Trojan.NSIS.StartPage.FD, SearchProtectToolbar_pcap.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: c59998d96f94ef1b5920605694475614
SHA1: 2070cfc7f88a7e515714246abade9f3e12bbf3e3
SHA256: 5f9144c4fcec224eb26161bec6ccf26514a182da3bd83c450874a951aea850d8
SSDeep: 12288:bxpJfslZtuaVd9lpmhwQbift489IVGD4xJFl6Xqb5Kbmkg8Sz:1p9sVuaVdvgVbmgGDijyikg5z
Size: 842992 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-07-15 19:29:31
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:764
%original file name%.exe:1484
The Trojan injects its code into the following process(es):
%original file name%.exe:676
Mutexes
The following mutexes were created/opened:
ShimCacheMutex
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
File activity
The process %original file name%.exe:676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\url.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\res\knockout.js (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket\url.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\wininet_h.lua (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\DALogo.jpg (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\progress.css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\mod.css (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\developer_btn.gif (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\install_now_btn.gif (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\json.lua (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\compat.lua (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaXml_lib.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\UACInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\bit.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\FloatingProgress.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\offer_filters.lua (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\back.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\cancel.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\notifyicon.lua (302 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\luaxml.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\minimise.gif (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\callbackproxy.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\DALogo2.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\offers.css (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\options.json (121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\api_substitution.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\nsis7z.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\survey_environment.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\ffi.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\acceptGreen2x.gif (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\wintypes.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\ltn12.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\close.gif (510 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\next.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaBridge.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\net_utils.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\step_off.gif (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket\tp.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\headerBG.gif (366 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\offer_stats.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\decline.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\luacom.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\un.package.exe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\ftp.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\lua51.dll (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\System.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\win32_constants.lua (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\nsisunz.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\DownloadThread.lua (579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\stepBG.gif (946 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\icon_folder.gif (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket\http.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\eagerinstall.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\conditional_engine.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\defs.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\data_injection.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin.zip (11948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\io.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\bundleinstall.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\browserutils.dll (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\cancel.css (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\service_registry.lua (462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\uninstall.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\res\jquery.js (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\vm_details.lua (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\socket\core.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\uistate.lua (310 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket\smtp.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\versioninfo.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\utils.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\ok.gif (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\res\common.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\truste.gif (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\scheduler.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\mime\core.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\mime.lua (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Administrative Tools\desktop.ini (62 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\processfreefile.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\IntegratedOffer.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB9.tmp (48761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\.DS_Store (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\downloads.lua (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\GuiInit.lua (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\index.html (10225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\step_on.gif (142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\packaged_app.lua (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket\ftp.lua (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\core.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\async_tracking.lua (799 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\Events.lua (912 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\env.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\bg4.gif (1417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\DownloadList.lua (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\BrowserControl.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\__web.xml (129187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\decline_offer_btn.gif (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\ltn12.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\AdvancedTests.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\skip_all_offers_btn.gif (337 bytes)
%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\definitions.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\data_stores.lua (703 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\http.lua (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\extension.tlb (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\win32_pipeserver.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\res\common.js (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\sandbox.lua (8 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nstB8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp (0 bytes)
The process %original file name%.exe:764 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB3.tmp (6522 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB4.tmp\LuaBridge.dll (1856 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nswB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB4.tmp (0 bytes)
The process %original file name%.exe:1484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nscB6.tmp (6522 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB7.tmp\LuaBridge.dll (1856 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB7.tmp\LuaBridge.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB7.tmp (0 bytes)
Registry activity
The process %original file name%.exe:676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B DF 41 76 19 B2 0B D5 93 E2 BD 42 D2 EE 46 E3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shell32.dll,-21762" = "Administrative Tools"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 EF 71 32 27 E5 3B 8E 4B B6 7C FA 91 12 51 D3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:1484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 0E 61 94 77 6E 70 9D 7E 7D A6 12 38 80 77 1F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nshB7.tmp\LuaBridge.dll,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
| MD5 | File path |
|---|---|
| 0f26c6d34d3841e93145dd00d0175651 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\FloatingProgress.dll |
| a990de9edf0145ca5b01761978f49432 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\LuaBridge.dll |
| 4a4845ba1666907f708c9c10a31ec227 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\LuaSocket\mime\core.dll |
| 4bf7db111acfa7c28ad36606107b3322 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\LuaSocket\socket\core.dll |
| 7292b642bd958aeb7fd7cfd19e45b068 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\LuaXml_lib.dll |
| 7e3c808299aa2c405dffa864471ddb7f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\System.dll |
| d02a497be5f89c44827f142c4662f591 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\UACInfo.dll |
| 0a29e1b270ccea61aba7d7cdd10e0388 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\bit.dll |
| dd8a05024e825f75d3d151ea84bf414e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\browserutils.dll |
| e390287499549de31da007f7f0ae4d10 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\ffi.dll |
| fceee0026aafd237afdb4aea4ecd3557 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\lua51.dll |
| b991f57d815ca821cdb42d2792db366f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\luacom.dll |
| 692479f7c07a64a6a632148e382f0e22 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\nsis7z.dll |
| 5f13dbc378792f23e598079fc1e4422b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\nsisunz.dll |
| 5694e7daf20c47c8d5e73d4a838c2ee6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\un.package.exe |
| ebc5bb904cdac1c67ada3fa733229966 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\versioninfo.dll |
| e626f4baffc82488c1efd873c250fb09 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\win32_pipeserver.dll |
| a990de9edf0145ca5b01761978f49432 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nshB7.tmp\LuaBridge.dll |
| a990de9edf0145ca5b01761978f49432 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsrB4.tmp\LuaBridge.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:764
%original file name%.exe:1484
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\url.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\res\knockout.js (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket\url.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\wininet_h.lua (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\DALogo.jpg (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\progress.css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\mod.css (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\developer_btn.gif (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\install_now_btn.gif (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\json.lua (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\compat.lua (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaXml_lib.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\UACInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\bit.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\FloatingProgress.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\offer_filters.lua (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\back.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\cancel.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\notifyicon.lua (302 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\luaxml.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\minimise.gif (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\callbackproxy.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\DALogo2.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\offers.css (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\options.json (121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\api_substitution.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\nsis7z.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\survey_environment.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\ffi.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\acceptGreen2x.gif (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\wintypes.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\ltn12.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\close.gif (510 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\next.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaBridge.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\net_utils.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\step_off.gif (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket\tp.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\headerBG.gif (366 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\offer_stats.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\decline.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\luacom.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\un.package.exe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\ftp.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\lua51.dll (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\System.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\win32_constants.lua (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\nsisunz.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\DownloadThread.lua (579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\stepBG.gif (946 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\icon_folder.gif (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket\http.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\eagerinstall.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\conditional_engine.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\defs.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\data_injection.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin.zip (11948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\io.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\bundleinstall.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\browserutils.dll (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\cancel.css (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\service_registry.lua (462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\uninstall.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\res\jquery.js (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\vm_details.lua (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\socket\core.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\uistate.lua (310 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket\smtp.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\versioninfo.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\utils.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\ok.gif (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\res\common.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\truste.gif (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\scheduler.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\mime\core.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\mime.lua (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Administrative Tools\desktop.ini (62 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\processfreefile.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\IntegratedOffer.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB9.tmp (48761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\.DS_Store (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\downloads.lua (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\GuiInit.lua (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\index.html (10225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\step_on.gif (142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\packaged_app.lua (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket\ftp.lua (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\core.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\async_tracking.lua (799 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\Events.lua (912 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\env.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\bg4.gif (1417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\DownloadList.lua (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\BrowserControl.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\__web.xml (129187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\decline_offer_btn.gif (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\ltn12.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\AdvancedTests.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\skip_all_offers_btn.gif (337 bytes)
%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\definitions.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\data_stores.lua (703 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\http.lua (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\extension.tlb (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\win32_pipeserver.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\res\common.js (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\sandbox.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB3.tmp (6522 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB4.tmp\LuaBridge.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB6.tmp (6522 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB7.tmp\LuaBridge.dll (1856 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
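The file activity above is the footprint of an NSIS stub extracting into a random ns????.tmp folder under %Temp% and, on top of the usual NSIS plugin DLLs, dropping a complete Lua runtime (LuaBridge.dll, LuaSocket, a few dozen *.lua scripts, __web.xml) that drives the download of the bundled offers. A reboot does not remove those folders, so a responder can still find them afterwards. The script below is an added example, not code from the report or from the bundler: it walks a Temp directory, matches the NSIS folder naming pattern, and scores each folder by the file names listed in the report. build_sample_tree() creates a constructed Temp tree for the demo; the indicator names and the nsdBA.tmp / nsrB4.tmp folder names are taken from the report.

```python
import os
import re
import tempfile

# NSIS names its scratch folder "ns" + a few random alphanumerics + ".tmp"
# (the report shows nsdBA.tmp, nsrB4.tmp, nshB7.tmp).
NSIS_TMP_DIR = re.compile(r"^ns[a-z0-9]{3,4}\.tmp$", re.IGNORECASE)

# Files the report shows being written under nsdBA.tmp. A plain NSIS
# installer drops none of these; they belong to the Lua-driven bundler.
STRONG = {"LuaBridge.dll", "win32_pipeserver.dll", "browserutils.dll"}
WEAK = {"versioninfo.dll", "bundleinstall.lua", "IntegratedOffer.lua",
        "GuiInit.lua", "downloads.lua", "__web.xml"}


def scan_nsis_dir(path):
    """Return the set of indicator names found anywhere below one ns*.tmp folder."""
    found = set()
    lua_count = 0
    for _root, _dirs, files in os.walk(path):
        for name in files:
            if name in STRONG or name in WEAK:
                found.add(name)
            if name.lower().endswith(".lua"):
                lua_count += 1
    if lua_count:
        found.add("%d .lua scripts" % lua_count)
    return found


def find_nsis_drops(temp_root, min_weak=2):
    """List ns*.tmp folders under temp_root that carry the bundler footprint.

    A single strong indicator (e.g. the lone nsrB4.tmp\\LuaBridge.dll in the
    report) is enough; otherwise require min_weak distinct indicators.
    """
    hits = []
    for name in sorted(os.listdir(temp_root)):
        full = os.path.join(temp_root, name)
        if not (os.path.isdir(full) and NSIS_TMP_DIR.match(name)):
            continue
        found = scan_nsis_dir(full)
        if found & STRONG or len(found) >= min_weak:
            hits.append({"dir": full, "indicators": sorted(found)})
    return hits


def build_sample_tree():
    """Constructed Temp tree (demo data, not a real host): two bundler drops,
    one ordinary NSIS plugin folder and one folder with the wrong name."""
    root = tempfile.mkdtemp(prefix="temp_triage_")

    def touch(*parts):
        p = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(b"x")

    touch("nsdBA.tmp", "LuaBridge.dll")
    touch("nsdBA.tmp", "bundleinstall.lua")
    touch("nsdBA.tmp", "IntegratedOffer.lua")
    touch("nsdBA.tmp", "LuaSocket", "socket", "core.dll")
    touch("nsdBA.tmp", "__web.xml")
    touch("nsrB4.tmp", "LuaBridge.dll")   # single-file drop, as in the report
    touch("nsq12.tmp", "System.dll")      # plain NSIS plugin folder, no Lua
    touch("notnsis", "LuaBridge.dll")     # right file, wrong folder name
    return root


if __name__ == "__main__":
    # On a live host pass os.environ["TEMP"] instead of the sample tree.
    for hit in find_nsis_drops(build_sample_tree()):
        print(hit["dir"], "->", ", ".join(hit["indicators"]))
```

On a live system call find_nsis_drops(os.environ["TEMP"]) (on XP that resolves to Local Settings\Temp for the current user); the folder names are random per run, so match on the pattern and contents rather than on nsdBA.tmp itself.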
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23306 | 23552 | 4.47645 | 325c988d9f77e7ce27fe1fa6f6fd93f7 |
.rdata | 28672 | 5397 | 5632 | 3.61721 | 64bdba47e612466214b378a9e0d4057c |
.data | 36864 | 109756 | 512 | 0.972488 | c11d691b44d2912a53e6b566fedf2406 |
.ndata | 147456 | 147456 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 294912 | 191960 | 192000 | 2.99591 | 27689cb0ad69a7df7e0617c8c171883d |
.reloc | 487424 | 2682 | 3072 | 0 | d2a70550489de356a2cd6bfc40711204 |
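The section table is enough on its own to tell an NSIS installer from a packed executable: the .ndata section has a raw size of 0 and a 147456-byte virtual size (the stub's scratch area, hence the MD5 of the empty string), .data is almost entirely zero-filled on disk, and the raw sizes add up to far less than the 842992-byte file, because NSIS stores the compressed script and payload as an overlay after the last section rather than inside one. The script below is an added example, not code from the report: it computes the Entropy column the way the table does (Shannon entropy in bits per byte), applies those checks to the table above, and estimates the overlay size. The 1024-byte header size is an assumption; the report does not list raw file offsets.

```python
import math
from collections import Counter

# Section table transcribed from the report (virtual/raw sizes in bytes).
REPORT_SECTIONS = [
    {"name": ".text",  "vaddr": 4096,   "vsize": 23306,  "rawsize": 23552,  "entropy": 4.47645},
    {"name": ".rdata", "vaddr": 28672,  "vsize": 5397,   "rawsize": 5632,   "entropy": 3.61721},
    {"name": ".data",  "vaddr": 36864,  "vsize": 109756, "rawsize": 512,    "entropy": 0.972488},
    {"name": ".ndata", "vaddr": 147456, "vsize": 147456, "rawsize": 0,      "entropy": 0.0},
    {"name": ".rsrc",  "vaddr": 294912, "vsize": 191960, "rawsize": 192000, "entropy": 2.99591},
    {"name": ".reloc", "vaddr": 487424, "vsize": 2682,   "rawsize": 3072,   "entropy": 0.0},
]
FILE_SIZE = 842992  # from the report summary


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0 .. 8.0; this is what the table's Entropy column measures."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_sections(sections):
    """Return (section name, finding) pairs for the layout checks described above."""
    findings = []
    for s in sections:
        name, vsize, raw, ent = s["name"], s["vsize"], s["rawsize"], s["entropy"]
        if raw == 0 and vsize > 0:
            findings.append((name, "no raw data, %d virtual bytes: runtime scratch (bss)" % vsize))
        elif raw and vsize > 4 * raw:
            findings.append((name, "virtual size is %dx raw size: filled at runtime" % (vsize // raw)))
        if raw and ent == 0.0:
            findings.append((name, "entropy 0.00 over %d raw bytes: all bytes identical, or value not trustworthy" % raw))
        if ent >= 7.0:
            findings.append((name, "entropy %.2f: compressed or encrypted data" % ent))
    if any(s["name"] == ".ndata" and s["rawsize"] == 0 for s in sections):
        findings.append((".ndata", "NSIS stub layout: expect the real payload in the overlay, not in a section"))
    return findings


def estimate_overlay(sections, file_size, header_bytes=1024):
    """Bytes after the last section's raw data. header_bytes is an assumption
    (DOS stub + PE headers, typically one 512-byte-aligned block or two)."""
    return file_size - header_bytes - sum(s["rawsize"] for s in sections)


if __name__ == "__main__":
    for name, why in triage_sections(REPORT_SECTIONS):
        print("%-7s %s" % (name, why))
    print("estimated overlay: %d bytes of %d" % (estimate_overlay(REPORT_SECTIONS, FILE_SIZE), FILE_SIZE))
    print("entropy of 256 distinct bytes: %.2f" % shannon_entropy(bytes(range(256))))
```

The overlay estimate (about 617 KB of the 843 KB file) is the part worth carving out: for NSIS that is the LZMA-compressed archive that 7-Zip or an NSIS decompiler can unpack, and it is where the Lua scripts listed under File activity come from.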
Dropped from:
Downloaded by:
Similar by SSDeep:
74cf799d2b2e3748ac160be2de866024
Similar by Lavasoft Polymorphic Checker:
Total found: 33
74cf799d2b2e3748ac160be2de866024
30203109b1315fe9bdb6f6b3d5798d86
6cfecdd532e5a02fe6e23f48d26b2980
11f91cced7a56680764f7a11daf76102
cd666b37847371d96e5030674e4b54fd
65d015f5fafcba0c41920aabed9b2504
e24bfc473722f931906fd42c00e8aa9f
381df266f0ba75b5865984d2c9227767
0f15db7911bd0e23737fa09025e36876
24955e348ab54a2cd675b4932b8a579b
68ac5f947e533fbc208fa95233856542
3f42474d2bf31d57e6de1bf54469da50
4563c7fd2ecb119eeacdb345d898ca9d
b4d49afac88e07c9c2df6bae4c478fb2
2433df1ac0d6a7f7f2e7fdb23b20d5e9
81723ceb7e4786ce3708bb92828a9c52
5a2a721f44714b0c8f91bd9e9f38bbfb
4dfacaf752758ee251c553223ba627df
9a3ec0b57e818c09a66b3824a662e403
96f9aafdeb4e3795faef3dc087ec9190
ce366baa1b878a9ee4da37f9f6d0d012
13b269b820db3043f6540f6fcf10ad21
7e54275f20d804e6d35b027c78af6ebe
65aba2777ce3eafb06162d83f1025e81
2cfd0d956fbb9a2e8ac21232f98e6eab
Network Activity
URLs
URL | IP |
---|---|
hxxp://service.downloadadmin.com/install?bc=10090&pid=ZeroPaid&brand=ZeroPaid.com&s=ZeroPaid&c=7Zip_ZeroPaid&country=US&secure=true | 50.22.63.138 |
hxxp://a728.g.akamai.net/skins/da/03042014/DownloadAdmin_Google_DevInfo.zip | |
hxxp://service.downloadadmin.com/env?s=ZeroPaid&c=7Zip_ZeroPaid&brand=ZeroPaid.com&pid=ZeroPaid&bc=10090&country=US | 50.22.63.138 |
hxxp://mirror.mirror-files.com/skins/da/03042014/DownloadAdmin_Google_DevInfo.zip | 184.84.243.207 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /install?bc=10090&pid=ZeroPaid&brand=ZeroPaid.com&s=ZeroPaid&c=7Zip_ZeroPaid&country=US&secure=true HTTP/1.1
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?bc=10090&pid=ZeroPaid&brand=ZeroPaid.com&s=ZeroPaid&c=7Zip_ZeroPaid&country=US&secure=true
X-Exename: %original file name%.exe
X-WebInstallUrl: hXXp://service.downloadadmin.com/install?bc=10090&pid=ZeroPaid&brand=ZeroPaid.com&s=ZeroPaid&c=7Zip_ZeroPaid&country=US&secure=true
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1513890;pid=676)
Host: service.downloadadmin.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 03 Dec 2014 06:56:16 GMT
Age: 0
X-TVAR:
X-Cache: MISS
008000
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Installer>
 <Bundle>
 <BrandingText></BrandingText>
 <BrandingUrl></BrandingUrl>
 <BundleVisibility></BundleVisibility>
 <Category></Category>
 <CustomCss></CustomCss>
 <ComScoreCampaignId></ComScoreCampaignId>
 <ComScorePageBanner></ComScorePageBanner>
 <ComScorePartnerName></ComScorePartnerName>
 <ComScoreQuestionnaire></ComScoreQuestionnaire>
 <CustomParameter Name="VerboseErrors">true</CustomParameter>
 <LinkBelowEula>false</LinkBelowEula>
 <OfflineEula></OfflineEula>
 <OptInDefault>false</OptInDefault>
 <OptInText></OptInText>
 <PlainEula></PlainEula>
 <ProductBanner></ProductBanner>
 <ProductBinary embed="false" msioptions="" options="/S">hXXp://mirror.mirror-files.com/binstallers/BM2/vlc/exe/vlc-2.0.0-win32.exe</ProductBinary>
 <ProductEula comboPrimary="false" embed="false">hXXp://mirror.mirror-files.com/binstallers/BM2/vlc/ipage/vlc-generic-bm25.mht</ProductEula>
 <ProductLogo></ProductLogo>
 <Primary>true</Primary>
 <ProductId>10</ProductId>
 <ProductName>VLC Media Player</ProductName>
 <RegistryK
<<< skipped >>>
POST /install?bc=10090&pid=ZeroPaid&brand=ZeroPaid.com&s=ZeroPaid&c=7Zip_ZeroPaid&country=US&secure=true HTTP/1.1
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?bc=10090&pid=ZeroPaid&brand=ZeroPaid.com&s=ZeroPaid&c=7Zip_ZeroPaid&country=US&secure=true
Content-Type: application/x-www-form-urlencoded
X-WebInstallUrl: hXXp://service.downloadadmin.com/install?bc=10090&pid=ZeroPaid&brand=ZeroPaid.com&s=ZeroPaid&c=7Zip_ZeroPaid&country=US&secure=true
X-Exename: %original file name%.exe
Content-Length: 10
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1513890;pid=676)
Host: service.downloadadmin.com
Connection: Keep-Alive
delta=6469
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 03 Dec 2014 06:56:16 GMT
Age: 0
X-Cache: MISS
0......
GET /env?s=ZeroPaid&c=7Zip_ZeroPaid&brand=ZeroPaid.com&pid=ZeroPaid&bc=10090&country=US HTTP/1.1
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?bc=10090&pid=ZeroPaid&brand=ZeroPaid.com&s=ZeroPaid&c=7Zip_ZeroPaid&country=US&secure=true
X-Exename: %original file name%.exe
X-WebInstallUrl: hXXp://service.downloadadmin.com/install?bc=10090&pid=ZeroPaid&brand=ZeroPaid.com&s=ZeroPaid&c=7Zip_ZeroPaid&country=US&secure=true
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1513890;pid=676)
Host: service.downloadadmin.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 03 Dec 2014 06:56:18 GMT
Age: 0
X-TVAR:
X-Cache: MISS
00884
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Installer><Environment>
<Entry name="over-threshold:iToolBox (US)">true</Entry>
<Entry name="over-threshold:EnhanceWeb (US)">true</Entry>
<Entry name="over-threshold:LookThisUp (US)">true</Entry>
<Entry name="over-threshold:RocketTab (US)">true</Entry>
<Entry name="over-threshold:PicColor (US)">true</Entry>
<Entry name="over-threshold:SystemOptimizerPro (US)">true</Entry>
<Entry name="over-threshold:ShopForYourCause (US)">true</Entry>
<Entry name="over-threshold:Social Theme (US)">true</Entry>
<Entry name="over-threshold:VuuPC (ClickMeIn) (US)">true</Entry>
<Entry name="over-threshold:Yahoo Smartbar (UK)">true</Entry>
<Entry name="over-threshold:Yahoo Smartbar (FR)">true</Entry>
<Entry name="over-threshold:PicRec UK">true</Entry>
<Entry name="over-threshold:VuuPC (ClickMeIn) (GB)">true</Entry>
<Entry name="over-threshold:VBates (CA)">true</Entry>
<Entry name="over-threshold:VuuPC (ClickMeIn) (CA)">true</Entry>
<Entry name="over-threshold:Registry Helper (SafeApp Software) (INTL)">true</Entry>
<Entry name="over-threshold:PC Speed Maximizer (FR) (Avanquest)">true</Entry>
<Entry name="over-threshold:LookThisUp (FR)">true</Entry>
<Entry name="over-threshold:VuuPC (ClickMeIn) (FR)">true</Entry>
<Entry name="over-threshold:Yahoo S
<<< skipped >>>
GET /skins/da/03042014/DownloadAdmin_Google_DevInfo.zip HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1513890;pid=676)
Host: mirror.mirror-files.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "1afaa98075fcb4e70a449fb2c68d2f91:1393974846"
Last-Modified: Tue, 04 Mar 2014 23:14:06 GMT
Accept-Ranges: bytes
Content-Length: 84488
Content-Type: application/zip
Date: Wed, 03 Dec 2014 06:56:18 GMT
Connection: keep-alive
PK... (binary zip body, Content-Length 84488; not reproduced. Local file headers visible in the capture: options.json, skin/.DS_Store, skin/acceptGreen2x.gif)
<<< skipped >>>
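Two things in this exchange are worth extracting programmatically. The User-Agent is a host profile sent with every request (Windows version, whether UAC is on, whether the process is already elevated, .NET version, the installer PID) and a stable string to detect the family on; the sample reported uac=false and elevated=true, which is the state under which bundled offers can install without a prompt. The /install response is an XML manifest listing each <Bundle> the installer will fetch, the binary URL, the silent switch it will be run with (/S) and whether the offer is pre-ticked (<OptInDefault>); /env returns per-offer "over-threshold" flags. The code below is an added example, not code from the report or from the bundler. SAMPLE_MANIFEST reproduces the elements visible in the capture; its second, non-primary <Bundle> is constructed for illustration, because the capture is truncated before any offer bundle, and its URL is a placeholder. SAMPLE_ENV is a subset of the /env response shown above.

```python
import re
import xml.etree.ElementTree as ET

UA_RE = re.compile(
    r"^Tightrope Bundle Manager\(ref=\[(?P<ref>[0-9a-f]{40})\];(?P<kv>[^)]*)\)$")


def parse_tightrope_ua(ua):
    """Return the ref hash plus key=value fields, or None if not this family."""
    m = UA_RE.match(ua)
    if not m:
        return None
    fields = {"ref": m.group("ref")}
    for part in m.group("kv").split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def host_profile(fields):
    """Normalise the fields the service can key offers on."""
    return {
        "windows": fields.get("windows"),
        "uac_enabled": fields.get("uac") == "true",
        "elevated": fields.get("elevated") == "true",
        "dotnet": fields.get("dotnet"),
        "pid": int(fields["pid"]) if fields.get("pid", "").isdigit() else None,
    }


def refang(url):
    """The report defangs URLs as hXXp://; undo that for lookups."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def manifest_products(xml_text):
    """One dict per <Bundle>: what is downloaded, how it runs, whether it is pre-ticked."""
    root = ET.fromstring(xml_text)  # use defusedxml.ElementTree for untrusted captures
    out = []
    for b in root.iter("Bundle"):
        binary = b.find("ProductBinary")
        out.append({
            "name": b.findtext("ProductName", default=""),
            "primary": b.findtext("Primary", default="false") == "true",
            "opt_in_default": b.findtext("OptInDefault", default="false") == "true",
            "binary": refang(binary.text or "") if binary is not None else "",
            "silent_options": binary.get("options", "") if binary is not None else "",
        })
    return out


def pre_ticked_offers(products):
    """Non-primary bundles whose checkbox defaults to on."""
    return [p["name"] for p in products if not p["primary"] and p["opt_in_default"]]


def over_threshold_offers(env_xml):
    """Offer names from /env whose over-threshold entry is true."""
    root = ET.fromstring(env_xml)
    prefix = "over-threshold:"
    return [e.get("name", "")[len(prefix):] for e in root.iter("Entry")
            if e.get("name", "").startswith(prefix) and (e.text or "").strip() == "true"]


SAMPLE_UA = ("Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];"
             "windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1513890;pid=676)")

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Installer>
 <Bundle>
  <CustomParameter Name="VerboseErrors">true</CustomParameter>
  <OptInDefault>false</OptInDefault>
  <ProductBinary embed="false" msioptions="" options="/S">hXXp://mirror.mirror-files.com/binstallers/BM2/vlc/exe/vlc-2.0.0-win32.exe</ProductBinary>
  <ProductEula comboPrimary="false" embed="false">hXXp://mirror.mirror-files.com/binstallers/BM2/vlc/ipage/vlc-generic-bm25.mht</ProductEula>
  <Primary>true</Primary>
  <ProductId>10</ProductId>
  <ProductName>VLC Media Player</ProductName>
 </Bundle>
 <Bundle><!-- constructed offer bundle for the demo; not from the capture -->
  <OptInDefault>true</OptInDefault>
  <ProductBinary embed="false" options="/S">hXXp://offer.invalid/offer.exe</ProductBinary>
  <Primary>false</Primary>
  <ProductName>Example Offer</ProductName>
 </Bundle>
</Installer>
"""

SAMPLE_ENV = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Installer><Environment>'
              '<Entry name="over-threshold:iToolBox (US)">true</Entry>'
              '<Entry name="over-threshold:RocketTab (US)">true</Entry>'
              '<Entry name="over-threshold:Yahoo Smartbar (UK)">true</Entry>'
              '</Environment></Installer>')

if __name__ == "__main__":
    print(host_profile(parse_tightrope_ua(SAMPLE_UA)))
    for p in manifest_products(SAMPLE_MANIFEST):
        print(p)
    print("pre-ticked:", pre_ticked_offers(manifest_products(SAMPLE_MANIFEST)))
    print("over threshold:", over_threshold_offers(SAMPLE_ENV))
```

For network detection the UA_RE prefix is the useful part: the ref hash and the host fields change per build and per victim, so match on "Tightrope Bundle Manager(ref=[" rather than on the whole string.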
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_764:
.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
uDSSh
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
*?|/":
%s=%s
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegDeleteKeyA
RegCloseKey
RegEnumKeyA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
stub_lzma.exe
dm\LOCALS~1\Temp\nsrB4.tmp\LuaBridge.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsrB4.tmp\LuaBridge.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsrB4.tmp
LuaBridge.dll
?execFile@LuaBridge@@YA_NPAUnamed_state_t@1@PBD@Z
?processPipeCommands@LuaBridge@@YAHPAUnamed_state_t@1@PAX_N@Z
_luabridge_exec_file@8
C:\Programming\GitHome\LuaBridge\Release\LuaBridge.pdb
6%6.676@6
242;2]2{2
4 4$4(4,4044484
.textbss
.idata
ProxyForUrl
Win32.Job
Nsis.PluginCall
Win32.Handle
Error:Unknown /state named %s
evalResp{args=%x,stateName=%x}
evalLuaFile[state=%x/%s][thread=%d](%s)
nsLua.cpp
WM_EXEC_FILE|File=
LuaRemoteLoop[state=%x/%s][thread=%d]
com.luabridge.WndProcTable
[%s]Error Handling Message(%d,%d,%d,%d):%s
[%s]Calling Global Function(%s)
checkIsChild:Failed to Get Exe Path(rc=%d)
checkIsChild:Failed to SetEnvironmentVariable(rc=%d)
checkIsChild:Failed to Create Shared Data Block(rc=%d)
checkIsChild:Create process failed(rc=%d)
checkIsChild:GetExitCodeProcess failed(rc=%d)
[%s]Error Evaluating %s
ERROR:%s
PipeName:
evalLuaString[state=%x/%s][thread=%d](%s)
DBGHELP.DLL
Saved dump file to '%s'
Failed to save dump file to '%s' (error %d)
Failed to create dump file '%s' (error %d)
DBGHELP.DLL too old
DBGHELP.DLL not found
Thread named '%s' could not be found
Expected async state name:%s
unknown state name '%s'
evalInState() error; no code passed
ERROR:Cannot post to state[%s] not async and note default
lua51.dll
WINMM.dll
IPHLPAPI.DLL
msvcrt.dll
CreatePipe
ShellExecute
EnumRegKey
create_pipe
nsrB4.tmp
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsrB4.tmp
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nswB2.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5334543
8664755
8760876
Nullsoft Install System v5.6.7
com.build.date
8/27/2014
com.build.dir
C:\BundleManager\25\WebTemplates
com.build.id
com.build.machine
com.build.skin
com.build.time
com.build.user
$%USER%
%original file name%.exe_676:
.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
uDSSh
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
*?|/":
%s=%s
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegDeleteKeyA
RegCloseKey
RegEnumKeyA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
stub_lzma.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsdBA.tmp\LuaBridge.dll
ss.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsdBA.tmp\LuaBridge.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsdBA.tmp
ns\UrlAssociations\http\UserChoice
GetProcessHeap
Z:\Programming\GitHome\master\Employers\Franco\TightRope-BundleManager\Custom\Scramble\Release\Scramble.pdb
C:\Nsis\Browser-%s
nswebForwarder
CustomNsWebContainer
`'\%D,3
WININET.dll
EnumChildWindows
OLEAUT32.dll
customnsWeb.dll
C:\Programming\GitHome\bm-core-main.git\25\Custom\Nsweb\Release\nsWeb.pdb
CustomNsWebForwarder
1 1$1(1,10141
.reloc
#-,.mT:
!$"'(!((!$&
##-,#1.#0- !%
! .76:76:*),
#" *#1.#1.!#&
nsdBA.tmp
-exec
Paid]],0x00040000) -- C:/BM/2.5/BINARIES/DownloadAdmin-Dynamic/production/popup/rebuilt_nosource.exe.nsi:Line 1202.2
xe.nsi:Line 1078.2
true;dotnet=4;startTime=1513890;pid=676)]]}) -- C:/BM/2.5/BINARIES/DownloadAdmin-Dynamic/production/popup/rebuilt_nosource.exe.nsi:Line 980.2
Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1513890;pid=676)
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nstB8.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
"%Program Files%\Internet Explorer\iexplore.exe" -nohome
plore.exe" -nohome
1513890
5334543
8664755
8760876
Nullsoft Install System v5.6.7
lorer\iexplore.exe" -nohome
com.build.date
8/27/2014
com.build.dir
C:\BundleManager\25\WebTemplates
com.build.id
com.build.machine
com.build.skin
com.build.time
com.build.user
$%USER%
%original file name%.exe_676_rwx_003E4000_00001000:
callback%d
%original file name%.exe_676_rwx_015E1000_0000A000:
Portions Copyright (c) 1999,2003 Avenger by NhT
KWindows
GetProcessHeap
.idata
.edata
P.reloc
P.rsrc