Thread: [ TECHNICAL TEAR DOWN : DIGICOUPPOAN (PUP/ADWARE) ]

  1. #1

    [ TECHNICAL TEAR DOWN : DIGICOUPPOAN (PUP/ADWARE) ]

    Recently, while I was trying to troubleshoot my relative’s home network,
    I happened to notice that their Chrome browser was infected with a PUP/Adware.

    PUP stands for Potentially Unwanted Program. The one that I’ve come across is DIgiCOuppOan.
    I suspect that the machine was infected when one of them went to some p0rn sites.

    DIgiCOuppOan is classified as potentially unwanted adware. DIgiCOuppOan claims to enhance your web browsing experience and save you time and money by providing discounts and other bonuses and deals. The DIgiCOuppOan program is compatible with the majority of the top online retailers.

    The DIgiCOuppOan program will display its ads in a pop-up box containing various ads according to your queries when you browse online. Currently the DIgiCOuppOan adware program displays at least four basic types of advertising, including sponsored links, coupons, video-related ads and banner ads, “pop-unders” or interstitial ads.

    Instead of writing about what it is, I’ll be doing my own technical tear-down of this PUP/Adware.
    I’ve attached the link to the file here for anyone interested in trying to analyse it themselves.
    bkkdkcifjmepenkhibomliiocmpiejlj.zip
    The password to the attachment is “infected29A”.

    [ Sample used in the analysis ]
    MD5: 3e77ff05e942fd87964f5588b6274623
    SHA1: a2f3a6af0a6f2e757e1e19694c1db614d11b464b

    [ How it starts ]
    Since it’s a Chrome extension adware, let’s check the permissions of this adware and further dissect it.
    Let’s try to understand how a Chrome extension works.
    A Chrome extension will always require a manifest file, a background.html and possibly some JavaScript files, as documented by Google here.

    The manifest file, called manifest.json, gives information about the extension, such as the most important files and the capabilities that the extension might use.
    For this particular adware, we can see below what sort of permissions manifest.json requests.
    Code:
    {
      "name": "DIgiCOuppOan",
      "version": "5.3",
      "description": "",
      "manifest_version": 2,
      "background": {"page": "background.html"},
      "content_scripts": [
        {
          "all_frames": true,
          "matches": ["http://*/*", "https://*/*"],
          "js": ["content.js"],
          "run_at": "document_end"
        }
      ],
      "permissions": [
        "http://*/*",
        "https://*/*",
        "tabs",
        "cookies",
        "management",
        "notifications",
        "contextMenus",
        "management",
        "storage"
      ]
    }

    From the above manifest.json and the documentation from here,
    we can see that it will inject content.js at the end of all webpages visited by the user(s).
    Once this Chrome extension has started, it will start “background.html”.

    From the “permissions”, we can also see the permissions that it requires.
    For a better understanding of the permissions and what each individual permission means, the following will be a good reference.
    https://developer.chrome.com/extensions/declare_permissions

    [ Dissecting Background.html ]
    Let’s take a look at “background.html” and we can see that once it’s loaded, it will start 2 other JavaScript files, “L7Y9.js” & “lsdb.js”.

    [ Image: DIgiCOuppOan.01.png ]

    [ Dissecting L7Y9.js ]
    Let’s take a look at L7Y9.js and we can see that there is a decode function.
    Even though at first glance the string looks like it’s base64 encoded, in reality it is not.

    Now let’s write a decode function without running the actual script. Below is a simple decoding script.
    Code:
    <html>
    <body>
        <script>
            // Alphabet used by the extension: a permutation of the standard base64 alphabet.
            var xlat = "abcdwxyzstuvrqponmijklefghABCDWXYZSTUVMNOPQRIJKLEFGH9876543210+/";

            // Turns the decoded byte string into a JavaScript string (UTF-8 -> UTF-16).
            function _utf8_decode(a) {
                for (var b = "", c = 0, d, e, f; c < a.length;) {
                    d = a.charCodeAt(c);
                    if (128 > d) b += String.fromCharCode(d),
                        c++;
                    else if (191 < d && 224 > d) e = a.charCodeAt(c + 1),
                        b += String.fromCharCode((d & 31) << 6 | e & 63),
                        c += 2;
                    else e = a.charCodeAt(c + 1),
                        f = a.charCodeAt(c + 2),
                        b += String.fromCharCode((d & 15) << 12 | (e & 63) << 6 | f & 63),
                        c += 3;
                }
                return b;
            }

            // Plain base64 decoding, except that characters are looked up in xlat
            // instead of the standard alphabet. Anything outside the alphabet
            // (including "=" padding) is stripped first, exactly as the extension does.
            function decode(a) {
                for (var a = a.replace(/[^A-Za-z0-9\+\/]/g, ""), b = "", c = 0; c < a.length;) {
                    var d = this.xlat.indexOf(a.charAt(c++)),
                        e = this.xlat.indexOf(a.charAt(c++)),
                        f = this.xlat.indexOf(a.charAt(c++)),
                        g = this.xlat.indexOf(a.charAt(c++)),
                        h = (e & 15) << 4 | f >> 2,
                        i = (f & 3) << 6 | g;
                    b += String.fromCharCode(d << 2 | e >> 4);
                    64 != f && (b += String.fromCharCode(h));
                    64 != g && (b += String.fromCharCode(i));
                }
                return this._utf8_decode(b);
            }

            // The encoded string taken from L7Y9.js goes here.
            var url = decode("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");
            console.log(url);
        </script>
    </body>
    </html>
    After decoding is done, the decoded message, or URL(s) in this case, are:
    Code:
    h--p://spysimplejob.info/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHqTkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F
    h--p://getyourfilespot.com/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHqTkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F
    h--p://getfilenow.co.il/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHqTkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F
    h--p://bdalalakfiles.com/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHqTkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F
    h--p://syncjpi.co.il/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHqTkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F
    h--p://livesimplejob.info/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHqTkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F
    h--p://groupsuperset.info/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHqTkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F
    h--p://filesonlinehere.com/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHqTkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F
    h--p://filedeskforyou.com/sync/?q=hfZ9ofbLAfkMCyVUojaMg708BNmGWj8jmGhGheDUojwHrjsHrdaGrdn9rchPBMn0qHr7pja5rdkHrihHC7n0pdCFqjaHpjUHqTkEqTkFrjs8qch7hfs0pihLC7VUojgErihOAen0qHrHpdsGrHY7rjw7qjYFqHnErShZhMg0rShSCH9F
    At first glance, it’s probably those links that will be injected into the webpages that the user(s) visit.
    It is persistently writing data to Local Storage, as we saw that it requested the “storage” permission in the manifest.json file.

    [ Conclusion ]
    While this is not state-of-the-art Chrome extension malware, it’s probably one of the many PUP/Adware out there.

    I hope that this is a fairly simple-to-understand technical tear-down whose steps people can repeat on their own, and learn how to analyse Chrome extension PUP/Adware, or even Chrome extension malware, by themselves.

    BR,
    [ Gunther ]
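    A small static triage helper that goes with the two analysis steps above (the manifest.json permissions and the custom decoder in L7Y9.js). This is an added example, not Gunther's code and not code from the extension: part 1 flags the manifest entries a defender would look at first, and part 2 re-implements the L7Y9.js decoder as ordinary base64 over the extension's permuted ("xlat") alphabet, so the string can be decoded without running any of the extension's own script. The function names (triageManifest, decodeXlat, encodeXlat) are my own, the manifest object is a copy of the one shown in the post, and the test strings are constructed.

```javascript
// Added example (not Gunther's code, not part of the extension): a defender's
// static triage helper for a Chrome extension. Runs under Node.js.
// Part 1 flags risky manifest.json entries; part 2 decodes the "xlat" encoding.
// Function names are my own; sample inputs below are constructed.

// The manifest shown in the post, as a JS object.
const SAMPLE_MANIFEST = {
  name: "DIgiCOuppOan",
  version: "5.3",
  manifest_version: 2,
  background: { page: "background.html" },
  content_scripts: [
    { all_frames: true, matches: ["http://*/*", "https://*/*"], js: ["content.js"], run_at: "document_end" },
  ],
  permissions: ["http://*/*", "https://*/*", "tabs", "cookies", "management",
                "notifications", "contextMenus", "management", "storage"],
};

// Permissions worth a second look in an unknown extension (see the Chrome
// declare_permissions reference linked above for the full list).
const RISKY_PERMISSIONS = {
  tabs: "can see the URL and title of every open tab",
  cookies: "can read and modify cookies on matched hosts",
  management: "can enumerate, disable or uninstall other extensions",
  storage: "can persist data across sessions (e.g. a list of URLs to inject)",
};
const BROAD_HOSTS = new Set(["http://*/*", "https://*/*", "*://*/*", "<all_urls>"]);

// Return an array of human-readable findings for a parsed manifest object.
function triageManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  // Host permissions covering every site the user visits.
  for (const p of perms) {
    if (BROAD_HOSTS.has(p)) findings.push(`broad host permission: ${p}`);
  }
  // Sensitive API permissions (deduplicated).
  for (const p of new Set(perms)) {
    if (RISKY_PERMISSIONS[p]) findings.push(`${p}: ${RISKY_PERMISSIONS[p]}`);
  }
  // Repeated entries hint at a generated or carelessly edited manifest.
  const seen = new Set();
  for (const p of perms) {
    if (seen.has(p)) findings.push(`duplicate permission: ${p}`);
    seen.add(p);
  }
  // Content scripts injected into every frame of every site.
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some((m) => BROAD_HOSTS.has(m))) {
      findings.push(`content script ${(cs.js || []).join(",")} runs on all sites` +
        (cs.all_frames ? " and all iframes" : "") + ` at ${cs.run_at || "document_idle"}`);
    }
  }
  return findings;
}

// Part 2: the decoder. XLAT is the alphabet from L7Y9.js; STD is the standard
// base64 alphabet. Decoding is ordinary base64 once each character is mapped to
// its 6-bit position in XLAT.
const XLAT = "abcdwxyzstuvrqponmijklefghABCDWXYZSTUVMNOPQRIJKLEFGH9876543210+/";
const STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

function decodeXlat(s) {
  // Like the original, ignore anything outside the alphabet (this drops "=" padding).
  const clean = s.replace(/[^A-Za-z0-9+/]/g, "");
  const bytes = [];
  let buf = 0, bits = 0;
  for (const ch of clean) {
    buf = ((buf << 6) | XLAT.indexOf(ch)) & 0xffffff; // keep a 24-bit window
    bits += 6;
    if (bits >= 8) { // a full byte is available
      bits -= 8;
      bytes.push((buf >> bits) & 0xff);
    }
  }
  return Buffer.from(bytes).toString("utf8"); // UTF-8 decode, as _utf8_decode did
}

// Inverse transform, used here only to build constructed test input for decodeXlat.
function encodeXlat(s) {
  return Buffer.from(s, "utf8").toString("base64")
    .replace(/[A-Za-z0-9+/]/g, (c) => XLAT[STD.indexOf(c)]);
}

// Stand-alone run: print the findings and a round trip of a constructed string.
console.log(triageManifest(SAMPLE_MANIFEST).join("\n"));
const sample = encodeXlat("h--p://example.invalid/sync/?q=constructed");
console.log(sample, "->", decodeXlat(sample));
```

    The "duplicate permission" and "all sites and all iframes" findings are the two that single this sample out: a legitimate coupon extension rarely needs management, cookies and tabs together with a content script on every frame. For a real incident, feed triageManifest the parsed manifest.json from the unpacked CRX and pass the literal string from L7Y9.js to decodeXlat; nothing in the block runs the extension's own code.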

  2. #2
    Nice quick how-to, Gunther. Thanks.
    It's funny how many computers I have removed this from.
    Since I don't have the time to play with them, I always wondered
    how they performed.

    In the last 2-3 years I have taken to writing a .txt file on each computer
    I fix with 10 simple rules of what not to do.
    I make that screen display at start up every time the computer starts.

    Woodmann
    Learn Or Die.

  3. #3
    Would love to see that txt file.
    Blame Microsoft, get l337 !!

  4. #4
    Condemned geezer | Join Date: Oct 2001 | Location: Ankara, Turkey | Posts: 138
    Quote (Originally Posted by Aimless):
    Would love to see that txt file.
    Most probably, it would be something like the attached one below.
    Attached Files

  5. #5
    No, I don't have a problem with porn sites.

    Perhaps later, if I have the ambition I will post it.

    'Tis very lame that you have to tell people not to do these things.

    Woodmann

    10 comp commandments.txt
    Learn Or Die.

  6. #6
    Condemned geezer | Join Date: Oct 2001 | Location: Ankara, Turkey | Posts: 138
    That 10 comp commandments, it is hilarious.

    As for porn, those which I healed had almost all the very same symptoms which could be traced back to porn. Anyway, that's not surprising, since we're a bunch of geezers living on those blue pills.

  7. #7
    evaluator (Musician member) | Join Date: Sep 2001 | Posts: 1,479 | Blog Entries: 1
    1. is "big ration of shit" flavored?
    2.
    YOU WILL BE RIDICULED AND BELITTLED BY ME AND EVERYONE ELSE
    mazo: please, more, more RIDICULE AND BELITTLE me..

  8. #8
    1) Oh, you don't want to know the flavor. After I fix it the 2nd time I tell them "don't dare come back to me again".
    2) Only one has come back a third time. I don't see him anymore.

    Woodmann
    Learn Or Die.
