Closed mohit0121 closed 6 months ago
Hello Team, we are trying to whitelist this app but we have encountered these issues by our Infosec team.
Sorry, not a team (unfortunately). I'm just on my own.
1. Why is this app not digitally signed by a trusted CA?
The application is released as open source, therefore anyone can recompile and sign the application. I currently don't have any trusted certificate to use. If you can propose a solution to get one, I may think about it.
2. This app is flagged as Suspicious during sandbox analysis. Attached reports for reference from Falcon CrowdStrike:
ppInk.exe Sandbox Counter Adversary Operations _ Dynamic Analysis.pdf
ppInk.exe Sandbox Counter Adversary Operations _ Intelligence.pdf
ppInk.exe Sandbox Counter Adversary Operations _ Mitre Attack.pdf
ppInk.exe Sandbox Counter Adversary Operations _ Static Analysis.pdf
I have not been able to look through all elements, but at least I can say:
- "Malicious: Contains ability to capture the screen" -> this is the main function of this application 😉
- "Suspicious: Found a potential E-Mail address in binary/memory" -> this is the mail address for @geovens. I keep it in order to respect copyright.
- "Suspicious: Contains ability to retrieve keyboard strokes" -> required to get the global shortcut to activate the application
- "Suspicious: Contains ability to open a port and listen for incoming connection" -> this is to be able to provide REST API control capability
(sorry for the other entries, I've not been through them)
3. Virus total >> https://www.virustotal.com/gui/file/73fe4fef701bf731274e6e7efd97a1a91566e842ba44f70230fb81e433240736/details
4. Are these detections false positives? If yes, can they be safely ignored?
The detection looks like a false positive: you should be able to report it for deeper analysis.
Request your kind confirmation.
Hoping this will help you and feel free to star the project.
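Before relying on the sandbox verdicts discussed above, a reviewer wants to be sure the binary they are about to whitelist is the same sample that was analysed, and to record its signature state. The following PowerShell is an added example, not code from this thread or from the ppInk project; the install path is a hypothetical assumption, and the SHA-256 is the one from the VirusTotal link in the issue.

```powershell
# Added example, not part of the issue thread or the ppInk project.
# $BinaryPath is a hypothetical location for the downloaded release.
$BinaryPath   = 'C:\Tools\ppInk\ppInk.exe'
# SHA-256 taken from the VirusTotal link quoted in the issue.
$ExpectedHash = '73fe4fef701bf731274e6e7efd97a1a91566e842ba44f70230fb81e433240736'

function Test-PpInkRelease {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # 1. Does the file on disk match the sample that was actually analysed?
    #    If not, the sandbox and VirusTotal verdicts say nothing about this file.
    $actual      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $hashMatches = ($actual -eq $ExpectedSha256.ToLowerInvariant())

    # 2. Authenticode state. The maintainer says the release is unsigned, so
    #    'NotSigned' is the expected value; 'HashMismatch' or 'NotTrusted'
    #    would indicate a tampered or re-signed build, which is the real red flag.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        Path            = $Path
        Sha256          = $actual
        MatchesReviewed = $hashMatches
        SignatureStatus = $sig.Status.ToString()
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        VirusTotalUrl   = "https://www.virustotal.com/gui/file/$actual/details"
    }
}

$result = Test-PpInkRelease -Path $BinaryPath -ExpectedSha256 $ExpectedHash
$result | Format-List

if (-not $result.MatchesReviewed) {
    Write-Warning 'Hash differs from the reviewed sample: the sandbox verdicts do not apply to this file.'
}
if ($result.SignatureStatus -notin @('NotSigned', 'Valid')) {
    Write-Warning "Unexpected signature state: $($result.SignatureStatus)"
}
```

The object it returns (hash, signature state, signer) is what an allow-listing request should carry, since a hash-based rule only covers the exact build that was reviewed.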
@pubpub-zz Thank you for taking the time to review a few of the detections. Much appreciated!
Would you be kind enough to review the attached document (23 detections) and provide your input, detection by detection? This will help us to whitelist the application, and this tool will be deployed and used by our company globally. Doable?
ppInk.exe Sandbox Counter Adversary Operations _ Dynamic Analysis.pdf
I've added my comments.
ppInk.exe..Sandbox..Counter.Adversary.Operations._.Dynamic.Analysis-1rep.pdf
If you finally deploy ppInk in your company, :
Certainly. Please guide me on how to go about starring the project?