This seems a bit wrong: I paid for this Razer Naga mouse but am left with your unfair ultimatum for full control over simple things like the LED function, which, even though it was unspoken by Razer, is clearly implied.
"You can have control over this function, but only if we can dump this large amount of bloatware on your computer that far exceeds the space required for that function and takes up a large chunk of your system resources, without a choice of where it's installed... so what do you say, have we got a DEAL?"
When put like that, would anyone agree to it? Probably not. But this is what Razer is doing.
I mean, 11 processes, and that's just what's running under Razer's name; I'm sure there's more.
A bit overkill for LED control, don't you think? Especially when I know for a fact the mouse has enough memory to hold the selected LED information, because that's how Logitech stores the LED data, and they offer two programs: a big, overblown, resource-hungry monster like Synapse, and a small standalone EXE that doesn't require installation and not only lets you edit the LED patterns but the key bindings as well. Once done, the mouse stays the way you wanted it and there's no Logitech anywhere to be found in the task manager. Where's Razer's small program? Oh, they don't have one.
So what's all that stuff running in the background anyway that is useless to the user? Well, considering the unfair, underhanded method used to force it onto users' PCs, it's obvious it's telemetry and analytical data collecting software.
That's the only type of software I know of that will make a tech company change from your best friend to a raving lunatic just to get it on your machine.
So now I have to break out the Arduino and play hack the mouse. Well, until next time!!!!
Omg, my eyes hurt. How can you read with this font? :P
You can try using a 3rd party app like OpenRGB, so it'll control Chroma without having Synapse running.
That's the route I'll take if I can't get the data to store on the mouse itself. I'm going to attempt to structure the firmware in a similar fashion to the Logitech one I have. Hardware hacking is fun.
OK, I was just playing around with OpenRGB; not as many effects, and they have the logo and scroll zones backwards. But when I closed the program I was surprised to see the Naga Classic was still doing the patterns set by OpenRGB. So I figured it must still be running in the background. But come to find out, it's not running anywhere. Which means the mouse DOES store the patterns to memory. This also means that when you close Synapse and the pattern returns to default, it's not a hardware limitation. It's Razer doing this, because, well... telemetry data is like tech company heroin and they don't like being cut off.
Well, I know how to deal with this. Think of it this way: these are the video games I play. I know way more programming languages than one person should and have too much time on my hands. I tear programs apart for fun.
So "Hack the mouse" is CANCELED (it didn't sound fun anyway).
It's time for a new game...
My current game for a while has been the Windows 11 OS, and I've completely bent it to my will. I've beaten Microsoft into a dark corner in their own operating system... all uninstallable bloatware gone, no telemetry (in all areas), fewer than 20 services left running, a nearly empty task scheduler and TrustedInstaller-level system access.
I've beaten that game. But now another telemetry junkie has caught my attention by treating their users like a product. It's time to take them to rehab.
New target... I mean game: =Synapse=. And considering how the last game I played with Microsoft went, Razer doesn't stand a chance.
There's a big difference between a "developer" that does it because it's a job and they need to make a living, and the unlabeled that do it because they find it fun and never want to stop. Who do you think has the better tricks? The 9-to-5 or the 24/7?
Get a load of the rap sheet:
Preliminary analysis of the Razer Synapse installer
RISK ASSESSMENT
Spyware
- Found a string that may be used as part of an injection method
Persistence
- Writes data to a remote process
Fingerprint
- Queries kernel debugger information
- Queries process information
- Queries sensitive IE security settings
- Queries the display settings of system associated file extensions
- Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- Reads the active computer name
- Reads the cryptographic machine GUID
- Reads the windows installation language
Evasive
- Possibly tries to evade analysis by sleeping many times
Network Behavior
- Contacts 6 domains and 4 hosts
MALICIOUS INDICATORS
Installation/Persistence
- Allocates virtual memory in a remote process
- Writes data to a remote process
SUSPICIOUS INDICATORS
Anti-Reverse Engineering
- Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
Environment Awareness
- Possibly tries to evade analysis by sleeping many times
- Reads the active computer name
- Reads the cryptographic machine GUID
General
- Reads configuration files
Installation/Persistence
- Drops executable files
Network Related
- Found potential IP address in binary/memory
- Sends traffic on typical HTTP outbound port, but without HTTP header
- Uses a User Agent typical for browsers, although no browser was ever launched
Ransomware/Banking
- Checks warning level of secure to non-secure traffic redirection
System Destruction
- Opens file with deletion access rights
System Security
- Modifies Software Policy Settings
- Modifies proxy settings
- Queries sensitive IE security settings
- Queries the display settings of system associated file extensions
Unusual Characteristics
- CRC value set in PE header does not match actual value
- Imports suspicious APIs
- Installs hooks/patches the running process
- Reads information about supported languages
INFORMATIVE ATTRIBUTES
Environment Awareness
- Queries volume information
External Systems
- Detected Suricata Alert
- Sample was identified as clean by Antivirus engines
General
- Accesses Software Policy Settings
- Accesses System Certificates Settings
- Contacts domains
- Contacts server
- Contains PDB pathways
- Creates a writable file in a temporary directory
- Creates mutants
- Drops files marked as clean
- GETs files from a webserver
- Loads the .NET runtime environment
- Sample shows a variety of benign indicators
- Scanning for window names
- Spawns new processes
- Spawns new processes that are not known child processes
- The input sample is signed with a certificate
- The input sample is signed with a valid certificate
- The input sample possibly contains the RDTSCP instruction
Installation/Persistence
- Connects to LPC ports
- Dropped files
- Touches files in the Windows directory
Network Related
- Found potential URL in binary/memory
System Security
- Creates or modifies windows services
- Opens the Kernel Security Device Driver (KsecDD) of Windows
Unusual Characteristics
- Matched Compiler/Packer signature
CrowdStrike AI
- Executable Process Memory Analysis: Suspicious1, N/A (Address: -, Flags: -)
File Details
Filename: RazerSynapseInstaller_V1.0.87.116.exe
Size: 4.1MiB (4270568 bytes)
Type: peexe assembly executable
Description: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Architecture: WINDOWS
SHA256: 2096cc8e75dd6175700654eaffd5117cf2f87f9cb20429a52ed389bc1f9b9817
So that is their trade offer: they get to run all of that, and that's just the installation process, just weakening your system a bit getting it ready for Synapse. So when it's actually installed you only see part of what's going on. And we get a few little macro functions and some blinking lights. That sounds fair, right? I mean, compromised system integrity alone would be worth that.
This is the worst I've actually ever seen from any company. Not only are they hitting you with the most telemetry software I've seen in a single program, they don't mention it at all, maybe somewhere in the fine print, but it's basically free product testing data that used to cost tech companies millions. Now, since the whole Internet Privacy Act thing in 2017, they're allowed to spy on people to gather, well, I know Microsoft likes to call it (diagnostic data), just take it directly from pretty much any modern device you own that's connected to the internet, and don't have to pay you a dime. Most tech manufacturers that do it heavily at least try to make it worth it by giving you decent software and features; the only features I see in Synapse here are the macroing and the lights, other than that it's just one big ad fest. What I see is the tech company equivalent of slapping you in the face, giving you the finger, taking the data from you and then forcing you to watch 12 solid hours of ads.
But yeah, Razer, you make the best mice and keyboards, but we had to pay for those, you didn't give them to us. I feel like I paid you to spy on me and that's not cool.
Nothing in that malware "report" stands out as malicious.
The exe looks like a typical self-extracting zip file containing a .net installer which then downloads and runs whatever installers you selected to install.
As for the actual Razer Synapse app the only time it sends telemetry (log files etc.) is if you send feedback (click on the user account button in the top right corner, click 'Feedback', fill in the form and click Send).
If you don't believe me, open 'Razer Synapse 3.exe' with DnSpyEx and look for yourself.
LittleJay85
Nothing in that malware "report" stands out as malicious.
The exe looks like a typical self-extracting zip file containing a .net installer that downloads and runs whichever installers you selected to install.
As for the actual Razer Synapse app, the only time it sends telemetry (log files etc.) ...
https://www.hybrid-analysis.com/sample/66274410175edd2c877d3774e7bbbe46403d09e0a72fb8af36e8d699acc7ca9e
AndreAzevedo
To start with that's Razer Central not Synapse.
But I'm presuming you understand how to read and interpret those reports and have programming, Win32 API, PE format and Reverse Engineering knowledge?
Those "Suspicious Indicators" aren't out of the ordinary for a .NET application.
I just know that Synapse 3 doesn't work without Razer Central, and Synapse 3 is an extended package of executables.
And yes, I appreciate the art of reverse engineering.
The problem with hybrid-analysis.com is that it flags a lot of false positives.
In that Razer Central analysis, for example:
Found a cryptographic related string
details:
- "FromBase64String" (Indicator: "frombase64string"; File: "66274410175edd2c877d3774e7bbbe46403d09e0a72fb8af36e8d699acc7ca9e.bin")
- "AesCryptoServiceProvider" (Indicator: "aescryptoserviceprovider"; File: "66274410175edd2c877d3774e7bbbe46403d09e0a72fb8af36e8d699acc7ca9e.bin")
source: String
relevance: 10/10
ATT&CK ID: T1486 (Show technique in the MITRE ATT&CK matrix)
FromBase64String and AesCryptoServiceProvider are used throughout a lot of legitimate software, including Microsoft Windows (e.g. BitLocker uses AES encryption). But hybrid-analysis.com gives it ATT&CK ID T1486 and a relevance of 10/10, which adds to its Threat Score.
Under Unusual Characteristics it lists "Input file contains API references not part of its Import Address Table (IAT)".
But for a .NET application this is normal.
I'm just trying to make people aware that you can't always trust the report generated, especially when legitimate software is run through it.
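As an added illustration of the scoring problem described in that post (my own example, not code from the thread or from hybrid-analysis): a parser for the flattened one-field-per-line layout in which the quoted report excerpt came through, plus a triage rule that discounts indicators a managed .NET assembly is expected to trigger, so that one 10/10 crypto-string hit does not decide the verdict. The sample report text, the expected-for-.NET title list and the file name sample.bin are constructed assumptions.

```python
import re

# Constructed sample in the flattened export layout: a title line, then
# label lines (details/source/relevance/ATT&CK ID) followed by their value line(s).
SAMPLE_REPORT = """\
Found a cryptographic related string
details
"FromBase64String" (Indicator: "frombase64string"; File: "sample.bin")
"AesCryptoServiceProvider" (Indicator: "aescryptoserviceprovider"; File: "sample.bin")
source
String
relevance
10/10
ATT&CK ID
T1486 (Show technique in the MITRE ATT&CK matrix)
Input file contains API references not part of its Import Address Table (IAT)
source
Static Parser
relevance
5/10
Allocates virtual memory in a remote process
relevance
8/10
"""

LABELS = {"details", "source", "relevance", "ATT&CK ID"}
# Titles a managed (.NET) assembly triggers by construction (assumed list): crypto
# type names in its string table and P/Invoke targets absent from the native IAT.
EXPECTED_FOR_DOTNET = (re.compile(r"cryptographic related string", re.I),
                       re.compile(r"API references not part of its Import Address Table", re.I))

def parse_indicators(text):
    """Return one dict per block; a non-label line outside any field starts a block."""
    out, state = [], None  # state = label whose value(s) we are currently reading
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if line in LABELS:
            state = line
            continue
        if state is None or not out:
            out.append({"title": line, "details": [], "source": None,
                        "relevance": 0, "attack_id": None})
            continue
        cur = out[-1]
        if state == "details":
            cur["details"].append(line)  # may span several lines; stay in this state
            continue
        if state == "source":
            cur["source"] = line
        elif state == "relevance":
            m = re.match(r"(\d+)\s*/\s*10", line)
            cur["relevance"] = int(m.group(1)) if m else 0
        else:  # "ATT&CK ID"; most indicators carry none, so the key stays None
            m = re.match(r"T\d{4}(?:\.\d{3})?", line)
            cur["attack_id"] = m.group(0) if m else None
        state = None  # single-value fields end after one line
    return out

def triage(text, managed_assembly):
    """(naive_score, adjusted_score, titles kept): naive sums every relevance like the
    threat score does; adjusted drops .NET-expected titles for a managed assembly."""
    inds = parse_indicators(text)
    kept = [i for i in inds if not (managed_assembly and
            any(p.search(i["title"]) for p in EXPECTED_FOR_DOTNET))]
    return (sum(i["relevance"] for i in inds),
            sum(i["relevance"] for i in kept), [i["title"] for i in kept])
```

With managed_assembly=True the sample scores 23 naively but 8 after discounting, leaving only the remote-process allocation as something an analyst should actually look at.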
OK, what do you have to say about these hooks?
- "GetAsyncKeyState@USER32.DLL" in "RazerCentral.exe"
- "GetForegroundWindow@USER32.DLL" in "RazerCentral.exe"
- "CreateCompatibleBitmap@GDI32.DLL" in "RazerCentral.exe"
- "ExitWindowsEx@USER32.DLL" in "RazerCentral.exe"
- "Wow64Transition@NTDLL.DLL" in "RazerCentral.exe"
- "GetKeyState@USER32.DLL" in "RazerCentral.exe"
Do any of them run away from the Synapse software proposal?