HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Symmi.5363 (B) (Emsisoft), Gen:Variant.Symmi.5363 (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: f4d056f12ec2e405a27b4c7226248f7e
SHA1: acdd87ff378b5f2e0d505d331ace59f14d06f51d
SHA256: 2b355c0a3f75c50b90076f8d7a1ab22424a94c2506ae86f3288c7ddb47519a47
SSDeep: 1536:dBOQugTGG3VaO2u8Z68vvWfhoBQ3Ob4lhlwLkgpYEtDLonouy8:/OQuIGG3Qy8Z68vvMTheLkg9DMout
Size: 1080832 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2011-07-26 08:31:19
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):No processes have been created.
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
No files have been created.
Registry activity
Dropped PE files
| MD5 | File path |
|---|---|
| fd8bd221f53eeed97073a68b37a16e6d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe |
| 7805e5fd154a06c713fe9c6e3d4f02c9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{018045A8-6104-43FF-B749-0E3F8766D8CA}\fpb.tmp |
| 87a49bdb8cc20c34e735f2383d55ba8e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{5E929924-F22A-4960-A0EE-FC487A6C136C}\InstallFlashPlayer.exe |
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 23831 bytes in size. The following strings are added to the hosts file listed below:
| 184.168.105.79 | viabcp.com |
| 184.168.105.79 | www.viabcp.com |
| 184.168.105.79 | bcpzonasegura.viabcp.com |
| 184.168.105.79 | bn.com.pe |
| 184.168.105.79 | www.bn.com.pe |
| 184.168.105.79 | zonasegura1.bn.com.pe |
| 184.168.105.79 | bbvabancocontinental.com |
| 184.168.105.79 | www.bbvabancocontinental.com |
| 184.168.105.79 | peb1.bbvanetlatam.com |
| 184.168.105.79 | www.peb1.bbvanetlatam.com |
| 184.168.105.79 | scotiabank.com.pe |
| 184.168.105.79 | www.scotiabank.com.pe |
| 184.168.105.79 | scotiaenlinea.scotiabank.com.pe |
| 74.63.223.176 | www.colmena.com.co |
| 74.63.223.176 | colmena.com.co |
| 74.63.223.176 | www.bancocajasocial.com.co |
| 74.63.223.176 | bancocajasocial.com.co |
| 74.63.223.176 | www.colpatria.com |
| 74.63.223.176 | colpatria.com |
| 74.63.237.36 | www.citibank.com.pe |
| 74.63.237.36 | citibank.com.pe |
| 204.197.241.82 | bancoguayaquil.com |
| 204.197.241.82 | www.bancoguayaquil.com |
| 204.197.241.82 | www.personas.santanderrio.com.ar |
| 204.197.241.82 | personas.santanderrio.com.ar |
| 204.197.241.82 | www.santanderrio.com.ar |
| 204.197.241.82 | santanderrio.com.ar |
| 204.197.241.82 | www.mibanco.com.pe |
| 204.197.241.82 | mibanco.com.pe |
| 5.239.183.28 | iniciorapido.info |
| 237.191.3.54 | www.iniciorapido.info |
| 226.224.161.94 | buscalo.in |
| 228.82.144.214 | www.buscalo.in |
| 123.209.139.159 | buscafacil.com |
| 31.228.216.186 | www.buscafacil.com |
| 20.5.117.225 | emsisoft.com |
| 90.119.100.157 | ahnlab.com |
| 173.246.95.103 | antivir.es |
| 149.198.172.61 | antiy.net |
| 138.230.74.168 | authentium.com |
| 140.88.244.33 | avast.com |
| 35.27.52.234 | avg.com |
| 199.235.128.192 | bitdefender.com |
| 188.12.30.43 | quickheal.com |
| 2.125.200.164 | clamav.net |
| 86.252.8.109 | comodo.com |
| 250.16.84.135 | drweb.com |
| 239.49.242.175 | aladdin.com |
| 53.163.157.39 | ca.com |
| 204.34.220.240 | f-prot.com |
| 112.241.41.11 | f-secure.com |
| 101.86.198.50 | fortinet.com |
| 171.132.113.170 | gdata.es |
| 254.71.176.116 | ikarus.at |
| 162.23.253.142 | jiangmin.com |
| 151.55.155.181 | kaspersky.com |
| 221.169.69.114 | mcafee.com |
| 116.108.133.247 | microsoft.com |
| 24.60.209.17 | eset.es |
| 13.93.111.124 | norman.com |
| 83.206.25.245 | nprotect.com |
| 166.77.89.190 | pandasecurity.com |
| 75.97.165.148 | pctools.com |
| 64.130.255.0 | prevx.com |
| 134.176.238.120 | rising-global.com |
| 217.115.233.65 | sophos.com |
| 193.66.122.92 | sunbeltsoftware.com |
| 182.99.211.131 | symantec.com |
| 184.213.194.251 | hacksoft.com.pe |
| 79.152.189.197 | trendmicro.com |
| 243.104.78.223 | anti-virus.by |
| 232.136.168.6 | hauri.net |
| 46.250.150.127 | virusbuster.hu |
| 129.121.146.72 | www.emsisoft.com |
| 105.141.222.98 | www.ahnlab.com |
| 94.174.124.137 | www.antivir.es |
| 96.219.106.2 | www.antiy.net |
| 247.158.102.203 | www.authentium.com |
| 156.110.178.229 | www.avast.com |
| 145.143.80.81 | www.avg.com |
| 215.1.63.201 | www.bitdefender.com |
| 42.196.58.146 | www.quickheal.com |
| 206.147.135.105 | www.clamav.net |
| 195.180.36.212 | www.comodo.com |
| 9.38.19.76 | www.drweb.com |
| 160.165.14.22 | www.aladdin.com |
| 68.185.91.236 | www.ca.com |
| 57.217.249.87 | www.f-prot.com |
| 127.75.231.208 | www.f-secure.com |
| 210.202.227.153 | www.fortinet.com |
| 118.154.47.179 | www.gdata.es |
| 107.187.205.218 | www.ikarus.at |
| 177.44.187.83 | www.jiangmin.com |
| 5.239.183.28 | www.kaspersky.com |
| 237.191.3.54 | www.mcafee.com |
| 226.224.161.94 | www.microsoft.com |
| 228.82.144.214 | www.eset.es |
| 123.209.139.159 | www.norman.com |
| 31.228.216.186 | www.nprotect.com |
| 20.5.117.225 | www.pandasecurity.com |
| 90.119.100.157 | www.pctools.com |
| 173.246.95.103 | www.prevx.com |
| 149.198.172.61 | www.rising-global.com |
| 138.230.74.168 | www.sophos.com |
| 140.88.244.33 | www.sunbeltsoftware.com |
| 35.27.52.234 | www.symantec.com |
| 199.235.128.192 | www.hacksoft.com.pe |
| 188.12.30.43 | www.trendmicro.com |
| 2.125.200.164 | www.anti-virus.by |
| 86.252.8.109 | www.hauri.net |
| 250.16.84.135 | www.virusbuster.hu |
| 239.49.242.175 | www.emsisoft.com |
| 53.163.157.39 | www.anti-trojan.net |
| 204.34.220.240 | malwarescan.emsisoft.com |
| 112.241.41.11 | forum.emsisoft.com |
| 101.86.198.50 | www.emsisoft.net |
| 171.132.113.170 | www.emsisoft.it |
| 254.71.176.116 | www.emsisoft.de |
| 162.23.253.142 | www.anti-trojan-software.net |
| 151.55.155.181 | mamutu.com |
| 221.169.69.114 | www.emsisoft.es |
| 84.76.101.215 | malwarescan.emsisoft.de |
| 248.28.177.241 | ww.emsisoft.com |
| 237.61.79.93 | www.emsisoft.fr |
| 52.175.249.213 | www.emsisoft.nl |
| 135.45.57.158 | onlinecheck.emsisoft.com |
| 43.65.134.116 | onlinecheck.emsisoft.de |
| 32.98.223.224 | www.emsisoft.org |
| 102.144.206.88 | scan.anti-trojan.net |
| 185.83.201.33 | www.trojaner.info |
| 161.34.90.60 | onlinecheck.emsisoft.org |
| 150.67.179.99 | onlinecheck.emsisoft.net |
| 152.181.162.219 | blitzblank.com |
| 47.120.158.165 | www.emsisoft.at |
| 211.72.46.191 | www.emsisoft.jp |
| 200.105.136.230 | www.mamutu.com |
| 14.218.118.95 | malwarescan.emsisoft.es |
| 97.89.114.40 | www.mamutu.de |
| 73.109.190.66 | download5.emsisoft.com |
| 62.142.92.106 | download1.emsisoft.com |
| 65.188.74.226 | download4.emsisoft.com |
| 216.126.70.171 | global.ahnlab.com |
| 124.78.147.197 | www.hackshields.com |
| 113.111.48.49 | www.internationalservicecheck.com |
| 183.225.31.169 | www.irangoals.com |
| 10.164.26.114 | ixomodels.com |
| 174.115.103.73 | www.indielisboa.com |
| 163.148.4.180 | www.latin-mass-society.org |
| 233.6.243.44 | www.arpia.be |
| 128.133.238.246 | www.owen.org |
| 36.153.59.204 | www.prdouglas.co.uk |
| 25.186.217.55 | www.zarya.info |
| 95.43.199.176 | www.willsee.com |
| 178.170.195.121 | halmapr.com |
| 86.122.15.147 | karuna-shechen.org |
| 75.155.173.187 | www.barder.com |
| 146.13.155.51 | www.antivir.es |
| 229.207.151.252 | www.buraka.tv |
| 205.159.228.22 | www.dr-bull.com |
| 194.192.129.62 | www.manchester-offices.co.uk |
| 196.50.112.182 | saverssite.com |
| 91.177.107.127 | canada.karuna-shechen.org |
| 255.196.184.154 | developmentdrums.org |
| 244.229.85.193 | www.imddomains.co.uk |
| 58.87.68.125 | cutlines.org |
| 141.214.63.71 | elblogdemanu.com |
| 117.166.140.29 | ruben.bzin.net |
| 106.199.42.136 | welkam.co.jp |
| 108.56.212.1 | www.cambridge-steiner-school.co.uk |
| 3.251.20.202 | naturesimages.net |
| 167.203.96.160 | www.1stavenuelimousines.co.uk |
| 156.236.254.12 | www.mtr-design.com |
| 227.94.168.132 | dev.depeuter.org |
| 54.220.232.77 | www.emeraldclassic.co.uk |
| 218.240.53.103 | www.peterhearnwaste.co.uk |
| 207.17.210.143 | etrr.co.uk |
| 21.131.125.7 | www.avoncourt.com |
| 172.2.188.208 | sarahmcconnellphotography.net |
| 80.209.9.235 | www.ixomodels.com |
| 69.54.166.18 | natsko.com |
| 139.100.81.138 | www.nottinghampoetryseries.com |
| 222.39.144.84 | www.sheffieldmind.co.uk |
| 130.247.221.110 | ixostore.ixomodels.com |
| 119.24.123.149 | www.flairweddings.co.uk |
| 189.137.37.82 | www.fimasys.com |
| 84.76.101.215 | cohartuk.com |
| 248.28.177.241 | qqjkw.net |
| 237.61.79.93 | vivo-austin.com |
| 52.175.249.213 | www.freeality.com |
| 135.45.57.158 | bestofewan.com |
| 43.65.134.116 | www.handwritingforkids.com |
| 127.194.63.64 | cowsmo.com |
| 197.240.45.184 | www.2xlgames.com |
| 25.178.41.129 | kimzimmer.net |
| 1.130.186.155 | basetendencies.com |
| 246.163.19.195 | trackingtheworld.com |
| 248.21.2.59 | www.reviewsofbooks.com |
| 143.216.253.4 | www.collectedcurios.com |
| 51.167.142.31 | www.renningers.com |
| 40.200.231.70 | ccslaughterspdx.com |
| 110.58.214.190 | www.briarhurst.com |
| 193.185.209.136 | www.smf.org |
| 169.205.30.162 | ribbonwarehouse.com |
| 158.237.188.201 | www.garryowen.com |
| 160.27.170.66 | 45pounds.com |
| 55.222.166.11 | isotopecomics.com |
| 219.174.242.37 | roysephotos.com |
| 208.207.144.145 | www.stadiumpage.com |
| 22.65.126.9 | www.elvis-express.com |
| 106.3.122.210 | www.tomorrowsedge.net |
| 14.211.199.168 | www.beautybar.com |
| 3.244.100.20 | pineleafboys.com |
| 73.102.83.140 | www.mountainlakeslodge.com |
| 4.9.114.121 | pvtc.org |
| 168.28.191.80 | bhsbees.com |
| 157.61.92.187 | baristamagazine.com |
| 227.175.75.51 | www.gokidding.com |
| 54.46.71.253 | defalcos.com |
| 218.254.147.23 | www.celticmerchant.com |
| 207.31.49.62 | www.hxproduction.com |
| 21.144.31.183 | www.wellgousa.com |
| 104.83.27.128 | blog.titanium-jewelry.com |
| 80.35.103.154 | www.brightoctober.com |
| 70.68.5.194 | hishomeforchildren.com |
| 72.182.243.58 | www.phoenixtrikeworks.com |
| 223.52.239.3 | www.professorbeyer.com |
| 131.72.60.30 | www.secondchanceboxer.com |
| 120.105.217.69 | www.residentphotography.com |
| 190.219.200.1 | woottonfootball.com |
| 17.90.195.202 | www.deborahshelton.net |
| 249.42.16.161 | bobbondart.com |
| 238.74.173.12 | www.authentium.com |
| 240.188.88.132 | asap.authentium.com |
| 135.127.152.78 | www.authentium.com.au |
| 43.79.228.36 | avast.com |
| 32.112.130.143 | www.avast.com |
| 102.225.44.8 | files.avast.com |
| 185.96.108.209 | download535.avast.com |
| 93.116.184.235 | avg.com |
| 83.149.86.19 | www.avg.com |
| 153.7.0.139 | grisoft.com |
| 48.133.64.84 | www.grisoft.com |
| 212.85.141.111 | antivirus-tools.com |
| 201.186.42.150 | archive.bitdefender.com |
| 15.232.213.14 | avx.rob-have.net |
| 98.171.20.215 | b-have.orgbitdefender-ar.com |
| 6.123.97.242 | bitdefender.com |
| 251.155.254.25 | bitdefender.org |
| 65.13.169.213 | bitdefenderchina.com |
| 216.208.233.91 | bitdefenderguatemala.com |
| 124.160.53.117 | bitdefendermalaysia.com |
| 113.193.211.224 | bitdefendertaiwan.com |
| 183.50.125.89 | bitdefenderuruguay.com |
| 10.177.189.34 | bitdefenderusa.com |
| 174.197.9.248 | buy.bitdefender-es.com |
| 164.230.99.100 | buy.bitdefender.com |
| 234.20.81.220 | buy.bitdefender.de |
| 61.214.77.165 | de.bitdefender.com |
| 37.166.222.192 | fr.bitdefender.com |
| 26.199.55.231 | futurenow.bitdefender.com |
| 28.57.38.95 | it.bitdefender.com |
| 179.252.33.40 | jobs.bitdefender.com |
| 87.203.178.67 | kb.bitdefender.com |
| 76.236.11.106 | kb.bitdefender.de |
| 146.94.250.226 | kb.bitdefender.us |
| 229.221.246.172 | latin.bitdefender.com |
| 205.241.66.198 | linux.bitdefender.com |
| 194.18.224.237 | malwarecity.com |
| 196.63.206.102 | malwarecity.netmalwarecity.org |
| 91.2.202.47 | malwarepedia.com |
| 255.210.22.73 | neunet.orgnews.bitdefender.com |
| 245.243.180.181 | nl.bitdefender.com |
| 59.101.162.45 | renewals.bitdefender.com |
| 142.39.158.246 | sales.bitdefender.com |
| 50.247.235.205 | square.bitdefender.com |
| 39.24.136.56 | store.bitdefender.com |
| 109.138.119.176 | store.de.bitdefender.com |
| 4.9.114.121 | us.bitdefender.com |
| 168.28.191.80 | virusscanonline.net |
| 157.61.92.187 | wedoantivirus.com |
| 227.175.75.51 | www.antivirus-tools.com |
| 54.46.71.253 | www.avx.ro |
| 218.254.147.23 | www.bit-defender.de |
| 207.31.49.62 | www.bitdefende.de |
| 21.144.31.183 | www.bitdefender-es.com |
| 104.83.27.128 | www.bitdefender.be |
| 80.35.103.154 | www.bitdefender.cl |
| 70.68.5.194 | www.bitdefender.co.uk |
| 72.182.243.58 | www.bitdefender.com |
| 223.52.239.3 | www.bitdefender.com.au |
| 131.72.60.30 | www.bitdefender.com.sg |
| 120.105.217.69 | www.bitdefender.com.tw |
| 190.219.200.1 | www.bitdefender.com.vn |
| 17.90.195.202 | www.bitdefender.de |
| 249.42.16.161 | www.bitdefender.es |
| 238.74.173.12 | www.bitdefender.fr |
| 240.188.88.132 | www.bitdefender.hk |
| 135.127.152.78 | www.bitdefender.us |
| 43.79.228.36 | www.bitdefenderme.com |
| 32.112.130.143 | www.malwarecity.com |
| 102.225.44.8 | www.malwarecity.fr |
| 185.96.108.209 | quickheal.com |
| 120.143.211.6 | www.quickheal.com |
| 110.176.113.46 | www.clamav.net |
| 180.34.27.166 | cgi.clamav.net |
| 75.160.91.111 | lurker.clamav.net |
| 239.112.168.138 | wwws.clamav.net |
| 228.213.69.177 | lists.clamav.net |
| 42.3.240.41 | bugs.clamav.net |
| 125.198.47.242 | system-cleaner.comodo.com |
| 33.149.124.13 | backup.comodo.com |
| 22.182.25.52 | www.comodoantispam.com |
| 92.40.196.240 | easy-vpn.comodo.com |
| 243.235.4.118 | www.trustlogo.com |
| 151.187.80.144 | ztl.comodo.com |
| 140.220.238.251 | www.livepcsupport.com |
| 210.77.152.116 | www.whichssl.com |
| 37.204.216.61 | www.trustix.com |
| 201.224.36.19 | disk-encryption.comodo.com |
| 190.1.126.127 | speedtest.comodo.com |
| 5.47.108.247 | www.contentverification.com |
| 88.241.104.192 | idauthority.com |
| 64.193.249.219 | www.comodo.tv |
| 53.226.82.2 | online-backup.comodo.com |
| 55.84.65.122 | www.testmypcsecurity.com |
| 206.23.60.67 | www.ccssforum.org |
| 114.230.173.62 | i-vault.comodo.com |
| 71.231.7.101 | internetsecurity.comodo.com |
| 141.89.245.221 | www.comodopartners.com |
| 224.216.241.167 | timestamp.comodoca.com |
| 200.236.61.193 | secure-email.comodo.com |
| 189.13.219.232 | timestamp.wosign.com |
| 191.58.201.97 | rover800.gaima.co.uk |
| 86.253.197.42 | www.nsclean.com |
| 251.205.17.68 | www.contentverification.com |
| 240.238.175.176 | new-estore.drweb.com |
| 54.96.158.40 | support.drweb.com |
| 137.35.153.241 | pda.drweb.com |
| 45.242.230.200 | updates.drweb.com |
| 34.19.131.51 | drweb.com |
| 104.133.114.171 | vms.drweb.com |
| 255.4.109.117 | solutions.drweb.com |
| 163.24.186.75 | news.drweb.com |
| 152.56.87.182 | my.drweb.com |
| 222.170.70.46 | buy.drweb.com |
| 49.41.66.248 | products.drweb.com |
| 213.249.142.18 | new-support.drweb.com |
| 202.26.44.57 | promotions.drweb.com |
| 16.139.26.178 | network.drweb.com |
| 99.78.22.123 | customers.drweb.com |
| 76.30.98.149 | store.drweb.com |
| 65.63.0.189 | company.drweb.com |
| 67.177.239.53 | training.drweb.com |
| 218.48.234.254 | license.drweb.com |
| 221.163.150.120 | cureit.ru |
| 211.196.52.160 | free.drweb.com |
| 25.54.35.92 | info.drweb.com |
| 108.180.30.37 | new-partners.drweb.com |
| 84.132.107.252 | drweb.net |
| 73.165.8.103 | new-company.drweb.com |
| 75.23.179.223 | new-beta.drweb.com |
| 226.218.242.169 | new-forum.drweb.com |
| 134.170.63.127 | secure.av-desk.com |
| 123.202.220.234 | www.av-desk.com |
| 193.60.135.98 | new-solutions.drweb.com |
| 20.187.199.44 | new-www.drweb.com |
| 184.207.19.70 | www.freedrweb.ru |
| 173.240.177.109 | daniloff.net |
| 243.97.91.230 | drweb-inside.com |
| 138.224.155.175 | drwebinside.com |
| 46.176.231.201 | aladdin.com |
| 36.21.133.241 | alladdin.ru |
| 106.67.48.105 | chickensroamfree.com |
| 157.230.79.18 | ealaddin.net |
| 65.181.156.45 | ealaddin.orgeshop.aladdin.com |
| 54.214.57.84 | secureme.com |
| 124.72.228.16 | www.aks.com |
| 19.11.35.150 | www.aladdin.com |
| 183.219.112.176 | www.ealaddin.com |
| 172.251.14.27 | www.ealaddin.com |
| 242.109.184.148 | auwww.ealaddin.nl |
| 69.236.248.93 | www.esafe.com |
| 233.0.68.51 | www.hasp.se |
| 222.33.158.158 | www.safenet-inc.com |
| 36.79.140.23 | www3.safenet-inc.com |
| 216.114.232.65 | www.ca.com |
| 192.66.121.91 | cacomvip.ca.com |
| 181.98.211.130 | www.netegrity.com |
| 183.212.193.251 | search.ca.com |
| 78.151.189.196 | cai.com |
| 242.103.77.222 | www.f-prot.com |
| 231.136.167.5 | frisk-software.com |
| 45.249.149.126 | www.frisk.is |
| 97.88.113.39 | www.frisk-software.com |
| 73.108.190.65 | f-secure.com |
| 62.141.91.105 | f-secure.frf-secure.hk |
| 64.187.74.225 | f-secure.nlfsecure.com |
| 215.126.69.170 | fsecure.nlwebyard.com |
| 123.77.146.197 | www.f-secure.com |
| 112.110.47.48 | www.fsecure.com |
| 182.224.30.168 | www.virus.fi |
| 9.163.25.114 | fortihero.com |
| 173.115.102.72 | fortilog.com |
| 162.148.4.19 | fortinet.co.at |
| 72.101.82.139 | fortinet.com |
| 223.228.77.85 | fortiprotect.com |
| 131.248.154.43 | fortiwifi.com |
| 120.24.56.150 | www.apsecure.com |
| 190.138.38.15 | www.fortifed.com |
| 17.9.34.216 | www.fortiid.com |
| 181.217.110.242 | www.fortimail.com |
| 170.250.12.26 | www.fortinet-apac.com |
| 21.144.30.182 | www.fortinet.ch |
| 104.82.26.127 | www.fortinet.co.il |
| 80.34.103.154 | www.fortinet.com |
| 69.67.4.193 | www.fortinet.com |
| 71.181.243.57 | arwww.fortinet.cz |
| 222.52.238.2 | www.fortinet.net |
| 130.71.59.29 | www.fortinet.nl |
| 119.104.216.68 | www.fortinet.sg |
| 189.218.199.0 | www.fortinetuk.com |
| 16.89.195.202 | www.secure-elements.com |
| 248.41.15.160 | gdata.es |
| 237.74.173.11 | www.gdata.es |
| 13.217.117.162 | ikarus.at |
| 164.156.181.107 | www.ikarus.at |
| 72.108.1.65 | global.jiangmin.com |
| 61.141.159.173 | jiangmin.com.cn |
| 132.255.73.37 | jiangmin.com |
| 215.125.137.238 | www.jiangmin.com.cn |
| 123.145.214.9 | www.kaspersky.com |
| 112.178.115.48 | forum.kaspersky.com |
| 150.4.254.136 | support.kaspersky.co |
| 45.131.61.82 | usa.kaspersky.com |
| 209.83.138.108 | brazil.kaspersky.com |
| 198.183.39.147 | latam.kaspersky.com |
| 12.229.210.11 | kaspersky.com |
| 95.168.18.213 | me.kaspersky.com |
| 3.120.94.239 | images.kaspersky.com |
| 248.153.252.22 | www.mcafee.com |
| 62.10.166.211 | support.mcafee.com |
| 213.205.230.88 | msr.mcafee.com |
| 122.157.50.114 | home.mcafee.com |
| 111.190.48.61 | networkassociates.com |
| 20.143.218.182 | us.mcafee.com |
| 103.14.26.127 | tr.mcafee.com |
| 11.34.102.85 | au.mcafee.com |
| 1.67.192.193 | mx.mcafee.com |
| 71.113.175.57 | networkassociates.nai.com |
| 154.51.170.2 | go.mcafee.com |
| 130.3.59.253 | fr.mcafee.com |
| 87.4.116.36 | uk.mcafee.com |
| 89.118.99.156 | de.mcafee.com |
| 240.57.94.102 | obscgi.mcafee.com |
| 148.9.239.128 | nai.com |
| 137.41.73.167 | www.entercept.com |
| 207.155.55.32 | jp.mcafee.com |
| 34.26.51.233 | mcafeeb2b.com |
| 10.46.127.3 | cn.mcafee.com |
| 255.79.29.42 | service.mcafee.com |
| 1.125.11.163 | br.mcafee.com |
| 153.63.7.108 | www.mcafee.at |
| 61.15.84.134 | mcafeeretail.com |
| 146.144.82.82 | it.mcafee.com |
| 216.2.64.203 | tw.mcafee.com |
| 43.197.60.148 | privacy.microsoft.com |
| 207.149.136.106 | tempuri.org |
| 196.182.38.213 | schemas.xmlsoap.org |
| 10.39.20.78 | www.microsoft.com |
| 161.166.16.247 | specs.xmlsoap.org |
| 38.154.61.205 | www.eugrantsadvisor.ie |
| 27.187.218.57 | schemas.microsoft.com |
| 97.45.201.177 | encarta.msn.com |
| 180.172.196.122 | www.sysinternals.com |
| 88.123.17.149 | grv.microsoft.com |
| 77.156.174.188 | www.xmlsoap.org |
| 147.14.157.52 | www.eugrantsadvisor.se |
| 230.209.152.254 | www.eugrantsadvisor.com |
| 206.161.229.24 | research.microsoft.com |
| 195.194.226.159 | www.engyro.com |
| 37.147.209.23 | www.exchangeyourcareer.com |
| 188.18.204.225 | www.eugrantsadvisor.de |
| 96.38.25.251 | exchangeyourcareer.net |
| 85.70.183.34 | eugrantsadvisor.de |
| 155.184.165.223 | eugrantsadvisor.cz |
| 238.55.161.168 | www.eset.es |
| 214.7.237.126 | demos.eset.es |
| 240.76.175.14 | descargas.eset.es |
| 242.190.89.134 | blogs.protegerse.com |
| 137.128.153.79 | eos.eset.es |
| 45.80.230.38 | pedidos.protegerse.com |
| 34.113.131.145 | reg-int.nod32-es.com |
| 104.227.46.9 | reg.eset.es |
| 187.98.109.210 | vicentevirtual.com |
| 95.117.186.237 | cou85.com |
| 84.150.87.20 | www.norman.com |
| 154.8.2.140 | fsc.norman.com |
| 49.135.66.86 | nprobeta.norman.com |
| 213.87.142.112 | register.norman.com |
| 202.188.44.151 | webadmin.norman.no |
| 16.233.214.16 | sandbox.norman.com |
| 99.172.22.217 | www.nprotect.com |
| 7.124.98.243 | global.nprotect.com |
| 253.157.0.27 | www.nprotect.co.kr |
| 67.15.170.215 | www.npin.co.kr |
| 218.209.234.92 | siren24.nprotect.com |
| 126.161.55.119 | 15660808.co.kr |
| 115.194.212.226 | biz.nprotect.com |
| 212.79.154.117 | nprotect.net |
| 39.206.217.62 | www.nprotect.com.br |
| 203.225.38.21 | liveprotect.net |
| 192.2.127.128 | nprotect.seoul.go.kr |
| 6.48.110.248 | chollian.nprotect.co.kr |
| 89.243.106.194 | www.pandasecurity.com |
| 65.195.250.220 | research.pandasecurity.com |
| 54.228.84.3 | support.pandasecurity.com |
| 56.85.66.124 | pandalabs.pandasecurity.com |
| 207.24.62.69 | pandasecurity.com |
| 115.232.206.95 | mop.pandasecurity.com |
| 104.9.40.135 | timeforyourbusi.pandasecurity.com |
| 175.123.22.255 | cybercrime.pandasecurity.com |
| 2.249.18.200 | free.pandasecurity.com |
| 234.13.95.227 | cloudprotection.pandasecurity.com |
| 223.46.252.10 | shop.pandasecurity.com |
| 225.92.235.130 | soporte.pandasecurity.com |
| 120.31.230.75 | together.pctools.com |
| 28.238.51.102 | www.prevx.com |
| 17.15.208.209 | info.prevx.com |
| 87.129.191.73 | free.prevx.com |
| 170.68.187.19 | spywarefiles.prevx.com |
| 78.20.7.233 | spywaredlls.prevx.com |
| 35.21.133.52 | shield.prevx.com |
| 105.134.115.173 | www.prevx1.com |
| 0.5.111.118 | howsafeismypc.com |
| 165.25.187.76 | www.retento.com |
| 154.58.89.184 | www.freerav.com |
| 224.172.72.48 | www.rising-global.com |
| 51.43.67.249 | www.risingav.com.au |
| 215.250.144.20 | support.rising-global.com |
| 204.27.45.59 | superboy2010.com.au |
| 18.141.28.179 | www.sophos.com |
| 101.80.23.125 | feeds.sophos.com |
| 77.32.100.151 | esp.sophos.com |
| 66.64.1.190 | cn.sophos.com |
| 68.178.240.54 | tw.sophos.com |
| 219.49.236.0 | kr.sophos.com |
| 127.69.56.26 | sophos.com |
| 116.102.214.65 | podcasts.sophos.com |
| 186.215.196.254 | www.sunbeltsoftware.com |
| 13.86.192.199 | go.sunbeltsoftware.com |
| 246.38.12.157 | oem.sunbeltsoftware.com |
| 235.71.170.9 | antispam.sunbeltsoftware.com |
| 237.185.85.129 | antispyware.sunbeltsoftware.com |
| 132.124.148.74 | antivirus.sunbeltsoftware.com |
| 40.75.225.33 | sunbeltsoftware.com |
| 29.108.126.140 | shop.sunbeltsoftware.com |
| 99.222.41.4 | live.sunbeltsoftware.com |
| 182.93.104.206 | firewall.sunbeltsoftware.com |
| 90.113.181.232 | www.symantec.com |
| 79.145.82.15 | security.symantec.com |
| 149.3.253.135 | securityrespons.symantec.com |
| 44.130.61.81 | service1.symantec.com |
| 48.178.233.203 | enterprisesecur.symantec.com |
| 37.22.134.242 | eval.symantec.com |
| 107.68.49.106 | symantec.com |
| 190.7.113.52 | definitions.symantec.com |
| 98.215.189.78 | investor.symantec.com |
| 87.248.91.117 | et.symantec.com |
| 157.105.5.50 | sfdoccentral.symantec.com |
| 52.44.69.183 | servicenews.symantec.com |
| 216.252.145.209 | securityrespons.symantec.com |
| 206.29.47.61 | sea.symantec.com |
| 20.143.218.181 | go.symantec.com |
| 103.13.25.126 | dell.symantec.com |
| 11.33.102.85 | sun.symantec.com |
| 0.66.191.192 | marian.symantec.com |
| 70.112.174.56 | tms.symantec.com |
| 153.51.169.2 | securitycheck.symantec.com |
| 129.3.58.28 | smallbiz.symantec.com |
| 118.35.147.67 | www.symantec.com |
| 120.149.130.187 | visualtracking.symantec.com |
| 15.88.126.133 | search.symantec.com |
| 179.40.14.159 | liveupdate.symantec.com |
| 168.73.104.198 | sitedirector.symantec.com |
| 238.186.86.63 | edm.symantec.com |
| 65.57.82.8 | hostedmailsecur.symantec.com |
| 41.77.158.34 | www4.symantec.com |
| 255.78.28.42 | education.symantec.com |
| 1.124.11.162 | vos.symantec.com |
| 152.63.6.107 | www.hacksoft.com.pe |
| 60.14.83.134 | hacksoft.pe |
| 49.47.240.241 | www.hacksoft.pe |
| 119.161.223.105 | housecall.trendmicro.com |
| 202.100.218.51 | www.trendmicro.com |
| 110.52.39.9 | housecall65.trendmicro.com |
| 99.84.197.116 | us.trendmicro.com |
| 169.198.179.237 | blog.trendmicro.com |
| 64.69.175.182 | emea.trendmicro.com |
| 228.89.251.140 | housecall60.trendmicro.com |
| 217.122.153.247 | jp.trendmicro.com |
| 31.236.135.112 | de.trendmicro.com |
| 115.106.131.57 | it.trendmicro.com |
| 23.58.207.83 | itw.trendmicro.com |
| 108.187.206.219 | esupport.trendmicro.com |
| 178.45.188.84 | es.trendmicro.com |
| 5.240.184.29 | br.trendmicro.com |
| 237.192.4.55 | tw.trendmicro.com |
| 226.225.162.94 | la.trendmicro.com |
| 228.82.144.215 | uk.trendmicro.com |
| 123.209.140.160 | ru.trendmicro.com |
| 32.229.216.186 | smbstore.trendmicro.com |
| 21.6.118.226 | apac.trendmicro.com |
| 91.120.101.158 | store.trendmicro.com |
| 174.247.96.103 | training.trendmicro.com |
| 150.198.173.62 | trial.trendmicro.com |
| 139.231.74.169 | ushousecall02.trendmicro.com |
| 141.89.245.33 | subwiz.trendmicro.com |
| 36.28.52.235 | go.trendmicro.com |
| 200.236.129.193 | feeds.trendmicro.com |
| 189.12.31.44 | channelpartner.trendmicro.com |
| 3.126.201.165 | wtc.trendmicro.com |
| 86.253.9.110 | shop.trendmicro.com |
| 250.17.85.136 | fr.trendmicro.com |
| 239.50.243.175 | threatinfo.trendmicro.com |
| 53.163.157.40 | newsletters.trendmicro.com |
| 204.34.221.241 | www.anti-virus.by |
| 113.242.41.11 | bg.virusblokada.com |
| 102.87.199.51 | www.vba.com.by |
| 172.133.114.171 | beta.anti-virus.by |
| 255.72.177.116 | www.bg.virusblokada.com |
| 163.23.254.143 | www.hauri.net |
| 152.56.155.150 | www.hauri.co.kr |
| 190.138.38.82 | company.hauri.net |
| 85.77.101.216 | www.globalhauri.com |
| 249.29.178.242 | shop.hauri.co.kr |
| 238.62.80.93 | hauri.co.kr |
| 52.175.250.214 | pg.hauri.net |
| 135.46.58.159 | esecurity.livecall.co.kr |
| 43.66.134.117 | mall.hauri.co.kr |
| 32.99.224.225 | company.hauri.co.kr |
| 103.145.206.89 | haurijapan.com |
| 186.83.202.34 | virobot.co.kr |
| 162.35.91.60 | www.virusbuster.hu |
| 246.164.20.196 | virusbuster.hu |
| 249.22.2.60 | scanner.novirusthanks.org |
| 144.216.254.5 | scanner2.novirusthanks.or |
| 52.168.143.31 | novirusthanks.org |
| 41.201.232.71 | www.novirusthanks.org |
| 111.59.215.191 | virustotal.com |
| 194.186.210.136 | www.virustotal.com |
| 170.205.31.163 | virscan.org |
| 159.238.188.202 | www.virscan.org |
| 161.28.171.66 | virusscan.jotti.org |
| 56.223.166.12 | jotti.org |
| 220.175.243.38 | www.jotti.org |
| 209.207.145.145 | viruschief.com |
| 23.65.127.10 | www.viruschief.com |
| 106.4.123.211 | scanner.virus.org |
| 14.212.199.169 | virus.org |
| 3.245.101.21 | www.virus.org |
| 110.139.119.177 | scan4you.net |
| 5.9.115.122 | www.scan4you.net |
| 169.29.192.81 | avhide.com |
| 158.62.93.188 | www.avhide.com |
| 228.176.76.52 | anubis.iseclab.org |
| 55.47.71.253 | iseclab.org |
| 219.255.148.24 | www.iseclab.org |
| 208.31.49.63 | threatexpert.com |
| 22.145.32.183 | www.threatexpert.com |
| 105.84.28.129 | forospyware.com |
| 81.36.104.155 | www.forospyware.com |
| 70.69.6.194 | in.answers.yahoo.com |
| 96.206.12.83 | es.answers.yahoo.com |
| 247.77.8.28 | kioskea.net |
| 155.97.84.54 | www.kioskea.net |
| 144.130.242.94 | es.kioskea.net |
| 215.244.224.26 | mygeekside.com |
| 42.114.220.227 | www.mygeekside.com |
| 18.66.41.186 | www.tecniservicioslys.com |
| 7.99.198.37 | tecniservicioslys.com |
| 9.213.113.157 | virusfreezone.info |
| 160.152.176.102 | www.virusfreezone.info |
| 68.103.253.61 | intranet.cidiroax.ipn.mx |
| 57.136.154.168 | spycheck.es |
| 127.250.69.32 | www.spycheck.es |
| 210.121.133.234 | antivirus.hispavista.com |
| 118.141.209.4 | computing.net |
| 107.174.111.43 | www.computing.net |
| 177.31.25.164 | spycheck.co.uk |
| 40.126.57.77 | www.spycheck.co.uk |
| 205.78.133.103 | midescargas.com |
| 194.179.35.143 | www.midescargas.com |
| 8.225.206.7 | static.yoreparo.com |
| 91.164.13.208 | softfaq.com |
| 255.115.90.235 | www.softfaq.com |
| 244.148.247.18 | configurarequipos.com |
| 58.6.162.206 | www.configurarequipos.com |
| 209.201.225.84 | seasonsecurity.com |
| 117.153.46.110 | www.seasonsecurity.com |
| 106.185.203.217 | removetrojanvirus.org |
| 176.43.118.81 | www.removetrojanvirus.org |
| 99.10.21.123 | ibusca.me |
| 7.30.98.81 | www.ibusca.me |
| 252.62.187.188 | busco.in |
| 66.108.170.52 | www.busco.in |
| 149.47.166.254 | inicioid.com |
| 125.255.54.24 | www.inicioid.com |
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Delete the original Trojan file.
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| 4096 | 200704 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e | |
| 204800 | 77824 | 74240 | 5.5353 | d2cef4d41f4f9dd2a9429f5018e34d1a | |
| 282624 | 4096 | 512 | 2.44574 | 15635006b89365a5a6fc7ac61f19d3c3 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 637
94b4fdbf29e0f8472d11604ca95455c6
4be1a3488fc85a44abdcf8bdb0f58ca2
5971a956598ed43e808e6b336c9f55c7
1567b96a6bc432d19192862d6235511f
6e7494ad1e335a2310e75ff0051e4ce8
2a5ecbf9deb640531a73d088f04a3a0c
e30b8a72d74876ace102eea06185625d
87a235f68f169eea463fa65a763d83a2
ce1e121b286f0915d608e495176f066b
aecbe789e4f0459490eb37f4bd89261d
a26e008fdc8590851a4ad5e30a8a38a2
eb1bd68322332dc1d3196144691f15fd
4f3f6ce7266634ae15529fa088e7497d
ceaf11c9d10291b97314aaff8238eb5f
2151c7eade1087765c716e1c94355773
8fc90024e949008f2c0681ac2246aa6d
ce23eb259f220c9bd4a0fe79c5669ae5
850e58b9ab90172d0d0acc1962d7dd79
a3cf4be1526752d8591859f15733b789
352453eaffb440e084c9b20b19ffee85
6fc9d34ffb3abda4a7d1a82c6b8edf70
0c6be81adddc312409820354979b8b69
0c5aaea1dd8c09fc9a80fa1f2d92d69a
3a115f585549f0c79fa62e514aa7efee
2bb0ac0568540041a3993893028e538e
b78c447744c0bc6e72cb45d49985e7fe
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://www.kuigames.com/templates/indigo/images/main_background.png | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Liberate-the-Angels.jpg | 141.101.118.57 |
| hxxp:///iframe3?ndFKGzVsXgBZJ6gBAAAAADAAdgAAAAAAAwAAAAAAAAAAAP8AAAAFF3UhkgAAAAAARJMsAAAAAAAzy5EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAvjhwAAAAAAAICAwAAgD8AAAAAAAAAAAAAADjQPaGYPwAAAAAAAAAAAAA40D2hqD8AAAAAAAAAAAAA.Po0HLI.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACGvptneApSELj9ucrBKETiiMMhk7L8E0CZ69oyAAAAAA==,,http://ads.kuigames.us/pop.html,B=10&H=&M=5&Z=0x0&_salt=2038240574&r=0&s=6188085&y=28,ffa248e4-34a7-11e4-8fe7-3cd92bff92de,1409885688096 | |
| hxxp://ads.yahoo.com/st?ad_type=iframe&ad_size=300x250§ion=6188085&pub_url=${PUB_URL} | 98.138.49.43 |
| hxxp://www.kuigames.com/games/images/Catchem-2.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/CycloManiacs-2.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Red-Fluxion.jpg | 141.101.118.57 |
| hxxp://sstatic1.histats.com/0.gif?1568213&101 | 208.43.241.181 |
| hxxp://www.kuigames.com/games/images/Starcom.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Crabs-Hunt.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/templates/indigo/forums/images/topic_search_button.png | 141.101.118.57 |
| hxxp://sstatic1.histats.com/0.gif?1568494&101 | 208.43.241.181 |
| hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab | 207.108.220.195 |
| hxxp://594275355.qseach.com/redir.php | 192.121.167.58 |
| hxxp://www.kuigames.com/games/images/Zoe-Hand-Doctor.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Platform-Racing-2.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Polar-PWND-2.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/templates/indigo/images/main_menu.png | 141.101.118.57 |
| hxxp://584q2ap5o892pv8r7wm64zo363pc8i.ipgreat.com/ | 192.121.167.58 |
| hxxp://ads.yahoo.com/st?ad_type=iframe&ad_size=160x600§ion=6188085&pub_url=${PUB_URL} | 98.138.49.43 |
| hxxp://www.kuigames.com/games/images/Sofia-And-Newborn-Sister.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Orb-Avoidance-2.jpg | 141.101.118.57 |
| hxxp://ads.kuigames.us/160x600.html | 104.28.6.118 |
| hxxp://www.kuigames.com/templates/indigo/images/module_heart.png | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/CycloManiacs.jpg | 141.101.118.57 |
| hxxp://ads.yahoo.com/rw?title=&qs=iframe3?ndFKGzVsXgBZJ6gBAAAAADAAdgAAAAAAAwAAAAAAAAAAAP8AAAAFF3UhkgAAAAAARJMsAAAAAAAzy5EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAvjhwAAAAAAAICAwAAgD8AAAAAAAAAAAAAADjQPaGYPwAAAAAAAAAAAAA40D2hqD8AAAAAAAAAAAAA.Po0HLI.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACGvptneApSELj9ucrBKETiiMMhk7L8E0CZ69oyAAAAAA==,,http%3A%2F%2Fads.kuigames.us%2Fpop.html,B%3D10%26H%3D%26M%3D5%26Z%3D0x0%26_salt%3D2038240574%26r%3D0%26s%3D6188085%26y%3D28,ffa248e4-34a7-11e4-8fe7-3cd92bff92de,1409885688096 | 98.138.49.43 |
| hxxp://evcs-crl.ws.symantec.com/evcs.crl | 23.9.117.163 |
| hxxp://www.kuigames.com/games/images/GhostBall.jpg | 141.101.118.57 |
| hxxp://ads.yahoo.com/imp?Z=160x600&s=6188085&T=3&_salt=1796922812&B=10&H=http://ads.kuigames.us/160x600.html&u=http://ads.kuigames.us/160x600.html&M=4&r=0 | 98.138.49.43 |
| hxxp://www.kuigames.com/games/images/Gravitex-2.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Warlords-Call-to-Arms.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/templates/indigo/images/module_header.png | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Galaxy-Wars-For-the-Sake-Of-the-Universe.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Fruits-Couple-Dress-Up.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/templates/indigo/blank.gif | 141.101.118.57 |
| hxxp://www.kuigames.com/templates/indigo/images/module_user.png | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Zoes-Messy-House.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Zodiac-Reactor.jpg | 141.101.118.57 |
| hxxp://ads.yahoo.com/imp?Z=468x60&s=6188085&T=3&_salt=4054896393&B=10&H=http://ads.kuigames.us/468x60.html&u=http://ads.kuigames.us/468x60.html&M=4&r=0 | 98.138.49.43 |
| hxxp://www.kuigames.com/templates/indigo/images/module_popular.png | 141.101.118.57 |
| hxxp://ads.kuigames.us/300x250.html | 104.28.6.118 |
| hxxp://www.kuigames.com/games/images/The-Endless-Drop.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Drift-Runners-2.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/templates/indigo/images/module_star.png | 141.101.118.57 |
| hxxp://www.kuigames.com/templates/indigo/images/home_cat_header.png | 141.101.118.57 |
| hxxp://252709031.qseach.com/redir.php | 192.121.167.58 |
| hxxp://c.statcounter.com/7040553/0/edbb565e/1/ | 67.215.253.140 |
| hxxp://www.kuigames.com/templates/indigo/images/searchbox.png | 141.101.118.57 |
| hxxp://www.kuigames.com/templates/indigo/images/logo.png | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Inner-Demon.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/uploads/avatars/default.png | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Enigmata-2-Genus-Revenge.jpg | 141.101.118.57 |
| hxxp://ads.yahoo.com/imp?Z=120x600&s=6188085&T=3&_salt=1166147371&B=10&H=http://ads.kuigames.us/120x600.html&u=http://ads.kuigames.us/120x600.html&M=4&r=0 | 98.138.49.43 |
| hxxp://www.kuigames.com/templates/hightek/images/anon.png | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Pyro.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Super-Fishing.jpg | 141.101.118.57 |
| hxxp://content.yieldmanager.com/ak/p.gif | 199.117.103.59 |
| hxxp://www.kuigames.com/games/images/Monkey-Talent.jpg | 141.101.118.57 |
| hxxp://content.yieldmanager.edgesuite.net/atoms/38/3b/c3/5a/383bc35a07d9cef4d21a25cb8636c781.swf?clickTag=http://ads.yahoo.com/clk?3,eJyljdFuwjAMRb-Gt6pKY7cLqvaQAqkQtBtSmBbe2mQkrGSb1LKOff0KVPzAjizfK.tajiDVQMDUCSRIqz3saRohQ6h1HKEOSJqmFAEfWDyNpsGHEav896V9tbN4lX9m.MKiUbXlN666uflndulCwNY1456emRyTzqDm.-D73fWjXXI-WDtnw7OcbYjN7ql855XkUPptv5YFUVJ3hRTHckbwSWZ-LTXupGkKqc7lfElUf798DALXdV8T4BMqhqpMGzang638Wxue2mGCCftJSOg6f.wDgolc6g==, | 23.67.244.10 |
| hxxp://www.kuigames.com/games/images/Bubblequod-2.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Sprout.jpg | 141.101.118.57 |
| hxxp://ads.yahoo.com/get-user-id?ver=2&s=6188085&ts=1409885688&sig=f649a3b6311803b2 | 98.138.49.43 |
| hxxp://www.kuigames.com/games/images/Reincarnation--A-Taste-Of-Evil.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Conquerium.jpg | 141.101.118.57 |
| hxxp://ads.kuigames.us/120x600.html | 104.28.6.118 |
| hxxp://ads.yahoo.com/get-user-id?ver=2&s=6188085&ts=1409885687&sig=61cb7a3de0b4d59d | 98.138.49.43 |
| hxxp://ads.yahoo.com/st?ad_type=iframe&ad_size=468x60§ion=6188085&pub_url=${PUB_URL} | 98.138.49.43 |
| hxxp://www.kuigames.com/games/images/Deadly-Neighbours.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Captain-Steelbounce.jpg | 141.101.118.57 |
| hxxp://ads.yahoo.com/imp?Z=728x90&s=6188085&T=3&_salt=2368955277&B=10&H=http://ads.kuigames.us/728x90.html&u=http://ads.kuigames.us/728x90.html&M=4&r=0 | 98.138.49.43 |
| hxxp://www.kuigames.com/ | 141.101.118.57 |
| hxxp://c.statcounter.com/7040548/0/9a85091e/1/ | 67.215.253.140 |
| hxxp://www.kuigames.com/games/images/Blocked-Out.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/templates/indigo/images/pages_menu_item_border.png | 141.101.118.57 |
| hxxp://crl.verisign.com/pca3-g5.crl | 23.7.69.163 |
| hxxp://content.yieldmanager.edgesuite.net/atoms/71/ca/f5/7e/71caf57efe61cc3184a879d13e20aca3.swf?clickTag=http://ads.yahoo.com/clk?3,eJyljWFPwjAQhn8N3-ZypWW0afzQASWTbagpU.nGOumwVElaxPjr3TKiP8Anl8uTuzd3CPOaJGzP9jqZIEZZPeWIUIJrPQHQEXDOxwhNGSEM4ei9kavld-WfTRrIyqaiZ52WjREDF7EQ4mPwe9p3KfGmtdf9413hB5vF-SkT.-Dzrb1cNev.CjOnAhY39AFM-ptabl3pKreebyBXBbwoHQolj-UMHUqX4VxpslWNLVSXeaps-Xf.NoraEE4jLEZj2dWu8bE9H8zOvfr47LsJSuArAYjb4I4.23hdAQ==, | 23.67.244.10 |
| hxxp://www.kuigames.com/games/images/Sproing-Reloaded.jpg | 141.101.118.57 |
| hxxp://www.directorio-w.com/ | 192.121.167.58 |
| hxxp://www.kuigames.com/games/images/Cardinal-Quest.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/P.O.D..jpg | 141.101.118.57 |
| hxxp://content.yieldmanager.edgesuite.net/atoms/5e/5e/48/47/5e5e48471469e5535a6811552a398d35.swf?clickTag=http://ads.yahoo.com/clk?3,eJyljd1ugkAQhZ.GO0pmf6RLNr0A6xKVXWuDtnoHbl0UtjFZLLZPXyjGF-jJ5OTLzJwcRLjOdUGDAtEOWIBDjiijpNjTA0UecM4xC9kjA8RC71OLRfKzce8mdnRRxVGvZay0iQa1vU0HfmG9C0HWZXW7v86lG2jip-dZ9A99ncr2hrO.XvPc9cEDW4GJ71.Jzqpkd1RWQppJ2Gb7RmaiVhMYK7yp00ydVDIdS7sm6k1-b9t78snzyqY5j0g0wqKbXDu.uhxNbj-cf3HdBmG4BgB-2dj6Fz08XPw=, | 23.67.244.10 |
| hxxp://ads.yahoo.com/imp?Z=0x0&y=28&s=6188085&_salt=2038240574&B=10&H=&u=http://ads.kuigames.us/pop.html&M=5&r=0 | 98.138.49.43 |
| hxxp://ads.kuigames.us/468x60.html | 104.28.6.118 |
| hxxp://ads.yahoo.com/imp?Z=300x250&s=6188085&T=3&_salt=4003166706&B=10&H=http://ads.kuigames.us/300x250.html&u=http://ads.kuigames.us/300x250.html&M=4&r=0 | 98.138.49.43 |
| hxxp://180730105.qseach.com/redir.php | 192.121.167.58 |
| hxxp://ads.yahoo.com/st?ad_type=iframe&ad_size=728x90§ion=6188085&pub_url=${PUB_URL} | 98.138.49.43 |
| hxxp://www.kuigames.com/templates/indigo/images/left_arrow.png | 141.101.118.57 |
| hxxp://kuigames.com/ | 141.101.118.56 |
| hxxp://www.kuigames.com/templates/indigo/style.css | 141.101.118.57 |
| hxxp://3e36y22v93d34l85tj4vs012m5r884.ipcheker.com/ | 192.121.167.58 |
| hxxp://www.kuigames.com/games/images/Epic-War-Saga.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Legend-of-the-Void.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Zoe-Animals-Doctor.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Indiana-Jones.jpg | 141.101.118.57 |
| hxxp://content.yieldmanager.edgesuite.net/atoms/b6/11/29/55/b6112955568fc2e8d1197b57b15f6a43.swf?clickTag=http://ads.yahoo.com/clk?3,eJydjd1ugkAQRp.GO0L2j7LNpheDiCEq1HSlwp0suOC6bROwLX36YrA-QE8mky8n32QwFbViStW-V.oVV0f1IDDjjJbKQwo7SAhBKPN8TJFHnLcqWi1.sm6vIdsTFsCVeJGWXzChYQGQT.mZX3cU0V1j9KTIwOWt-dK-3-T.-Dw1f09jgDHqkEON53yLdHBvLQubhmbIbXFayw3Kpeo3Mjonc9wWr.GwlpVNwhilMjNJGJh8e798cpym7z9mFGYkGudQda65tPpg6869dKPxCf9-RG7T2.MvjvleIA==, | 23.67.244.10 |
| hxxp://ads.yahoo.com/st?ad_type=iframe&ad_size=120x600§ion=6188085&pub_url=${PUB_URL} | 98.138.49.43 |
| hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab | 96.17.227.191 |
| hxxp://www.kuigames.com/games/images/Sam-Bike-Accident.jpg | 141.101.118.57 |
| hxxp://content.yieldmanager.edgesuite.net/flash_activate.js | 23.67.244.10 |
| hxxp://www.kuigames.com/games/images/Shameless-Clone-2.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Distopix.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Amberial-Nebulosa-Realms.jpg | 141.101.118.57 |
| hxxp://ads.yahoo.com/imp?Z=300x250&s=6188085&T=3&_salt=3230503250&B=10&H=http://ads.kuigames.us/300x250.html&u=http://ads.kuigames.us/300x250.html&M=4&r=0 | 98.138.49.43 |
| hxxp://ads.yahoo.com/st?ad_type=pop&ad_size=0x0§ion=6188085&banned_pop_types=28&pop_times=1&pop_frequency=21600&pub_url=${PUB_URL} | 98.138.49.43 |
| hxxp://www.kuigames.com/games/images/Wigman-Big-Run.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Planet-Juicer.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/includes/jquery-1.8.2.js | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Pirate-tresaure.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Wheel-of-Misfortune.jpg | 141.101.118.57 |
| hxxp://fpdownload.macromedia.com/get/flashplayer/update/current/install/install_all_win_cab_ax_sgn.z | 23.194.155.238 |
| hxxp://ads.kuigames.us/728x90.html | 104.28.6.118 |
| hxxp://ads.kuigames.us/pop.html | 104.28.6.118 |
| hxxp://www.kuigames.com/games/images/Heat-Rush-USA.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/includes/avarcade.js | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Dungeon-Defender.jpg | 141.101.118.57 |
| hxxp://content.yieldmanager.edgesuite.net/atoms/6c/0e/12/64/6c0e1264dba660d9b65103bbe5ec3ce6.png | 23.67.244.10 |
| hxxp://www.kuigames.com/games/images/Baby-Elsa-Skin-Allergy.jpg | 141.101.118.57 |
| hxxp://www.kuigames.com/games/images/Bubble-Harm.png | 141.101.118.57 |
| hxxp://www.kuigames.com/templates/indigo/images/right_arrow.png | 141.101.118.57 |
| hxxp://www.kuigames.com/images/overlay.png | 141.101.118.57 |
| 30324460.qseach.com | 192.121.167.58 |
| y1263nz903ui77u71n67v05swp4jah.ipcheker.com | 192.121.167.58 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the folowing location(s):