Analysis by: Jay Garcia
ALIASES:

AdWare.Win32.Funshion.go (Kaspersky); FusionCore. (NAI)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Adware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 3,974,758 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 17 Oct 2019

Arrival Details

This Adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Adware drops the following files:

  • {Install Directory}\ImgBurn
  • {Install Directory}\ImgBurn\ImgBurn.exe
  • {Install Directory}\ImgBurn\ImgBurnPreview.exe
  • {Install Directory}\ImgBurn\ReadMe.txt
  • {Install Directory}\ImgBurn\Sounds\Success.wav
  • {Install Directory}\ImgBurn\Sounds\Error.wav
  • {Install Directory}\ImgBurn\uninstall.exe
  • %Common Programs%\ImgBurn.lnk
  • %Common Programs%\ImgBurn\Uninstall.lnk
  • %Common Programs%\ImgBurn\ImgBurn.lnk
  • %Common Programs%\ImgBurn\ImgBurn Read Me.lnk
  • %Desktop%\ImgBurn.lnk

(Note: %Common Programs% is the folder that contains common program groups for all users, which is usually C:\Documents and Settings\All Users\Start Menu\Programs on Windows 2000, XP, and Server 2003, or C:\ProgramData\Microsoft\Windows\Start Menu\Programs on Windows Vista, 7, and 8.. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other System Modifications

This Adware adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ImgBurn.AssocFile.{file extension}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ImgBurn.AssocFile.{file extension}\DefaultIcon

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ImgBurn.AssocFile.{file extension}\shell

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ImgBurn.AssocFile.{file extension}\shell\open

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ImgBurn.AssocFile.{file extension}\shell\open\
command

It adds the following registry entries:

HKEY_CURRENT_USER\Software\ImgBurn
EVENTS_CheckForProgramUpdate = 2

HKEY_CURRENT_USER\Software\ImgBurn
InstallDirectory = {Install Directory}\ImgBurn

HKEY_CURRENT_USER\Software\ImgBurn
VersionMajor = 2

HKEY_CURRENT_USER\Software\ImgBurn
VersionMinor = 5

HKEY_CURRENT_USER\Software\ImgBurn
VersionRevision = 8

HKEY_CURRENT_USER\Software\ImgBurn
VersionBuild = 0

HKEY_CURRENT_USER\Software\ImgBurn
INSTALLER_StartMenuShortcuts = 1

HKEY_CURRENT_USER\Software\ImgBurn
INSTALLER_DesktopIcon = 1

HKEY_CURRENT_USER\Software\ImgBurn
INSTALLER_QuickLaunchIcon = 1

HKEY_CURRENT_USER\Software\ImgBurn
INSTALLER_InstallAllUsers = 1

HKEY_LOCAL_MACHINE\SOFTWARE\ImgBurn
EVENTS_CheckForProgramUpdate = 2

HKEY_CURRENT_USER\Software\ImgBurn
INSTALLER_EnableSPTIAccessAllUsers = 0

HKEY_CURRENT_USER\Software\ImgBurn
INSTALLER_EnableSPTIAccessRemoteSessions = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ImgBurn.AssocFile.{file extension}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ImgBurn.AssocFile.{file extension}
FriendlyTypeName = Disc Image File

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ImgBurn.AssocFile.{file extension}\DefaultIcon

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ImgBurn.AssocFile.{file extension}\shell\open

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ImgBurn.AssocFile.{file extension}\shell\open\
command

Other Details

This Adware connects to the following possibly malicious URL:

  • http://rp.{BLOCKED}g.com/
  • http://www.{BLOCKED}n.com/css/default.css

  SOLUTION

Minimum Scan Engine: 9.850
SSAPI PATTERN File: 2.228.00
SSAPI PATTERN Date: 24 Oct 2019

Step 1

Trend Micro Predictive Machine Learning detects and blocks malware at the first sign of its existence, before it executes on your system. When enabled, your Trend Micro product detects this malware under the following machine learning name:

     TROJ.Win32.TRX.XXPE50FLM008

Step 2

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 3

Remove Adware.Win32.Instacore.AC by using its own Uninstall option

[ Learn More ]
To uninstall the grayware process

Step 4

Scan your computer with your Trend Micro product to delete files detected as Adware.Win32.Instacore.AC. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.