PPINK : flagged as Suspicious during sandbox analysis

[mohit0121]

Hello Team, we are trying to whitelist this app but we have encountered these issues by our Infosec team.

1. Why this app is not digitally signed by a trusted CA?

2. This app is flagged as Suspicious during sandbox analysis. Attached report for reference from Falcon CrowdStrike

ppInk.exe _ Sandbox _ Counter Adversary Operations _ Dynamic Analysis.pdf
ppInk.exe _ Sandbox _ Counter Adversary Operations _ Intelligence.pdf
ppInk.exe _ Sandbox _ Counter Adversary Operations _ Mitre Attack.pdf
ppInk.exe _ Sandbox _ Counter Adversary Operations _Static Analysis.pdf

3. Virus total >> https://www.virustotal.com/gui/file/73fe4fef701bf731274e6e7efd97a1a91566e842ba44f70230fb81e433240736/details

4. Are these detections false positive? if yes, can they be safely ignored?

Request your Kind confirmation.

[pubpub-zz]

Hello Team, we are trying to whitelist this app but we have encountered these issues by our Infosec team.

sorry Not a team (unfortunately). I'm just on my own.

1. Why this app is not digitally signed by a  trusted CA?

Application is released as an open source therefore any one can recompile and sign the application.
I currently don't have any trusted certificate to use. if you can propose me with a solution to get some I may think about.

2. This app is flagged as Suspicious during sandbox analysis. Attached report for reference from Falcon CrowdStrike

ppInk.exe _ Sandbox _ Counter Adversary Operations _ Dynamic Analysis.pdf ppInk.exe _ Sandbox _ Counter Adversary Operations _ Intelligence.pdf ppInk.exe _ Sandbox _ Counter Adversary Operations _ Mitre Attack.pdf ppInk.exe _ Sandbox _ Counter Adversary Operations _Static Analysis.pdf

I have not been able to look through all elements but at least I can say:
"Malicious : Contains ability to capture the screen" -> this is the main function of this application 😉
"Suspicious : Found a potential E-Mail address in binary/memory" -> this is the mail address for @geovens. I keep it in order to respect copyright.
"Suspicious: Contains ability to retrieve keyboard strokes" -> required to get the global shortcut to activate the application
"Suspicious: Contains ability to open a port and listen for incoming connection" -> this is to be able to provide REST API control capability
(sorry for the other entries I've not been through)

3. Virus total >> https://www.virustotal.com/gui/file/73fe4fef701bf731274e6e7efd97a1a91566e842ba44f70230fb81e433240736/details
4. Are these detections false positive? if yes, can they be safely ignored?

The detection looks like a false positive : you should be able to report it for deeper analysis.

Request your Kind confirmation.

Hoping this will help you and feel free to star the project.

[mohit0121]

@pubpub-zz Thank you for taking out time in reviewing few of the detections., Much appreciated !

Would you be kind enough in reviewing the attached document ( 23 Detections) and provide your inputs, detection by detection. This will help us to whitelist the application and this tool will be deployed and used by our company globally. doable?

ppInk.exe _ Sandbox _ Counter Adversary Operations _ Dynamic Analysis.pdf

[pubpub-zz]

I've added my comments.
ppInk.exe..Sandbox..Counter.Adversary.Operations._.Dynamic.Analysis-1rep.pdf

If you finally deploy ppInk in your company, :

• remember to respect the copyright and the license
• I would be pleased if you star the project and recommend other users to do so
• finally, my software is open source and free, however to support my work, I would appreciate if your company could do a donation to support girls' education (unicef or any one else) ☺️

[mohit0121]

Certainly, Please guide me how to go about starring the project?

[pubpub-zz]

Certainly, Please guide me how to go about starring the project?