System Utilities decompilation - detected as PUP by most AV vendors but is it actually just a PUP?

Khushal

Thread author
Apr 4, 2024
Full writeup: System Utilities decompilation - detected as PUP by some AV vendors but is it actually just a PUP?

System Utilities is a signed, relatively reputable device-optimizing software available at Softpedia, MajorGeeks and other third-party mirrors. It is flagged by known and reputable engines such as ESET, Sophos, Malwarebytes and Fortinet as a potentially unwanted application, but are they right?

In this report, we determine the border between malware and a PUP, and the actual abilities of System Utilities that the most reputable AV vendors don't know about.
It is a highly evasive sample protected with .NET Reactor that deploys various virtual-environment checks, checks whether it is being debugged/analyzed/reverse-engineered and, most notably, a 14-day timer before it starts the malicious activity.
 
WPS Office adds items to the Windows Explorer context menu and installs cloud elements (with autostart) without the user's knowledge or approval; however, it is not classified as a PUP!

(Attached screenshot: Screenshot_29-1-2026_12174_rifteyy.org.jpeg)
 
"System Utilities" is not merely a Potentially Unwanted Program (PUP) but a sophisticated AdClicker Trojan and Backdoor. It utilizes advanced evasion techniques, including a 14-day dormancy period and environment checks, to bypass automated sandboxes and initial AV scans. Once active, it manipulates the host browser to generate ad revenue silently and provides attackers with remote file manipulation capabilities.

MITRE ATT&CK Mapping

T1204.002: User Execution (Malicious File masquerading as utility).
T1497.001: Virtualization/Sandbox Evasion (VMWare/VirtualBox checks).
T1037.005: Boot or Logon Initialization Scripts (autoruns.exe persistence).
T1562.001: Impair Defenses (Disabling browser crash reports to hide instability).

CVE Profile
No specific CVE; exploits the trust model of Digitally Signed Code.

Live Evidence Extraction

Hashes (SHA256)

ce2f4094704b579018e2e8ba4f2c1f14d9072f3c405298e42df6c4eb6a1bed37 (DiagnosticDriver.exe)
ca58cd97efc7865c81137d9ab5bb2d31fec7a736da874c3a53d6a5d3f6f8fadc (Downloader.exe)

Registry Keys/Paths

%LocalAppData%\DiagnosticDriver
%LocalAppData%\SystemUtilities

C2 Infrastructure
yasupro[.]net/api, ev[.]system-utilities[.]com/twa.

Remediation - THE ENTERPRISE TRACK (SANS PICERL)

Phase 1: Identification & Containment

Scan for the \\.\pipe\SystemUtilities named pipe across the fleet.

Isolate hosts showing traffic to yasupro[.]net or system-utilities[.]com via VLAN.

Revoke/Blacklist certificates from Centaurus Media Limited.

Phase 2: Eradication

Terminate DiagnosticDriver.exe, autoruns.exe, and Downloader.exe.

Delete the directories in %LocalAppData% and the corresponding startup entries identified by autoruns.exe.

Phase 3: Recovery

Restore browser configuration files (prefs.js for Firefox, Preferences for Chrome) as the malware modifies these to suppress error reporting.

Phase 4: Lessons Learned

Update EDR rules to flag binaries with a 14-day dormancy logic (delaying execution post-install).

Remediation - THE HOME USER TRACK

Priority 1: Safety

Immediately disconnect from the internet and run an offline scan with a reputable AV (e.g., ESET, which now correctly flags this as MSIL/Adware.DHT.A).


Priority 2: Identity

Reset all browser-stored passwords and MFA seeds only from a known clean device, as the malware has backdoor capabilities and monitors browser history.


Priority 3: Persistence

Check the "Startup" tab in Task Manager for autoruns.exe or System Utilities and disable them. Delete the DiagnosticDriver folder in your Local AppData.

Hardening & References

Baseline

CIS Benchmark for Windows 10/11: Enable "Block at First Sight" and "Cloud-delivered protection" in Windows Defender.

Framework
NIST SP 800-61r2: Follow standard Incident Handling lifecycle for data breach assessment due to remote file manipulation capabilities.

Tactical
Use dnSpy or DetectItEasy to verify suspicious "optimizers" before installation if they originate from 3rd-party mirrors.

Sources

rifteyy.org Technical Analysis
 
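The Phase 1 "identify and contain" step above is mostly a matter of matching host telemetry against the published indicators. The following Python script is an added example written for this thread; it is not code from the posts, from the rifteyy.org write-up or from any vendor. It takes a host inventory in a hypothetical export shape (the field names `processes`, `named_pipes`, `connections` and `startup_entries` are my own assumption about what an EDR or collection script would hand an analyst), matches it against the hashes, paths, named pipe, process names, signer and C2 domains listed in the post, and returns findings plus an isolation recommendation. The sample inventory embedded at the bottom is constructed for the demonstration.

```python
"""IoC triage for the "System Utilities" indicators quoted in the thread above.

Added example, not code from the thread or the rifteyy.org write-up.
Indicator values are copied from the post; the inventory format and the
sample host data are constructed assumptions for this demonstration.
"""
import os
import re
from typing import Dict, List


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'yasupro[.]net' back into a hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


# --- indicators from the post (domains published defanged, refanged here) ---
IOC_SHA256 = {
    "ce2f4094704b579018e2e8ba4f2c1f14d9072f3c405298e42df6c4eb6a1bed37": "DiagnosticDriver.exe",
    "ca58cd97efc7865c81137d9ab5bb2d31fec7a736da874c3a53d6a5d3f6f8fadc": "Downloader.exe",
}
IOC_DOMAINS = [refang(d) for d in ("yasupro[.]net", "system-utilities[.]com")]
IOC_PIPE = r"\\.\pipe\SystemUtilities"
IOC_PATHS = [r"%LocalAppData%\DiagnosticDriver", r"%LocalAppData%\SystemUtilities"]
IOC_PROCESSES = {"diagnosticdriver.exe", "autoruns.exe", "downloader.exe"}
IOC_SIGNER = "Centaurus Media Limited"


def _localappdata_pattern(ioc_path: str) -> "re.Pattern[str]":
    """Compile '%LocalAppData%\\X' into a regex matching ...\\AppData\\Local\\X as a
    whole directory component, so the check works on any user's profile path."""
    tail = ioc_path.split("%LocalAppData%", 1)[1].strip("\\")
    return re.compile(r"\\AppData\\Local\\" + re.escape(tail) + r"(\\|$)", re.IGNORECASE)


IOC_PATH_PATTERNS = {p: _localappdata_pattern(p) for p in IOC_PATHS}


def path_hits(path: str) -> List[str]:
    """Return the IoC directories a concrete file path falls under."""
    return [ioc for ioc, pat in IOC_PATH_PATTERNS.items() if pat.search(path)]


def host_matches(host: str, indicator: str) -> bool:
    """True if host equals the indicator domain or is a subdomain of it
    (so ev.system-utilities.com is caught by system-utilities.com)."""
    host = host.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)


def check_process(proc: Dict) -> List[str]:
    """Collect every reason a running process matches the published indicators."""
    reasons = []
    sha = proc.get("sha256", "").lower()
    if sha in IOC_SHA256:
        reasons.append(f"sha256 matches published hash of {IOC_SHA256[sha]}")
    if proc.get("name", "").lower() in IOC_PROCESSES:
        reasons.append(f"process name {proc['name']} is on the IoC list")
    if proc.get("signer", "").lower() == IOC_SIGNER.lower():
        reasons.append(f"signed by {IOC_SIGNER}")
    reasons += [f"path under {ioc}" for ioc in path_hits(proc.get("path", ""))]
    return reasons


def triage(inventory: Dict) -> List[Dict]:
    """Match one host's inventory against the IoCs; one finding per matching object."""
    findings = []
    for proc in inventory.get("processes", []):
        reasons = check_process(proc)
        if reasons:
            findings.append({"type": "process", "subject": proc["name"], "reasons": reasons})
    for pipe in inventory.get("named_pipes", []):
        if pipe.lower() == IOC_PIPE.lower():
            findings.append({"type": "named_pipe", "subject": pipe,
                             "reasons": ["named pipe from the write-up is present"]})
    for conn in inventory.get("connections", []):
        hits = [d for d in IOC_DOMAINS if host_matches(conn["remote_host"], d)]
        if hits:
            findings.append({"type": "network", "subject": conn["remote_host"],
                             "reasons": [f"matches C2 domain {d}" for d in hits]})
    for entry in inventory.get("startup_entries", []):
        cmd = entry.get("command", "")
        reasons = [f"command path under {ioc}" for ioc in path_hits(cmd)]
        exe = os.path.basename(cmd.replace("\\", "/")).lower()
        if exe in IOC_PROCESSES:
            reasons.append(f"launches {exe}")
        if reasons:
            findings.append({"type": "startup", "subject": entry["name"], "reasons": reasons})
    return findings


def recommend_isolation(findings: List[Dict]) -> bool:
    """Phase 1 rule from the post: isolate on C2 traffic. As an assumption of this
    example, the named pipe or a matching binary is treated the same way."""
    return any(f["type"] in {"network", "named_pipe", "process"} for f in findings)


# Constructed sample inventory: one benign process/entry beside one matching each IoC class.
SAMPLE_INVENTORY = {
    "hostname": "WS-0142",
    "processes": [
        {"name": "explorer.exe", "path": r"C:\Windows\explorer.exe",
         "sha256": "0" * 64, "signer": "Microsoft Windows"},
        {"name": "DiagnosticDriver.exe",
         "path": r"C:\Users\alice\AppData\Local\DiagnosticDriver\DiagnosticDriver.exe",
         "sha256": "ce2f4094704b579018e2e8ba4f2c1f14d9072f3c405298e42df6c4eb6a1bed37",
         "signer": "Centaurus Media Limited"},
    ],
    "named_pipes": [r"\\.\pipe\lsass", r"\\.\pipe\SystemUtilities"],
    "connections": [
        {"pid": 4120, "remote_host": "update.microsoft.com", "remote_port": 443},
        {"pid": 5312, "remote_host": "ev.system-utilities.com", "remote_port": 443},
    ],
    "startup_entries": [
        {"name": "OneDrive", "command": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
        {"name": "System Utilities", "command": r"C:\Users\alice\AppData\Local\SystemUtilities\autoruns.exe"},
    ],
}

if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f['type']}] {f['subject']}: " + "; ".join(f["reasons"]))
    print("isolate host:", recommend_isolation(results))
```

Two design points: the `%LocalAppData%` indicators are compiled into a suffix regex that anchors on the `\AppData\Local\` component rather than expanded from the analyst's own environment, so the same script triages exports from any user profile; and the domain check uses a subdomain match, so the `ev.` host in the post is caught by the parent `system-utilities[.]com` rule without listing every label the operators might rotate.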