PUA_APPGRAFFITI.GA

 Analysis by: Pearl Charlaine Espejo

 ALIASES:

PUA.AppGraffiti (Symantec); AppGraffiti (AVware); AppGraffiti (VIPRE)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Potentially Unwanted Application

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This potentially unwanted application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It arrives as a component bundled with malware/grayware packages. It may be manually installed by a user.

It requires its main component to successfully perform its intended routine.

  TECHNICAL DETAILS

File Size:

1,220,544 bytes

File Type:

EXE

Initial Samples Received Date:

06 Oct 2015

Arrival Details

This potentially unwanted application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It arrives as a component bundled with malware/grayware packages.

It may be manually installed by a user.

Autostart Technique

This potentially unwanted application adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
AppGraffiti = "{malware path and filename}"

Other System Modifications

This potentially unwanted application adds the following registry keys:

HKEY_CURRENT_USER\Software\AppGraffiti

It adds the following registry entries:

HKEY_CURRENT_USER\Software\AppGraffiti
SETTRAY = "1"

HKEY_CURRENT_USER\Software\AppGraffiti
LAST_DAILYHIT = "{hex values"}

Other Details

This potentially unwanted application connects to the following possibly malicious URL:

  • http://www.{BLOCKED}ffiti.com/
  • http://dnl.{BLOCKED}ffiti.com/cr_config.asmx/GetGRAFFXMLENC2014

It requires its main component to successfully perform its intended routine.