AdWare.D365

Malware Analysis of AdWare.D365

Created files:

%Program Files%\iSafe\lang\lang.xml
%Program Files%\iSafe\lang\startup_lang.xml
%Program Files%\iSafe\libpng.dll
%Program Files%\iSafe\log\iSafeKrnlCall.log
%Program Files%\iSafe\log\iSafeSvc.LOG

Autostart registry keys:

HKLM\System\CurrentControlSet\Services\iSafeKrnl\Instances\iSafeKrnl Instance\Altitude: "325003"
HKLM\System\CurrentControlSet\Services\iSafeKrnl\Instances\iSafeKrnl Instance\Flags: 0x00000000
HKLM\System\CurrentControlSet\Services\iSafeKrnl\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\System\CurrentControlSet\Services\iSafeKrnl\Parameters\InstallPath: "%Program Files%\iSafe\"
HKLM\System\CurrentControlSet\Services\iSafeKrnl\Instances\DefaultInstance: "iSafeKrnl Instance"
HKLM\System\CurrentControlSet\Services\iSafeKrnl\Type: 0x00000002
HKLM\System\CurrentControlSet\Services\iSafeKrnl\Start: 0x00000003
HKLM\System\CurrentControlSet\Services\iSafeKrnl\ErrorControl: 0x00000001
HKLM\System\CurrentControlSet\Services\iSafeKrnl\ImagePath: "\??\%Program Files%\iSafe\iSafeKrnl.sys"
HKLM\System\CurrentControlSet\Services\iSafeKrnl\DisplayName: "iSafeKrnl"
HKLM\System\CurrentControlSet\Services\iSafeKrnl\Group: "FSFilter Activity Monitor"
HKLM\System\CurrentControlSet\Services\iSafeKrnl\DependOnService: 'FltMgr'
HKLM\System\CurrentControlSet\Services\iSafeKrnl\DependOnGroup: 00
HKLM\System\CurrentControlSet\Services\iSafeKrnl\Tag: 0x00000004
HKLM\System\CurrentControlSet\Services\iSafeKrnl\DebugFlags: 0x00000000
HKLM\System\CurrentControlSet\Services\iSafeKrnl\SupportedFeatures: 0x00000003
HKLM\System\CurrentControlSet\Services\iSafeKrnl\Description: "iSafeKrnl Mini-Filter Driver"
HKLM\System\CurrentControlSet\Services\iSafeNetFilter\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\System\CurrentControlSet\Services\iSafeNetFilter\Type: 0x00000001
HKLM\System\CurrentControlSet\Services\iSafeNetFilter\Start: 0x00000001
HKLM\System\CurrentControlSet\Services\iSafeNetFilter\ErrorControl: 0x00000001
HKLM\System\CurrentControlSet\Services\iSafeNetFilter\ImagePath: "\??\%Program Files%\iSafe\iSafeNetFilter.sys"
HKLM\System\CurrentControlSet\Services\iSafeNetFilter\DisplayName: "iSafeNetFilter"
HKLM\System\CurrentControlSet\Services\iSafeNetFilter\Group: "PNP_TDI"
HKLM\System\CurrentControlSet\Services\iSafeNetFilter\Tag: 0x00000008
HKLM\System\CurrentControlSet\Services\iSafeService\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\System\CurrentControlSet\Services\iSafeService\Type: 0x00000010
HKLM\System\CurrentControlSet\Services\iSafeService\Start: 0x00000002
HKLM\System\CurrentControlSet\Services\iSafeService\ErrorControl: 0x00000001
HKLM\System\CurrentControlSet\Services\iSafeService\ImagePath: "%Program Files%\iSafe\iSafeSvc.exe"
HKLM\System\CurrentControlSet\Services\iSafeService\DisplayName: "iSafeService"
HKLM\System\CurrentControlSet\Services\iSafeService\Group: "Event log"
HKLM\System\CurrentControlSet\Services\iSafeService\ObjectName: "LocalSystem"
HKLM\System\CurrentControlSet\Services\iSafeService\Description: "iSafe Service"
HKLM\Software\Clients\StartMenuInternet\chrome.exe\shell\open\command\: ""c:\documents and settings\administrator\local settings\application data\google\chrome\application\chrome.exe""
HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\: ""c:\program files\mozilla firefox\firefox.exe""
HKLM\Software\Clients\StartMenuInternet\Google Chrome\shell\open\command\: ""c:\program files\google\chrome\application\chrome.exe""
HKLM\Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\: ""c:\program files\internet explorer\iexplore.exe""
HKLM\Software\Clients\StartMenuInternet\OperaNext\shell\open\command\: ""c:\program files\opera next\launcher.exe""
HKLM\Software\Clients\StartMenuInternet\VMWAREHOSTOPEN.EXE\shell\open\command\: ""c:\program files\vmware\vmware tools\vmwarehostopen.exe""

Detected by UnHackMe:

LIBPNG.DLL
Default location: %PROGRAM FILES%\ISAFE\LIBPNG.DLL

Written by Malware Hunter.
