Home / malware Adware:Win32/Peapoon
First posted on 05 August 2015.
Source: MicrosoftAliases :
There are no other names known for Adware:Win32/Peapoon.
Explanation :
Threat behavior
Installation
This threat can be installed on your PC if you run the installer, for example:
This threat can create files and folders on your PC, including:
- %TEMP%\is-reg29.tmp\_isetup\_shfoldr.dll
- %ProgramFiles% \Coupoon
- %ProgramFiles% \Coupoon\SSL
- %ProgramData% \abc
- %ALLUSERSPROFILE% \abc
- %SystemRoot% \end
- %ProgramFiles% \Coupoon\64.ico
- %ProgramFiles% \Coupoon\iiwjljrnpc.exe
- %ProgramFiles% \Coupoon\libeay32.dll
- %ProgramFiles% \Coupoon\nfapi.dll
- %ProgramFiles% \Coupoon\nfregdrv.exe
- %ProgramFiles% \Coupoon\ProtocolFilters.dll
- %ProgramFiles% \Coupoon\ssleay32.dll
- %ProgramFiles% \Coupoon\unins000.dat
- %ProgramFiles% \Coupoon\unins000.exe
- %ProgramFiles% \Coupoon\UpdateCheck.exe
- %ProgramFiles% \abc\17AF54B9
- %ProgramFiles% \abc\4DEDA591
- %ProgramFiles% \abc\6C8E155
- %ProgramFiles% \abc\9721B0CB
- %ProgramFiles% \abc\99E1F920
- %ProgramFiles% \abc\AA012CZ
- %ProgramFiles% \abc\C78F0747
- %ALLUSERSPROFILE% \abc\17AF54B9
- %ALLUSERSPROFILE% \abc\4DEDA591
- %ALLUSERSPROFILE% \abc\6C8E155
- %ALLUSERSPROFILE% \abc\9721B0CB
- %ALLUSERSPROFILE% \abc\99E1F920
- %ALLUSERSPROFILE% \abc\AA012CZ
- %ALLUSERSPROFILE% \abc\C78F0747
- %SystemRoot% \drivers\netfilter.sys
- %SystemRoot% \Temp\3k7f6.exe
- %SystemRoot% \Temp\52scn1h.exe
- %SystemRoot% \Temp\6n8b10y1v.exe
It also creates the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\coupoon
- HKEY_LOCAL_MACHINE\SOFTWARE\coupoon\coupoon
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CoupoonService
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\netfilter
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\UpdateCheck
- HKEY_USERS\.DEFAULT\Software\AppDataLow\Software\coupoon
It modifies the registry so that it runs each time you start your PC. For example:
In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CoupoonService
Sets value: "iiwjljrnpc.exe"
With data: "%ProgramFiles%\coupoon\iiwjljrnpc.exe"
In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\netfilter
Sets value: "netfilter.sys"
With data: "%SystemRoot%\drivers\netfilter.sys"
In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\UpdateCheck
Sets value: "UpdateCheck.exe"
With data:"%ProgramFiles%\Coupoon\UpdateCheck.exe run"
We have observed this threat contact the following URLs:
- 162.144.110.234
- 54.237.124.140
- 54.167.101.139
- 54.147.189.230
- 54.158.108.201
- 54.83.74.123
- 54.159.19.173
The threat uses code injection to make it harder to detect and remove. It can inject code into running processes.
Payload
Displays ads that you can't control
This program can show you extra ads. These ads can appear:
- In your web browser: such as search helpers, hover links, and banner ads.
- Outside of your web browser: such as pop ups, balloon ads, and toast notifications.
You wouldn't see these advertisements if this program wasn't installed. For example:
It can also display offers that contain the text "brought by coupoon", for example:
Additional information
Creates a mutex
This threat can create one or more mutexes on your PC. For example:
- RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
- RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
It might use this mutex as an infection marker to prevent more than one copy of the threat running on your PC.
Analysis by: Kathleen Mae Notario
Symptoms
The following can indicate that you have this threat on your PC:
- You see files similar to:
- %TEMP%\is-reg29.tmp\_isetup\_shfoldr.dll
- %ProgramFiles%\Coupoon
- %ProgramFiles%\Coupoon\SSL
- %ProgramData%\abc
- %ALLUSERSPROFILE%\abc
- %SystemRoot%\end
- %ProgramFiles%\Coupoon\64.ico
- %ProgramFiles%\Coupoon\iiwjljrnpc.exe
- %ProgramFiles%\Coupoon\libeay32.dll
- %ProgramFiles%\Coupoon\nfapi.dll
- %ProgramFiles%\Coupoon\nfregdrv.exe
- %ProgramFiles%\Coupoon\ProtocolFilters.dll
- %ProgramFiles%\Coupoon\ssleay32.dll
- %ProgramFiles%\Coupoon\unins000.dat
- %ProgramFiles%\Coupoon\unins000.exe
- %ProgramFiles%\Coupoon\UpdateCheck.exe
- %ProgramFiles%\abc\17AF54B9
- %ProgramFiles%\abc\4DEDA591
- %ProgramFiles%\abc\6C8E155
- %ProgramFiles%\abc\9721B0CB
- %ProgramFiles%\abc\99E1F920
- %ProgramFiles%\abc\AA012CZ
- %ProgramFiles%\abc\C78F0747
- %ALLUSERSPROFILE%\abc\17AF54B9
- %ALLUSERSPROFILE%\abc\4DEDA591
- %ALLUSERSPROFILE%\abc\6C8E155
- %ALLUSERSPROFILE%\abc\9721B0CB
- %ALLUSERSPROFILE%\abc\99E1F920
- %ALLUSERSPROFILE%\abc\AA012CZ
- %ALLUSERSPROFILE%\abc\C78F0747
- %SystemRoot%\drivers\netfilter.sys
- %SystemRoot%\Temp\3k7f6.exe
- %SystemRoot%\Temp\52scn1h.exe
- %SystemRoot%\Temp\6n8b10y1v.exe
- You see the following mutex:
- RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
- RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
Last update 05 August 2015