Installation
We have seen this threat downloaded by exploits, such as the Fiesta exploit kit.
This threat installs itself in one of the following locations:
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: <random file name>.exe
With data: "%APPDATA%\<random file name>.exe" opt, for example "%APPDATA%\iQ3w793.exe" opt
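An added example (not from the original write-up) of turning the persistence indicator above into a check: it parses the text output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce` and flags values whose data has the shape `"%APPDATA%\<name>.exe" opt`, whether %APPDATA% is left literal (REG_EXPAND_SZ) or already expanded to `<drive>:\Users\<user>\AppData\Roaming`. The sample output and the value names in it are constructed for illustration.

```python
import re

# Constructed sample of `reg query HKCU\...\RunOnce` output. The first and
# third values mimic the persistence entry described in the write-up; the
# second is a benign-looking value that must not be flagged.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    iQ3w793.exe    REG_SZ           "%APPDATA%\iQ3w793.exe" opt
    Updater        REG_SZ           "C:\Program Files\Vendor\update.exe" /silent
    kT9x2q.exe     REG_EXPAND_SZ    "C:\Users\alice\AppData\Roaming\kT9x2q.exe" opt
"""

# A value line from reg query: indented name, type, data (separated by spaces).
VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")

# Data shape from the write-up: "%APPDATA%\<random>.exe" opt. %APPDATA% is
# accepted either literally or expanded to <drive>:\Users\<user>\AppData\Roaming.
APPDATA_OPT = re.compile(
    r'^"?(?:%APPDATA%|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming)'
    r'\\(?P<exe>[^\\"]+\.exe)"?\s+opt\s*$',
    re.IGNORECASE,
)


def find_suspicious_runonce(reg_output: str) -> list[dict]:
    """Return RunOnce values whose data matches the pattern this threat writes."""
    hits = []
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header, blank line, or something reg query did not emit
        d = APPDATA_OPT.match(m.group("data").strip())
        if not d:
            continue
        hits.append({
            "value": m.group("name"),
            "type": m.group("type"),
            "exe": d.group("exe"),
            # The write-up says the value name equals the dropped file name;
            # a mismatch is worth a second look rather than an exclusion.
            "name_matches_exe": m.group("name").lower() == d.group("exe").lower(),
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_runonce(SAMPLE_REG_QUERY):
        print(hit)
```

On a live host, feed the function the output of `reg query` (or the same value names and data read through `winreg`); the pattern deliberately ignores the value name, since the name is random, and keys on the `%APPDATA%` path plus the literal `opt` argument.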
If the malware detects it is running in a sandbox or test environment it will either terminate or remain running in memory without doing anything. It avoids running in environments specific to:
- Anubis
- CWSandbox
- JoeBox
- VMWare
It does this to avoid analysis and detection.
It might not install if any of the following processes, typical of a malware analyst's or security researcher's machine, are running:
- Aircrack-ng Gui.exe
- apis32.exe
- avp.exe
- CamRecorder.exe
- CamtasiaStudio.exe
- cv.exe
- DrvLoader.exe
- dumpcap.exe
- ERDNT.exe
- ERUNT.exe
- EtherD.exe
- HookExplorer.exe
- idag.exe
- irise.exe
- IrisSvc.exe
- observer.exe
- ollydbg.exe
- EBrowseDbg.exe
- proc_analyzer.exe
- Regshot.exe
- SandboxieDcomLaunch.exe
- SandboxieRpcSs.exe
- SbieCtrl.exe
- SbieSvc.exe
- sckTool.exe
- sniff_hit.exe
- Sniffer.exe
- SUPERAntiSpyware.exe
- SymRecv.exe
- sysAnalyzer.exe
- Syser.exe
- tcpdump.exe
- BoxService.exe
- VBoxTray.exe
- windbg.exe
- WinDump.exe
- wireshark.exe
- wspass.exe
- ZxSniffer.exe
It also checks for the following test environment-related registry entries:
- AppEvents\Schemes\Apps\Bopup Observer
- SOFTWARE\APIS32
- SOFTWARE\B Labs\Bopup Observer
- Software\Classes\*\shell\sandbox
- Software\Classes\Folder\shell\sandbox
- SOFTWARE\Classes\PEBrowseDotNETProfiler.DotNETProfiler
- SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASCon.1
- Software\CommView
- SOFTWARE\Cygwin
- Software\eEye Digital Security
- SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wireshark.exe
- Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APIS32
- Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Debugging Tools for Windows (x86)
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APIS32
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ERUNT_is1
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Sniffer_is1
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
- SOFTWARE\SUPERAntiSpyware.com
- Software\Syser Soft
- Software\Win Sniffer
- SOFTWARE\ZxSniffer
- SYSTEM\CurrentControlSet\Services\IRIS5
- SYSTEM\CurrentControlSet\Services\SbieDrv
- SYSTEM\CurrentControlSet\Services\SDbgMsg
- SYSTEM\CurrentControlSet\Services\VBoxGuest
Payload
Redirects your search results
The malware adds entries to the hosts file so that the domains of popular websites such as Bing, Google and Facebook resolve to addresses it controls instead of the real sites. When you visit or search through one of these legitimate websites, the request is silently sent to the malware's own server. We have seen this threat redirect these domains to the following IP addresses:
- 85.17.81.55
- 107.181.187.40
- 146.0.75.27
If Mozilla Firefox is installed on your PC, this threat can create its own MozSearch plugin and set it as the default search engine for the Firefox toolbar. When the toolbar search box is used, the modified hosts file redirects the query from the legitimate search engine to a malware domain.
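An added example (not part of the original write-up) of checking a Windows hosts file for the redirect described above. It parses the file, keeps only entries for the search and social domains named in the write-up (including subdomains such as www.google.com), ignores loopback and 0.0.0.0 entries, which are sinkholes rather than redirects, and marks whether the target address is one of the three IP addresses listed above. The sample hosts content is constructed for illustration; on a real system read `%SystemRoot%\System32\drivers\etc\hosts`.

```python
import ipaddress

# IP addresses the write-up reports as redirect targets.
KNOWN_REDIRECT_IPS = {"85.17.81.55", "107.181.187.40", "146.0.75.27"}

# Domains whose presence in the hosts file is suspicious: no legitimate
# software needs to pin these to a fixed address.
SEARCH_DOMAINS = ("bing.com", "google.com", "facebook.com")

# Constructed sample: default Windows hosts comments, two benign entries,
# the redirect entries this threat writes, and an ad-blocking sinkhole line
# that must not be reported.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
85.17.81.55     www.bing.com bing.com
107.181.187.40  www.google.com      # added by malware
146.0.75.27     www.facebook.com facebook.com
0.0.0.0         ads.google.com
93.184.216.34   example.com
"""


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Yield (ip, hostname) pairs, skipping comments and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; the resolver ignores such lines too
        for host in parts[1:]:
            entries.append((str(ip), host.lower()))
    return entries


def is_search_domain(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in SEARCH_DOMAINS)


def find_search_redirects(text: str) -> list[dict]:
    """Return hosts entries that send a monitored domain to a non-local address."""
    findings = []
    for ip, host in parse_hosts(text):
        if not is_search_domain(host):
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue  # sinkholed (e.g. ad blocking), not redirected
        findings.append({
            "host": host,
            "ip": ip,
            "known_redirect_ip": ip in KNOWN_REDIRECT_IPS,
        })
    return findings


if __name__ == "__main__":
    for f in find_search_redirects(SAMPLE_HOSTS):
        print(f)
```

A hit whose `known_redirect_ip` is False still deserves attention: the address list in the write-up is what was observed at analysis time, and the same hosts-file technique works with any address the operator chooses. Remember that Firefox's MozSearch plugin issues its queries to the search engine's normal hostname, so a cleaned hosts file removes the redirect even if the plugin is still installed.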
Downloads other malware
This threat can connect to a remote host to upload information about your PC.
It also receives configuration data, including URLs to connect to and download files from, including other malware. The downloaded files are written to the %TEMP% folder.
We have seen this threat connect to the following IP addresses:
- 79.142.66.239
- 5.149.248.152
Analysis by Jayronn Christian Bucu