PUA_PCCare.GA

Publish date: 16 de octubre de 2018

Análisis realizado por : Arvin Roi Macaraeg

Plataforma:

Windows

Riesgo general:

Potencial de destrucción:

Potencial de distribución:

Infección divulgada:

Revelación de la información:

Bajo

Medio

High

Crítico

Tipo de malware
Potentially Unwanted Application
Destructivo?
No
Cifrado
In the Wild:
Sí

Resumen y descripción

Detalles técnicos

Tamaño del archivo 4,836,224 bytes

Tipo de archivo EXE

Residente en memoria No

Fecha de recepción de las muestras iniciales 09 de julio de 2018

Instalación

Infiltra los archivos siguientes:

%User Temp%\is-{Random Characters}.tmp\{Malware FileName}.tmp
%User Temp%\is-{Random Character}.tmp\_isetup\_shfoldr.dll
%User Temp%\is-{Random Character}.tmp\_isetup\_iscrypt.dll
%User Temp%\is-{Random Character}.tmp\setup_en.bmp
%Program Files%\Smart - PC- Care for {PC Name}\unins000.exe
%Program Files%\Smart - PC- Care for {PC Name}\mpr.exe
%Program Files%\Smart - PC- Care for {PC Name}\mpr.exe.config
%Program Files%\Smart - PC- Care for {PC Name}\gtcmg.dll
%Program Files%\Smart - PC- Care for {PC Name}\Microsoft.Win32.TaskScheduler.dll
%Program Files%\Smart - PC- Care for {PC Name}\Newtonsoft.Json.dll
%Program Files%\Smart - PC- Care for {PC Name}\PaddleCheckoutSDK.dll
%Program Files%\Smart - PC- Care for {PC Name}\NAudio.dll
%Program Files%\Smart - PC- Care for {PC Name}\TAFactory.IconPack.dll
%Program Files%\Smart - PC- Care for {PC Name}\Interop.IWshRuntimeLibrary.dll
%Program Files%\Smart - PC- Care for {PC Name}\application.ico
%Program Files%\Smart - PC- Care for {PC Name}\x64\SQLite.Interop.dll
%Program Files%\Smart - PC- Care for {PC Name}\x86\SQLite.Interop.dll
%Program Files%\Smart - PC- Care for {PC Name}\System.Data.SQLite.DLL
%Program Files%\Smart - PC- Care for {PC Name}\HtmlRenderer.dll
%Program Files%\Smart - PC- Care for {PC Name}\HtmlRenderer.WinForms.dll
%ProgramData%\Smart - PC- Care for {PC Name}\mdb.db
%ProgramData%\Smart - PC- Care for {PC Name}\pcspstartrepair_en.mp3
%Program Files%\Smart - PC- Care for {PC Name}\langs.db
%Program Files%\Smart - PC- Care for {PC Name}\english_iss.ini
%Program Files%\Smart - PC- Care for {PC Name}\finish_iss.ini
%Program Files%\Smart - PC- Care for {PC Name}\French_iss.ini
%Program Files%\Smart - PC- Care for {PC Name}\german_iss.ini
%Program Files%\Smart - PC- Care for {PC Name}\italian_iss.ini
%Program Files%\Smart - PC- Care for {PC Name}\japanese_iss.ini
%Program Files%\Smart - PC- Care for {PC Name}\norwegian_iss.ini
%Program Files%\Smart - PC- Care for {PC Name}\portuguese_iss.ini
%Program Files%\Smart - PC- Care for {PC Name}\russian_iss.ini
%Program Files%\Smart - PC- Care for {PC Name}\spanish_iss.ini
%Program Files%\Smart - PC- Care for {PC Name}\swedish_iss.ini
%Program Files%\Smart - PC- Care for {PC Name}\danish_iss.ini
%Program Files%\Smart - PC- Care for {PC Name}\Dutch_iss.ini
%Program Files%\Driver Updater\unins000.exe
%Program Files%\Driver Updater\aptdu.exe
%Program Files%\Driver Updater\aptdu.exe.config
%Program Files%\Driver Updater\DUContent.dll
%Program Files%\Driver Updater\Microsoft.Win32.TaskScheduler.dll
%Program Files%\Driver Updater\TaskScheduler.dll
%Program Files%\Driver Updater\NAudio.dll
%Program Files%\Driver Updater\TAFactory.IconPack.dll
%Program Files%\Driver Updater\Interop.IWshRuntimeLibrary.dll
%Program Files%\Driver Updater\System.ServiceModel.dll
%Program Files%\Driver Updater\dp\7z.dll
%Program Files%\Driver Updater\dp\7z.exe
%Program Files%\Driver Updater\dp\difxapi.dll
%Program Files%\Driver Updater\dp\difxapi64.dll
%Program Files%\Driver Updater\dp\DPInst32.exe
%Program Files%\Driver Updater\dp\DPInst64.exe
%Program Files%\Driver Updater\dp\DriversPath.exe
%Program Files%\Driver Updater\dp\FileValidator.exe
%Program Files%\Driver Updater\Delimon.Win32.IO.dll
%Program Files%\Driver Updater\Langs\danish_du_da.ini
%Program Files%\Driver Updater\Langs\Dutch_du_nl.ini
%Program Files%\Driver Updater\Langs\english_du_en.ini
%Program Files%\Driver Updater\Langs\finish_du_fi.ini
%Program Files%\Driver Updater\Langs\French_du_fr.ini
%Program Files%\Driver Updater\Langs\german_du_de.ini
%Program Files%\Driver Updater\Langs\italian_du_it.ini
%Program Files%\Driver Updater\Langs\japanese_du_ja.ini
%Program Files%\Driver Updater\Langs\norwegian_du_no.ini
%Program Files%\Driver Updater\Langs\portuguese_du_ptbr.ini
%Program Files%\Driver Updater\Langs\russian_du_ru.ini
%Program Files%\Driver Updater\Langs\spanish_du_es.ini
%Program Files%\Driver Updater\Langs\swedish_du_sv.ini
%Program Files%\Driver Updater\danish_iss.ini
%Program Files%\Driver Updater\Dutch_iss.ini
%Program Files%\Driver Updater\english_iss.ini
%Program Files%\Driver Updater\finish_iss.ini
%Program Files%\Driver Updater\French_iss.ini
%Program Files%\Driver Updater\german_iss.ini
%Program Files%\Driver Updater\italian_iss.ini
%Program Files%\Driver Updater\japanese_iss.ini
%Program Files%\Driver Updater\norwegian_iss.ini
%Program Files%\Driver Updater\portuguese_iss.ini
%Program Files%\Driver Updater\russian_iss.ini
%Program Files%\Driver Updater\spanish_iss.ini
%Program Files%\Driver Updater\swedish_iss.ini

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000, XP y Server 2003 suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp).

. %Program Files% es la carpeta Archivos de programa predeterminada, que suele estar en C:\Archivos de programa).

)

Otras modificaciones del sistema

Agrega las siguientes entradas de registro como parte de la rutina de instalación:

HKEY_CURRENT_USER\Software\Microsoft\
RestartManager\Session0000
RegFiles0000 = "%Program Files%\Smart - PC- Care for {PC Name}\mpr.exe, %Program Files%\Smart - PC- Care for {PC Name}\gtcmg.dll, %Program Files%\Smart - PC- Care for {PC Name}\gtcmg.dll, %Program Files%\Smart - PC- Care for {PC Name}\Microsoft.Win32.TaskScheduler.dll, %Program Files%\Smart - PC- Care for {PC Name}\Newtonsoft.Json.dll, %Program Files%\Smart - PC- Care for {PC Name}\PaddleCheckoutSDK.dll, %Program Files%\Smart - PC- Care for {PC Name}\NAudio.dll, %Program Files%\Smart - PC- Care for {PC Name}\TAFactory.IconPack.dll, %Program Files%\Smart - PC- Care for {PC Name}\Interop.IWshRuntimeLibrary.dll, %Program Files%\Smart - PC- Care for {PC Name}\x64\SQLite.Interop.dll, %Program Files%\Smart - PC- Care for {PC Name}\x86\SQLite.Interop.dll, %Program Files%\Smart - PC- Care for {PC Name}\System.Data.SQLite.DLL, %Program Files%\Smart - PC- Care for {PC Name}\HtmlRenderer.dll, %Program Files%\Smart - PC- Care for {PC Name}\HtmlRenderer.WinForms.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO = "({BLOCKED}-0124"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
ISTELNO = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
apst data = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
isshowng = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
issilent = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
affired = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
showwfo = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
ovoffdis = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
playsound = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
wfoset = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
country =

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
ipaddrurl = "http://www.{BLOCKED}v.com/getip/"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
prereg = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
showtn = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
cbkpoff = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
cta = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
showunins = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
isavst = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
isprmjsn = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
runcam = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
runsrc = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
runpixel = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
stdismax = "{BLOCKED}7295"

HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr
utm_source = "msmsite"

HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr
utm_campaign = "msmsite"

HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr
utm_medium =

HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr
affiliateid =

HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr
pxl = "msmsite"

HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr
x-at =

HKEY_LOCAL_MACHINE\SOFTWARE\scd-pr
x-context =

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_us = "({BLOCKED}-0124"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_uk = "{BLOCKED}1-5066"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_gb = "{BLOCKED}1-5066"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_au = "({BLOCKED}33403"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_fr = "{BLOCKED} 04 06"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_de = "{BLOCKED}22 974"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_at = "+{BLOCKED} 902 309"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_ch = "+{BLOCKED} 508 70 37"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_lu = "{BLOCKED}22 974"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_no = "+{BLOCKED} 01 97"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_dk = "{BLOCKED} 09 26'

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_nl = "{BLOCKED}882839"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_be = "{BLOCKED}5306"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_se = "{BLOCKED}4-10298"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_ja =

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_br = "{BLOCKED}91 4319"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_it = "{BLOCKED}802886"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_es = "{BLOCKED}03 537"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_ar = "{BLOCKED}36 0324"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_fi = "+{BLOCKED}270 4911"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
TELNO_pt = "{BLOCKED}50 2094"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
pdtm = "30"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
PurchaseURL = "http://store.{BLOCKED}n.site/smpc/price?"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
RenewURL = "http://store.{BLOCKED}n.site/smpc/renewal?"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
WebURL = "http://www.{BLOCKED}n.site/"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
EmailURL =

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
supporturl = "http://www.{BLOCKED}n.site/help/"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
Inno Setup: Setup Version = "5.5.8 (u)"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
Inno Setup: App Path = %Program Files%\Smart - PC- Care for {PC Name}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
InstallLocation = "%Program Files%\Smart - PC- Care for {PC Name}\"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
Inno Setup: Icon Group = "Smart - PC- Care for {PC Name}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
Inno Setup = {PC Name}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
Inno Setup: = "en"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
DisplayName = "Smart - PC- Care"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
DisplayIcon = "%Program Files%\Smart - PC- Care for {PC Name}\mpr.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
UninstallString = "%Program Files%\Smart - PC- Care for {PC Name}\unins000.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
QuietUninstallString = ""%Program Files%\Smart - PC- Care for {PC Name}\unins000.exe" /SILENT"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
DisplayVersion = "1.0.0.2"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
NoModify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
NoRepair = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{GUID}_is1
InstallDate = {Date Installed}

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
paramurl = "http://trkr.{BLOCKED}iv.com/ipfiles/"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
plurl = "http://pp.{BLOCKED}iv.com/ProductPrice.svc/"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
buybowinapp = "http://store.{BLOCKED}n.site/smpc/plan?"

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
x-ccode = {Location}

HKEY_LOCAL_MACHINE\SOFTWARE\Smart - PC- Care For {PC Name}
dlllist = "CSITEST.DLL,PSMACHINE.DLL"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
TELNO = "{BLOCKED}-0124"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
ISTELNO = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
issilent = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
affired = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
showwfo = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
pxl = "DUM2865_DUM2798_DUM1440"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
prereg = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
showtn = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
delay = "30"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
bdInst = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
cbkpoff = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
showunins = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
utm_source = "dumsm"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
utm_campaign = "dumsm"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
utm_medium = "dumsm"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
PurchaseURL = "http://driverupdater.{BLOCKED}eshoppe.com/du/price?"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
RenewURL = "http://driverupdater.{BLOCKED}eshoppe.com/du/renewal?"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
WebURL = "http://www.{BLOCKED}details.com/"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
EmailURL = "driverupdater"

HKEY_LOCAL_MACHINE\SOFTWARE\driverdetails.com\
Driver Updater
supporturl = "http://www.{BLOCKED}details.com/help/"

PUA_PCCare.GA

Resumen y descripción

Detalles técnicos

Recursos

Soporte

Acerca de Trend

Oficina Principal en el País

PUA_PCCare.GA

Resumen y descripción

Detalles técnicos

Recursos

Soporte

Acerca de Trend

Oficina Principal en el País

América

Medio Oriente & África

Europa

Asia & Pacífico