Detection names: not-a-virus:AdWare.Win32.Lollipop.qn (Kaspersky), Gen:Variant.Application.Bundler.DomaIQ.3 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour:
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: fa62aa8779bfbe9a3a135c6427a40c01
SHA1: 010712d3f87d10868a260f40a870f7f0cd5da091
SHA256: dabe2f91804f1cb73d4de85bcde320b33bcb7efb4dccd34a6ee380a89dc31a04
SSDeep: 12288:4MKMxKOU2lU7LXCl8EzBbjEtyYRHQQsfs1vRr:XNB2XX1FwQsfs1V
Size: 502104 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-04-25 20:58:16
Analyzed on: WindowsXP SP3 32-bit
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Malware creates the following process(es):
android.exe:304
android.exe:1556
The Malware injects its code into the following process(es):
%original file name%.exe:1068
File activity
The process android.exe:1556 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp (30321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\android\SQLite.Interop.dll (20624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\android\android.exe.config (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\android\android.exe (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\android\System.Data.SQLite.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\android\Newtonsoft.Json.dll (15168 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp (0 bytes)
The process %original file name%.exe:1068 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position1A.css (421 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\New_Player[2] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\temp\Dockings.dfe (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin.dmc (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position2C.css (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\check-close.png (243 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\boton_xl.jpg (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position3C.css (638 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\box.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\bullet-short.gif (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-ifish.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-miul.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\finish.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\android.exe (8656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-printpdf.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\butpause.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\group.html (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\welcome.html (151 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\logo-win.jpg (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\hide.png (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\butplay.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-zipper.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\progress.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position3A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-geaudioconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\style.css (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\temp\templateDisplays.dfe (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\boton.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\bullet.gif (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position2A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\doma[1].js (73 bytes)
%System%\wbem\Logs\wbemprox.log (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\cross.jpg (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\close.html (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\loading[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position2B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\check.png (398 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\box[1].html (1031 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\show.png (235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position3D.css (539 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\check.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\instalando.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position3B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\progress_small_bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bg_app[1].png (4174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\New_Player[1] (1008 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\progress_small.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\box[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\loading[1].css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\less.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\temp\templateStyle.dfe (5160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-gevideoconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\options.html (965 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-olivebrowser.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\bg_app.png (1856 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@images.imagesdownloader[1].txt (252 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dfs1.tmp (291 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\config.dmc (1 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\percentage-bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\base.css (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position4A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\more.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-vafmusic.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-vafplayer.png (784 bytes)
Registry activity
The process android.exe:304 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C CA 4E 73 98 48 5A 01 FA 93 66 FA 84 25 88 85"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\anset\com.mobilesoftdroid.videoplayer]
"can" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process android.exe:1556 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 D6 B5 AF 85 E7 E1 B1 62 DC 8D 8E A9 FB 0A BC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:1068 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227]
"android.exe" = "android"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1398448696"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 F0 20 BC 37 A9 4B DB 44 92 39 69 F5 01 9C 1F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Malware changes the IE security-zone map so that all network paths (UNCs) are treated as Intranet Zone sites:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Malware changes the IE security-zone map so that all sites that bypass the proxy server are treated as Intranet Zone sites:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware changes the IE security-zone map so that all local (intranet) sites not listed in another zone are treated as Intranet Zone sites:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Pages in the Intranet Zone run with weaker security settings than pages in the Internet Zone, so these three writes widen the set of content IE treats as trusted rather than adding a single trusted site.
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
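The registry listing above is long and mostly operating-system churn (RNG seed reseeding, Shell Folders lookups, MountPoints2 entries); the handful of writes that matter are the ZoneMap and proxy changes and the vendor key under HKLM\SOFTWARE\anset. The following is an added example, not Lavasoft's tooling: it parses the report's own "[KEY]" / "Name" = "Value" format into events, drops the noise, and reports the weakened-IE, proxy-removal and install-marker writes. The noise list, the "non-Microsoft HKLM\SOFTWARE key is an install marker" heuristic and the sample excerpt are assumptions made for the example; the excerpt copies lines from this report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Key suffixes compared case-insensitively; Windows registry paths are case-insensitive.
INET = "software\\microsoft\\windows\\currentversion\\internet settings"
ZONEMAP_WIDENERS = {"UNCAsIntranet", "ProxyBypass", "IntranetName"}
PROXY_VALUES = {"ProxyServer", "AutoConfigURL", "ProxyOverride"}
# Assumed noise: written by the OS on almost any program start, not by the sample's own logic.
NOISE = ("\\cryptography\\rng", "\\explorer\\shell folders", "\\explorer\\mountpoints2\\")


@dataclass
class RegEvent:
    action: str            # "set" or "delete"
    key: str
    name: str
    value: Optional[str]   # None for deletions


def parse_registry_activity(text: str) -> List[RegEvent]:
    """Parse the report's Registry activity listing.

    A "[KEY]" line sets the current key; a '"Name" = "Value"' line records a
    write under it; the tool's "creates and/or sets" / "deletes the following
    value(s)" sentences switch mode, and in delete mode a lone '"Name"' line is
    a removed value. Any other narration line is ignored.
    """
    events: List[RegEvent] = []
    mode, key = "set", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "creates and/or sets" in line:
            mode = "set"
            continue
        if "deletes the following value" in line:
            mode = "delete"
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            key = m.group(1)
            continue
        m = re.fullmatch(r'"([^"]+)"\s*=\s*"(.*)"', line)
        if m and key:
            events.append(RegEvent("set", key, m.group(1), m.group(2)))
            continue
        m = re.fullmatch(r'"([^"]+)"', line)
        if m and key and mode == "delete":
            events.append(RegEvent("delete", key, m.group(1), None))
    return events


def assess(events: List[RegEvent]) -> List[str]:
    """Return one finding per security-relevant write, skipping OS noise."""
    findings: List[str] = []
    for e in events:
        k = e.key.lower()
        if any(n in k for n in NOISE):
            continue
        if e.action == "set" and k.endswith(INET + "\\zonemap") \
                and e.name in ZONEMAP_WIDENERS and e.value == "1":
            findings.append(f"IE intranet zone widened: {e.name}=1 ({e.key})")
        elif e.action == "set" and k.endswith(INET) and e.name == "ProxyEnable" and e.value == "0":
            findings.append(f"proxy disabled: ProxyEnable=0 ({e.key})")
        elif e.action == "delete" and k.endswith(INET) and e.name in PROXY_VALUES:
            findings.append(f"proxy configuration removed: {e.name} deleted ({e.key})")
        elif e.action == "set" and k.startswith("hklm\\software\\") \
                and not k.startswith("hklm\\software\\microsoft\\"):
            # Heuristic (assumption): a vendor-named machine-wide key is an install marker.
            findings.append(f"non-Microsoft machine-wide key written, possible install marker: {e.key}")
    return findings


# Excerpt of this report's Registry activity section, used as sample input.
SAMPLE = r"""
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C CA 4E 73 98 48 5A 01 FA 93 66 FA 84 25 88 85"
[HKLM\SOFTWARE\anset\com.mobilesoftdroid.videoplayer]
"can" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
"""

if __name__ == "__main__":
    for finding in assess(parse_registry_activity(SAMPLE)):
        print(finding)
```

Run against the full section of this report the same rules also catch the second ProxyEnable=0 write under the HKLM hardware-profile Internet Settings key, because the match is on the key suffix rather than on the hive.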
Dropped PE files
MD5 | File path |
---|---|
56f46da99169a5f7aa239a47b5c9a01f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\android\Newtonsoft.Json.dll |
2f7c03e1030040c8b76c7f1018595eec | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\android\SQLite.Interop.dll |
b18a5f2d68be257d48748b42f20ff1d6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\android\System.Data.SQLite.dll |
f19b37bddd81b527667742e73257ac05 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\android\android.exe |
427739ef23cd55fd0bff302e47fff230 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\android.exe |
8b2376ab901ac90c9d8799f4b454b3de | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\dfs1.tmp |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
android.exe:304
android.exe:1556
- Delete the original Malware file.
- Delete or disinfect the following files created/modified by the Malware:
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp (30321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\android\SQLite.Interop.dll (20624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\android\android.exe.config (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\android\System.Data.SQLite.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\android\Newtonsoft.Json.dll (15168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position1A.css (421 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\New_Player[2] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\temp\Dockings.dfe (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin.dmc (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position2C.css (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\check-close.png (243 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\boton_xl.jpg (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position3C.css (638 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\box.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\bullet-short.gif (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-ifish.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-miul.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\finish.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\android.exe (8656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-printpdf.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\butpause.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\group.html (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\welcome.html (151 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\logo-win.jpg (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\hide.png (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\butplay.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-zipper.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\progress.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position3A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-geaudioconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\style.css (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\temp\templateDisplays.dfe (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\boton.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\bullet.gif (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position2A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\doma[1].js (73 bytes)
%System%\wbem\Logs\wbemprox.log (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\cross.jpg (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\close.html (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\loading[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position2B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\check.png (398 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\box[1].html (1031 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\show.png (235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position3D.css (539 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\check.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\instalando.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position3B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\progress_small_bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bg_app[1].png (4174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\New_Player[1] (1008 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\progress_small.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\box[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\loading[1].css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\less.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\temp\templateStyle.dfe (5160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-gevideoconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\options.html (965 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-olivebrowser.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\bg_app.png (1856 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@images.imagesdownloader[1].txt (252 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dfs1.tmp (291 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\config.dmc (1 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\percentage-bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\base.css (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position4A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\more.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-vafmusic.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-vafplayer.png (784 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 111040 | 111104 | 4.53141 | a2187127065cd8daad8384d86ccb55c3 |
.rdata | 118784 | 42500 | 43008 | 3.51028 | fd4e38eb2d9d9ac009e547b4daa9993b |
.data | 163840 | 25588 | 16896 | 3.96452 | 1c3be92f843fca6b4403c1d0f45bbcb3 |
.rsrc | 192512 | 307216 | 307712 | 4.50324 | e95bab7400346fd9510b94f5f2b1afdf |
.reloc | 503808 | 16560 | 16896 | 2.75723 | 9744f113d2c482da8ecc8b9dd3156811 |
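The section table above, and the "Entropy: Not Packed" verdict in the summary, come from reading the PE section headers and measuring each section's raw bytes. The following is an added example, not Lavasoft's code, showing how that is done with the Python standard library alone: it walks the DOS header, PE signature, COFF header and section table with struct, computes Shannon entropy and MD5 per section, and flags any section above an assumed 7.0 bits/byte threshold as likely compressed or encrypted (the threshold is the example's choice, not the tool's). The PE it analyses is constructed inline and is not the sample in this report.

```python
import hashlib
import math
import struct
from collections import Counter

PACKED_ENTROPY = 7.0  # assumed threshold in bits/byte; not a Lavasoft value


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def parse_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table; describe each section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsec):
        (name, vsize, vaddr, rawsize, rawptr,
         _, _, _, _, _flags) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[rawptr:rawptr + rawsize]       # bytes as stored on disk, not as mapped
        ent = shannon_entropy(raw)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": round(ent, 5),
            "md5": hashlib.md5(raw).hexdigest(),
            "suspicious": ent > PACKED_ENTROPY,
        })
    return sections


def packer_verdict(sections: list) -> str:
    """Collapse per-section entropy into the one-line verdict the report prints."""
    hot = [s["name"] for s in sections if s["suspicious"]]
    return "Possibly packed (" + ", ".join(hot) + ")" if hot else "Not Packed"


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 for this example; it is NOT the analysed sample."""
    text_bytes = b"\x90" * 60 + b"\xc3" * 4    # NOP sled plus RETs: very low entropy
    rsrc_bytes = bytes(range(256))              # every byte value once: entropy exactly 8.0
    opt = bytes(224)                             # zeroed PE32 optional header, standard size
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)

    def sec(name, vaddr, raw, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), rawptr, 0, 0, 0, 0, flags)

    table = (sec(b".text", 0x1000, text_bytes, 0x200, 0x60000020)
             + sec(b".rsrc", 0x2000, rsrc_bytes, 0x400, 0x40000040))
    img = dos + coff + opt + table
    img += bytes(0x200 - len(img)) + text_bytes   # .text raw data at file offset 0x200
    img += bytes(0x400 - len(img)) + rsrc_bytes   # .rsrc raw data at file offset 0x400
    return img


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    print("Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5")
    for s in secs:
        print(f"{s['name']} | {s['virtual_address']} | {s['virtual_size']} | "
              f"{s['raw_size']} | {s['entropy']} | {s['md5']}")
    print("Entropy:", packer_verdict(secs))
```

Entropy is measured over the raw on-disk bytes, which is why a section such as .data above can have a virtual size larger than its raw size (uninitialised data is not stored in the file) without affecting the figure. The report's sections all sit between 2.7 and 4.6 bits/byte, consistent with unpacked native code, data and resources, which is what its "Not Packed" verdict reflects.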
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 249
2973c273d3e50711e55ac50894ea66a9
b6e486b55cc560d109a826429669207e
b622e88106dadead0d89fbb813ca3bf0
f1a709e60dd4d57b676cb15e79179dec
da62f81a47f4b113d71ebde818f40cd7
9a752f4bbc949a82dc647da9205c0ca3
ab776de4cb2fca47681df90885554acb
cc441eec85a2ef3132833051cca0ede6
90143f82d5c49380ca4e17240cd13d73
8fc71a6655e98dfc0d88c714902baac6
f8ad8dd9f0cae9ad6e326da30cc44ab2
371ec40b606cb3d93064a3cfb6e1b9a8
8a719c547fe8210ae71a0b941aa7d45d
2c75b449da24ea4436218681a0b5f9d5
4b40f0d512e324cf0f726bb3f90e1f84
4502714c66639a4e4e9808466cde7ba1
b174f068a58fde6df828ba67af9244f3
d9ec2e0ac602ba62cc2bacee8b8b40d4
68a8550590b1136238fd7bb0098275e8
a6e1a1d2d9e574229411d32f8f2d3f50
e0e7b9573af88fbaf25626bf11d25816
5b81d6fb885d04964ed99a12f9ca19de
23208ed95a5afe04399f05dda385fa3e
f274b843dd83513d2c355d64de568af6
b1d4a481c78f7d742d358a480eb8cc2d
53f09804957654fc8aad66e1a774005b
Network Activity
URLs
URL | IP |
---|---|
hxxp://API-XML-1918203848.us-west-2.elb.amazonaws.com/index.php/apiLoading/737.html | |
hxxp://staticrr.tgusrv.com/Loading/ab3232d7_loading_green/box.html | |
hxxp://staticrr.tgusrv.com/Loading/ab3232d7_loading_green/loading.css | |
hxxp://staticrr.tgusrv.com/sdb/doma.js | |
hxxp://staticrr.tgusrv.com/Loading/ab3232d7_loading_green/images/bg_app.png | |
hxxp://landings-ss-1797368240.us-west-2.elb.amazonaws.com/screenshot/icon/%mapp% | |
hxxp://landings-ss-1797368240.us-west-2.elb.amazonaws.com/screenshot/380x220/%mapp% | |
hxxp://staticrr.tgusrv.com/Loading/ab3232d7_loading_green/images/loading.gif | |
hxxp://landings-ss-1797368240.us-west-2.elb.amazonaws.com/screenshot/icon/New_Player | |
hxxp://landings-ss-1797368240.us-west-2.elb.amazonaws.com/screenshot/380x220/New_Player | |
hxxp://API-XML-1918203848.us-west-2.elb.amazonaws.com/index.php/api/151/New_Player/604/737/English/WW.xml | |
hxxp://staticrr.tgusrv.com//Styles/Templates/e9c1a9ca_Win_A_Banner_DeclineLink.zip | |
hxxp://staticrr.tgusrv.com//Displays/Templates/8a204893_Win_A_Banner_DeclineLink.zip | |
hxxp://staticrr.tgusrv.com//Docking/Docking.zip | |
hxxp://staticrr.tgusrv.com/Apps/toolbars/apkSetup4.exe | |
hxxp://awstrack01.tguhost.com/debug/android/9/can/0 | |
staticrr.allfiles134.com | 85.12.8.28 |
api.v2.secdls.com | 54.213.138.138 |
tb.myappupdate.com | 85.12.8.28 |
dtrack.secdls.com | 54.218.7.114 |
staticrr.safetydownload.net | 192.99.46.67 |
staticrr.paleokits.net | 85.12.5.2 |
images.imagesdownloader.com | 54.213.178.50 |
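The table above mixes defanged URLs (hxxp://) without resolved IPs and bare hostnames with IPs, and the two ELB hostnames recur with different paths. The following is an added example, not Lavasoft's code: it parses rows in that format, refangs the scheme, reduces each row to a hostname (keeping the IP where the report gave one), and emits one local Suricata rule per host on the HTTP Host header. The rule template, the sid range starting at 1000001, the "policy-violation" classtype and the sample rows excerpted from this table are the example's assumptions; the http.host sticky buffer requires Suricata 5 or later and is matched lowercase, so the host is never uppercased and no nocase modifier is used.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

HOST_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$")


def refang(indicator: str) -> str:
    """Turn the report's defanged hxxp:// or hxxps:// scheme back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", indicator, flags=re.IGNORECASE)


def parse_network_table(text: str) -> Dict[str, str]:
    """Return {hostname: ip} from 'URL | IP |' rows; ip is '' when the row gave none."""
    hosts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if "|" not in line or line.startswith("URL |") or line.startswith("---"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        left = cells[0]
        ip = cells[1] if len(cells) > 1 else ""
        if left.lower().startswith(("hxxp://", "hxxps://", "http://", "https://")):
            host = urlsplit(refang(left)).hostname or ""   # .hostname is already lowercased
        else:
            host = left.lower()
        if not HOST_RE.match(host):
            continue
        if host not in hosts or (ip and not hosts[host]):
            hosts[host] = ip                                # first IP seen wins, '' never overrides one
    return hosts


def suricata_rules(hosts: Dict[str, str], sid_base: int = 1000001,
                   family: str = "DomaIQ bundler") -> List[str]:
    """One alert per host on the HTTP Host header; sids from the local range (assumption)."""
    rules: List[str] = []
    for i, host in enumerate(sorted(hosts)):
        rules.append(
            "alert http $HOME_NET any -> $EXTERNAL_NET any "
            f'(msg:"LOCAL {family} host {host}"; flow:established,to_server; '
            f'http.host; content:"{host}"; classtype:policy-violation; '
            f"sid:{sid_base + i}; rev:1;)"
        )
    return rules


# Rows excerpted from this report's Network Activity table, used as sample input.
SAMPLE_TABLE = """
URL | IP |
---|---|
hxxp://API-XML-1918203848.us-west-2.elb.amazonaws.com/index.php/apiLoading/737.html | |
hxxp://staticrr.tgusrv.com/Loading/ab3232d7_loading_green/box.html | |
hxxp://staticrr.tgusrv.com/sdb/doma.js | |
hxxp://landings-ss-1797368240.us-west-2.elb.amazonaws.com/screenshot/icon/%mapp% | |
hxxp://awstrack01.tguhost.com/debug/android/9/can/0 | |
staticrr.allfiles134.com | 85.12.8.28 |
tb.myappupdate.com | 85.12.8.28 |
images.imagesdownloader.com | 54.213.178.50 |
"""

if __name__ == "__main__":
    found = parse_network_table(SAMPLE_TABLE)
    for host, ip in sorted(found.items()):
        print(f"{host:55s} {ip or '-'}")
    print()
    print("\n".join(suricata_rules(found)))
```

Two of the report's URLs contain the template variable %mapp% in the path; the parser only needs the host, so those rows still yield a usable indicator. The ELB hostnames are worth keeping as indicators but are a weak long-term signal, since AWS load-balancer names are cheap to rotate.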
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic