During log analysis, our malware researcher spotted a detection in which a URL was being blocked as malware. Let us analyse this case:
We visited the URL in a controlled environment dedicated to malware analysis. It downloads a PE file saved under the name Update.msi. Meanwhile, we checked the URL's scan results on VirusTotal and cross-verified whether the downloaded file was already known there.
The detection rate for the downloaded file shows it flagged as a potentially unwanted application (PUA); ESET detects it as a CrossRider variant, which is a PUA family.
The Relations tab on the VirusTotal page shows another archive file, flagged by many of the antimalware engines listed there. They all detect that sample as Adware.Googupdate.
The file is a potentially unwanted application belonging to the Googupdate and CrossRider families.
It targets web browsers and changes their settings so that it can hijack the start page and the search page on infected systems.
Dissecting the binary in a controlled environment, we found the following (each line of the string dump shows the file offset, the virtual address and the string):
It locates the browser, using the path templates below and a WMI query against running processes:
000000004F30 000010006930 0 %ProgramFiles%\Google\Chrome\Application\%BROWSNAMEC%.exe
000000004FA8 0000100069A8 0 %ProgramW6432%\Google\Chrome\Application\%BROWSNAMEC%.exe
000000005020 000010006A20 0 %LOCALAPPDATA%\Google\Chrome\Application\%BROWSNAMEC%.exe
000000005098 000010006A98 0 %LOCALAPPDATA%\Chrome\Application\%BROWSNAMEC%.exe
000000005100 000010006B00 0 Google Chrome
00000000511C 000010006B1C 0 Chrome
00000000512C 000010006B2C 0 %s\chrome.exe
000000005148 000010006B48 0 select * from win32_process where executablepath like "%%BROWSNAMEC%.exe"
0000000051DC 000010006BDC 0 executablepath
0000000051FC 000010006BFC 0 Mozilla Firefox
The following strings show it gathering the OS version, the username and computer, BIOS, volume and physical-media details through WMI, which is consistent with host fingerprinting:
000000005240 000010006C40 0 SOFTWARE\Microsoft\Windows NT\CurrentVersion
00000000529C 000010006C9C 0 CurrentMajorVersionNumber
0000000052D0 000010006CD0 0 CurrentMinorVersionNumber
000000005304 000010006D04 0 CurrentVersion
000000005324 000010006D24 0 ProgramW6432
000000005340 000010006D40 0 %d--%d--%d
000000005358 000010006D58 0 username
000000005370 000010006D70 0 select * from win32_computersystem
0000000053BC 000010006DBC 0 serialNumber
0000000053D8 000010006DD8 0 select * from win32_volume
000000005410 000010006E10 0 filesystem
000000005428 000010006E28 0 version
000000005438 000010006E38 0 select * from win32_bios
00000000546C 000010006E6C 0 serialnumber
000000005488 000010006E88 0 select * from win32_physicalmedia
0000000054E8 000010006EE8 0 BINRES
0000000054F8 000010006EF8 0 explorer.exe
000000005518 000010006F18 0 %s %s %s "%s" "%s" "%s" %d "%s" %s
000000005560 000010006F60 0 Software\CLASSES\CLSID\{9563BC59-9556-4805-8CD4-886781779D8D}
These are the sites found in memory:
000000006800 000010009000 0 http://b.wehelptoyou.com
000000006A58 000010009258 0 v3u5r5i9.ssl.hwcdn.net
000000006BE8 0000100093E8 0 d1mib3adbtgkgp.cloudfront.net
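The triage above rests on the sample's embedded strings. The following Python script, added here as an illustration and not part of the original analysis or of any vendor's tooling, does the same extraction in a repeatable way: it pulls ASCII and UTF-16LE strings out of a binary blob and buckets them into the indicator classes seen above (browser paths, WMI queries, fingerprinting keys, CLSID registration, network endpoints). The indicator regexes are this example's own assumptions, chosen from the strings listed above, and the byte blob it runs on is constructed inline from a few of those strings rather than taken from the real sample.

```python
import re

# Indicator classes keyed on the strings seen in the dump above. These
# regexes are this example's assumptions, not an AV vendor's signature.
INDICATORS = {
    "browser_path": re.compile(r"%BROWSNAMEC%|\\chrome\.exe|Google Chrome|Mozilla Firefox", re.I),
    "wmi_query": re.compile(r"select\s+\*\s+from\s+win32_\w+", re.I),
    "fingerprint_key": re.compile(
        r"CurrentVersion|serialnumber|win32_(?:bios|physicalmedia|computersystem|volume)", re.I),
    "clsid": re.compile(r"CLSID\\\{[0-9A-F-]{36}\}", re.I),
    "network": re.compile(r"https?://\S+|\b[\w-]+(?:\.[\w-]+)+\.(?:com|net)\b", re.I),
}


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Return printable ASCII and UTF-16LE runs of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def classify(strings: list) -> dict:
    """Bucket strings by indicator class; a string may land in more than one bucket."""
    hits = {name: [] for name in INDICATORS}
    for s in strings:
        for name, pattern in INDICATORS.items():
            if pattern.search(s) and s not in hits[name]:
                hits[name].append(s)
    return hits


def analyze(data: bytes) -> dict:
    """Extract strings from a binary blob and classify them."""
    return classify(extract_strings(data))


# Constructed sample: a few of the strings from the dump above, laid out as
# NUL-terminated ASCII plus one UTF-16LE string, padded with junk bytes.
SAMPLE_ASCII = [
    r"%ProgramFiles%\Google\Chrome\Application\%BROWSNAMEC%.exe",
    'select * from win32_process where executablepath like "%%BROWSNAMEC%.exe"',
    r"Software\CLASSES\CLSID\{9563BC59-9556-4805-8CD4-886781779D8D}",
    "http://b.wehelptoyou.com",
    "d1mib3adbtgkgp.cloudfront.net",
]
SAMPLE = (
    b"MZ" + b"\x00" * 14
    + b"".join(s.encode("ascii") + b"\x00\x01" for s in SAMPLE_ASCII)
    + "select * from win32_bios".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x00junk\x00"
)

if __name__ == "__main__":
    # On a real file: analyze(open(path, "rb").read())
    for name, matches in analyze(SAMPLE).items():
        print(f"[{name}]")
        for s in matches:
            print("   ", s)
```

The WMI process query lands in both the browser_path and wmi_query buckets, which is the point: a string that both names the browser and enumerates processes is a stronger hint of hijacking intent than either alone. Run it over the real sample and over the related archive from the Relations tab to see whether the same indicator set appears in both.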
Identification:
-Check for unexpected changes to the web browser settings.
-Check whether the start page (homepage) has changed from your chosen home page or the browser's default page.
-Check for an increase in pop-up ads.
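The identification steps above can be scripted for Chrome, the browser the sample looks for. The Python audit below is an added example, not part of the original write-up: it reads the profile's Preferences JSON and reports a homepage, startup page or default search provider whose host is not on a list the user recognises. The preference keys used (homepage, homepage_is_newtabpage, session.restore_on_startup, session.startup_urls, default_search_provider_data.template_url_data.url) are assumed from the layout Chrome writes in its profile, and the hijacked sample preferences are constructed for the example; the hijack host in them is a placeholder, not a domain from the sample.

```python
import json
from urllib.parse import urlsplit

# Hosts the user actually chose for homepage, startup and search.
# Constructed for this example; replace with your own.
TRUSTED_HOSTS = {"google.com", "www.google.com", "duckduckgo.com"}


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def audit_preferences(prefs: dict, trusted_hosts=TRUSTED_HOSTS) -> list:
    """Return (setting, url) pairs whose host is not in trusted_hosts."""
    findings = []
    homepage = prefs.get("homepage")
    if homepage and not prefs.get("homepage_is_newtabpage", False) \
            and _host(homepage) not in trusted_hosts:
        findings.append(("homepage", homepage))
    session = prefs.get("session", {})
    # restore_on_startup == 4 means "open a specific set of pages" (assumed key/value).
    if session.get("restore_on_startup") == 4:
        for url in session.get("startup_urls", []):
            if _host(url) not in trusted_hosts:
                findings.append(("startup_url", url))
    search = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    search_url = search.get("url")
    if search_url and _host(search_url) not in trusted_hosts:
        findings.append(("default_search", search_url))
    return findings


def load_preferences(path: str) -> dict:
    """Load a Chrome profile's Preferences file (plain JSON)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample of a hijacked profile; the host is a placeholder.
HIJACKED_PREFS = {
    "homepage": "http://search.hijack-example.test/?src=pua",
    "homepage_is_newtabpage": False,
    "session": {
        "restore_on_startup": 4,
        "startup_urls": ["https://www.google.com/", "http://search.hijack-example.test/"],
    },
    "default_search_provider_data": {
        "template_url_data": {
            "keyword": "hijack",
            "url": "http://search.hijack-example.test/?q={searchTerms}",
        }
    },
}

# Constructed clean profile for comparison.
CLEAN_PREFS = {
    "homepage": "https://www.google.com/",
    "homepage_is_newtabpage": True,
    "session": {"restore_on_startup": 1},
    "default_search_provider_data": {
        "template_url_data": {"url": "https://www.google.com/search?q={searchTerms}"}
    },
}

if __name__ == "__main__":
    # Real profile on Windows (assumed default location):
    #   %LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences
    for setting, url in audit_preferences(HIJACKED_PREFS):
        print(f"suspicious {setting}: {url}")
```

Close Chrome before reading the file so the on-disk copy is current. Alongside the browser check, query the registry for the CLSID seen in the sample's strings, for example `reg query "HKCU\Software\Classes\CLSID\{9563BC59-9556-4805-8CD4-886781779D8D}"` and the same key under HKLM, since the string does not say which hive the sample writes to.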
Recommended actions:
-Don't click pop-up ads, since they may lead to the installation of this sort of PUA on your system.
-Use a reputable adware cleaner. Most AV products will remove these files, provided their signatures are kept up to date.