PUA:Win32/ExpressDownloader

Installation

This application can be downloaded from websites that offer third-party software downloads. For example, we have seen it downloaded from:

• us.springfile.org
• eu.springfile.org
• eu.simpl-files.com
• f23.spottyfls.com
• us.simpl-files.com

We have seen this application use the following file names:

• YourFile.iso
• YourFile_downloader.exe
• MS_Office_2016_Key_Working_For_Activation.iso
• GTA_San_Andreas_Game_downloader.exe
• Windows_10_Activator_KMSpico.iso
• GTA_San_Andreas_Game.iso
• Minecraft_Indir_Team_Extreme_1.10_Full.iso
• Windows_7_Activator_2016_Free_Download_for_32_bit__downloader.exe
• Minecraft_Indir_Team_Extreme_1.10_Full_downloader.exe

It can be digitally signed by the following vendors:

• Live Commit LLC
• Leader Bull LLC
• Beijing Xingyunwang Technology Co., Ltd
• Gold Definition LLC
• Private Application LTD

We have seen this application using product names such as:

• sparter app
• WorlNation app
• Zurumbia
• TODO: <产品名>
• Grooling app

This application communicates with domains such as:

• www.wetoolow.com
• z13.lucky-browse.org
• d1mxvenloqrqmu.cloudfront.net
• cdnh.masssea.com
• up.spring-files.com

For example:

• www.wetoolow.com/?
• z13.lucky-browse.org/
• d1mxvenloqrqmu.cloudfront.net/everything/up?

Payload

Exhibits suspicious behaviors

We have observed this application exhibit the following potentially unwanted behavior on PCs:

• Installs programs that start automatically when your PC starts
• Installs a driver on your PC
• Injects into other processes on your system
• Changes your browser's default homepage settings
• Changes your browser's default new tab page settings
• Changes your browser's default search provider settings
• Changes your browser's shortcuts - often this can be used to take over your homepage by adding command-line arguments that change how the page is loaded
• Installs extensions into your browsers - often this is used to inject ads, add toolbars, or change how your browser works
• Changes the Google Chrome secure preferences - this behavior is commonly associated with tampering with the default homepage or search provider in Chrome
• Changes your Internet Explorer proxy auto-configuration setting - we often see this used to inject ads in your browser as you browse the web
• Registers a Layered Service Provider (LSP) to intercept network traffic - this is commonly used to inject ads into your browsers
• Injects code into your browsers - this suspicious behavior is often used to bypass firewall settings or to change how your browser works
• Changes your system hosts file - this is used to redirect or disable access to specific websites, and is often abused by suspicious applications to disable competitor websites or apps, security products, or updates
• Modifies your DNS settings - we sometimes see this used to inject ads into your browser as you browse the web
• Tampers with Windows Group Policy settings

Installs other programs

We have seen this application install other software on your PC. Some of these applications might be bundled during the installation process and not intended to be installed. We have seen it installing programs such as:

• PC Speed Up
• Caster
• Max Driver Updater
• System Healer
• AnySend
• Mass Sea
• CleanBrowser
• Body Text Feathering
• SpaceSoundPro

This description was published using automated analysis.