Analysis by: Pearl Charlaine Espejo
 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Potentially Unwanted Application

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This potentially unwanted application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It connects to certain websites to send and receive information. It gathers information and reports it to its servers.

  TECHNICAL DETAILS

File Size: 808,768 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 13 Oct 2016
Payload: Connects to URLs/IPs

Arrival Details

This potentially unwanted application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This potentially unwanted application drops the following files:

  • %User Temp%\ICReinstall_{malware filename}.exe - copy of itself, deleted afterwards
  • %User Temp%\{random filename}.log
  • %User Temp%\ish{random characters}\css\ie6_main.css
  • %User Temp%\ish{random characters}\css\main.css
  • %User Temp%\ish{random characters}\css\sdk-ui\browse.css
  • %User Temp%\ish{random characters}\css\sdk-ui\button.css
  • %User Temp%\ish{random characters}\css\sdk-ui\checkbox.css
  • %User Temp%\ish{random characters}\css\sdk-ui\images\button-bg.png
  • %User Temp%\ish{random characters}\css\sdk-ui\images\progress-bg-corner.png
  • %User Temp%\ish{random characters}\css\sdk-ui\images\progress-bg.png
  • %User Temp%\ish{random characters}\css\sdk-ui\images\progress-bg2.png
  • %User Temp%\ish{random characters}\css\sdk-ui\progress-bar.css
  • %User Temp%\ish{random characters}\csshover3.htc
  • %User Temp%\ish{random characters}\dat\upd.DAT
  • %User Temp%\ish{random characters}\form.bmp.Mask
  • %User Temp%\ish{random characters}\images\BG.png
  • %User Temp%\ish{random characters}\images\Close.png
  • %User Temp%\ish{random characters}\images\Close_Hover.png
  • %User Temp%\ish{random characters}\images\Color_Button.png
  • %User Temp%\ish{random characters}\images\Color_Button_Hover.png
  • %User Temp%\ish{random characters}\images\Grey_Button.png
  • %User Temp%\ish{random characters}\images\Grey_Button_Hover.png
  • %User Temp%\ish{random characters}\images\Loader.gif
  • %User Temp%\ish{random characters}\images\Logo.png
  • %User Temp%\ish{random characters}\images\Progress.png
  • %User Temp%\ish{random characters}\images\ProgressBar.png
  • %User Temp%\ish{random characters}\images\text-bg.png
  • %User Temp%\ish{random characters}\locale\DE.locale
  • %User Temp%\ish{random characters}\locale\EN.locale
  • %User Temp%\ish{random characters}\locale\ES.locale
  • %User Temp%\ish{random characters}\locale\FR.locale
  • %User Temp%\ish{random characters}\locale\IT.locale
  • %User Temp%\ish{random characters}\locale\PL.locale
  • %User Temp%\ish{random characters}\locale\PT.locale
  • %User Temp%\ish{random characters}\locale\RU.locale
  • %User Temp%\ish{random characters}\locale\UA.locale
  • %User Temp%\ish{random characters}\bootstrap_{random characters}.html
  • %Program Files%\is{random characters}.log
  • %Desktop%\Continue Download Manager Installation.lnk

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.. %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It creates the following folders:

  • %User Temp%\ish{random characters}

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Propagation

This potentially unwanted application does not have any propagation routine.

Backdoor Routine

This potentially unwanted application does not have any backdoor routine.

Download Routine

This potentially unwanted application accesses the following websites to download files:

  • http://s3.{BLOCKED}aws.com/Adlsoft/releases/DownloadManagerV2.exe

It saves the files it downloads using the following names:

  • %User Temp%\is{random characters}\{random characters}_stp.EXE

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Trend Micro detects the dowloaded file as:

  • PUA_MiPony.GA

Other Details

This potentially unwanted application connects to the following website to send and receive information:

  • http://{BLOCKED}s.{BLOCKED}wnload-manager.com/CM_DS/?v={version number}&c={value} {computed/hashed Tick Count}
  • http://{BLOCKED}p.{BLOCKED}wnload-manager.com/?pcrc={computed/hashed Tick Count}
  • http://{BLOCKED}s.{BLOCKED}wnload-manager.com/Aff-AD/?v={version number}&c={computed/hashed Tick Count}

It does the following:

  • It opens its webpage by connecting to:
    • http://www.{BLOCKED}tdownload-manager.com/download-manager/welcome/oc/?&adnm=40400858787&i=s&grid=&lg=ja&cc=JP&clg=ja&c=1&d=0&cid=_707908551&kw=microsoft%E3%83%80%E3%82%A6%E3%83%B3%E3%83%AD%E3%83%BC%E3%83%89%E3%83%9E%E3%83%8D%E3%83%BC%E3%82%B8%E3%83%A3%E3%83%BC&mt=&mn=soft.officelabo.net&ct=&nt=D&expr=&ap=none&dv=c&agid=_72001342821&gclid=CIL7keflvr0CFYOUvQodBoYAGg&iv=0

  • It connects to the following website to get widget:
    • http://{BLOCKED}.{BLOCKED}d.com/widget/render/hash/84d4baf304e47282405d6a04e2a11e84

It gathers the following information and reports it to its servers:

  • Unique Identifier (Mac Address + last 4 characters of Volume Serial Number)
  • OS Version
  • Service Pack
  • OS Language
  • is 64 bit
  • is Administrator
  • Tick Count
  • System Date and Time
  • VM Status (if running in Virtual Machine)
  • Mac Address
  • PE Mode
  • DEP Mode
  • Check Sum of Executable
  • Malware Filename

NOTES:

It does not have rootkit capabilities.

It does not exploit any vulnerability.

  SOLUTION

Minimum Scan Engine: 9.800
SSAPI PATTERN File: 1.779.00
SSAPI PATTERN Date: 20 Oct 2016

Step 1

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 2

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 3

Identify and terminate files detected as PUA_INSTALLCORE.GG

[ Learn More ]
  1. Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
  2. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
  3. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

Step 4

Remove malware/grayware files dropped/downloaded by PUA_INSTALLCORE.GG. (Note: Please skip this step if the threats listed below have already been removed.)

     
    • PUA_MiPony.GA

Step 5

Search and delete these folders

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %User Temp%\ish{random characters}

Step 6

Search and delete this file

[ Learn More ]
There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %Program Files%\is{random characters}.log
  • %User Temp%\{random filename}.log
  • %Desktop%\Continue Download Manager Installation.lnk

Step 7

Scan your computer with your Trend Micro product to delete files detected as PUA_INSTALLCORE.GG. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.

Related Malware