Analysis by: Jaime Benigno Reyes
 Modified by: Cris Nowell Pantanilla

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Adware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This adware may arrive bundled with malware packages as a malware component. It may be manually installed by a user.

As of this writing, the said sites are inaccessible.

  TECHNICAL DETAILS

File Size: 2,610,688 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 05 May 2015

Arrival Details

This adware may arrive bundled with malware packages as a malware component.

It may be manually installed by a user.

Download Routine

This adware accesses the following websites to download files:

  • http://{BLOCKED}sions-proxy-1085035873.us-east-1.elb.amazonaws.com/impression.do/?user_id=99827062-3b3c-4104-8166-ceb556821a28&event=dotnet_version_4.0&spsource=google_pdfcreator-display-CA-336x280_gif_borders&subid=software&subid2=www.download.hr&traffic_source=google_wisedownloads&offer_id=PDFCreator
  • http://{BLOCKED}ssions-proxy-1085035873.us-east-1.elb.amazonaws.com/impression.do/?user_id=99827062-3b3c-4104-8166-ceb556821a28&event=download_textarea_error&spsource=google_pdfcreator-display-CA-336x280_gif_borders&referrer=http://install2.optimum-installer.com/config/PDFCreator/offers.json?version=1.0&pid=installer&ts=2012-09-24T15:35:25.9486485Z&subid=software&subid2=www.download.hr&traffic_source=google_wisedownloads&offer_id=PDFCreator
  • http://{BLOCKED}sions-proxy-1085035873.us-east-1.elb.amazonaws.com/impression.do/?user_id=99827062-3b3c-4104-8166-ceb556821a28&event=dpi_1&spsource=google_pdfcreator-display-CA-336x280_gif_borders&subid=software&subid2=www.download.hr&traffic_source=google_wisedownloads&offer_id=PDFCreator
  • http://{BLOCKED}essions-proxy-1085035873.us-east-1.elb.amazonaws.com/impression.do/?user_id=99827062-3b3c-4104-8166-ceb556821a28&event=install_bad_config&spsource=google_pdfcreator-display-CA-336x280_gif_borders&referrer=http://install2.optimum-installer.com/config/PDFCreator/offers.json?version=1.0&pid=installer&ts=2012-09-24T15:35:25.9486485Z&subid=software&subid2=www.download.hr&traffic_source=google_wisedownloads&offer_id=PDFCreator
  • http://{BLOCKED}pressions-proxy-1085035873.us-east-1.elb.amazonaws.com/impression.do/?user_id=99827062-3b3c-4104-8166-ceb556821a28&event=json_installer_initialize_5218&spsource=google_pdfcreator-display-CA-336x280_gif_borders&subid=software&subid2=www.download.hr&traffic_source=google_wisedownloads&offer_id=PDFCreator
  • http://{BLOCKED}essions-proxy-1085035873.us-east-1.elb.amazonaws.com/impression.do/?user_id=99827062-3b3c-4104-8166-ceb556821a28&event=offer_0_accepted_&spsource=google_pdfcreator-display-CA-336x280_gif_borders&subid=software&subid2=www.download.hr&traffic_source=google_wisedownloads&offer_id=PDFCreator
  • http://{BLOCKED}sions-proxy-1085035873.us-east-1.elb.amazonaws.com/impression.do/?user_id=99827062-3b3c-4104-8166-ceb556821a28&event=setup_complete&spsource=google_pdfcreator-display-CA-336x280_gif_borders&subid=software&subid2=www.download.hr&traffic_source=google_wisedownloads&offer_id=PDFCreator
  • http://i{BLOCKED}ssions-proxy-1085035873.us-east-1.elb.amazonaws.com/impression.do/?user_id=99827062-3b3c-4104-8166-ceb556821a28&event=setup_run&spsource=google_pdfcreator-display-CA-336x280_gif_borders&subid=software&subid2=www.download.hr&traffic_source=google_wisedownloads&offer_id=PDFCreator
  • http://i{BLOCKED}ll2.optimum-installer.com/config/PDFCreator/offers.json?version=1.0&pid=installer&ts=2012-09-24T15:35:25.9486485Z
  • http://www.{BLOCKED}ownloads.com/Installer/Complete?source=google_pdfcreator-display-CA-336x280_gif_borders&reason=cancel&user_id=99827062-3b3c-4104-8166-ceb556821a28&ask=False

As of this writing, the said sites are inaccessible.

NOTES:
ADW_IBRYTE is an adware program bundled with third-party application installers. It downloads the installers from the mentioned sites and installs them.