Avira Msi


Avira Software Updater manages updates and patches for over 150 programs, including the most popular ones. It scans your system for outdated software and helps you download the right updates with a single click. It's a constant race to identify and close down security loopholes.

Avira is the pioneer of the freemium business model, offering free privacy, security, and performance tools for a wide range of platforms. Avira's core belief is that digital privacy and security are fundamental digital rights, so our software is and always will be free. Download an all-in-one free security, privacy, and performance solution for your digital life. Avira Free Security includes VPN, antivirus, tune-up tools, a password manager & more.

AVIRA.OE.SETUP.MSI.MSI process information

Description: the file avira.oe.setup.msi.msi, from an unknown publisher, is part of an unknown product. avira.oe.setup.msi.msi is located in C:/programdata/package cache/{9620d4c2-cf5b-4dbe-8103-cc9dab0871c6}v1.2.119.17994/ with a file size of 4349395 bytes, file version unknown, MD5 5c4de4369d2eb89a43ef9631e5d36a3b.

We recently discovered malicious Microsoft Software Installation (MSI) files that download and execute other files, and could bypass traditional security solutions.

Updated as of April 24, 2019 7:39 p.m. PDT to amend technical analysis on Avira-related files and include latest statement from Avira

Windows Installer uses Microsoft Software Installation (MSI) package files to install programs. Every package file has a relational-type database that contains instructions and data required to install or remove programs.

We recently discovered malicious MSI files that download and execute other files and could bypass traditional security solutions. Malicious actors can abuse custom actions in these files to execute malicious scripts and drop malware that can either initiate a system shutdown or target financial systems in specific regions.

Analyzing malicious MSI files

We found JScript/VBScript code within several samples of malicious *.msi files. However, parts of the script were spread across (and, it seems, truncated in) other parts of the file, and the files did not directly invoke wscript.exe to run them; the installer itself, msiexec.exe, has its own script interpreter.

Figure 1. MSI file containing JavaScript that appears to be truncated

We used Orca MSI Editor, a tool that shows how and where an MSI delivers files, to view the tables and locate the script in question in the CustomAction table. The CustomAction table permits the integration of custom code and data into installations. The source of the executed code can be a stream within the package database, an installed file, or an existing executable. The table lists information such as action, type, source, target, and extended type to provide further details.

Figure 2. From Orca MSI Editor: CustomAction that contains JavaScript

The malicious JS code (detected by Trend Micro as Trojan.JS.MSAIHA.A) accesses the URL hxxps[:]//s3-eu-west-1[.]amazonaws[.]com/{random characters}/image2[.]png to download files. The downloaded file or the created .txt file is stored in one of the following folders:

  • %User Startup%
  • %User Profile%\Saved Games
  • %User Profile%\Contacts
  • %User Profile%\Links
  • %User Profile%\Music

For downloaded files (.exe, .msi, or dump files from zip), the malware uses the filename jesus or dump. For created .txt files, the filename varies between desktop.txt, desktop, and desktop.ini. The malware can also initiate a system shutdown.

At the time of our analysis, one of the samples related to Trojan.PS1.MSAIHA.A had a URL that was still up. We learned that it will not continue its malicious routine if it finds the file %Application Data%/{yyyyMM}.ini; otherwise it drops that file as an infection marker. It also downloads an encrypted .zip file and decrypts it with a single-byte XOR using the hardcoded key 0x29.

Figure 3. Contents of the .zip file saved in the Microsoft folder

Figure 4. The trojan executing context_snapshot.exe

The .zip file contains normal files like iLua.inf, msvcr120.dll, and msvcp120.dll; files digitally signed by Avira; AutoIt-related files; and an encrypted dynamic-link library (DLL). The trojan runs the AutoIt interpreter (a freeware automation language) with an AutoIt script as its parameter, to: 1) load Jlib.dll (it apparently did not decrypt it first, so the load failed), and 2) execute context_snapshot.exe (also known as Avira.SystrayStartTrigger.exe).
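The single-byte XOR decoding described above and the archive inventory from the same paragraph, as an added analyst helper that is not part of the original article: it decodes a captured blob with the 0x29 key, confirms the result is a zip by its local-file-header magic, and reports which of the member names from the analysis are present. The blob is constructed inline, so it runs offline; the member names are the ones named in the text, the file contents are placeholders.

```python
import io
import zipfile
from typing import Dict, Optional

XOR_KEY = 0x29  # single-byte key reported for the downloaded archive

def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with a one-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)

def recover_archive(blob: bytes) -> Optional[zipfile.ZipFile]:
    """Decode the blob and return a ZipFile, or None if the key did not yield a zip.
    A real zip with members starts with the local-file-header magic PK\\x03\\x04,
    which is a cheap way to confirm the key before parsing anything."""
    decoded = xor_bytes(blob)
    if not decoded.startswith(b"PK\x03\x04"):
        return None
    return zipfile.ZipFile(io.BytesIO(decoded))

# Member names the analysis associates with the AutoIt loader (constructed watchlist).
WATCHLIST = {"v8_context_snapshot.src", "jlib.dll", "context_snapshot.exe"}

def triage_archive(blob: bytes) -> Dict:
    """Inventory the decoded archive and flag watchlisted member names."""
    zf = recover_archive(blob)
    if zf is None:
        return {"is_zip": False, "members": [], "hits": []}
    names = zf.namelist()
    hits = sorted(n for n in names if n.lower() in WATCHLIST)
    return {"is_zip": True, "members": names, "hits": hits}

def build_sample_blob() -> bytes:
    """Constructed stand-in for the downloaded file: a zip carrying the member
    names from the analysis (placeholder contents), XOR-encoded with the key."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("iLua.inf", "[constructed placeholder]")
        zf.writestr("v8_context_snapshot.src", "; constructed placeholder")
        zf.writestr("Jlib.dll", b"MZ\x00 constructed placeholder")
        zf.writestr("context_snapshot.exe", b"MZ\x00 constructed placeholder")
    return xor_bytes(buf.getvalue())

if __name__ == "__main__":
    print(triage_archive(build_sample_blob()))
```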

The AutoIt script here (seen in Figure 3 as v8_context_snapshot.src and detected as Trojan.AutoIt.AUTINJECT.AA) is password-protected, so we ran a modified myAut2Exe, a tool that guesses the password and recovers path names and other information.

Figure 5. Log output of v8_context_snapshot.src

Figure 6. Avira executable is executed by DLL embedded on script

After decrypting the file, it appears that the trojan took an AutoIt script for loading a DLL in memory, which we found available online, and modified it for its own use. It also appended a DLL, which it then loaded into memory and whose functions it called from memory to execute context_snapshot.exe, tricking the user into thinking an Avira installer package file/MSI is running.

We shared our analysis with Avira, which responded with the following: 'To be able to execute malicious code in the context of a legitimate process and bypass security solutions, the malware is using one of our Avira executables out of the context of an Avira regular installation to load malicious code into it. In a regular installation scenario, the Avira process protection does not allow any third-party components to [perform] side-loading if files are not digitally signed by Avira. Avira will analyze and take the necessary steps to make sure Avira processes cannot be misused.'

Other samples related to Trojan.PS1.MSAIHA.A were also seen capable of restarting target machines and using Dropbox links to download the aforementioned .zip file. Some even check for the following folder names (whereby if the paths exist, the malware continues with its routine):

  • %AppDataLocal%\Aplicativo Itau (related to a bank in Brazil)
  • %Program Files%\AppBrad (related to banking and financial service companies in Brazil)
  • %ProgramFiles%\Diebold\Warsaw (related to the financial and retail technology company)

Figure 7. A supposed Adobe Acrobat Reader DC pop-up window

Another notable aspect of the malicious MSI files we analyzed is that they also pretended to be legitimate. The files were disguised as Adobe Acrobat Reader DC (as seen in Figure 7) and redirect the user to the site www[.]adobe[.]com/br/, which is in Portuguese.

Figure 8. The MSI files redirect users to this site

Figure 9. Spam containing a .zip file that downloads from a malicious URL

We also found a related spam email during our analysis. The email contains text written in Portuguese and is written concisely, indicating an attachment and asking the recipient to treat it urgently. It contains a .zip file labeled 'Fatur432952-532-674.zip', which downloads from one of the malicious URLs we detected to be part of this campaign. The 'image2.png' in the said URL is, in fact, an archive when downloaded.

Figure 10. Script that downloads the archive

The archived file contains dump.msi (detected as Trojan.JS.MSAIHA.A), dump.exe (detected as TrojanSpy.Win32.CASBANEIRO.XLB), and ssleay64.dll (detected as TrojanSpy.Win32.CASBANEIRO.XLB).

Figure 11. Malicious routine of the MSI in spammed email

The malicious payload targets Brazil and Portugal by checking country codes in hxxps[:]//www[.]localizaip[.]com[.]br/api/iplocation[.]php. Specific events could be related to banking and financial information, or even keystrokes.

Figure 12. Flowchart of executed dump.exe's routine

Here are some of the decrypted strings in the callback function of the created windows:

AMARELO_PASS_6 AMARELO_PASS_8 AMARELO_PASS_CERT AMARELO_QR AMARELO_CERT_SIMPLES AMARELO_PASS_SIMPLES AMARELO_PASS_QR SICREDI_ASS SICREDO_TOKEN_FISICO SICREDO_TOKEN_MOB SICREDO_PASS_QR SANTA_ASSI_ELECTRO SANTA_TOKEN SANTA_N_SERIE SANTA_PASS_QR SANTA_POS_TABELA CEF_ASS_NUMERO CEF_ASS_NUMER0_LETRAS CEF_PASS_QR NORD_POS_CARTAO NORD_PASS_QR BANESTER_CERTIFICADO BANESTES_COD_ACCESSO
BANESTES_PASS_QR BANRI_SENHA BANRI_SENHA_TECLADO SAFRA_TOKEN_MOB SAFRA_TOKEN_DISPLAY SAFRA_SENHA_TECLADO SAFRA_PASS_QR DESCO_POS_TABELA DESCO_CERT DESCO_TOKEN_6 DESCO_TOKEN_8 DESCO_PASS_QR DESCO_CEL_VISOR DESCO_PISCA BRB_CODIGO BRB_SENHA_TECLADO BRB_PASS_QR ITA_DATA ITA_SENH6 ITA_TOKAPP ITA_TOKCELL ITA_QR

Abusing custom actions in MSI

Outside of standard, built-in actions used to execute installations, there are cases where a developer may need to write a custom action. Microsoft enumerates the following scenarios where custom actions could be necessary:

  • An executable installed on the user's machine or being installed with an application has to be launched during the installation process.
  • Special functions defined in a DLL have to be called during the installation process.
  • Functions written in the programming languages Microsoft Visual Basic Scripting Edition or Microsoft JScript literal script text have to be used during the installation process.
  • Some actions have to be deferred until the execution of the installation script.
  • Time and progress information have to be added to a ProgressBar control and a TimeRemaining Text control.

Given these legitimate uses, it is not unlikely that sophisticated malware would abuse the first and second scenarios as well.
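A triage routine for the CustomAction table described in the Orca section above and in the custom-action scenarios just listed, added here as an example and not taken from the article or from Orca: it decodes each row's Type value into what the action runs (DLL, EXE, JScript, VBScript), where the code comes from, and whether the deferred/no-impersonate flags make it run as LocalSystem, and it inspects inline script text (types 37/38) for strings a downloader needs. The rows, action names and the indicator regex are constructed for the example; the type bit values are the documented Windows Installer ones.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# CustomAction.Type bit fields of the Windows Installer CustomAction table.
BASIC_MASK, SOURCE_MASK = 0x07, 0x30
TYPE_DLL, TYPE_EXE, TYPE_JSCRIPT, TYPE_VBSCRIPT = 1, 2, 5, 6   # 3 = text, 7 = nested install
SRC_BINARY, SRC_FILE, SRC_DIRECTORY, SRC_PROPERTY = 0x00, 0x10, 0x20, 0x30
FLAG_IN_SCRIPT, FLAG_NO_IMPERSONATE = 0x400, 0x800  # deferred / run as LocalSystem
SOURCE_NAMES = {SRC_BINARY: "Binary table stream", SRC_FILE: "installed file",
                SRC_DIRECTORY: "inline text in the Target column", SRC_PROPERTY: "property value"}
# Constructed heuristic: objects and tokens an in-package downloader script relies on.
SCRIPT_INDICATORS = re.compile(r"ActiveXObject|XMLHTTP|ADODB\.Stream|WScript\.Shell|https?:", re.I)

@dataclass
class CustomAction:
    action: str
    type: int
    source: str
    target: str

def triage(rows: List[CustomAction]) -> List[Dict]:
    """Return one finding per custom action that executes code; text-only rows are skipped."""
    findings = []
    for ca in rows:
        basic, src = ca.type & BASIC_MASK, ca.type & SOURCE_MASK
        if basic in (TYPE_JSCRIPT, TYPE_VBSCRIPT):
            kind = "jscript" if basic == TYPE_JSCRIPT else "vbscript"
        elif basic in (TYPE_DLL, TYPE_EXE):
            kind = "dll" if basic == TYPE_DLL else "exe"
        else:
            continue  # set-property/set-directory/error-message rows run no code
        reasons = [f"{kind} loaded from {SOURCE_NAMES[src]}"]
        # Types 37/38 carry the script body in Target, so it can be inspected directly.
        if kind in ("jscript", "vbscript") and src == SRC_DIRECTORY:
            hit = SCRIPT_INDICATORS.search(ca.target)
            if hit:
                reasons.append(f"inline script references {hit.group(0)}")
        elevated = FLAG_IN_SCRIPT | FLAG_NO_IMPERSONATE
        system = (ca.type & elevated) == elevated
        if system:
            reasons.append("deferred with no-impersonate: runs as LocalSystem")
        findings.append({"action": ca.action, "kind": kind,
                         "runs_as_system": system, "reasons": reasons})
    return findings

# Constructed rows in the column layout Orca shows; not copied from a real sample.
SAMPLE_ROWS = [
    CustomAction("SetTARGETDIR", 51, "TARGETDIR", "[ProgramFilesFolder]"),      # type 51: set property
    CustomAction("RunInlineScript", 37, "",                                       # type 37: JScript in Target
                 'var h = new ActiveXObject("MSXML2.XMLHTTP"); /* constructed */'),
    CustomAction("RunPowerShell", TYPE_DLL | FLAG_IN_SCRIPT | FLAG_NO_IMPERSONATE,  # type 3073
                 "powershellscriptlauncher.dll", "RunPS"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS):
        print(finding)
```

On Windows the four columns can be read with the standard-library msilib module (present up to Python 3.12) or exported from Orca; the routine only needs the Action, Type, Source and Target values.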

Figure 13. From Orca MSI Editor: CustomAction contains VBScript

After checking another sample containing VBScript (see Figure 13), we could infer that the malware author used the Advanced Installer application to build the samples, because the sample relies on a third-party library, powershellscriptlauncher.dll, to run the PowerShell script that views logs and processes.

Figure 14. Advanced Installer with other custom actions

We were able to add to or modify custom actions of the samples, such as executing JS, VBS, and PowerShell scripts, and even loading libraries, with Advanced Installer. This could be favorable to malicious actors looking to abuse the functions so that they can easily modify normal MSI packages and insert malicious scripts.

Figure 15. Custom actions indicating existing and newly created PowerShell scripts

Figure 16. Adding a new custom action to run a PowerShell script

Currently, the malware downloads archives that contain multicomponent (DLL side-loading) malware.

Mitigation and solutions

We have noted that abusing MSI packages for malicious intent is typically done to install potentially unwanted applications (PUAs) and not necessarily to drop malware. Malware installation utilizing MSI packages and custom actions is another mechanism to look out for, as malicious actors may use it to skirt around security software that only detects traditional installation methods.

The malware creators in this case might be testing different malware arrival methods and focusing on targets located in Brazil and Portugal, based on the language in the spam email, site redirection, and folder paths that we encountered during our analysis. As a first line of defense, we recommend that users avoid installing unknown files and clicking on URLs that may redirect to sites that download malicious files. Users can also practice good security hygiene by updating systems with the latest security patches or by employing solutions that can defend against possible exploits.

Trend Micro™ XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen protects against today's purpose-built threats that bypass traditional controls and exploit known, unknown, or undisclosed vulnerabilities. Smart, optimized, and connected, XGen powers Trend Micro's suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

The list of indicators of compromise (IoCs) related to this threat can be found in this appendix.