Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 3f07e801a58a5cfa2f25cfd05a8b9a90
SHA1: 7039b5ca80270b7e9bb87dca6d1833a8684913e6
SHA256: f4ddd9ad2f29a1ab8912af85e5949c0335f722b4b787ce23f6e43ff33ebed4f9
SSDeep: 1536:iCaIoX1oYOcbTMV88TXJLEu42EsCGu3SzRd:iCaZ2Yrb0VTXJYWEsCGuiX
Size: 75696 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-12-25 07:01:29
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
InstGameInfoHelperMSN.exe:1132
The Trojan injects its code into the following process(es):
MSNGamesSetup.exe:360
%original file name%.exe:856
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process MSNGamesSetup.exe:360 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\modern-header.bmp (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\ftdownload.dat (512 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\ns5.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\InstGameInfoHelperMSN.exe (10092 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\version.txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\nsExec.dll (6 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\ns5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp (0 bytes)
The process InstGameInfoHelperMSN.exe:1132 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HO0TMNCE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WFK0GLOT\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WA8JEMAX\5496759050793581312[1].txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WA8JEMAX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\tn_feat.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\gametitle.txt (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\tn_feat.bmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WA8JEMAX\tn_feat[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WA8JEMAX\gm-config[1].xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7B9G7JMX\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WA8JEMAX\5496759050793581312[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WA8JEMAX\gm-config[1].xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFF05E.tmp (0 bytes)
The process %original file name%.exe:856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\MSNGamesSetup.exe (269389 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\nsisdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\ftdownload.dat (512 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss1.tmp (0 bytes)
Registry activity
The process MSNGamesSetup.exe:360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 21 2B 5E 46 C4 23 47 93 15 38 44 ED D6 08 56"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process InstGameInfoHelperMSN.exe:1132 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 7E EC 29 5C 87 CE 56 97 FF 4A F6 9B 91 F7 A6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 11 27 A7 F2 6E 4E 7D D4 8C 50 16 15 76 F8 2D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
MD5 | File path |
---|---|
d06ec234ead38f6cbd0b401fb506a71f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi2.tmp\MSNGamesSetup.exe |
960a5c48e25cf2bca332e74e11d825c9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi2.tmp\System.dll |
a5a4cee2eb89d2687c05ef74299f0dba | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi2.tmp\nsisdl.dll |
0025cd88501fa44e826bc9ed4bdef2fb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy4.tmp\InstGameInfoHelperMSN.exe |
960a5c48e25cf2bca332e74e11d825c9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy4.tmp\System.dll |
51e63a9c5d6d230ef1c421b2eccd45dc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy4.tmp\nsExec.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
InstGameInfoHelperMSN.exe:1132
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\modern-header.bmp (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\ftdownload.dat (512 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\ns5.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\InstGameInfoHelperMSN.exe (10092 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\version.txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HO0TMNCE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WFK0GLOT\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WA8JEMAX\5496759050793581312[1].txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WA8JEMAX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\tn_feat.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\gametitle.txt (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\tn_feat.bmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WA8JEMAX\tn_feat[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WA8JEMAX\gm-config[1].xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7B9G7JMX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\MSNGamesSetup.exe (269389 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\nsisdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\ftdownload.dat (512 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23146 | 23552 | 4.44842 | 8781c451557a4626018483faabe438d0 |
.rdata | 28672 | 4558 | 4608 | 3.62903 | 640f709ec19b4ed0455a4c64e5934d5e |
.data | 36864 | 108472 | 1024 | 3.37017 | c9a433d4fe67308d6a5942cfb667cbe7 |
.ndata | 147456 | 32768 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 180224 | 17000 | 17408 | 2.69684 | 654ac01907b168453e2702f516512acd |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 126
Network Activity
URLs
URL | IP |
---|---|
hxxp://stamp-vpc-aws-iwin-com-1981998893.us-east-1.elb.amazonaws.com/msngames/MSNGamesSetup.exe | |
hxxp://msn-iwin-com-121665791.us-east-1.elb.amazonaws.com/gm-config | |
hxxp://msn-iwin-com-121665791.us-east-1.elb.amazonaws.com/arcade/rawinfo/6577540223622285160/5496759050793581312 | |
hxxp://cdn-vpc-aws-iwin-com-1060965153.us-east-1.elb.amazonaws.com/images/product/6577540223622285160/tn_feat.jpg | |
hxxp://gm-msn.iwin.com/gm-config | 54.165.3.227 |
hxxp://img.iwin.com/images/product/6577540223622285160/tn_feat.jpg | 54.164.100.22 |
hxxp://gm-msn.iwin.com/arcade/rawinfo/6577540223622285160/5496759050793581312 | 54.165.3.227 |
hxxp://dl.iwin.com/msngames/MSNGamesSetup.exe | 52.22.186.107 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /msngames/MSNGamesSetup.exe HTTP/1.0
Host: dl.iwin.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=14400
Content-Type: application/x-msdos-program
Date: Sun, 14 Feb 2016 01:59:25 GMT
Expires: Sun, 14 Feb 2016 05:59:25 GMT
Last-Modified: Tue, 06 Oct 2015 15:44:54 GMT
Server: Apache/2.2.22 (Ubuntu) mod_perl/2.0.5 Perl/v5.14.2
Content-Length: 3532840
Connection: Close
<<< skipped >>>
GET /images/product/6577540223622285160/tn_feat.jpg HTTP/1.1
User-Agent: iWin GameInfo Installer Helper
Host: img.iwin.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 0
Cache-Control: max-age=86400, s-maxage=2592000
Content-Type: image/jpeg
Date: Sun, 14 Feb 2016 01:59:36 GMT
ETag: "c62bb046bec8a44f1b559d5011cc06b8"
Last-Modified: Fri, 29 Aug 2014 09:52:51 GMT
Server: AmazonS3
Via: 1.1 img.iwin.com
Via: 1.1 varnish
x-amz-id-2: aTbfNlXDXx1PPpgfgLiL3ceBikE9sSej4t2dE3 lwpKz4s35FZxf78ipNJNwZQcDLOs7cPYYIGI=
x-amz-request-id: 07EFD08E892C0A47
X-Varnish: 1551828762
Content-Length: 1355
Connection: keep-alive
<<< skipped >>>
GET /gm-config HTTP/1.1
User-Agent: iWin GameInfo Installer Helper
Host: gm-msn.iwin.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 0
Cache-Control: max-age=7200
Content-Type: application/xml;charset=utf-8
Date: Sun, 14 Feb 2016 01:59:35 GMT
Last-Modified: Sun, 17 Aug 292278994 07:12:55 GMT
P3P: CP="NOI CURo ADMo DEVo TAIo OUR NOR IND COM NAV"
Server: nginx/1.1.19
Vary: iWin-App
Via: 1.1 varnish
X-Varnish: 2150204898
Content-Length: 4697
Connection: keep-alive
<?xml version="1.0" encoding="utf-8"?><gm-url-config xmlns="http://VVV.iwin.com/schemas/catalog" xmlns:xsi="hXXp://VVV.w3.org/2001/XMLSchema-instance"><site-host>msn.iwin.com</site-host><gm-host>gm-msn.iwin.com</gm-host><url-signin>https://gm-msn.iwin.com/Login.do</url-signin><url-about-icoins>http://gm-msn.iwin.com/membership</url-about-icoins><url-my-account>hXXps://gm-msn.iwin.com/account/icoins</url-my-account><url-signout>hXXps://gm-msn.iwin.com/Logout.do</url-signout><url-search>hXXp://gm-msn.iwin.com/search?q=</url-search><url-part-rawInfo>/arcade/rawinfo/</url-part-rawInfo><url-update-arcade>hXXp://gm-msn.iwin.com/dgu?game=ARCD&ver=</url-update-arcade><url-update-game>hXXp://gm-msn.iwin.com/dgu?game=</url-update-game><url-ws-services-slog>hXXp://ws-msn.iwin.com/services/slog?</url-ws-services-slog><url-ws-services-dlog>hXXp://ws-msn.iwin.com/services/dlog?act=</url-ws-services-dlog><url-ws-services-ulog>hXXp://ws-msn.iwin.com/services/ulog?lid=</url-ws-services-ulog><url-ws-icoins>hXXp://gm-msn.iwin.com/account/icoins-safe.xml;jsessionid=%s</url-ws-icoins><url-part-more-game>/calendar/games/new</url-part-more-game><url-part-top-game>hXXp://gm-msn.iwin.com/arcade/home</url-part-top-game><url-part-ad1>/arcade/panel/bottom</url-part-ad1><url-part-ad2>/arcade/panel/right</url-part-a
<<< skipped >>>
GET /arcade/rawinfo/6577540223622285160/5496759050793581312 HTTP/1.1
User-Agent: iWin GameInfo Installer Helper
Host: gm-msn.iwin.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 0
Cache-Control: no-cache, private, max-age=0, s-max-age=0, must-revalidate
Content-Type: text/plain;charset=utf-8
Date: Sun, 14 Feb 2016 01:59:36 GMT
P3P: CP="NOI CURo ADMo DEVo TAIo OUR NOR IND COM NAV"
Server: nginx/1.1.19
Vary: MSN-App
Via: 1.1 varnish
X-Varnish: 1323199687
Content-Length: 1028
Connection: keep-alive
gameid|6577540223622285160|skuid|5496759050793581312|title|Home Makeover 2|tryLink|hXXp://download.iwincdn.com/gg/pf/iwin/6577540223622285160/acd_60m_pogoiwin/iwin/HomeMakeover2Setup.exe|desc|Help Emma save his Uncle's house and decorate it! Home Makeover is back, bigger and much better than before! This amazing Hidden Object game is very easy to follow, gets your attention fast and very addicting! It combines 3 of the most favorite game mechanics: Hidden Object, Time Management and Match 3!Features:-Unlimited Game: Unlimited levels which spans around 15 gorgeous scenes!-Achievements: 9 challenging achievements for you to pursue!-Extra Content: Play 4 different quick-session Hidden Object games!-Decorate: Help Emma save her uncle's house and at the same time, earn money from jumble sale to re-decorate the living room!-Postcard: When you are pleased with your brand new living room, you can take a snapshot and send it as a postcard to your friends!|activation_code||pid||email||price|999|trial_time|60|allaccess|trueHTTP/1.1 200 OK..Accept-Ranges: bytes..Age: 0..Cache-Control: no-cache, private, max-age=0, s-max-age=0, must-revalidate..Content-Type: text/plain;charset=utf-8..Date: Sun, 14 Feb 2016 01:59:36 GMT..P3P: CP="NOI CURo ADMo DEVo TAIo OUR NOR IND COM NAV"..Server: nginx/1.1.19..Vary: MSN-App..Via: 1.1 varnish..X-Varnish: 1323199687..Content-Length: 1028..Connection: keep-alive..gameid|6577540223622285160|skuid|5496759050793581312|title|Home Makeover 2|tryLink|hXXp://download.iwincdn.com/gg/pf/iwin/65775402
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_856:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp\MSNGamesSetup.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp\nsisdl.dll
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp\nsisdl.dll
.%U~O
.reloc
WSOCK32.dll
NSISdl.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
Execute: C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp\MSNGamesSetup.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp
MSNGamesSetup.exe
MSNGAM~1.EXE
1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp\MSNGamesSetup.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
Nullsoft Install System v3.0a2
%original file name%.exe_856_rwx_10004000_00001000:
callback%d
MSNGamesSetup.exe_360:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
ME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy4.tmp\tn_feat.bmp
r.bmp
.msn.com.
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy4.tmp\version.txt
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy4.tmp
sy4.tmp\ftdownload.dat
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy4.tmp\modern-header.bmp
=yt.gN!(
Z%S,4
A/%sW
ftdownload.dat
FTDOWN~1.DAT
OCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy4.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp\MSNGamesSetup.exe
%Program Files%\MSN Games
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp
MSNGamesSetup.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
MSN Games Manager powered by iWin is required to launch and play Home Makeover 2 and other games from games.msn.com.
1007289340
Nullsoft Install System v3.0a2
MSNGamesSetup.exe_360_rwx_10004000_00001000:
callback%d