Trojan.DownLoader6.53409

Technical Information

Malicious functions:

Creates and executes the following:

%TEMP%\nsb6.tmp\amisid.exe
%TEMP%\nsb6.tmp\InstallerPB.exe /i /Optimize /PTN=amonetize_playbryte_fa_v2
%TEMP%\nsa2.tmp\tmp0002.exe /S /ci=302
%TEMP%\nsa2.tmp\ns3.tmp "%TEMP%\nsa2.tmp\lzma.exe" d %TEMP%\nsa2.tmp\inetc.bin %TEMP%\nsa2.tmp\inetc.dll
%TEMP%\nsa2.tmp\lzma.exe d %TEMP%\nsa2.tmp\inetc.bin %TEMP%\nsa2.tmp\inetc.dll

Executes the following:

<SYSTEM32>\ping.exe 1.1.1.1 -n 1 -w 3000

Modifies file system :

Creates the following files:

%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\playbryte@playbryte.com\FFAboutBlankSearch.txt
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\playbryte@playbryte.com\install.rdf
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\playbryte@playbryte.com\Toolbar.xml
<LS_APPDATA>\Playbryte\GAC\AxSHDocVw.dll
<LS_APPDATA>\Playbryte\GAC\SHDocVw.dll
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\playbryte@playbryte.com\chrome.manifest
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\playbryte@playbryte.com\chrome\content\json.js
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\playbryte@playbryte.com\chrome\content\login.xul
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\playbryte@playbryte.com\chrome\content\menu.xul
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\playbryte@playbryte.com\chrome\content\browserwindow.js
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\playbryte@playbryte.com\chrome\content\browserwindow.xul
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\playbryte@playbryte.com\chrome\content\fileio.js
<LS_APPDATA>\Playbryte\Firefox\playbryte@playbryte.com\chrome\content\toolbar.js
<LS_APPDATA>\Playbryte\Firefox\playbryte@playbryte.com\chrome\content\toolbar.xul
<LS_APPDATA>\Playbryte\Firefox\playbryte@playbryte.com\chrome\content\toolbarsidebarshared.js
<LS_APPDATA>\Playbryte\Firefox\playbryte@playbryte.com\chrome\content\sidebar.js
<LS_APPDATA>\Playbryte\Firefox\playbryte@playbryte.com\chrome\content\sidebar.xul
<LS_APPDATA>\Playbryte\Firefox\playbryte@playbryte.com\chrome\content\Thumbs.db
<LS_APPDATA>\Playbryte\Firefox\playbryte@playbryte.com\FFAboutBlankSearch.txt
<LS_APPDATA>\Playbryte\Firefox\playbryte@playbryte.com\install.rdf
<LS_APPDATA>\Playbryte\Firefox\playbryte@playbryte.com\Toolbar.xml
<LS_APPDATA>\Playbryte\Firefox\playbryte@playbryte.com\chrome\content\update_status.xul
<LS_APPDATA>\Playbryte\Firefox\playbryte@playbryte.com\chrome\content\windows.js
<LS_APPDATA>\Playbryte\Firefox\playbryte@playbryte.com\chrome.manifest
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\playbryte@playbryte.com\chrome\content\share_link.xul
%WINDIR%\assembly\tmp\V4LAV8HU\SHDocVw.dll
%WINDIR%\assembly\tmp\V4LAV8HU\__AssemblyInfo__.ini
%PROGRAM_FILES%\Playbryte\uninstall.exe
%WINDIR%\assembly\tmp\IVKDY7WH\AxSHDocVw.dll
%WINDIR%\assembly\tmp\IVKDY7WH\__AssemblyInfo__.ini
<LS_APPDATA>\fusioncache.dat
<LS_APPDATA>\ApplicationHistory\InstallerPB.exe.62fc8608.ini
%TEMP%\nsb6.tmp\Math.dll
%TEMP%\nsb6.tmp\inetc.dll
<LS_APPDATA>\Playbryte\install.log
%WINDIR%\Microsoft.NET\Framework\v1.1.4322\CONFIG\security.config.cch.new
%WINDIR%\Microsoft.NET\Framework\v1.1.4322\CONFIG\enterprisesec.config.cch.new
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\playbryte@playbryte.com\chrome\content\toolbar.js
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\playbryte@playbryte.com\chrome\content\toolbar.xul
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\playbryte@playbryte.com\chrome\content\toolbarsidebarshared.js
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\playbryte@playbryte.com\chrome\content\sidebar.js
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\playbryte@playbryte.com\chrome\content\sidebar.xul
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\playbryte@playbryte.com\chrome\content\Thumbs.db
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\playbryte@playbryte.com\chrome\content\inline\inline.js
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\playbryte@playbryte.com\chrome\content\settingsConfig.js
<LS_APPDATA>\Playbryte\usersettings.xml
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\playbryte@playbryte.com\chrome\content\update_status.xul
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\playbryte@playbryte.com\chrome\content\windows.js
%APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\playbryte@playbryte.com\chrome\content\images\hidden.png
%TEMP%\nsb6.tmp\amisid.exe
%TEMP%\nsb6.tmp\nsisos.dll
%TEMP%\nsb6.tmp\PlayBryte.bmp
%TEMP%\nsb6.tmp\IpConfig.dll
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\iw[1].0&cv=1189&p=294
%TEMP%\nsa2.tmp\tmp0003.tmp
<LS_APPDATA>\Playbryte\Settings\UpdaterSettings.xml
<LS_APPDATA>\Playbryte\AuthorizedURLs.xml
<LS_APPDATA>\Playbryte\BHO.xml
%TEMP%\nsb6.tmp\InstallerPB.exe
%TEMP%\playbryte-fa-amon_playbryte-fa-amon_install.zip
<LS_APPDATA>\Playbryte\Settings\ToolbarPrefs.txt
%TEMP%\nsa2.tmp\System.dll
%TEMP%\nsa2.tmp\Math.dll
%TEMP%\nsa2.tmp\md5dll.dll
%TEMP%\nsa2.tmp\lzma.exe
%TEMP%\nsa2.tmp\inetc.bin
%TEMP%\nsa2.tmp\z000000000.tmp
%TEMP%\nsa2.tmp\tmp0002.exe
%TEMP%\nsg5.tmp
%TEMP%\nsb6.tmp\System.dll
%TEMP%\nsa2.tmp\nsExec.dll
%TEMP%\nsa2.tmp\ns3.tmp
%TEMP%\nsa2.tmp\inetc.dll
<LS_APPDATA>\Playbryte\config.cfg
<LS_APPDATA>\Playbryte\Firefox\playbryte@playbryte.com\chrome\content\browserwindow.js
<LS_APPDATA>\Playbryte\Firefox\playbryte@playbryte.com\chrome\content\browserwindow.xul
<LS_APPDATA>\Playbryte\Firefox\playbryte@playbryte.com\chrome\content\fileio.js
<LS_APPDATA>\Playbryte\Chrome\listenerConfig.json
<LS_APPDATA>\Playbryte\Chrome\manifest.json
<LS_APPDATA>\Playbryte\Chrome\settingsConfig.json
<LS_APPDATA>\Playbryte\Firefox\playbryte@playbryte.com\chrome\content\login.xul
<LS_APPDATA>\Playbryte\Firefox\playbryte@playbryte.com\chrome\content\menu.xul
<LS_APPDATA>\Playbryte\Firefox\playbryte@playbryte.com\chrome\content\share_link.xul
<LS_APPDATA>\Playbryte\Firefox\playbryte@playbryte.com\chrome\content\images\hidden.png
<LS_APPDATA>\Playbryte\Firefox\playbryte@playbryte.com\chrome\content\inline\inline.js
<LS_APPDATA>\Playbryte\Firefox\playbryte@playbryte.com\chrome\content\json.js
<LS_APPDATA>\Playbryte\Toolbar.xml
<LS_APPDATA>\Playbryte\version.txt
<LS_APPDATA>\Playbryte\Assemblies\1\BrowserObjects.dll
<LS_APPDATA>\Playbryte\config.json
<LS_APPDATA>\Playbryte\Desktop.xml
<LS_APPDATA>\Playbryte\TabsSearch.txt
<LS_APPDATA>\Playbryte\Chrome\content.js
<LS_APPDATA>\Playbryte\Chrome\inline.js
<LS_APPDATA>\Playbryte\Chrome\inline_content.js
<LS_APPDATA>\Playbryte\Assemblies\1\Inline.dll
<LS_APPDATA>\Playbryte\Chrome\assemblyConfig.json
<LS_APPDATA>\Playbryte\Chrome\bg.html

Deletes the following files:

%TEMP%\nsb6.tmp\amisid.exe
%TEMP%\nsb6.tmp\inetc.dll
%TEMP%\nsb6.tmp\InstallerPB.exe
%WINDIR%\Microsoft.NET\Framework\v1.1.4322\CONFIG\security.config.cch.2848.149093
%WINDIR%\Microsoft.NET\Framework\v1.1.4322\CONFIG\enterprisesec.config.cch.2848.149109
%TEMP%\nsb6.tmp\PlayBryte.bmp
%TEMP%\nsb6.tmp\System.dll
%TEMP%\nsb6.tmp\nsisos.dll
%TEMP%\nsb6.tmp\IpConfig.dll
%TEMP%\nsb6.tmp\Math.dll
%TEMP%\playbryte-fa-amon_playbryte-fa-amon_install.zip
%TEMP%\nsa2.tmp\inetc.dll
%TEMP%\nsa2.tmp\lzma.exe
%TEMP%\nsa2.tmp\inetc.bin
%TEMP%\nsa2.tmp\z000000000.tmp
%TEMP%\nsa2.tmp\ns3.tmp
%TEMP%\nsa2.tmp\System.dll
%TEMP%\nsa2.tmp\tmp0003.tmp
%TEMP%\nsa2.tmp\nsExec.dll
%TEMP%\nsa2.tmp\Math.dll
%TEMP%\nsa2.tmp\md5dll.dll

Moves the following system files:

from %WINDIR%\Microsoft.NET\Framework\v1.1.4322\CONFIG\enterprisesec.config.cch to %WINDIR%\Microsoft.NET\Framework\v1.1.4322\CONFIG\enterprisesec.config.cch.2848.149109
from %WINDIR%\Microsoft.NET\Framework\v1.1.4322\CONFIG\security.config.cch to %WINDIR%\Microsoft.NET\Framework\v1.1.4322\CONFIG\security.config.cch.2848.149093

Network activity:

Connects to:

're#####.amonetize.com':80
'im##############y-1085035873.us-east-1.elb.amazonaws.com':80
'www.in####lwrapper.com':80

TCP:

HTTP GET requests:

im##############y-1085035873.us-east-1.elb.amazonaws.com/impression.do/?ev####################################################################################################################################################################################################################
im##############y-1085035873.us-east-1.elb.amazonaws.com/impression.do/?ev##########################################################################################################################################################################################################
im##############y-1085035873.us-east-1.elb.amazonaws.com/impression.do/?ev#######################################################################################################################################################################################################################
www.in####lwrapper.com/api/iw/?i=############################################################
im##############y-1085035873.us-east-1.elb.amazonaws.com/impression.do/?ev#################################################################################################################################################################################################################

UDP:

DNS ASK re#####.amonetize.com
DNS ASK im##############y-1085035873.us-east-1.elb.amazonaws.com
DNS ASK www.in####lwrapper.com

Miscellaneous:

Searches for the following windows:

ClassName: 'Shell_TrayWnd' WindowName: ''

Technologies

Begriffe

Schulung und Training

Mythen

Technical Information

Curing recommendations

Free trial