Hi, Friends!
Tria.ge allowed me to capture the install traffic from this PUP even though it employs some anti-analysis.
alert http $HOME_NET any -> $EXTERNAL_NET any \
(msg:"ET ADWARE_PUP PC App Store Client Installation in Progress"; \
http.method; bsize:3; content:"GET"; \
http.uri; \
content:"/pixel.gif?"; startswith; \
content:"evt|5f|src|3d|fa|5f|installer"; distance:0; fast_pattern; \
content:"evt|5f|action|3d|installing"; distance:0; \
http.host; bsize:11; content:"pcapp|2e|store"; \
http.user_agent; \
content:"NSIS|5f|Inetc|20 28|Mozilla|29|"; startswith; \
reference:url,tria.ge/250521-sekkxsyjz3/behavioral1; \
reference:md5,5a275498e42aa511bc9146b6ad44eba5; \
classtype:pup-activity; \
sid:7979; rev:1; \
metadata:affected_product Microsoft_Windows, \
attack_target Client_Endpoint, \
tls_state TLSDecrypt, \
created_at 2025_05_21, \
deployment Perimeter, deployment SSLDecrypt, \
confidence High, \
signature_severity Major, \
tag Adware, \
mitre_tactic_id TA0009, mitre_tactic_name Collection, \
mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
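To see what the hex-escaped content matches decode to and how bsize, startswith and distance:0 combine in this rule, here is an added Python example (not part of the submission or of Suricata itself) that models just the keywords this rule uses and runs them over constructed request fields.

```python
# Added example: a minimal model of the content checks in the rule above
# (|xx| hex escapes, bsize, startswith, distance:0 ordering). It is not
# Suricata's matcher and only covers the keywords this particular rule uses.
import re


def decode_content(s: str) -> str:
    """Expand Suricata |xx xx| hex escapes, e.g. 'evt|5f|src' -> 'evt_src'."""
    return re.sub(
        r"\|([0-9a-fA-F ]+)\|",
        lambda m: bytes.fromhex(m.group(1).replace(" ", "")).decode("latin-1"),
        s,
    )


def ordered_matches(buf: str, patterns: list[str], first_startswith: bool) -> bool:
    """Each pattern must occur after the previous match ends (distance:0);
    optionally the first pattern must sit at offset 0 (startswith)."""
    pos = 0
    for i, pat in enumerate(patterns):
        idx = buf.find(pat, pos)  # case-sensitive, as the rule has no nocase
        if idx < 0 or (first_startswith and i == 0 and idx != 0):
            return False
        pos = idx + len(pat)
    return True


# Content strings copied from the rule, decoded to plaintext once.
URI_PATTERNS = [decode_content(p) for p in (
    "/pixel.gif?", "evt|5f|src|3d|fa|5f|installer", "evt|5f|action|3d|installing")]
HOST = decode_content("pcapp|2e|store")                    # "pcapp.store", 11 bytes
UA_PREFIX = decode_content("NSIS|5f|Inetc|20 28|Mozilla|29|")  # "NSIS_Inetc (Mozilla)"


def rule_matches(method: str, uri: str, host: str, user_agent: str) -> bool:
    """Mirror the rule's four sticky-buffer checks; all must hold."""
    if len(method) != 3 or method != "GET":           # http.method; bsize:3; content:"GET"
        return False
    if not ordered_matches(uri, URI_PATTERNS, True):  # http.uri; startswith + distance:0
        return False
    if len(host) != 11 or host != HOST:               # http.host; bsize:11 => exact host only
        return False
    return user_agent.startswith(UA_PREFIX)           # http.user_agent; startswith


# Constructed request fields shaped after the rule (not captured traffic).
BEACON = dict(method="GET",
              uri="/pixel.gif?evt_src=fa_installer&evt_action=installing",
              host="pcapp.store",
              user_agent="NSIS_Inetc (Mozilla)")
```

Note that bsize:11 on http.host makes the rule match the bare domain only; a subdomain such as www.pcapp.store would not trigger it, which is worth knowing when tuning.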