not-a-virus:HEUR:AdWare.Win32.InstallMonster.gen (Kaspersky), Trojan.Win32.IEDummy.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 6018f522029cfa4a5ba5d6e6afb97446
SHA1: 41c0ebd8f89ae40aa7382a7ad5a23f5321c87169
SHA256: a534ec946bf220d97f35df675366f1343bb48b1182a32ae1588cea520dc80299
SSDeep: 98304:xzV5FDvRqbCKApy0vsub uJA507DR1KrFEP54/ZA:xJ7EbC Xy9JvDRYrF4
Size: 3549152 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPXv0896v102v105v122Delphistub, UPolyXv05_v6
Company: Software Bundle Company
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1392
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1392 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
Registry activity
The process %original file name%.exe:1392 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKCR\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\ProgID]
"(Default)" = "6018f522029cfa4a5ba5d6e6afb97446.DynamicNS"
[HKCR\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}]
"(Default)" = "DynamicNS"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
"CategoryCount" = "16"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKCR\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\LocalServer32]
"(Default)" = "c:\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\6018f522029cfa4a5ba5d6e6afb97446\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 8C D7 F0 AF 31 7E 59 A5 78 32 52 AD BB CD 7E"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKCR\6018f522029cfa4a5ba5d6e6afb97446.DynamicNS\Clsid]
"(Default)" = "{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\6018f522029cfa4a5ba5d6e6afb97446.DynamicNS]
"(Default)" = "DynamicNS"
The Trojan modifies the IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies the IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\6018f522029cfa4a5ba5d6e6afb97446\DEBUG]
"Trace Level"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1392
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Software Bundle Company
Product Name:
Product Version: 1.0.0.0
Legal Copyright: Copiright
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: Software Bundle
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 2445312 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 2449408 | 2220032 | 2217472 | 5.47136 | 76e39e3289dd2401cd6caaf1a60bfbf5 |
.rsrc | 4669440 | 24576 | 20992 | 3.65806 | f8ad800ddaef627cd94ca2f6384da75f |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 66
Network Activity
URLs
URL | IP |
---|---|
hxxp://bluestacks-club-download.ru/BlueStacks-SplitInstaller.exe | 46.30.40.94 |
hxxp://piroga.space/pages/inmon/im-typ.html | |
hxxp://piroga.space/pages/inmon/css/style.css | |
hxxp://piroga.space/pages/inmon/images/icon1-green.png | |
hxxp://piroga.space/pages/inmon/images/icon2-green.png | |
hxxp://piroga.space/pages/inmon/images/icon3-green.png | |
hxxp://cast-prod-dlv-pull.ironsrc.netdna-cdn.com/scripts/1/adnl.min.js | |
hxxp://neu-dl-api.cloudapp.net/api/vv/1?callback=cb_1465902533406&ts=1465902533406&sessionId=cxyt&rfr=&siteId=9306&aus=5584,1,0 | |
hxxp://cast-prod-dlv-pull.ironsrc.netdna-cdn.com/images/1eaeba30-fae9-4091-b89c-7f1ccf25c528.jpg | |
hxxp://neu-dl-api.cloudapp.net/api/vp/1?clk=rKEPfio3b3U5JfBO2MgoCH-COOuZDTmoqwAes30yY9R9SPfweo3rNrLBO6MAbW42B_uI2KOs3rTD-bW1NzKa3rHI7Z_xYJATeVCM1zVHXEEO2mtE7l7euoJl19vODmMwNrG15gE2oTf2Hx1kBMXeyxjUmQR6b02PsfXZzD155g8Sa1iVZsN8ed1VAKCJyKFCP_LVsQGSu1D1ylp4wF5RUaBLqtPY8XVgascWTiIyj1ggcKz3Zyhg6Bm4UiQEqSU4StWKknc5pUFxefx4RngrL9mOOTjDrBIdrb5_tYFc7AlFUd7GvbS5Bj3jhGqo_tHj6Asva6r6NH7KrVjWbQ_O2pHhkp5yvu0eGmnxSmIx1PNCbq1Xf2TLFsiv_iYsMcaf-_iMoaIl7XNdCQsbdziPDrTuPkdWaN0ydDczySEa8ZFv0eNHIJ06lrDKSKxI_H4zfz347ujquOhzqzXFMuFa-0e4mn8Db4OKDDzal8SAHc0&rfr= | |
hxxp://d.castplatform.com/api/vv/1?callback=cb_1465902533406&ts=1465902533406&sessionId=cxyt&rfr=&siteId=9306&aus=5584,1,0 | 40.127.174.50 |
hxxp://d.castplatform.com/api/vp/1?clk=rKEPfio3b3U5JfBO2MgoCH-COOuZDTmoqwAes30yY9R9SPfweo3rNrLBO6MAbW42B_uI2KOs3rTD-bW1NzKa3rHI7Z_xYJATeVCM1zVHXEEO2mtE7l7euoJl19vODmMwNrG15gE2oTf2Hx1kBMXeyxjUmQR6b02PsfXZzD155g8Sa1iVZsN8ed1VAKCJyKFCP_LVsQGSu1D1ylp4wF5RUaBLqtPY8XVgascWTiIyj1ggcKz3Zyhg6Bm4UiQEqSU4StWKknc5pUFxefx4RngrL9mOOTjDrBIdrb5_tYFc7AlFUd7GvbS5Bj3jhGqo_tHj6Asva6r6NH7KrVjWbQ_O2pHhkp5yvu0eGmnxSmIx1PNCbq1Xf2TLFsiv_iYsMcaf-_iMoaIl7XNdCQsbdziPDrTuPkdWaN0ydDczySEa8ZFv0eNHIJ06lrDKSKxI_H4zfz347ujquOhzqzXFMuFa-0e4mn8Db4OKDDzal8SAHc0&rfr= | 40.127.174.50 |
hxxp://cdn.castplatform.com/images/1eaeba30-fae9-4091-b89c-7f1ccf25c528.jpg | 198.232.124.20 |
hxxp://cdn.castplatform.com/scripts/1/adnl.min.js | 198.232.124.20 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /pages/inmon/images/icon1-green.png HTTP/1.1
Accept: */*
Referer: hXXp://piroga.space/pages/inmon/im-typ.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: piroga.space
Connection: Keep-Alive
Cookie: X-Mapping-fjhppofk=5B673B9FC730391AFA5DB6CAA00AAEEE
HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Tue, 14 Jun 2016 11:08:43 GMT
Content-Type: image/png
Content-Length: 3392
Last-Modified: Wed, 12 Aug 2015 13:59:00 GMT
Connection: keep-alive
ETag: "55cb5124-d40"
Accept-Ranges: bytes
<<< skipped >>>
GET /pages/inmon/images/icon3-green.png HTTP/1.1
Accept: */*
Referer: hXXp://piroga.space/pages/inmon/im-typ.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: piroga.space
Connection: Keep-Alive
Cookie: X-Mapping-fjhppofk=5B673B9FC730391AFA5DB6CAA00AAEEE
HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Tue, 14 Jun 2016 11:08:43 GMT
Content-Type: image/png
Content-Length: 1519
Last-Modified: Wed, 12 Aug 2015 13:59:00 GMT
Connection: keep-alive
ETag: "55cb5124-5ef"
Accept-Ranges: bytes
<<< skipped >>>
GET /api/vv/1?callback=cb_1465902533406&ts=1465902533406&sessionId=cxyt&rfr=&siteId=9306&aus=5584,1,0 HTTP/1.1
Accept: */*
Referer: hXXp://piroga.space/pages/inmon/im-typ.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.castplatform.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 1076
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
X-Country: UA
P3P: CP='NON UNI COM NAV STA OUR IND'
Set-Cookie: cuuid=1b005f8b-3808-455f-98d8-86cc789ad08c; expires=Sun, 14 Jun 2026 11:08:52 GMT; domain=d.castplatform.com; path=/
X-Elapsed: 187
X-Node: NEU3961D1
Date: Tue, 14 Jun 2016 11:08:51 GMT
cb_1465902533406 && cb_1465902533406({"zones":[{"id":5584,"status":200,"enabled":true,"template":"Free_Creative_800x440","data":[{"clickTag":null,"clk":"rKEPfio3b3U5JfBO2MgoCH-COOuZDTmoqwAes30yY9R9SPfweo3rNrLBO6MAbW42B_uI2KOs3rTD-bW1NzKa3rHI7Z_xYJATeVCM1zVHXEEO2mtE7l7euoJl19vODmMwNrG15gE2oTf2Hx1kBMXeyxjUmQR6b02PsfXZzD155g8Sa1iVZsN8ed1VAKCJyKFCP_LVsQGSu1D1ylp4wF5RUaBLqtPY8XVgascWTiIyj1ggcKz3Zyhg6Bm4UiQEqSU4StWKknc5pUFxefx4RngrL9mOOTjDrBIdrb5_tYFc7AlFUd7GvbS5Bj3jhGqo_tHj6Asva6r6NH7KrVjWbQ_O2pHhkp5yvu0eGmnxSmIx1PNCbq1Xf2TLFsiv_iYsMcaf-_iMoaIl7XNdCQsbdziPDrTuPkdWaN0ydDczySEa8ZFv0eNHIJ06lrDKSKxI_H4zfz347ujquOhzqzXFMuFa-0e4mn8Db4OKDDzal8SAHc0","width":800,"height":440,"cUrl":"hXXp://d.castplatform.com/api/c/1?clk=%clk%","trackers":[{"type":"Url","content":"hXXp://d.castplatform.com/api/vp/1?clk=%clk%"}],"category":null,"assets":[{"assetDisplayType":1,"width":800,"height":440,"url":"//cdn.castplatform.com/images/1eaeba30-fae9-4091-b89c-7f1ccf25c528.jpg","javascript":"","clickTagVar":""}]}],"styles":null,"settings":{"adUnitTitle":""},"displayType":"Size"}],"ts":187});....
GET /api/vp/1?clk=rKEPfio3b3U5JfBO2MgoCH-COOuZDTmoqwAes30yY9R9SPfweo3rNrLBO6MAbW42B_uI2KOs3rTD-bW1NzKa3rHI7Z_xYJATeVCM1zVHXEEO2mtE7l7euoJl19vODmMwNrG15gE2oTf2Hx1kBMXeyxjUmQR6b02PsfXZzD155g8Sa1iVZsN8ed1VAKCJyKFCP_LVsQGSu1D1ylp4wF5RUaBLqtPY8XVgascWTiIyj1ggcKz3Zyhg6Bm4UiQEqSU4StWKknc5pUFxefx4RngrL9mOOTjDrBIdrb5_tYFc7AlFUd7GvbS5Bj3jhGqo_tHj6Asva6r6NH7KrVjWbQ_O2pHhkp5yvu0eGmnxSmIx1PNCbq1Xf2TLFsiv_iYsMcaf-_iMoaIl7XNdCQsbdziPDrTuPkdWaN0ydDczySEa8ZFv0eNHIJ06lrDKSKxI_H4zfz347ujquOhzqzXFMuFa-0e4mn8Db4OKDDzal8SAHc0&rfr= HTTP/1.1
Accept: */*
Referer: hXXp://piroga.space/pages/inmon/im-typ.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.castplatform.com
Connection: Keep-Alive
Cookie: cuuid=1b005f8b-3808-455f-98d8-86cc789ad08c
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 43
Content-Type: image/gif
Server: Microsoft-HTTPAPI/2.0
Set-Cookie: cuuid=325e96b9-5242-4408-913f-43e63cc3d2ed; expires=Sun, 14 Jun 2026 11:08:52 GMT; domain=d.castplatform.com; path=/
P3P: CP='NON UNI COM NAV STA OUR IND'
X-Elapsed: 0
Date: Tue, 14 Jun 2016 11:08:51 GMT
GET /pages/inmon/im-typ.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: piroga.space
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.10.1
Vary: Accept-Encoding
Content-Type: text/html
Content-Encoding: gzip
Date: Tue, 14 Jun 2016 11:08:42 GMT
Transfer-Encoding: chunked
ETag: W/"5628d116-7b9"
Connection: keep-alive
Set-Cookie: X-Mapping-fjhppofk=5B673B9FC730391AFA5DB6CAA00AAEEE; path=/
Last-Modified: Thu, 22 Oct 2015 12:05:42 GMT
GET /pages/inmon/css/style.css HTTP/1.1
Accept: */*
Referer: hXXp://piroga.space/pages/inmon/im-typ.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: piroga.space
Connection: Keep-Alive
Cookie: X-Mapping-fjhppofk=5B673B9FC730391AFA5DB6CAA00AAEEE
HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Tue, 14 Jun 2016 11:08:43 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Oct 2015 12:08:45 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
ETag: W/"5628d1cd-70e"
Content-Encoding: gzip
GET /pages/inmon/images/icon2-green.png HTTP/1.1
Accept: */*
Referer: hXXp://piroga.space/pages/inmon/im-typ.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: piroga.space
Connection: Keep-Alive
Cookie: X-Mapping-fjhppofk=5B673B9FC730391AFA5DB6CAA00AAEEE
HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Tue, 14 Jun 2016 11:08:43 GMT
Content-Type: image/png
Content-Length: 3782
Last-Modified: Wed, 12 Aug 2015 13:59:00 GMT
Connection: keep-alive
ETag: "55cb5124-ec6"
Accept-Ranges: bytes
<<< skipped >>>
GET /scripts/1/adnl.min.js HTTP/1.1
Accept: */*
Referer: hXXp://piroga.space/pages/inmon/im-typ.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.castplatform.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 14 Jun 2016 11:08:50 GMT
Content-Type: text/javascript; charset=utf-8
Content-Length: 60114
Connection: keep-alive
Vary: Accept-Encoding
Content-MD5: Y2JFw1mhlW2JqbXKv8rOdw==
Last-Modified: Tue, 26 Apr 2016 08:45:42 GMT
ETag: 0x8D36DAF266AAE18
x-ms-write-protection: false
X-Node: cdn1
Server: NetDNA-cache/2.2
X-Cache: HIT
<<< skipped >>>
GET /images/1eaeba30-fae9-4091-b89c-7f1ccf25c528.jpg HTTP/1.1
Accept: */*
Referer: hXXp://piroga.space/pages/inmon/im-typ.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.castplatform.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 14 Jun 2016 11:08:51 GMT
Content-Type: image/jpeg; charset=utf-8
Content-Length: 99940
Connection: keep-alive
Vary: Accept-Encoding
Content-MD5: 84yOv9Fknx6WvATYJ8//sw==
Last-Modified: Sun, 13 Mar 2016 09:05:27 GMT
ETag: 0x8D34B1E9EAC9EFB
x-ms-write-protection: false
X-Node: cdn2
Server: NetDNA-cache/2.2
X-Cache: HIT
<<< skipped >>>
GET /BlueStacks-SplitInstaller.exe HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: bluestacks-club-download.ru
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2016 11:08:46 GMT
Content-Type: application/octet-stream
Content-Length: 13469152
Connection: keep-alive
Last-Modified: Mon, 29 Jun 2015 12:25:46 GMT
ETag: "24c177c-cd85e0-519a730696680"
Accept-Ranges: bytes
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
iexplore.exe_240:
%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.fg>
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG
;33;33;0
8888880
8887080
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512