Analysis by: Marcus Ma. Antonio Capistrano

ALIASES:

Gen:Application.Bundler.InstallIQ.1 (BITDEFENDER), PUA/InstallIQ.Gen5 (ANTIVIR), a variant of Win32/InstallIQ potentially unwanted application (NOD32)

PLATFORM:

Windows

  • Threat Type: Potentially Unwanted Application

  • Destructiveness: No

  • In the wild: Yes

OVERVIEW

Infection Channel: Dropped by other malware

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may create registry entries under a certain registry key.

TECHNICAL DETAILS

File Size: 1,607,248 bytes
File Type: EXE
Initial Samples Received Date: 23 Feb 2018
Payload: Connects to URLs/IPs, Drops files

Arrival Details

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other System Modifications

This Potentially Unwanted Application may create registry entries under the following registry key:

HKEY_LOCAL_MACHINE\Software\InstallIQ
{no value} = {no data}

Dropping Routine

This Potentially Unwanted Application drops the following files:

  • %AppDataLocalLow%\cookieman.exe
  • %User Temp%\pkg_{random string}\stub.log
  • %User Temp%\pkg_{random string}\wrapper.xml
  • %User Temp%\pkg_{random string}\autorun.txt
  • %User Temp%\pkg_{random string}\{PUA file name}.log
  • %User Temp%\pkg_{random string}\timings.txt
  • %User Temp%\pkg_{random string}\detectionrules.dat

(Note: %AppDataLocalLow% is the protected mode folder of Internet Explorer, which is usually C:\Users\{user name}\AppData\LocalLow on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %User Temp% is the user's temporary folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); and C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other Details

This Potentially Unwanted Application connects to the following possibly malicious URLs:

  • http://{BLOCKED}.{BLOCKED}liq.com/api/detectionrequest.aspx?keyid=1&shortname=finalmediaplayer&langid=0x0409
  • http://{BLOCKED}.{BLOCKED}liq.com/?sub1=18ef2af0-1dcb-11e8-8ce3-6044c2017a25
  • http://{BLOCKED}.{BLOCKED}liq.com/postback/V1/landing.aspx
  • http://{BLOCKED}-{BLOCKED}.com/