Trojan.NSIS.StartPage.FD, SearchProtectToolbar_pcap.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: f3e090350f6550bb8fd7061f7e68b2fe
SHA1: 9dfcbef3def83de7b9fb48b98396e988291129ff
SHA256: 78ad8f8548b605646a0a5f9df63ec4218f7253c4c1bf93cad2d0a183cb49650c
SSDeep: 12288:nxpJ8w51xLA7jyEnDFQQJGFX2DWhK8fhbmPYLrB5VkRwXM:xpiwBc9nkFXiWhKKF3lPXM
Size: 757472 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-06-22 21:07:51
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1380
Mutexes
The following mutexes were created/opened:
ShimCacheMutex
File activity
The process %original file name%.exe:1380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\socket\http.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\__web.xml (10968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaXml_lib.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\mime.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\res\common.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\decline.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\back.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\socket\core.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\accept.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\cancel.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\res\jquery.js (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\socket\ftp.lua (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaBridge.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\socket\url.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\close.png (366 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\version.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\NotifyIcon.lua (302 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\lua51.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\FloatingProgress.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\UACInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\progressPause.gif (517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\Env.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\BundleInstall.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\definitions.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\extension.tlb (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\res\common.js (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\luacom.dll (10136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\utils.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\un.package.exe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\UiState.lua (310 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\socket\smtp.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\Events.lua (912 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\ProcessFreeFile.lua (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\BrowserControl.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\Sandbox.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\DownloadThread.lua (581 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\mime\core.dll (1856 bytes)
%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\res\knockout.js (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\System.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\GuiInit.lua (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\__localxml.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\Downloads.lua (9 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Administrative Tools\desktop.ini (62 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\json.lua (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaXml.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\DownloadList.lua (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\socket\tp.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\IntegratedOffer.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\progress.gif (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\skin.jpg (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\ltn12.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\socket.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\CallbackProxy.lua (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\AdvancedTests.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp (33139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\next.png (3 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp (0 bytes)
Registry activity
The process %original file name%.exe:1380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 00 95 BC 69 73 CA 3F 6B F3 F9 6A AA A7 7E 90"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
Dropped PE files
MD5 | File path |
---|---|
1dcfa038b79b3df456a3c584d96b639c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\FloatingProgress.dll |
1351244af9ca179c9081eda09662e904 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\LuaBridge.dll |
4a4845ba1666907f708c9c10a31ec227 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\LuaSocket\mime\core.dll |
4bf7db111acfa7c28ad36606107b3322 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\LuaSocket\socket\core.dll |
7292b642bd958aeb7fd7cfd19e45b068 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\LuaXml_lib.dll |
7e3c808299aa2c405dffa864471ddb7f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\System.dll |
d02a497be5f89c44827f142c4662f591 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\UACInfo.dll |
13c3a33c1f6e43f38de533fd0b766c98 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\lua51.dll |
ed7f7857933b38e5d10daf828e79af19 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\luacom.dll |
5694e7daf20c47c8d5e73d4a838c2ee6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\un.package.exe |
ebc5bb904cdac1c67ada3fa733229966 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\version.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the files created/modified by the Trojan (the same list given under File activity above).
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23294 | 23552 | 4.47651 | ad2ebf079e89cd95e3fda4bd0b869620 |
.rdata | 28672 | 5272 | 5632 | 3.56156 | 45097a769b809e006a7e5c1f08e7cba2 |
.data | 36864 | 109756 | 512 | 0.972488 | 4b5dfd97899e385b2193064eb045da6b |
.ndata | 147456 | 176128 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 323584 | 191848 | 192000 | 2.99234 | 24de0349c4b4c3db8bc05d6181371a77 |
.reloc | 516096 | 2680 | 3072 | 0 | d2a70550489de356a2cd6bfc40711204 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 3149
Network Activity
URLs
URL | IP |
---|---|
hxxp://service.downloadadmin.com/install?s=arkglu0g15gbtpbpjdve9avqb6&c=ch&brand=mytopfreegames.com&pid=Kitara&aid=2685&bc=616473&country=US | 50.22.63.140 |
hxxp://service.downloadadmin.com/env?productKey=&s=arkglu0g15gbtpbpjdve9avqb6&c=ch&brand=mytopfreegames.com&pid=Kitara&aid=2685&bc=616473&country=UA | 50.22.63.140 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /env?productKey=&s=arkglu0g15gbtpbpjdve9avqb6&c=ch&brand=mytopfreegames.com&pid=Kitara&aid=2685&bc=616473&country=UA HTTP/1.1
connection: close, TE
x-exename: %original file name%.exe
x-webinstallurl: hXXp://service.downloadadmin.com/install?s=arkglu0g15gbtpbpjdve9avqb6&c=ch&brand=mytopfreegames.com&pid=Kitara&aid=2685&bc=616473&country=US
user-agent: Tightrope Bundle Manager(ref=[96c8658e7f7668f62e0bd317273129bbf93be52b];windows=5.1;uac=false;elevated=true;dotnet=4;startTime=1188421)
x-webinstallcode: complete url:hXXp://service.downloadadmin.com/install?s=arkglu0g15gbtpbpjdve9avqb6&c=ch&brand=mytopfreegames.com&pid=Kitara&aid=2685&bc=616473&country=US
te: trailers
host: service.downloadadmin.com
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Sun, 17 Apr 2016 10:35:19 GMT
Age: 0
Connection: close
X-Cache: MISS
001820..<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Installer><Environment><Entry name="over-threshold:Taplika (GB)">true</Entry><Entry name="over-threshold:Yahoo Smartbar (UK)">true</Entry><Entry name="over-threshold:SearchProtect (GB) (Conduit Direct)">true</Entry><Entry name="over-threshold:SearchProtect (CA) (Conduit Direct)">true</Entry><Entry name="over-threshold:Snapdo (CA)">true</Entry><Entry name="over-threshold:Taplika (FR)">true</Entry><Entry name="over-threshold:Yahoo Smartbar (FR)">true</Entry><Entry name="over-threshold:CrimeWatch (GB)">true</Entry><Entry name="over-threshold:BubbleDock (GB)">true</Entry><Entry name="over-threshold:VuuPC (ClickMeIn) (GB)">true</Entry><Entry name="over-threshold:Wordproser (GB)">true</Entry><Entry name="over-threshold:PicRec UK">true</Entry><Entry name="over-threshold:DesktopDock (GB) (Verti)">true</Entry><Entry name="over-threshold:Optimizer Pro (UK)">true</Entry><Entry name="over-threshold:SystemOptimizerPro (GB)">true</Entry><Entry name="over-threshold:Fixila (GB)">true</Entry><Entry name="over-threshold:Registry Helper (SafeApp Software) (INTL)">true</Entry><Entry name="over-threshold:PCFixSpeed (GB)">true</Entry><Entry name="over-threshold:PremierOpinion (UK)">true</Entry><Entry name="over-threshold:Desk
<<< skipped >>>
GET /install?s=arkglu0g15gbtpbpjdve9avqb6&c=ch&brand=mytopfreegames.com&pid=Kitara&aid=2685&bc=616473&country=US HTTP/1.1
connection: close, TE
x-exename: %original file name%.exe
x-webinstallurl: hXXp://service.downloadadmin.com/install?s=arkglu0g15gbtpbpjdve9avqb6&c=ch&brand=mytopfreegames.com&pid=Kitara&aid=2685&bc=616473&country=US
user-agent: Tightrope Bundle Manager(ref=[96c8658e7f7668f62e0bd317273129bbf93be52b];windows=5.1;uac=false;elevated=true;dotnet=4;startTime=1188421)
x-webinstallcode: complete url:hXXp://service.downloadadmin.com/install?s=arkglu0g15gbtpbpjdve9avqb6&c=ch&brand=mytopfreegames.com&pid=Kitara&aid=2685&bc=616473&country=US
te: trailers
host: service.downloadadmin.com
HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Sun, 17 Apr 2016 10:35:13 GMT
Age: 0
Connection: close
X-TVAR:
X-Cache: MISS
008000..<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<Installer>. <Bundle>. <LinkBelowEula>false</LinkBelowEula>. <OptInDefault>false</OptInDefault>. <ProductBinary embed="false" msioptions="" options="/S">hXXp://download.mytopfreegames.net/da/latest</ProductBinary>. <ProductEula comboPrimary="false" embed="false">http://mirror.downloadnet1210.com/products/BM2/628/kitara/mtfg/mtfg_628.mht</ProductEula>. <Primary>true</Primary>. <ProductId>463831</ProductId>. <ProductName>MyTopFreeGames</ProductName>. <Scramble>false</Scramble>. </Bundle>. <Bundle>. <Category>search, home</Category>. <CustomParameter Name="advertisername">SearchProtect</CustomParameter>. <If>. <Or>. <Env property="custom.region" op="=" value="US"/>. <Env property="custom.region" op="=" value="us"/>. </Or>. </If>. <Feature InitialState="checked" Name="TreasureAds" Options="-carrier_type=ctid -carrier_id=CT3328455 -platform=all -startpage=true -defaultsearch=true -locale=en-us -detection">. <If>. <Env property="custom.partner" op="=" value="treasureads"/>. </If>. </Feature>. <Feature InitialState="checked" Name="Not Treasu
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1380:
.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
*?|/":
%s=%s
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegDeleteKeyA
RegCloseKey
RegEnumKeyA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg3.tmp\LuaBridge.dll
ss.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg3.tmp\LuaBridge.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg3.tmp
ns\UrlAssociations\http\UserChoice
WININET.dll
GetProcessHeap
EnumChildWindows
OLEAUT32.dll
customnsWeb.dll
C:\Programming\GitHome\bm-core.git\25\Custom\Nsweb\Release\nsWeb.pdb
CustomNsWebForwarder
All Files|*.*
COMDLG32.dll
nsDialogs.dll
.reloc
ButtonEvent.dll
C:\Nsis\Browser-%s
nswebForwarder
CustomNsWebContainer
Z:\Programming\GitHome\master\Employers\Franco\TightRope-BundleManager\Custom\Scramble\Release\Scramble.pdb
nsg3.tmp
-exec
Games]],0x00040000) -- C:/BM/2.5/BINARIES/Bullet/Icy-AD/production/setup.exe.nsi:Line 1083.2
ction/setup.exe.nsi:Line 974.2
ction/setup.exe.nsi:Line 915.2
Tightrope Bundle Manager(ref=[96c8658e7f7668f62e0bd317273129bbf93be52b];windows=5.1;uac=false;elevated=true;dotnet=4;startTime=1188421)
1179892
1769724
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg3.tmp\bullet
1187593
5334543
8664755
8760876
Nullsoft Install System vtightrope
com.build.date
2/28/2013
com.build.dir
C:\BM\2.5-Static\WebTemplates
com.build.id
com.build.machine
com.build.time
com.build.user
$%USER%
%original file name%.exe_1380_rwx_10004000_00001000:
callback%d