Analysis by: Pearl Charlaine Espejo

ALIASES:

PUA.AppGraffiti (Symantec); AppGraffiti (AVware); AppGraffiti (VIPRE)

PLATFORM:

Windows


  • Threat Type: Potentially Unwanted Application

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

OVERVIEW

This potentially unwanted application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It arrives as a component bundled with malware/grayware packages. It may be manually installed by a user.

It requires its main component to successfully perform its intended routine.

TECHNICAL DETAILS

File size: 1,220,544 bytes
File type: EXE
Initial samples received on: 06 Oct 2015

Arrival Details

This potentially unwanted application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It arrives as a component bundled with malware/grayware packages.

It may be manually installed by a user.

Autostart Technique

This potentially unwanted application adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
AppGraffiti = "{malware path and filename}"

Other System Modifications

This potentially unwanted application adds the following registry keys:

HKEY_CURRENT_USER\Software\AppGraffiti

It adds the following registry entries:

HKEY_CURRENT_USER\Software\AppGraffiti
SETTRAY = "1"

HKEY_CURRENT_USER\Software\AppGraffiti
LAST_DAILYHIT = "{hex values}"
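
The autostart value and the settings key listed above are what a responder would look for in a registry export taken from a suspect host. The following script is an added example, not part of this advisory: it parses a Windows registry export (.reg text) and flags exactly those entries. The sample export embedded in it is constructed, and the executable path in it is made up.

```python
# Added example, not from the advisory: flag the AppGraffiti registry
# indicators listed above in a Windows registry export (.reg text).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SETTINGS_KEY = r"HKEY_CURRENT_USER\Software\AppGraffiti"
RUN_VALUE = "AppGraffiti"
SETTINGS_VALUES = {"SETTRAY", "LAST_DAILYHIT"}

def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: raw_data}}."""
    keys, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):           # hex data continues on next line
            buf = line[:-1]
            continue
        buf = ""
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section
            keys.setdefault(current, {})
        elif "=" in line and current is not None:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data
    return keys

def find_appgraffiti_indicators(text):
    """Return (key, value_name, raw_data) tuples matching the advisory."""
    keys = parse_reg_export(text)
    hits = []
    run = keys.get(RUN_KEY, {})
    if RUN_VALUE in run:                  # persistence via the HKCU Run key
        hits.append((RUN_KEY, RUN_VALUE, run[RUN_VALUE]))
    for name, data in keys.get(SETTINGS_KEY, {}).items():
        if name in SETTINGS_VALUES:       # SETTRAY / LAST_DAILYHIT settings
            hits.append((SETTINGS_KEY, name, data))
    return hits

# Constructed sample export (not a real capture); the exe path is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AppGraffiti"="C:\\Users\\user\\AppData\\Local\\AppGraffiti\\AppGraffiti.exe"

[HKEY_CURRENT_USER\Software\AppGraffiti]
"SETTRAY"="1"
"LAST_DAILYHIT"=hex:0a,1b,2c,\
  3d,4e
'''
```

Run `find_appgraffiti_indicators()` over an export produced with `reg export HKCU <file>`; an empty result means none of the listed entries are present under the current user.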

Other Details

This potentially unwanted application connects to the following possibly malicious URLs:

  • http://www.{BLOCKED}ffiti.com/
  • http://dnl.{BLOCKED}ffiti.com/cr_config.asmx/GetGRAFFXMLENC2014

It requires its main component to successfully perform its intended routine.