{"id":16589,"date":"2021-09-29T19:21:15","date_gmt":"2021-09-29T18:21:15","guid":{"rendered":"https:\/\/ekiwi-blog.de\/?p=16589"},"modified":"2022-07-30T15:27:43","modified_gmt":"2022-07-30T14:27:43","slug":"kindaichi-accounting-software-what-is-behind-it","status":"publish","type":"post","link":"https:\/\/ekiwi-blog.de\/en\/16589\/kindaichi-accounting-software-what-is-behind-it\/","title":{"rendered":"KINDAICHI Accounting Software &#8211; what is behind it?"},"content":{"rendered":"<p>Not the first time, I got an email recommending some accounting software from &#8220;Kindaichi&#8221;. I am not entirely sure if there is malware behind it. But let us have a closer look.<\/p>\n<p><!--more--><\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_email\"><\/span>The email<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The email I got promotes some accounting software from a company or with the name &#8220;Kindaichi&#8221;. So far nothing special, spam is common. 
The email looks like this.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-16590\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_1.png\" alt=\"\" width=\"796\" height=\"653\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_1.png 796w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_1-300x246.png 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_1-768x630.png 768w\" sizes=\"auto, (max-width: 796px) 100vw, 796px\" \/><\/p>\n<blockquote><p>KINDAICHI Accounting Software, Community 2020 edition provide basic accounting software features, and it is FREE.<\/p><\/blockquote>\n<p>I find it very odd that an email proposes this kind of software, which should be mainly used by companies, not end users.<\/p>\n<p>The email features a small <a title=\"How to read data from pdf using VBA\" href=\"https:\/\/ekiwi-blog.de\/en\/24960\/vba-read-pdf\/\">PDF<\/a> in the attachment, which seems to be clean of any malware. I checked it with VirusTotal. But in general, I do not recommend opening any attachment from random mails. Also, the download link does not point to any company website but rather to some cloud service. This is usually a red flag.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-16592\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_2.png\" alt=\"\" width=\"526\" height=\"98\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_2.png 526w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_2-300x56.png 300w\" sizes=\"auto, (max-width: 526px) 100vw, 526px\" \/><\/p>\n<p>I opened the PDF in my virtual Linux machine. 
Looks very strange.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-16594\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_3.png\" alt=\"\" width=\"919\" height=\"470\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_3.png 919w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_3-300x153.png 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_3-768x393.png 768w\" sizes=\"auto, (max-width: 919px) 100vw, 919px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_company_homepage\"><\/span>The company homepage<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>If you look the software up on Google, there is not much information to be found. The first result is now the German version of this blog post. The company website looks very simple; it is basically a Bootstrap template with the same download links as in the email. No SSL.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-16596\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_4.png\" alt=\"\" width=\"1278\" height=\"826\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_4.png 1278w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_4-300x194.png 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_4-1024x662.png 1024w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_4-768x496.png 768w\" sizes=\"auto, (max-width: 1278px) 100vw, 1278px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_download\"><\/span>The download<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>OK, another thing I do not recommend: downloading the software from the internet. Again, I am doing that in my virtual machine, which I can reset afterwards. 
The download is located on a cloud service named &#8220;pCloud&#8221;.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-16598\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_5.png\" alt=\"\" width=\"734\" height=\"487\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_5.png 734w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_5-300x199.png 300w\" sizes=\"auto, (max-width: 734px) 100vw, 734px\" \/><\/p>\n<p>The ZIP file contains a lot of software, PDFs and an installer. Not very typical for malware, which is very odd.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-16600\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_6.png\" alt=\"\" width=\"721\" height=\"686\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_6.png 721w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_6-300x285.png 300w\" sizes=\"auto, (max-width: 721px) 100vw, 721px\" \/><\/p>\n<p>However, if we check the file with VirusTotal.com, there are 7 virus scanners that flag the file as malicious. If we look at the ZIP file above, we can see two files named &#8220;UltraViewer&#8221;, which seem to be some kind of remote control software. 
Might be legit, might be the reason why VirusTotal.com finds some malware, but honestly, that&#8217;s very concerning.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-16602\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_7.png\" alt=\"\" width=\"1176\" height=\"530\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_7.png 1176w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_7-300x135.png 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_7-1024x461.png 1024w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_7-768x346.png 768w\" sizes=\"auto, (max-width: 1176px) 100vw, 1176px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Installation\"><\/span>Installation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The next step is to try and install the software. I also did that in a virtual machine with Windows and no access to my local network.<\/p>\n<p>The ZIP file contains an installer.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-16604\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_8.png\" alt=\"\" width=\"383\" height=\"89\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_8.png 383w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_8-300x70.png 300w\" sizes=\"auto, (max-width: 383px) 100vw, 383px\" \/><\/p>\n<p>If the installer is run, a menu appears, which looks very unsuspicious. The menu allows us to install the software. 
Sometimes the installer asks for a password, which can be found in the installation guide PDF.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-16606\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_9.png\" alt=\"\" width=\"569\" height=\"602\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_9.png 569w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_9-284x300.png 284w\" sizes=\"auto, (max-width: 569px) 100vw, 569px\" \/><\/p>\n<p>The software installs normally.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-16608\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_10.png\" alt=\"\" width=\"499\" height=\"392\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_10.png 499w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_10-300x236.png 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_10-100x80.png 100w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_10-80x64.png 80w\" sizes=\"auto, (max-width: 499px) 100vw, 499px\" \/><\/p>\n<p>After the installation, the software can be started and offers to create a profile for your company. 
However, after starting, the software asks for a license key, which I do not have, so I cannot use the software.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-16610\" src=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_11.png\" alt=\"\" width=\"862\" height=\"512\" srcset=\"https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_11.png 862w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_11-300x178.png 300w, https:\/\/ekiwi-blog.de\/wp-content\/uploads\/2021\/09\/kind_11-768x456.png 768w\" sizes=\"auto, (max-width: 862px) 100vw, 862px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>I am not sure whether the software is malware or not. VirusTotal warns with several warnings, which is usually a red flag. There is no real information about the software on the internet and the company homepage just looks like someone used a template and put some information in there, not like a real homepage.<\/p>\n<p>My advice is to not open anything from the email and to not run the software. But I might be wrong. If you have more information, let me know. \ud83d\ude42<\/p>","protected":false},"excerpt":{"rendered":"<p>Not the first time, I got an email recommending some accounting software from &#8220;Kindaichi&#8221;. 
I am not entirely sure if<\/p>\n","protected":false},"author":1,"featured_media":16557,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1552],"tags":[1602,1565],"class_list":["post-16589","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-internet-en","tag-security-en","tag-software-en"],"_links":{"self":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts\/16589","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/comments?post=16589"}],"version-history":[{"count":0,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/posts\/16589\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/media\/16557"}],"wp:attachment":[{"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/media?parent=16589"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/categories?post=16589"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ekiwi-blog.de\/en\/wp-json\/wp\/v2\/tags?post=16589"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}