Pay-Per-Install Analysis – Part Two
WorldPays – Euro-Pays – SummerCash
Next on the list are three companies that distribute the same executable, so it is safe to assume that either all three are resellers for a single upstream company, or two of them are reselling for the third.
From the above images we can extract some of the domains used to spread the payloads:
super-cool-tube.com
real-antivir-4pc.com
sfree-crack-service.com
great-tube-fest.com
hotcelebsnow.com
datamediaworld.com
anti-vir-protect.com
Euro-Pays rates per install (USD):
GB 0.15, DE 0.14, GR 0.07, ES 0.07, AT 0.07, PT 0.01, BE 0.07, IT 0.07, CH 0.14, DK 0.14, FR 0.14, SE 0.14, NL 0.14, NO 0.14
SummerCash rates per install (USD; the leading "0" entry is presumably the default rate for countries not listed):
0 0.01, US 0.40, GB 0.32, CA 0.16, AU 0.16, NO 0.12, DK 0.12, NZ 0.12, SE 0.12, PR 0.12, DE 0.12, ES 0.10, IT 0.10, FR 0.10, CH 0.08, BE 0.08, NL 0.08, AT 0.08, FI 0.08, ZA 0.08, IS 0.08, IE 0.08, JP 0.03, SG 0.03, CY 0.03, HK 0.03, MU 0.03, GR 0.03, IL 0.03
There was no rates list for WorldPays. As you can see there is quite a difference between the two companies for the same executable: SummerCash pays more than double the Euro-Pays rate for a GB install (0.32 vs 0.15) and more for ES, IT, AT and BE, but less than Euro-Pays for DE, FR, CH, DK, SE, NL, NO and GR.
Instead of posting the sandbox reports for all three companies, I will just show the similarities.
All make connections to:
Internet connection: C:\Documents and Settings\Administrator\Desktop\video-plugin.45311.exe Connects to "216.240.146.119" on port 80 (TCP - HTTP).
Internet connection: C:\Documents and Settings\Administrator\Desktop\video-plugin.45311.exe Connects to "62.122.75.42" on port 80 (TCP - HTTP).
Internet connection: C:\Documents and Settings\Administrator\Desktop\video-plugin.45311.exe Connects to "64.20.35.3" on port 80 (TCP - HTTP).
Internet connection: C:\Documents and Settings\Administrator\Desktop\video-plugin.45311.exe Connects to "69.10.35.253" on port 80 (TCP - HTTP).
Internet connection: C:\WINDOWS\Xmitoa.exe Connects to "67.210.170.183" on port 80 (TCP - HTTP).
Internet connection: C:\Documents and Settings\Administrator\Local Settings\Temp\Xtl.exe Connects to "64.191.82.25" on port 80 (TCP - HTTP).
Below are the IPVoid.com scan reports for the above IP addresses:
216.240.146.119
62.122.75.42
64.20.35.3
69.10.35.253
67.210.170.183
64.191.82.25
All create these files:
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\Xtj.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\Xtk.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\Xtl.exe
All add the same startup key (a Run value under HKEY_CURRENT_USER, which executes at logon and needs no administrator rights to create):
Defined registry AutoStart location added or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\M5T8QL3YW3 = C:\Documents and Settings\Administrator\Local Settings\Temp\Xtl.exe
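The "show the similarities" step above is just an intersection of the IOCs from each sample's sandbox report. The script below is an added example (not code from the post or from any of the companies it describes) that parses the three kinds of report line shown above, normalises the sandbox-specific path prefixes so the artefacts compare across machines, and keeps only what every sample has in common. The report text is copied from the post's entries; the EXTRA_* lines and the 192.0.2.10 address are constructed noise, and the %TEMP%/%USERPROFILE%/%WINDIR% normalisation is my own convention rather than anything the sandbox emits.

```python
"""Extract IOCs from sandbox report lines and intersect them across samples."""
import re
from dataclasses import dataclass, field

# Regexes for the three report line types shown in the post.
CONNECT_RE = re.compile(
    r'^Internet connection: (?P<proc>.+?) Connects to '
    r'"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})" on port (?P<port>\d+)')
CREATED_RE = re.compile(r'^Defined file type created: (?P<path>.+?)\s*$')
AUTOSTART_RE = re.compile(
    r'^Defined registry AutoStart location added or modified: '
    r'(?P<key>.+?) = (?P<value>.+?)\s*$')

# Sandbox-specific prefixes -> placeholders (my convention, so that the same
# dropper run under a different user name still yields identical IOCs).
PATH_NORMALISE = [
    (re.compile(r'^C:\\Documents and Settings\\[^\\]+\\Local Settings\\Temp\\', re.I), '%TEMP%\\'),
    (re.compile(r'^C:\\Documents and Settings\\[^\\]+\\Desktop\\', re.I), '%USERPROFILE%\\Desktop\\'),
    (re.compile(r'^C:\\WINDOWS\\', re.I), '%WINDIR%\\'),
]


def normalise_path(path: str) -> str:
    for pattern, repl in PATH_NORMALISE:
        path = pattern.sub(lambda _m, r=repl: r, path)  # lambda avoids backslash escaping in repl
    return path


@dataclass(frozen=True)
class Connection:
    process: str
    ip: str
    port: int


@dataclass(frozen=True)
class AutoStart:
    key: str
    value: str


@dataclass
class IOCSet:
    connections: set = field(default_factory=set)
    dropped_files: set = field(default_factory=set)
    autostarts: set = field(default_factory=set)

    def ips(self) -> set:
        return {c.ip for c in self.connections}


def parse_report(text: str) -> IOCSet:
    """Parse one sandbox report (one event per line) into an IOCSet."""
    iocs = IOCSet()
    for line in text.splitlines():
        line = line.strip()
        if m := CONNECT_RE.match(line):
            iocs.connections.add(Connection(normalise_path(m['proc']), m['ip'], int(m['port'])))
        elif m := CREATED_RE.match(line):
            iocs.dropped_files.add(normalise_path(m['path']))
        elif m := AUTOSTART_RE.match(line):
            iocs.autostarts.add(AutoStart(m['key'], normalise_path(m['value'])))
    return iocs


def shared_iocs(reports) -> IOCSet:
    """Intersect the IOC sets of several reports: what every sample has in common."""
    parsed = [parse_report(r) for r in reports]
    shared = IOCSet()
    if not parsed:
        return shared
    shared.connections = set.intersection(*(p.connections for p in parsed))
    shared.dropped_files = set.intersection(*(p.dropped_files for p in parsed))
    shared.autostarts = set.intersection(*(p.autostarts for p in parsed))
    return shared


# Entries copied from the post's sandbox output (identical for all three
# companies). EXTRA_A / EXTRA_B are constructed noise for this example only.
COMMON = r"""
Internet connection: C:\Documents and Settings\Administrator\Desktop\video-plugin.45311.exe Connects to "216.240.146.119" on port 80 (TCP - HTTP).
Internet connection: C:\Documents and Settings\Administrator\Desktop\video-plugin.45311.exe Connects to "62.122.75.42" on port 80 (TCP - HTTP).
Internet connection: C:\Documents and Settings\Administrator\Desktop\video-plugin.45311.exe Connects to "64.20.35.3" on port 80 (TCP - HTTP).
Internet connection: C:\Documents and Settings\Administrator\Desktop\video-plugin.45311.exe Connects to "69.10.35.253" on port 80 (TCP - HTTP).
Internet connection: C:\WINDOWS\Xmitoa.exe Connects to "67.210.170.183" on port 80 (TCP - HTTP).
Internet connection: C:\Documents and Settings\Administrator\Local Settings\Temp\Xtl.exe Connects to "64.191.82.25" on port 80 (TCP - HTTP).
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\Xtj.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\Xtk.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\Xtl.exe
Defined registry AutoStart location added or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\M5T8QL3YW3 = C:\Documents and Settings\Administrator\Local Settings\Temp\Xtl.exe
"""
EXTRA_A = r'Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\is-ABC12.tmp'  # constructed
EXTRA_B = (r'Internet connection: C:\Documents and Settings\Administrator\Desktop\video-plugin.45311.exe '
           r'Connects to "192.0.2.10" on port 80 (TCP - HTTP).')  # constructed, TEST-NET-1 address
REPORTS = [COMMON + "\n" + EXTRA_A, COMMON + "\n" + EXTRA_B, COMMON]

if __name__ == "__main__":
    shared = shared_iocs(REPORTS)
    for ip in sorted(shared.ips()):
        print("ip      ", ip)
    for path in sorted(shared.dropped_files):
        print("dropped ", path)
    for entry in sorted(shared.autostarts, key=lambda a: a.key):
        print("autostart", entry.key, "=", entry.value)
```

Only the entries present in every report survive the intersection, so the constructed is-ABC12.tmp drop and the 192.0.2.10 connection fall out while the six IPs, the three Xt*.exe drops and the Run value under HKCU remain, which is exactly the set a detection rule or blocklist should be built from.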
To be continued…