not-a-virus:AdWare.Win32.ICLoader.agjy (Kaspersky), Gen:Variant.Mikey.54508 (B) (Emsisoft), Gen:Variant.Mikey.54508 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 181bcf826fd65d8603fdf638017c0377
SHA1: 0184fa30d6ac4835a9ef1357bb6d23139100faee
SHA256: c083a04d34b8fb3e27506bc2c4661b3f8eb3c5982dc56f90dc21380c1343931f
SSDeep: 3072:EaaaQnlQ4OuVN2zPgy MA BC3K5eq8m3KQ://QnlYRoK7p9
Size: 156408 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-01-23 22:35:17
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
FrameworkEngine.exe:1020
%original file name%.exe:3668
gpedit.exe:4048
insF1FC.tmp.exe:3304
Updater.exe:3460
fservice.exe:1832
regsvr32.exe:3208
regsvr32.exe:3176
cscript.exe:3508
cscript.exe:1588
cscript.exe:1988
cscript.exe:3984
cscript.exe:2364
updater.exe:4056
updater.exe:2120
updater.exe:240
updater.exe:1660
cservice.exe:3280
bservice.exe:536
The Trojan injects its code into the following process(es):
No code injection into other processes was observed.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\insF1FC.tmp.exe (189223 bytes)
The process gpedit.exe:4048 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\GroupPolicy\gpt.ini (261 bytes)
C:\Windows\System32\GroupPolicy\Machine\Registry.pol (1208 bytes)
The process insF1FC.tmp.exe:3304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\SafetySearch\framework\message_target.js (977 bytes)
%Program Files%\SafetySearch\framework-ui\options.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\context_menu.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\browser.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\includes\content_messaging.js (730 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\top-left.png (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\pz_info (26 bytes)
%Program Files%\SafetySearch\icons\button.png (517 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\options.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\gpedit.exe (1231 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_webrequest.js (129 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\ie_installer.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\extension_info.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\registry.js (707 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\timer.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\storageedit.exe (2705 bytes)
%Program Files%\Bench\BService\1.1\bservice.exe (533 bytes)
%Program Files%\SafetySearch\framework\backgroundscript_engine.js (2 bytes)
%Program Files%\SafetySearch\framework\global.js (1 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-left.png (307 bytes)
%Program Files%\SafetySearch\icons\icon100.png (3 bytes)
%Program Files%\Bench\Updater\updater.exe (1175 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\xhr.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\userscript_engine.js (2 bytes)
%Program Files%\SafetySearch\background.html (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\systemreport.js (537 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\utils.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SafetySearch\Uninstall.lnk (1 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_bg.js (892 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\webrequest.js (6 bytes)
%Program Files%\SafetySearch\framework\i18n.js (2 bytes)
%Program Files%\SafetySearch\CanvasFramework\canvas.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon48.png (1 bytes)
%Program Files%\SafetySearch\framework\utils.js (5 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\bottom-middle.png (240 bytes)
%Program Files%\SafetySearch\icons\icon48.png (1 bytes)
%Program Files%\SafetySearch\CanvasFramework\md5.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\invoke_async.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\uninstall.exe (3419 bytes)
%Program Files%\SafetySearch\FrameworkEngine.exe (7635 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns2CB4.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\backgroundscript_engine.js (1 bytes)
%Program Files%\SafetySearch\CanvasFramework\canvas_content.js (1 bytes)
%Program Files%\Bench\NmHost\manifest.json (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\canvas.js (9 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\top-right.png (308 bytes)
%Program Files%\Bench\FService\1.1\fservice.exe (2951 bytes)
%Program Files%\SafetySearch\CanvasFramework\webrequest.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox_installer.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsProcess2.dll (838 bytes)
%Program Files%\SafetySearch\framework\xhr.js (3 bytes)
%Program Files%\SafetySearch\CanvasFramework\registry.js (863 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\install.rdf (1 bytes)
%Program Files%\SafetySearch\framework-ui\browser_button.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\loader.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\canvas.js (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns238D.tmp (15 bytes)
%Program Files%\Bench\Updater\1.7.0.0\updater.exe (10772 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\browser_button.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\lang.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\uninstall.js (76 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\framework_api.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\console.js (1 bytes)
%Program Files%\SafetySearch\framework\lang.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\message_target.js (870 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\bottom-left.png (316 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_webrequest.js (129 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_common.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsProcess.dll (8 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-top.png (315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\io.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns2A72.tmp (15 bytes)
%Program Files%\Bench\BService\1.1\bhelper.dll (2719 bytes)
%Program Files%\SafetySearch\framework-ui\notifications.js (2 bytes)
%Program Files%\SafetySearch\framework\browser.js (12 bytes)
%Program Files%\SafetySearch\framework\extension_info.js (836 bytes)
%Program Files%\SafetySearch\config.xml (2 bytes)
%Program Files%\Bench\FService\1.1\fhelper.dll (5261 bytes)
%Program Files%\Bench\CService\1.0\chelper.dll (7665 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon100.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\extension_info.js (613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\get.dat (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_bg.js (892 bytes)
%Program Files%\SafetySearch\framework-ui\context_menu_item_handler.html (225 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\main_installer.js (1 bytes)
%Program Files%\SafetySearch\framework\loader.js (428 bytes)
%Program Files%\SafetySearch\framework-ui\framework_api.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\core.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\chrome_windows.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns24E5.tmp (15 bytes)
%Program Files%\SafetySearch\framework\initialize.js (532 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\projectInstaller.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\chrome_workaround.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon128.png (4 bytes)
%Program Files%\SafetySearch\framework\messaging.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\jquery.min.js (4587 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\api.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\info.xml (351 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\middle-right.png (234 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon32.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\notifications.js (797 bytes)
%Program Files%\SafetySearch\framework\console.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\includes\content.js (7 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\middle-left.png (235 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\bottom-right.png (311 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\top-middle.png (240 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\chrome.manifest (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\i18n.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\includes\content_loader.js (906 bytes)
%Program Files%\SafetySearch\CanvasFramework\jquery.min.js (2735 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\md5.js (3 bytes)
%Program Files%\Bench\CService\1.0\cservice.exe (3215 bytes)
%Program Files%\SafetySearch\framework-ui\context_menu.js (1 bytes)
%Program Files%\SafetySearch\icons\icon32.png (1 bytes)
%Program Files%\Bench\NmHost\nmhost.exe (4497 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns1E8A.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\icon.ico (32 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns3686.tmp (15 bytes)
%Program Files%\SafetySearch\extension_info.json (1 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_browseraction.js (822 bytes)
%Program Files%\SafetySearch\framework\invoke.js (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_browseraction.js (822 bytes)
%Program Files%\SafetySearch\framework\userscript_engine.js (3 bytes)
%Program Files%\SafetySearch\FrameworkBHO.dll (9500 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\System.dll (23 bytes)
%Program Files%\SafetySearch\framework\timer.js (934 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\invoke.js (406 bytes)
%Program Files%\SafetySearch\framework-ui\notification.html (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\installer.js (898 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\bootstrap.js (1 bytes)
%Program Files%\SafetySearch\framework\core.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsExecCv.dll (15 bytes)
%Program Files%\SafetySearch\framework\json2.js (2 bytes)
%Program Files%\SafetySearch\icons\icon128.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd21B7.tmp (595 bytes)
%Program Files%\Bench\Wd\wd.exe (2526 bytes)
%Program Files%\SafetySearch\FrameworkBHO64.dll (9651 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd21B6.tmp (274 bytes)
%Program Files%\SafetySearch\framework\io.js (2 bytes)
%Program Files%\SafetySearch\framework\api.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\md5dll.dll (14 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-bottom.png (315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns21C7.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\sqlite3.exe (18662 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\storage.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\background.html (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\button.png (517 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\messaging.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsDownloadCv.dll (3577 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\chrome_installer.js (6 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-right.png (304 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_common.js (6 bytes)
%Program Files%\SafetySearch\framework\storage.js (3 bytes)
%Program Files%\SafetySearch\framework\invoke_async.js (1 bytes)
%Program Files%\SafetySearch\framework\updater.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\migrate.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\canvas_content.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\SoftwareDetector.exe (5016 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\systeminfo.js (4 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns2CB4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns21C7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsExec.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3185.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\System.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\pz_info (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\get.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns238D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsExecCv.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd1841.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns24E5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsProcess2.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\md5dll.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsProcess.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3492.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns2A72.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns1E8A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns3686.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsDownloadCv.dll (0 bytes)
The process Updater.exe:3460 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Tasks\bench-sys.job (328 bytes)
The process fservice.exe:1832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Bench\FService\1.1\fhelper.dll (204 bytes)
The process regsvr32.exe:3208 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\SafetySearch\FrameworkBHO64.dll (495 bytes)
The process regsvr32.exe:3176 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\SafetySearch\FrameworkBHO.dll (405 bytes)
The process cscript.exe:3508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Bench\NmHost\manifest.json (215 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\gpedit.exe (98 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (79 bytes)
%Program Files%\Bench\NmHost\data\installer\fjnoekdlmmjagmmlchagfonjgbioomoo (1 bytes)
C:\Windows\System32\drivers\etc\hosts (1823 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair_data.json (2 bytes)
The process cscript.exe:1588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\storageedit.exe (77 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\SoftwareDetector.exe (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\sqlite3.exe (495 bytes)
The process cscript.exe:1988 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\browser.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\api.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\userscript_engine.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\canvas.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\chrome.manifest (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\xhr.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\bootstrap.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\includes\content.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\browser_button.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\background.html (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\includes\content_loader.js (906 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\extension_info.js (613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\context_menu.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\timer.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_bg.js (892 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_common.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon32.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair_data.json (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon48.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\invoke_async.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\i18n.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\framework_api.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\includes\content_messaging.js (730 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\loader.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\invoke.js (406 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\md5.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_webrequest.js (129 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\chrome_windows.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\io.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\core.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon100.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\console.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon128.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\uninstall.js (76 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\lang.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\messaging.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\extension_info.json (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\message_target.js (870 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\registry.js (707 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\canvas_content.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\backgroundscript_engine.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\options.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\storage.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_browseraction.js (822 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\extension_info.json (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\jquery.min.js (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\notifications.js (797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\button.png (517 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\utils.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\webrequest.js (6 bytes)
The process cscript.exe:2364 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair_data.json (4 bytes)
%Program Files%\SafetySearch\FrameworkEngine.exe (294 bytes)
%Program Files%\SafetySearch\extension_info.json (2 bytes)
The process updater.exe:4056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Tasks\bench-S-1-5-21-732923889-1296844034-1208581001-1000.job (328 bytes)
The process updater.exe:2120 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\BenchUpdater\products.xml (497 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\info.xml (0 bytes)
The process updater.exe:240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Tasks\bench-S-1-5-21-732923889-1296844034-1208581001-1000.job (326 bytes)
The process updater.exe:1660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Bench\Updater\products.xml (431 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd21B7.tmp (0 bytes)
The process cservice.exe:3280 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Bench\CService\1.0\chelper.dll (233 bytes)
The process bservice.exe:536 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Bench\BService\1.1\bhelper.dll (90 bytes)
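Most of the file activity above is the NSIS installer unpacking the SafetySearch/Bench payload under %Program Files% and %AppData%. The writes that matter for response are the handful that touch system or browser state: the hosts file, the local Group Policy store (gpt.ini, Registry.pol), .job files in C:\Windows\Tasks, the Chrome Preferences file, the Firefox profile's extensions directory, and the FrameworkBHO DLLs. The script below is an added example (not part of the Lavasoft report or the installer) that parses report lines of the form `path (N bytes)` and sorts them into those categories; the category rules and names are my own, and the sample input is a subset of the report's own lines.

```python
"""Triage the 'creates and/or writes' file list of a sandbox report.

Added example (not part of the Lavasoft report): groups each written path
into a tampering / persistence category so the high-signal writes (hosts
file, local GPO, scheduled task, browser profile, IE BHO) stand out from
the bulk of payload files dropped under %Program Files%.
"""
import re
from collections import defaultdict

# Report lines keep placeholders such as %Program Files% and
# "%CurrentUserName%"; they are left as-is and matched case-insensitively.
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<size>\d+) bytes\)$")

# Ordered (category, regex) pairs over the lower-cased path; first match wins.
RULES = [
    ("hosts_file",      re.compile(r"\\system32\\drivers\\etc\\hosts$")),
    ("local_gpo",       re.compile(r"\\system32\\grouppolicy\\")),
    ("scheduled_task",  re.compile(r"\\windows\\tasks\\.*\.job$")),
    ("chrome_profile",  re.compile(r"\\google\\chrome\\user data\\")),
    ("firefox_profile", re.compile(r"\\mozilla\\firefox\\profiles\\")),
    ("ie_bho",          re.compile(r"frameworkbho(64)?\.dll$")),
    # NSIS plug-in scratch dir: %Temp%\ns?XXXX.tmp\ (deleted again at the end)
    ("nsis_temp",       re.compile(r"\\appdata\\local\\temp\\ns[a-z]?[0-9a-f]{4}\.tmp")),
    ("dropped_exe",     re.compile(r"\.(exe|dll)$")),
]

def parse_line(line):
    """Return (path, size) for one report line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), int(m.group("size"))

def classify(path):
    """Map a written path to a category; 'payload_other' if nothing matches."""
    p = path.lower()
    for cat, rx in RULES:
        if rx.search(p):
            return cat
    return "payload_other"

def triage(lines):
    """Group report lines by category -> list of (path, size)."""
    groups = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, size = parsed
        groups[classify(path)].append((path, size))
    return dict(groups)

# Categories that mean system or browser state was changed, rather than the
# installer merely unpacking itself.
HIGH_SIGNAL = {"hosts_file", "local_gpo", "scheduled_task",
               "chrome_profile", "firefox_profile", "ie_bho"}

def high_signal_paths(lines):
    """Return only the paths in categories an IR analyst should act on."""
    groups = triage(lines)
    return sorted(p for cat in HIGH_SIGNAL for p, _ in groups.get(cat, []))

# Constructed input: a subset of the report's own file-activity lines.
SAMPLE = [
    r'C:\Windows\System32\GroupPolicy\gpt.ini (261 bytes)',
    r'C:\Windows\System32\GroupPolicy\Machine\Registry.pol (1208 bytes)',
    r'%Program Files%\SafetySearch\framework\message_target.js (977 bytes)',
    r'C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsExec.dll (14 bytes)',
    r'%Program Files%\SafetySearch\FrameworkBHO.dll (9500 bytes)',
    r'C:\Windows\Tasks\bench-sys.job (328 bytes)',
    r'C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (79 bytes)',
    r'C:\Windows\System32\drivers\etc\hosts (1823 bytes)',
    r'C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions.json (5 bytes)',
    r'%Program Files%\Bench\Updater\1.7.0.0\updater.exe (10772 bytes)',
]

if __name__ == "__main__":
    for cat, items in sorted(triage(SAMPLE).items()):
        print(f"{cat}:")
        for path, size in items:
            print(f"  {path}  [{size} bytes]")
```

Feed it the full "creates and/or writes" list and read the high-signal categories first; the report shows the hosts file write (1823 bytes) and the Registry.pol write but not their contents, so those two files are the ones to pull from a live host.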
Registry activity
The process FrameworkEngine.exe:1020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\TypeLib]
"(Default)" = "{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}]
"AppPath" = "%Program Files%\SafetySearch\"
[HKCR\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}]
"(Default)" = "SafetySearch"
[HKCR\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}]
"(Default)" = "IKangoEngine"
[HKCR\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\1.0]
"(Default)" = "EngineLib"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}]
"AppName" = "FrameworkEngine.exe"
[HKCR\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\LocalServer32]
"(Default)" = "%Program Files%\SafetySearch\FrameworkEngine.exe"
[HKCR\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}\TypeLib]
"(Default)" = "{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}"
[HKCR\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\LocalServer32]
"ServerExecutable" = "%Program Files%\SafetySearch\FrameworkEngine.exe"
[HKCR\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}]
"Policy" = "3"
[HKCR\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\Version]
"(Default)" = "1.0"
[HKCR\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafetySearch"
[HKCR\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\1.0\0\win32]
"(Default)" = "%Program Files%\SafetySearch\FrameworkEngine.exe"
The process %original file name%.exe:3668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process gpedit.exe:4048 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForceList]
"1" = "fjnoekdlmmjagmmlchagfonjgbioomoo;http://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{25A35375-5A53-46E1-872D-FB021280E7FA}Machine\Software\Policies\Google\Chrome\ExtensionInstallForcelist]
"1" = "fjnoekdlmmjagmmlchagfonjgbioomoo;http://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{25A35375-5A53-46E1-872D-FB021280E7FA}Machine\Software\Policies\Google]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{25A35375-5A53-46E1-872D-FB021280E7FA}User]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{25A35375-5A53-46E1-872D-FB021280E7FA}Machine\Software]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{25A35375-5A53-46E1-872D-FB021280E7FA}Machine\Software\Policies]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{25A35375-5A53-46E1-872D-FB021280E7FA}Machine]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{25A35375-5A53-46E1-872D-FB021280E7FA}Machine\Software\Policies\Google\Chrome]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{25A35375-5A53-46E1-872D-FB021280E7FA}Machine\Software\Policies\Google\Chrome\ExtensionInstallForcelist]
The process insF1FC.tmp.exe:3304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"DisplayVersion" = "1.0"
[HKLM\SOFTWARE\SafetySearch]
"CDN" = "safetysearch-a.akamaihd.net"
[HKLM\SOFTWARE\Bench\NmHost]
"(Default)" = "%Program Files%\Bench\NmHost\nmhost.exe"
[HKLM\SOFTWARE\SafetySearch]
"InstallTime" = "1480365683"
[HKLM\SOFTWARE\Bench\CService]
"PID" = "2031"
[HKLM\SOFTWARE\Bench\FService]
"Path" = "%Program Files%\Bench\FService\1.1"
[HKLM\SOFTWARE\SafetySearch]
"straoi" = "nov 28, 2016"
[HKLM\SOFTWARE\AdvertisingSupport]
"Existing" = "1"
[HKLM\SOFTWARE\Bench\CService]
"ZoneId" = "14136871"
[HKLM\SOFTWARE]
"38989" = "SafetySearch"
[HKLM\SOFTWARE\Bench\CService]
"Version" = "1.0"
[HKLM\SOFTWARE\AdvertisingSupport]
"Seen" = "1"
[HKLM\SOFTWARE\Bench\CService]
"aoi" = "1480365683"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER]
"iexplore.exe" = "0"
[HKLM\SOFTWARE\Bench\CService]
"Path" = "%Program Files%\Bench\CService\1.0"
[HKLM\SOFTWARE\Bench\FService\38989]
"{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}" = ""
[HKLM\SOFTWARE\Bench\CService]
"straoi" = "nov 28, 2016"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\uninstall.exe"
[HKLM\SOFTWARE\SafetySearch]
"SystemId" = "c62e94071dfd4f9df8f37d998ede05ad"
[HKLM\SOFTWARE\AdvertisingSupport]
"SystemId" = "c62e94071dfd4f9df8f37d998ede05ad"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch/icon.ico"
[HKLM\SOFTWARE\Bench\BService]
"Path" = "%Program Files%\Bench\BService\1.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"DisplayName" = "SafetySearch"
[HKLM\SOFTWARE\Bench\FService]
"Version" = "1.1"
[HKLM\SOFTWARE\Bench\CService\38989]
"(Default)" = ""
[HKLM\SOFTWARE\Bench\Updater\38989]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"InstallLocation" = "C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch"
[HKLM\SOFTWARE\Bench\Wd\38989]
"(Default)" = ""
[HKLM\SOFTWARE\SafetySearch]
"UTCInstallTime" = "1480358483"
[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"FrameworkEngine.exe" = "11001"
[HKLM\SOFTWARE\SafetySearch]
"PID" = "2031"
[HKLM\SOFTWARE\Bench\Updater]
"Path" = "%Program Files%\Bench\Updater\updater.exe"
[HKLM\SOFTWARE\Bench\BService]
"Version" = "1.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"NoRepair" = "1"
[HKLM\SOFTWARE\SafetySearch]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch"
"FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER_32" = "0"
[HKLM\SOFTWARE\Bench\FService\38989]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"Publisher" = "Stunning Apps"
[HKLM\SOFTWARE\Bench\CService]
"Format" = "//{domain}/loaders/{pid}/l.js?pid={pid}&systemid={systemid}&ext={ext}&aoi={aoi}&zoneid={zoneid}&crr={crr}&type=d"
[HKLM\SOFTWARE\SafetySearch]
"ZoneId" = "14136871"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"FrameworkEngine.exe" = "11001"
[HKLM\SOFTWARE\Bench\NmHost\38989]
"(Default)" = ""
[HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.bench.nmhost]
"(Default)" = "%Program Files%\Bench\NmHost\manifest.json"
[HKLM\SOFTWARE\Bench\CService]
"ext" = "SafetySearch"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsProcess.dll,"
[HKLM\SOFTWARE\AdvertisingSupport]
"SeenDate" = "1480358483"
[HKLM\SOFTWARE\SafetySearch]
"Seen" = "1"
[HKLM\SOFTWARE\Bench\BService\38989]
"(Default)" = ""
[HKLM\SOFTWARE\Bench\CService]
"Domain" = "safetysearch-a.akamaihd.net"
[HKLM\SOFTWARE\SafetySearch]
"SeenDate" = "1480358483"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"NoModify" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SafetySearch" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BService" = "%Program Files%\Bench\BService\1.1\bservice.exe"
"FService" = "%Program Files%\Bench\FService\1.1\fservice.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SafetySearch-repairJob" = "wscript.exe C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair.js SafetySearch-repairJob"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WD" = "%Program Files%\Bench\Wd\wd.exe"
"CService" = "%Program Files%\Bench\CService\1.0\cservice.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\SafetySearch]
"Seen"
[HKLM\SOFTWARE\AdvertisingSupport]
"Seen"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SafetySearch-repairJob"
"Wd"
The process regsvr32.exe:3176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\TypeLib]
"(Default)" = "{B5D3A0F0-0BFE-429A-A322-95F076081845}"
[HKCR\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0\0\win32]
"(Default)" = "%Program Files%\SafetySearch\FrameworkBHO.dll"
[HKCR\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}\TypeLib]
"(Default)" = "{B5D3A0F0-0BFE-429A-A322-95F076081845}"
[HKCR\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\TypeLib]
"(Default)" = "{B5D3A0F0-0BFE-429A-A322-95F076081845}"
[HKCR\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}]
"(Default)" = "IKangoToolbar"
[HKCR\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}]
"(Default)" = "SafetySearch"
[HKCR\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafetySearch"
[HKCR\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0]
"(Default)" = "Framework 1.0 Type Library"
[HKCR\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7782DBE4-75A1-453D-B9FD-643F752E4532}" = "SafetySearch"
[HKCR\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\InprocServer32]
"(Default)" = "%Program Files%\SafetySearch\FrameworkBHO.dll"
[HKCR\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}]
"(Default)" = "IKangoBHO"
[HKCR\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\InprocServer32]
"(Default)" = "%Program Files%\SafetySearch\FrameworkBHO.dll"
"ThreadingModel" = "Apartment"
[HKCR\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}]
"(Default)" = "SafetySearch BHO"
[HKCR\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\TypeLib]
"(Default)" = "{B5D3A0F0-0BFE-429A-A322-95F076081845}"
[HKCR\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\TypeLib]
"Version" = "1.0"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}]
"NoExplorer" = "1"
"(Default)" = "SafetySearch BHO"
The process cscript.exe:1588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\SafetySearch]
"czoneid" = "12199"
The process cscript.exe:3984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Bench\InstalledExtensions]
"38989" = ""
The process cscript.exe:2364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}]
"Flags" = "0"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7782DBE4-75A1-453D-B9FD-643F752E4532}"
Dropped PE files
MD5 | File path |
---|---|
8e4be86a6eb429ec81eda3e027d0d29d | c:\Program Files\Bench\BService\1.1\bhelper.dll |
e52deb34958a6b9c9defd04072ba320c | c:\Program Files\Bench\BService\1.1\bservice.exe |
59ee67deedd9086cbd4fa6b8d857ee70 | c:\Program Files\Bench\CService\1.0\chelper.dll |
fffee0f36c519fa973cf697a65b22371 | c:\Program Files\Bench\CService\1.0\cservice.exe |
807855debcc9534020d05dbfba5dbf3a | c:\Program Files\Bench\FService\1.1\fhelper.dll |
8d5c6e316e1c04772e50ecc268a1d8da | c:\Program Files\Bench\FService\1.1\fservice.exe |
5820ed0b943181e5c0cd842d73698d60 | c:\Program Files\Bench\NmHost\nmhost.exe |
729975e07ead4a4b14d020c2bb446833 | c:\Program Files\Bench\Updater\1.7.0.0\updater.exe |
27862bc4eb31d1e68b866a9f32c87fd4 | c:\Program Files\Bench\Updater\updater.exe |
b361e5282cbdd81b2222a3fe60f20b40 | c:\Program Files\Bench\Wd\wd.exe |
731d623281519541f71a696b71c16b90 | c:\Program Files\SafetySearch\FrameworkBHO.dll |
b29b7a811a626b60b460cb1c1a51ff87 | c:\Program Files\SafetySearch\FrameworkBHO64.dll |
888e7cba78f0bee1d0a669b9687330d0 | c:\Program Files\SafetySearch\FrameworkEngine.exe |
ba251b19a0dcbcde8f910dc97dd5074f | c:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\SoftwareDetector.exe |
2796990b18b323edd2446efec850a354 | c:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\gpedit.exe |
82771129b12517cf5c6e2244d14e8360 | c:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\sqlite3.exe |
161f9defe2b6718d7773d964f5c6dfd2 | c:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\storageedit.exe |
6431e91e5005953ea0ff94cc702160d2 | c:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\uninstall.exe |
da9d120e344d0749718e769d0ed22b44 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\insF1FC.tmp.exe |
05450face243b3a7472407b999b03a72 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsProcess.dll |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses before DNS is consulted. The modified file is 912 bytes in size. The following entry is added to the hosts file:
IP address | Host name |
---|---|
127.0.0.1 | validation.sls.microsoft.com |
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
FrameworkEngine.exe:1020
%original file name%.exe:3668
gpedit.exe:4048
insF1FC.tmp.exe:3304
Updater.exe:3460
fservice.exe:1832
regsvr32.exe:3208
regsvr32.exe:3176
cscript.exe:3508
cscript.exe:1588
cscript.exe:1988
cscript.exe:3984
cscript.exe:2364
updater.exe:4056
updater.exe:2120
updater.exe:240
updater.exe:1660
cservice.exe:3280
bservice.exe:536
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\insF1FC.tmp.exe (189223 bytes)
C:\Windows\System32\GroupPolicy\gpt.ini (261 bytes)
C:\Windows\System32\GroupPolicy\Machine\Registry.pol (1208 bytes)
%Program Files%\SafetySearch\framework\message_target.js (977 bytes)
%Program Files%\SafetySearch\framework-ui\options.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\context_menu.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\browser.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\includes\content_messaging.js (730 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\top-left.png (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\pz_info (26 bytes)
%Program Files%\SafetySearch\icons\button.png (517 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\options.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\gpedit.exe (1231 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_webrequest.js (129 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\ie_installer.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\extension_info.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\registry.js (707 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\timer.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\storageedit.exe (2705 bytes)
%Program Files%\Bench\BService\1.1\bservice.exe (533 bytes)
%Program Files%\SafetySearch\framework\backgroundscript_engine.js (2 bytes)
%Program Files%\SafetySearch\framework\global.js (1 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-left.png (307 bytes)
%Program Files%\SafetySearch\icons\icon100.png (3 bytes)
%Program Files%\Bench\Updater\updater.exe (1175 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\xhr.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\userscript_engine.js (2 bytes)
%Program Files%\SafetySearch\background.html (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\systemreport.js (537 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\utils.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SafetySearch\Uninstall.lnk (1 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_bg.js (892 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\webrequest.js (6 bytes)
%Program Files%\SafetySearch\framework\i18n.js (2 bytes)
%Program Files%\SafetySearch\CanvasFramework\canvas.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon48.png (1 bytes)
%Program Files%\SafetySearch\framework\utils.js (5 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\bottom-middle.png (240 bytes)
%Program Files%\SafetySearch\icons\icon48.png (1 bytes)
%Program Files%\SafetySearch\CanvasFramework\md5.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\invoke_async.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\uninstall.exe (3419 bytes)
%Program Files%\SafetySearch\FrameworkEngine.exe (7635 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns2CB4.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\backgroundscript_engine.js (1 bytes)
%Program Files%\SafetySearch\CanvasFramework\canvas_content.js (1 bytes)
%Program Files%\Bench\NmHost\manifest.json (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\canvas.js (9 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\top-right.png (308 bytes)
%Program Files%\Bench\FService\1.1\fservice.exe (2951 bytes)
%Program Files%\SafetySearch\CanvasFramework\webrequest.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox_installer.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsProcess2.dll (838 bytes)
%Program Files%\SafetySearch\framework\xhr.js (3 bytes)
%Program Files%\SafetySearch\CanvasFramework\registry.js (863 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\install.rdf (1 bytes)
%Program Files%\SafetySearch\framework-ui\browser_button.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\loader.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\canvas.js (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns238D.tmp (15 bytes)
%Program Files%\Bench\Updater\1.7.0.0\updater.exe (10772 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\browser_button.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\lang.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\uninstall.js (76 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\framework_api.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\console.js (1 bytes)
%Program Files%\SafetySearch\framework\lang.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\message_target.js (870 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\bottom-left.png (316 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_webrequest.js (129 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_common.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsProcess.dll (8 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-top.png (315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\io.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns2A72.tmp (15 bytes)
%Program Files%\Bench\BService\1.1\bhelper.dll (2719 bytes)
%Program Files%\SafetySearch\framework-ui\notifications.js (2 bytes)
%Program Files%\SafetySearch\framework\browser.js (12 bytes)
%Program Files%\SafetySearch\framework\extension_info.js (836 bytes)
%Program Files%\SafetySearch\config.xml (2 bytes)
%Program Files%\Bench\FService\1.1\fhelper.dll (5261 bytes)
%Program Files%\Bench\CService\1.0\chelper.dll (7665 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon100.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\extension_info.js (613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\get.dat (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_bg.js (892 bytes)
%Program Files%\SafetySearch\framework-ui\context_menu_item_handler.html (225 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\main_installer.js (1 bytes)
%Program Files%\SafetySearch\framework\loader.js (428 bytes)
%Program Files%\SafetySearch\framework-ui\framework_api.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\core.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\chrome_windows.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns24E5.tmp (15 bytes)
%Program Files%\SafetySearch\framework\initialize.js (532 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\projectInstaller.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\chrome_workaround.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon128.png (4 bytes)
%Program Files%\SafetySearch\framework\messaging.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\jquery.min.js (4587 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\api.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\info.xml (351 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\middle-right.png (234 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon32.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\notifications.js (797 bytes)
%Program Files%\SafetySearch\framework\console.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\includes\content.js (7 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\middle-left.png (235 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\bottom-right.png (311 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\top-middle.png (240 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\chrome.manifest (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\i18n.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\includes\content_loader.js (906 bytes)
%Program Files%\SafetySearch\CanvasFramework\jquery.min.js (2735 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\md5.js (3 bytes)
%Program Files%\Bench\CService\1.0\cservice.exe (3215 bytes)
%Program Files%\SafetySearch\framework-ui\context_menu.js (1 bytes)
%Program Files%\SafetySearch\icons\icon32.png (1 bytes)
%Program Files%\Bench\NmHost\nmhost.exe (4497 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns1E8A.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\icon.ico (32 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns3686.tmp (15 bytes)
%Program Files%\SafetySearch\extension_info.json (1 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_browseraction.js (822 bytes)
%Program Files%\SafetySearch\framework\invoke.js (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_browseraction.js (822 bytes)
%Program Files%\SafetySearch\framework\userscript_engine.js (3 bytes)
%Program Files%\SafetySearch\FrameworkBHO.dll (9500 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\System.dll (23 bytes)
%Program Files%\SafetySearch\framework\timer.js (934 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\invoke.js (406 bytes)
%Program Files%\SafetySearch\framework-ui\notification.html (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\installer.js (898 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\bootstrap.js (1 bytes)
%Program Files%\SafetySearch\framework\core.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsExecCv.dll (15 bytes)
%Program Files%\SafetySearch\framework\json2.js (2 bytes)
%Program Files%\SafetySearch\icons\icon128.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd21B7.tmp (595 bytes)
%Program Files%\Bench\Wd\wd.exe (2526 bytes)
%Program Files%\SafetySearch\FrameworkBHO64.dll (9651 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd21B6.tmp (274 bytes)
%Program Files%\SafetySearch\framework\io.js (2 bytes)
%Program Files%\SafetySearch\framework\api.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\md5dll.dll (14 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-bottom.png (315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns21C7.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\sqlite3.exe (18662 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\storage.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\background.html (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\button.png (517 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\messaging.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsDownloadCv.dll (3577 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\chrome_installer.js (6 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-right.png (304 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_common.js (6 bytes)
%Program Files%\SafetySearch\framework\storage.js (3 bytes)
%Program Files%\SafetySearch\framework\invoke_async.js (1 bytes)
%Program Files%\SafetySearch\framework\updater.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\migrate.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\canvas_content.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\SoftwareDetector.exe (5016 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\systeminfo.js (4 bytes)
C:\Windows\Tasks\bench-sys.job (328 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (79 bytes)
%Program Files%\Bench\NmHost\data\installer\fjnoekdlmmjagmmlchagfonjgbioomoo (1 bytes)
C:\Windows\System32\drivers\etc\hosts (1823 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair_data.json (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\browser.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\api.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\userscript_engine.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\canvas.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\chrome.manifest (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\xhr.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\bootstrap.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\includes\content.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\browser_button.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\background.html (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\includes\content_loader.js (906 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\extension_info.js (613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\context_menu.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\timer.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_bg.js (892 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_common.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon32.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon48.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\invoke_async.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\i18n.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\framework_api.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\includes\content_messaging.js (730 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\loader.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\invoke.js (406 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\md5.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_webrequest.js (129 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\chrome_windows.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\io.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\core.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon100.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\console.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon128.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\uninstall.js (76 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\lang.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\messaging.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\message_target.js (870 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\registry.js (707 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\canvas_content.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\backgroundscript_engine.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\options.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\storage.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_browseraction.js (822 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\extension_info.json (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\jquery.min.js (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\notifications.js (797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\button.png (517 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\utils.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\webrequest.js (6 bytes)
C:\Windows\Tasks\bench-S-1-5-21-732923889-1296844034-1208581001-1000.job (328 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\BenchUpdater\products.xml (497 bytes)
%Program Files%\Bench\Updater\products.xml (431 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SafetySearch" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BService" = "%Program Files%\Bench\BService\1.1\bservice.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FService" = "%Program Files%\Bench\FService\1.1\fservice.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SafetySearch-repairJob" = "wscript.exe C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair.js SafetySearch-repairJob"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WD" = "%Program Files%\Bench\Wd\wd.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CService" = "%Program Files%\Bench\CService\1.0\cservice.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 1.1.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.0.0
File Description:
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 70748 | 71168 | 4.59942 | 82c456d343592e9e366847f6b73b39d6 |
.rdata | 77824 | 25020 | 25088 | 3.22801 | 2bde5eac7ad12da7ba53279929920a7d |
.data | 106496 | 29660 | 21504 | 0.816513 | 604e239442f8b7da60746ee2c6a44683 |
.rsrc | 139264 | 27456 | 27648 | 4.02543 | 1201cd04fb4d0015033ccad9ac736b35 |
.reloc | 167936 | 4804 | 5120 | 4.43662 | 8d41a58665602d3c48e6a4ec841329f9 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 3
043b5becf3173c8b310c330f9e54bac0
4e1a385f850ea93ee6d6e6216c0e3f20
046a8b11d4587bc86a2597ed5c99ecb0
Network Activity
URLs
URL | IP |
---|---|
hxxp://a1073.d.akamai.net/get/.eJwtjDEOgCAQBP-yNYV4RNDPEBIRiUQJUGn8u6exnZ2dCy5nG2dMZEYzCjRXN0yIe20uJV8gkN-570gKnMfuP1sqSYPRjH7TLsmFyp7SigSYBc-dXI6ZE2Xly_0AGrwgww.LjL5MHmwXlFPQLOaRKBOG_1NMQc | |
hxxp://d2rx3wo6u6259k.cloudfront.net/installer-run/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/xriderexe/14136871/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&version=20150820 | |
hxxp://54.235.90.58/latest/crx/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4 | |
hxxp://a402.g.akamai.net/latest/crx/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4 | |
hxxp://d2rx3wo6u6259k.cloudfront.net/tbi-ping/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/xriderexe/14136871/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&version=20150820 | |
hxxp://d2rx3wo6u6259k.cloudfront.net/id-check/c62e94071dfd4f9df8f37d998ede05ad/ | |
hxxp://d2rx3wo6u6259k.cloudfront.net/newuser-ping/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/0/xriderexe/14136871/0/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&os=7&admin=1&version=20150820 | |
hxxp://www.installping5.info/tbi-ping/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/xriderexe/14136871/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&version=20150820 | 52.222.174.193 |
hxxp://www.installping5.info/id-check/c62e94071dfd4f9df8f37d998ede05ad/ | 52.222.174.193 |
hxxp://fjnoekdlmmjagmmlchagfonjgbioomoo/latest/crx/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4 | |
hxxp://www.installping5.info/newuser-ping/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/0/xriderexe/14136871/0/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&os=7&admin=1&version=20150820 | 52.222.174.193 |
hxxp://www.installping5.info/installer-run/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/xriderexe/14136871/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&version=20150820 | 52.222.174.193 |
hxxp://www.update-srv.info/latest/crx/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4 | 212.30.134.183 |
hxxp://www.vac-p2.info/get/.eJwtjDEOgCAQBP-yNYV4RNDPEBIRiUQJUGn8u6exnZ2dCy5nG2dMZEYzCjRXN0yIe20uJV8gkN-570gKnMfuP1sqSYPRjH7TLsmFyp7SigSYBc-dXI6ZE2Xly_0AGrwgww.LjL5MHmwXlFPQLOaRKBOG_1NMQc | 212.30.134.161 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /tbi-ping/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/xriderexe/14136871/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&version=20150820 HTTP/1.0
Host: VVV.installping5.info
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Server: nginx/1.8.0
Date: Mon, 28 Nov 2016 18:42:25 GMT
X-Powered-By: PHP/5.3.3
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 28 Nov 2016 18:41:30 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
X-Cache: Miss from cloudfront
Via: 1.1 8de312de5733c1d56008ab19876f303d.cloudfront.net (CloudFront)
X-Amz-Cf-Id: DGuX31Gfa_APPlUF3VAMhCdc-NYhZjzehhfpU5C9da_llZxU6jngeA==
GET /newuser-ping/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/0/xriderexe/14136871/0/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&os=7&admin=1&version=20150820 HTTP/1.0
Host: VVV.installping5.info
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Server: nginx/1.8.0
Date: Mon, 28 Nov 2016 18:42:25 GMT
X-Powered-By: PHP/5.3.3
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 28 Nov 2016 18:41:30 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
X-Cache: Miss from cloudfront
Via: 1.1 8d84df16ba20ff1d2ca3914948494e04.cloudfront.net (CloudFront)
X-Amz-Cf-Id: brTcyJNx3DZmJx_mCvvFe5uj9RnfyRAOp7NROlfBIxQFawErSYV0kw==
GET /latest/crx/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: VVV.update-srv.info
HTTP/1.1 200 OK
Content-Type: application/json
Server: nginx/1.4.6 (Ubuntu)
Content-Length: 285
Date: Mon, 28 Nov 2016 18:41:27 GMT
Connection: keep-alive
{
  "ext_id": "fjnoekdlmmjagmmlchagfonjgbioomoo",
  "ip": "54.225.95.126",
  "url": "hXXp://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4"
}
GET /latest/crx/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: fjnoekdlmmjagmmlchagfonjgbioomoo
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.4.6 (Ubuntu)
Date: Mon, 28 Nov 2016 18:46:37 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: hXXp://VVV.update-srv.info/latest/crx/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.4.6 (Ubuntu)</center>
</body>
</html>
GET /installer-run/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/xriderexe/14136871/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&version=20150820 HTTP/1.0
Host: VVV.installping5.info
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 26
Connection: close
Server: nginx/1.8.0
Date: Mon, 28 Nov 2016 18:42:19 GMT
X-Powered-By: PHP/5.3.3
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 28 Nov 2016 18:42:19 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
X-Cache: Miss from cloudfront
Via: 1.1 0f820adb6671fcc6033a9aa95ec8e0fb.cloudfront.net (CloudFront)
X-Amz-Cf-Id: WiLa6LCdowVfv52NmC1anhKr10kNPq54IfwsVQbJSddlZFyPnMd_rQ==
2031:14136871:nov 28, 2016..
GET /get/.eJwtjDEOgCAQBP-yNYV4RNDPEBIRiUQJUGn8u6exnZ2dCy5nG2dMZEYzCjRXN0yIe20uJV8gkN-570gKnMfuP1sqSYPRjH7TLsmFyp7SigSYBc-dXI6ZE2Xly_0AGrwgww.LjL5MHmwXlFPQLOaRKBOG_1NMQc HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
X-Builder-DL: 1
Host: VVV.vac-p2.info
HTTP/1.1 200 OK
Content-Disposition: attachment; filename="SafetySearch.exe"
Content-Type: application/octet-stream
Server: nginx/1.4.6 (Ubuntu)
Content-Length: 2961832
Date: Mon, 28 Nov 2016 18:41:21 GMT
Connection: keep-alive
[binary response body: PE executable ("MZ", "This program cannot be run in DOS mode", sections .text, .rdata, .data, .ndata, .rsrc, .reloc); raw dump omitted]
<<< skipped >>>
GET /id-check/c62e94071dfd4f9df8f37d998ede05ad/ HTTP/1.0
Host: VVV.installping5.info
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 1
Connection: close
Server: nginx/1.8.0
Date: Mon, 28 Nov 2016 16:22:20 GMT
X-Powered-By: PHP/5.3.3
Age: 8405
X-Cache: Hit from cloudfront
Via: 1.1 0f820adb6671fcc6033a9aa95ec8e0fb.cloudfront.net (CloudFront)
X-Amz-Cf-Id: kT19U7bpRxYn_M7VXPEFMkNjXtkTRm2ttmTh0XsVfSHiEZno9SNNwQ==
1..
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
bservice.exe_536:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
bservice.pdb
KERNEL32.dll
SetWindowsHookExW
UnhookWindowsHookEx
USER32.dll
SHLWAPI.dll
GetProcessHeap
GetCPInfo
? ?$?(?,?0?4?8?
4 4@4`4|4
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
bhelper.dll
Global\{4B5DC379-ED06-4552-A736-414A1570C24F}_bhelper_mutex0
%Program Files%\Bench\BService\1.1\bservice.exe
fservice.exe_1832:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
D:\Work\canvas-kango\misc\FirefoxHook\bin\fservice.pdb
GetProcessHeap
KERNEL32.dll
UnhookWindowsHookEx
SetWindowsHookExW
USER32.dll
SHLWAPI.dll
GetCPInfo
zcÃ
9 9$9(9,90949~9
8Ÿ9l9x9
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
kernel32.dll
USER32.DLL
fhelper.dll
lGlobal\{99C44C16-7756-43C1-8225-7AA442EA393E}_fhelper_mutex0
%Program Files%\Bench\FService\1.1\fservice.exe
cservice.exe_3280:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
D:\Users\craig\Documents\canvas-kango\framework\installer\cservice.pdb
GetProcessHeap
KERNEL32.dll
UnhookWindowsHookEx
SetWindowsHookExW
USER32.dll
SHLWAPI.dll
GetCPInfo
zcÃ
9 9$9(9,90949~9
8Ÿ9l9x9
: :<:>
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
kernel32.dll
USER32.DLL
chelper.dll
lGlobal\{0CF04375-3346-4EF0-B153-8378FF716E2C}_chelper_mutex0
%Program Files%\Bench\CService\1.0\cservice.exe
wd.exe_1404:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
wd.pdb
GetProcessHeap
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
GetCPInfo
zcÃ
: :$:(:,:0:4:~:
combase.dll
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
kernel32.dll
Global\{4B5DC379-ED06-4552-A736-414A1570C24F}_watchdog_mutex0
\bservice.exe
bservice.exe
\bservice64.exe
bservice64.exe
\cservice.exe
cservice.exe
\cservice64.exe
cservice64.exe
\fservice.exe
fservice.exe
\fservice64.exe
fservice64.exe
%Program Files%\Bench\Wd\wd.exe