Sample: https://www.virustotal.com/file/9a3fb37aae8e5784a0a968c974a148b7cff875b92fd8917d840accc7e0c8066b/analysis/
Unpack: https://www.virustotal.com/file/69cb144b6ef526dd88832d6cab68740f563eb6b2fbe2380ecd5cd31980df0629/analysis/1359760543/
Create a registry persistence:
![]()
![]()
![]()
![]()
And some other keys..
Search if Internet Explorer is running:
![]()
![]()
And kill it when found:
![]()
![]()
Search for "Windows Internet Explorer" on handles
![]()
![]()
I've not checked what he do when found but probably kill it.
It connect to freetraffcounter.com
• dns: 1 ›› ip: 64.32.14.210 - adresse: FREETRAFFCOUNTER.COM
![]()
The source is grabbed and parsed:
![]()
![]()
To retrieve these urls:
![]()
Seem he removed urls for the moment, found before:
Some network used:
![]()
![]()
And navigate to the urls of the affiliate advertiser:
![]()
![]()
![]()
Unpack: https://www.virustotal.com/file/69cb144b6ef526dd88832d6cab68740f563eb6b2fbe2380ecd5cd31980df0629/analysis/1359760543/
Create a registry persistence:
Search if Internet Explorer is running:
And kill it when found:
Search for "Windows Internet Explorer" on handles
It connect to freetraffcounter.com
• dns: 1 ›› ip: 64.32.14.210 - adresse: FREETRAFFCOUNTER.COM
The source is grabbed and parsed:
To retrieve these urls:
Seem he removed urls for the moment, found before:
var DisplayLink = "http://pornkingworldtube.com"
var AdLink = "http://widget.plugrush.com/pornkingworldtube.com/1lhr"
var AdLink1 = "http://www.toonporn.com/video/11568114/3-d-cgi-babes-cum-over-cocks?aid=673"
var AdLink2 = "http://delivery.trafficbroker.com/direct.php?zoneid=158782"
var AdLink3 = "http://avatraffic.com/in.php?sid=987"
var AdLink = "http://widget.plugrush.com/pornkingworldtube.com/1lhr"
var AdLink1 = "http://www.toonporn.com/video/11568114/3-d-cgi-babes-cum-over-cocks?aid=673"
var AdLink2 = "http://delivery.trafficbroker.com/direct.php?zoneid=158782"
var AdLink3 = "http://avatraffic.com/in.php?sid=987"
Some network used:
And navigate to the urls of the affiliate advertiser:
AC:\Users\Pike.Pike-PC\Desktop\Desktop\Bot Clicker\Project1.vbp
The guys used 11 Timers for this, learn to code dude.