Gen:Variant.Adware.Graftor.153852 (B) (Emsisoft), Gen:Variant.Adware.Graftor.153852 (AdAware), PUPAirInstaller.YR (Lavasoft MAS)
Behaviour: Installer, PUP, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 6e07c3041dd88f2818a362703796850c
SHA1: 768e3435276e368d723b8df06e72b8bd9f353844
SHA256: b365e1ac88c19e2f003800aa531a7c1eb8650125029a0f584b3f338e4adf3afe
SSDeep: 24576:OOvwGqD8p bmfe0LBcZEtEl/D9sJePRw4a:tyW 0exlb9sJePW5
Size: 929688 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Install Manager
Created at: 2014-08-30 01:54:13
Analyzed on: WindowsXP SP3 32-bit
Summary: Installer. An installation package.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Installer creates the following process(es):
%original file name%.exe:1552
The Installer injects its code into the following process(es):
setup.exe:264
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process setup.exe:264 makes changes in the file system.
The Installer creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
The process %original file name%.exe:1552 makes changes in the file system.
The Installer creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\setup.exe (7345 bytes)
The Installer deletes the following file(s):
C:\%original file name%.exe (0 bytes)
Registry activity
The process setup.exe:264 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 14 08 E4 A7 E0 24 36 A9 9F 08 F9 73 4D 1B 18"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Installer modifies IE security-zone settings so that all local web nodes with no dots in their name that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Installer modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Installer modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Installer deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1552 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 67 AB BA 04 0C 64 F6 59 05 7C 69 16 91 C1 A0"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1552
- Delete the original Installer file.
- Delete or disinfect the following files created/modified by the Installer:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup.exe (7345 bytes)
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Install Manager
Product Name: Download Manager
Product Version: 2.0.66.0
Legal Copyright: (c) Install Manager
Legal Trademarks:
Original Filename: setup.exe
Internal Name: setup.exe
File Version: 2.0.66.0
File Description: Download Manager
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 1888256 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 1892352 | 864256 | 862208 | 5.49421 | 52d136d6f5c5d3d5445c6b0134d9d33f |
.rsrc | 2756608 | 65536 | 64000 | 3.60973 | 1e03c7cc29a7241fa53c2be3e99dfb53 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 226
01687b82e003e54cdcf7e227a62928a1
8e12b9a457b1c73287426c799c5ae0a6
020269fc981552d6d314487df6c1acad
ff83757c9f8b23299c6dc9073e757617
8ac232e8c803cf9994b79d623337aac8
60888bf7bb4c2bb74d2cfc605be97019
dac3061d4ec78ec1d6924fe2a7d3a377
2c0e2cef9fabbf17b96affa61440f478
93dbaa899f4fbf1aaa8a233f6b51a36d
882e6b8a06246f99720fc34f4ec948f3
0d7b202eedba55687de1f31be38a839e
de38de7d2e6b3bf877f6fdbb81a5a6f3
109c7b6805e04284540529b036b8ed89
692935f295561f9c3baa5709a91d3411
041984c562cabea6d2e18de32f49861c
5ee8f3dfa6194bac4eb18bf98e1d83fa
34170675f4bea8cd0ed3e388604f7c05
c2ba2a4ae310845605ae555ab094b226
e5a26e91dde9ce541a7b4d04c99d8c12
cc6e3c92c6a5703b5797bb75095aa756
c4f341d3647db4cdc80687420cc85e90
39ccdb0a8e9fd4531761ad28f22cf525
9bd82d6eda07f9012c2ec0816f0e0c1d
68e141edba56a1957db5d75eab1176dc
f97aaf76bba26082d839d5b86643681d
8dae9a9ca27d52c64e623ac54f306360
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Installer connects to the servers at the following location(s):
Strings from Dumps
setup.exe_264:
`.rsrc
G SSh
SSSSSSh
f;T$.uBf
QSShXc_
tFHt:Ht.Ht"Hu`
j%XtL9E
SSSSh
t'SShl
u$SShe
tWSShW
tl9_ tgSSh
FTCP
u.PhD6]
tAHt.HHt
FtPW
SSh@B
s%j.Zf
xSSSh
FTPjKS
FtPj;S
C.PjRV
CCmdTarget
RegDeleteKeyTransactedW
CNotSupportedException
CHttpConnection
CHttpFile
RegDeleteKeyExW
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
TaskDialogIndirect
CMDIChildWnd
CMDIFrameWnd
CMDIClientAreaWnd
CMFCToolBarsKeyboardPropertyPage
cmd.exe
GetProcessWindowStation
operator
portuguese-brazilian
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
taskkill /f /im iexplore.exe
taskkill /f /im chrome.exe
taskkill /F /IM firefox.exe
Keys
urlmon
RegOpenKeyTransactedW
EULA | Privacy Policy |