Pay-Per-Install Analysis – Part Two

WorldPays – Euro-Pays – SummerCash

Next on the list are three companies that distribute the same executable, so it is safe to assume that either all three are resellers for a single upstream operation, or two of them are reselling for the third.

[Images: three screenshots, not reproduced here]

From the screenshots above we can extract the domains used to spread the payloads:

super-cool-tube.com
real-antivir-4pc.com
sfree-crack-service.com
great-tube-fest.com
hotcelebsnow.com
datamediaworld.com
anti-vir-protect.com

Euro-Pays rates per install:

Country	Rate (USD per install)
GB	$0.15
DE	$0.14
GR	$0.07
ES	$0.07
AT	$0.07
PT	$0.01
BE	$0.07
IT	$0.07
CH	$0.14
DK	$0.14
FR	$0.14
SE	$0.14
NL	$0.14
NO	$0.14

SummerCash rates per install:

Country	Rate (USD per install)
0	$0.01
US	$0.40
GB	$0.32
CA	$0.16
AU	$0.16
NO	$0.12
DK	$0.12
NZ	$0.12
SE	$0.12
PR	$0.12
DE	$0.12
ES	$0.10
IT	$0.10
FR	$0.10
CH	$0.08
BE	$0.08
NL	$0.08
AT	$0.08
FI	$0.08
ZA	$0.08
IS	$0.08
IE	$0.08
JP	$0.03
SG	$0.03
CY	$0.03
HK	$0.03
MU	$0.03
GR	$0.03
IL	$0.03

There was no rates list for WorldPays. As you can see, the two published rate cards differ considerably for the same executable: SummerCash pays roughly double for a GB install ($0.32 against $0.15), yet pays less than Euro-Pays for most of continental Europe (for example DE $0.12 against $0.14, CH $0.08 against $0.14, GR $0.03 against $0.07).

Instead of posting the sandbox reports for all three companies, I will just show the similarities between them.

All make connections to:

Internet connection: C:\Documents and Settings\Administrator\Desktop\video-plugin.45311.exe Connects to "216.240.146.119" on port 80 (TCP - HTTP).
Internet connection: C:\Documents and Settings\Administrator\Desktop\video-plugin.45311.exe Connects to "62.122.75.42" on port 80 (TCP - HTTP).
Internet connection: C:\Documents and Settings\Administrator\Desktop\video-plugin.45311.exe Connects to "64.20.35.3" on port 80 (TCP - HTTP).
Internet connection: C:\Documents and Settings\Administrator\Desktop\video-plugin.45311.exe Connects to "69.10.35.253" on port 80 (TCP - HTTP).
Internet connection: C:\WINDOWS\Xmitoa.exe Connects to "67.210.170.183" on port 80 (TCP - HTTP).
Internet connection: C:\Documents and Settings\Administrator\Local Settings\Temp\Xtl.exe Connects to "64.191.82.25" on port 80 (TCP - HTTP).

Below are the IPVoid.com scan reports for the IP addresses above:

216.240.146.119
62.122.75.42
64.20.35.3
69.10.35.253
67.210.170.183
64.191.82.25

All create these files:

Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\Xtj.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\Xtk.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\Xtl.exe

All add the same startup key:

Defined registry AutoStart location added or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\M5T8QL3YW3 = C:\Documents and Settings\Administrator\Local Settings\Temp\Xtl.exe
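The three report excerpts above (network connections, dropped files, Run key) are the indicators worth pulling out of any sandbox run of one of these installers, and the pattern they form (executable dropped into %TEMP%, registered under a random-looking Run value, then beaconing over HTTP) is what a triage script should flag. The following is an added example, not code from the original post: it parses report lines in the exact format quoted above into structured IOCs and applies a few heuristics to them. The sample lines are copied from the excerpts above; the regexes, the "random-looking name" heuristic and the function names are this example's own assumptions.

```python
"""Parse sandbox report lines into IOCs and triage the dropper/persistence pattern.

Added example, not part of the original post. The line formats match the three
report excerpts quoted above; the heuristics and function names are assumptions.
"""
import re
from dataclasses import dataclass, field

# Sample input, copied from the sandbox report excerpts quoted above.
SAMPLE_REPORT = r"""
Internet connection: C:\Documents and Settings\Administrator\Desktop\video-plugin.45311.exe Connects to "216.240.146.119" on port 80 (TCP - HTTP).
Internet connection: C:\Documents and Settings\Administrator\Desktop\video-plugin.45311.exe Connects to "62.122.75.42" on port 80 (TCP - HTTP).
Internet connection: C:\WINDOWS\Xmitoa.exe Connects to "67.210.170.183" on port 80 (TCP - HTTP).
Internet connection: C:\Documents and Settings\Administrator\Local Settings\Temp\Xtl.exe Connects to "64.191.82.25" on port 80 (TCP - HTTP).
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\Xtj.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\Xtk.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\Xtl.exe
Defined registry AutoStart location added or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\M5T8QL3YW3 = C:\Documents and Settings\Administrator\Local Settings\Temp\Xtl.exe
"""

CONN_RE = re.compile(
    r'^Internet connection: (?P<proc>.+?) Connects to "(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"'
    r' on port (?P<port>\d+) \((?P<proto>[^)]+)\)\.?$'
)
FILE_RE = re.compile(r'^Defined file type created: (?P<path>.+)$')
RUN_RE = re.compile(
    r'^Defined registry AutoStart location added or modified: (?P<key>.+?) = (?P<value>.+)$'
)
# User-writable scratch directories (XP-era and Vista+ layouts).
TEMP_RE = re.compile(r'\\(Local Settings\\Temp|AppData\\Local\\Temp|Windows\\Temp)\\', re.I)
# Heuristic (assumption): Run value names of 8+ upper-case letters and digits,
# mixing both, such as M5T8QL3YW3, look generated rather than product names.
RANDOM_NAME_RE = re.compile(r'^(?=.*[A-Z])(?=.*\d)[A-Z0-9]{8,}$')


@dataclass
class Report:
    connections: list = field(default_factory=list)  # (process path, ip, port, proto)
    dropped: list = field(default_factory=list)      # created file paths
    autostart: list = field(default_factory=list)    # (value name, full key, command)


def parse_report(text):
    """Turn report lines into a Report; unrecognised lines are ignored."""
    rep = Report()
    for line in text.splitlines():
        line = line.strip()
        if m := CONN_RE.match(line):
            rep.connections.append((m['proc'], m['ip'], int(m['port']), m['proto']))
        elif m := FILE_RE.match(line):
            rep.dropped.append(m['path'])
        elif m := RUN_RE.match(line):
            key = m['key']
            rep.autostart.append((key.rsplit('\\', 1)[-1], key, m['value']))
    return rep


def unique_ips(rep):
    """Sorted, de-duplicated destination IPs, ready for a blocklist or lookup."""
    return sorted({ip for _, ip, _, _ in rep.connections})


def triage(rep):
    """Human-readable findings for the drop-to-temp / Run-key / beacon pattern."""
    findings = []
    for path in rep.dropped:
        if TEMP_RE.search(path) and path.lower().endswith('.exe'):
            findings.append(f"executable dropped in temp dir: {path}")
    for name, _key, cmd in rep.autostart:
        tags = []
        if RANDOM_NAME_RE.match(name):
            tags.append("random-looking value name")
        if TEMP_RE.search(cmd):
            tags.append("points into temp dir")
        if cmd in rep.dropped:
            tags.append("target was dropped during this run")
        if tags:
            findings.append(f"Run key {name!r} -> {cmd} ({', '.join(tags)})")
    for proc, ip, port, proto in rep.connections:
        if TEMP_RE.search(proc) or proc in rep.dropped:
            exe = proc.rsplit('\\', 1)[-1]
            findings.append(f"dropped/temp-resident process {exe} beacons to {ip}:{port} ({proto})")
    return findings


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print("destination IPs:", ", ".join(unique_ips(report)))
    for finding in triage(report):
        print("-", finding)
```

Only the Temp-resident process (Xtl.exe) and the Run key are flagged; the Desktop-launched installer and C:\WINDOWS\Xmitoa.exe produce no finding on their own, which is the point of keying the heuristics on the drop location and on the Run value's target rather than on any fixed file name, since the Xt*.exe names on this page are unlikely to be stable across builds.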

To be continued…
