
Adware:Win32/Peapoon


First posted on 05 August 2015.
Source: Microsoft

Aliases:

There are no other names known for Adware:Win32/Peapoon.

Explanation:

Threat behavior

Installation

This threat can be installed on your PC if you run the installer, for example:



This threat can create files and folders on your PC, including:

  • %TEMP%\is-reg29.tmp\_isetup\_shfoldr.dll
  • %ProgramFiles%\Coupoon
  • %ProgramFiles%\Coupoon\SSL
  • %ProgramData%\abc
  • %ALLUSERSPROFILE%\abc
  • %SystemRoot%\end
  • %ProgramFiles%\Coupoon\64.ico
  • %ProgramFiles%\Coupoon\iiwjljrnpc.exe
  • %ProgramFiles%\Coupoon\libeay32.dll
  • %ProgramFiles%\Coupoon\nfapi.dll
  • %ProgramFiles%\Coupoon\nfregdrv.exe
  • %ProgramFiles%\Coupoon\ProtocolFilters.dll
  • %ProgramFiles%\Coupoon\ssleay32.dll
  • %ProgramFiles%\Coupoon\unins000.dat
  • %ProgramFiles%\Coupoon\unins000.exe
  • %ProgramFiles%\Coupoon\UpdateCheck.exe
  • %ProgramFiles%\abc\17AF54B9
  • %ProgramFiles%\abc\4DEDA591
  • %ProgramFiles%\abc\6C8E155
  • %ProgramFiles%\abc\9721B0CB
  • %ProgramFiles%\abc\99E1F920
  • %ProgramFiles%\abc\AA012CZ
  • %ProgramFiles%\abc\C78F0747
  • %ALLUSERSPROFILE%\abc\17AF54B9
  • %ALLUSERSPROFILE%\abc\4DEDA591
  • %ALLUSERSPROFILE%\abc\6C8E155
  • %ALLUSERSPROFILE%\abc\9721B0CB
  • %ALLUSERSPROFILE%\abc\99E1F920
  • %ALLUSERSPROFILE%\abc\AA012CZ
  • %ALLUSERSPROFILE%\abc\C78F0747
  • %SystemRoot%\drivers\netfilter.sys
  • %SystemRoot%\Temp\3k7f6.exe
  • %SystemRoot%\Temp\52scn1h.exe
  • %SystemRoot%\Temp\6n8b10y1v.exe


It also creates the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\coupoon
  • HKEY_LOCAL_MACHINE\SOFTWARE\coupoon\coupoon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CoupoonService
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\netfilter
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\UpdateCheck
  • HKEY_USERS\.DEFAULT\Software\AppDataLow\Software\coupoon


It modifies the registry so that it runs each time you start your PC. For example:

In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CoupoonService
Sets value: "iiwjljrnpc.exe"
With data: "%ProgramFiles%\coupoon\iiwjljrnpc.exe"

In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\netfilter
Sets value: "netfilter.sys"
With data: "%SystemRoot%\drivers\netfilter.sys"

In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\UpdateCheck
Sets value: "UpdateCheck.exe"
With data: "%ProgramFiles%\Coupoon\UpdateCheck.exe run"

We have observed this threat contact the following IP addresses:

  • 162.144.110.234
  • 54.237.124.140
  • 54.167.101.139
  • 54.147.189.230
  • 54.158.108.201
  • 54.83.74.123
  • 54.159.19.173


The threat uses code injection to make it harder to detect and remove. It can inject code into running processes.
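The following host triage script is an added example and is not part of the Microsoft write-up. It checks a Windows machine for the persistence artifacts this entry lists: the three service keys under HKLM\SYSTEM\CurrentControlSet\services, the other registry keys, the Coupoon program folder and driver file, and the two mutex names. Every service, path and mutex name is taken from the page; the only assumptions are that the script runs in an elevated PowerShell session and that, on 64-bit Windows, the folder may also sit under the 32-bit Program Files directory (the page does not say which). Note that mutex names of the form RstrMgr-<GUID>-Session0000 follow the Windows Restart Manager pattern that ordinary installers also produce, so a mutex hit on its own is weak evidence and is reported as such.

```powershell
# Added triage example (not the original page's or Microsoft's code).
# Reports which of the artifacts listed for Adware:Win32/Peapoon exist on this host.
# Run elevated so that HKLM service keys and %SystemRoot%\drivers are readable.

$services = 'CoupoonService', 'netfilter', 'UpdateCheck'

$registryKeys = @(
    'HKLM:\SOFTWARE\coupoon',
    'HKLM:\SOFTWARE\coupoon\coupoon',
    'Registry::HKEY_USERS\.DEFAULT\Software\AppDataLow\Software\coupoon'
)

# Assumption: on 64-bit Windows the folder may be in either Program Files directory.
$programDirs = @($env:ProgramFiles)
if (${env:ProgramFiles(x86)}) { $programDirs += ${env:ProgramFiles(x86)} }

$paths = @(
    "$env:SystemRoot\drivers\netfilter.sys",
    "$env:SystemRoot\end",
    "$env:ProgramData\abc",
    "$env:ALLUSERSPROFILE\abc"
)
foreach ($dir in $programDirs) {
    $paths += "$dir\Coupoon"
    $paths += "$dir\Coupoon\iiwjljrnpc.exe"
    $paths += "$dir\Coupoon\UpdateCheck.exe"
    $paths += "$dir\Coupoon\nfregdrv.exe"
    $paths += "$dir\abc"
}

$mutexes = 'RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511',
           'RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000'

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Type, $Name, $Detail, $Weight) {
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail; Weight = $Weight })
}

# 1. Services: a key under CurrentControlSet\services is the persistence the page describes.
foreach ($svc in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $key) {
        $props  = Get-ItemProperty -Path $key
        $values = $props.PSObject.Properties |
                  Where-Object { $_.Name -notlike 'PS*' } |
                  ForEach-Object { "$($_.Name)=$($_.Value)" }
        Add-Finding 'ServiceKey' $svc ($values -join '; ') 'strong'
    }
    $running = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($running) { Add-Finding 'ServiceState' $svc $running.Status 'strong' }
}

# 2. Other registry keys from the page.
foreach ($key in $registryKeys) {
    if (Test-Path $key) { Add-Finding 'RegistryKey' $key 'present' 'strong' }
}

# 3. Files and folders from the page.
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p
        Add-Finding 'File' $p ("modified " + $item.LastWriteTime) 'medium'
    }
}

# 4. Mutexes: open by name in both the session and Global namespaces.
#    Restart Manager creates mutexes of this shape during installs, so treat as weak.
foreach ($name in $mutexes) {
    foreach ($full in @($name, "Global\$name")) {
        $m = $null
        if ([System.Threading.Mutex]::TryOpenExisting($full, [ref]$m)) {
            Add-Finding 'Mutex' $full 'open' 'weak'
            $m.Dispose()
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No artifacts listed for Adware:Win32/Peapoon were found on this host.'
} else {
    $findings | Sort-Object Weight, Type | Format-Table -AutoSize
}
```

A service key hit for CoupoonService or netfilter is the strongest signal here, since those keys are exactly what the entry says the installer writes for persistence; treat file or mutex hits alone as a reason to look further rather than as confirmation.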



Payload
Displays ads that you can't control


This program can show you extra ads. These ads can appear:

  • In your web browser: such as search helpers, hover links, and banner ads.
  • Outside of your web browser: such as pop ups, balloon ads, and toast notifications.


You wouldn't see these advertisements if this program wasn't installed. For example:





It can also display offers that contain the text "brought by coupoon", for example:



Additional information

Creates a mutex

This threat can create one or more mutexes on your PC. For example:

  • RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
  • RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000


It might use this mutex as an infection marker to prevent more than one copy of the threat running on your PC.



Analysis by: Kathleen Mae Notario

Symptoms

The following can indicate that you have this threat on your PC:

  • You see files similar to:
    • %TEMP%\is-reg29.tmp\_isetup\_shfoldr.dll
    • %ProgramFiles%\Coupoon
    • %ProgramFiles%\Coupoon\SSL
    • %ProgramData%\abc
    • %ALLUSERSPROFILE%\abc
    • %SystemRoot%\end
    • %ProgramFiles%\Coupoon\64.ico
    • %ProgramFiles%\Coupoon\iiwjljrnpc.exe
    • %ProgramFiles%\Coupoon\libeay32.dll
    • %ProgramFiles%\Coupoon\nfapi.dll
    • %ProgramFiles%\Coupoon\nfregdrv.exe
    • %ProgramFiles%\Coupoon\ProtocolFilters.dll
    • %ProgramFiles%\Coupoon\ssleay32.dll
    • %ProgramFiles%\Coupoon\unins000.dat
    • %ProgramFiles%\Coupoon\unins000.exe
    • %ProgramFiles%\Coupoon\UpdateCheck.exe
    • %ProgramFiles%\abc\17AF54B9
    • %ProgramFiles%\abc\4DEDA591
    • %ProgramFiles%\abc\6C8E155
    • %ProgramFiles%\abc\9721B0CB
    • %ProgramFiles%\abc\99E1F920
    • %ProgramFiles%\abc\AA012CZ
    • %ProgramFiles%\abc\C78F0747
    • %ALLUSERSPROFILE%\abc\17AF54B9
    • %ALLUSERSPROFILE%\abc\4DEDA591
    • %ALLUSERSPROFILE%\abc\6C8E155
    • %ALLUSERSPROFILE%\abc\9721B0CB
    • %ALLUSERSPROFILE%\abc\99E1F920
    • %ALLUSERSPROFILE%\abc\AA012CZ
    • %ALLUSERSPROFILE%\abc\C78F0747
    • %SystemRoot%\drivers\netfilter.sys
    • %SystemRoot%\Temp\3k7f6.exe
    • %SystemRoot%\Temp\52scn1h.exe
    • %SystemRoot%\Temp\6n8b10y1v.exe
  • You see the following mutex:
    • RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
    • RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000

Last update 05 August 2015
