Gen.Variant.Barys.7448_a1c9c1d096 – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

a1c9c1d09627949:120
notepad.exe:480
System.exe:752
8BALLRULER 1.1 (WIN).EXE:1448
vbc.exe:552
Install 8BallRuler.exe:812
AIRRuntimeInstaller.exe:388

The Trojan injects its code into the following process(es):

Adobe AIR Installer.exe:1036
Adobe AIR Application Installer.exe:1320

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process notepad.exe:480 makes changes in the file system.

The Trojan deletes the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\vbc.exe (0 bytes)

The process Adobe AIR Installer.exe:1036 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\AIR\logs\Install.log (6204 bytes)

The process 8BALLRULER 1.1 (WIN).EXE:1448 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\META-INF\signatures.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\8BallRuler.exe (142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\test2.swf (85 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\setup.msi (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\META-INF\AIR\application.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\Icon\16.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\Icon\48.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\.launch (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Install 8BallRuler.exe (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\Icon\32.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\Icon\128.png (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\mimetype (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\META-INF\AIR\hash (32 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp (0 bytes)

The process vbc.exe:552 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\8BALLRULER 1.1 (WIN).EXE (1652 bytes)
%System%\8BallRuler\System.exe (7547 bytes)

The process Adobe AIR Application Installer.exe:1320 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\AIR\logs\Install.log (6258 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\5CB653B2DAF9459B6E8E3796503DD779BAD8DB50.crl (341 bytes)

The process Install 8BallRuler.exe:812 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AIRRuntimeInstaller.exe (132160 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\9C07FA4C8533A07B5EDE782A6F5AFA6A (637 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\9C07FA4C8533A07B5EDE782A6F5AFA6A (148 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\EF87FE2FBAF08DA89A8C148EF56C40E0 (425 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\AIR\logs\Install.log (1843 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\EF87FE2FBAF08DA89A8C148EF56C40E0 (168 bytes)

The process AIRRuntimeInstaller.exe:388 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\template.exe (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR.vch (1706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\stylesNative.swf (235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit.dll (32275 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\digest.s (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe Root Certificate.cer (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR.dll (141488 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\template.msi (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf (3810 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\setup.swf (3831 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit\Notice WebKit.txt (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\AdobeCP15.dll (23407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\sentinel (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit\LGPL License.txt (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\setup.swf (3831 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF32.dll (123239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\setup.msi (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR Installer.exe (103 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Thawte Root Certificate.cer (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe (130 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp (0 bytes)

Registry activity

The process a1c9c1d09627949:120 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 F2 AE DE F6 78 21 21 49 DA 88 39 00 05 B7 7A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process notepad.exe:480 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 AB 58 36 D0 98 1D 66 48 00 1F 25 B2 88 49 4C"

The process System.exe:752 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 59 A0 F8 7F E6 2C 69 A8 9E 4F 82 46 8A 2A 80"

The process Adobe AIR Installer.exe:1036 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 D7 71 2B B5 E1 EB 46 81 DB 8B 25 20 93 06 54"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process 8BALLRULER 1.1 (WIN).EXE:1448 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 87 92 56 C3 58 87 4A 26 E3 B4 1A 33 AF 02 62"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\AIR1.tmp]
"Install 8BallRuler.exe" = "Adobe Bootstrapping Utility"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process vbc.exe:552 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 65 7F C4 D2 82 D8 9F A5 83 3A 04 0D C2 02 1E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%\8BallRuler]
"system.exe" = "Visual Basic Command Line Compiler"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"8BallRuler 1.1 (WIN).exe" = "8BALLRULER 1.1 (WIN)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%System%\8BallRuler\System.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"8BallRuler" = "%System%\8BallRuler\System.exe"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process Adobe AIR Application Installer.exe:1320 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 29 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 E8 7E 2A 04 6A AA 97 67 5B 25 DF B7 F1 79 BC"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Install 8BallRuler.exe:812 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 31 6C 6C 2A CD 67 FF 6A F1 4C DC 1B F5 A6 23"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process AIRRuntimeInstaller.exe:388 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 16 4C 8E 69 16 31 78 B7 31 2B 29 8C 2D 91 2D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\AIR2.tmp]
"Adobe AIR Installer.exe" = "Adobe AIR Installer"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5	File path
4b0fe4b36e5ed0f224bf6f2108ba9e9e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\8BALLRULER 1.1 (WIN).EXE
b03aab94e18308f2d98335205c14096a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIR1.tmp\8BallRuler\8BallRuler.exe
5b6bc0f14712a4ccbf59fba43b7be42a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIR1.tmp\Install 8BallRuler.exe
c20bc7101d27a7a8a683f1fb90112f90	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIR2.tmp\Adobe AIR Installer.exe
49f3df5f4ded35ed40dcc8b97018155c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
c0e93f3f5e14da5e9c71a64379f2afe8	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR.dll
0f8485c6cf126c41fd8af1d75fc2dc08	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe
7c2813bc3663c9e4795002b25d0a9395	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\AdobeCP15.dll
42a9be218f076d756863789e3d5e8e95	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF32.dll
862bdd6acc35602f7a0bc9d2f1d20670	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit.dll
e41c4b2066cf1b2b07d90d13bb7b193a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe
67f3e1cf291fd03d8f7b4e87015a8ab8	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\template.exe
0d5fa353b229b3c0dc6dfac152c38437	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIRRuntimeInstaller.exe
67f5238229333c061092f5a32e8c2ee1	c:\WINDOWS\system32\8BallRuler\System.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
a1c9c1d09627949:120
notepad.exe:480
System.exe:752
8BALLRULER 1.1 (WIN).EXE:1448
vbc.exe:552
Install 8BallRuler.exe:812
AIRRuntimeInstaller.exe:388
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\AIR\logs\Install.log (6204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\META-INF\signatures.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\8BallRuler.exe (142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\test2.swf (85 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\setup.msi (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\META-INF\AIR\application.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\Icon\16.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\Icon\48.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\.launch (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Install 8BallRuler.exe (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\Icon\32.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\Icon\128.png (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\mimetype (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\META-INF\AIR\hash (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8BALLRULER 1.1 (WIN).EXE (1652 bytes)
%System%\8BallRuler\System.exe (7547 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\5CB653B2DAF9459B6E8E3796503DD779BAD8DB50.crl (341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIRRuntimeInstaller.exe (132160 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\9C07FA4C8533A07B5EDE782A6F5AFA6A (637 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\9C07FA4C8533A07B5EDE782A6F5AFA6A (148 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\EF87FE2FBAF08DA89A8C148EF56C40E0 (425 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\EF87FE2FBAF08DA89A8C148EF56C40E0 (168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\template.exe (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR.vch (1706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\stylesNative.swf (235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit.dll (32275 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\digest.s (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe Root Certificate.cer (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR.dll (141488 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\template.msi (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf (3810 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\setup.swf (3831 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit\Notice WebKit.txt (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\AdobeCP15.dll (23407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\sentinel (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit\LGPL License.txt (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\setup.swf (3831 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF32.dll (123239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\setup.msi (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR Installer.exe (103 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Thawte Root Certificate.cer (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe (130 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"8BallRuler" = "%System%\8BallRuler\System.exe"
Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%System%\8BallRuler\System.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: mBLtsgg
Product Name: IQcFYEc
Product Version: 3.6.9.9
Legal Copyright: 2012 tGtrlEB
Legal Trademarks:
Original Filename: 8BallRuler.exe
Internal Name: 8BallRuler.exe
File Version: 3.6.9.9
File Description: kjzprjJ
Comments: lQOwkFv
Language: Language Neutral

Company Name: mBLtsggProduct Name: IQcFYEcProduct Version: 3.6.9.9Legal Copyright: 2012 tGtrlEBLegal Trademarks: Original Filename: 8BallRuler.exeInternal Name: 8BallRuler.exeFile Version: 3.6.9.9File Description: kjzprjJComments: lQOwkFvLanguage: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	8192	1711108	1712128	4.56853	7e6995bd3ab5d814a8290c7502d5dcf0
.rsrc	1720320	68644	69632	2.75487	caa5355367297447b9a0ffdd519d353c
.reloc	1794048	12	4096	0.009099	2620980cdb7a188f88d05c1c104c8c8a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://a1396.d.akamai.net/air/3/nai/windows5.1/x86/installer
hxxp://a1396.d.akamai.net/air/3/nai/windows5.1/x86/installer.p7
hxxp://a1180.g.akamai.net/prodSvce.crl
hxxp://a1180.g.akamai.net/cds.crl
hxxp://crl.adobe.com/prodSvce.crl	87.245.221.107
hxxp://crl.adobe.com/cds.crl	87.245.221.107
hxxp://airdownload.adobe.com/air/3/nai/windows5.1/x86/installer	87.245.221.97
hxxp://airdownload.adobe.com/air/3/nai/windows5.1/x86/installer.p7	87.245.221.97
tss-geotrust-crl.thawte.com	23.43.133.163

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /air/3/nai/windows5.1/x86/installer HTTP/1.1

User-Agent: Adobe AIR Bootstrapper2.0.0.11920

Host: airdownload.adobe.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Apache

Last-Modified: Tue, 03 Mar 2015 15:13:47 GMT

ETag: "10e66d0-51063c80300c0"

Accept-Ranges: bytes

Content-Length: 17721040

Date: Wed, 01 Apr 2015 06:18:39 GMT

Connection: keep-alive

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................$.......5.......#......V................*.......4.......1.....Rich............................PE..L...>..T..........................................@..........................p............@..................................\..d...................0N.......P......................................PW..@...............L............................text...8........................... ..`.rdata...S.......T..................@..@.data....8...p.......P..............@....rsrc................^..............@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................U..Qh....j..E.P.M.Q.8....E..}..|.h.....U.Rj..E.P.M.Q......E..E...]..............U......E....E.h....j..M.Q.U.R......E..}..|.h.....E.Pj..M.Q.U.R......E..E...]...j.h.YA..-....u...tu.=..A..uCj......Y.e..V.E...Y.E...t.VP.f...YY.E...........}..u7.u...j......Y.Vj..5.|A.....A...u..........L.A.P.......Y........U...=.|A..u.......u......h.....N...YY].jXh YA..v...3..u..E.P..d.A.j._.}..MZ..f9...@.u8.<.@.....@.PE..u'.....f9...@.u...t.@..v.3.9...@.....M....u.3.CS.j...Y..u.j..X...Y.7"....u.j..G...Y......]..n.....}.j.

<<< skipped >>>

GET /air/3/nai/windows5.1/x86/installer.p7 HTTP/1.1

User-Agent: Adobe AIR Bootstrapper2.0.0.11920

Host: airdownload.adobe.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Apache

Last-Modified: Tue, 03 Mar 2015 15:13:38 GMT

ETag: "f14-51063c779ac80"

Accept-Ranges: bytes

Content-Length: 3860

Date: Wed, 01 Apr 2015 06:18:51 GMT

Connection: keep-alive

0.....*.H..........0......1.0... ......0...*.H.........n0...0..........[.0...*.H........0_1.0...U....US1.0...U....GeoTrust Inc.1.0...U....Adobe Trust Services1.0...U....Product Services0...131028121920Z..230108080000Z0e1.0...U....Adobe AIR1.0...U....Adobe Trust Services1#0!..U....Adobe Systems Incorporated1.0...U....US0..0...*.H............0........&.a.m_.u.qJf5......fG...&h......t9...l......O..y...$D....F..A\..&.N..k<....E..l..b.X.@.*.. ......4 C........H...'9J..a...w.............0...0...U........0...U.%..0...*.H../...02..U... 0)0'.%.#.!hXXp://crl.adobe.com/prodSvce.crl0...U.......0.0....U. ......0..0....*.H../...0..0.... .......0}.{You are not permitted to use this Certificate except as permitted by the license agreement accompanying the Adobe software.0...*.H..............Ff...K..v.q........W......F....R.k......x;.......,:..,y.g.%./ 9/....P*.&3....`}...=h..~...f...e.lvR...f.f"..0...a........;X..<>am....T(....'...u.j.*..Ud..=B..."6.!...Y..yE...HTfu.6..;...Wn..y.U@.se#..w...)iT..0g..........p..a.th..(............._B2.v...t.l0...0..........>..(0...*.H........0i1.0...U....US1#0!..U....Adobe Systems Incorporated1.0...U....Adobe Trust Services1.0...U....Adobe Root CA0...030108233723Z..230109000723Z0i1.0...U....US1#0!..U....Adobe Systems Incorporated1.0...U....Adobe Trust Services1.0...U....Adobe Root CA0.."0...*.H.............0.........OT.....3S.?...k,.Gg~...............i./Y5..l.L..... ...T.. fE?9.8~....".$....5.U.i....7..N..B.j.i.f....Y*..yZ D-..s8.</.C.]....5.)......L.=Y..1<@~..6...\...&.\E..e?

<<< skipped >>>

GET /prodSvce.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.adobe.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

Last-Modified: Fri, 19 Sep 2014 07:02:54 GMT

ETag: "10b28a7-1a9-50365b0a90380"

Accept-Ranges: bytes

Content-Length: 425

Content-Type: text/plain

Date: Wed, 01 Apr 2015 06:18:52 GMT

Connection: keep-alive

0...0..0...*.H........0_1.0...U....US1.0...U....GeoTrust Inc.1.0...U....Adobe Trust Services1.0...U....Product Services..140919064300Z..150919064300Z0...*.H.............A...7....Z...I.3...\.....A..|..%....".c.f.h..._...(5J..g.KX$.d.{}..{...!w...x#..g .[.......)/.a[..L..$....n....*qJ.Qk.&..^.S......|........9..X...=.QI........i.R....L.=.......b.r..."c....RC..L..7M.bZFt.jk9...*4.L...-m..`....~.............2.............y.-.....

GET /cds.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.adobe.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

Last-Modified: Fri, 17 Sep 2010 22:42:29 GMT

ETag: "1deb03-27d-4907c47099f40"

Accept-Ranges: bytes

Content-Length: 637

Content-Type: text/plain

Date: Wed, 01 Apr 2015 06:18:52 GMT

Connection: keep-alive

0..y0..a...0...*.H........0i1.0...U....US1#0!..U....Adobe Systems Incorporated1.0...U....Adobe Trust Services1.0...U....Adobe Root CA..100917000000Z..150916235959Z0..0!...........-..1.....100917203246Z0#..>.....040117013929Z0.0...U.......0#..>.....040117010905Z0.0...U.......0#..>.....100107183437Z0.0...U......../0-0...U.#..0.....8J........T.......0...U.......0...*.H...............4.>..v...~.%.....>7. /.....G..:B.Z..e...J....=...g..t.....9.^..p...*...c.Q.d.6.rMy..iQ.a.O...6..V]..F.B........'2.|.R..M....K{..$.....d....zb.R.B.....IA.:....."N0.^...!P#.^r.?..........\z....G.'4.U"....8...<.....5.0... .......v..w.^..d..$....?.b:... ...cHTTP/1.1 200 OK..Server: Apache..Last-Modified: Fri, 17 Sep 2010 22:42:29 GMT..ETag: "1deb03-27d-4907c47099f40"..Accept-Ranges: bytes..Content-Length: 637..Content-Type: text/plain..Date: Wed, 01 Apr 2015 06:18:52 GMT..Connection: keep-alive..0..y0..a...0...*.H........0i1.0...U....US1#0!..U....Adobe Systems Incorporated1.0...U....Adobe Trust Services1.0...U....Adobe Root CA..100917000000Z..150916235959Z0..0!...........-..1.....100917203246Z0#..>.....040117013929Z0.0...U.......0#..>.....040117010905Z0.0...U.......0#..>.....100107183437Z0.0...U......../0-0...U.#..0.....8J........T.......0...U.......0...*.H...............4.>..v...~.%.....>7. /.....G..:B.Z..e...J....=...g..t.....9.^..p...*...c.Q.d.6.rMy..iQ.a.O...6..V]..F.B........'2.|.R..M....K{..$.....d....zb.R.B.....IA.:....."N0.^...!P#.^r.?..........\z....G.'4.U"....8...<.....5.0... .......v..w.^..d..

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

8BALLRULER 1.1 (WIN).EXE_1448:

.text

`.rdata

@.data

.rsrc

@.reloc

FTPQ

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

operator

1.2.3

g:\Acro_root_apams\Main\code\build\win\results\Release\info\sea.pdb

SHLWAPI.dll

SHFileOperationW

ShellExecuteExW

SHELL32.dll

GetProcessHeap

GetCPInfo

KERNEL32.dll

USER32.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\8BALLRULER 1.1 (WIN).EXE

) ) ) ) ) )

!$!$!$!$!$!$!$!$!

!$!$!$!$!$!

!$!$!$!$!

' ' ' ' ' ' ' ' '

' '!'!'!'!'!'!'!'!'!'!

!'!'!'!'!'!'

'!'!'!'!'!

!'!'!'!'!

'!'!'!'

'!'!' '

!'!'!' '

5555555

555555555

)&&)$!

5555555555555

555555555555555

,,('"'"'"'"'"

O@.wd

%c"8H

1*2024282

:!:%:):-:

mscoree.dll

KERNEL32.DLL

kernel32.dll

Adobe AIR Installer.exe

.launch

Install 8BallRuler.exe_812:

.text

`.rdata

@.data

.rsrc

@.reloc

SSSSh

PWSSSh

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

operator

hXXp://airdownload.adobe.com/air/3/nai/%s%d.%d/%s/%s

windows

\Versions\1.0\Adobe AIR.dll

[M-d-d:d:d:d]

2.0.0.11920

1.2.840.113583.1.1.12

Begin runtime download ("%s%s")

Begin signature download ("%s%s")

Adobe AIR Bootstrapper2.0.0.11920

HTTP/1.0

Begin cert chain validation

Cert revocation found

Cert chain validation succeeded

Cert chain validation failed

Begin CRL download ("%s")

2.5.4.6

2.5.4.3

2.5.4.10

2.5.4.11

2.5.29.37

Launching runtime installer: %s

Runtime installer failure (%d)

Bootstrapper begin (%s:version %s)

Could not locate native install directory ("%s")

Installed runtime located (%d.%d.%d.%d)

Bootstrapper failure (%d)

Launching application installer: %s

Application installer failure (%d)

g:\Acro_root_apams\Main\code\build\win\results\Release\info\naib.pdb

GetProcessHeap

KERNEL32.dll

ShellExecuteW

SHELL32.dll

VERSION.dll

RegCloseKey

RegOpenKeyExW

ADVAPI32.dll

UrlGetPartA

SHLWAPI.dll

msi.dll

USER32.dll

HttpQueryInfoW

HttpOpenRequestA

HttpSendRequestA

WININET.dll

CryptGetMessageCertificates

CertCreateCertificateContext

CertGetNameStringW

CertVerifyCRLRevocation

CertFreeCertificateContext

CertFindCertificateInStore

CertCloseStore

CertVerifySubjectCertificateContext

CertDuplicateCertificateContext

CRYPT32.dll

CryptGetObjectUrl

CryptRetrieveObjectByUrlW

CRYPTNET.dll

GetCPInfo

GetConsoleOutputCP

=!?-?3?8?>?

> ?%?,?1?8?=?

mscoree.dll

KERNEL32.DLL

n{DC74C3C6-CAB8-4C49-BE18-5B1DCD0D197E}

\Versions\1.0\Adobe AIR Application Installer.exe

${@{language}.LABEL_INSTALLING}

in sistem gereksinimlerini inceleyip sisteminizde gerekli g

hXXp://VVV.adobe.com/go/getair_tr

hXXp://VVV.adobe.com/go/getair_tr adresinden en son Adobe AIR s

hXXp://VVV.adobe.com/go/getair_tr adresinden

s systemkraven f

hXXp://VVV.adobe.com/go/getair_se

hXXp://VVV.adobe.com/go/getair_se och f

pna dla tego systemu. Przejrzyj wymagania systemowe

hXXp://VVV.adobe.com/go/getair_pl

hXXp://VVV.adobe.com/go/getair_pl i pon

Deze toepassing vereist een update van Adobe AIR, maar het downloaden van deze update naar uw systeem wordt niet toegestaan door uw beheerder. Neem contact op met de beheerder.

Deze toepassing vereist een update van Adobe AIR die niet beschikbaar is voor uw systeem. Bekijk de systeemvereisten voor Adobe AIR en werk uw systeem bij.

hXXp://VVV.adobe.com/go/getair_nl

en probeer deze toepassing opnieuw te installeren.

Er is iets misgegaan tijdens een poging deze toepassing te installeren.

hXXp://VVV.adobe.com/go/getair_nl en probeer het opnieuw.

Deze toepassing vereist een versie van Adobe AIR die niet is gevonden.

hXXp://VVV.adobe.com/go/getair_nl

of neem contact op met de schrijver van de toepassing voor een bijgewerkte versie.

m syst

Nainstalujte z webu

hXXp://VVV.adobe.com/go/getair_cz

hXXp://VVV.adobe.com/go/getair_cz a potom opakujte akci.

hXXp://VVV.adobe.com/go/getair_tw

hXXp://VVV.adobe.com/go/getair_tw)

hXXp://VVV.adobe.com/go/getair

hXXp://VVV.adobe.com/go/getair_cn

hXXp://VVV.adobe.com/go/getair_ru,

hXXp://VVV.adobe.com/go/getair_ru ,

hXXp://VVV.adobe.com/go/getair_ru

vel para o seu sistema. Consulte os requisitos de sistema do Adobe AIR e atualize seu sistema de acordo.

hXXp://VVV.adobe.com/go/getair_br

hXXp://VVV.adobe.com/go/getair_br e tente novamente.

o mais recente do tempo de execu

hXXp://VVV.adobe.com/go/getair_kr

hXXp://VVV.adobe.com/go/getair_jp

disponibile per il sistema in uso. Consultate i requisiti di sistema per Adobe AIR e aggiornate il sistema di conseguenza.

hXXp://VVV.adobe.com/go/getair_it,

hXXp://VVV.adobe.com/go/getair_it, quindi riprovate.

hXXp://VVV.adobe.com/go/getair_it

me. Veuillez consulter la configuration syst

hXXp://VVV.adobe.com/go/getair_fr,

hXXp://VVV.adobe.com/go/getair_fr, puis essayez

hXXp://VVV.adobe.com/go/getair_fr

n de Adobe AIR que no se encuentra disponible para el sistema. Consulte los requisitos del sistema para Adobe AIR y actualice el sistema seg

hXXp://VVV.adobe.com/go/getair_es

hXXp://VVV.adobe.com/go/getair_es y vuelva a intentarlo.

hXXp://VVV.adobe.com/go/getair_es,

This application requires an update to Adobe AIR that is not available for your system. Please view the system requirements for Adobe AIR and update your system accordingly.

hXXp://VVV.adobe.com/go/getair,

hXXp://VVV.adobe.com/go/getair and then try again.

ber die Systemanforderungen f

hXXp://VVV.adobe.com/go/getair_de

hXXp://VVV.adobe.com/go/getair_de zur Verf

AIRRuntimeInstaller.exe

.launch

"Adobe AIR Application Installer.exe"

@riched20.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\AIR1.tmp\Install 8BallRuler.exe

naib.exe

AIRRuntimeInstaller.exe_388:

.text

`.rdata

@.data

.rsrc

@.reloc

FTPQ

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

operator

1.2.5

E:\r\ws\St_Make\code\build\win\int\SelfExtractor.build\Release\info\sea.pdb

SHLWAPI.dll

SHFileOperationW

ShellExecuteExW

SHELL32.dll

GetProcessHeap

GetCPInfo

KERNEL32.dll

USER32.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\AIRRuntimeInstaller.exe

.XkDkD&^&^&^&^&

&rN.N.XK&K&KDKDkDkDk^&^&

]

8E8%F>->->-

;u.oE

2*232`2{2

.04080

> >$>(>,>

mscoree.dll

KERNEL32.DLL

kernel32.dll

.launch

Adobe AIR Installer.exe

17.0.0.124

Adobe AIR Installer.exe_1036:

.text

`.rdata

@.data

.rsrc

@.reloc

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

E:\r\ws\St_Make\code\build\win\results\Release\info\Adobe AIR Installer.pdb

GetProcessHeap

KERNEL32.dll

USER32.dll

SHLWAPI.dll

SHELL32.dll

GetCPInfo

msi.dll

GetConsoleOutputCP

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\AIR2.tmp\Adobe AIR Installer.exe

.XkDkD&^&^&^&^&

&rN.N.XK&K&KDKDkDkDk^&^&

]

8E8%F>->->-

;u.oE

2.34383

3 3@3\3`3

mscoree.dll

KERNEL32.DLL

{DC74C3C6-CAB8-4C49-BE18-5B1DCD0D197E}

hXXp://VVV.adobe.com/go/getair_tr adresinden

hXXp://VVV.adobe.com/go/getair_se

hXXp://VVV.adobe.com/go/getair_pl

Deze toepassing vereist een versie van Adobe AIR die niet is gevonden.

hXXp://VVV.adobe.com/go/getair_nl

of neem contact op met de schrijver van de toepassing voor een bijgewerkte versie.

hXXp://VVV.adobe.com/go/getair_cz

hXXp://VVV.adobe.com/go/getair

hXXp://VVV.adobe.com/go/getair_cn

hXXp://VVV.adobe.com/go/getair_ru

o mais recente do tempo de execu

hXXp://VVV.adobe.com/go/getair_br

hXXp://VVV.adobe.com/go/getair_kr

hXXp://VVV.adobe.com/go/getair_jp

hXXp://VVV.adobe.com/go/getair_it

hXXp://VVV.adobe.com/go/getair_fr

hXXp://VVV.adobe.com/go/getair_es,

hXXp://VVV.adobe.com/go/getair,

hXXp://VVV.adobe.com/go/getair_de

\Adobe AIR\Versions\1.0\Adobe AIR.dll

from hXXp://VVV.adobe.com/go/getair.

\Versions\1.0\Adobe AIR.dll

kernel32.dll

17.0.0.124

setup.exe

Adobe AIR Application Installer.exe_1320:

.text

`.rdata

@.data

.rsrc

@.reloc

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

E:\r\ws\St_Make\code\build\win\results\Release\info\Adobe AIR Application Installer.pdb

GetProcessHeap

KERNEL32.dll

USER32.dll

SHLWAPI.dll

SHELL32.dll

GetCPInfo

msi.dll

GetConsoleOutputCP

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe

.5qqqq.CZZZZ

xyyyyyyyyyyyyyyy.qqqqqqqqqqqqq.CCCCCZZZZZ

ff! ....../!!!!77&..gNNN

G......Mfff!!!&qe!!7777Nyyy#8WWWW

----@@@@

)C%%YYYY%%C

l.dU`

%FÃ¼6

%f[f f[

0URllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

:$:$:$:$:$:$:

4 4

hXXp://VVV.adobe.com/go/getair_tr adresinden

hXXp://VVV.adobe.com/go/getair_se

hXXp://VVV.adobe.com/go/getair_pl

Deze toepassing vereist een versie van Adobe AIR die niet is gevonden.

hXXp://VVV.adobe.com/go/getair_nl

of neem contact op met de schrijver van de toepassing voor een bijgewerkte versie.

hXXp://VVV.adobe.com/go/getair_cz

hXXp://VVV.adobe.com/go/getair

hXXp://VVV.adobe.com/go/getair_cn

hXXp://VVV.adobe.com/go/getair_ru

o mais recente do tempo de execu

hXXp://VVV.adobe.com/go/getair_br

hXXp://VVV.adobe.com/go/getair_kr

hXXp://VVV.adobe.com/go/getair_jp

hXXp://VVV.adobe.com/go/getair_it

hXXp://VVV.adobe.com/go/getair_fr

hXXp://VVV.adobe.com/go/getair_es,

hXXp://VVV.adobe.com/go/getair,

hXXp://VVV.adobe.com/go/getair_de

from hXXp://VVV.adobe.com/go/getair.

\Versions\1.0\Adobe AIR.dll

runtimes\air\win\Adobe AIR\Versions\1.0\Adobe AIR.dll

runtimeSDK\Adobe AIR\Versions\1.0\Adobe AIR.dll

\Adobe AIR\Versions\1.0\Adobe AIR.dll

kernel32.dll

mscoree.dll

KERNEL32.DLL

{DC74C3C6-CAB8-4C49-BE18-5B1DCD0D197E}

17.0.0.124

Adobe AIR Application Installer.exe

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps