11/18/2013

Category MALICIOUS IP: 46.165.228.246
(Interception of a Rogue ad Campaign) with Thanks to Dancho Danchev

Another rogue ad campaign (not to be confused with a legitimate advertising campaign) has been intercepted, attempting to trick users into installing the EzDownloaderpro PUA (Potentially Unwanted Application). Relying primarily on catchy “Play Instantly, Download Now” banners, the visual social engineering tactic of this campaign is similar to that of other PUA-related campaigns that have previously been profiled. Let’s take a look at this new rogue ad campaign and provide relevant threat intelligence on the infrastructure behind it.

Domain surveillance of some specific redirects:

Location Data: San Francisco
------------------------------------
superfilesdocumentsy.asia/v944/?a=1
  • https://www.virustotal.com/de/url/062d123c7599a52d5cd1c42edc8a6971c91ddfe2f336b1bac72860611b8f2702/analysis/1384701938/
PUA: not-a-virus:Downloader.Win32.AdLoad.fwz
  • https://www.virustotal.com/de/file/8567bc9279ca8e7c2be23bfb513eb285d662233bd8528416afb509faef14b389/analysis/1384701943/
IPs:
141.101.117.252 (Cloudflare)
  • https://www.virustotal.com/de/url/89163a510d694d5717eb5dcb88036e7366c96620f36aec26e62e879efeddbc9e/analysis/1384702693/
  • https://www.virustotal.com/de/ip-address/141.101.117.252/information/
141.101.116.252 (Cloudflare)
  • https://www.virustotal.com/de/url/5df0642b589152b807eeb5910b26fe8e9c8c2bf4415f9e3a437d8f5ad4836c37/analysis/1384703661/

------------------------------------------------------------------------------------------------------------------------

applicationscenterforally.asia/v944/?INm
  • https://www.virustotal.com/de/url/110f167f8b1a5c45cfa1531db3226a1b1bd00f191529b3a3e8c222b992a82df9/analysis/1384704601/
Application.Win32.InstalleRex.LL
  • https://www.virustotal.com/de/file/242c3638ad824d612d6ed91823671aaefb503a83f744d6d472d402595d720aac/analysis/1384704604/
  • http://urlquery.net/report.php?id=7774362
  • http://app.webinspector.com/public/reports/18450113
IPs:
108.162.197.34 (Cloudflare)
  • https://www.virustotal.com/de/url/43ee0d2d8d7a39dc1791a85ded58b26f566d60f704069ebeadd465d2ce13a6e7/analysis/1384705270/
  • https://www.virustotal.com/de/ip-address/108.162.197.34/information/
108.162.196.34 (Cloudflare)
  • https://www.virustotal.com/de/url/9f497a74dc2bd7ea5c115c98199212d5bbdbaa625b7e612d17144191b5cec29a/analysis/1384707723/
  • https://www.virustotal.com/de/ip-address/108.162.196.34/information/

------------------------------------------------------------------------------------------------------------------------

op.applicationscenterforally.asia/sspcQA/ssa/
  • https://www.virustotal.com/de/url/5311fc57b109651eb8e1a49d70a580881a9e23e7de21e5676f20c6c4df0cd92d/analysis/1384708370/
ADWARE/InstallRex.Gen
  • https://www.virustotal.com/de/file/18a813f5bc905194c727424a17e9b2578d7ee8d76d23804799934b3d76001436/analysis/1384708600/

------------------------------------------------------------------------------------------------------------------------

Other domains pointing to the same IP, 46.165.228.246:

• amu.downurfiles.info
• downloadkeeper.info
• driveridentifier-download.com
• ezdownloadpro.info
• iframe.applicationsforentirey.asia
• iframe.applicationsforeveryy.asia
• iframe.filesaredirecty.asia
• iframe.filesareonliney.asia
• iframe.superfilesdatay.asia
• lp.ezdownloadpro.info
• lp.livetrafficall.info
• op.alllinuxapplicationsy.asia
• op.applicationsforcompletey.asia
• op.applicationsforentirey.asia
• op.applicationsforeveryy.asia
• op.bestfilesarey.asia
• op.bestfilesdatay.asia
• op.documentsguidey.asia
• op.documentssitey.asia

Domains that resolved to 141.101.117.252:

• 2upl.com
• amu.domainforcompany.info
• andyrohr.com
• bookmarkspiral.com
• filecm.net
• hackstore.net
• happysky.heartbrea.kr
• icephoenixbot.com
• krazywap.ws
• octavis.net

Malicious files (MD5 hashes) known to have been downloaded from 141.101.117.252:

MD5: fd4195ef1af7fb49a673633ed57b87ab
MD5: c0d9713acfc46c2a466a9de77292636d
MD5: d3119ed48cb5896d41aeae4b51f2667a
MD5: c6799f5425fbe038778c4c4a22b35a41
MD5: 840fa1e6c0f81f6da1a347ecb3b2db2e
MD5: c27d4537d24aa55df9837479da2ae111
MD5: c77fc69c7b96c53ce762b87c98831327
MD5: dce1c89d7a267b2a4ae925b5a387e5cd
MD5: a868964e1fe66e4a7638f46ba7844b52
MD5: 2acc54f86694e8d7674e8e1afff86aa1
MD5: 5f078de83a9ce3ee2d9d2fe174cd234c
MD5: 0426e6c1fe2aa8681c683428bb3d2dd7
MD5: efcd92d3be23e624bca2db8515f0df20
MD5: 30ac6dd3290ab3c9281e81c2cba2097e
MD5: 9b35dcacd42e6ba1c596a8bc0425d646

Domains that resolved to 108.162.197.34:

• 4agent.info
• advancedchirocenter.com
• albertomolteni.altervista.org
• applicationscenterforally.asia
• asoiaf.westeros.org
• br.singlesfind.us
• buker.ru
• chaochui88.com
• client.ferocitybooter.net
• habbokekos.net
• hentaimate.com
• horny-locals.com
• img.b2bage.com
• onvideogames.net
• op.applicationscenterforally.asia
• papermashup.com
• pdiva.ro
• pinoyhideout.com.ph
• prestamosdinerolosangeles.com
• sdx.cc

-------------------------------------------------------------------------------



The following file has been downloaded from 108.162.197.34: Download.exe
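The indicators above are only useful once they are checked against something. The following added example (not part of the original post, and not code from Dancho Danchev or anyone else the post credits) loads the post's domains, IPs and MD5s and runs them over a few constructed proxy log lines. It also encodes the caveat a defender needs here: 141.101.x.x and 108.162.x.x are Cloudflare edge addresses shared with many unrelated sites (the post's own "Domains that resolved to" lists show that), so an IP-only hit on them is graded as weak evidence, while a domain, a hash, or the dedicated IP 46.165.228.246 is graded as strong. The log format, the subdomain-matching rule and the severity labels are this example's own assumptions.

```python
import re
from urllib.parse import urlparse

# Domains copied from the post above. A host that is a subdomain of a listed
# domain (e.g. cdn.downloadkeeper.info under downloadkeeper.info) also counts;
# that suffix rule is this example's choice, not something the post states.
ROGUE_DOMAINS = {
    "superfilesdocumentsy.asia", "applicationscenterforally.asia",
    "op.applicationscenterforally.asia", "amu.downurfiles.info",
    "downloadkeeper.info", "driveridentifier-download.com", "ezdownloadpro.info",
    "iframe.applicationsforentirey.asia", "iframe.applicationsforeveryy.asia",
    "iframe.filesaredirecty.asia", "iframe.filesareonliney.asia",
    "iframe.superfilesdatay.asia", "lp.ezdownloadpro.info", "lp.livetrafficall.info",
    "op.alllinuxapplicationsy.asia", "op.applicationsforcompletey.asia",
    "op.applicationsforentirey.asia", "op.applicationsforeveryy.asia",
    "op.bestfilesarey.asia", "op.bestfilesdatay.asia", "op.documentsguidey.asia",
    "op.documentssitey.asia",
}
# The IP the campaign's own domains point to directly (strong indicator).
DEDICATED_IPS = {"46.165.228.246"}
# Cloudflare edge IPs named in the post: shared with unrelated sites, so a
# hit on these alone is only weak evidence.
SHARED_EDGE_IPS = {"141.101.117.252", "141.101.116.252",
                   "108.162.197.34", "108.162.196.34"}
# MD5s listed in the post as downloaded from 141.101.117.252.
ROGUE_MD5S = {
    "fd4195ef1af7fb49a673633ed57b87ab", "c0d9713acfc46c2a466a9de77292636d",
    "d3119ed48cb5896d41aeae4b51f2667a", "c6799f5425fbe038778c4c4a22b35a41",
    "840fa1e6c0f81f6da1a347ecb3b2db2e", "c27d4537d24aa55df9837479da2ae111",
    "c77fc69c7b96c53ce762b87c98831327", "dce1c89d7a267b2a4ae925b5a387e5cd",
    "a868964e1fe66e4a7638f46ba7844b52", "2acc54f86694e8d7674e8e1afff86aa1",
    "5f078de83a9ce3ee2d9d2fe174cd234c", "0426e6c1fe2aa8681c683428bb3d2dd7",
    "efcd92d3be23e624bca2db8515f0df20", "30ac6dd3290ab3c9281e81c2cba2097e",
    "9b35dcacd42e6ba1c596a8bc0425d646",
}

# Assumed log format: "<timestamp> <client> <url> <dest_ip> [md5=<hash>]".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<url>\S+)\s+(?P<dst_ip>\S+)"
    r"(?:\s+md5=(?P<md5>[0-9a-fA-F]{32}))?\s*$"
)


def matching_domain(host):
    """Return the listed domain that `host` equals or sits under, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ROGUE_DOMAINS:
            return candidate
    return None


def scan_line(line):
    """Grade one log line; None for unparseable or clean lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host = urlparse(m["url"]).hostname or ""
    reasons = []
    domain = matching_domain(host)
    if domain:
        reasons.append(f"domain:{domain}")
    md5 = (m["md5"] or "").lower()
    if md5 in ROGUE_MD5S:
        reasons.append(f"md5:{md5}")
    if m["dst_ip"] in DEDICATED_IPS:
        reasons.append(f"ip:{m['dst_ip']}")
    shared = m["dst_ip"] in SHARED_EDGE_IPS
    if not reasons and not shared:
        return None
    # Strong indicators make the hit "high"; a shared edge IP alone is "low".
    severity = "high" if reasons else "low"
    if shared:
        reasons.append(f"shared-edge-ip:{m['dst_ip']}")
    return {"ts": m["ts"], "client": m["client"], "host": host,
            "severity": severity, "reasons": reasons}


def scan_log(lines):
    return [hit for hit in map(scan_line, lines) if hit]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2013-11-18T09:12:01Z 10.0.0.5 http://superfilesdocumentsy.asia/v944/?a=1 141.101.117.252",
    "2013-11-18T09:12:04Z 10.0.0.5 http://lp.ezdownloadpro.info/Download.exe 46.165.228.246 md5=fd4195ef1af7fb49a673633ed57b87ab",
    "2013-11-18T09:12:30Z 10.0.0.6 http://cdn.downloadkeeper.info/x.exe 198.51.100.9",
    "2013-11-18T09:13:10Z 10.0.0.7 http://example.com/index.html 108.162.197.34",
    "2013-11-18T09:14:00Z 10.0.0.8 http://example.org/ 93.184.216.34",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["severity"], hit["client"], hit["host"], ", ".join(hit["reasons"]))
```

Treating the Cloudflare addresses as weak evidence is the point of the example: blocking or alerting on them outright would also hit the unrelated sites the post lists under the same IPs, so they are best used to corroborate a domain or hash match rather than on their own.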

REFERENCE & Regards to Dancho


Comments:

  1. I know it's an old post, but there's actually a plethora more domains associated with InstallRex than are listed here.

    I've pulled the records from my database for you:

    http://temp.it-mate.co.uk/MM_-_InstallRex-10022014.xlsx

  2. Thx MyteryFMC, I will take a look at it.
