Analysis of Potentially Unwanted Application

During the log analysis, our malware researcher spotted a virus detection where an URL getting blocked as malware. Let us analyse this case:

Blocked URL: 

Malicious URL
We visited the URL in control environment which is dedicated to malware analysis. It downloads a PE file as Update.msi. Meanwhile, we checked in the VirusTotal for the URL scan results and if any downloading of the file gets cross verified by VirusTotal. 

VT result for the malicious URL

We traversed to the detection rate for the downloaded file which is flagged as a potentially unwanted application (PUA). ESET detection as CrossRider which is PUA variant. 

File Hash- VT result

When we checked the relationship tab on the VirusTotal page, it shows another archive file which gets flagged many antimalware engines listed on the VirusTotal page. They all detect the sample as Adware.Googupdate. 

Related File in the VirusTotal

VirusTotal Links for the reader's reference:

URL Detection:

Downloaded File:

Related File:

Analysis of the Malware file:

The file is a potentially unwanted application. It falls under the family of Googupdate variants and crossrider variants.
It will target the web browsers and change the settings so that it can perform start page hijack, search page hijack in that infected systems.

Dissecting of that given binary in controlled environment:
We found following things:

It looks for the browser:
000000004F30   000010006930      0   %ProgramFiles%\Google\Chrome\Application\%BROWSNAMEC%.exe
000000004FA8   0000100069A8      0   %ProgramW6432%\Google\Chrome\Application\%BROWSNAMEC%.exe
000000005020   000010006A20      0   %LOCALAPPDATA%\Google\Chrome\Application\%BROWSNAMEC%.exe
000000005098   000010006A98      0   %LOCALAPPDATA%\Chrome\Application\%BROWSNAMEC%.exe
000000005100   000010006B00      0   Google Chrome
00000000511C   000010006B1C      0   Chrome
00000000512C   000010006B2C      0   %s\chrome.exe
000000005148   000010006B48      0   select * from win32_process where executablepath like "%%BROWSNAMEC%.exe"
0000000051DC   000010006BDC      0   executablepath
0000000051FC   000010006BFC      0   Mozilla Firefox

This file checks for the following information:

000000005240   000010006C40      0   SOFTWARE\Microsoft\Windows NT\CurrentVersion
00000000529C   000010006C9C      0   CurrentMajorVersionNumber
0000000052D0   000010006CD0      0   CurrentMinorVersionNumber
000000005304   000010006D04      0   CurrentVersion
000000005324   000010006D24      0   ProgramW6432
000000005340   000010006D40      0   %d--%d--%d
000000005358   000010006D58      0   username
000000005370   000010006D70      0   select * from win32_computersystem
0000000053BC   000010006DBC      0   serialNumber
0000000053D8   000010006DD8      0   select * from win32_volume
000000005410   000010006E10      0   filesystem
000000005428   000010006E28      0   version
000000005438   000010006E38      0   select * from win32_bios
00000000546C   000010006E6C      0   serialnumber
000000005488   000010006E88      0   select * from win32_physicalmedia
0000000054E8   000010006EE8      0   BINRES
0000000054F8   000010006EF8      0   explorer.exe
000000005518   000010006F18      0   %s %s %s "%s" "%s" "%s" %d "%s" %s
000000005560   000010006F60      0   Software\CLASSES\CLSID\{9563BC59-9556-4805-8CD4-886781779D8D}

These are the sites found in the memory:

000000006800   000010009000      0
000000006A58   000010009258      0
000000006BE8   0000100093E8      0


-Check whether any weird behaviour in the web browser settings i.e. changes in the web browser settings.
-Any changes in the start page (homepage) instead of your favourite home page or default browser page.
-Check for more kind of popup ads.

Recommended actions: 

-Don't open popup ads, since it may lead to the installation of this sort of PUA files in your system.
-Use recommended adware cleaner. But, most of the AV products will remove these stuff. A proper update is important.


Google Plus:

Popular Posts

Chitika Ads