ADW_WEBCAKE.GA

This adware may arrive bundled with malware packages as a malware component. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be manually installed by a user.

It does not have any propagation routine.

It does not have any backdoor routine.

However, as of this writing, the said sites are inaccessible.

Arrival Details

This adware may arrive bundled with malware packages as a malware component.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be manually installed by a user.

Installation

This adware drops the following files:

• %User Temp%\{Malware Filename}-{4 Random Hex Values}.log -> contains installation log of the non-malicious software
• %User Temp%\{8 Random Hex Values}\v.txt -> contains URL 1st connection status
• %User Temp%\{8 Random Hex Values}\v2.txt -> contains URL 2nd connection status
• %User Temp%\{8 Random Hex Values}\_Setup.dll
• %User Temp%\{8 Random Hex Values}\_Setupx.dll
• %User Temp%\{8 Random Hex Values}\Setup.ico
• %User Temp%\{8 Random Hex Values}\x64\regsvr32.exe
• %User Temp%\{8 Random Hex Values}\x86\regsvr32.exe
• %User Temp%\{Random Hex Values}.dat -> contains strings from the malware, used by the non-malicious file as a substitute to its needed component named, "setup.dat"

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following non-malicious file:

• %User Temp%\{Malware Filename}-{4 Random Hex Values}.exe -> executed by the malware after dropping, uses the main malware as the argument to load the malware

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It creates the following folders:

• %User Temp%\{8 Random Hex Values}

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Propagation

This adware does not have any propagation routine.

Backdoor Routine

This adware does not have any backdoor routine.

Other Details

This adware does the following:

• It connects to the following URLs which will then redirect to the URL (http://ww1.{BLOCKED}cake.com ) where the advertisements will be found:
  • http://service.{BLOCKED}cake.com/installer/a?alpha={Base64 Values}
  • http://{BLOCKED}survey.com/

However, as of this writing, the said sites are inaccessible.

NOTES:

The adware displays the following installation window:

The redirected URL with advertisements displays the following page (the said URL can also be accessed by the user manually upon clicking the "Privacy Policy" or "End-User License" on the main window of the adware installation):

It does not have rootkit capabilities.

It does not exploit any vulnerability.