not-a-virus:HEUR:AdWare.NSIS.Gottle.gen (Kaspersky), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 7c24a1ae2b2140639ce361b6c3526f36
SHA1: 2c7199c3b05df176febcbc3168e74667d1c1aa0f
SHA256: 30446296cf19c911324087eecadc9a2708995b6b71686239a7774244338da3e5
SSDeep: 98304:rjp0NGfjDYKEgZ44SFzwq0z4RkltohlR4:J0IfjCi44Sl0sRkYlR4
Size: 4178112 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
APNStub.exe:1360
%original file name%.exe:224
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process APNStub.exe:1360 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (571 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (153 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 (164 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 (933 bytes)
The process %original file name%.exe:224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\ApnToolbarInstaller.exe (51118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\UAC.dll (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\pantallatoolbar (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\ioSpecial.ini (6921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\ApnIC.dll (3624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\LangDLL.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\captura.bmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\modern-wizard.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\ApnStub.exe (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\InstallOptions.dll (14 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (0 bytes)
Registry activity
The process APNStub.exe:1360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Ask.com.tmp\General]
"eichk" = "http://img.apnanalytics.com/images/nocache/apn/tr.gif?ev=eichk&p2=^M3^YYYYYY^YY^UA&encb={incbid}&chk={ic_chk}&ts={random}&guid={guid}&dt={dt}&wft={wft}&inst={inst}&tb={tb}&hos={hos}&harch={harch}&hloc={hloc}&iv={iv}&fv={fv}&dbr={dbr}&vb={vb}&msi={msi}&dot={dot}"
"inst" = "200"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Ask.com.tmp\General]
"slwo" = "0"
"Guid" = "a7a13dfa-094d-4ed7-8f59-312d514e4183"
"cr" = "0"
"iedis" = "0"
"homepageurl" = "http://www.search.ask.com/?l=dis&o=13876"
"cbid" = "^M3"
"hloc" = "en-US"
"dtid" = "^YYYYYY^YY^UA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Ask.com.tmp\General]
"dbr" = "132"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Ask.com.tmp\Installer]
"homepageurl" = "http://www.search.ask.com/?l=dis&o=13876"
"eichk" = "http://img.apnanalytics.com/images/nocache/apn/tr.gif?ev=eichk&p2=^M3^YYYYYY^YY^UA&encb={incbid}&chk={ic_chk}&ts={random}&guid={guid}&dt={dt}&wft={wft}&inst={inst}&tb={tb}&hos={hos}&harch={harch}&hloc={hloc}&iv={iv}&fv={fv}&dbr={dbr}&vb={vb}&msi={msi}&dot={dot}"
[HKCU\Software\Ask.com.tmp\General]
"qsrc" = "2871"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Ask.com.tmp\Installer]
"Guid" = "a7a13dfa-094d-4ed7-8f59-312d514e4183"
"oi" = "nop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Ask.com.tmp\General]
"dt" = "9500"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Ask.com.tmp\Installer]
"nthp" = "0"
[HKCU\Software\Ask.com.tmp\General]
"o" = "13874"
"l" = "dis"
"crif" = "1"
"apn_dbr" = "ie_6.0.2900.5512"
[HKCU\Software\Ask.com.tmp\Installer]
"crif" = "1"
[HKCU\Software\Ask.com.tmp\General]
"client" = "ic"
"hos" = "5.1.1.sp3.x86"
"Locale" = "en_US"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F CE 87 E8 06 3E 41 23 93 DD B2 B1 81 9B 38 A0"
[HKCU\Software\Ask.com.tmp\Installer]
"repurl" = "http://img.apnanalytics.com/images/nocache/apn/tr.gif?ev=eichk&p2=^M3^YYYYYY^YY^UA&encb={incbid}&chk={ic_chk}&ts={random}&guid="
[HKCU\Software\Ask.com.tmp\General]
"tb-version" = "5.12.2.0"
"nthp" = "0"
[HKCU\Software\Ask.com.tmp\Macro]
"slwo" = "0"
[HKCU\Software\Ask.com.tmp\General]
"dot" = "6"
[HKCU\Software\Ask.com.tmp\Installer]
"ff-max-version" = "13.*"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Ask.com.tmp\General]
"location" = "Kharkiv,Ukraine"
"tb-installer-path" = "http://apnmedia.ask.com/media/toolbar/supertoolbar/profile-ask/EverestWrapper.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Ask.com.tmp\General]
"make-offer" = "1"
"repurl" = "http://img.apnanalytics.com/images/nocache/apn/tr.gif?ev=eichk&p2=^M3^YYYYYY^YY^UA&encb={incbid}&chk={ic_chk}&ts={random}&guid="
[HKCU\Software\Ask.com.tmp\Macro]
"dtid" = "^YYYYYY^YY^UA"
[HKCU\Software\Ask.com.tmp\General]
"ff-max-version" = "13.*"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Ask.com.tmp\General]
"wft" = "remote"
"harch" = "32"
[HKCU\Software\Ask.com.tmp\Macro]
"cbid" = "^M3"
[HKCU\Software\Ask.com.tmp\General]
"to" = ""
"ewrap" = "http://img.apnanalytics.com/images/nocache/apn/tr.gif?ev=ewrap&p2=^M3^YYYYYY^YY^UA&stb={wr_tbr}&ssa={wr_sa}&shpr={wr_hpr}&param={param}&ts={random}&guid={guid}&dt={dt}&inst={inst}&tb={tb}&hos={hos}&harch={harch}&hloc={hloc}&iv={iv}&fv={fv}&dbr={dbr}&vb={vb}&msi={msi}&wft={wft}&dot={dot}&erd={erd}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Ask.com.tmp\Macro]
"location" = "Kharkiv,Ukraine"
[HKCU\Software\Ask.com.tmp\General]
"oi" = "nop"
"tb" = "MP3"
"clientv" = "9.9.9.9"
[HKCU\Software\Ask.com.tmp\Macro]
"crumb" = "2016.08.16 19.21.19-dubprdapntlfe20-UA-S2hhcmtpdixVa3JhaW5l"
[HKCU\Software\Ask.com.tmp\General]
"saguid" = "55705d64-367c-4b8b-a716-4d0ff26d18ff"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Ask.com.tmp\Macro]
"Locale" = "en_US"
"qsrc" = "2871"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Ask.com.tmp\General]
"einst" = "http://img.apnanalytics.com/images/nocache/apn/tr.gif?ev=einst&p2=^M3^YYYYYY^YY^UA&stb={wr_tbr}&ssa={wr_sa}&shpr={wr_hpr}&res={ci_res}&erc={ci_erc}&itime={itime}&hos={hos}&harch={harch}&hloc={hloc}&iv={iv}&fv={fv}&dbr={dbr}&vb={vb}&msi={msi}&ts={random}&guid={guid}&wft={wft}&dot={dot}&inst={inst}&tb={tb}&dt={dt}&erd={erd}"
"iev" = "6.0.2900.5512"
[HKCU\Software\Ask.com.tmp\Installer]
"make-offer" = "1"
[HKCU\Software\Ask.com.tmp\General]
"same-partner" = "0"
[HKCU\Software\Ask.com.tmp\Macro]
"to" = ""
[HKCU\Software\Ask.com.tmp\General]
"fv" = ""
"fflu" = "-2"
"crumb" = "2016.08.16 19.21.19-dubprdapntlfe20-UA-S2hhcmtpdixVa3JhaW5l"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Ask.com.tmp\General]
"ielu" = "-2"
[HKCU\Software\Ask.com.tmp\Macro]
"l" = "dis"
"o" = "13874"
[HKCU\Software\Ask.com.tmp\General]
"iv" = "6.0.2900.5512"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots in their names that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 25 3B 72 F4 FA 5C 57 B1 48 5B 87 EF 93 AA 17"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
MD5 | File path |
---|---|
b28c334c03cee7c5e829c43ae75dae5a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AskSLib.dll |
016b4cb0f363e8563ae9d4c97189ae5d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsv2.tmp\ApnIC.dll |
23ee55d0c183cc6e85c8fb97fb5973e8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsv2.tmp\ApnStub.exe |
5f877d4957b9e034fd4b66e048d44ed6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsv2.tmp\ApnToolbarInstaller.exe |
325b008aec81e5aaa57096f05d4212b5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsv2.tmp\InstallOptions.dll |
9384f4007c492d4fa040924f31c00166 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsv2.tmp\LangDLL.dll |
09caf01bc8d88eeb733abc161acff659 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsv2.tmp\UAC.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
APNStub.exe:1360
%original file name%.exe:224
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (571 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (153 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 (164 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\ApnToolbarInstaller.exe (51118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\UAC.dll (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\pantallatoolbar (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\ioSpecial.ini (6921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\ApnIC.dll (3624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\LangDLL.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\captura.bmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\modern-wizard.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\ApnStub.exe (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\InstallOptions.dll (14 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 77824 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 270336 | 16544 | 16896 | 4.13355 | 4ad1dbda51389ca208c78d800fb4d3b6 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 5289
Network Activity
URLs
URL | IP |
---|---|
hxxp://e5728.b.akamaiedge.net/media/toolbar/stub/1.0.0.0/ApnIC.dll?tb=MP3&version=1.0.0.0 | |
hxxp://e6845.dscb1.akamaiedge.net/pca3.crl | |
hxxp://e6845.dscb1.akamaiedge.net/pca3-g5.crl | |
hxxp://e6845.dscb1.akamaiedge.net/CSC3-2010.crl | |
hxxp://websearch.ask.com/installed?client=ic&tb=MP3&dtid=&id=a7a13dfa-094d-4ed7-8f59-312d514e4183&ipid=&iev=6.0.2900.5512&iedis=0&ielu=-2&fflu=-2&iv=&nv=&clientv=9.9.9.9&said=55705d64-367c-4b8b-a716-4d0ff26d18ff&browser-lang=en&apn_dbr=ie_6.0.2900.5512&cr=0 | 199.36.102.106 |
hxxp://crl.verisign.com/pca3.crl | 23.37.37.163 |
hxxp://apnmedia.ask.com/media/toolbar/stub/1.0.0.0/ApnIC.dll?tb=MP3&version=1.0.0.0 | 95.101.250.206 |
hxxp://crl.verisign.com/pca3-g5.crl | 23.37.37.163 |
hxxp://csc3-2010-crl.verisign.com/CSC3-2010.crl | 23.37.37.163 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
HEAD /media/toolbar/stub/1.0.0.0/ApnIC.dll?tb=MP3&version=1.0.0.0 HTTP/1.1
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/6.7
Host: apnmedia.ask.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "b28c334c03cee7c5e829c43ae75dae5a:1359414902"
Last-Modified: Mon, 28 Jan 2013 22:20:56 GMT
Accept-Ranges: bytes
Content-Length: 248008
Content-Type: application/octet-stream
Date: Tue, 16 Aug 2016 23:21:15 GMT
Connection: keep-alive
GET /media/toolbar/stub/1.0.0.0/ApnIC.dll?tb=MP3&version=1.0.0.0 HTTP/1.1
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/6.7
Host: apnmedia.ask.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "b28c334c03cee7c5e829c43ae75dae5a:1359414902"
Last-Modified: Mon, 28 Jan 2013 22:20:56 GMT
Accept-Ranges: bytes
Content-Length: 248008
Content-Type: application/octet-stream
Date: Tue, 16 Aug 2016 23:21:15 GMT
Connection: keep-alive
<<< skipped >>>
GET /installed?client=ic&tb=MP3&dtid=&id=a7a13dfa-094d-4ed7-8f59-312d514e4183&ipid=&iev=6.0.2900.5512&iedis=0&ielu=-2&fflu=-2&iv=&nv=&clientv=9.9.9.9&said=55705d64-367c-4b8b-a716-4d0ff26d18ff&browser-lang=en&apn_dbr=ie_6.0.2900.5512&cr=0 HTTP/1.1
User-Agent: ic Windows NT 5.1 MSIE 6.0 Firefox/ Def132 .NET CLR 2.0.50727 .NET CLR 3.0.04506.648 .NET CLR 3.5.21022 .NET4.0C
Host: websearch.ask.com
HTTP/1.1 200 OK
Date: Tue, 16 Aug 2016 23:21:20 GMT
Server: Apache
Content-Length: 2689
Connection: close
Content-Type: text/xml;charset=UTF-8
<?xml version="1.0" encoding="UTF-8"?>.<options id="MP3"><option id="to" value="" client="macro"/>.<option id="dtid" value="^YYYYYY^YY^UA" client="macro"/>.<option id="tb-version" value="5.12.2.0" client="stub"/>.<option id="location" value="Kharkiv,Ukraine" client="macro"/>.<option id="locale" value="en_US" client="macro"/>.<option id="repurl" value="hXXp://img.apnanalytics.com/images/nocache/apn/tr.gif?ev=eichk&p2=^M3^YYYYYY^YY^UA&encb={incbid}&chk={ic_chk}&ts={random}&guid=" client="installer"/>.<option id="same-partner" value="0" client=""/>.<option id="ff-max-version" value="13.*" client="installer"/>.<option id="homepageurl" value="hXXp://VVV.search.ask.com/?l=dis&o=13876" client="installer"/>.<option id="tb-installer-path" value="hXXp://apnmedia.ask.com/media/toolbar/supertoolbar/profile-ask/EverestWrapper.exe" client="stub"/>.<option id="nthp" value="0" client="installer"/>.<option id="cbid" value="^M3" client="macro"/>.<option id="einst" value="hXXp://img.apnanalytics.com/images/nocache/apn/tr.gif?ev=einst&p2=^M3^YYYYYY^YY^UA&stb={wr_tbr}&ssa={wr_sa}&shpr={wr_hpr}&res={ci_res}&erc={ci_erc}&itime={itime}&hos={hos}&harch={harch}&hloc={hloc}&iv={iv}&fv={fv}&dbr={dbr}&vb={vb}&msi={msi}&ts={random}&guid={guid}&wft={wft}&dot={dot}&inst={inst}&tb={tb}&dt={dt}&erd={erd}" client="wrapper"/>.<option id="oi"
<<< skipped >>>
GET /pca3.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "6df834358a0bb5e934947d15c0372dc3:1466795723"
Last-Modified: Fri, 24 Jun 2016 19:15:23 GMT
Date: Tue, 16 Aug 2016 23:21:16 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl
GET /pca3-g5.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "49ddd5ee9b8941ed8ccf55aec088f07c:1467490816"
Last-Modified: Sat, 02 Jul 2016 20:20:16 GMT
Date: Tue, 16 Aug 2016 23:21:16 GMT
Content-Length: 571
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>
GET /CSC3-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2010-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "c6fd6fbd2d519ad5614d8723c7da2722:1471381821"
Last-Modified: Tue, 16 Aug 2016 21:10:21 GMT
Date: Tue, 16 Aug 2016 23:21:19 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_224:
.text
.text
`.rdata
`.rdata
@.data
@.data
.ndata
.ndata
.rsrc
.rsrc
uDSSh
uDSSh
.DEFAULT\Control Panel\International
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
ExitWindowsEx
ExitWindowsEx
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
SHFileOperationA
SHFileOperationA
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
RegEnumKeyA
RegEnumKeyA
RegCreateKeyExA
RegCreateKeyExA
RegCloseKey
RegCloseKey
RegDeleteKeyA
RegDeleteKeyA
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
COMCTL32.dll
COMCTL32.dll
ole32.dll
ole32.dll
VERSION.dll
VERSION.dll
verifying installer: %d%%
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
hXXp://nsis.sf.net/NSIS_Error
... %d%%
... %d%%
~nsu.tmp
~nsu.tmp
%u.%u%s%s
%u.%u%s%s
RegDeleteKeyExA
RegDeleteKeyExA
%s=%s
%s=%s
*?|/":
*?|/":
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv2.tmp\InstallOptions.dll
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv2.tmp\InstallOptions.dll
an Ares. Behalve de Ares zal onze werkbalk ook aan u aangeboden worden als deel van de download manager. Deze download manager is niet geassocie?rd met de maker van Ares op geen enkele manier en werkt als een onafhankelijke entiteit die zijn betrouwbaarheid verzekert. Deze download manager vormt deel uit van deze webpagina?s veiligheids maatregelen die de betrouwbaarheid en veiligheid van zijn downloads garanderen. Het belangrijkste doel van deze webpagina is om u in staat te stellen de bestaande virussen en malware in de miljoenen downloads die momenteel op Internet beschikbaar zijn te filteren.
an Ares. Behalve de Ares zal onze werkbalk ook aan u aangeboden worden als deel van de download manager. Deze download manager is niet geassocie?rd met de maker van Ares op geen enkele manier en werkt als een onafhankelijke entiteit die zijn betrouwbaarheid verzekert. Deze download manager vormt deel uit van deze webpagina?s veiligheids maatregelen die de betrouwbaarheid en veiligheid van zijn downloads garanderen. Het belangrijkste doel van deze webpagina is om u in staat te stellen de bestaande virussen en malware in de miljoenen downloads die momenteel op Internet beschikbaar zijn te filteren.
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv2.tmp\InstallOptions.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv2.tmp\InstallOptions.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv2.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv2.tmp
en en installatie van Ares. Behalve de Ares zal onze werkbalk ook aan u aangeboden worden als deel van de download manager. Deze download manager is niet geassocie?rd met de maker van Ares op geen enkele manier en werkt als een onafhankelijke entiteit die zijn betrouwbaarheid verzekert. Deze download manager vormt deel uit van deze webpagina?s veiligheids maatregelen die de betrouwbaarheid en veiligheid van zijn downloads garanderen. Het belangrijkste doel van deze webpagina is om u in staat te stellen de bestaande virussen en malware in de miljoenen downloads die momenteel op Internet beschikbaar zijn te filteren.
en en installatie van Ares. Behalve de Ares zal onze werkbalk ook aan u aangeboden worden als deel van de download manager. Deze download manager is niet geassocie?rd met de maker van Ares op geen enkele manier en werkt als een onafhankelijke entiteit die zijn betrouwbaarheid verzekert. Deze download manager vormt deel uit van deze webpagina?s veiligheids maatregelen die de betrouwbaarheid en veiligheid van zijn downloads garanderen. Het belangrijkste doel van deze webpagina is om u in staat te stellen de bestaande virussen en malware in de miljoenen downloads die momenteel op Internet beschikbaar zijn te filteren.
@.reloc
@.reloc
comdlg32.dll
comdlg32.dll
InstallOptions.dll
InstallOptions.dll
PASSWORD
PASSWORD
Field %d
Field %d
All Files|*.*
All Files|*.*
$ /,,,,// )
$ /,,,,// )
,,,,// )
,,,,// )
,,,,//
,,,,//
.reloc
.reloc
SShL0
SShL0
PeekNamedPipe
PeekNamedPipe
CreatePipe
CreatePipe
nsExec.dll
nsExec.dll
9Â9|9
9Â9|9
: :0:5:>:
: :0:5:>:
u.Wj@
u.Wj@
MSVCRT.dll
MSVCRT.dll
HttpSendRequestA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExA
HttpQueryInfoA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
/password
Uploading %s
nsv2.tmp
ze wizard zal u door de download leiden en installatie van Ares. Behalve de Ares zal onze werkbalk ook aan u aangeboden worden als deel van de download manager. Deze download manager is niet geassocie?rd met de maker van Ares op geen enkele manier en werkt als een onafhankelijke entiteit die zijn betrouwbaarheid verzekert. Deze download manager vormt deel uit van deze webpagina?s veiligheids maatregelen die de betrouwbaarheid en veiligheid van zijn downloads garanderen. Het belangrijkste doel van deze webpagina is om u in staat te stellen de bestaande virussen en malware in de miljoenen downloads die momenteel op Internet beschikbaar zijn te filteren.
c:\%original file name%.exe
%Program Files%\Ares
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
zard zal u door de download leiden en installatie van Ares. Behalve de Ares zal onze werkbalk ook aan u aangeboden worden als deel van de download manager. Deze download manager is niet geassocie?rd met de maker van Ares op geen enkele manier en werkt als een onafhankelijke entiteit die zijn betrouwbaarheid verzekert. Deze download manager vormt deel uit van deze webpagina?s veiligheids maatregelen die de betrouwbaarheid en veiligheid van zijn downloads garanderen. Het belangrijkste doel van deze webpagina is om u in staat te stellen de bestaande virussen en malware in de miljoenen downloads die momenteel op Internet beschikbaar zijn te filteren.
755631031
1048896
Nullsoft Install System v2.46