The file I just downloaded from sourceforge appears to be benign; it would be interesting to see the Sirius verdict of the one you downloaded that has a different hash.
Total tokens: 0 (0 request / 0 response)
File path: c:\users\dan\desktop\burn_card_maker.exe
File hash: e2410bc263fc06076ecc3619af4c4f50a96d54edee0b00b2b5fb0679394aea9e
File size: 3.01 MB
File publisher: This file is a signable file type but has not been digitally signed.
WhitelistCloud verdict: Safe
Final Verdict: Safe with 92% confidence.
=== Analysis Summary ===
The file “burn_card_maker.exe” is an MFC/Win32 GUI utility whose sole purpose is to write Amlogic bootloader images to SD cards (“card-making” mode). It contains no networking, no process injection, no anti-debugging, and exports nothing that could be used as a loader. While the entropy of several sections is moderately elevated (≈ 5–6.3), the overlay region is zero-length (no appended junk/encrypted blob) and ImportCrypt is 0 – it does not load any cryptographic libraries such as ADVAPI32!Crypt* or bcrypt. Imports are limited to Win32 GUI, GDI+, Shell, COM and simple registry helpers – all expected for a self-contained Windows utility. RequestedExecutionLevel=“requireAdministrator” is legitimate: SD-card firmware tools need raw-disk access, hence UAC elevation. File date (2015-10-19) and static metadata point to an old, but official, Amlogic factory support tool distributed to device OEMs. No digital signature is typical for low-level vendor utilities of that era (and the binary was never re-released on Windows Update or Microsoft WHQL pipelines). WhitelistCloud tags it “Safe” and we concur.
=== Detailed Analysis ===
1. Core functionality indicators
- Strings such as “SecureBoot SD bootloader”, “Erase bootloader”, “Erase Flash”, “Formating sdcard”, “sparse”, “image.cfg”, “aml_sdc_burn”, “bootloader.PARTITION”, and progress-dlg traces show a narrow, hardware-specific burn-card utility.
- The binary carries a resource section that includes UI bitmaps and an MFC manifest – consistent with a small desktop flashing tool rather than a dropper or RAT.
- No base64, no URL or IP literals, no suspicious pseudo-C2 artefacts, and no process-hollowing or reflective-injection hints.
2. Import & library profile
- A very high count of 600 imports was scraped by the PE parser, but inspection shows they are almost exclusively user32/gdi32/comdlg32/shell32 OLE automation and GUI helpers plus ADVAPI32 registry functions.
- Notable absences: no Winsock, WinInet, Urlmon, Ws2_32, or HTTP APIs; no CreateRemoteThread, VirtualAllocEx, WriteProcessMemory, SetWindowsHookEx; no CryptoAPI or BCrypt; no NT-undocumented NTAPI stubs. The “DangerousImportedLibrariesNormalized : 30.47” figure seems inflated by over-counting benign GDI/OLE libraries – real risk primitives are missing.
- COM usage (CoCreateInstance, DragDrop, OleInitialize) is justified for file-browse dialogs and clipboard bitmap handling for embedded logo graphics.
3. Section / entropy anomalies
- Section1 (.text) 6.16 entropy is slightly high but typical for C++/MFC code compiled with optimisations and linked with static GDI+; no packed section tricks (no raw/virt mismatch, no section with execute+write).
- Zero entropy and zero size for sections 6–11, and overlay entropy 0 and overlay size 0, rule out appended encrypted payloads often seen in trojanised flashers.
4. ASLR/DEP & runtime
- Binary opts into DEP and ASLR (DllCharacteristics 0x8140) – an indicator of legitimate, post-2010 compiler defaults, not malware packed with old toolchains.
- The absence of CFG/SEHOP Guard flags (LoadConfigGuardFlags 0) is expected for VS2010-era builds.
5. Locale metadata
- VersionInfoLanguage: Chinese (Simplified, China) and Copyright 2013 Amlogic, matching Shenzhen-based Amlogic design house – plausible legitimate provenance rather than locale spoofing.
6. Digital signature / trust
- Unsigned, but this is common for factory support utilities distributed inside board support packages; absence of signature alone is not enough to classify as malicious.
7. WhitelistCloud
- Reputable reputation service classifies the hash as safe; nothing in the static features contradicts that verdict.
Likely software type / purpose
“Burn_Card_Maker” appears to be Amlogic’s OEM utility for preparing bootable SD cards used to flash Android or Linux onto set-top/OTT boxes, smart TVs and development boards. Functionality is limited to disk imaging, partition parsing, progress tracking and simple SD formatting – a standard vendor support tool rather than malware.
Malware type: N/A
Malware name: N/A
Final verdict: Safe with 92% confidence.