Sample_ebb3b412e2

by malwarelabrobot on July 9th, 2014 in Malware Descriptions.
mzpefinder_pcap_file.YR (Lavasoft MAS) Behaviour: Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: ebb3b412e20c450ce922434b2e26c104
SHA1: 1ca3bc5a871fb0604f5ea0f45d514f5466911992
SHA256: 83636bcab9f817215f3dc24d9a509ce3b2158b16a44ca92c3bf76e96d94627a6
SSDeep: 24576:oStrUAbM6M/KN9b hGb1u7SYXj2OgOVwluBuNhlD9MPjgL5vr:oStrUAI6Mu9qhGb1uxjFwSu1DomZr
Size: 1322432 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: ArcadeFrontier
Created at: 2014-03-04 11:28:35
Analyzed on: WindowsXP SP3 32-bit

Summary:

Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

mscorsvw.exe:1912
nsp81.exe:240
SPIdentifier.exe:1392
%original file name%.exe:1440

The Malware injects its code into the following process(es):

No code injection into other processes was observed.

Mutexes

The following mutexes were created/opened:

ShimCacheMutex {B34AAD8A-B699-4A45-8665-2B59F5AAD82B}

File activity

The process nsp81.exe:240 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nso83.tmp\SPtool.dll (49229 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso83.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso83.tmp\System.dll (11 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (590 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nso83.tmp\SPtool.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso83.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso83.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd82.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso83.tmp\inetc.dll (0 bytes)

The process SPIdentifier.exe:1392 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsf80.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SPIdentifierImpl[1].exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp7F.tmp (2820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp81.exe (64797 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsp81.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf80.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp7E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf80.tmp\inetc.dll (0 bytes)

The process %original file name%.exe:1440 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}\OCSetupHlp.dll (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SPIdentifier.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sp-downloader.exe (2392 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect (0 bytes)
%Program Files%\SearchProtect\Main (0 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\Logs (0 bytes)
%Program Files%\SearchProtect\Main\rep (0 bytes)
%Program Files%\SearchProtect (0 bytes)

Registry activity

The process mscorsvw.exe:1912 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "2340000"

The process nsp81.exe:240 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 49 D9 1B 43 C9 53 CB 7B 49 BF 39 81 9E B1 4E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Malware modifies the IE Local Intranet zone mapping so that all network paths (UNCs) are treated as Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Malware modifies the IE Local Intranet zone mapping so that all sites that bypass the proxy server are treated as Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware modifies the IE Local Intranet zone mapping so that all local (intranet) sites not listed in other zones, i.e. dotless host names, are treated as Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Note that these three ZoneMap values match IE's default Local Intranet options, and the Cache\Paths, Shell Folders, MountPoints2 and Cryptography\RNG entries above are routinely written by WinINet and the shell on first use, so on their own they are weak indicators; the proxy values deleted below are the change worth checking on a managed host.

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process SPIdentifier.exe:1392 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf80.tmp\,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D B7 AF C4 34 62 71 77 66 61 F1 CE D9 13 FC 08"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Malware modifies the IE Local Intranet zone mapping so that all network paths (UNCs) are treated as Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Malware modifies the IE Local Intranet zone mapping so that all sites that bypass the proxy server are treated as Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware modifies the IE Local Intranet zone mapping so that all local (intranet) sites not listed in other zones, i.e. dotless host names, are treated as Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
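The registry effects of nsp81.exe and SPIdentifier.exe above only matter relative to what the host looked like before: on a machine that never had a proxy configured, "ProxyEnable" = 0 with no ProxyServer is the normal state, whereas on a managed host the removal of AutoConfigURL and ProxyServer takes the browser out from behind the corporate proxy. The following is an added example (mine, not Lavasoft's tooling) that diffs two .reg exports of the Internet Settings keys and reports exactly the changes this report lists. Both .reg texts are constructed for illustration; proxy.corp.example is a hypothetical proxy, and the key and value names are the ones quoted in the report.

```python
"""Diff two .reg exports of the IE Internet Settings keys and flag the
proxy and Local Intranet zone changes recorded in this report.

Added example, not part of the Lavasoft report. BASELINE_REG and AFTER_REG
are constructed; proxy.corp.example is hypothetical.
"""
import re

IS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ZONEMAP_KEY = IS_KEY + r"\ZoneMap"
PROXY_VALUES = ("AutoConfigURL", "ProxyServer", "ProxyOverride")   # deleted by the sample
ZONE_VALUES = ("UNCAsIntranet", "ProxyBypass", "IntranetName")    # set to 1 by the sample

# Constructed export of a managed host before the installer ran.
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="proxy.corp.example:8080"
"ProxyOverride"="<local>"
"AutoConfigURL"="http://proxy.corp.example/wpad.dat"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet"=dword:00000000
"ProxyBypass"=dword:00000000
"IntranetName"=dword:00000000
"""

# Constructed export of the same keys after the changes listed in the report.
AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"MigrateProxy"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet"=dword:00000001
"ProxyBypass"=dword:00000001
"IntranetName"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg(text):
    """Parse .reg text into {key: {value_name: value}}.

    DWORDs become int; REG_SZ strings have the .reg escaping (\\\\ and \\")
    undone. Other value types are ignored, which is enough for these keys.
    """
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        k = KEY_RE.match(line)
        if k:
            current = k.group(1)
            tree.setdefault(current, {})
            continue
        v = VAL_RE.match(line)
        if v and current is not None:
            name, dword, string = v.groups()
            if dword is not None:
                tree[current][name] = int(dword, 16)
            else:
                tree[current][name] = string.replace('\\\\', '\\').replace('\\"', '"')
    return tree


def assess(baseline, after):
    """Return finding labels for 'after' relative to 'baseline'.

    Only explicit values are compared: an absent ZoneMap value falls back to
    IE's built-in default, so absence is not treated as 0.
    """
    b_is, a_is = baseline.get(IS_KEY, {}), after.get(IS_KEY, {})
    b_zm, a_zm = baseline.get(ZONEMAP_KEY, {}), after.get(ZONEMAP_KEY, {})
    findings = []
    if b_is.get("ProxyEnable") == 1 and a_is.get("ProxyEnable") == 0:
        findings.append("proxy_disabled")
    for name in PROXY_VALUES:
        if name in b_is and name not in a_is:
            findings.append("deleted:" + name)
    for name in ZONE_VALUES:
        if a_zm.get(name) == 1 and b_zm.get(name) != 1:
            findings.append("zone_widened:" + name)
    return findings


if __name__ == "__main__":
    for f in assess(parse_reg(BASELINE_REG), parse_reg(AFTER_REG)):
        print(f)
```

A real export is produced with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" is.reg`; reg.exe writes UTF-16LE, so decode the file with `utf-16` before handing it to `parse_reg()`. "proxy_disabled" together with "deleted:AutoConfigURL" is the pairing that removes the browser from proxy inspection; the three "zone_widened" labels are low severity on their own, for the reason given above.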

The process %original file name%.exe:1440 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 AC 22 44 1C 8A 0D BE 8E 62 71 19 13 C6 AD 72"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

Dropped PE files

MD5                              File path
73554f3944811c0c4b393826943be2ca c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SPIdentifier.exe
9fb9d49c2db7edd1084ab765d619f5c6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\sp-downloader.exe
3c28060fcffe2b17afa3ec9eabaf5adc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}\OCSetupHlp.dll
d96290ac80c0696023d8a2378bd89efa c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SPIdentifierImpl[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ArcadeFrontier
Product Name: ArcadeFrontier
Product Version: 1.0.0.1
Legal Copyright: Copyright (C) 2013
Legal Trademarks:
Original Filename: SetupGUI.exe
Internal Name: SetupGUI.exe
File Version: 1.0.0.1
File Description: ArcadeFrontier Installer
Comments:
Language: English (United States)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             198400        198656    4.5562   5794edb184cc1655228892923cdd0fd4
.rdata  204800           78890         79360     3.13435  b68fb5653461199641f47d6ab78640e9
.data   286720           20384         9216      3.18602  e853efea4ae2be64530d1c184773b128
.rsrc   307200           1005432       1005568   5.51625  ab7de3fc354a034360692874cb479c8b
.reloc  1314816          23464         23552     3.25769  9e60931ebc074700654d77d68f1c7831

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 266 f93baf6557e104cc2520e63e51beeed9 d8227b13fcf2e9b7d513261f600e2a6b dd28686e2ae2b2c6077b634434667c6c 7d4eda03a6846d67fb141c16f42121d5 9cec46391e24f11be34895f3f78e89e2 4c7b64db66baff7a94d397f95bbd0f62 3741c8648c63e5349c1ccd9f43c49ce5 08596917f28a797c91f3cb197286ef28 3119cd3d5114e9d380ce7f7e3197baa9 973d9451be5089995a4274cdf2f074a7 5f510b5a060ae7bfa8f5351c9eb4483a ff5c0abc1f9e460ca68f0dc73ff1f1da c7c7ebfe8f218b15010adfee098f796d 64ebea4671f933787a6eed266660fae4 523be9d38cdfd8ffae58908bf230ccba 27a0e4add6a9e0b8b918eded93aa5581 f6bc68e680a24fe5cde28bd02e02efda 7ed5fcb505b1833baad9e47d84054a38 f37f08f1c9438d9c7ec37a0c642b3ee4 a74f03c68e479e4b030cbf58728874bf a05f98ea1a0e257c2ca92129f2a8fdaa 995f782c3df4594bb5e4119a9e9f6b20 b20db45fbf1125a1a61d2e030e397779 b1e592994fd233d2f906b2e2c42d323e 59483eef58910cff57e188c7b0ff7be0

URLs

URL                                                                    IP
hxxp://e6337.g.akamaiedge.net/spidentifier/SPIdentifierImpl.exe
hxxp://sp-storage.conduit-services.com/spidentifier/SPIdentifierImpl.exe  23.209.38.93

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
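The Suricata verdict above is a policy rule: it fires on the default User-Agent of the NSIS inetc plugin (the inetc.dll dropped into the nso83.tmp and nsf80.tmp directories), which many benign installers also use. The URL list is the stronger signal, but both hosts resolve to Akamai edge infrastructure (23.209.38.93 is the IP the report recorded), so a host or IP hit without the SPIdentifierImpl.exe path is shared-CDN noise. The following is an added example (mine, not from the Lavasoft report) that runs these indicators over proxy log lines and weights them accordingly. The log lines and their field layout (timestamp, client, destination IP, method, URL, quoted User-Agent) are constructed for illustration; the indicator values are the ones from the report.

```python
"""Match this report's network indicators against HTTP proxy log lines.

Added example, not part of the Lavasoft report. The indicator values come
from the report (defanged hxxp:// URLs, recorded IP, ET POLICY User-Agent);
SAMPLE_LOG and its field layout are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Indicators taken from the report above.
IOC_HOSTS = {"e6337.g.akamaiedge.net", "sp-storage.conduit-services.com"}
IOC_IPS = {"23.209.38.93"}
IOC_PATH = "/spidentifier/SPIdentifierImpl.exe"
# The ET POLICY rule matches the NSIS inetc plugin's default User-Agent.
UA_PATTERN = re.compile(r"NSIS_Inetc", re.IGNORECASE)

# Constructed log lines (assumed layout: ts client dst_ip method url "ua").
SAMPLE_LOG = """\
2014-07-09T10:01:12Z 10.0.0.15 23.209.38.93 GET http://sp-storage.conduit-services.com/spidentifier/SPIdentifierImpl.exe "NSIS_Inetc (Mozilla)"
2014-07-09T10:01:13Z 10.0.0.15 93.184.216.34 GET http://example.com/index.html "Mozilla/5.0 (Windows NT 5.1)"
2014-07-09T10:02:40Z 10.0.0.22 203.0.113.9 GET http://cdn.example.net/update.exe "NSIS_Inetc (Mozilla)"
2014-07-09T10:03:01Z 10.0.0.31 23.209.38.93 GET http://e6337.g.akamaiedge.net/other/file.bin "Mozilla/4.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def classify_line(line):
    """Parse one log line; return (client_ip, [indicator names]) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, client, dst_ip, _method, url, ua = m.groups()
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    hits = []
    if host in IOC_HOSTS:
        hits.append("ioc_host")
    if dst_ip in IOC_IPS:
        hits.append("ioc_ip")
    if parsed.path == IOC_PATH:
        hits.append("ioc_path")
    if UA_PATTERN.search(ua):
        hits.append("nsis_inetc_ua")
    return client, hits


def scan(log_text):
    """Return {client_ip: sorted indicator names} for clients with any hit."""
    findings = {}
    for line in log_text.splitlines():
        result = classify_line(line)
        if result and result[1]:
            client, hits = result
            findings.setdefault(client, set()).update(hits)
    return {c: sorted(h) for c, h in findings.items()}


def severity(hits):
    """Weight the hits: the download path is specific to this sample, the
    hosts and IP are shared CDN infrastructure, the User-Agent is generic."""
    if "ioc_path" in hits:
        return "high"
    if "nsis_inetc_ua" in hits and ("ioc_host" in hits or "ioc_ip" in hits):
        return "medium"
    return "low"


if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG).items():
        print(client, severity(hits), hits)
```

Feed a real proxy log through `scan()` after adjusting `LINE_RE` to its column layout; only the client that fetched the SPIdentifierImpl.exe path is rated high, the inetc User-Agent alone stays low, which is why the ET rule is classified as POLICY rather than MALWARE.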

Traffic

Web Traffic was not found.

The Malware connects to the servers at the following location(s):

Strings from Dumps were not found.

Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    mscorsvw.exe:1912
    nsp81.exe:240
    SPIdentifier.exe:1392
    %original file name%.exe:1440

  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    %Documents and Settings%\%current user%\Local Settings\Temp\nso83.tmp\SPtool.dll (49229 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso83.tmp\inetc.dll (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso83.tmp\System.dll (11 bytes)
    %Program Files%\SearchProtect\Main\rep\SystemRepository.dat (590 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf80.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SPIdentifierImpl[1].exe (64797 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp7F.tmp (2820 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp81.exe (64797 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{A2718E3B-EA2D-4520-8609-77AE8A8DE75B}\OCSetupHlp.dll (25824 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SPIdentifier.exe (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sp-downloader.exe (2392 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.