Trojan.Win32.IEDummy_6018f52202

by malwarelabrobot on June 15th, 2016 in Malware Descriptions.

not-a-virus:HEUR:AdWare.Win32.InstallMonster.gen (Kaspersky), Trojan.Win32.IEDummy.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 6018f522029cfa4a5ba5d6e6afb97446
SHA1: 41c0ebd8f89ae40aa7382a7ad5a23f5321c87169
SHA256: a534ec946bf220d97f35df675366f1343bb48b1182a32ae1588cea520dc80299
SSDeep: 98304:xzV5FDvRqbCKApy0vsub+uJA507DR1KrFEP54/ZA:xJ7EbC+Xy9JvDRYrF4
Size: 3549152 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPXv0896v102v105v122Delphistub, UPolyXv05_v6
Company: Software Bundle Company
Created at: 1992-06-20 01:22:17 (PE TimeDateStamp 0x2A425E19 = 708992537; this is the fixed value Borland Delphi's linker writes into every executable, not a real build date, and the same number reappears below as the DirectDraw MostRecentApplication "ID")
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1392

The Trojan injects its code into the following process(es):
No injection into other processes was detected.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1392 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

Registry activity

The process %original file name%.exe:1392 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKCR\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\ProgID]
"(Default)" = "6018f522029cfa4a5ba5d6e6afb97446.DynamicNS"

[HKCR\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}]
"(Default)" = "DynamicNS"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
"CategoryCount" = "16"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKCR\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\LocalServer32]
"(Default)" = "c:\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\6018f522029cfa4a5ba5d6e6afb97446\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 8C D7 F0 AF 31 7E 59 A5 78 32 52 AD BB CD 7E"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKCR\6018f522029cfa4a5ba5d6e6afb97446.DynamicNS\Clsid]
"(Default)" = "{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\6018f522029cfa4a5ba5d6e6afb97446.DynamicNS]
"(Default)" = "DynamicNS"

The Trojan sets the three Local Intranet zone mapping switches in IE's ZoneMap key. "UNCAsIntranet" = 1 places all UNC (network) paths in the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

"IntranetName" = 1 places all local (dotless) host names that are not assigned to another zone in the Intranet Zone:

"IntranetName" = "1"

"ProxyBypass" = 1 places all addresses that bypass the proxy server in the Intranet Zone:

"ProxyBypass" = "1"

All three values correspond to the default Local Intranet options ("Include all local (intranet) sites not listed in other zones", "Include all sites that bypass the proxy server", "Include all network paths (UNCs)") and are routinely written back when WinINet initialises zone settings. On their own they do not show the sample weakening zone security; compare them with the pre-run values before counting them as a change.

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\6018f522029cfa4a5ba5d6e6afb97446\DEBUG]
"Trace Level"
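Most of the registry writes above are side effects of the libraries the sample loads (WinINet cache paths, ETW tracing keys, ESENT event-log registration, DirectDraw's most-recent-application record, the CryptoAPI RNG seed) rather than behaviour of the sample. The entries that matter are the COM class registration under HKCR, whose LocalServer32 points back at the sample itself, and, with the caveat given above, the ZoneMap switches. The script below is an added example and not part of the Lavasoft report: it parses the report's key/value layout and sorts each entry into one of a few classes. The noise patterns are my reading of the keys in this particular report, not a general-purpose allow list, and SAMPLE is a constructed excerpt in the report's layout.

```python
"""Sort a sandbox 'registry activity' listing into the entries worth acting
on and the bulk that any process using WinINet, ESENT or DirectDraw writes.

Added example, not Lavasoft's code. SAMPLE is a constructed excerpt in the
report's own layout; the noise patterns are specific to this report.
"""
import re
from collections import defaultdict

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<data>.*)"$')

# Written as a side effect of loading wininet/urlmon, ESENT, DirectDraw or
# calling CryptGenRandom; they identify the process, not its behaviour.
NOISE_PATTERNS = [re.compile(p, re.I) for p in (
    r"\\Windows NT\\CurrentVersion\\Tracing\\",
    r"\\Internet Settings\\Cache\\Paths",
    r"\\Explorer\\Shell Folders$",
    r"\\Services\\Eventlog\\Application\\ESENT$",
    r"\\Microsoft\\ESENT\\Process\\",
    r"\\DirectDraw\\MostRecentApplication$",
    r"\\Cryptography\\RNG$",
)]
COM_SERVER_RE = re.compile(r"\\CLSID\\\{[0-9A-F-]{36}\}\\(Local|Inproc)Server32$", re.I)
COM_CLASS_RE = re.compile(r"\\CLSID\\\{[0-9A-F-]{36}\}", re.I)
AUTORUN_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)


def parse_registry_report(text: str):
    """Yield (key, value_name, data) from blocks of '[key]' followed by '"name" = "data"'."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VAL_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("data")


def classify(key: str, name: str, data: str) -> str:
    """Label one registry write; 'review' means no rule matched."""
    if COM_SERVER_RE.search(key):
        return "com-server-path"          # path of the registered COM server
    if COM_CLASS_RE.search(key) or key.upper().startswith("HKCR\\"):
        return "com-class-registration"   # CLSID / ProgID plumbing
    if AUTORUN_RE.search(key):
        return "autorun"
    if "\\internet settings\\zonemap" in key.lower():
        # UNCAsIntranet/IntranetName/ProxyBypass = 1 is IE's default Local
        # Intranet policy; treat as a finding only if it changed from the
        # pre-run value.
        return "ie-zone-policy"
    if any(p.search(key) for p in NOISE_PATTERNS):
        return "noise"
    return "review"


def triage(text: str) -> dict:
    """Group the report's entries by class: {class: [(key, name, data), ...]}."""
    groups = defaultdict(list)
    for key, name, data in parse_registry_report(text):
        groups[classify(key, name, data)].append((key, name, data))
    return dict(groups)


# Constructed excerpt in the report's layout (values copied from the report).
SAMPLE = r'''
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKCR\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\LocalServer32]
"(Default)" = "c:\%original file name%.exe"

[HKCR\6018f522029cfa4a5ba5d6e6afb97446.DynamicNS\Clsid]
"(Default)" = "{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 8C D7 F0 AF 31 7E 59 A5 78 32 52 AD BB CD 7E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"IntranetName" = "1"
"ProxyBypass" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
'''

if __name__ == "__main__":
    for label, entries in triage(SAMPLE).items():
        print(label)
        for key, name, data in entries:
            print(f"  [{key}] {name} = {data}")
```

Run it on the full "creates and/or sets" block of a report; anything that lands in "review" is a key the rules have not seen and deserves a look, while "noise" can be dropped from an indicator list without losing anything.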

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Software Bundle Company
Product Name:
Product Version: 1.0.0.0
Legal Copyright: Copiright
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: Software Bundle
Comments:
Language: English (United States)

PE Sections

Name    Virtual Address   Virtual Size   Raw Size   Entropy   Section MD5
UPX0    4096              2445312        0          0         d41d8cd98f00b204e9800998ecf8427e
UPX1    2449408           2220032        2217472    5.47136   76e39e3289dd2401cd6caaf1a60bfbf5
.rsrc   4669440           24576          20992      3.65806   f8ad800ddaef627cd94ca2f6384da75f
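The 1992 timestamp in the header block and the UPX0/UPX1 section layout above are both worth verifying by hand rather than trusting the packer-signature string. The script below is an added example and not Lavasoft's analysis code: using only the standard library, it reads the COFF header and section table, flags the fixed Delphi linker timestamp (0x2A425E19 = 708992537, the same number that appears as the DirectDraw MostRecentApplication "ID" in the registry section) and a UPX0 section with zero raw size (its section MD5 above, d41d8cd9..., is the MD5 of zero bytes), and builds a constructed PE header from the report's section table to run against. It assumes nothing about the real binary beyond the values in that table.

```python
"""Read the COFF header and section table of a PE file and check the two
tells this report's static section shows: a fixed Delphi linker timestamp
and a UPX section layout.

Added example, not Lavasoft's code. build_sample() assembles a minimal,
constructed PE header from the report's PE Sections table; it is not the
real binary and contains no code.
"""
import struct

# Delphi's linker stamps every PE with 0x2A425E19 = 708992537, i.e.
# 1992-06-19 22:22:17 UTC (the report prints 1992-06-20 01:22:17, the same
# instant in a UTC+3 zone). It is not a build date.
DELPHI_TIMESTAMP = 0x2A425E19

COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes) -> dict:
    """Return the COFF timestamp and the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff)
    table = coff + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_FMT, data, table + i * 40)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "vsize": f[1], "vaddr": f[2], "rawsize": f[3], "rawptr": f[4],
        })
    return {"timestamp": timestamp, "sections": sections}


def triage(pe: dict) -> list:
    """Name the tells that fired; an empty list means none did."""
    findings = []
    if pe["timestamp"] == DELPHI_TIMESTAMP:
        findings.append("delphi-fixed-timestamp")
    upx = [s for s in pe["sections"] if s["name"].startswith("UPX")]
    if upx:
        findings.append("upx-section-names")
    # UPX0 is reserved purely as virtual space for the unpacked image: it has
    # no raw bytes on disk, which is why its section MD5 is that of nothing.
    if any(s["name"] == "UPX0" and s["rawsize"] == 0 and s["vsize"] > 0 for s in upx):
        findings.append("upx0-zero-raw-size")
    return findings


def build_sample(timestamp: int = DELPHI_TIMESTAMP) -> bytes:
    """Constructed PE32 header carrying the section values from the report."""
    secs = [  # name, virtual size, virtual address, raw size
        (b"UPX0", 2445312, 4096, 0),
        (b"UPX1", 2220032, 2449408, 2217472),
        (b".rsrc", 24576, 4669440, 20992),
    ]
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 224                                              # PE32 optional header
    coff = struct.pack(COFF_FMT, 0x14C, len(secs), timestamp, 0, 0, opt_size, 0x010F)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")       # magic only, rest zero
    raw_ptr = e_lfanew + 4 + struct.calcsize(COFF_FMT) + opt_size + 40 * len(secs)
    table = b""
    for name, vsize, vaddr, rawsize in secs:
        table += struct.pack(SECTION_FMT, name, vsize, vaddr, rawsize,
                             raw_ptr if rawsize else 0, 0, 0, 0, 0, 0x60000020)
        raw_ptr += rawsize
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    pe = parse_pe(build_sample())
    print(hex(pe["timestamp"]), [s["name"] for s in pe["sections"]], triage(pe))
```

Against a real file, read it with `open(path, "rb").read()` and pass the bytes to `parse_pe`; the section table is all this check needs, so the image does not have to be unpacked first.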

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 66
e79ce1a194f493d5f153e71549fbd5cd
a5e67ca8da17f69d43df1d19aaed89fa
6ba48876132d70d470a057b8ed1ad0fc
ad1d1f86dbf0a18b79d8484330259b3e
fe4d80742de31ed8cf4b356658c32dc6
2e2586e737b998b9567d5cccb2a4bfa2
42ac44e9f84ed45b61962f15d2052dba
3ea682619471ff3dc72e139b174ea733
e498bf898b69e7d15e6221923ad0997d
ab8e25852ae586c8ea9fb6989c1b70cc
deba8feed59c4351dfb3106b0137c6f5
448fd58eeeb747466654aaecc02342de
1d11272b3ddf400bd62b16104b62133d
9d4f5d7e10bba0a15a863ce35bd03f84
58e1a6d3878b0d145844126bdcefa5a8
570c26fce92bc19b34a992f44e1286f0
17f23fb508c5b7bddbedf9d78cf6aceb
3241db9f0fd67dd30074fa001d30a13c
17d3a0aae0d7762622bbb7d618c4e780
73c5a28f847e17fce2d0d2f02e119f16
ec1c3ac83471a003c19a6e20709eda49
be15113f44a88f53a250e999e3bd44f3
896377ebaad3d95db901f841b7c3758d
d27978ecf9e90048c84bf7447b4a150c
23247a03e576773d518e6d8ff9fd3ae9
697c45d7174e4702684ea69cf4b38cbf

URLs

URL IP
hxxp://bluestacks-club-download.ru/BlueStacks-SplitInstaller.exe 46.30.40.94
hxxp://piroga.space/pages/inmon/im-typ.html
hxxp://piroga.space/pages/inmon/css/style.css
hxxp://piroga.space/pages/inmon/images/icon1-green.png
hxxp://piroga.space/pages/inmon/images/icon2-green.png
hxxp://piroga.space/pages/inmon/images/icon3-green.png
hxxp://cast-prod-dlv-pull.ironsrc.netdna-cdn.com/scripts/1/adnl.min.js
hxxp://neu-dl-api.cloudapp.net/api/vv/1?callback=cb_1465902533406&ts=1465902533406&sessionId=cxyt&rfr=&siteId=9306&aus=5584,1,0
hxxp://cast-prod-dlv-pull.ironsrc.netdna-cdn.com/images/1eaeba30-fae9-4091-b89c-7f1ccf25c528.jpg
hxxp://neu-dl-api.cloudapp.net/api/vp/1?clk=rKEPfio3b3U5JfBO2MgoCH-COOuZDTmoqwAes30yY9R9SPfweo3rNrLBO6MAbW42B_uI2KOs3rTD-bW1NzKa3rHI7Z_xYJATeVCM1zVHXEEO2mtE7l7euoJl19vODmMwNrG15gE2oTf2Hx1kBMXeyxjUmQR6b02PsfXZzD155g8Sa1iVZsN8ed1VAKCJyKFCP_LVsQGSu1D1ylp4wF5RUaBLqtPY8XVgascWTiIyj1ggcKz3Zyhg6Bm4UiQEqSU4StWKknc5pUFxefx4RngrL9mOOTjDrBIdrb5_tYFc7AlFUd7GvbS5Bj3jhGqo_tHj6Asva6r6NH7KrVjWbQ_O2pHhkp5yvu0eGmnxSmIx1PNCbq1Xf2TLFsiv_iYsMcaf-_iMoaIl7XNdCQsbdziPDrTuPkdWaN0ydDczySEa8ZFv0eNHIJ06lrDKSKxI_H4zfz347ujquOhzqzXFMuFa-0e4mn8Db4OKDDzal8SAHc0&rfr=
hxxp://d.castplatform.com/api/vv/1?callback=cb_1465902533406&ts=1465902533406&sessionId=cxyt&rfr=&siteId=9306&aus=5584,1,0 40.127.174.50
hxxp://d.castplatform.com/api/vp/1?clk=rKEPfio3b3U5JfBO2MgoCH-COOuZDTmoqwAes30yY9R9SPfweo3rNrLBO6MAbW42B_uI2KOs3rTD-bW1NzKa3rHI7Z_xYJATeVCM1zVHXEEO2mtE7l7euoJl19vODmMwNrG15gE2oTf2Hx1kBMXeyxjUmQR6b02PsfXZzD155g8Sa1iVZsN8ed1VAKCJyKFCP_LVsQGSu1D1ylp4wF5RUaBLqtPY8XVgascWTiIyj1ggcKz3Zyhg6Bm4UiQEqSU4StWKknc5pUFxefx4RngrL9mOOTjDrBIdrb5_tYFc7AlFUd7GvbS5Bj3jhGqo_tHj6Asva6r6NH7KrVjWbQ_O2pHhkp5yvu0eGmnxSmIx1PNCbq1Xf2TLFsiv_iYsMcaf-_iMoaIl7XNdCQsbdziPDrTuPkdWaN0ydDczySEa8ZFv0eNHIJ06lrDKSKxI_H4zfz347ujquOhzqzXFMuFa-0e4mn8Db4OKDDzal8SAHc0&rfr= 40.127.174.50
hxxp://cdn.castplatform.com/images/1eaeba30-fae9-4091-b89c-7f1ccf25c528.jpg 198.232.124.20
hxxp://cdn.castplatform.com/scripts/1/adnl.min.js 198.232.124.20


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /pages/inmon/images/icon1-green.png HTTP/1.1
Accept: */*
Referer: hXXp://piroga.space/pages/inmon/im-typ.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: piroga.space
Connection: Keep-Alive
Cookie: X-Mapping-fjhppofk=5B673B9FC730391AFA5DB6CAA00AAEEE


HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Tue, 14 Jun 2016 11:08:43 GMT
Content-Type: image/png
Content-Length: 3392
Last-Modified: Wed, 12 Aug 2015 13:59:00 GMT
Connection: keep-alive
ETag: "55cb5124-d40"
Accept-Ranges: bytes
[3392-byte PNG body (tEXt chunk "Software: Adobe ImageReady"); binary data omitted]

<<< skipped >>>

GET /pages/inmon/images/icon3-green.png HTTP/1.1

Accept: */*
Referer: hXXp://piroga.space/pages/inmon/im-typ.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: piroga.space
Connection: Keep-Alive
Cookie: X-Mapping-fjhppofk=5B673B9FC730391AFA5DB6CAA00AAEEE


HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Tue, 14 Jun 2016 11:08:43 GMT
Content-Type: image/png
Content-Length: 1519
Last-Modified: Wed, 12 Aug 2015 13:59:00 GMT
Connection: keep-alive
ETag: "55cb5124-5ef"
Accept-Ranges: bytes
[1519-byte PNG body (tEXt chunk "Software: Adobe ImageReady"); binary data omitted]

<<< skipped >>>

GET /api/vv/1?callback=cb_1465902533406&ts=1465902533406&sessionId=cxyt&rfr=&siteId=9306&aus=5584,1,0 HTTP/1.1
Accept: */*
Referer: hXXp://piroga.space/pages/inmon/im-typ.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.castplatform.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 1076
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
X-Country: UA
P3P: CP='NON UNI COM NAV STA OUR IND'
Set-Cookie: cuuid=1b005f8b-3808-455f-98d8-86cc789ad08c; expires=Sun, 14 Jun 2026 11:08:52 GMT; domain=d.castplatform.com; path=/
X-Elapsed: 187
X-Node: NEU3961D1
Date: Tue, 14 Jun 2016 11:08:51 GMT
cb_1465902533406 && cb_1465902533406({"zones":[{"id":5584,"status":200
,"enabled":true,"template":"Free_Creative_800x440","data":[{"clickTag"
:null,"clk":"rKEPfio3b3U5JfBO2MgoCH-COOuZDTmoqwAes30yY9R9SPfweo3rNrLBO
6MAbW42B_uI2KOs3rTD-bW1NzKa3rHI7Z_xYJATeVCM1zVHXEEO2mtE7l7euoJl19vODmM
wNrG15gE2oTf2Hx1kBMXeyxjUmQR6b02PsfXZzD155g8Sa1iVZsN8ed1VAKCJyKFCP_LVs
QGSu1D1ylp4wF5RUaBLqtPY8XVgascWTiIyj1ggcKz3Zyhg6Bm4UiQEqSU4StWKknc5pUF
xefx4RngrL9mOOTjDrBIdrb5_tYFc7AlFUd7GvbS5Bj3jhGqo_tHj6Asva6r6NH7KrVjWb
Q_O2pHhkp5yvu0eGmnxSmIx1PNCbq1Xf2TLFsiv_iYsMcaf-_iMoaIl7XNdCQsbdziPDrT
uPkdWaN0ydDczySEa8ZFv0eNHIJ06lrDKSKxI_H4zfz347ujquOhzqzXFMuFa-0e4mn8Db
4OKDDzal8SAHc0","width":800,"height":440,"cUrl":"hXXp://d.castplatform
.com/api/c/1?clk=%clk%","trackers":[{"type":"Url","content":"hXXp://d.
castplatform.com/api/vp/1?clk=%clk%"}],"category":null,"assets":[{"ass
etDisplayType":1,"width":800,"height":440,"url":"//cdn.castplatform.co
m/images/1eaeba30-fae9-4091-b89c-7f1ccf25c528.jpg","javascript":"","cl
ickTagVar":""}]}],"styles":null,"settings":{"adUnitTitle":""},"display
Type":"Size"}],"ts":187});
....



GET /api/vp/1?clk=rKEPfio3b3U5JfBO2MgoCH-COOuZDTmoqwAes30yY9R9SPfweo3rNrLBO6MAbW42B_uI2KOs3rTD-bW1NzKa3rHI7Z_xYJATeVCM1zVHXEEO2mtE7l7euoJl19vODmMwNrG15gE2oTf2Hx1kBMXeyxjUmQR6b02PsfXZzD155g8Sa1iVZsN8ed1VAKCJyKFCP_LVsQGSu1D1ylp4wF5RUaBLqtPY8XVgascWTiIyj1ggcKz3Zyhg6Bm4UiQEqSU4StWKknc5pUFxefx4RngrL9mOOTjDrBIdrb5_tYFc7AlFUd7GvbS5Bj3jhGqo_tHj6Asva6r6NH7KrVjWbQ_O2pHhkp5yvu0eGmnxSmIx1PNCbq1Xf2TLFsiv_iYsMcaf-_iMoaIl7XNdCQsbdziPDrTuPkdWaN0ydDczySEa8ZFv0eNHIJ06lrDKSKxI_H4zfz347ujquOhzqzXFMuFa-0e4mn8Db4OKDDzal8SAHc0&rfr= HTTP/1.1

Accept: */*
Referer: hXXp://piroga.space/pages/inmon/im-typ.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.castplatform.com
Connection: Keep-Alive
Cookie: cuuid=1b005f8b-3808-455f-98d8-86cc789ad08c


HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 43
Content-Type: image/gif
Server: Microsoft-HTTPAPI/2.0
Set-Cookie: cuuid=325e96b9-5242-4408-913f-43e63cc3d2ed; expires=Sun, 14 Jun 2026 11:08:52 GMT; domain=d.castplatform.com; path=/
P3P: CP='NON UNI COM NAV STA OUR IND'
X-Elapsed: 0
Date: Tue, 14 Jun 2016 11:08:51 GMT
[43-byte GIF89a body, a 1x1 tracking pixel; the capture then repeats the same response headers and body once more]


GET /pages/inmon/im-typ.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: piroga.space
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.10.1
Vary: Accept-Encoding
Content-Type: text/html
Content-Encoding: gzip
Date: Tue, 14 Jun 2016 11:08:42 GMT
Transfer-Encoding: chunked
ETag: W/"5628d116-7b9"
Connection: keep-alive
Set-Cookie: X-Mapping-fjhppofk=5B673B9FC730391AFA5DB6CAA00AAEEE; path=/
Last-Modified: Thu, 22 Oct 2015 12:05:42 GMT
[gzip-compressed, chunked HTML body (first chunk 0x364 bytes); binary data omitted]



GET /pages/inmon/css/style.css HTTP/1.1

Accept: */*
Referer: hXXp://piroga.space/pages/inmon/im-typ.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: piroga.space
Connection: Keep-Alive
Cookie: X-Mapping-fjhppofk=5B673B9FC730391AFA5DB6CAA00AAEEE


HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Tue, 14 Jun 2016 11:08:43 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Oct 2015 12:08:45 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
ETag: W/"5628d1cd-70e"
Content-Encoding: gzip
[gzip-compressed, chunked CSS body (first chunk 0x28e bytes); binary data omitted]



GET /pages/inmon/images/icon2-green.png HTTP/1.1

Accept: */*
Referer: hXXp://piroga.space/pages/inmon/im-typ.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: piroga.space
Connection: Keep-Alive
Cookie: X-Mapping-fjhppofk=5B673B9FC730391AFA5DB6CAA00AAEEE


HTTP/1.1 200 OK
Server: nginx/1.10.1
Date: Tue, 14 Jun 2016 11:08:43 GMT
Content-Type: image/png
Content-Length: 3782
Last-Modified: Wed, 12 Aug 2015 13:59:00 GMT
Connection: keep-alive
ETag: "55cb5124-ec6"
Accept-Ranges: bytes
[3782-byte PNG body (tEXt chunk "Software: Adobe ImageReady"); binary data omitted]

<<< skipped >>>

GET /scripts/1/adnl.min.js HTTP/1.1
Accept: */*
Referer: hXXp://piroga.space/pages/inmon/im-typ.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.castplatform.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 14 Jun 2016 11:08:50 GMT
Content-Type: text/javascript; charset=utf-8
Content-Length: 60114
Connection: keep-alive
Vary: Accept-Encoding
Content-MD5: Y2JFw1mhlW2JqbXKv8rOdw==
Last-Modified: Tue, 26 Apr 2016 08:45:42 GMT
ETag: 0x8D36DAF266AAE18
x-ms-write-protection: false
X-Node: cdn1
Server: NetDNA-cache/2.2
X-Cache: HIT
// CAST Delivery Agent v4.4.29 #8:45.!function(global,undefined){Array.prototype.indexOf||
(Array.prototype.indexOf=function(e,t){if(this===undefined||null===this)throw new
TypeError('"this" is null or not defined');var n=this.length>>>0;for(t=+t||0,
1/0===Math.abs(t)&&(t=0),0>t&&(t+=n,0>t&&(t=0));n>t;t++)if(this[t]===e)return t;
return-1}),"object"!=typeof window.JSON&&(window.JSON={},window.JSON.stringify=
function(e){if("[object Array]"===Object.prototype.toString.call(e)){if(e.length>0){
for(var t=e.length,n=[],a=0;t>a;++a)n.push(this.stringify(e[a]));return"["+n.join(", ")+"]"}
return"[]"}if("object"==typeof e&&null!==e){var n=[];for(a in e)n.push('"'+a+'": '+
this.stringify(e[a]));return"{"+n.join(", ")+"}"}return"string"==typeof e?'"'+
e.replace(/"/g,'\\"')+'"':e},window.JSON.parse=function(text,reviver){function walk(e,t){
var n,a,i=e[t];if(i&&"object"==typeof i)for(n in i)Object.prototype.hasOwnProperty.call(i,n)&&
(a=walk(i,n),a!==undefined?i[n]=a:delete i[n]);return reviver.call(e,t,i)}var cx=
/[\u0000\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g,j;
if(text=String(text),cx.lastIndex=0,cx.test(text)&&(text=text.replace(cx,function(e){
return"\\u"+("0000"+e.charCodeAt(0).toString(16)).slice(-4)})),/^[\],:{}\s]*$/.test(
text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g,"@").replace(
/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g,"]").replace(
/(?:^|:|,)(?:\s*\[)+/g,"")))return j=eval("("+text+")"),"function"==typeof revive

<<< skipped >>>

GET /images/1eaeba30-fae9-4091-b89c-7f1ccf25c528.jpg HTTP/1.1

Accept: */*
Referer: hXXp://piroga.space/pages/inmon/im-typ.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.castplatform.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 14 Jun 2016 11:08:51 GMT
Content-Type: image/jpeg; charset=utf-8
Content-Length: 99940
Connection: keep-alive
Vary: Accept-Encoding
Content-MD5: 84yOv9Fknx6WvATYJ8//sw==
Last-Modified: Sun, 13 Mar 2016 09:05:27 GMT
ETag: 0x8D34B1E9EAC9EFB
x-ms-write-protection: false
X-Node: cdn2
Server: NetDNA-cache/2.2
X-Cache: HIT
[99940-byte JPEG body; the Exif/XMP block records xmp:CreatorTool "Adobe Photoshop CC 2015 (Windows)", xmpMM:DocumentID xmp.did:C9F120E4E8F211E5B83DE635D0776361 and xmpMM:InstanceID xmp.iid:C9F120E3E8F211E5B83DE635D0776361; image data omitted]

<<< skipped >>>

GET /BlueStacks-SplitInstaller.exe HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: bluestacks-club-download.ru
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Jun 2016 11:08:46 GMT
Content-Type: application/octet-stream
Content-Length: 13469152
Connection: keep-alive
Last-Modified: Mon, 29 Jun 2015 12:25:46 GMT
ETag: "24c177c-cd85e0-519a730696680"
Accept-Ranges: bytes
[13469152-byte executable body: MZ stub ("This program cannot be run in DOS mode"), Rich header, PE\0\0 header with machine 0x014C (i386), section names .text and .rdata visible; remainder omitted]

<<< skipped >>>
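Reading the capture above by hand, the three exchanges that matter are the executable fetched from bluestacks-club-download.ru, the JSONP call to d.castplatform.com, and the cookie-setting GIF that answers the vp/ tracker request. The script below is an added example and not Lavasoft's code: it parses raw request/response pairs, flags those three patterns, and emits indicators in the report's hxxp:// style. The SAMPLE_* messages are constructed from the headers shown above with truncated or synthetic bodies (the GIF is a hand-built 43-byte 1x1 transparent image, matching the Content-Length the server returned); the clk token in the pixel request is a placeholder.

```python
"""Walk request/response pairs from an HTTP capture and flag an executable
download, a JSONP call to an ad server, and a cookie-setting tracking pixel.

Added example, not part of the Lavasoft report. The SAMPLE_* messages are
constructed from the headers printed in the report; bodies are truncated
(the .exe) or synthetic (a hand-built 43-byte 1x1 transparent GIF).
"""
import re
from urllib.parse import parse_qs, urlsplit


def parse_http(raw: bytes):
    """Split a raw HTTP message into (start line, {lower-case header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def defang(url: str) -> str:
    """Write URLs the way the report does (hxxp://) so they are not clickable."""
    return re.sub(r"^http", "hxxp", url)


def triage_exchange(req_raw: bytes, resp_raw: bytes) -> dict:
    req_line, req_h, _ = parse_http(req_raw)
    _status, resp_h, body = parse_http(resp_raw)
    method, target, _version = req_line.split(" ", 2)
    host = req_h.get("host", "")
    url = f"http://{host}{target}"
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    ctype = resp_h.get("content-type", "").split(";")[0].strip().lower()
    findings = []

    # Executables are recognised by the MZ magic, not by what the server
    # claims; an .exe path or octet-stream answer without it is still odd.
    if body.startswith(b"MZ"):
        findings.append("pe-download")
    elif ctype == "application/octet-stream" or parts.path.lower().endswith(".exe"):
        findings.append("binary-download-without-mz")

    # JSONP: a 'callback' query parameter and a JS body that calls that name
    # (the report's body is 'cb_X && cb_X({...})').
    cb = query.get("callback", [None])[0]
    if cb and ctype in ("text/javascript", "application/javascript"):
        name = re.escape(cb)
        if re.match(rf"\s*{name}\s*(&&\s*{name}\s*)?\(", body.decode("latin-1")):
            findings.append("jsonp-callback")

    # Tracking pixel: a GIF no bigger than the canonical 1x1 image that also
    # sets a cookie on the ad domain.
    if (ctype == "image/gif" and body.startswith(b"GIF8") and len(body) <= 43
            and "set-cookie" in resp_h):
        findings.append("tracking-pixel-with-cookie")

    return {"method": method, "host": host, "url": defang(url),
            "content_type": ctype, "findings": findings}


# --- constructed captures: headers from the report, bodies synthetic ---
GIF_1X1 = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
           b"\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
           b"\x02\x02\x44\x01\x00\x3b")                      # 43 bytes, 1x1 transparent

SAMPLE_EXE_REQ = (b"GET /BlueStacks-SplitInstaller.exe HTTP/1.1\r\nAccept: */*\r\n"
                  b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
                  b"Host: bluestacks-club-download.ru\r\nConnection: Keep-Alive\r\n\r\n")
SAMPLE_EXE_RESP = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/octet-stream\r\n"
                   b"Content-Length: 13469152\r\n\r\n"
                   b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode")  # truncated

SAMPLE_JSONP_REQ = (b"GET /api/vv/1?callback=cb_1465902533406&ts=1465902533406&siteId=9306 HTTP/1.1\r\n"
                    b"Host: d.castplatform.com\r\nReferer: http://piroga.space/pages/inmon/im-typ.html\r\n\r\n")
SAMPLE_JSONP_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/javascript; charset=utf-8\r\n\r\n"
                     b'cb_1465902533406 && cb_1465902533406({"zones":[{"id":5584}]});')

SAMPLE_PIXEL_REQ = b"GET /api/vp/1?clk=abc123&rfr= HTTP/1.1\r\nHost: d.castplatform.com\r\n\r\n"
SAMPLE_PIXEL_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: 43\r\n"
                     b"Set-Cookie: cuuid=325e96b9-5242-4408-913f-43e63cc3d2ed; domain=d.castplatform.com; path=/\r\n\r\n"
                     + GIF_1X1)

if __name__ == "__main__":
    for req, resp in ((SAMPLE_EXE_REQ, SAMPLE_EXE_RESP), (SAMPLE_JSONP_REQ, SAMPLE_JSONP_RESP),
                      (SAMPLE_PIXEL_REQ, SAMPLE_PIXEL_RESP)):
        print(triage_exchange(req, resp))
```

The MZ check deliberately ignores Content-Type: a server that labels a PE as image/gif or text/html is more, not less, interesting, and the report's own dump shows the magic bytes at the start of the body regardless of what the headers say.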

The Trojan connects to the servers at the following location(s):

bluestacks-club-download.ru, piroga.space, d.castplatform.com, cdn.castplatform.com, neu-dl-api.cloudapp.net, cast-prod-dlv-pull.ironsrc.netdna-cdn.com (see the URL table above)

Strings from Dumps

The dump below was taken from iexplore.exe (PID 240), not from %original file name%.exe, and its strings are Internet Explorer's own. The Referer chain in the traffic above (style.css, the icon PNGs and the castplatform ad script are all referred by piroga.space/pages/inmon/im-typ.html) is a page being rendered by a browser engine, although the process list above records no iexplore.exe start.

iexplore.exe_240:

%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.Fg
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG
;33;33;0
8888880
8887080
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1392

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
