Submission Summary:

What's been foundSeverity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Produces outbound traffic.
Downloads/requests other files from Internet.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).

 

Technical Details:

 

File System Modifications

#Filename(s)File SizeFile HashAlias
1 %CommonAppData%\WeCareReminder\aspca.bmp 6,856 bytes MD5: 0x9B3020D102C80526D832706EE822C8EB
SHA-1: 0x78AFF57A4008ED5D45A1D7CD8581294A63D9DE7B
(not available)
2 %CommonAppData%\WeCareReminder\IEHelperv2.5.0.dll 299,008 bytes MD5: 0x0D9A6F93C5924E7066E3E4E65D2E52ED
SHA-1: 0x1AFC7ACB2E590AE84BA9593A6AA7639701984B42
(not available)
3 %CommonAppData%\WeCareReminder\IEHelperv2.5.0PS.dll 8,704 bytes MD5: 0x66CDDDD95BD9284900FB30CCF7620D1A
SHA-1: 0x53A41B8917279E7F4C11312431899154A5345022
(not available)
4 %CommonAppData%\WeCareReminder\MerchantHash.txt 101,503 bytes MD5: 0x445AB41B8601FF9E3F16549172B3543A
SHA-1: 0xE0F041660C0FCBE0358E9F99396B52B62C37FFFF
(not available)
5 %CommonAppData%\WeCareReminder\ReminderHelper.exe 432,128 bytes MD5: 0xA0E2E9146F53C34221A41C028387BB2A
SHA-1: 0xD7EBD226DC5936729B28A08E95D296A396D02598
(not available)
6 %CommonAppData%\WeCareReminder\WCAutoUpdate.exe 369,664 bytes MD5: 0x37772FD5410F59E3E6A9606949525C2A
SHA-1: 0x405255E8209FF71F520B9F1B6F904DEB0AC186A4
(not available)
7 %CommonAppData%\WeCareReminder\wecarereminder@bryan\chrome\wecarereminder.jar 92,560 bytes MD5: 0xB0AFD1EF2B70EB325C120D1E9B2699DC
SHA-1: 0x7E81067A82210AACAFD713E7F6329453FD5ED4FE
(not available)
8 %CommonAppData%\WeCareReminder\wecarereminder@bryan\chrome.manifest 1,661 bytes MD5: 0xA6A82565234B13C6A6F8DD5FF34C9357
SHA-1: 0x99BF4C0931CFC7427E3895B67829A62C405C5E00
(not available)
9 %CommonAppData%\WeCareReminder\wecarereminder@bryan\components\httpModifyListener.js 20,209 bytes MD5: 0xB347A66669FDD9A79B6C86464CE676AC
SHA-1: 0x7B4E09BB02978AAE7214EE48BAFA0E2C583041C4
(not available)
10 %CommonAppData%\WeCareReminder\wecarereminder@bryan\components\WCR_MerchantHash.idl 497 bytes MD5: 0x1E8EE5C1674EEC89D8FFF4EC4079B036
SHA-1: 0x2224608E488AD6DF7698493BD530ECD381D96A27
(not available)
11 %CommonAppData%\WeCareReminder\wecarereminder@bryan\components\WCR_MerchantHash.js 3,140 bytes MD5: 0xE60C31967306A91DC5F58DBBCF6409D6
SHA-1: 0x520ACD24C59ADC1D28A435F104C1752DE98F4900
(not available)
12 %CommonAppData%\WeCareReminder\wecarereminder@bryan\components\WCR_MerchantHash.xpt 375 bytes MD5: 0x7C7B3B65DBB6628BB9E532490D2FB09E
SHA-1: 0x45070AA9AE4DA0D815CCD7D52A12F72DF2E6CADD
(not available)
13 %CommonAppData%\WeCareReminder\wecarereminder@bryan\components\WCVisitedHash.idl 663 bytes MD5: 0x17757684E3DE55D64A696F5EB24C3CF0
SHA-1: 0x4922E3D57D881E80901FB4559CE5E370D308EC71
(not available)
14 %CommonAppData%\WeCareReminder\wecarereminder@bryan\components\WCVisitedHash.js 7,983 bytes MD5: 0xEDE7CED055A69FF7386109FF9CBCD2CB
SHA-1: 0x62E8F30C1C2D4DB39101FE647012E59E6920B9CC
(not available)
15 %CommonAppData%\WeCareReminder\wecarereminder@bryan\components\WCVisitedHash.xpt 241 bytes MD5: 0x4BFD325334421F683B7C724D0C9FA63D
SHA-1: 0x1F4186843C778222575813EBA9B10468B64138EE
(not available)
16 %CommonAppData%\WeCareReminder\wecarereminder@bryan\defaults\preferences\wecarereminder.js 1,172 bytes MD5: 0x0628505DC4438F625E8440C2259E43E7
SHA-1: 0xDC0BB48F4CE3D81EF580576BB8616D351EB3420F
(not available)
17 %CommonAppData%\WeCareReminder\wecarereminder@bryan\install.rdf 1,315 bytes MD5: 0x5DB18223045E03D46A3A9E2A22DDDF99
SHA-1: 0x7FA6078249C1A2E88B473749EBA3F4E03CDD4F50
(not available)
18 %CommonAppData%\WeCareReminder\wecarereminder@bryan\ltvid.xml 82 bytes MD5: 0x2DA58CF5C08322E4AD8D121A5AA12259
SHA-1: 0x470440F1842FC842CCDE0B50ECF81B305798D8CD
(not available)
19 %CommonAppData%\WeCareReminder\wecarereminder@bryan\MerchHash.txt 69,256 bytes MD5: 0x4EBDB9DAF2A2347ABB66E879C379FFE9
SHA-1: 0x25A0B263876154FC4A6ECAACD3D7F220CA89D1EB
(not available)
20 %CommonAppData%\WeCareReminder\wecarereminder@bryan\META-INF\manifest.mf 1,821 bytes MD5: 0x1CF47A81A6D83CB1F30B2AA469CF396F
SHA-1: 0x88B31BF19F9491FEF663D0F9A1319FD692C9002D
(not available)
21 %CommonAppData%\WeCareReminder\wecarereminder@bryan\META-INF\zigbert.rsa 1,905 bytes MD5: 0x67C5E562B37C80F70434E9561C0A9984
SHA-1: 0x12F6E88BC935178B5FBCAF3B4F27B2ED47CAFD6A
(not available)
22 %CommonAppData%\WeCareReminder\wecarereminder@bryan\META-INF\zigbert.sf 1,929 bytes MD5: 0x9D5BA09B9E9EF9D343A541DC915009F4
SHA-1: 0xAE7FC50FF1A85CCB71258F6D95E839B62DC96164
(not available)
23 %CommonAppData%\WeCareReminder\wecarereminderro.crx 149,657 bytes MD5: 0x12B5FAC40ACFCC51D216709C2E962F70
SHA-1: 0x88000210B40F09AEDA9C523C213BC968CEE1932F
(not available)
24 %CommonDesktopDir%\Preview Nyan Cat Screensaver.lnk 1,861 bytes MD5: 0x9CB6BC26A3B42DA5218FB1B4BB1012A9
SHA-1: 0x3C1477D9AB7A7A7119F0CDF8FA79DBFD75E51849
(not available)
25 %CommonPrograms%\Nyan Cat\Preview Nyan Cat Screensaver.lnk 1,873 bytes MD5: 0xF58C3668971726BDD613B931D0032E23
SHA-1: 0x741993777341026EE315C87F16331C4F37DC36F6
(not available)
26 %CommonPrograms%\Nyan Cat\Uninstall Nyan Cat.lnk 1,733 bytes MD5: 0xEC39396B2803D25894F9380797B1568B
SHA-1: 0xE1B7660A6D23FBF146397F0971C3248B0DAFC1C3
(not available)
27 %DesktopDir%\Install Nyan Cat Screensaver.lnk 981 bytes MD5: 0x3832DCC8FA5091CF6C48EAC7CAFE0A6D
SHA-1: 0x22C87327381D54E6DFEA160C1C96E9F37BDE0024
(not available)
28 %Temp%\ICReinstall\[filename of the sample #1] 463,080 bytes MD5: 0x2FFAF0E364DF89C09730244014C0FDC3
SHA-1: 0x4D8F18DCCFB160331942D2AD006D68DEF99BECA4
packed with UPX [Kaspersky Lab]
29 %Temp%\is1598539481\105672_Setup.DAT
%Temp%\is1598539481\52369_Setup.DAT
%MyDocuments%\Nyan_Cat_Screensaver.exe
8,202,841 bytes MD5: 0x370D99E28D8773E695C2FF115ADF1F9C
SHA-1: 0x2103F1A45F7C739D23285E7B0DC398DD91484D4F
(not available)
30 %Temp%\is1598539481\351303159.cfg 218 bytes MD5: 0xD654521DFC0E20424C1850B88EA7C5A7
SHA-1: 0x39F6D3B000F5A4B3AFFB8B3190F68EEADA126A48
(not available)
31 %Temp%\is1598539481\513800.cfg 218 bytes MD5: 0x0A44AAD860B29B48F628DDBFC8AE9A49
SHA-1: 0x279519BE6B0A5645EECC67915458540AA73EF2CD
(not available)
32 %Temp%\is1598539481\52381_Setup.CIS 1,733,990 bytes MD5: 0x4CC2E2DC4B9C7B7C212ABEB6889E7F75
SHA-1: 0x45A60F979F853EB97DA685E7FF23DC7DEECB592A
(not available)
33 %Temp%\is1598539481\ReadOnlyInstaller.msi 4,411,392 bytes MD5: 0x4905C09876A61D8D2BB787F3F06BB4EE
SHA-1: 0xBEF87F37B825A75663ADDC911557575E222C6F2E
(not available)
34 %Temp%\ish211312\css\buttons.css 1,238 bytes MD5: 0xE10BA3C9C951F5555528C9B291334879
SHA-1: 0xE231BE4624910387AAAE4301D856DAB528F8522C
(not available)
35 %Temp%\ish211312\css\ie6_main.css 475 bytes MD5: 0xEC8BC9B61645C661B1BD3DCC8F781B30
SHA-1: 0x96D9124BF9D0D0F2E343A372ED3460F9F0C2A7CA
(not available)
36 %Temp%\ish211312\css\main.css 4,562 bytes MD5: 0x1D7B7D4B58AE79B4C4CADDE36B409242
SHA-1: 0xE3531BB7B293DD813C4B1A5481E71CB40B0E316A
(not available)
37 %Temp%\ish211312\css\progress-bar.css 508 bytes MD5: 0xE1FCF8B6066AF9A266AE34738ED5C000
SHA-1: 0x4D1079CCDFE311B77177BED54163C7CC73D7D1BE
(not available)
38 %Temp%\ish211312\defaultOffer\ad_html.txt 233 bytes MD5: 0xE321D82C7629CFB1D714779402DD23DD
SHA-1: 0xD8560FE919A0F62DBCA5FAE957654F34E4D2F065
(not available)
39 %Temp%\ish211312\defaultOffer\images\techtracker.jpg 26,693 bytes MD5: 0x199832D24E8AA5EC99AE079E8BB5B1E7
SHA-1: 0x8DE13A46F38035B0D02E27A0656CC1E584787807
(not available)
40 %Temp%\ish211312\defaultOffer\TechTracker\TechTracker_code.txt 2,966 bytes MD5: 0xE695AFF87DE58D140142A47F4F4BA207
SHA-1: 0xE09D03AEE8B62B6AB56C7B7A2F1956A8BDA74CD1
(not available)
41 %Temp%\ish211312\defaultOffer\TechTracker\TechTracker_html.txt 1,021 bytes MD5: 0xD60E47EEE106B761F7D7676CE8E12A2D
SHA-1: 0x2A458683BA295C7DB0A6615E8CDB567B79F2C4FD
(not available)
42 %Temp%\ish211312\images\green_btn.png 485 bytes MD5: 0xB570EA77375823BE8510C0F27768ED62
SHA-1: 0x096ED270C93AD811039738B7FB53E05EAAE7F4BB
(not available)
43 %Temp%\ish211312\images\grey_btn.png 360 bytes MD5: 0x501821D95E958528FED4747E4190B39F
SHA-1: 0x70E3C15D3CE5853A67AA741EC701D3AF307D7BD9
(not available)
44 %Temp%\ish211312\images\loader.gif 7,791 bytes MD5: 0xEDB71146254D3B8EBAE18607E801398C
SHA-1: 0x8775027DA6F6CC19C72D20C7F1615A01112E5D3C
(not available)
45 %Temp%\ish211312\images\main.png 22,145 bytes MD5: 0x1A2AD75C0AF449D5719473655EF5AF04
SHA-1: 0x82C5BA738B9CD2508EA2D69DA7985D586A4F0DCA
(not available)
46 %Temp%\ish211312\images\offer_box2.png 3,024 bytes MD5: 0x61F74251810068CB9EDAEAADA3C50D29
SHA-1: 0x3B779B8E723CA1E1E73AC534A2D415A18FB2DB6E
(not available)
47 %Temp%\ish211312\images\pause_btn.png 982 bytes MD5: 0x14B92CBE22EF5A31A5533D0AB114537E
SHA-1: 0xE428F1B0236F7A85FAF045237A7CD29A305D936C
(not available)
48 %Temp%\ish211312\images\prod-icon.png 4,622 bytes MD5: 0xEF430C7CB8DAD930F9E51941593B2AF2
SHA-1: 0x03CA0848FD18014781B7C1DA5064A761E1F317F8
(not available)
49 %Temp%\ish211312\images\progress_bar.png 456 bytes MD5: 0x26588A39E960E2F5BA70FC082A8F02AF
SHA-1: 0x116B62C07995D60F9BFC492296CC9C5C5A1AD26A
(not available)
50 %Temp%\ish211312\images\resume_btn.png 985 bytes MD5: 0x05E22E0225F53B69A44B443540C20324
SHA-1: 0xAF5EB7EBF4F053B17D19A678EC84C329E632B2DF
(not available)
51 %Temp%\ish211312\images\secure_dwnl.png 2,862 bytes MD5: 0x6F2B1F7689B06EEF2D9C4E5E00B9EE2E
SHA-1: 0xBDB0B30006AF53427194EA79F0615992CB84A99B
(not available)
52 %Temp%\ish211312\images\welcome_prod_box.png 1,593 bytes MD5: 0x93791BDB5453514A501AD84985B69824
SHA-1: 0x4FD167C14DDBC76472082C3C5ADB37052C96D6C0
(not available)
53 %Temp%\ish211312\images\zip_icon.png 943 bytes MD5: 0xA17CADDBEE24EF3FFB3DAA1D12EF3933
SHA-1: 0x728D11A32C5610D0362E9AED32F6F376CAD937DF
(not available)
54 %Temp%\ish211312\locale\EN.locale 2,450 bytes MD5: 0x5128DACAA4884C07897B2A14E924CE2D
SHA-1: 0x383A9A3F9EC01FA528A206802F75518638D79669
(not available)
55 %Temp%\ish211312\mask.bmp.Mask 196 bytes MD5: 0x6A385B06B6108CD109828A9F5F9FBE4C
SHA-1: 0x8003481E740E7E02F32DF1C6866E0809BF59B1A9
(not available)
56 %Temp%\ish211312\sdk\exceptlist.txt 34 bytes MD5: 0xF01863CCE9F2A2E4DCEF02F285E561AF
SHA-1: 0xE2CBA65BE3F487E3760CF8D9247D3F4F73FF8174
(not available)
57 %Temp%\nsf10.tmp\AdvSplash.dll
%Temp%\nsm4.tmp\AdvSplash.dll
6,144 bytes MD5: 0x13CC92F90A299F5B2B2F795D0D2E47DC
SHA-1: 0xAA69EAD8520876D232C6ED96021A4825E79F542F
(not available)
58 %Temp%\nsf10.tmp\inetc.dll 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
(not available)
59 %Temp%\nsf10.tmp\OCSetupHlp.dll
%Temp%\nsm4.tmp\OCSetupHlp.dll
768,328 bytes MD5: 0x1FB4A4A1947E77C2F98C34C47018CAE7
SHA-1: 0x0EF4CF91C83A67C075C6FA5CA8E941EBA7951B39
(not available)
60 %Temp%\nsf10.tmp\System.dll
%Temp%\nsm4.tmp\System.dll
11,264 bytes MD5: 0xC17103AE9072A06DA581DEC998343FC1
SHA-1: 0xB72148C6BDFAADA8B8C3F950E610EE7CF1DA1F8D
(not available)
61 %Temp%\nsm4.tmp\BrandingURL.dll 4,096 bytes MD5: 0x71C46B663BAA92AD941388D082AF97E7
SHA-1: 0x5A9FCCE065366A526D75CC5DED9AADE7CADD6421
(not available)
62 %Temp%\nsm4.tmp\inetc.dll 24,576 bytes MD5: 0x1EFBBF5A54EB145A1A422046FD8DFB2C
SHA-1: 0xEC4EFD0A95BB72FD4CF47423647E33E5A3FDDF26
(not available)
63 %Temp%\nsm4.tmp\modern-header.bmp 25,818 bytes MD5: 0xD717C961B77315B3D5F9C08F7B30CFA8
SHA-1: 0xB00ED9F90D298F0C54B51498F43C182D252A2E32
(not available)
64 %Temp%\nsm4.tmp\modern-wizard.bmp 154,542 bytes MD5: 0xF71434A4E6D7A3CAD9B0C93F45F7546D
SHA-1: 0x01F7928F6C028AF6A7F2DBB19B9D35FB185A78BB
(not available)
65 %ProgramFiles%\ScreenSaverGift\Nyan Cat\Nyan Cat\Nyan Cat.scr 8,320,080 bytes MD5: 0xBA12FC9B3DFBCC99B0DD2F3AF6BE05DA
SHA-1: 0x799039B0683E0CEDB0D169541479F920ECCE29F5
(not available)
66 %ProgramFiles%\ScreenSaverGift\Nyan Cat\Nyan Cat\screen.ico 136,606 bytes MD5: 0xF153B664965E12FFC0BB49FBBF8AAD7C
SHA-1: 0x506391747EE33B786FC5AF2472740A5C15B75F18
(not available)
67 %ProgramFiles%\ScreenSaverGift\Nyan Cat\Nyan Cat\screensavergift.ico 11,502 bytes MD5: 0x1559FB3269A39E22C31DE910E9D76F51
SHA-1: 0x9B1D4EC5EC45934B120789C81E254DCDC17F9704
(not available)
68 %ProgramFiles%\ScreenSaverGift\Nyan Cat\Nyan Cat\Uninstall Nyan Cat.exe 219,697 bytes MD5: 0x70601BF8A643B167CAC221342D714CCA
SHA-1: 0xF8F461F24C1E6AE9EF78EAB16790FB61E7AC824A
(not available)
69 %ProgramFiles%\ScreenSaverGift\Nyan Cat\Nyan Cat\uninstall.ico 295,887 bytes MD5: 0xD4E07F9FF8AAD1A472443F744D8BBEF2
SHA-1: 0x684CBB5A9D0C503F2D642B0B38ACAFE2844B875E
(not available)
70 %Windir%\Installer\1c68b.msi 3,570,176 bytes MD5: 0xCD7FB6DBFDACB275337171DA55A06C02
SHA-1: 0xB9B104584D020AD5E82CC640EFF5BC97468BC134
(not available)
71 %Windir%\Installer\{1CCF681C-C203-49B3-83F4-A54F0F944416}\icon.ico 894 bytes MD5: 0xFDED327A04EC0F953F086B045BE1DB21
SHA-1: 0xA3E4D62F6B5B0714C1391EA8165BBDFC36FE8620
(not available)

 

Memory Modifications

Process NameProcess FilenameMain Module Size
Nyan_Cat_Screensaver.exe%MyDocuments%\nyan_cat_screensaver.exe438,272 bytes
[filename of the sample #1][file and pathname of the sample #1]1,101,824 bytes

Service NameDisplay NameNew StatusService Filename
MSIServerWindows Installer"Running"%System%\msiexec.exe /V

 

Registry Modifications

 

Other details

Russian Federation

Remote HostPort Number
107.20.139.16180
107.22.236.6980
178.236.5.3580
204.232.180.20980
207.171.163.16280
209.18.43.14680
50.17.255.10880
64.30.224.8980
72.21.215.19780
72.247.38.5080

 

Outbound traffic (potentially malicious)

 

 

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2014 ThreatExpert. All rights reserved.