{"id":21717,"date":"2024-06-27T11:09:30","date_gmt":"2024-06-27T11:09:30","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=21717"},"modified":"2024-10-18T17:22:22","modified_gmt":"2024-10-18T17:22:22","slug":"pua-win32-presenoker-adware","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/pua-win32-presenoker-adware\/","title":{"rendered":"What is PUA:Win32\/Presenoker?"},"content":{"rendered":"

PUA:Win32\/Presenoker is an adware<\/strong> designed to make money by showing intrusive advertisements and collecting data. This malware can take control of your web browser and send you to advertising pages. The majority of them will be questionable, without even a slight tint of relevance.<\/p>\n

It is often disguised as legitimate cracked software, driver finder, or tweaker. This malware can also steal some information.<\/p>\n

PUA:Win32\/Presenoker Overview<\/h2>\n

PUA:Win32\/Presenoker is adware<\/a> designed to generate revenue through intrusive advertisements. In addition to malvertising, it can steal users’ data, including search history, cookies, and other sensitive information. Although it collects basic system information<\/strong>, it is only about fingerprinting the system; it does not touch passwords or session tokens. Almost all instances of this malware are connected to websites that redirect users to advertising pages. While some pages it advertises are legitimate, others are questionable, significantly degrading the user experience.<\/p>\n

\"PUA:Win32\/Presenoker
PUA:Win32\/Presenoker detection window<\/figcaption><\/figure>\n

PUA:Win32\/Presenoker often spreads under the guise of cracked legitimate software<\/a>, tricking users and infiltrating their devices without their consent. The malware also masquerades as a laptop driver finder or tweaker. However, almost anything downloaded that is not from an official website can lead to Presenoker infection.<\/p>\n

Presenoker Technical Analysis<\/h2>\n

Let’s break down its behavior based on the PUA:Win32\/Presenoker sample analysis<\/a>. As I said above, malware infiltrates the system under the guise of legitimate software. In our case, it is a free but Windows kernel research tool.<\/p>\n

Once on the system, malware seeks persistence. To do so, it performs standard actions\u2014it creates driver files, adds appropriate registry entries, and obtains the necessary permissions<\/strong>. Among the latter is the ability to modify the kernel to execute programs at system startup.<\/p>\n

HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\bajejyicthbeby.sys
\nHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\bhrzxcfdwsfytp.sys
\nHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\boalxrinybzftbduk.sys<\/code><\/p>\n

The malware created multiple registry entries for each file to ensure its drivers and services were loaded in “Minimal Safe Mode”, a diagnostic mode of Windows with only essential functions.<\/p>\n

C2 Communication<\/h3>\n

Presenoker takes multiple HTTP requests made to various URLs, including ww1.epoolsoft[.]com and www.epoolsoft[.]com, suggesting communication with a command-and-control (C2) server<\/a>. TCP connections are established to several IP addresses on ports 80 and 443, indicating potential communication with external servers.<\/p>\n

TCP 63.143.32.86:80
\nTCP 64.190.63.136:80
\nUDP a83f:8110:0:0:6076:c7a:e801:0:53<\/code><\/p>\n

The malware probably receives adverts through some channels (opening some of these addresses redirects to the advertised websites).<\/p>\n

Presenoker Advertising<\/h3>\n

As I said before, the primary purpose of this kind of application is advertising. Usually, these ads often promote online scams, unreliable or hazardous software, and malware. When clicked on, some ads can execute scripts to install or download software without the user’s consent.<\/p>\n