Typically, malware will be installed through the use of exploit kits, spam e-mails, gifs laced with executables, torrents and so on. That being said, there is a fairly commonly downloaded software package known as “System Healer” being downloaded on the interwebs which claims to speed up your PC and optimize it. Are Sethealer.net/iSystemHealer.com/MagicPro.org serving up Adware or Malware or both? Where is the line between ADWARE and MALWARE really set? Typically they remain as Possibly unwanted Programs (PUPs) until further information emerges.
They are using .com/.net and other easily seizable domain names by the FBI. I am dubbing this Kamikazeware as an “infected” or “effected” individual installed this package manually infecting themselves without crimeware perpetrators having to exploit vulnerabilities or lift a finger to take control, you gave it to them.After I installed the package, I was able to kill it from the taskmgr, disable it from autostarting and uninstall it, after immediately doing this all traffic did stop on next reboot – maybe laying dormant? I’ll have to rip apart and debug the binary further and update this post.
Software shown below:
This package has been observed being downloaded as a drive-by-download, I found it browsing a torrent site and a popunder launched asking me if I wanted to speed up my PC (my VM reflex kicked in) and I grabbed a sample of the package. When browsing to the site hosted at isystemhealer[.]com with the crafted advertising URI I was prompted for a download which I download and ran, surprisingly the installation was that of typical adware which required my permission to install the software and accept the user agreement which basically attempted to legalize or legitimize the installation of malware, Kamikazeware, Adware on crack or whatever you want to call it. Once installed the System Healer software will start collecting information on optimizing your PC while acting as an Adware Downloader or Malware Downloader, it will download software using the very commonly used adware installer package Nullsoft Scriptable Install System (NSIS_INETC) User-Agent. After about an hour had passed, close to 30 separate executables were downloaded by my PC installing Adware/Malware/PUPs – virtually everything installed would be considered “RISKWARE” by the industry. Multiple anti-virus programs I utilized did not even blink at the installation and utilization of System Healer.
Here is a sample of what the traffic looked like after downloading the initial executable:
2016-05-11 21:55:00.267437 IP 192.168.1.107.60930 > 104.31.87.37.80: Flags [P.], seq 0:312, ack 1, win 256, length 312: HTTP: GET /351002513/SystemHealer.exe HTTP/1.1
E..`Y….._$…kh.W%…P…]..q.P…O’..GET /351002513/SystemHealer.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: da.systemhealerhost[.]net
Connection: Keep-Alive
2016-05-11 21:55:14.132105 IP 192.168.1.107.60938 > 104.16.93.188.80: Flags [P.], seq 0:197, ack 1, win 256, length 197: HTTP: GET /COMODORSACodeSigningCA.crl HTTP/1.1
E…
_………kh.]..
.P.`..((.\P…@…GET /COMODORSACodeSigningCA.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.comodoca[.]com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
2016-05-11 21:55:22.293977 IP 192.168.1.107.60939 > 104.27.172.72.80: Flags [P.], seq 0:247, ack 1, win 256, length 247: HTTP: GET /inst?sid=AE4C637E-E1E1-42DD-B34B-68FE3D47FFE2&hid=d93625a4c3271e540f699bb2e10a9
05e30ab1da2&os=5.1&tr=351002513-US-263&a=NA&adm=1&x64=0&sil=0&st=201604131&e=200 HTTP/1.1
E…C …. B…kh..H…P.r.43.*AP…LP..GET /inst?sid=AE4C637E-E1E1-42DD-B34B-68FE3D47FFE2&hid=d93625a4c3271e540f699bb2e10a905e30ab1da2&os=5.1&tr=351002513-US-263&a=NA&adm=1&x64=0&sil=0&st=201604131&e=200 HTTP/1
.1
User-Agent: BI/0.1
Host: isystemhealer[.]com
Cache-Control: no-cache
2016-05-11 21:55:22.440974 IP 192.168.1.107.60939 > 104.27.172.72.80: Flags [.], ack 330, win 255, length 0
E..(C!….!8…kh..H…P.r.+3.+.P…f………
2016-05-11 21:55:22.464772 IP 192.168.1.107.60939 > 104.27.172.72.80: Flags [P.], seq 247:453, ack 330, win 255, length 206: HTTP: GET /inst?sid=AE4C637E-E1E1-42DD-B34B-68FE3D47FFE2&st=0&e=210 HTTP/1.1
E…C”…. i…kh..H…P.r.+3.+.P…o$..GET /inst?sid=AE4C637E-E1E1-42DD-B34B-68FE3D47FFE2&st=0&e=210 HTTP/1.1
User-Agent: BI/0.1
Host: isystemhealer[.]com
Cache-Control: no-cache
Cookie: __cfduid=d80d2ae57f7dbe30dc7f86ac9c2c035771463018102
2016-05-11 21:55:31.227008 IP 192.168.1.107.60944 > 199.180.184.220.80: Flags [P.], seq 0:129, ack 1, win 256, length 129: HTTP: HEAD / HTTP/1.1
E…3……|…k…….P..
[email protected]…AK..HEAD / HTTP/1.1
Host: dyn[.]com
Connection: close
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2)
2016-05-11 21:55:32.539860 IP 192.168.1.107.60947 > 185.17.184.11.80: Flags [S], seq 4217015879, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.f@….-…k…….P.Z.G…… ……………..
2016-05-11 21:55:32.540076 IP 192.168.1.107.60946 > 185.17.184.11.80: Flags [P.], seq 0:1460, ack 1, win 256, length 1460: HTTP: HEAD /u/?a=qxWTS_llgtS7G1TYGxSzASkn3QtHt_N6AxwfRwBezvcwoJfGmmmyR4Sfqj4xbfja5PqAy1kpTXxE3sHcAWOlj2fklVybBeJreNI5HrZ6bZjlD4-lbRANsHFZeZF5J010FxOSMmOEMkq-QkaNlBPmYUfg7BSioKJst1JnT1H1stqKZh2WeuW5OKfwNpV10daJYgI34wuUfCwTV-uef0gzvzrpeQP4qiBo0Fp_f88PdDOXndhA8QKTBDkX4JkWkVD8ApvSeWjufLRQww0l8psJGSqrsNbt_j_gnwhkBUppKmEqbTvN0R1GpjxEFW32omeEnguytO9VerujsdLwQoMyNYZVIn_5I8YojmKol_MrBZ6E2m9EtXLoaTWjbJ86vBD-iMBhMtGCdXH2IF2h6WBw7DVKZ0kMOwbODPt0R9Stfl6MI5Zmkk4c-_ARCkFNd8VdrqlOKEOD2byp4e_ppGsWJoNWWXss25XqYtxSQT4DeP-Bd5h1yjcAI_uR3MMRhgBCNpC7NDGA3DXgKh4tOfDtv-5ZhqHZ8ayMoIdhQ55ffJ8HuUh9KZpRQpT7oMzHjgwzv8b5_5rR5dglkDybKzlEuVey9_ugHxTwHy3NAPp9rBI0L8NC9wanZF1PsNf2LFWFxQelfh8_xxWr575L55FOgpvS7ZuLOkJTdzzpD4UnM2lCvjJy1J1LQxPx5NFCa3mF5U9JxwyAMdDX6VnHyY3rdrdqxEdAP4EAIVJBqCruuz_P-YRKZvbhMQhI1QXTF_hQxsEHKtZxSyXWfnc9X83Cj6U3HeQ2_s_pAnixFvcuI6sXntZxHUtMRUYZicECjxa5nM8IfumrOBTM-gbLIQGMcQ7aikGC2fOJ2uLTYUWSNYW0Q0OehB57wmb-DUwJGElehbiQWpJyanBwRdSIQH7XNUV53eblTucMzfdLDQjPJFvVjbERaZPLNxLAdhro7RT-xmr08D-bRedtgz2XfGfFHWELnCI9aij3BXQV9KBN74N7TXXuVGvhz4WyP5L9L3vTKwTuvyKEML6RKzauvwDO0X8xZLfMkYrzgZq0dMVjYed2RgIVEchXUuMiTte61ajGf1sS8AscJogEz4D1pc82OVQKavGA&c=qAWxpc6VBUkXTNC1ZQaEy6V864dakTFHeXdl7gMQe_P0ffk4ovlDWQXpttHcfYzpkgpik_aj3I1D4dIo7GVwK6n9AXqJl0TL5DLm5XGsE-Ap1D901XnnFUbJmvInA6tAl66rk4-RFWo01_sYIHfJz3qJWjl_Kq-VvIbIjlNXF5lIl0R-Z1dp8t76gF2wMOIUadELU1a3pT2dfIHIuV9toWv6W_0al2xTrrQJsRCiY32D38HT2qmfIro6K0NwfFIZ2_vJtv4guiZJnVcC-CDYmUTXEicco_BqUT_6lhHaOajWnKi3IfJcU8S6BGR5piKURMGGmA-ChG[!http]
E….g………k…….P……n.P…G…HEAD /u/?a=qxWTS_llgtS7G1TYGxSzASkn3QtHt_N6AxwfRwBezvcwoJfGmmmyR4Sfqj4xbfja5PqAy1kpTXxE3sHcAWOlj2fklVybBeJreNI5HrZ6bZjlD4-lbRANsHFZeZF5J010FxOSMmOEMkq-QkaNlBPmYUfg7BSioKJst1JnT1H1stqKZh2WeuW5OKfwNpV10daJYgI34wuUfCwTV-uef0gzvzrpeQP4qiBo0Fp_f88PdDOXndhA8QKTBDkX4JkWkVD8ApvSeWjufLRQww0l8psJGSqrsNbt_j_gnwhkBUppKmEqbTvN0R1GpjxEFW32omeEnguytO9VerujsdLwQoMyNYZVIn_5I8YojmKol_MrBZ6E2m9EtXLoaTWjbJ86vBD-iMBhMtGCdXH2IF2h6WBw7DVKZ0kMOwbODPt0R9Stfl6MI5Zmkk4c-_ARCkFNd8VdrqlOKEOD2byp4e_ppGsWJoNWWXss25XqYtxSQT4DeP-Bd5h1yjcAI_uR3MMRhgBCNpC7NDGA3DXgKh4tOfDtv-5ZhqHZ8ayMoIdhQ55ffJ8HuUh9KZpRQpT7oMzHjgwzv8b5_5rR5dglkDybKzlEuVey9_ugHxTwHy3NAPp9rBI0L8NC9wanZF1PsNf2LFWFxQelfh8_xxWr575L55FOgpvS7ZuLOkJTdzzpD4UnM2lCvjJy1J1LQxPx5NFCa3mF5U9JxwyAMdDX6VnHyY3rdrdqxEdAP4EAIVJBqCruuz_P-YRKZvbhMQhI1QXTF_hQxsEHKtZxSyXWfnc9X83Cj6U3HeQ2_s_pAnixFvcuI6sXntZxHUtMRUYZicECjxa5nM8IfumrOBTM-gbLIQGMcQ7aikGC2fOJ2uLTYUWSNYW0Q0OehB57wmb-DUwJGElehbiQWpJyanBwRdSIQH7XNUV53eblTucMzfdLDQjPJFvVjbERaZPLNxLAdhro7RT-xmr08D-bRedtgz2XfGfFHWELnCI9aij3BXQV9KBN74N7TXXuVGvhz4WyP5L9L3vTKwTuvyKEML6RKzauvwDO0X8xZLfMkYrzgZq0dMVjYed2RgIVEchXUuMiTte61ajGf1sS8AscJogEz4D1pc82OVQKavGA&c=qAWxpc6VBUkXTNC1ZQaEy6V864dakTFHeXdl7gMQe_P0ffk4ovlDWQXpttHcfYzpkgpik_aj3I1D4dIo7GVwK6n9AXqJl0TL5DLm5XGsE-Ap1D901XnnFUbJmvInA6tAl66rk4-RFWo01_sYIHfJz3qJWjl_Kq-VvIbIjlNXF5lIl0R-Z1dp8t76gF2wMOIUadELU1a3pT2dfIHIuV9toWv6W_0al2xTrrQJsRCiY32D38HT2qmfIro6K0NwfFIZ2_vJtv4guiZJnVcC-CDYmUTXEicco_BqUT_6lhHaOajWnKi3IfJcU8S6BGR5piKURMGGmA-ChG
2016-05-11 21:55:32.665771 IP 192.168.1.107.60946 > 185.17.184.11.80: Flags [P.], seq 1460:2250, ack 1, win 256, length 790: HTTP
E..>.h…..!…k…….P…e..n.P…….J8FJETkMDqjbP721bLZqPku3KssNMajH3UL_efjj0i6vdTqPqZGFI5Ggxf1ws8_8-3p0wOj4dKfPfh8cdgBq4YGT7CA1SLqZ10XdyirL0TVb3L54vUbDKZq8FkokCRc7PyaM8yzDK5KcWT7GHrmz4XdOeiP4wfs_Wx_vvBnTNjaUBKwSRVXOYjHeqg8ynAkZZ_qgUOr5_surDSkKezvKaNkofgzYCgPBIx_4m1PRVn_dyTllsdt40q8lnJLUn2HZnyTvR8dekgZjqKLZ-nrYEo06tY2SWKbGKc_l59vhzfh0AbJ1_k_MjbDDCl-TjJEeNYjl0FpIR-rNGbuAEm_4whl5lY3Lkapfb7TfuJSg066H3jhVYSHNcHynDo_fumoy3qKiJzwKshUmRgXODakMmJMajKwcew_mwLsAFjztiAEXvo2tymLla1AP7z8e5ra9VfqF7Vpt8cCzz7-s6pG1f3HHR20jZzVlM98SFkoUVnkGrj72HPsxrCITksCZuPA-Cc0Ajc9TVgkJVSCBpmxy3pOOEsQ5xasjJzIqH2FKW7Jk9H37_zWyt7sT7xcrJ2Xci9Q3sipLW6Ncg&r=792735003519943452 HTTP/1.1
Accept: */*
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2)
Pragma: no-cache
Host: sethealer[.]net
Connection: Keep-Alive
2016-05-11 21:55:32.680833 IP 192.168.1.107.60947 > 185.17.184.11.80: Flags [.], ack 2827879072, win 64240, length 0
E..(.i…..6…k…….P.Z.H….P…^}……..
2016-05-11 21:55:32.681570 IP 192.168.1.107.60947 > 185.17.184.11.80: Flags [P.], seq 0:1460, ack 1, win 64240, length 1460: HTTP: HEAD /u/?a=2RySj4iFJzp6WKBCamF80A5rm2mBu2k-zqqxSq1jBd-YIikJ_Vb-LifvY94weA9GsgMOh_hlhJotpT-MDAaAyokWvOcyg36TXHbwsG4luKjlQuiJ66As2Esz1M08zjrNbCEt5OQl3ch4bxNww33ML3EKSRau09EOmWXcWLmtZMgC4YCQvc2Jw8ilOTcrrc4UGca0ysFDmCABvht1TCUyBAMmoWCBSW48Y69HYF6PhBlKZr7RuPJYmANckOFCbXKtM2wXL7FO9eSbnkWwUXS3yuxEGuaJb2Lo2eOq1e8n8BdACVmoL1ChHzIgVgCxAH-d00cIS4JqYEbq32IXLXSIvilFMjrikgPmzmY95_QmbteU7DLyQ_UzUXGXr0UyCKa_O2azpHyu9ozmrQ7ed3kpMSR4W3C2WQ6Tfnf9E8n_XnFgCzUgK617TvFVM5rayR4ZhHnfmZIsnShr0TFKWZzqTbfr67wJh66fnX7nhTbCNxE32isIzvErTpGPA7I7Y5CohL2bJWwTeumfi3MdwSW9WdYrK13BmAa9Q9Ts746xFklxFDW6DduKCqZpl_8d2wRzkJrTHjiJyRrFEEg_VN7cDqn0uak70SrN_kZ3G9W1Ofi5PdTcLE8R28TeG3GlhtL0dbmTjzx1CozjAqn-JJV2tTyxsM41SbUYAOA3uXQ6zrFe9N44jcbWy4h5nYhD93sMHnPgsw5Mvtbgpxfk6x3Ze4lkh1i2-JCS135ih5j4U_jnw7n0xvfpnf-dYAo3HZ44KEMHsa2mYKWPJAIbKOVgo3w3_oavJYEkr-YpPAg2qVMEGGU8DebjGocXn5gum5BMUkuWx3qLxeb_OCjvM5igvQHe72-YgAHEderraz2dqCd40OJPY4SXo1JQMik5Lh6luDUvUMaPsqgAyBZE5o6nhLYCgOv1g3hWHOJmip_aMyiUxD8wXLM1neqllhTU-_J61DPIJzXAAxhDZnZ_htuZ_MregaODRg06k9F-WoRHIskD9LXCc3TISfuN3C4HUbpseh5Qvgom_Ef-J8ZqGN6xpT2cxY_K6D3mLPwfLCKk12f0juIu3o2KmcitGsH64VnaNBy8jdMMnJZBe9Jk1yIvP_mSzz7jtm-nr9q&c=Ps8iX6-91_xE-aJFHzC391RC1YEKzdV4ghwDYmL1qGXS8ZtCY-ZsfuFxRvRKG09e1-mQyzgQmjIO8LcJNl_PEAwaRr-KEThONaUtmSHcpuWZbJGDvOGs2FGTbhmG2aHaebl_8lZjBpXdkEfkhqt1nTs4QEyTJX5lBUSGinWzBKw8miLdl18b78x7QnYMxL5VM0RGZqer0gWTB-j_eXavUMjUJsn2IhN9s4Cx1eFlpOpbPvCpnusD2zcT0KqOU3zGbZcg1Nx9jEtN8l2sgc12qhCfXrmnuqpBXqt2HYhJ3GwBI_rWGf-l5KseSETaGKf9WAe[!http]
E….j………k…….P.Z.H….P…….HEAD /u/?a=2RySj4iFJzp6WKBCamF80A5rm2mBu2k-zqqxSq1jBd-YIikJ_Vb-LifvY94weA9GsgMOh_hlhJotpT-MDAaAyokWvOcyg36TXHbwsG4luKjlQuiJ66As2Esz1M08zjrNbCEt5OQl3ch4bxNww33ML3EKSRau09EOmWXcWLmtZMgC4YCQvc2Jw8ilOTcrrc4UGca0ysFDmCABvht1TCUyBAMmoWCBSW48Y69HYF6PhBlKZr7RuPJYmANckOFCbXKtM2wXL7FO9eSbnkWwUXS3yuxEGuaJb2Lo2eOq1e8n8BdACVmoL1ChHzIgVgCxAH-d00cIS4JqYEbq32IXLXSIvilFMjrikgPmzmY95_QmbteU7DLyQ_UzUXGXr0UyCKa_O2azpHyu9ozmrQ7ed3kpMSR4W3C2WQ6Tfnf9E8n_XnFgCzUgK617TvFVM5rayR4ZhHnfmZIsnShr0TFKWZzqTbfr67wJh66fnX7nhTbCNxE32isIzvErTpGPA7I7Y5CohL2bJWwTeumfi3MdwSW9WdYrK13BmAa9Q9Ts746xFklxFDW6DduKCqZpl_8d2wRzkJrTHjiJyRrFEEg_VN7cDqn0uak70SrN_kZ3G9W1Ofi5PdTcLE8R28TeG3GlhtL0dbmTjzx1CozjAqn-JJV2tTyxsM41SbUYAOA3uXQ6zrFe9N44jcbWy4h5nYhD93sMHnPgsw5Mvtbgpxfk6x3Ze4lkh1i2-JCS135ih5j4U_jnw7n0xvfpnf-dYAo3HZ44KEMHsa2mYKWPJAIbKOVgo3w3_oavJYEkr-YpPAg2qVMEGGU8DebjGocXn5gum5BMUkuWx3qLxeb_OCjvM5igvQHe72-YgAHEderraz2dqCd40OJPY4SXo1JQMik5Lh6luDUvUMaPsqgAyBZE5o6nhLYCgOv1g3hWHOJmip_aMyiUxD8wXLM1neqllhTU-_J61DPIJzXAAxhDZnZ_htuZ_MregaODRg06k9F-WoRHIskD9LXCc3TISfuN3C4HUbpseh5Qvgom_Ef-J8ZqGN6xpT2cxY_K6D3mLPwfLCKk12f0juIu3o2KmcitGsH64VnaNBy8jdMMnJZBe9Jk1yIvP_mSzz7jtm-nr9q&c=Ps8iX6-91_xE-aJFHzC391RC1YEKzdV4ghwDYmL1qGXS8ZtCY-ZsfuFxRvRKG09e1-mQyzgQmjIO8LcJNl_PEAwaRr-KEThONaUtmSHcpuWZbJGDvOGs2FGTbhmG2aHaebl_8lZjBpXdkEfkhqt1nTs4QEyTJX5lBUSGinWzBKw8miLdl18b78x7QnYMxL5VM0RGZqer0gWTB-j_eXavUMjUJsn2IhN9s4Cx1eFlpOpbPvCpnusD2zcT0KqOU3zGbZcg1Nx9jEtN8l2sgc12qhCfXrmnuqpBXqt2HYhJ3GwBI_rWGf-l5KseSETaGKf9WAe
2016-05-11 21:55:32.813485 IP 192.168.1.107.60947 > 185.17.184.11.80: Flags [P.], seq 1460:2258, ack 1, win 64240, length 798: HTTP
E..F.m………k…….P.Z……P…}…QOyyO94LX_krToiT0V5kI4Gsp2wyyJ48—w80ZzKQ6Re-0LTdbI2h9qIWIJYxaSZGQaOIkSt5_sAgAFHjOtIsHh_vW2wYseobwTu6gcyVdiL0Zr8Q4BcisNcWE7PrPtUffJce_UWy7i8QpTLNUU3wUuHj5HRzC9XOdGCcPg-y3p8ULPgVYv7JWct2J56b8PbZ7TDMSEWnCijGeIeHjVnbbfNc5ja879ZcclXr4FbAJf9iUCc7wWriIG6d6-7qKSIuK7wnnEEfdK1SLxN8VANjLRHsMGRPVdDOgPRFVljsr3kl6OwbWK811_keSk5LxMJTTjW4yeqSHz35h7lJX2mn6g7b9LcOlr7EifBdkxszIUOzhIqJzfdomDipTUwzh-8lhyjV-5MBt8EZ_14Me5maV7524fzZkoDLIFhFESIw0GzsYfu-eE5or-nvC8WXD3azkNp4p56r63bn-aGocvrXXLhCMvyhZqdTwiW96c1M4udLTHtE9obCk8fNWclwCqf-oSXCZaEtH9gF4jPdTF1fBpijs-kbci6VVMr4EiqUA76pdQp4DeuGllvhLzzUocPxuwAF9VZzol3fwsnKmP&r=4331930647698152838 HTTP/1.1
Accept: */*
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2)
Pragma: no-cache
Host: sethealer[.]com
Connection: Keep-Alive
2016-05-11 21:55:34.086546 IP 192.168.1.107.60948 > 185.17.184.11.80: Flags [P.], seq 0:209, ack 1, win 256, length 209: HTTP: POST /u/ HTTP/1.1
E….r…..\…k…….P..v]…vP….g..POST /u/ HTTP/1.1
Host: zipoffice[.]info
Connection: close
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Content-Length: 2093
Content-Type: application/x-www-form-urlencoded
2016-05-11 21:55:34.086580 IP 192.168.1.107.60948 > 185.17.184.11.80: Flags [P.], seq 209:1669, ack 1, win 256, length 1460: HTTP
E….s…..x…k…….P..w….vP…#…a=w4alrcxsYHZixanusZ9sNjl08URmJVkHsVcEa3oasFZJyvcbjI1Jh_1oJEJHNN1RD6SHD0yuuUXTXXrPvI98WrXarh_ikl68f0L5CKu7f55fvaGVQMFDRowOTocePvWGSwbp_xx12UPlPEwD415IP6a23yCCFpmjnKKvdHv-8xOcMejvRerNMM7FoK_eHIoNq_YTEVYCeAeAlwge6E8LtXFC31ukQpBwFhjVzfR1qQzmBIhwi5PJDCwWfpqfNqklrYf0CYDO7gURtyk_AhylwH_4HQVFCm3pJH354BXQ08WexNlBizERAybc8dFeEwgxOM7mnv54MBcPweOtM9nrUIohThsc-nAQGxM7Fk55rXqZUAnXHeErrMOD2csufa4-j5R8NYFqVbOJtTitYFs_rKzQjm02LgrnWiNlhPVagNMpeXC69v3yVbjKccjKJQ1XnXOOu02DjxQI63ZCx0F-xP1Qhs0O214m7K2IuaqegaP0Ho2GzbmC2jaORJCI9-DUg94mfmCz-HJ2WdK5CIiMAHqJRIwbspKBmpVBmQEvxT1nb28Ri9xoPa-cZ82BCna_PQmskpZ2gv0–Gj4RuYpdmFGIm6F5pENUDpcY4TqiXEFKWh1a-Ch5wy-Ta0vwZPbW83sOitCQrFNTmbhjitBhD3zx5iwyRhkA0SxkUIk1_zC7M7y5Bej4wT9TAorn6LDv75ZE_79YOge62qP0OXlFGVkrKVnp87FHFITfjx_R0xLENnIGHAJNVbPChbmpU9ZtxrCGV5bb0dEF4CNVlKp3EotLBRna96XnnXD1MnppSrVVJ4AcmbEvEVdzVkfSQBPyOTN-HDp6Kb-WE-DRL_wZ-8ocUDM4QatX2IDfDxgLvT9-719KhGZblalXZ86bzlevYdV3CcUC4zG0GRwQSOElg7_jaLuQDb8d13eazFE8ElS7w1RLL2i-S9wcmI0dIqzEodSUjel4D5rPIAG9tIgA_tmopQ25hjme43c_0PcwSUmcj2l7GG0vuul1DXxqvXWfG-8MiNGvfuu0QWgi-LHJq1j7Gu0B4Mo66TaYYapw_SH-HVvuLh1ujFcWFNEyBn_UJ5M9CEexmaV&c=x0onH5I5qsGBrCNjkobe3X3XFJV02vyIoTKAqKpgXyNfGyrOV4e2nl17-52_FCVMbHWBlrqUKbu08upuc94Zk6qLw0hTklNbD8jlTxK7Fd0wrbvCj50DC0ZR-7M8f_r6vT3I_ywFamHsDmRYZG4URnWpSK9Fn2hLHBDDv3ONRiDnulxldF0EiWLqIVG_eupnuFHO9BiCqM5pTQKkk-Z0Dcv0QZUu7sGTrpGQQzh8TsoF4ligvwAemZdg8NgXrWfvpktJvQz5AgnfFUU3WBuD5Zz9WEH2Mk73qXyyTAiLl39Za4m_lFlHi5KW1DJFjR_DxhAwI9d0tPd8r-fd7AIHIpNKf3jUJ9j-bu9
2016-05-11 21:55:34.230572 IP 192.168.1.107.60948 > 185.17.184.11.80: Flags [P.], seq 1669:2302, ack 1, win 256, length 633: HTTP
E….t………k…….P..|….vP…….zATBMxdGYDAoEOkplK0NAMkI3-S74UYx9dRLcn5EFkVhDf4C1yOXgSSoZvJcmcji4XdfLpM78CBEDZzwucIO3IabQUOWw8j25Dw7D_yAo1eRrwtNb9tcvcigDd0Kt6jEPZaemgzbfuxMJfofnouiVI9sW-fjPgEY2sdKFVWjwX5AbYMuipMcOQMLhow2vknQjWmjF-AipDLRI4Vl49KMB3IJ3GdkNEtk8kCcx6XG44R_-z3GmRMic6WWSiYKeCayYbeucWrfwmpn-HZCvps7s_0KIaQaQQfkFDIQm5A2EZ1YBbXtwauRxqeBB2GdMuTPALwB71ifos0oL5qmYdnh-zZ0zK5reTUkYvARsWAsG1lEF9JwlXeT_624d9FHdmILhbz5xcAHuntDutZ4s8bHFGRRNP-xBiWlKI67KkOQ74aPbo9IC6Ogofxz_UCo9C3FaElctTsSbVr7Xqp1InDghpBS3PmFAuKd64cseBHfs9dgpFKI4_uyZcioz_ZBXdMI931tlApNXDLXzp4W7JlJNviNcIR-oyYHv3loKwmJ3ZNlctVdmCXx&h=cQ5YlgOfn61tZo8IEirioecEzVKcwERMtmLP5670P_eg&r=5634697514542173977
2016-05-11 21:55:34.375051 IP 192.168.1.107.60948 > 185.17.184.11.80: Flags [.], ack 155, win 256, length 0
E..(.u…..*…k…….P…[….P………….
2016-05-11 21:55:34.375697 IP 192.168.1.107.60948 > 185.17.184.11.80: Flags [F.], seq 2302, ack 155, win 256, length 0
E..(.v…..)…k…….P…[….P………….
2016-05-11 21:55:55.078478 IP 192.168.1.107.60930 > 104.31.87.37.80: Flags [.], ack 5045813, win 1112, length 0
E..(`…..X….kh.W%…P……p.P..X&………
2016-05-11 21:55:58.841290 IP 192.168.1.107.60930 > 104.31.87.37.80: Flags [F.], seq 312, ack 5045813, win 1112, length 0
E..(`…..X….kh.W%…P……p.P..X&………
2016-05-11 21:56:00.186514 IP 192.168.1.107.60938 > 104.16.93.188.80: Flags [.], ack 99441, win 256, length 0
E..(
2016-05-11 21:56:13.080690 IP 192.168.1.107.60960 > 104.31.87.37.80: Flags [P.], seq 0:357, ack 1, win 256, length 357: HTTP: GET /t/i/sh?sid=351002513-US-263&dt=1463018139&gid=AE4C637E-E1E1-42DD-B34B-68FE3D47FFE2&mi=d93625a4c3271e540f699bb2e10a905e30ab1da2&tz=-5&ln=1&lc=0&bis=0&bief=0&biefx=0&bif=0&crg=0&os=5.1&f=506455860 HTTP/1.1
E…`…..W….kh.W%. .Pb…..e[P…….GET /t/i/sh?sid=351002513-US-263&dt=1463018139&gid=AE4C637E-E1E1-42DD-B34B-68FE3D47FFE2&mi=d93625a4c3271e540f699bb2e10a905e30ab1da2&tz=-5&ln=1&lc=0&bis=0&bief=0&biefx=0&bif=0&crg=0&os=5.1&f=506455860 HTTP/1.1
User-Agent: System Healer
Host: ba.systemhealerhost[.]net
Cache-Control: no-cache
Cookie: __cfduid=dea6c4c57171fde2b0220bd19fe6b807d1463018080
2016-05-11 21:56:13.343002 IP 192.168.1.107.60961 > 104.27.172.72.80: Flags [P.], seq 0:215, ack 1, win 256, length 215: HTTP: GET /inst?sid=AE4C637E-E1E1-42DD-B34B-68FE3D47FFE2&st=0&du=51984&e=400 HTTP/1.1
E…C(…. Z…kh..H.!.P……f.P…….GET /inst?sid=AE4C637E-E1E1-42DD-B34B-68FE3D47FFE2&st=0&du=51984&e=400 HTTP/1.1
User-Agent: BI/0.1
Host: isystemhealer[.]com
Cache-Control: no-cache
Cookie: __cfduid=d80d2ae57f7dbe30dc7f86ac9c2c035771463018102
2016-05-11 21:56:13.343002 IP 192.168.1.107.60961 > 104.27.172.72.80: Flags [P.], seq 0:215, ack 1, win 256, length 215: HTTP: GET /inst?sid=AE4C637E-E1E1-42DD-B34B-68FE3D47FFE2&st=0&du=51984&e=400 HTTP/1.1
E…C(…. Z…kh..H.!.P……f.P…….GET /inst?sid=AE4C637E-E1E1-42DD-B34B-68FE3D47FFE2&st=0&du=51984&e=400 HTTP/1.1
User-Agent: BI/0.1
Host: isystemhealer[.]com
Cache-Control: no-cache
Cookie: __cfduid=d80d2ae57f7dbe30dc7f86ac9c2c035771463018102
Open source information:
https://www.hybrid-analysis.com/sample/0b1026c619699a8a3b925a7a4c741d959a6a4b30e1e2603492b842ba3ea8d33a?environmentId=1
https://malwr.com/analysis/OGQ1YWU4YzJlNmE0NGE3ZjlkZjAzZmRmM2NiNmFhZjU/
http://blogs.cisco.com/security/dnschanger-outbreak-linked-to-adware-install-base
This post first appeared on Computer Security.org - CyberSecurity News, Inform, please read the originial post: here
