not-a-virus:AdWare.Win32.SideTab.ay (Kaspersky), Dropped:Generic.Malware.Sdld.BC837EDE (B) (Emsisoft), Dropped:Generic.Malware.Sdld.BC837EDE (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Adware, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 8b39c274070bba9a776d868e3336adf7
SHA1: 30a2999bc67a1f0beed3211b4db920c2824d6d23
SHA256: 1a170b67bea8f0b15af6e12abdd63aef8442f7f21cb4d0664f72779dd2532b34
SSDeep: 6144:Qe34aHi7whmJZuS1wFxu75 ZPPfnE2Qyn20UYXiu75 ZPPfnE2Qyn20U:tH2wKZuS2FgF ZPPfnEUnViuF ZPPfnz
Size: 264840 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: NBIZ Corp.
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary: Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Dropped creates the following process(es):
regsvr32.exe:540
regsvr32.exe:1648
regsvr32.exe:184
regsvr32.exe:1404
EasyOn.exe:372
EasyOn.exe:1036
%original file name%.exe:312
EOU1008.exe:1316
The Dropped injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process EasyOn.exe:372 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Program Files%\EasyOn\ex.dat (238 bytes)
The process EasyOn.exe:1036 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\EOU1008.exe (20594 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
The process %original file name%.exe:312 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\NSISdl.dll (14 bytes)
%Program Files%\EasyOn\EasyOn.dll (4383 bytes)
%Program Files%\EasyOn\Uninstall.exe (2757 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\IpConfig.dll (3322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\UAC.dll (13 bytes)
%Program Files%\EasyOn\EasyOn.exe (1568 bytes)
%Program Files%\EasyOn\1 (9 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\NSISdl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\IpConfig.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\UAC.dll (0 bytes)
The process EOU1008.exe:1316 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\SelfDel.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp (4 bytes)
%Program Files%\EasyOn\EasyOn.dll (3696 bytes)
%Program Files%\EasyOn\Uninstall.exe (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\updat.xxx (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\UAC.dll (13 bytes)
%Program Files%\EasyOn\EasyOn.exe (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\nsProcess.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\IpConfig.dll (3322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\fct.dll (4 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\UAC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\SelfDel.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\nsProcess.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\IpConfig.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\NSISdl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\fct.dll (0 bytes)
Registry activity
The process regsvr32.exe:540 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCR\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib]
"Version" = "1.0"
"(Default)" = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"
[HKCR\EasyOn.SideBand\CLSID]
"(Default)" = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"
[HKCR\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\EasyOn.BandHelper\CLSID]
"(Default)" = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}"
[HKCR\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib]
"(Default)" = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID]
"(Default)" = "EasyOn.BandHelper.1"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32]
"(Default)" = "%Program Files%\EasyOn\EasyOn.dll"
[HKCR\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID]
"(Default)" = "EasyOn.BandHelper"
[HKCR\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID]
"(Default)" = "EasyOn.SideBand.1"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib]
"(Default)" = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"
[HKCR\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\EasyOn.BandHelper]
"(Default)" = "BandHelper Class"
[HKCR\EasyOn.BandHelper.1\CLSID]
"(Default)" = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0]
"(Default)" = "EasyOn 1.0 Type Library"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID]
"(Default)" = "EasyOn.SideBand"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}]
"(Default)" = "EasyOn"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib]
"(Default)" = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"
[HKCR\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}]
"(Default)" = "ISideBand"
[HKCR\EasyOn.SideBand]
"(Default)" = "SideBand Class"
[HKCR\EasyOn.SideBand.1]
"(Default)" = "SideBand Class"
[HKCR\EasyOn.BandHelper.1]
"(Default)" = "BandHelper Class"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 63 42 AC 64 60 78 5E C8 77 D1 D3 60 E6 DC FF"
[HKCR\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}]
"(Default)" = "IBandHelper"
[HKCR\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\0\win32]
"(Default)" = "%Program Files%\EasyOn\EasyOn.dll"
[HKCR\EasyOn.SideBand.1\CLSID]
"(Default)" = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"
[HKCR\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\HELPDIR]
"(Default)" = "%Program Files%\EasyOn\"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32]
"(Default)" = "%Program Files%\EasyOn\EasyOn.dll"
[HKCR\EasyOn.BandHelper\CurVer]
"(Default)" = "EasyOn.BandHelper.1"
[HKCR\EasyOn.SideBand\CurVer]
"(Default)" = "EasyOn.SideBand.1"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}]
"(Default)" = "EasyOnHelper"
The Dropped deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum]
The process regsvr32.exe:1648 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCR\EasyOn.SideBand\CLSID]
"(Default)" = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"
[HKCR\EasyOn.BandHelper\CLSID]
"(Default)" = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID]
"(Default)" = "EasyOn.BandHelper.1"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32]
"(Default)" = "%Program Files%\EasyOn\EasyOn.dll"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID]
"(Default)" = "EasyOn.BandHelper"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID]
"(Default)" = "EasyOn.SideBand.1"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib]
"(Default)" = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"
[HKCR\EasyOn.BandHelper]
"(Default)" = "BandHelper Class"
[HKCR\EasyOn.BandHelper.1\CLSID]
"(Default)" = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID]
"(Default)" = "EasyOn.SideBand"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}]
"(Default)" = "EasyOn"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib]
"(Default)" = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"
[HKCR\EasyOn.SideBand]
"(Default)" = "SideBand Class"
[HKCR\EasyOn.SideBand.1]
"(Default)" = "SideBand Class"
[HKCR\EasyOn.BandHelper.1]
"(Default)" = "BandHelper Class"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 9F 9A CF 97 42 87 50 F4 77 CA C2 B3 10 49 7B"
[HKCR\EasyOn.SideBand.1\CLSID]
"(Default)" = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32]
"(Default)" = "%Program Files%\EasyOn\EasyOn.dll"
[HKCR\EasyOn.BandHelper\CurVer]
"(Default)" = "EasyOn.BandHelper.1"
[HKCR\EasyOn.SideBand\CurVer]
"(Default)" = "EasyOn.SideBand.1"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}]
"(Default)" = "EasyOnHelper"
The Dropped deletes the following registry key(s):
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CE681DC-1190-40EF-85A9-ADE47098CF51}]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\Programmable]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories\{00021493-0000-0000-C000-000000000046}]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Programmable]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32]
The process regsvr32.exe:184 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCR\EasyOn.SideBand\CLSID]
"(Default)" = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"
[HKCR\EasyOn.BandHelper\CLSID]
"(Default)" = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID]
"(Default)" = "EasyOn.BandHelper.1"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32]
"(Default)" = "%Program Files%\EasyOn\EasyOn.dll"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"TabProcGrowth" = "0"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID]
"(Default)" = "EasyOn.BandHelper"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID]
"(Default)" = "EasyOn.SideBand.1"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib]
"(Default)" = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"TabProcGrowth" = "0"
[HKCR\EasyOn.BandHelper]
"(Default)" = "BandHelper Class"
[HKCR\EasyOn.BandHelper.1\CLSID]
"(Default)" = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID]
"(Default)" = "EasyOn.SideBand"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}]
"(Default)" = "EasyOn"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib]
"(Default)" = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"
[HKCR\EasyOn.SideBand]
"(Default)" = "SideBand Class"
[HKCR\EasyOn.SideBand.1]
"(Default)" = "SideBand Class"
[HKCR\EasyOn.BandHelper.1]
"(Default)" = "BandHelper Class"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 8E 38 89 11 90 8A FF 5C 90 6A 7F 5C 41 93 6D"
[HKCR\EasyOn.SideBand.1\CLSID]
"(Default)" = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32]
"(Default)" = "%Program Files%\EasyOn\EasyOn.dll"
[HKCR\EasyOn.BandHelper\CurVer]
"(Default)" = "EasyOn.BandHelper.1"
[HKCR\EasyOn.SideBand\CurVer]
"(Default)" = "EasyOn.SideBand.1"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}]
"(Default)" = "EasyOnHelper"
The Dropped deletes the following registry key(s):
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CE681DC-1190-40EF-85A9-ADE47098CF51}]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\Programmable]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories\{00021493-0000-0000-C000-000000000046}]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Programmable]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32]
The process regsvr32.exe:1404 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCR\EasyOn.SideBand\CLSID]
"(Default)" = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"
[HKCR\EasyOn.BandHelper\CLSID]
"(Default)" = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID]
"(Default)" = "EasyOn.BandHelper.1"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32]
"(Default)" = "%Program Files%\EasyOn\EasyOn.dll"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"TabProcGrowth" = "0"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID]
"(Default)" = "EasyOn.BandHelper"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID]
"(Default)" = "EasyOn.SideBand.1"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib]
"(Default)" = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"TabProcGrowth" = "0"
[HKCR\EasyOn.BandHelper]
"(Default)" = "BandHelper Class"
[HKCR\EasyOn.BandHelper.1\CLSID]
"(Default)" = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID]
"(Default)" = "EasyOn.SideBand"
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}]
"(Default)" = "EasyOn"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib]
"(Default)" = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"
[HKCR\EasyOn.SideBand]
"(Default)" = "SideBand Class"
[HKCR\EasyOn.SideBand.1]
"(Default)" = "SideBand Class"
[HKCR\EasyOn.BandHelper.1]
"(Default)" = "BandHelper Class"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C CA D7 63 9F 38 ED 9F 6C 7A CF CD D3 39 65 82"
[HKCR\EasyOn.SideBand.1\CLSID]
"(Default)" = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32]
"(Default)" = "%Program Files%\EasyOn\EasyOn.dll"
[HKCR\EasyOn.BandHelper\CurVer]
"(Default)" = "EasyOn.BandHelper.1"
[HKCR\EasyOn.SideBand\CurVer]
"(Default)" = "EasyOn.SideBand.1"
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}]
"(Default)" = "EasyOnHelper"
The Dropped deletes the following registry key(s):
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CE681DC-1190-40EF-85A9-ADE47098CF51}]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\Programmable]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories\{00021493-0000-0000-C000-000000000046}]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Programmable]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32]
The process EasyOn.exe:372 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\EasyOn]
"SP" = "20150311070419"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 5B C2 09 8C 73 9B 77 FC 5A A5 29 B4 03 58 30"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Dropped modifies IE security zone settings to map all local web nodes with no dots that do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Dropped modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyOn" = "%Program Files%\EasyOn\EasyOn.exe"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process EasyOn.exe:1036 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\EasyOn]
"SP" = "20150311070409"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 8D A9 12 B6 D0 E8 FC 92 ED 74 28 7F 89 23 A2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Dropped modifies IE security zone settings to map all local web nodes with no dots that do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Dropped modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyOn" = "%Program Files%\EasyOn\EasyOn.exe"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:312 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 82 8E BE 05 26 89 7F 59 E6 14 90 47 16 AB 95"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EasyOn]
"NoModify" = "1"
[HKCU\Software\EasyOn]
"ID" = "EO19"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EasyOn]
"UninstallString" = "%Program Files%\EasyOn\Uninstall.exe"
"DisplayName" = "EasyOn"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\EasyOn]
"Version" = "1.0.0.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EasyOn]
"NoRepair" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\EasyOn]
"EasyOn.exe" = "EasyOn"
The Dropped modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped modifies IE security zone settings to map all local web nodes with no dots that do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Dropped modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process EOU1008.exe:1316 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 31 4F 1D AE C0 B1 74 30 FC 97 0A C7 61 98 75"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EasyOn]
"NoModify" = "1"
[HKCU\Software\EasyOn]
"Version" = "1.0.0.8"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EasyOn]
"UninstallString" = "%Program Files%\EasyOn\Uninstall.exe"
"DisplayName" = "EasyOn"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EasyOn]
"NoRepair" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Dropped modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped modifies IE security zone settings to map all local web nodes with no dots that do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Dropped modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Dropped PE files
| MD5 | File path |
|---|---|
| 4183f9464080d3aa793fcabcf275430c | c:\Program Files\EasyOn\EasyOn.dll |
| 50745c4bd9ee3ab2897d1ea4d509c804 | c:\Program Files\EasyOn\EasyOn.exe |
| 655e3f72ffe68b32fd814ab424f76ce7 | c:\Program Files\EasyOn\Uninstall.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
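The registry changes this report lists come down to two things an analyst cares about: the Local intranet ZoneMap options above, and the HKLM Run value that the manual removal steps below reference (the EasyOn.exe string dump also contains "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"). The following script is an added example, not code from the Lavasoft report or from EasyOn: it parses the report's own "[key]" / "name" = "value" listing format (the sample is copied from this page) and returns persistence, zone-option and uninstall-entry findings, with the XP-default caveat applied in code.

```python
"""Triage the registry changes a Lavasoft-style report lists.

Added example, not part of the report or of EasyOn. It parses the
report's "[key]" / "name" = "value" listing; REPORT_LISTING is copied
from this report.
"""
import re

REPORT_LISTING = r'''
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyOn" = "%Program Files%\EasyOn\EasyOn.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EasyOn]
"UninstallString" = "%Program Files%\EasyOn\Uninstall.exe"
"DisplayName" = "EasyOn"
"NoModify" = "1"
[HKCU\Software\EasyOn]
"Version" = "1.0.0.8"
'''

# Meaning of the three Local intranet zone options (data "1" = enabled).
# They are also the Windows XP defaults for that zone, so a write of "1"
# is not by itself a downgrade; compare with a clean baseline of the OS.
ZONEMAP_OPTIONS = {
    "IntranetName": "include local (intranet) sites not listed in other zones",
    "UNCAsIntranet": "include all network paths (UNCs)",
    "ProxyBypass": "include all sites that bypass the proxy server",
}
ZONEMAP_KEY = r"\Internet Settings\ZoneMap"
AUTORUN_KEYS = (r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.*?)"\s*=\s*"(.*)"$')


def parse_listing(text):
    """Return {key_path: {value_name: data}} from the report's listing format."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            reg[current][m.group(1)] = m.group(2)
    return reg


def find_autoruns(reg):
    """Every value under a Run/RunOnce key is a logon persistence entry."""
    hits = []
    for key, values in reg.items():
        if key.endswith(AUTORUN_KEYS):
            for name, data in values.items():
                hits.append((key, name, data))
    return hits


def zonemap_changes(reg):
    """Enabled Local intranet options with their meaning; other values are ignored."""
    out = {}
    for key, values in reg.items():
        if not key.endswith(ZONEMAP_KEY):
            continue
        for name, meaning in ZONEMAP_OPTIONS.items():
            if values.get(name) == "1":
                out[name] = meaning
    return out


def triage(text):
    """Human-readable findings, persistence first."""
    reg = parse_listing(text)
    findings = [f"persistence: {k}\\{n} -> {d}" for k, n, d in find_autoruns(reg)]
    findings += [f"ie-zone: {n} enabled ({m}; XP default, verify against baseline)"
                 for n, m in zonemap_changes(reg).items()]
    # NoModify=1 hides the Change button in Add/Remove Programs for the entry.
    for key, values in reg.items():
        if "\\Uninstall\\" in key and values.get("NoModify") == "1":
            findings.append(f"uninstall: {values.get('DisplayName', key)} marked NoModify")
    return findings


if __name__ == "__main__":
    for finding in triage(REPORT_LISTING):
        print(finding)
```

The Run value is the one entry that survives a reboot; the uninstall entry and HKCU\Software\EasyOn are inventory, not persistence, which is why `triage` orders them that way.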
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:540
regsvr32.exe:1648
regsvr32.exe:184
regsvr32.exe:1404
EasyOn.exe:372
EasyOn.exe:1036
%original file name%.exe:312
EOU1008.exe:1316
- Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
%Program Files%\EasyOn\ex.dat (238 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EOU1008.exe (20594 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\NSISdl.dll (14 bytes)
%Program Files%\EasyOn\EasyOn.dll (4383 bytes)
%Program Files%\EasyOn\Uninstall.exe (2757 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\IpConfig.dll (3322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\UAC.dll (13 bytes)
%Program Files%\EasyOn\EasyOn.exe (1568 bytes)
%Program Files%\EasyOn\1 (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\SelfDel.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\updat.xxx (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\UAC.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\nsProcess.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\IpConfig.dll (3322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\fct.dll (4 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyOn" = "%Program Files%\EasyOn\EasyOn.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name: NBIZ Corp.
Product Name: EasyOn
Product Version:
Legal Copyright: (c) NBIZ. All rights reserved.
Legal Trademarks:
Original Filename:
Internal Name: EasyOn
File Version: 1.0.0.1
File Description: EasyOn
Comments:
Language: Korean (Korea)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 73728 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 266240 | 5912 | 6144 | 2.99293 | 387a5290a8bcb75f809f379be7531410 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 21
2fb03f46371a9d50f12ce4a713e1eef8
b6b230332f147071b6116be5ef7f0426
7147dce4ef17a9e847811c0a5359e607
8fac142b7d549d4f7f8bb58523c74944
9a9ef113d9596e4081230ebf358a9896
5a805cc408b6fe92d450775f62ea9118
4671f67c8d5b17f8eef4e24bd8516dcb
e4611e132d1c1820be6dc1c4fa3e8e60
ae465e28d9ee01453e4af72a5f6a0bf1
feb9f0c7a06e4bdd9bb121248d96ea39
4060050e71b3f39f81411f8ddb3c4577
43893a33894afb320b7165572517cf90
c742fd59e9c48bc8b9d9f34a84990d3c
9fdccf65054b7b877a82bebda6d78295
2066d86f3fe719b8da77bacf6ac0a7c9
5e216e3949ade0bea4a7529bd03ede66
1965305980904d89329bfd725b40fba4
e862437ae5a36e21693be73d9081ed0c
6f1f6222f4e6871ab2a7aedf6577b8a6
bef4113a159e78b013d624cba2d05de2
e46ab07970386574cb630b60bc6ee9f1
Network Activity
URLs
URL | IP |
---|---|
hxxp://easyon.sideon.co.kr/update/EO19/EasyOn.ini | 211.206.126.175 |
hxxp://easyon.sideon.co.kr/update/EO19/EOU1008.exe | 211.206.126.175 |
hxxp://easyon.sideon.co.kr/install.asp?version=1.0.0.1&id=EO19&mac=000C298E22D8 | 211.206.126.175 |
hxxp://easyon.sideon.co.kr/setting.dat | 211.206.126.175 |
hxxp://easyon.sideon.co.kr/update.asp?version=1.0.0.8&id=EO19&mac=000C298E22D8&oldversion=1.0.0.1 | 211.206.126.175 |
hxxp://easyon.sideon.co.kr/ex.dat | 211.206.126.175 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /update/EO19/EasyOn.ini HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)
Host: easyon.sideon.co.kr
HTTP/1.1 200 OK
Date: Wed, 11 Mar 2015 05:03:49 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 26 Apr 2012 13:03:54 GMT
ETag: "11204ab-5d-4be949eb5e280"
Accept-Ranges: bytes
Content-Length: 93
Connection: close
Content-Type: text/plain; charset=UTF-8
[version]..version=1.0.0.8..[Files]..file0=hXXp://easyon.sideon.co.kr/update/EO19/EOU1008.exe..
GET /update/EO19/EasyOn.ini HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)
Host: easyon.sideon.co.kr
HTTP/1.1 200 OK
Date: Wed, 11 Mar 2015 05:03:56 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 26 Apr 2012 13:03:54 GMT
ETag: "11204ab-5d-4be949eb5e280"
Accept-Ranges: bytes
Content-Length: 93
Connection: close
Content-Type: text/plain; charset=UTF-8
[version]..version=1.0.0.8..[Files]..file0=hXXp://easyon.sideon.co.kr/update/EO19/EOU1008.exe..
GET /update/EO19/EOU1008.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)
Host: easyon.sideon.co.kr
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 11 Mar 2015 05:03:49 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 26 Apr 2012 13:03:54 GMT
ETag: "11204aa-3e658-4be949eb5e280"
Accept-Ranges: bytes
Content-Length: 255576
Connection: close
Content-Type: application/octet-stream
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................P... .......(.......0....@..........................P.......".......................................@.......0..................`...........................................................................................UPX0....................................UPX1.....P.......J..................@....rsrc.... ...0.......N..............@......................................................................................................................................................................................................................................................................................................................................................................................................................3.00.UPX!......U..........H......&..-....U....\.}..t .F.E.u..H....h.B..l...H.P.u......Hr@.....uS..}.V.5p..E.WP.L.e...l.1E....P.}.........Dp;....FR.VV..Uu...... M......M....3....Qs.....NU......1....T...PE.3....v.......s.PB..pw.]..E...P...T....7.......9}q.w...B.s.~X.te.v4.5..3t.m....j.W.:.......9..*. )XWKp.ls[.X....h .-....Pj.h`..%Xq......w'.\_....^3.[.._.L$...F..Si.......AVW.T.....tO.q.3.;5..sB......i...D.....G........t.BO..t ....u...3.......9...F.1Ar.t[.......QQ.U...i..... ..3...W?.B.Fc.....^.9M.t.$.B..;..D..?...i.|...B.....,....R#...u(.@..E..
<<< skipped >>>
GET /update.asp?version=1.0.0.8&id=EO19&mac=000C298E22D8&oldversion=1.0.0.1 HTTP/1.0
Host: easyon.sideon.co.kr
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Wed, 11 Mar 2015 05:03:56 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 9
Connection: close
Content-Type: text/html; charset=utf-8
complete!..
GET /setting.dat HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)
Host: easyon.sideon.co.kr
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 11 Mar 2015 05:03:53 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 26 Apr 2012 12:38:22 GMT
ETag: "112058d-13e-4be9443656b80"
Accept-Ranges: bytes
Content-Length: 318
Connection: close
Content-Type: text/plain; charset=UTF-8
[setting]..set0=5A43A6E5A9DDD32900316A1D6D8EE7D0D50C114AF4E03F306C26776D62248018900F992D25EB88D1F9B40F3563180937..set1=E3BAFBF650EB2ECF8FE223E9981178B1F4C4EE102F565EC84BC407FBD6B3B4984D9200815DB9217499566769232B4FB9..set2=E78CCA004B4F3FF607BB331B628DF4FF490EAF98DD947606DDDD713B7687DBDC78CF9DC4A5CEF1690D09ABC0ABDFA5B6..
GET /install.asp?version=1.0.0.1&id=EO19&mac=000C298E22D8 HTTP/1.0
Host: easyon.sideon.co.kr
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Wed, 11 Mar 2015 05:03:50 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 9
Connection: close
Content-Type: text/html; charset=utf-8
complete!..
GET /ex.dat HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)
Host: easyon.sideon.co.kr
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 11 Mar 2015 05:03:57 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 04 Oct 2012 09:16:15 GMT
ETag: "1120589-ee-4cb38350575c0"
Accept-Ranges: bytes
Content-Length: 238
Connection: close
Content-Type: text/plain; charset=UTF-8
B1584543850A5F6B7F8CE0FB2577E6FD..E4D90776B409CD8359C7AAF0B7965121..C5EDD7FF8202CC81256298E8D66C8BA4..4FBB6A271BB4594BC492B6CFFE96FEB5..7D768105F5AE46ABE8DFCB3DA1AB157F..5D7BB244B5D9D3D1EE8EB835ED1A57A0..54848EC75447EF28805015957DFEBDC5....
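The capture above is a complete update round trip: the client fetches EasyOn.ini, reads version=1.0.0.8 and the file0 URL from it, downloads EOU1008.exe (the response body starts with an MZ header whose section names UPX0/UPX1 mark it as UPX-packed), then reports version, id and the machine's MAC address to install.asp and update.asp. The "NSISDL/1.2 (Mozilla)" User-Agent on those two requests is the NSIS download plugin, which matches the NSISdl.dll dropped under Temp. The script below is an added example, not code from the report or from EasyOn: it parses the manifest, beacon query strings and ex.dat exactly as the report renders them (defanged "hxxp", CR/LF shown as ".."), audits what the client trusts without verification, and runs a detector over proxy log lines constructed in a simple "client method url "user-agent"" shape.

```python
"""Parse and audit the EasyOn update/beacon traffic captured in the report.

Added example, not part of the Lavasoft report or of the EasyOn software.
MANIFEST and EX_DAT are copied from the Traffic section as printed there
('hxxp' is the report's defanged 'http'; '..' is how it renders CR/LF).
LOG_LINES are constructed for the detector.
"""
import re
from urllib.parse import urlsplit, parse_qsl

MANIFEST = ("[version]..version=1.0.0.8..[Files].."
            "file0=hXXp://easyon.sideon.co.kr/update/EO19/EOU1008.exe..")

# GET /ex.dat body (238 bytes): seven 32-hex-digit tokens; their meaning is not documented.
EX_DAT = ("B1584543850A5F6B7F8CE0FB2577E6FD..E4D90776B409CD8359C7AAF0B7965121.."
          "C5EDD7FF8202CC81256298E8D66C8BA4..4FBB6A271BB4594BC492B6CFFE96FEB5.."
          "7D768105F5AE46ABE8DFCB3DA1AB157F..5D7BB244B5D9D3D1EE8EB835ED1A57A0.."
          "54848EC75447EF28805015957DFEBDC5....")

# Constructed proxy log lines: <client> <method> <url> "<user-agent>"
LOG_LINES = [
    '10.0.0.5 GET http://easyon.sideon.co.kr/install.asp?version=1.0.0.1&id=EO19&mac=000C298E22D8 "NSISDL/1.2 (Mozilla)"',
    '10.0.0.5 GET http://easyon.sideon.co.kr/update/EO19/EasyOn.ini "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"',
    '10.0.0.7 GET http://example.com/index.html "Mozilla/5.0"',
]
LOG_RE = re.compile(r'^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
UPDATE_HOST = "easyon.sideon.co.kr"


def refang(s):
    return re.sub(r"h[xX]{2}p://", "http://", s)


def undot(s):
    """Assumption: every '..' in the report's body dump is one CR/LF pair."""
    return s.replace("..", "\r\n")


def parse_beacon(url):
    """install.asp / update.asp query: version, id, mac (12 hex digits = NIC MAC)."""
    u = urlsplit(refang(url))
    params = dict(parse_qsl(u.query))
    return {
        "host": u.hostname,
        "endpoint": u.path,
        "params": params,
        "leaks_mac": re.fullmatch(r"[0-9A-Fa-f]{12}", params.get("mac", "")) is not None,
    }


def parse_manifest(text):
    """EasyOn.ini: [version] version=X and [Files] fileN=URL; other [Files] keys are kept."""
    section, out = None, {"version": None, "files": [], "other_keys": []}
    for line in undot(text).splitlines():
        line = line.strip()
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        if section == "version" and key == "version":
            out["version"] = value
        elif section == "files":
            if re.fullmatch(r"file\d+", key):
                out["files"].append(refang(value))
            else:
                out["other_keys"].append(key)
    return out


def audit_manifest(manifest):
    """What the updater trusts blindly: transport, payload type, integrity."""
    findings = []
    for url in manifest["files"]:
        u = urlsplit(url)
        if u.scheme != "https":
            findings.append(f"{u.path}: fetched over {u.scheme}, no transport integrity")
        if u.path.lower().endswith((".exe", ".dll")):
            findings.append(f"{u.path}: executable payload named by the manifest")
    if manifest["files"] and not any(re.search(r"hash|md5|sha|sig", k, re.I)
                                     for k in manifest["other_keys"]):
        findings.append("manifest carries no per-file hash or signature")
    return findings


def parse_ex_dat(text):
    """One token per line; keeps only well-formed 32-hex-digit tokens."""
    return [t for t in undot(text).split() if re.fullmatch(r"[0-9A-F]{32}", t)]


def detect_easyon(lines):
    """Flag log lines by NSISdl user-agent, the known update host, or a MAC-bearing beacon."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        u = urlsplit(m["url"])
        reasons = []
        if m["ua"].startswith("NSISDL/"):
            reasons.append("NSISdl plugin user-agent")
        if u.hostname == UPDATE_HOST:
            reasons.append("known EasyOn update host")
        if u.path.endswith(".asp") and "mac=" in u.query:
            reasons.append("MAC address in beacon query")
        if reasons:
            hits.append((m["client"], m["url"], reasons))
    return hits
```

The audit is the point: an updater that takes an executable URL from a plaintext INI with no hash or signature can be redirected by anyone on the path, and the MAC in the beacon query is a stable machine identifier sent in the clear. The NSISDL user-agent is generic to any NSIS installer that uses the plugin, so on its own it is a weak signal; the detector therefore reports every reason it matched rather than a single verdict.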
Map
The Dropped connects to the servers at the following location(s):
Strings from Dumps
EasyOn.exe_372:
.text
`.rdata
@.data
.rsrc
SSSShPa@
MFC42.DLL
MSVCRT.dll
_acmdln
WinExec
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyA
RegOpenKeyA
ADVAPI32.dll
SHELL32.dll
ole32.dll
InternetCanonicalizeUrlA
HttpQueryInfoA
InternetOpenUrlA
WININET.dll
%Y%m%d%H%M%S
hXXp://easyon.sideon.co.kr/ex.dat
ex.dat
EasyOn.ini
hXXp://easyon.sideon.co.kr/update/
EasyOn.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
regsvr32 /s "%s"
WinInet.dll
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)
1, 0, 0, 8
EasyOn.EXE