Home / malwarePDF  

PUA:Win32/ExpressDownloader


First posted on 23 June 2016.
Source: Microsoft

Aliases :

There are no other names known for PUA:Win32/ExpressDownloader.

Explanation :

Installation

This application can be downloaded from websites that offer third-party software downloads. For example, we have seen it downloaded from:

  • us.springfile.org
  • eu.springfile.org
  • f23.spottyfls.com
  • www.tucows.com
  • mirror.warer.com


We have seen this application use the following file names:
  • YourFile.iso
  • YourFile_downloader.exe
  • MS_Office_2016_Key_Working_For_Activation.iso
  • Game.of.Thrones.S06E05.HDTV.x264-KILLERSettv.iso
  • Plugin.iso
  • EFinstaller.exe
  • Full_Video_Clip.iso
  • game.of.thrones.season.6.episode.05.s06e05.1080p.750mb.iso
  • Game.Of.Thrones.Season.6.Episode.05.S06E05.-.720p.-.450mb.iso
  • game.of.thrones.s06e06.720p.hdtv.x264.avs.rartv.iso


It can be digitally signed by the following vendors:
  • Parrot Life LLC
  • Blue Lights LLC
  • Follow Me Home Inc.
  • Linquer Down LLC
  • World Runner Low LLC


We have seen this application using product names such as:
  • JollyMorly app
  • WorlNation app
  • Grooling app
  • YourFile Downloader
  • Installer


This application communicates with domains such as:
  • z13.lucky-browse.org
  • kickass.to
  • up.spring-files.com
  • kat.ph


For example:
  • z13.lucky-browse.org/
  • up.spring-files.com/blacklist.php?
  • feed.magnetfinder.org/feed.php?


Payload

Exhibits suspicious behaviors

We have observed this application exhibit the following potentially unwanted behavior on PCs:
  • Installs programs that start automatically when your PC starts
  • Installs a driver on your PC
  • Injects into other processes on your system
  • Changes your browser's default homepage settings
  • Changes your browser's default new tab page settings
  • Changes your browser's default search provider settings
  • Changes your browser's shortcuts - often this can be used to take over your homepage by adding command-line arguments that change how the page is loaded
  • Installs extensions into your browsers - often this is used to inject ads, add toolbars, or change how your browser works
  • Changes the Google Chrome secure preferences - this behavior is commonly associated with tampering with the default homepage or search provider in Chrome
  • Changes your Internet Explorer proxy auto-configuration setting - we often see this used to inject ads in your browser as you browse the web
  • Registers a Layered Service Provider (LSP) to intercept network traffic - this is commonly used to inject ads into your browsers
  • Injects code into your browsers - this suspicious behavior is often used to bypass firewall settings or to change how your browser works
  • Installs a trusted root certificate authority on your PC - this is a dangerous behavior that can undermine the security of your PC and web browsing. Most commonly we see this being used by ad-injection applications that insert ads in your browser as you browse the web
  • Changes your system hosts file - this is used to redirect or disable access to specific websites, and is often abused by suspicious applications to disable competitor websites or apps, security products, or updates
  • Modifies your DNS settings - we sometimes see this used to inject ads into your browser as you browse the web


Installs other programs

We have seen this application install other software on your PC. Some of these applications might be bundled during the installation process and not intended to be installed. We have seen it installing programs such as:
  • Caster
  • Max Driver Updater
  • AnySend
  • System Healer
  • TechAgent
  • SpaceSoundPro
  • Search module
  • CleanBrowser
  • Bubble Dock
  • SrpnFiles


This description was published using automated analysis.

Last update 23 June 2016

 

TOP

Malware :