PUP-XDW-GW_0c6c480a91
PUP-XDW-GW (McAfee), PUA.Bundler (Ikarus)
Behaviour: PUP
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 0c6c480a91347c1d69d4ab96a19a4f16
SHA1: 0ef77b7e98f4e57b5b8a610b4a1a9f7a711db1ae
SHA256: 4eee48734395839b14b48d9e4c36baebcf2e38153a2b7a1ddd5e5151fb62687c
SSDeep: 49152:0GtKAqHmlVW6KnsTWrS1NzToW6KnsTWrS1NzT:EEVzTKCvozTKCv
Size: 2058752 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2018-01-25 18:13:32
Analyzed on: Windows7 SP1 32-bit
Summary:
PUP. Potentially Unwanted Program. An application that does not display malicious behavior yet is installed without having first sought affirmative user consent for installation. Users may not realize, due to the nature of the installation procedure, that an application they have not explicitly agreed to has been installed. This category can also be used to classify other applications which in a certain context can be wanted e.g. remote administration tools or IRC clients.
Payload
No specific payload has been found.
Process activity
The PUP creates the following process(es):
%original file name%.exe:2692
The PUP injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2692 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\normal_bg4[1].png (5564 bytes)
Registry activity
The process %original file name%.exe:2692 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\0c6c480a91347c1d69d4ab96a19a4f16_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\0c6c480a91347c1d69d4ab96a19a4f16_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1516896812"
[HKLM\SOFTWARE\Microsoft\Tracing\0c6c480a91347c1d69d4ab96a19a4f16_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\0c6c480a91347c1d69d4ab96a19a4f16_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
"WindowClassName" = "DDEMLMom"
[HKLM\SOFTWARE\Microsoft\Tracing\0c6c480a91347c1d69d4ab96a19a4f16_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\0c6c480a91347c1d69d4ab96a19a4f16_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\0c6c480a91347c1d69d4ab96a19a4f16_RASMANCS]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\0c6c480a91347c1d69d4ab96a19a4f16_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\0c6c480a91347c1d69d4ab96a19a4f16_RASMANCS]
"EnableFileTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The PUP deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFavoritesInitialSelection"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFeedsInitialSelection"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 651134 | 651264 | 5.07365 | b156df5eee7af3928fa4a6da3cedb360 |
.rdata | 655360 | 23148 | 23552 | 3.32851 | 98e2341d27ec2978c7700ddfc06bf644 |
.data | 679936 | 4872 | 2048 | 1.58133 | a3b0fcae795191a66d5c24e94fa13e45 |
.gfids | 688128 | 208 | 512 | 1.11946 | d5c97fb6163a79ed387fe87f291b8b8f |
.rsrc | 692224 | 1380136 | 1380352 | 5.51689 | 7cb9d3e69cffd13bf09ab0e53ea17126 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 171
015094c3630e678862a33852b335344a
68620b246faf20227ec3aa85e9560d32
aab7dc3608cae605c99fbdf1487506e2
3769a71586f4e8c181cd62120d6f66b6
6cf5e01a697262a8a2e4799aa6a48988
8888f60a3ec12c947630e9a8e05a444b
0b06bbcd1d4b147b55b55eb959064f48
d05c022f9cac610d67c6eec5b0e491ed
b4258d9c951a645b7fdffea9a9467dd2
28ce9a02da3a223acc65e438dc2c712d
cfaadfcaf7fe7e61e592ac64d4a661f8
12191e4de56805287d2a31b6107ea680
04fdb52fe4f72f764f00c2e7bd8c395e
656ef87d616925db945479b13c7a4116
a82728e24c3dc3ea1474564eb49c57dd
a0dbfe28dcd2a50392ecc2eda59f9265
cbd475bbfc91c0dc695250b31f404919
c6276fc85b18d6de2cee0c61681d8b79
b79346dc161c2349ce660d323a0ae394
b2becb285674e3bef1af103e3c8cc43f
2b7056b385dbd99529ee7e44b329a8dc
a4aaad540474d947e0212be99a7fa508
7618402e78adb82dfe63c9e32dc20b4c
1b5694eeefeb8b75c1c2c1716ff11624
9029b51753f9a63d47a7a425feeafde7
178d48f9f2a5cdb3e22af627c05fcd5e
URLs
URL | IP |
---|---|
hxxp://lamp.troublerifle.bid/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=18828533&aff_sub3=&aff_sub4=LP_DEF&aff_sub5=1335843669&url=http://lamp.troublerifle.bid/offer.php?affId={aff_id}&trackingId=314063080&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&osd=1608&res=1276x846&v=3 | 52.85.17.22 |
hxxp://lamp.troublerifle.bid/offer.php?affId=1006&trackingId=314063080&instId=11&ho_trackingid=HO5ad4bbbde3ee3&cc=UA&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&osd=1608&res=1276x846&v=3 | 52.85.17.22 |
hxxp://lip.healthcakes.men/installer.php?affId=1006&instId=11&ho_trackingid=HO5ad4bbbde3ee35ad4bbbe21ee1&trackingId=314063080&cc=UA&untracked=&uac=1&osd=1608&net=4.5.50709&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 | 52.85.17.212 |
hxxp://kiss.oatmealscene.loan/installer.php?affId=1006&instId=11&ho_trackingid=HO5ad4bbbde3ee35ad4bbbe21ee1&trackingId=314063080&cc=UA&untracked=&uac=1&osd=1608&net=4.5.50709&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 | 54.88.21.193 |
hxxp://d2adi7hu49xk5t.cloudfront.net/normal_bg4.png | 52.85.17.101 |
hxxp://kiss.oatmealscene.loan/report.php?typ=sys&affId=1006&instId=11&ho_transId=HO5ad4bbbde3ee35ad4bbbe21ee1&transId=314063080&chk_s_b=VMware-56 4d a7 48 b6 81 1f 90-3f 36 cc ce af 92 9a d2&chk_s_v=HPQOEM - 6040000&chk_c_ma=VMware, Inc.&chk_c_mo=VMware Virtual Platform&chk_mac=00:50:56:3C:AC:7120:41:53:59:4E:FF&randid=0.6090532423372159 | 54.88.21.193 |
hxxp://kiss.oatmealscene.loan/report.php?typ=conversion&transId=314063080&affId=1006&instId=11&ho_transId=HO5ad4bbbde3ee35ad4bbbe21ee1&s1=2735&s2=18828533&s3=&s4=LP_DEF&s5=1335843669&cid=5c12d1104cca24294ae7d8d45ce8d028&uac=true&randid=0.564595699877096 | 54.88.21.193 |
hxxp://1jptv.voluumtrk2.com/08e0b779-c1db-404a-b9a2-b4657d709f22 | |
hxxp://d1g1b9l7554igi.cloudfront.net/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html | |
hxxp://d1g1b9l7554igi.cloudfront.net/pr/public/css/style.css | |
hxxp://d1g1b9l7554igi.cloudfront.net/pr/public/js/jquery.min.js | |
hxxp://d1g1b9l7554igi.cloudfront.net/pr/public/js/detector.js | |
hxxp://s3-1-w.amazonaws.com/ads.js?stam=err | |
hxxp://s3-1-w.amazonaws.com/pr/public/js/adframe.js | |
hxxp://n135adserv.com/ads?key=3a71f57f6d976f956c5f61dbdd4adf7b&ch=&cp.chan=&cp.vtl=&cp.crr=&cp.exld= | |
hxxp://n135adserv.com/impression.gif?b=120491&p=5103&c=10390&h=d9952535c7b8e2549cc8a742e383a081&l=UA&sh=800&sw=1280&ad.trans.id=48758oljj7jy&cps=Y2hhbg*~dnRs*~Y3Jy*~ZXhsZA*&s=d73a95fdbd7c8b810275541b68551970&t=1523891137677 | |
hxxp://1049256531.rsc.cdn77.org/files135/65/10390/120491/FB_RU_800_Group1A.jpg | |
hxxp://d1g1b9l7554igi.cloudfront.net/favicon.ico | |
ic-dc.s3.amazonaws.com | 52.216.22.11 |
ic-dc.bundlessafevault.com | 52.85.17.50 |
www.1-1ads.com | 74.117.182.93 |
trk.railquince.bid | 52.58.112.6 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET TROJAN Backdoor User-Agent (InstallCapital)
Traffic
Web Traffic was not found.
The PUP connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2692
- Delete the original PUP file.
- Delete or disinfect the following files created/modified by the PUP:
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\normal_bg4[1].png (5564 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.