SearchProtectToolbar_pcap_4187459c7e – Adaware

Trojan.NSIS.StartPage.FD, SearchProtectToolbar_pcap.YR (Lavasoft MAS)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 4187459c7ebd96538cb8b3138de6f16e

SHA1: f2dab5181b365f1e5534e9f9e4c3fda045a44f70

SHA256: eedf50c9e6cc3a08f87c9511f158731c4383f6464c2dd99adee985c4c08f055f

SSDeep: 12288:NxpJgJzNGqv7K8sobvmEenOnseuE6FkhGS3piBNY:/p23jDK8R7enOnb3GBY

Size: 810784 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2012-06-22 21:07:51

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

%original file name%.exe:312

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:312 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\downloads.lua (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\res\jquery.js (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\service_registry.lua (462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\.DS_Store (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\bit.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\FloatingProgress.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\win32_constants.lua (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\version.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\mime\core.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\core.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\bundleinstall.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\next.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\AdvancedTests.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\System.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\nsis7z.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\wintypes.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\close.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\packaged_app.lua (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\mime.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\__web.xml (239548 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\DownloadList.lua (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\notifyicon.lua (302 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\main.css (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\utils.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\DownloadThread.lua (581 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\progress-bar.gif (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\skipall.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\GuiInit.lua (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\uistate.lua (310 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\sandbox.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\progressPause.gif (517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\accept.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\compat.lua (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\definitions.lua (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\cancel.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\socket\core.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\extension.tlb (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\ftp.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\IntegratedOffer.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\decline.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\luaxml.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\Events.lua (912 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\accept-lg.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\ltn12.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\default_logo.png (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\res\common.js (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\browserutils.dll (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse2.tmp (46579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\un.package.exe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\nsisunz.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\back.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\socket\http.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\step_bg.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\skin.png (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\http.lua (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\run.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\eagerinstall.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\step_on.png (999 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin.zip (9476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\res\knockout.js (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaBridge.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\socket\ftp.lua (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\save.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaXml_lib.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\env.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\wininet_h.lua (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\scheduler.lua (7 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Administrative Tools\desktop.ini (62 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\processfreefile.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\BrowserControl.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\UACInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\ltn12.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\socket.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\minify.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\luacom.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\url.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\lua51.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\skin.psd (42457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\index.html (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\callbackproxy.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\ffi.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\options.json (197 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\step_off.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\socket\smtp.lua (8 bytes)
%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\socket\tp.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\res\common.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\json.lua (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\progress.gif (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\defs.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\socket\url.lua (10 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsy1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp (0 bytes)

Registry activity

The process %original file name%.exe:312 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 12 4A 38 4C 59 6E 76 C9 35 FA BE 5E DD DE B8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5	File path
0f26c6d34d3841e93145dd00d0175651	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\FloatingProgress.dll
ff60d18a83e7f2ad04a3c2260af6d4f3	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\LuaBridge.dll
4a4845ba1666907f708c9c10a31ec227	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\LuaSocket\mime\core.dll
4bf7db111acfa7c28ad36606107b3322	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\LuaSocket\socket\core.dll
7292b642bd958aeb7fd7cfd19e45b068	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\LuaXml_lib.dll
7e3c808299aa2c405dffa864471ddb7f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\System.dll
d02a497be5f89c44827f142c4662f591	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\UACInfo.dll
0a29e1b270ccea61aba7d7cdd10e0388	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\bit.dll
dd8a05024e825f75d3d151ea84bf414e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\browserutils.dll
e390287499549de31da007f7f0ae4d10	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\ffi.dll
ae78815c8dbfcd6bd86b62fdd68665b4	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\lua51.dll
b991f57d815ca821cdb42d2792db366f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\luacom.dll
692479f7c07a64a6a632148e382f0e22	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\nsis7z.dll
5f13dbc378792f23e598079fc1e4422b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\nsisunz.dll
5694e7daf20c47c8d5e73d4a838c2ee6	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\un.package.exe
ebc5bb904cdac1c67ada3fa733229966	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\version.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\downloads.lua (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\res\jquery.js (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\service_registry.lua (462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\.DS_Store (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\bit.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\FloatingProgress.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\win32_constants.lua (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\version.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\mime\core.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\core.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\bundleinstall.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\next.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\AdvancedTests.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\System.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\nsis7z.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\wintypes.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\close.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\packaged_app.lua (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\mime.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\__web.xml (239548 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\DownloadList.lua (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\notifyicon.lua (302 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\main.css (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\utils.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\DownloadThread.lua (581 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\progress-bar.gif (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\skipall.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\GuiInit.lua (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\uistate.lua (310 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\sandbox.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\progressPause.gif (517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\accept.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\compat.lua (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\definitions.lua (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\cancel.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\socket\core.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\extension.tlb (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\ftp.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\IntegratedOffer.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\decline.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\luaxml.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\Events.lua (912 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\accept-lg.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\ltn12.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\default_logo.png (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\res\common.js (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\browserutils.dll (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse2.tmp (46579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\un.package.exe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\nsisunz.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\back.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\socket\http.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\step_bg.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\skin.png (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\http.lua (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\run.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\eagerinstall.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\step_on.png (999 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin.zip (9476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\res\knockout.js (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaBridge.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\socket\ftp.lua (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\save.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaXml_lib.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\env.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\wininet_h.lua (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\scheduler.lua (7 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Administrative Tools\desktop.ini (62 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\processfreefile.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\BrowserControl.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\UACInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\ltn12.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\socket.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\minify.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\luacom.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\url.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\lua51.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\skin.psd (42457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\index.html (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\callbackproxy.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\ffi.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\options.json (197 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\step_off.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\socket\smtp.lua (8 bytes)
%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\socket\tp.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\res\common.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\json.lua (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\progress.gif (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\defs.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\socket\url.lua (10 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

Company Name: Product Name: Product Version: Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: File Description: Comments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	23294	23552	4.47651	ad2ebf079e89cd95e3fda4bd0b869620
.rdata	28672	5272	5632	3.56156	45097a769b809e006a7e5c1f08e7cba2
.data	36864	109756	512	0.972488	4b5dfd97899e385b2193064eb045da6b
.ndata	147456	180224	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	327680	191864	192000	2.99247	554a7d3d339145a1303886e702c5b27f
.reloc	520192	2680	3072	0	d2a70550489de356a2cd6bfc40711204

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 3128
6d3bbc565043d7929cd81a783602d884
90f04d8a51a0a3cdaff2a1f01d170cea
f30fc68ea9b4207c57c40d1965c5d702
2b93d36a95572e6965417e69e2464aa2
5ad05374c6610e5e4de4c2eba890a698
ae7cb79aecb54b2657ca96f385c1303f
9f5393496bb859ffc62ba5f9ec41ff69
798f68ebbc1488920db5eb37a62ea275
43ae1b0f05f57be0a99b1bcbe09ea63f
d7c9e333ec76b5c3cb3707f5d6e170fe
0f2dd2191e4863808f98790ef12a8e29
626b14c1fbbe3b2bbe11637cbc84f8c1
05c7d3c65047e2edcb0f6f49ebbfa6e5
259751cc9ee204a11452457d493793fd
97b19a1388f29328c27e17e96628e08d
f0dacacd5bd1347585ab2121138aad20
22cd201e43874c6ca1c900aebb413b3a
2bf2d68ae31577408d0e67b3edf440df
70199aa4565daef1bce8c399e92d0927
b4040f3fe7b175431b2fc0c656cd41dc
e468120633e2cf06f7889d91b99149a1
9a460acdce056fc4ed8c2da9fdef919d
10f37cfe5b57d6d96f53f68ddbfcee8b
682eb825d517008b6f68f39d81133883
03d0ef32e833b01440a5aece008d6609

Network Activity

URLs

URL	IP
hxxp://service.downloadadmin.com/install?s=41&c=16863824&brand=winstat.us&pid=adshore&aid=16841265&bc=965562&country=US	50.22.63.140
hxxp://a728.g.akamai.net/skins/da/11122015/megazord_darkskin_nondlm_cancel.zip
hxxp://service.downloadadmin.com/env?productKey=&s=41&c=16863824&brand=winstat.us&pid=adshore&aid=16841265&bc=965562&country=UA	50.22.63.140
hxxp://mirror.downloadnet1210.com/skins/da/11122015/megazord_darkskin_nondlm_cancel.zip	212.30.134.158

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /skins/da/11122015/megazord_darkskin_nondlm_cancel.zip HTTP/1.1

User-Agent: Tightrope Bundle Manager(ref=[592c855766057b95c4f77fda29f2cd1a2c183dc4];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=519437;pid=312)

Host: mirror.downloadnet1210.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "398d4b8eeb1f419a51f5c199a58139a2:1447358884"

Last-Modified: Thu, 12 Nov 2015 20:08:04 GMT

Accept-Ranges: bytes

Content-Length: 73310

Content-Type: application/zip

Date: Sun, 03 Apr 2016 09:15:08 GMT

Connection: keep-alive

PK........,nkG].\.............options.json].... .D.~......... .e..-4........t.o.&...=b.r.%s..Z..F0.....Qi.....t..Q...";..i..)..l{.E...v....O.F..s gsHK..P...of.v........}$G......:.;G.....PK.........`.Dj..m............assets/.DS_Store..1..0......M\:2v....!x./....{t%..i..j....oB..P..x..@..................f.t|?MD...>....k<...]...V.y......f...m^.Z........e...".............0..u.....'<.[7n......p..-le.W.."...PK........8d.D3.......%.......assets/accept.png.VwXSg......2d.....$.D.BB$@...A!$7.F.$.$ .Ph..V....`.2.Z.2..(.....".Td....._....?........9.y...7....[.4. ....5.^.g.^..r2i`..H...Z...@.P.....6..@.....=.dK......<..."ta..X.?.......@V...8.....P/.$.G......r.d.3..f.P.o.u..p.9....e..0s3...$3....P...O@..a..%.. .(..O../..WP...P....x.....`.........8...`Qh.C@`p$<..5.~j0.7>.C...>....0o.0..B.D".....O.0D"q.....i ....)F............. ..2gz.AB2..z......a..S.d)C...(.....G.j............e... >Kv......w...,..!>Wv)L?*....xB:.... .\6...YQ... .........[P.8#*.K....Wm...J..).cc.....X..X.pT,.m.AcM.F..X:O d.X.*...,._.$..`.A.#...V.aoP.....(.......c."....|...s..6...C../............@.2^97.K36..hh......a....'g(Y0..)..%Y...?..l..<.O.....Q#......t....{.........u....rHE.Q...J.l.w[$.X5N...3...G3>...)N.w7h.^...I.>.../Us2.}.l..........>R...B..fA|8.!^I....J....k.....oo.....1!M9.}.._|.,k.bj.&B.g...D.......g_....T.S3 .G.7.5...v..5...........n.&hy.u=1..h..K1...D...}.|.../.x....R.}..r..W..u53...x...(A.hy.s^..S..f....l.P...."......k.v............R^V....9...=..&../...o.w.p....t'=]96.G.!W...........;~.<@..". .-......*.6l

<<< skipped >>>

GET /install?s=41&c=16863824&brand=winstat.us&pid=adshore&aid=16841265&bc=965562&country=US HTTP/1.1

X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?s=41&c=16863824&brand=winstat.us&pid=adshore&aid=16841265&bc=965562&country=US

X-Exename: %original file name%.exe

X-WebInstallUrl: hXXp://service.downloadadmin.com/install?s=41&c=16863824&brand=winstat.us&pid=adshore&aid=16841265&bc=965562&country=US

User-Agent: Tightrope Bundle Manager(ref=[592c855766057b95c4f77fda29f2cd1a2c183dc4];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=519437;pid=312)

Host: service.downloadadmin.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/xml;charset=UTF-8

Transfer-Encoding: chunked

Date: Sun, 03 Apr 2016 09:15:02 GMT

Age: 0

X-Cache: MISS

008000..<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<Installer>. <Bundle>. <LinkBelowEula>false</LinkBelowEula>. <OptInDefault>false</OptInDefault>. <ProductBinary embed="false" msioptions="" options="">hXXp://mirror.ramtransmission.info/binstallers/BM2/blank/exe/blank.upx.exe</ProductBinary>. <ProductEula comboPrimary="false" embed="false">hXXp://mirror.downloadnet1210.com/binstallers/BM2/winstat/ipage/browser_628.mht</ProductEula>. <Primary>true</Primary>. <ProductId>961486</ProductId>. <ProductName>Browser Update</ProductName>. <Scramble>false</Scramble>. </Bundle>. <Bundle>. <Category>toolbar, search, home</Category>. <CustomParameter Name="advertisername">Findwide</CustomParameter>. <If>. <Or>. <Not>. <Env property="custom.invm" op="=" value="true"/>. </Not>. <Env property="custom.partner" op="=" value="test"/>. </Or>. <Or>. <Env property="custom.region" op="=" value="US"/>. <Env property="custom.region" op="=" value="us"/>. </Or>. <Not>. <Env property="custom.browserName" op="=" value="Chrome"/>. </Not>.

<<< skipped >>>

GET /env?productKey=&s=41&c=16863824&brand=winstat.us&pid=adshore&aid=16841265&bc=965562&country=UA HTTP/1.1

X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?s=41&c=16863824&brand=winstat.us&pid=adshore&aid=16841265&bc=965562&country=US

X-Exename: %original file name%.exe

X-WebInstallUrl: hXXp://service.downloadadmin.com/install?s=41&c=16863824&brand=winstat.us&pid=adshore&aid=16841265&bc=965562&country=US

User-Agent: Tightrope Bundle Manager(ref=[592c855766057b95c4f77fda29f2cd1a2c183dc4];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=519437;pid=312)

Host: service.downloadadmin.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: no-cache

Pragma: no-cache

Expires: 0

Content-Type: text/xml;charset=UTF-8

Transfer-Encoding: chunked

Date: Sun, 03 Apr 2016 09:15:09 GMT

Age: 0

X-Cache: MISS

00d3c..<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Installer><Environment><Entry name="over-threshold:SearchProtect (US) (Master) (Regkey)">true</Entry><Entry name="over-threshold:GeekBuddy (US)">true</Entry><Entry name="over-threshold:Wajam (US)">true</Entry><Entry name="over-threshold:Super Optimizer (US)">true</Entry><Entry name="over-threshold:Cassiopesa (CA)">true</Entry><Entry name="over-threshold:Cassiopesa (FR)">true</Entry><Entry name="over-threshold:CrimeWatch (CA)">true</Entry><Entry name="over-threshold:PremierOpinion (FR)">true</Entry><Entry name="over-threshold:WebDiscover (FR)">true</Entry><Entry name="over-threshold:Web Bar (FR)">true</Entry><Entry name="over-threshold:Lolliscan (FR)">true</Entry><Entry name="over-threshold:Cassiopesa (DE)">true</Entry><Entry name="over-threshold:SafeFinder (DE)">true</Entry><Entry name="over-threshold:SafeFinder (CA)">true</Entry><Entry name="over-threshold:Cassiopesa (IT)">true</Entry><Entry name="over-threshold:Cassiopesa (ES)">true</Entry><Entry name="over-threshold:SafeFinder (UA)">true</Entry><Entry name="over-threshold:SafeFinder (BR)">true</Entry><Entry name="over-threshold:SafeFinder (VN)">true</Entry><Entry name="over-threshold:SafeFinder (RU)">true</Entry><Entry name="over-threshold:

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_312:

.text

`.rdata

@.data

.ndata

.rsrc

@.reloc

uDSSh

verifying installer: %d%%

unpacking data: %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

%u.%u%s%s

.DEFAULT\Control Panel\International

RegDeleteKeyExA

Software\Microsoft\Windows\CurrentVersion

*?|/":

%s=%s

GetWindowsDirectoryA

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

SHFileOperationA

ShellExecuteA

SHELL32.dll

RegDeleteKeyA

RegCloseKey

RegEnumKeyA

RegOpenKeyExA

RegCreateKeyExA

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp\LuaBridge.dll

ss.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp\LuaBridge.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp

ns\UrlAssociations\http\UserChoice

C:\Nsis\Browser-%s

nswebForwarder

CustomNsWebContainer

`'\%D,3

WININET.dll

GetProcessHeap

EnumChildWindows

OLEAUT32.dll

customnsWeb.dll

C:\Programming\GitHome\bm-core-main.git\25\Custom\Nsweb\Release\nsWeb.pdb

CustomNsWebForwarder

1 1$1(1,10141

.reloc

Z:\Programming\GitHome\master\Employers\Franco\TightRope-BundleManager\Custom\Scramble\Release\Scramble.pdb

#-,.mT:

!$"'(!((!$&

##-,#1.#0- !%

! .76:76:*),

#" *#1.#1.!#&

nst3.tmp

-exec

pdate]],0x00040000) -- C:/BM/2.5/BINARIES/DownloadAdmin-Dynamic/production/ComboScreen/setup.exe.nsi:Line 1221.2

xe.nsi:Line 1096.2

tartTime=519437;pid=312)]]}) -- C:/BM/2.5/BINARIES/DownloadAdmin-Dynamic/production/ComboScreen/setup.exe.nsi:Line 999.2

Tightrope Bundle Manager(ref=[592c855766057b95c4f77fda29f2cd1a2c183dc4];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=519437;pid=312)

c:\%original file name%.exe

%original file name%.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy1.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

5334543

8664755

8760876

Nullsoft Install System vtightrope

com.build.date

2/4/2014

com.build.dir

C:\BM\2.5\WebTemplates

com.build.id

com.build.machine

com.build.skin

com.build.time

com.build.user

$%USER%

%original file name%.exe_312_rwx_10004000_00001000:

callback%d