.

The script downloads compiled executables so it's not as simple as checking the source code. So why are compiled executables required? Wouldn't powershell files be able to do everything required? Also I've written powershell scripts which schedule tasks as admin, so I know it's possible without an executable and none of those have ever been flagged by windows defender.

Maybe you have fallen victim to a supply chain attack but until this is sorted out I suggest you stop recommending this automated windows installer.

Decompiling StarlinkInstaller.exe with:

- angr: failed
- Ghidra: failed
- Hex-Rays: failed
- BinaryNinja: succeeded

However the source code is deliberately obfuscated. According to GPT4o, it's likely malware.

https://chatgpt.com/share/bd72d7d9-17d1-49cc-a367-18117bad3312

Observations:

- Complexity: The code is purposefully made complex and obfuscated, potentially to hide its true functionality or to make reverse-engineering difficult.
- Potential Malware: Given the level of obfuscation and manipulation of memory, this code could be part of a malware routine designed to evade detection or perform low-level tasks like modifying system memory or registers.
- Trap Instruction: The trap(0xd); at the end suggests it might be invoking a CPU trap or exception, potentially crashing the program or invoking a debug interrupt.

andyg2 commented 4 weeks ago

Further information from a friend:

I've analyzed the decompiled code you sent me, and there are many indicators that strongly suggest this is indeed malware. Here are my key observations:

- Obfuscated and suspicious operations: The code contains numerous obfuscated operations, bit manipulations, and seemingly random memory accesses that are typical of malware trying to hide its true purpose.
- Potential code injection: There are multiple instances of modifying memory locations and code sections, which could be attempts at code injection or self-modification.
- Suspicious API calls: The code uses low-level functions like __outsd, which are often used in malware for direct hardware access or to evade detection.
- Anti-analysis techniques: The code contains multiple traps and undefined behavior, which could be attempts to thwart reverse engineering or debugger analysis.
- Potential shellcode: Some sections resemble shellcode, with byte-by-byte operations and jumps to dynamically calculated addresses.
- Suspicious string: The presence of strings like "0x130a0000" repeated throughout the code is unusual and could be part of an encoding or encryption scheme.
- Potential exploit code: The function sub_4037cd contains operations that could be part of an exploit, such as stack manipulation and potential buffer overflows.
- Suspicious loops and conditions: There are many loops and conditions that seem to serve no logical purpose, which is common in malware trying to obscure its functionality.
- Potential process/thread manipulation: There are operations that could be manipulating process or thread contexts, which is common in malware for persistence or hiding.

It's not possible to determine the exact nature or purpose of this malware without further analysis, but the code exhibits many characteristics typical of malicious software. It's highly recommended to treat this file as malicious and handle it with extreme caution. If you encountered this file on a system, it would be advisable to perform a thorough security scan and potentially seek the assistance of a cybersecurity professional.

I'll continue to work on this and get back to you if I'm able to learn more.

So the obvious question is why on earth would a simple speed-test installation script go to so much trouble to obfuscate the code?

Tysonpower commented 4 weeks ago

Thanks for all the work first of all. From what I understand the exe files are generated with a tool called ps2exe, see the script:

https://github.com/Tysonpower/starlinkstatus/blob/main/windowsinstall/s2exe.ps1

If this is the case all should be fine; I think providing the exe files is just nice so not everybody needs to download the ps2exe software or something.

I didn't build it so I can't say if the exes are fine or not. @tevslin please comment how the exes are generated, otherwise I will just remove them from the repo and add a comment how to generate them.

andyg2 commented 4 weeks ago

Hi, thanks for that info. With that I was able to decompile the scripts entirely with dnSpy and I can confirm there's nothing nasty in them.

The code causing the alerts is indeed benign, for example: schtasks /delete /tn starlinkstatus /f and schtasks /create /sc minute /mo 15 /tn starlinkstatus /tr "$StarlinkFolder\starlinkprestart.exe" /f

The /f (force) flag is possibly causing the problems. I think they will work just as well without /f as they are already running as admin.
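Added example, not code from the starlinkstatus repo or its installer, covering both the supply-chain concern raised earlier in the thread and the /f question just above: it only installs the four binaries if their SHA-256 matches the hashes from the VirusTotal links in this issue, then registers the same 15-minute task without /f. $BaseUrl and $StarlinkFolder are placeholders, not the installer's real values.

```powershell
# Added example (not the project's installer). Fail-closed fetch of the four
# binaries, pinned to the SHA-256 values from the VirusTotal links in this thread.
$BaseUrl        = 'https://example.invalid/starlinkstatus/windowsinstall'  # placeholder URL
$StarlinkFolder = Join-Path $env:ProgramData 'starlinkstatus'             # placeholder folder

# Expected SHA-256 per file, taken from the VirusTotal URLs quoted in the issue.
$Expected = @{
    'schedulestarlinkstatus.exe'   = '21df14bd23505ffa7b43cc46a996376875316cbbce76d7f47d700ea000df7118'
    'StarlinkInstaller.exe'        = 'abe3772189347e2d193cdcb9c72445934294a784754803331639128b434de0ce'
    'starlinkprestart.exe'         = '024cb4ecb5926f2550bc4783c1ba325ff971cf63773654ae6991ce610dee6b68'
    'unschedulestarlinkstatus.exe' = '794720968f5e1e9b0303f6fcdededfb31e02b0069be7877bbd920bcf9746987e'
}

function Get-VerifiedArtifact {
    param([string]$Name, [string]$Sha256)
    $dest = Join-Path $StarlinkFolder $Name
    $tmp  = "$dest.download"
    # Download to a temp name so a tampered file never lands under the final name.
    Invoke-WebRequest -Uri "$BaseUrl/$Name" -OutFile $tmp -UseBasicParsing
    $actual = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash.ToLowerInvariant()
    if ($actual -ne $Sha256.ToLowerInvariant()) {
        Remove-Item $tmp -Force
        throw "Hash mismatch for ${Name}: expected $Sha256, got $actual. Refusing to install."
    }
    Move-Item $tmp $dest -Force
    return $dest
}

New-Item -ItemType Directory -Path $StarlinkFolder -Force | Out-Null
foreach ($entry in $Expected.GetEnumerator()) {
    Get-VerifiedArtifact -Name $entry.Key -Sha256 $entry.Value | Out-Null
}

# Same schedule the installer uses, but without /f: schtasks then refuses to
# overwrite an existing task named starlinkstatus and returns a non-zero exit code,
# so a pre-existing task of that name is surfaced instead of silently replaced.
schtasks /create /sc minute /mo 15 /tn starlinkstatus /tr "$StarlinkFolder\starlinkprestart.exe"
if ($LASTEXITCODE -ne 0) { throw "schtasks /create failed (exit code $LASTEXITCODE)" }
```

The pinned hashes only prove the download matches what was analyzed in this thread; updating the binaries means re-checking them (for example with dnSpy, as done above) and updating the table.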

tevslin commented 4 weeks ago

Tyson, as you thought the exe files are generated with ps2exe and are just for convenience. Thanks for following up on this


Tysonpower commented 4 weeks ago

Okay perfect! So this is all solved then :) All have a good night or day :) Greetings from Spain, currently on vacation :P

tevslin commented 4 weeks ago

Definitely not malware. I don’t know what the compiler generates directly but it seems to be exactly what the scripts do in their uncompiled form.
