[en] PUPs by Cracks/Keygen

Sometimes ago, i notice some SEO poisonning leading to Cracks/Keygen websites created to offer PUPs installer.
All theses fake crack/keygen website lead to differents PUPs affiliate programs :

at the end two differents installers :

malekalmorte@Mak-tux:/tmp/mal$ ls -l|sort -k +5
total 10792
-rw-r--r-- 1 malekalmorte malekalmorte 1510928 mars 27 16:58 norton trial reset_10924_i47381854_il345.exe
-rw-r--r-- 1 malekalmorte malekalmorte 1510928 mars 27 17:00 Crack norton 2008 cn_10924_i47382273_il345.exe
-rw-r--r-- 1 malekalmorte malekalmorte 1537040 mars 27 17:02 Keygen norton exe_10924_i47382972_il345.exe
-rw-r--r-- 1 malekalmorte malekalmorte 1537040 mars 27 17:12 Singer number fa featherweight serial_10924_i47385459_il345.exe
-rw-r--r-- 1 malekalmorte malekalmorte 1592848 mars 27 17:44 Adobe Flash CS3 Portable EN_10924_i47393017_il345.exe
-rw-r--r-- 1 malekalmorte malekalmorte 477696 mars 27 16:56 Hack Tool 2015 Downloader.exe
-rw-r--r-- 1 malekalmorte malekalmorte 477696 mars 27 16:57 NORTON INTERNET SECURITY HACK Downloader.exe
-rw-r--r-- 1 malekalmorte malekalmorte 477696 mars 27 17:01 Norton Internet Security 2015 Downloader.exe
-rw-r--r-- 1 malekalmorte malekalmorte 477696 mars 27 17:13 G Data Antivirus 2015 Crack With Key Updated.exe
-rw-r--r-- 1 malekalmorte malekalmorte 477696 mars 27 17:53 G Data Antivirus 2015 Crack With Key Updated (1).exe
-rw-r--r-- 1 malekalmorte malekalmorte 478208 mars 27 17:03 FL Studio Mobile 2.0.1 Apk Data For Android download.exe
-rw-r--r-- 1 malekalmorte malekalmorte 478208 mars 27 17:03 Spybot search and Destroy 2.4 Key Crack Download Full.exe

ADWARE/MultiPlug :

https://www.virustotal.com/fr/file/992007bdce345a2fe692ad1d1120fb79793167051d49b8c4c3b3c6349c26b627/analysis/
https://www.virustotal.com/fr/file/36921c7953f71f44527cfd13e5a9472d6d5264e20fd5d150627b61ebf4fc0ebd/analysis/1427476495/

and Adware.Mikey / Trojan.Amonetize :

https://www.virustotal.com/fr/file/966754b49121fb7338da1122f69f1e12ad827e2c96d641d67c4e3fbbf2ea7ef4/analysis/1427476595/
https://www.virustotal.com/fr/file/992007bdce345a2fe692ad1d1120fb79793167051d49b8c4c3b3c6349c26b627/analysis/1427476593/

Installer example :

Some campaigns….

Fake Crack/keygen Websites

A lot of fake crack/keygen websites created to make SEO Poisonning.
Some :

cracksfull.com -- 104.24.100.63 104.24.101.63
www.software-free.net -- software-free.net. 104.27.189.195 104.27.188.195
softwarespatch.com -- 142.4.217.51
www.savvyeat.com -- 208.97.174.235
cracksnew.com -- 104.24.114.101 104.24.115.101
pcsoftwarespro.com -- 104.18.46.134 104.18.47.134
apkappspro.co -- 104.27.146.245 104.27.147.245
onhax.net -- 104.28.14.60 104.28.15.60
softwaresnew.org -- 31.22.4.60
crackserialpro.com -- 216.245.193.82
realcracked.com -- 64.37.59.147
crackserialpro.com -- 216.245.193.82
mhktricks.net -- 104.28.6.43 104.28.7.43
allactivators.com -- 142.4.217.51

they are able to reach around ~40k at Alexa :
http://www.alexa.com/siteinfo/cracksfull.com
http://www.alexa.com/siteinfo/freecrackfilesdownload.blogspot.com
http://www.alexa.com/siteinfo/www.software-free.net

and sometimes a lot :

some of theses IPs are also used for Phishing and others malicious activities :

All the redirector and PUP Afffiliate programs websites are hosted on Amazon & they like .xyz TLD.

Hacked websites

As usual, some hacked websites are hacked to host malicious contents.
The goal is to use the ranking of the website to be on the top of the research engine.

I notice differents campaigns that target WordPress websites.
An old one, with a specific pattern, already use to push PUPs & Browlock Ransomware – see :
https://www.malekal.com/2014/10/14/en-another-seo-poisoning-lead-to-pups/
https://www.malekal.com/2014/09/12/en-browlock-also-by-hacked-websites/