During our daily log analysis, we recently encountered a sample purporting to power up Skype with different emoticons. The binary, when installed, integrated itself with Skype and sent the following message contacts without further intervention.
The binary in question (SkypEmoticons.exe) can be downloaded from hxxp://skypemoticons.com/.
 |
| Home page of hxxp://skypemoticons.com/ |
After installation it dropped following executable files:
Most of the dropped files are Adware which may lead to some malicious activities.
Here is the VT report for SkypeEmotions.exe.
VT reports of the various dropped samples:
| MD5 | VT Hits |
| aa9af86b02f4e497eb0284872b50af41 | 21/54 |
| e96f6d6257bdcb54c297569d42219e97 | 22/54 |
| 1d283dd3ae2312eee624e8b8c46f6adb | 45/51 |
| 666ab79b63833a2a2502c119f0843b4a | 22/54 |
| 364207a743ff39207667a0c89ff38768 | 20/53 |
| 02861acc8be1b59be2db226947a384b2 | 5/54 |
| 23912df27a61ea0463c5509ba6a97579 | 38/52 |
| cee68ad38668785cd39e37ca069f8b85 | 19/54 |
| b4eb856acc30b0005a44b87566850fb3 | 3/54 |
| 2830932fca42074f17c46c56b4942ac2 | 23/54 |
Contacted sites from which dropped files were downloaded:
- hxxp://homebestmy.info
- hxxp://superstoragemy.com
- hxxp://setepicnew.info
- hxxp://198.7.61.118
- hxxp://54.187.76.32
- hxxp://54.213.103.160
We also observed User-Agent: TixDll being used for downloading the files, which provided a handy mechanism to do some data mining and identify other domains associated with the adware. The following malicious domains were observed to be contacted via this User-Agent:
hxxp://getapplicationmy.info
hxxp://applicationgrabb.com
hxxp://appmegga.info
hxxp://downlloaddatamy.info Other domains identified in our logs contacted by this User-Agent are not currently showing any malicious activity, but may deliver some malicious content in the future:
hxxp://getapplicationmy.info
hxxp://applicationgrabb.com
hxxp://appmegga.info
hxxp://downlloaddatamy.info
hxxp://appussajob.info
hxxp://dirgreatbestepicl.info
hxxp://embededstub.de.drive-files-b.com
hxxp://embededstub.download.dmccint.com
hxxp://fra-7m17-stor06.uploaded.net
hxxp://getdirfrfee.info
hxxp://getgoolld.info
hxxp://getinstaal.info
hxxp://getmeegan.info
hxxp://homebestmy.info
hxxp://setepicnew.info
hxxp://softservers.net
hxxp://superstoragemy.com
hxxp://xml.dljs.org
Use caution when installing any add-on program, especially one that is able to control a powerful communication tool such as Skype. hxxp://dirgreatbestepicl.info
hxxp://embededstub.de.drive-files-b.com
hxxp://embededstub.download.dmccint.com
hxxp://fra-7m17-stor06.uploaded.net
hxxp://getdirfrfee.info
hxxp://getgoolld.info
hxxp://getinstaal.info
hxxp://getmeegan.info
hxxp://homebestmy.info
hxxp://setepicnew.info
hxxp://softservers.net
hxxp://superstoragemy.com
hxxp://xml.dljs.org
