Note: this report may be incomplete because the AI analysis reached the following limit(s): token.

# Analysis Report: VKSaver Installation Bundle

## Summary

- **File:** `161ee3cc94b683d301f99f64e7ec1106767b6fc3ebb0b08bef7e22e9096998f5` (#AID=8#)
- **Type:** PE x86 executable, UPX-packed (468,992 bytes)
- **Unpacked:** #AID=9# — PE x86, 669,696 bytes, MSVC 2012
- **Product:** VKSaver v3.3.130726.1469 by Audiovkontake.ru
- **Purpose:** "VKSaver installation bundle" — an installer for a VKontakte audio downloader

---

## Key Detections / IOCs

| Category | Finding |
|----------|---------|
| **Embedded encrypted payload** | XOR-decrypted `downloader.exe` dropped to temp dir (key: `0x75bcd15`, rotating XOR with ROL13) |
| **Embedded encrypted payload** | XOR-decrypted DLL/MSI components (0x4970 and 0x9600 bytes respectively) |
| **Persistence** | `Software\Microsoft\Windows\CurrentVersion\Run` → "VKSaver" |
| **Persistence** | Scheduled task `\VKSaverUpdate` created via COM (`ITaskService`) |
| **DLL injection (AppInit_DLLs)** | Writes `vksaver3.dll` into `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs` and sets `LoadAppInit_DLLs=1` — injects into **every** GUI process |
| **Privilege escalation** | Acquires `SeDebugPrivilege` via `AdjustTokenPrivileges` |
| **Process termination** | Enumerates all processes, finds and kills `vksaver.exe` instances |
| **Browser modification** | Writes `vkontakte.ru .vkontakte.ru *.vkontakte.ru vk.com .vk.com *.vk.com audiovkontakte.ru v.audiovkontakte.ru` into Opera's `operaprefs_fixed.ini` proxy bypass list |
| **Bundled PUA installer** | Launches Yandex Browser MSI with `--partner vksaver-elements --distr /quiet /msicl` with options: `YAHOMEPAGE=y YAQSEARCH=y YABROWSER=y YBSENDSTAT=y` |
| **Browser hijacking** | Enumerates browser windows (iexplore, firefox, chrome, opera, safari, maxthon, browser, totalcmd, far) and sends `WM_CLOSE` to force restart with new homepage |
| **Kesakode** | No confidence matches (Conficker 0/100, Tidepool 0/100) — false positives only |

---

## Evidence

### Encrypted Payload Drop & Execution (sub_404a80, EA 16000)

The function at #AID=9# EA 16000 creates a temp directory, XOR-decrypts an embedded PE using key `0x75bcd15` with ROL13 rotation, writes it to `\downloader.exe`, and executes it via `CreateProcessW`. After execution, it cleans up the temp files.

### AppInit_DLLs Injection (sub_402360, EA 5984)

The function at #AID=9# EA 5984 opens `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows`, reads the existing `AppInit_DLLs` value, removes any previous "vksaver" entries, appends `vksaver3.dll`, writes it back, and sets `LoadAppInit_DLLs=1`. This causes the DLL to load into every Windows GUI process — a technique associated with both adware and rootkits.

### SeDebugPrivilege & Process Killing (sub_403190, EA 9616)

The function at #AID=9# EA 9616 elevates to `SeDebugPrivilege`, enumerates all running processes via `psapi.EnumProcesses`, opens each with `PROCESS_TERMINATE|PROCESS_QUERY_INFORMATION` access, checks whether the module name contains "vksaver.exe", and terminates matching processes with 500ms delays.

### Uninstall/Cleanup Routine (sub_4029b0, EA 7600)

Deletes the `VKSaverUpdater` autorun key, queries `SOFTWARE\VKSaver` for `Install_Dir`, recursively deletes registry keys under `CurrentVersion\Uninstall\VKSaver` and `SOFTWARE\VKSaver`, and removes Start Menu shortcut folders.

### Main Install Flow (sub_402ce0, EA 8416)

Reads `MachineGuid` from `SOFTWARE\Microsoft\Cryptography`, performs cleanup of the previous install, drops two XOR-encrypted PE files (DLL and installer), registers `vksaver3.dll` in `AppInit_DLLs`, writes `VKSaver` to the `Run` key, creates Start Menu shortcuts (Launch VKSaver, Readme, Uninstall), modifies Opera proxy bypass URLs, creates a scheduled task for auto-update, then executes the bundled Yandex Browser installer.

### Browser Forced Restart (sub_403380, EA 10112)

Enumerates running processes, matches them against known browser executable names, finds their windows via `EnumWindows`, sends `WM_CLOSE` (0xF060) to visible windows, then after 5 retries terminates remaining browser processes using `SeDebugPrivilege`.

### Yandex Browser Bundling (sub_404dc0, EA 16832)

The installer GUI window procedure shows checkboxes for bundled components. When the user clicks Install, it constructs the command line `--partner vksaver-elements --distr /quiet /msicl "YAHOMEPAGE=y YAQSEARCH=y YABROWSER=y YBSENDSTAT=y"` and launches the bundled Yandex Browser MSI installer in quiet mode.

---

## Counter-Arguments / Caveats

1. **Legitimate product:** VKSaver was a widely-used, publicly known application for downloading audio from VKontakte. The version info, URLs (audiovkontakte.ru, vk.com), and overall structure are consistent with the known software.
2. **Yandex bundling:** Yandex Browser is a legitimate product from a major Russian tech company. Bundling was a common distribution practice in the Russian software ecosystem circa 2013.
3. **User consent flow:** The installer presents a GUI with checkboxes for optional components, though the "Express" option defaults to installing everything.
4. **AppInit_DLLs:** While aggressive, this technique was used by legitimate software for browser integration (toolbars, extensions) in this era.
5. **Kesakode:** No malware family match with any confidence.
6. **No C2/beacon:** No network communication to suspicious C2 infrastructure detected. URLs point to legitimate VK/Yandex domains.
7. **Old sample:** Dated 2013 (v3.3.130726), when bundling practices and AppInit_DLLs usage were more common and less scrutinized.

---

## Verdict

**Classification: Potentially Unwanted Application (PUA) / Adware Bundler**

**Confidence: 70/100 — Likely PUA (not clean, not classic malware)**

This is a **bundled installer for VKSaver** that exhibits several behaviors commonly flagged as PUA:

- **Drops and executes XOR-encrypted executables** (downloader.exe, DLL, MSI) — obfuscation beyond what a legitimate installer needs
- **Injects DLL into all GUI processes** via `AppInit_DLLs` — the most concerning behavior, as it enables monitoring/modification of any application's behavior
- **Silently installs Yandex Browser** with homepage/search engine hijacking enabled by default
- **Modifies browser proxy settings** to bypass Opera Turbo for VK-related domains
- **Kills competing browser instances** and forces restart with new settings
- **Acquires SeDebugPrivilege** for aggressive process manipulation
- **Creates persistent scheduled task** for auto-update

While the underlying VKSaver product is legitimate, the installer's techniques — encrypted payload drops, AppInit_DLLs injection, silent browser hijacking, and forced browser restarts — place it firmly in PUA/adware territory by modern standards.