Trojan.NSIS.StartPage_caeefb1c98

by malwarelabrobot on April 26th, 2017 in Malware Descriptions.

not-a-virus:HEUR:AdWare.Win32.Generic (Kaspersky), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: caeefb1c98ca62a1a61370b9c8888f7d
SHA1: 6c410e5d614fd87bb426dde5f2774195dd1327f0
SHA256: 4cb00c12849d7b2b3a243f2dbd6c3dcdfe695ba73f4e83095940096eda21c1c2
SSDeep: 196608:RxPy2jc1rJpCHQlb5TTqXWRGIFig ufkPEZbn70DtlU6G:Dyd1rJpsk6XWHkPin70Dg
Size: 6700492 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-12-27 07:38:55
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:3684

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3684 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\check[1].xml (543 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\BrandingURL.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\modern-header.bmp (1358 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\INetC.dll (46 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\System.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\Mars_Installer[1].exe (18984 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\check.xml (543 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\modern-wizard.bmp (8323 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\Facebook.bmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\IMarsInstaller.exe (20504 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\XML.dll (2127 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\GetVersion.dll (14 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFC87.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp (0 bytes)

Registry activity

The process %original file name%.exe:3684 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\caeefb1c98ca62a1a61370b9c8888f7d_RASMANCS]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\caeefb1c98ca62a1a61370b9c8888f7d_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\caeefb1c98ca62a1a61370b9c8888f7d_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\caeefb1c98ca62a1a61370b9c8888f7d_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\caeefb1c98ca62a1a61370b9c8888f7d_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\caeefb1c98ca62a1a61370b9c8888f7d_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\caeefb1c98ca62a1a61370b9c8888f7d_RASMANCS]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
e63fa30e0be4b995129f0f6fd2ac323a c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\Mars_Installer[1].exe
71c46b663baa92ad941388d082af97e7 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\BrandingURL.dll
dc9562578490df8bc464071f125bfc19 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\GetVersion.dll
e63fa30e0be4b995129f0f6fd2ac323a c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\IMarsInstaller.exe
92ec4dd8c0ddd8c4305ae1684ab65fb0 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\INetC.dll
0ff5120f1afd0f295c2baa0f7192d3f8 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\System.dll
42df1fbaa87567adf2b4050805a1a545 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\XML.dll
c4be29cd82d2d02fabadb153c8a54846 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\nsDialogs.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ScreenSaverGift.com
Product Name: Flowers 1 Screensaver
Product Version: 1.0.0.0
Legal Copyright: Copyright (c) 2017 ScreenSaverGift.com
Legal Trademarks: Copyright (c) 2017 ScreenSaverGift.com
Original Filename: Flowers 1 Screensaver.exe
Internal Name: Flowers 1 Screensaver.exe
File Version: 1.0.0.0
File Description: Flowers 1 Screensaver
Comments: ScreenSaverGift.com
Language: Russian (Russia)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 24124 24576 4.45853 1a13b408c917b27c9106545148d3b8d3
.rdata 28672 4714 5120 3.46982 921acf8cb0aea87c0603fa899765fcc2
.data 36864 154936 1536 2.97482 797517c6ef57aa95d53df2cf07568953
.ndata 192512 122880 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 315392 115720 116224 3.90744 04e6e2ca76e4a69ab71e63ebf3000724

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.screensavergift.com/wp-content/data/check.php 5.9.51.208
hxxp://www.screensavergift.com/wp-content/data/check.xml 5.9.51.208
hxxp://dlmars.com/offers.php?9/eQ 8eZqLA=
hxxp://dlmars.com/Mars_Installer.exe
hxxp://www.dlmars.com/offers.php?9/eQ 8eZqLA= 34.197.156.205
hxxp://www.dlmars.com/Mars_Installer.exe 34.197.156.205


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

GET /wp-content/data/check.php HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.screensavergift.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Date: Tue, 25 Apr 2017 09:14:02 GMT
Server: Apache
Location: hXXp://VVV.screensavergift.com/wp-content/data/check.xml
X-Powered-By: PleskLin
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html



GET /wp-content/data/check.xml HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.screensavergift.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Tue, 25 Apr 2017 09:14:02 GMT
Server: Apache
Last-Modified: Wed, 15 Mar 2017 23:06:28 GMT
ETag: "340125-21f-54accfe8e5afe"
Accept-Ranges: bytes
Content-Length: 543
X-Powered-By: PleskLin
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/xml
<?xml version="1.0" encoding="utf-8"?>
<Sponsors>
<Mode Type="Multi"></Mode>
<IMs><Data Active="Yes" Url1="hXXp://VVV.dlmars.com/offers.php?9/eQ 8eZqLA=" CMD="/cbid=9/eQ 8eZqLA="></Data></IMs>
<IMP><Data Active="No" Url1="-" Url2="-" Url3="-"></Data></IMP>
<SaveSense><Data Active="Yes"></Data></SaveSense>
<Opti><Status Active="Yes"></Status></Opti>
<Extra><Data Active="No" Url="-"></Data></Extra>
<LandingFinish><Data Active="Yes" Url="hXXp://VVV.screensavergift.com/installation-finished/"></Data></LandingFinish>
</Sponsors>

GET /Mars_Installer.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.dlmars.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Tue, 25 Apr 2017 09:14:28 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Mon, 24 Apr 2017 08:22:09 GMT
ETag: "194802e-4a10e-54de54da40e40"
Accept-Ranges: bytes
Content-Length: 303374
Connection: close
Content-Type: application/octet-stream

GET /offers.php?9/eQ 8eZqLA= HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.dlmars.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Found
Date: Tue, 25 Apr 2017 09:14:28 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.3
Cache-Control: no-cache, must-revalidate
Content-Disposition: attachment; filename="Imars.exe"
Location: hXXp://VVV.dlmars.com/Mars_Installer.exe
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


The Trojan connects to the servers at the following location(s):


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\check[1].xml (543 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\BrandingURL.dll (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\modern-header.bmp (1358 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\INetC.dll (46 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\System.dll (22 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\Mars_Installer[1].exe (18984 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\check.xml (543 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\modern-wizard.bmp (8323 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\Facebook.bmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\IMarsInstaller.exe (20504 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\nsDialogs.dll (21 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\XML.dll (2127 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB6.tmp\GetVersion.dll (14 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
