PUA_PCCare.GA

 Analysis by: Arvin Roi Macaraeg

 PLATFORM:

Windows


  • Threat Type: Potentially Unwanted Application

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It is an Inno Setup installer that deploys two components, "Smart - PC- Care" and "Driver Updater". Their registry configuration carries per-country support telephone numbers, purchase and renewal URLs, and campaign and affiliate tracking tags, and the installer reports the host's public IP address and country code to a remote server.

  TECHNICAL DETAILS

File Size:

4,836,224 bytes

File Type:

EXE

Memory Resident:

No

Initial Samples Received Date:

09 Jul 2018

Arrival Details

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Potentially Unwanted Application drops the following files:

  • %User Temp%\is-{Random Characters}.tmp\{Malware FileName}.tmp
  • %User Temp%\is-{Random Characters}.tmp\_isetup\_shfoldr.dll
  • %User Temp%\is-{Random Characters}.tmp\_isetup\_iscrypt.dll
  • %User Temp%\is-{Random Characters}.tmp\setup_en.bmp
  • %Program Files%\Smart - PC- Care for {PC Name}\unins000.exe
  • %Program Files%\Smart - PC- Care for {PC Name}\mpr.exe
  • %Program Files%\Smart - PC- Care for {PC Name}\mpr.exe.config
  • %Program Files%\Smart - PC- Care for {PC Name}\gtcmg.dll
  • %Program Files%\Smart - PC- Care for {PC Name}\Microsoft.Win32.TaskScheduler.dll
  • %Program Files%\Smart - PC- Care for {PC Name}\Newtonsoft.Json.dll
  • %Program Files%\Smart - PC- Care for {PC Name}\PaddleCheckoutSDK.dll
  • %Program Files%\Smart - PC- Care for {PC Name}\NAudio.dll
  • %Program Files%\Smart - PC- Care for {PC Name}\TAFactory.IconPack.dll
  • %Program Files%\Smart - PC- Care for {PC Name}\Interop.IWshRuntimeLibrary.dll
  • %Program Files%\Smart - PC- Care for {PC Name}\application.ico
  • %Program Files%\Smart - PC- Care for {PC Name}\x64\SQLite.Interop.dll
  • %Program Files%\Smart - PC- Care for {PC Name}\x86\SQLite.Interop.dll
  • %Program Files%\Smart - PC- Care for {PC Name}\System.Data.SQLite.DLL
  • %Program Files%\Smart - PC- Care for {PC Name}\HtmlRenderer.dll
  • %Program Files%\Smart - PC- Care for {PC Name}\HtmlRenderer.WinForms.dll
  • %ProgramData%\Smart - PC- Care for {PC Name}\mdb.db
  • %ProgramData%\Smart - PC- Care for {PC Name}\pcspstartrepair_en.mp3
  • %Program Files%\Smart - PC- Care for {PC Name}\langs.db
  • %Program Files%\Smart - PC- Care for {PC Name}\english_iss.ini
  • %Program Files%\Smart - PC- Care for {PC Name}\finish_iss.ini
  • %Program Files%\Smart - PC- Care for {PC Name}\French_iss.ini
  • %Program Files%\Smart - PC- Care for {PC Name}\german_iss.ini
  • %Program Files%\Smart - PC- Care for {PC Name}\italian_iss.ini
  • %Program Files%\Smart - PC- Care for {PC Name}\japanese_iss.ini
  • %Program Files%\Smart - PC- Care for {PC Name}\norwegian_iss.ini
  • %Program Files%\Smart - PC- Care for {PC Name}\portuguese_iss.ini
  • %Program Files%\Smart - PC- Care for {PC Name}\russian_iss.ini
  • %Program Files%\Smart - PC- Care for {PC Name}\spanish_iss.ini
  • %Program Files%\Smart - PC- Care for {PC Name}\swedish_iss.ini
  • %Program Files%\Smart - PC- Care for {PC Name}\danish_iss.ini
  • %Program Files%\Smart - PC- Care for {PC Name}\Dutch_iss.ini
  • %Program Files%\Driver Updater\unins000.exe
  • %Program Files%\Driver Updater\aptdu.exe
  • %Program Files%\Driver Updater\aptdu.exe.config
  • %Program Files%\Driver Updater\DUContent.dll
  • %Program Files%\Driver Updater\Microsoft.Win32.TaskScheduler.dll
  • %Program Files%\Driver Updater\TaskScheduler.dll
  • %Program Files%\Driver Updater\NAudio.dll
  • %Program Files%\Driver Updater\TAFactory.IconPack.dll
  • %Program Files%\Driver Updater\Interop.IWshRuntimeLibrary.dll
  • %Program Files%\Driver Updater\System.ServiceModel.dll
  • %Program Files%\Driver Updater\dp\7z.dll
  • %Program Files%\Driver Updater\dp\7z.exe
  • %Program Files%\Driver Updater\dp\difxapi.dll
  • %Program Files%\Driver Updater\dp\difxapi64.dll
  • %Program Files%\Driver Updater\dp\DPInst32.exe
  • %Program Files%\Driver Updater\dp\DPInst64.exe
  • %Program Files%\Driver Updater\dp\DriversPath.exe
  • %Program Files%\Driver Updater\dp\FileValidator.exe
  • %Program Files%\Driver Updater\Delimon.Win32.IO.dll
  • %Program Files%\Driver Updater\Langs\danish_du_da.ini
  • %Program Files%\Driver Updater\Langs\Dutch_du_nl.ini
  • %Program Files%\Driver Updater\Langs\english_du_en.ini
  • %Program Files%\Driver Updater\Langs\finish_du_fi.ini
  • %Program Files%\Driver Updater\Langs\French_du_fr.ini
  • %Program Files%\Driver Updater\Langs\german_du_de.ini
  • %Program Files%\Driver Updater\Langs\italian_du_it.ini
  • %Program Files%\Driver Updater\Langs\japanese_du_ja.ini
  • %Program Files%\Driver Updater\Langs\norwegian_du_no.ini
  • %Program Files%\Driver Updater\Langs\portuguese_du_ptbr.ini
  • %Program Files%\Driver Updater\Langs\russian_du_ru.ini
  • %Program Files%\Driver Updater\Langs\spanish_du_es.ini
  • %Program Files%\Driver Updater\Langs\swedish_du_sv.ini
  • %Program Files%\Driver Updater\danish_iss.ini
  • %Program Files%\Driver Updater\Dutch_iss.ini
  • %Program Files%\Driver Updater\english_iss.ini
  • %Program Files%\Driver Updater\finish_iss.ini
  • %Program Files%\Driver Updater\French_iss.ini
  • %Program Files%\Driver Updater\german_iss.ini
  • %Program Files%\Driver Updater\italian_iss.ini
  • %Program Files%\Driver Updater\japanese_iss.ini
  • %Program Files%\Driver Updater\norwegian_iss.ini
  • %Program Files%\Driver Updater\portuguese_iss.ini
  • %Program Files%\Driver Updater\russian_iss.ini
  • %Program Files%\Driver Updater\spanish_iss.ini
  • %Program Files%\Driver Updater\swedish_iss.ini

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, and 8. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), 7 (32-bit), and 8 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), 7 (64-bit), and 8 (64-bit), since this is a 32-bit installer. %ProgramData% is the application data folder shared by all users of the computer, usually C:\ProgramData in Windows Vista, 7, and 8.)

Other System Modifications

This Potentially Unwanted Application adds the following registry entries as part of its installation routine. The first entry, under HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000, is written by the Windows Restart Manager when the Inno Setup installer checks whether the files it is about to replace are in use; it is transient and is not a persistence mechanism. The HKEY_LOCAL_MACHINE\SOFTWARE entries hold the application's runtime configuration: per-country support telephone numbers (TELNO_*), purchase, renewal and tracking URLs, and campaign or affiliate tags:

HKEY_CURRENT_USER\Software\Microsoft\
RestartManager\Session0000
RegFiles0000 = "%Program Files%\Smart - PC- Care for {PC Name}\mpr.exe, %Program Files%\Smart - PC- Care for {PC Name}\gtcmg.dll, %Program Files%\Smart - PC- Care for {PC Name}\gtcmg.dll, %Program Files%\Smart - PC- Care for {PC Name}\Microsoft.Win32.TaskScheduler.dll, %Program Files%\Smart - PC- Care for {PC Name}\Newtonsoft.Json.dll, %Program Files%\Smart - PC- Care for {PC Name}\PaddleCheckoutSDK.dll, %Program Files%\Smart - PC- Care for {PC Name}\NAudio.dll, %Program Files%\Smart - PC- Care for {PC Name}\TAFactory.IconPack.dll, %Program Files%\Smart - PC- Care for {PC Name}\Interop.IWshRuntimeLibrary.dll, %Program Files%\Smart - PC- Care for {PC Name}\x64\SQLite.Interop.dll, %Program Files%\Smart - PC- Care for {PC Name}\x86\SQLite.Interop.dll, %Program Files%\Smart - PC- Care for {PC Name}\System.Data.SQLite.DLL, %Program Files%\Smart - PC- Care for {PC Name}\HtmlRenderer.dll, %Program Files%\Smart - PC- Care for {PC Name}\HtmlRenderer.WinForms.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO = "({BLOCKED}-0124"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
ISTELNO = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
apst data = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
isshowng = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
issilent = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
affired = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
showwfo = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
ovoffdis = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
playsound = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
wfoset = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
country =

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
ipaddrurl = "http://www.{BLOCKED}v.com/getip/"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
prereg = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
showtn = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
cbkpoff = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
cta = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
showunins = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
isavst = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
isprmjsn = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
runcam = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
runsrc = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
runpixel = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
stdismax = "{BLOCKED}7295"

HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr
utm_source = "msmsite"

HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr
utm_campaign = "msmsite"

HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr
utm_medium =

HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr
affiliateid =

HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr
pxl = "msmsite"

HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr
x-at =

HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr
x-context =

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_us = "({BLOCKED}-0124"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_uk = "{BLOCKED}1-5066"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_gb = "{BLOCKED}1-5066"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_au = "({BLOCKED}33403"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_fr = "{BLOCKED} 04 06"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_de = "{BLOCKED}22 974"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_at = "+{BLOCKED} 902 309"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_ch = "+{BLOCKED} 508 70 37"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_lu = "{BLOCKED}22 974"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_no = "+{BLOCKED} 01 97"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_dk = "{BLOCKED} 09 26"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_nl = "{BLOCKED}882839"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_be = "{BLOCKED}5306"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_se = "{BLOCKED}4-10298"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_ja =

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_br = "{BLOCKED}91 4319"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_it = "{BLOCKED}802886"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_es = "{BLOCKED}03 537"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_ar = "{BLOCKED}36 0324"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_fi = "+{BLOCKED}270 4911"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_pt = "{BLOCKED}50 2094"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
pdtm = "30"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
PurchaseURL = "http://store.{BLOCKED}n.site/smpc/price?"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
RenewURL = "http://store.{BLOCKED}n.site/smpc/renewal?"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
WebURL = "http://www.{BLOCKED}n.site/"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
EmailURL =

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
supporturl = "http://www.{BLOCKED}n.site/help/"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
Inno Setup: Setup Version = "5.5.8 (u)"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
Inno Setup: App Path = %Program Files%\Smart - PC- Care for {PC Name}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
InstallLocation = "%Program Files%\Smart - PC- Care for {PC Name}\"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
Inno Setup: Icon Group = "Smart - PC- Care for {PC Name}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
Inno Setup = {PC Name}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
Inno Setup: = "en"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
DisplayName = "Smart - PC- Care"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
DisplayIcon = "%Program Files%\Smart - PC- Care for {PC Name}\mpr.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
UninstallString = "%Program Files%\Smart - PC- Care for {PC Name}\unins000.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
QuietUninstallString = ""%Program Files%\Smart - PC- Care for {PC Name}\unins000.exe" /SILENT"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
DisplayVersion = "1.0.0.2"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
NoModify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
NoRepair = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
InstallDate = {Date Installed}

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
paramurl = "http://trkr.{BLOCKED}iv.com/ipfiles/"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
plurl = "http://pp.{BLOCKED}iv.com/ProductPrice.svc/"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
buybowinapp = "http://store.{BLOCKED}n.site/smpc/plan?"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
x-ccode = {Location}

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
dlllist = "CSITEST.DLL,PSMACHINE.DLL"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
TELNO = "{BLOCKED}-0124"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
ISTELNO = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
issilent = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
affired = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
showwfo = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
pxl = "DUM2865_DUM2798_DUM1440"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
prereg = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
showtn = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
delay = "30"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
bdInst = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
cbkpoff = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
showunins = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
utm_source = "dumsm"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
utm_campaign = "dumsm"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
utm_medium = "dumsm"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
PurchaseURL = "http://driverupdater.{BLOCKED}eshoppe.com/du/price?"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
RenewURL = "http://driverupdater.{BLOCKED}eshoppe.com/du/renewal?"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
WebURL = "http://www.{BLOCKED}details.com/"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
EmailURL = "driverupdater"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
supporturl = "http://www.{BLOCKED}details.com/help/"
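The dropped-file and registry listings above are what a responder actually has to sweep for. The following is an added triage helper, not Trend Micro's tooling and not part of this entry: it matches a registry snapshot against the key paths and value names listed above (the "Smart - PC- Care For {PC Name}", "scd-pr" and "driverdetails.com\Driver Updater" keys, plus the Inno Setup {GUID}_is1 uninstall entry) and pulls out the phone numbers, URLs and campaign tags as indicators. The matching works on a plain dict so it runs anywhere; on Windows, collect_snapshot() reads the live hive through winreg from both the native and WOW6432Node views, because a 32-bit installer's HKLM\SOFTWARE writes are redirected on 64-bit Windows. The sample snapshot, its GUID and PC name are constructed; phone numbers and domains keep the page's {BLOCKED} masking.

```python
"""Footprint triage for the Smart - PC- Care / Driver Updater PUA described above.
Added example, not Trend Micro's tooling. Matching runs on a plain dict snapshot
so it can be exercised offline; on Windows, collect_snapshot() fills that
snapshot from the live HKLM\\SOFTWARE hive with winreg."""
import fnmatch
import re
import sys
from typing import Dict, List

Snapshot = Dict[str, Dict[str, str]]  # {key path under HKLM\SOFTWARE: {value name: data}}

# Keys the installer writes under HKLM\SOFTWARE (from the registry list above);
# the fnmatch wildcard stands in for the {PC Name} placeholder.
PUA_KEY_PATTERNS = ("Smart - PC- Care For *", "driverdetails.com\\Driver Updater", "scd-pr")
# Value names whose data are reusable indicators: support phone numbers,
# purchase/tracking URLs and affiliate or campaign tags.
IOC_VALUE_RE = re.compile(
    r"^(telno(_[a-z]{2})?|[a-z]*url|buybowinapp|utm_(source|campaign|medium)|affiliateid|pxl)$",
    re.IGNORECASE)
UNINSTALL_PREFIX = "Microsoft\\Windows\\CurrentVersion\\Uninstall\\"
WOW_PREFIX = "WOW6432Node\\"  # where a 32-bit installer's HKLM\SOFTWARE writes land on 64-bit Windows


def _native(path: str) -> str:
    """Strip the WOW6432Node prefix so the patterns match either registry view."""
    return path[len(WOW_PREFIX):] if path.lower().startswith(WOW_PREFIX.lower()) else path


def is_pua_key(key_path: str) -> bool:
    """True if key_path (relative to HKLM\\SOFTWARE) is one the PUA creates."""
    return any(fnmatch.fnmatchcase(_native(key_path).lower(), p.lower()) for p in PUA_KEY_PATTERNS)


def is_pua_uninstall_entry(key_path: str, values: Dict[str, str]) -> bool:
    """Inno Setup uninstall entry ({GUID}_is1) registered by this installer:
    DisplayName "Smart - PC- Care" or an install path inside its directory."""
    path = _native(key_path)
    if not path.startswith(UNINSTALL_PREFIX) or not path.lower().endswith("_is1"):
        return False
    location = values.get("InstallLocation", "") + values.get("Inno Setup: App Path", "")
    return values.get("DisplayName") == "Smart - PC- Care" or "smart - pc- care for" in location.lower()


def triage(snapshot: Snapshot) -> Dict[str, list]:
    """Return PUA keys, PUA uninstall entries and (key, value, data) indicator triples."""
    keys, uninstall, iocs = [], [], []
    for path, values in snapshot.items():
        if is_pua_key(path):
            keys.append(path)
            iocs += [(path, n, d) for n, d in values.items() if d and IOC_VALUE_RE.match(n)]
        elif is_pua_uninstall_entry(path, values):
            uninstall.append(path)
    return {"keys": sorted(keys), "uninstall": sorted(uninstall), "iocs": sorted(iocs)}


def collect_snapshot() -> Snapshot:
    """Windows only: read candidate keys from both registry views. Only the direct
    children of HKLM\\SOFTWARE, the driverdetails.com key and the Uninstall
    subkeys are enumerated, so this is cheap enough for a fleet sweep."""
    import winreg
    snap: Snapshot = {}

    def open_key(path: str, view: int):
        sub = ("SOFTWARE\\" + path) if path else "SOFTWARE"
        return winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub, 0, winreg.KEY_READ | view)

    def read(label: str, path: str, view: int) -> None:
        try:
            with open_key(path, view) as k:
                vals = {}
                for i in range(winreg.QueryInfoKey(k)[1]):
                    name, data, _ = winreg.EnumValue(k, i)
                    vals[name] = str(data)
                snap[label + path] = vals
        except OSError:
            pass

    def subkeys(path: str, view: int) -> List[str]:
        try:
            with open_key(path, view) as k:
                return [winreg.EnumKey(k, i) for i in range(winreg.QueryInfoKey(k)[0])]
        except OSError:
            return []

    for label, view in (("", winreg.KEY_WOW64_64KEY), (WOW_PREFIX, winreg.KEY_WOW64_32KEY)):
        for sub in subkeys("", view):           # "Smart - PC- Care For {PC Name}", "scd-pr"
            if is_pua_key(sub):
                read(label, sub, view)
        read(label, "driverdetails.com\\Driver Updater", view)
        for sub in subkeys(UNINSTALL_PREFIX.rstrip("\\"), view):
            read(label, UNINSTALL_PREFIX + sub, view)
    return snap


# Constructed snapshot mirroring the entries listed above. The GUID and PC name
# are placeholders; phone numbers and domains keep the page's {BLOCKED} masking.
SAMPLE_SNAPSHOT: Snapshot = {
    "Smart - PC- Care For DESKTOP-01": {
        "TELNO": "({BLOCKED}-0124", "ISTELNO": "1", "TELNO_uk": "{BLOCKED}1-5066",
        "PurchaseURL": "http://store.{BLOCKED}n.site/smpc/price?", "country": "",
        "dlllist": "CSITEST.DLL,PSMACHINE.DLL"},
    "scd-pr": {"utm_source": "msmsite", "affiliateid": ""},
    WOW_PREFIX + "driverdetails.com\\Driver Updater": {
        "TELNO": "{BLOCKED}-0124", "WebURL": "http://www.{BLOCKED}details.com/"},
    UNINSTALL_PREFIX + "{00000000-0000-0000-0000-000000000000}_is1": {
        "DisplayName": "Smart - PC- Care",
        "UninstallString": "C:\\Program Files (x86)\\Smart - PC- Care for DESKTOP-01\\unins000.exe"},
    UNINSTALL_PREFIX + "Some Other App": {"DisplayName": "Some Other App"},  # benign control entry
}

if __name__ == "__main__":
    result = triage(collect_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT)
    for path in result["keys"] + result["uninstall"]:
        print("HIT  HKLM\\SOFTWARE\\" + path)
    for path, name, data in result["iocs"]:
        print(f"IOC  {name} = {data!r}  ({path})")
```

Run it with an elevated Python on a suspect host and it prints each PUA key it finds plus the extracted indicators; on any other platform it runs against the constructed snapshot. ISTELNO, the show/silent switches and similar flags are deliberately not treated as indicators, since their values are generic "0"/"1" strings.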

Other Details

This Potentially Unwanted Application connects to the following possibly malicious URLs (the second and third embed the public IP address and country code of the machine the sample ran on, 103_5_6_243 and ph, so the exact strings differ from victim to victim and detection should key on the host and path prefix rather than the full URL):

  • http://www.{BLOCKED}iv.com/getip/
  • http://trkr.{BLOCKED}iv.com/ipfiles/103_5_6_243.txt
  • http://ins.{BLOCKED}iv.com/install/smpc/?utm_source=cccleanersite&utm_campaign=cccleanersite&utm_medium=cccleanersite&utm_pubid=&pxl=cccleanersite&x-context=&x-at=&x-uid=9077819704735265344&sysname=&syslogo=&x-dm=aHR0cDovL3d3dy5wY2NsZWFuLnNpdGUv&x-ccode=ph&x-ip=103_5_6_243&x-fetch=0