Unpack: https://www.virustotal.com/file/69cb144b6ef526dd88832d6cab68740f563eb6b2fbe2380ecd5cd31980df0629/analysis/1359760543/
It creates a registry persistence entry:
And some other keys..
It checks whether Internet Explorer is running:
And kills it when found:
It searches for "Windows Internet Explorer" on handles.
I've not checked what it does when found, but it probably kills it.
It connects to freetraffcounter.com
• dns: 1 ›› ip: 64.32.14.210 - adresse: FREETRAFFCOUNTER.COM
The source is grabbed and parsed:
To retrieve these urls:
It seems he removed the URLs for the moment; these were found before:
var DisplayLink = "http://pornkingworldtube.com"
var AdLink = "http://widget.plugrush.com/pornkingworldtube.com/1lhr"
var AdLink1 = "http://www.toonporn.com/video/11568114/3-d-cgi-babes-cum-over-cocks?aid=673"
var AdLink2 = "http://delivery.trafficbroker.com/direct.php?zoneid=158782"
var AdLink3 = "http://avatraffic.com/in.php?sid=987"
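For analysts working from a saved copy of the page source, the `var` assignments shown above can be pulled out and reduced to a host list for proxy or DNS log searches. This is an added example, not code from the original post or from the bot; the sample source and its `.example` hosts are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Matches: var Name = "value"  (single or double quotes, same line)
ASSIGN_RE = re.compile(r'''\bvar\s+([A-Za-z_$][\w$]*)\s*=\s*(["'])(.*?)\2''')

# Constructed sample: same variable layout as in the post, placeholder hosts.
SAMPLE = '''
<script>
var DisplayLink = "http://tube.example"
var AdLink = "http://widget.ads.example/tube.example/1abc"
var AdLink1 = "http://video.example/video/1?aid=1"
var Counter = "12"
var AdLink = "http://widget.ads.example/tube.example/1abc"
</script>
'''

def extract_links(source):
    """Return {variable name: URL} for every http(s) string assignment."""
    links = {}
    for name, _quote, value in ASSIGN_RE.findall(source):
        value = value.strip()
        try:
            parts = urlsplit(value)
        except ValueError:          # malformed netloc, not a usable URL
            continue
        if parts.scheme in ("http", "https") and parts.hostname:
            links[name] = value     # a repeated assignment overwrites the earlier one
    return links

def hosts(links):
    """Unique hostnames, sorted, for log searches or a blocklist."""
    return sorted({urlsplit(u).hostname for u in links.values()})

def defang(url):
    """Make a URL non-clickable for reports; path and query stay untouched."""
    p = urlsplit(url)
    rest = url[len(p.scheme) + 3 + len(p.netloc):]
    return p.scheme.replace("tt", "xx") + "://" + p.netloc.replace(".", "[.]") + rest

if __name__ == "__main__":
    found = extract_links(SAMPLE)
    for name, url in found.items():
        print(f"{name:12} {defang(url)}")
    print("hosts:", ", ".join(hosts(found)))
```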
Some of the networks used:
And it navigates to the URLs of the affiliate advertiser:
AC:\Users\Pike.Pike-PC\Desktop\Desktop\Bot Clicker\Project1.vbp
The guys used 11 Timers for this, learn to code dude.
Very interesting, more clickbot reversal!
Doesn't it set the "SetWindowsHookEx" hook? Why would it do this under the WH_KEYBOARD? Doesn't look like a keylogger or sth.
Yum, VB6!
OW.ww. really cool! but 11 timers! ahhaha