Skip to main content

Trojan.Win32.IEDummy_6018f52202


not-a-virus:HEUR:AdWare.Win32.InstallMonster.gen (Kaspersky), Trojan.Win32.IEDummy.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 6018f522029cfa4a5ba5d6e6afb97446

SHA1: 41c0ebd8f89ae40aa7382a7ad5a23f5321c87169

SHA256: a534ec946bf220d97f35df675366f1343bb48b1182a32ae1588cea520dc80299

SSDeep: 98304:xzV5FDvRqbCKApy0vsub uJA507DR1KrFEP54/ZA:xJ7EbC Xy9JvDRYrF4

Size: 3549152 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPXv0896v102v105v122Delphistub, UPolyXv05_v6

Company: Software Bundle Company

Created at: 1992-06-20 01:22:17

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1392

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1392 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

Registry activity

The process %original file name%.exe:1392 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKCR\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\ProgID]
"(Default)" = "6018f522029cfa4a5ba5d6e6afb97446.DynamicNS"

[HKCR\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}]
"(Default)" = "DynamicNS"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
"CategoryCount" = "16"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKCR\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\LocalServer32]
"(Default)" = "c:\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\6018f522029cfa4a5ba5d6e6afb97446\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 8C D7 F0 AF 31 7E 59 A5 78 32 52 AD BB CD 7E"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKCR\6018f522029cfa4a5ba5d6e6afb97446.DynamicNS\Clsid]
"(Default)" = "{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\6018f522029cfa4a5ba5d6e6afb97446.DynamicNS]
"(Default)" = "DynamicNS"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\6018f522029cfa4a5ba5d6e6afb97446\DEBUG]
"Trace Level"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1392

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Software Bundle Company
Product Name:
Product Version: 1.0.0.0
Legal Copyright: Copiright
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: Software Bundle
Comments:
Language: English (United States)

Company Name: Software Bundle CompanyProduct Name: Product Version: 1.0.0.0Legal Copyright: CopirightLegal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.0File Description: Software BundleComments: Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX04096244531200d41d8cd98f00b204e9800998ecf8427e
UPX12449408222003222174725.4713676e39e3289dd2401cd6caaf1a60bfbf5
.rsrc466944024576209923.65806f8ad800ddaef627cd94ca2f6384da75f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 66
e79ce1a194f493d5f153e71549fbd5cd
a5e67ca8da17f69d43df1d19aaed89fa
6ba48876132d70d470a057b8ed1ad0fc
ad1d1f86dbf0a18b79d8484330259b3e
fe4d80742de31ed8cf4b356658c32dc6
2e2586e737b998b9567d5cccb2a4bfa2
42ac44e9f84ed45b61962f15d2052dba
3ea682619471ff3dc72e139b174ea733
e498bf898b69e7d15e6221923ad0997d
ab8e25852ae586c8ea9fb6989c1b70cc
deba8feed59c4351dfb3106b0137c6f5
448fd58eeeb747466654aaecc02342de
1d11272b3ddf400bd62b16104b62133d
9d4f5d7e10bba0a15a863ce35bd03f84
58e1a6d3878b0d145844126bdcefa5a8
570c26fce92bc19b34a992f44e1286f0
17f23fb508c5b7bddbedf9d78cf6aceb
3241db9f0fd67dd30074fa001d30a13c
17d3a0aae0d7762622bbb7d618c4e780
73c5a28f847e17fce2d0d2f02e119f16
ec1c3ac83471a003c19a6e20709eda49
be15113f44a88f53a250e999e3bd44f3
896377ebaad3d95db901f841b7c3758d
d27978ecf9e90048c84bf7447b4a150c
23247a03e576773d518e6d8ff9fd3ae9
697c45d7174e4702684ea69cf4b38cbf

Network Activity

URLs

URL IP
hxxp://bluestacks-club-download.ru/BlueStacks-SplitInstaller.exe46.30.40.94
hxxp://piroga.space/pages/inmon/im-typ.html
hxxp://piroga.space/pages/inmon/css/style.css
hxxp://piroga.space/pages/inmon/images/icon1-green.png
hxxp://piroga.space/pages/inmon/images/icon2-green.png
hxxp://piroga.space/pages/inmon/images/icon3-green.png
hxxp://cast-prod-dlv-pull.ironsrc.netdna-cdn.com/scripts/1/adnl.min.js
hxxp://neu-dl-api.cloudapp.net/api/vv/1?callback=cb_1465902533406&ts=1465902533406&sessionId=cxyt&rfr=&siteId=9306&aus=5584,1,0
hxxp://cast-prod-dlv-pull.ironsrc.netdna-cdn.com/images/1eaeba30-fae9-4091-b89c-7f1ccf25c528.jpg
hxxp://neu-dl-api.cloudapp.net/api/vp/1?clk=rKEPfio3b3U5JfBO2MgoCH-COOuZDTmoqwAes30yY9R9SPfweo3rNrLBO6MAbW42B_uI2KOs3rTD-bW1NzKa3rHI7Z_xYJATeVCM1zVHXEEO2mtE7l7euoJl19vODmMwNrG15gE2oTf2Hx1kBMXeyxjUmQR6b02PsfXZzD155g8Sa1iVZsN8ed1VAKCJyKFCP_LVsQGSu1D1ylp4wF5RUaBLqtPY8XVgascWTiIyj1ggcKz3Zyhg6Bm4UiQEqSU4StWKknc5pUFxefx4RngrL9mOOTjDrBIdrb5_tYFc7AlFUd7GvbS5Bj3jhGqo_tHj6Asva6r6NH7KrVjWbQ_O2pHhkp5yvu0eGmnxSmIx1PNCbq1Xf2TLFsiv_iYsMcaf-_iMoaIl7XNdCQsbdziPDrTuPkdWaN0ydDczySEa8ZFv0eNHIJ06lrDKSKxI_H4zfz347ujquOhzqzXFMuFa-0e4mn8Db4OKDDzal8SAHc0&rfr=
hxxp://d.castplatform.com/api/vv/1?callback=cb_1465902533406&ts=1465902533406&sessionId=cxyt&rfr=&siteId=9306&aus=5584,1,040.127.174.50
hxxp://d.castplatform.com/api/vp/1?clk=rKEPfio3b3U5JfBO2MgoCH-COOuZDTmoqwAes30yY9R9SPfweo3rNrLBO6MAbW42B_uI2KOs3rTD-bW1NzKa3rHI7Z_xYJATeVCM1zVHXEEO2mtE7l7euoJl19vODmMwNrG15gE2oTf2Hx1kBMXeyxjUmQR6b02PsfXZzD155g8Sa1iVZsN8ed1VAKCJyKFCP_LVsQGSu1D1ylp4wF5RUaBLqtPY8XVgascWTiIyj1ggcKz3Zyhg6Bm4UiQEqSU4StWKknc5pUFxefx4RngrL9mOOTjDrBIdrb5_tYFc7AlFUd7GvbS5Bj3jhGqo_tHj6Asva6r6NH7KrVjWbQ_O2pHhkp5yvu0eGmnxSmIx1PNCbq1Xf2TLFsiv_iYsMcaf-_iMoaIl7XNdCQsbdziPDrTuPkdWaN0ydDczySEa8ZFv0eNHIJ06lrDKSKxI_H4zfz347ujquOhzqzXFMuFa-0e4mn8Db4OKDDzal8SAHc0&rfr=40.127.174.50
hxxp://cdn.castplatform.com/images/1eaeba30-fae9-4091-b89c-7f1ccf25c528.jpg198.232.124.20
hxxp://cdn.castplatform.com/scripts/1/adnl.min.js198.232.124.20

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /pages/inmon/images/icon1-green.png HTTP/1.1

Accept: */*

Referer: hXXp://piroga.space/pages/inmon/im-typ.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: piroga.space

Connection: Keep-Alive

Cookie: X-Mapping-fjhppofk=5B673B9FC730391AFA5DB6CAA00AAEEE

HTTP/1.1 200 OK

Server: nginx/1.10.1

Date: Tue, 14 Jun 2016 11:08:43 GMT

Content-Type: image/png

Content-Length: 3392

Last-Modified: Wed, 12 Aug 2015 13:59:00 GMT

Connection: keep-alive

ETag: "55cb5124-d40"

Accept-Ranges: bytes

.PNG........IHDR...>...E......$UF....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..[{l[W.?..g..fvR.]..2.4.z.N..?jOC......C....IS[....%Y............i].@..c.@.?Hs%.:&.....&..c.............#YIS...;.w.....cB.O......GE.l.3.n7.2Rv..FQ..JF. ...Lt.....?..m.cN...'yK...k..Y..l..........j...qO:.?.......n...8K........K7<9X.db.$.....b.............=-........<uhB..2......-/VI.Hzy.$."..?y...<.....-.iF..x.. ...N..ke....)......!._.mJc..p,a.Z.Gd.x.(...p.......j....~3.. .I..a....~4...S...NN0f.W..2.I.....t....i`..1d.6....E...^.oKGb$qm.}..;.f...g...h%x..t.K ..'.......(X...W.:...]#.p......>.._;.>j..{..V.(k.W...O\....oj..^.....K.lq>.<.......eJ........?..Yp.`.Ic........F............OV.../...n.....u.3...F..`... .....oj..b.......7"..;]i.B.. ...K.A{..W.^.g....9..?}..p....R.M....i..N.D....;......QK..,".....9.....ub>...P.....g:9/...:?.y?..a8...L....L.b.s............W...O|.S...w*...3=..J.,...:...3ok..mz....W....E.S.F.N...99K.v.S.P.......].!ey:]#C..!.8 .W...D;dq.......>;...|Y.,3D.Gq.Mg.D..i.|..X.......[.@.s8.8sVD.*cYmj.=.3..2........W...vw...fy9^.....z......pEQ. ...Q....T....#.[/..t.0z.h!..>t.....%".Bl.{.<.{.JW.....?.3h.{w...(...DF..p...dV.}X....PJ...n.A.....o. p.(..........H..3....H...N....F)p8....$.......Y....z:Tn.....W.q....6..D..G.Ud.f.....C.X....D......N..{..T.j......../."..=...g..)..<(hwX.rf...0...Z=J..=....1B..n.$U\.P.re.ku.u&8.nC.........W........so..../.O5...G.....OB#%...x...~..`.;.....^.m."...........q..S]..T.....Fj)>...|.jZ...['.....:.s.x..O.m.....[....\$0..{..&.r...^.U...?.o..Y.......ZW].

<<< skipped >>>

GET /pages/inmon/images/icon3-green.png HTTP/1.1

Accept: */*

Referer: hXXp://piroga.space/pages/inmon/im-typ.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: piroga.space

Connection: Keep-Alive

Cookie: X-Mapping-fjhppofk=5B673B9FC730391AFA5DB6CAA00AAEEE

HTTP/1.1 200 OK

Server: nginx/1.10.1

Date: Tue, 14 Jun 2016 11:08:43 GMT

Content-Type: image/png

Content-Length: 1519

Last-Modified: Wed, 12 Aug 2015 13:59:00 GMT

Connection: keep-alive

ETag: "55cb5124-5ef"

Accept-Ranges: bytes

.PNG........IHDR...>...E......$UF....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..[.O[u.........(.E....o..............U0...Q`.%...}0..$..d....%&=<.H.|q.sNZ..R..=7.._/P...Z.....rN.....;..0`.......0`.....S<q..x.6...8. .....4=A].....Y...L<y~&\".I.G..X.Y,......L\{......./..s.Id.1L....si6o@.c.4.h...5:8.....!...............j..W.h..UvZ...bC.B....1..j\YZ..9...9....r0..8......V...\..[.HO.y..`.{w..SQ.[.m..L.V.nli.....L..`..n&...\.bZ.U.@.q...u.......wJ.~.f......:.......x.i.g.......s...>4...J...z .^r.z..3....RO<y.wI.).Z..v......^p.u.y"H....W*6Q..tX."?..w...'...%. .......f.|o....3.s......:.Zz].2.............|.v..U....c..z.b....i........>....q.S .....'k3...6.......>D.qY.E............................1e1=.Ff)..o..|_..O...z...P6. ... ....?O.S...=.DtU..c.-C....SG.%.Y....*.......#.=y.K.quyM.......g.(....\9y.Y..s\v....!.......>@..d............I..d{.m...!..zFR..........._#rr9.g....ut~....!..;....-....*w...Hx.E.C]........}.....c.n"..>.".._.ZQ.C.."....q.j"...... ......._I....S.g.....f...o3..Q...jpf......s.)...1B].SO..3..$N..].g(.z......D.......T...C/......u.a}....`. ":m.-m..W.....4..JJ.}...%.U.T....-.N.....m."..?YE...q=....|P.....X.H,.......|..J.F.#M.......w.t...Xrr&..e=;.a......R.e.RN...2....n-....g..8d../;....b......p..).&.0Xm.._.Gs.T..V.y.mo..3....h...F.-.^HH......k....2i...v..&.......j..s,...~ok......=......n.`.x..1.-.I...G..V...F...,U.K...Hb".;p...A/...s.V/.._....7q.S.|....&.~81v-..../...!.G.Q.m............\./*.$h...>..*.u.@b.ZM~h1yH..W.E...Wp].a.'{....8r.A,...r.....).hY...?.KE.u.........._...d

<<< skipped >>>

GET /api/vv/1?callback=cb_1465902533406&ts=1465902533406&sessionId=cxyt&rfr=&siteId=9306&aus=5584,1,0 HTTP/1.1

Accept: */*

Referer: hXXp://piroga.space/pages/inmon/im-typ.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: d.castplatform.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: no-cache

Content-Length: 1076

Content-Type: text/javascript; charset=utf-8

Server: Microsoft-HTTPAPI/2.0

X-Country: UA

P3P: CP='NON UNI COM NAV STA OUR IND'

Set-Cookie: cuuid=1b005f8b-3808-455f-98d8-86cc789ad08c; expires=Sun, 14 Jun 2026 11:08:52 GMT; domain=d.castplatform.com; path=/

X-Elapsed: 187

X-Node: NEU3961D1

Date: Tue, 14 Jun 2016 11:08:51 GMT

cb_1465902533406 && cb_1465902533406({"zones":[{"id":5584,"status":200,"enabled":true,"template":"Free_Creative_800x440","data":[{"clickTag":null,"clk":"rKEPfio3b3U5JfBO2MgoCH-COOuZDTmoqwAes30yY9R9SPfweo3rNrLBO6MAbW42B_uI2KOs3rTD-bW1NzKa3rHI7Z_xYJATeVCM1zVHXEEO2mtE7l7euoJl19vODmMwNrG15gE2oTf2Hx1kBMXeyxjUmQR6b02PsfXZzD155g8Sa1iVZsN8ed1VAKCJyKFCP_LVsQGSu1D1ylp4wF5RUaBLqtPY8XVgascWTiIyj1ggcKz3Zyhg6Bm4UiQEqSU4StWKknc5pUFxefx4RngrL9mOOTjDrBIdrb5_tYFc7AlFUd7GvbS5Bj3jhGqo_tHj6Asva6r6NH7KrVjWbQ_O2pHhkp5yvu0eGmnxSmIx1PNCbq1Xf2TLFsiv_iYsMcaf-_iMoaIl7XNdCQsbdziPDrTuPkdWaN0ydDczySEa8ZFv0eNHIJ06lrDKSKxI_H4zfz347ujquOhzqzXFMuFa-0e4mn8Db4OKDDzal8SAHc0","width":800,"height":440,"cUrl":"hXXp://d.castplatform.com/api/c/1?clk=%clk%","trackers":[{"type":"Url","content":"hXXp://d.castplatform.com/api/vp/1?clk=%clk%"}],"category":null,"assets":[{"assetDisplayType":1,"width":800,"height":440,"url":"//cdn.castplatform.com/images/1eaeba30-fae9-4091-b89c-7f1ccf25c528.jpg","javascript":"","clickTagVar":""}]}],"styles":null,"settings":{"adUnitTitle":""},"displayType":"Size"}],"ts":187});....

GET /api/vp/1?clk=rKEPfio3b3U5JfBO2MgoCH-COOuZDTmoqwAes30yY9R9SPfweo3rNrLBO6MAbW42B_uI2KOs3rTD-bW1NzKa3rHI7Z_xYJATeVCM1zVHXEEO2mtE7l7euoJl19vODmMwNrG15gE2oTf2Hx1kBMXeyxjUmQR6b02PsfXZzD155g8Sa1iVZsN8ed1VAKCJyKFCP_LVsQGSu1D1ylp4wF5RUaBLqtPY8XVgascWTiIyj1ggcKz3Zyhg6Bm4UiQEqSU4StWKknc5pUFxefx4RngrL9mOOTjDrBIdrb5_tYFc7AlFUd7GvbS5Bj3jhGqo_tHj6Asva6r6NH7KrVjWbQ_O2pHhkp5yvu0eGmnxSmIx1PNCbq1Xf2TLFsiv_iYsMcaf-_iMoaIl7XNdCQsbdziPDrTuPkdWaN0ydDczySEa8ZFv0eNHIJ06lrDKSKxI_H4zfz347ujquOhzqzXFMuFa-0e4mn8Db4OKDDzal8SAHc0&rfr= HTTP/1.1

Accept: */*

Referer: hXXp://piroga.space/pages/inmon/im-typ.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: d.castplatform.com

Connection: Keep-Alive

Cookie: cuuid=1b005f8b-3808-455f-98d8-86cc789ad08c

HTTP/1.1 200 OK

Cache-Control: no-cache

Content-Length: 43

Content-Type: image/gif

Server: Microsoft-HTTPAPI/2.0

Set-Cookie: cuuid=325e96b9-5242-4408-913f-43e63cc3d2ed; expires=Sun, 14 Jun 2026 11:08:52 GMT; domain=d.castplatform.com; path=/

P3P: CP='NON UNI COM NAV STA OUR IND'

X-Elapsed: 0

Date: Tue, 14 Jun 2016 11:08:51 GMT

GIF89a.............!.......,...........L..;HTTP/1.1 200 OK..Cache-Control: no-cache..Content-Length: 43..Content-Type: image/gif..Server: Microsoft-HTTPAPI/2.0..Set-Cookie: cuuid=325e96b9-5242-4408-913f-43e63cc3d2ed; expires=Sun, 14 Jun 2026 11:08:52 GMT; domain=d.castplatform.com; path=/..P3P: CP='NON UNI COM NAV STA OUR IND'..X-Elapsed: 0..Date: Tue, 14 Jun 2016 11:08:51 GMT..GIF89a.............!.......,...........L..;..

GET /pages/inmon/im-typ.html HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: piroga.space

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.10.1

Vary: Accept-Encoding

Content-Type: text/html

Content-Encoding: gzip

Date: Tue, 14 Jun 2016 11:08:42 GMT

Transfer-Encoding: chunked

ETag: W/"5628d116-7b9"

Connection: keep-alive

Set-Cookie: X-Mapping-fjhppofk=5B673B9FC730391AFA5DB6CAA00AAEEE; path=/

Last-Modified: Thu, 22 Oct 2015 12:05:42 GMT

364.............U.n.0......f..& .4 .4.]L..........18N.;....]..^.!....._y...8N.... ..:.s..../.....5l.`....?; .#... .1......a......nL#ICn 7..p....O..(....>...x.O]R...D9....p1#Nmz3I%#....{.v....Gl .....pL.c.9`D..@M?&].p..2...bk. ..S.Z..#.a!.#..X,.....U.F......mAx>. .2.t.`z....M.r....F.P...:Vo...Oj.....#..SC....l..MW,3.hVv..)Q/.....FN....q.y.r.....k...7kv.P..WX.4..E..LyYc..>......C._.......Y...d...WPz...z....R?..q.,}..|.R}..G5.e....K5.6.)$.D.......`...D.:... ..B .jF..x.@..oC.%".'e.......T..i[..P........z..C..8..:..Y.f.p.;........'.f%#:.{.1t3.{1...`^.W........[.T...0?0c..~...7.:>s.t.H...k...6.v.wd...T.#...$..u..q..6.8F...m......ziF.. {...f...\. .h7.[.;7Z....z..]'..._....huvom..e..7],d....q`.a.7.t..........*...........`]...gqf.......... ....EB.oy...z...3..`I6.....,...A........j.Ha.,...Pn......I'.~..P.FkQK\...^.^.....K.{..&."...O.W....r...D'@.vQ.......g.f.~.....i.......0......

GET /pages/inmon/css/style.css HTTP/1.1

Accept: */*

Referer: hXXp://piroga.space/pages/inmon/im-typ.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: piroga.space

Connection: Keep-Alive

Cookie: X-Mapping-fjhppofk=5B673B9FC730391AFA5DB6CAA00AAEEE

HTTP/1.1 200 OK

Server: nginx/1.10.1

Date: Tue, 14 Jun 2016 11:08:43 GMT

Content-Type: text/css

Last-Modified: Thu, 22 Oct 2015 12:08:45 GMT

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

ETag: W/"5628d1cd-70e"

Content-Encoding: gzip

28e.............U.n.@.}N.b...KA\.lB.....7.00...ah.F.....pYR-U.b..c...Ez.,.%.9."..-.5MSV..%..r2Z2~......XB_.O.(.%.........uY..(.../.H..O7..X^..TB...U.I9.......H4&.....0.5..`(e..a.B[%...RUDd..L....C.y..Q...z]...h......5.s...........:..L>..E.=HS...R...b c....C.j...^..%.J.R'..SL`..8U...e..k..y..@7...HL.C.E[... x_....1oa...6.~7...4.y..7..3.l.9.....#..b!....O..... .v ...e........k..........fB(3S............wX.......y...,p......I.n..^..tJ.......B..2!aT...B.t=v!.nv[..4L...t ..w..z.q;#...o}N;U}...|.....C3X....v.../c=.............cl...#..5..^..0.}an.h. .S7.7.~KZ.6......Y.d.......Y.`.L8...............y...O.l FY. ..#5..A.k.Wm........h2.'.....$...Qg...P....9........0......

GET /pages/inmon/images/icon2-green.png HTTP/1.1

Accept: */*

Referer: hXXp://piroga.space/pages/inmon/im-typ.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: piroga.space

Connection: Keep-Alive

Cookie: X-Mapping-fjhppofk=5B673B9FC730391AFA5DB6CAA00AAEEE

HTTP/1.1 200 OK

Server: nginx/1.10.1

Date: Tue, 14 Jun 2016 11:08:43 GMT

Content-Type: image/png

Content-Length: 3782

Last-Modified: Wed, 12 Aug 2015 13:59:00 GMT

Connection: keep-alive

ETag: "55cb5124-ec6"

Accept-Ranges: bytes

.PNG........IHDR...>...E......$UF....tEXtSoftware.Adobe ImageReadyq.e<...hIDATx..[kl#W....yO......?..u..H..P..J...$@..K...l. .}..}P@@..J........q..H@3.E.u@.".Zg7.$..$q..f..\...c;....(W;.].x.~......;....?......c.|X........B...;D...rv&.M..eE...eZ..1Ts5....E?..{O.x....B.. ..=B...D...~.,,..p.493...XB.R...2&......1...., .5.....b[.B`ae...oF...p.FZ.,."..zh......p...yH.l>!4:. .[aXi.3.... |.. ..t.....J...../4...(T.meL..'9ceC.]R//...FkW.Z...vpb6d..?......=.x..M.RO....P..p[c-..K.p.,v........K.|.=......:!..2............<`....j....Mq...C<{*L2j.^05g.q=}qy`..sy ]3.UK.j.....o.Z.......2&u5{.fw.}6.Oe8cuCO._..<.Jd.9.;.......[4.2.i....y.K.Z.......q..J.A^..g......1..|.lN.)8............f.q]...4............I..c...=.2..[..2LZ.1rIf....3.....M...2.M.f..R siU..i..0.....9_.?.'...S.R#.sN.{.s.........@7...%..{........w>....A.V...{?..V9.*G.....,.......lA.:7.........E.q.C..._W.Dd.k;&D..4..E}3.}..X.c.)`.!.$...R.........X.<....^.PH..NO.)...^KM-.......:.8...Q..S7.`. ...V...D.@.'.<..x!..1.PU.ktr<R.@.W.......t....l..'d..n.'|v*...R..=.uau0..uC...S.......G....F............f...h.XN.h..-(..../....l.f..fI..`G.|.....\...bf..Q*...p....Y..R......w........\aj.TR..IUA.d.6...@.DqNi..8.#.l!)l(,V....6m.<...E..../.y....P.......y.........O.f....-.....Y....B.(.s..r....z<jf....m...[Hc...%5.....$..x.Z...u2.....h.........94{.....9...\.wE.?....!E.\l..S...).....A...2FV.y..Z..d.HEPsy....!.*X.......?s|.qM..y..U.s.......m....Zi.T......C....m.nB.......4.....Q.........) ...Ph..'.~|..nZ'.Fpk..:....3...)_|.~....H..gnM.J?k....$y......-.....

<<< skipped >>>

GET /scripts/1/adnl.min.js HTTP/1.1

Accept: */*

Referer: hXXp://piroga.space/pages/inmon/im-typ.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn.castplatform.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 14 Jun 2016 11:08:50 GMT

Content-Type: text/javascript; charset=utf-8

Content-Length: 60114

Connection: keep-alive

Vary: Accept-Encoding

Content-MD5: Y2JFw1mhlW2JqbXKv8rOdw==

Last-Modified: Tue, 26 Apr 2016 08:45:42 GMT

ETag: 0x8D36DAF266AAE18

x-ms-write-protection: false

X-Node: cdn1

Server: NetDNA-cache/2.2

X-Cache: HIT

// CAST Delivery Agent v4.4.29 #8:45.!function(global,undefined){Array.prototype.indexOf||(Array.prototype.indexOf=function(e,t){if(this===undefined||null===this)throw new TypeError('"this" is null or not defined');var n=this.length>>>0;for(t= t||0,1/0===Math.abs(t)&&(t=0),0>t&&(t =n,0>t&&(t=0));n>t;t )if(this[t]===e)return t;return-1}),"object"!=typeof window.JSON&&(window.JSON={},window.JSON.stringify=function(e){if("[object Array]"===Object.prototype.toString.call(e)){if(e.length>0){for(var t=e.length,n=[],a=0;t>a; a)n.push(this.stringify(e[a]));return"[" n.join(", ") "]"}return"[]"}if("object"==typeof e&&null!==e){var n=[];for(a in e)n.push('"' a '": ' this.stringify(e[a]));return"{" n.join(", ") "}"}return"string"==typeof e?'"' e.replace(/"/g,'\\"') '"':e},window.JSON.parse=function(text,reviver){function walk(e,t){var n,a,i=e[t];if(i&&"object"==typeof i)for(n in i)Object.prototype.hasOwnProperty.call(i,n)&&(a=walk(i,n),a!==undefined?i[n]=a:delete i[n]);return reviver.call(e,t,i)}var cx=/[\u0000\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g,j;if(text=String(text),cx.lastIndex=0,cx.test(text)&&(text=text.replace(cx,function(e){return"\\u" ("0000" e.charCodeAt(0).toString(16)).slice(-4)})),/^[\],:{}\s]*$/.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g,"@").replace(/"[^"\\\n\r]*"|true|false|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g,"]").replace(/(?:^|:|,)(?:\s*\[) /g,"")))return j=eval("(" text ")"),"function"==typeof revive

<<< skipped >>>

GET /images/1eaeba30-fae9-4091-b89c-7f1ccf25c528.jpg HTTP/1.1

Accept: */*

Referer: hXXp://piroga.space/pages/inmon/im-typ.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn.castplatform.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 14 Jun 2016 11:08:51 GMT

Content-Type: image/jpeg; charset=utf-8

Content-Length: 99940

Connection: keep-alive

Vary: Accept-Encoding

Content-MD5: 84yOv9Fknx6WvATYJ8//sw==

Last-Modified: Sun, 13 Mar 2016 09:05:27 GMT

ETag: 0x8D34B1E9EAC9EFB

x-ms-write-protection: false

X-Node: cdn2

Server: NetDNA-cache/2.2

X-Cache: HIT

......Exif..II*.................Ducky.......8......hXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c111 79.158325, 2015/09/10-01:10:20 "> <rdf:RDF xmlns:rdf="http://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:9d3aa1bc-879e-f341-bb50-ccda3be4d297" xmpMM:DocumentID="xmp.did:C9F120E4E8F211E5B83DE635D0776361" xmpMM:InstanceID="xmp.iid:C9F120E3E8F211E5B83DE635D0776361" xmp:CreatorTool="Adobe Photoshop CC 2015 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:963c8fb8-b4bf-3f44-ba12-95c7f2efc8d3" stRef:documentID="xmp.did:9d3aa1bc-879e-f341-bb50-ccda3be4d297"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d................................................................""""""""""................"""""""""""""""""""""""""""""""""""""""""""""""""........ ........................................................................................!.1...AQ.aq"...2B.....R#...b.r...3S..U...Cs$u6...c.4DTt%7....d..EeVv'8...5&.....................!1..AQ..aq......."2....BRb.r.#..3.....CS............?..V.&.....u.{f..,6.T.....)*4..#....:.S..g....v.b.u.......u.&. eR....T .1}-....r.....Upe7,ztr....1.H....]..D..A..G....W...........Nd.DN\.L=...M

<<< skipped >>>

GET /BlueStacks-SplitInstaller.exe HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: bluestacks-club-download.ru

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Tue, 14 Jun 2016 11:08:46 GMT

Content-Type: application/octet-stream

Content-Length: 13469152

Connection: keep-alive

Last-Modified: Mon, 29 Jun 2015 12:25:46 GMT

ETag: "24c177c-cd85e0-519a730696680"

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I"...C}..C}..C}.b\v..C}.._s..C}.b\w..C}.b\y..C}..K"..C}..C|..C}..K ..C}.;ev.NC}.b5...C}.b5...C}..E{..C}.Rich.C}.........PE..L....S.L.................D...d......<7.......`....@.............................................................................x.......(............j...............................................................`...............................text....C.......D.................. ..`.rdata...<...`...>...H..............@..@.data...,)..........................@....sxdata.............................@....rsrc...(...........................@..@...............................................................................................................................................................................................................................................................................................................................................D.A.;..X.A.;.U....4....E.SVW...A..$...j.3._..h...W...A...h.....l.....p........W.M..]..]..]......W.M..]..]..]......W.M..]..]..].........`A.P.M.......E...h...P.M..e(...u...)..Y.].W.M..]..]..........A..U...5...M..l....M..)...hT.A..M..].........E.j.P.M..)........D*...u.....)...u..~)..Y;.Yu4.E.j.P.M..E.......P.M..-....u..U)..Y.M.......M......W.M..]..]..].......M..E.PhX.A..D.A..e.....u.8].u..$.A.3......j.[.%...h..A...0........W.M..]..]..]......9]...,............T....d.....bA...T....M...T....q ....

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

iexplore.exe_240:

%?9-*09,*19}*09

%?9-*09,*19}*09

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

USER32.dll

USER32.dll

SHLWAPI.dll

SHLWAPI.dll

SHDOCVW.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

IE-X-X

rsabase.dll

rsabase.dll

System\CurrentControlSet\Control\Windows

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

dw15 -x -s %u

watson.microsoft.com

watson.microsoft.com

IEWatsonURL

IEWatsonURL

%s -h %u

%s -h %u

iedw.exe

iedw.exe

Iexplore.XPExceptionFilter

Iexplore.XPExceptionFilter

jscript.DLL

jscript.DLL

mshtml.dll

mshtml.dll

mlang.dll

mlang.dll

urlmon.dll

urlmon.dll

wininet.dll

wininet.dll

shdocvw.DLL

shdocvw.DLL

browseui.DLL

browseui.DLL

comctl32.DLL

comctl32.DLL

IEXPLORE.EXE

IEXPLORE.EXE

iexplore.pdb

iexplore.pdb

ADVAPI32.dll

ADVAPI32.dll

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

IExplorer.EXE

IExplorer.EXE

IIIIIB(II<.fg>

IIIIIB(II<.fg>

7?_____ZZSSH%

7?_____ZZSSH%

)z.UUUUUUUU

)z.UUUUUUUU

,....Qym

,....Qym

````2```

````2```

{.QLQIIIKGKGKGKGKGKG

{.QLQIIIKGKGKGKGKGKG

;33;33;0

;33;33;0

8888880

8888880

8887080

8887080

browseui.dll

browseui.dll

shdocvw.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

6.00.2900.5512 (xpsp.080413-2105)

Windows

Windows

Operating System

Operating System

6.00.2900.5512

6.00.2900.5512