» 20150320170947_jd2u_win86.exe
Overview
Analysis
File Details
Network (4)

20150320170947_jd2u_win86.exe

JDownloader

Appwork GmbH

The installer utilizes the installCore download manager which may bundle additional offers for various ad-supported toolbars, extensions and utilities. The application 20150320170947_jd2u_win86.exe by Appwork GmbH has been detected as a potentially unwanted program by 3 anti-malware scanners. The program is a setup application that uses the installCore installer. While running, it connects to the Internet address static.18.68.251.148.clients.your-server.de on port 80 using the HTTP protocol.

File name:

Publisher:

Appwork GmbH (signed and verified)

Product:

JDownloader

Version:

2.0

MD5:

a66625787cf61e7a574ff3bc3a67d6bb

SHA-1:

84d4e7fe07e4c9faf009d82cbf2686470117f638

SHA-256:

0109915a974c879f1ce837f6b5573a6af2c6d5846908679cb42f366256774799

Scanner detections:

3 / 68

Status:

Potentially unwanted

Description:

This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:

12/26/2024 6:34:48 AM UTC (today)

Scan engine

Detection

Engine version

herdProtect (fuzzy)

variant of 0b65b4e5_stp.exe (PUP)

2015.7.21.7

Panda Antivirus

PUP/Multitoolbar

15.07.21.07

Reason Heuristics

PUP.Bundler.installCore

15.4.19.17

File size:

31.5 MB (33,058,040 bytes)

Product version:

2.0

AppWork GmbH

Original file name:

JD2Setup_x86_09to2.exe

File type:

Executable application (Win32 EXE)

Bundler/Installer:

installCore

Language:

Language Neutral

Common path:

C:\Program Files\jdownloader\tmp\20150320170947_jd2u_win86.exe

Digital Signature

Signed by:

Appwork GmbH

Authority:

thawte, Inc.

Valid from:

1/28/2015 2:00:00 AM

Valid to:

1/29/2016 1:59:59 AM

Subject:

CN=Appwork GmbH, O=Appwork GmbH, L=Fürth, S=Bayern, C=DE

Issuer:

CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:

5CA15B949EC0CBCECEB7C57981B033A8

File PE Metadata

Compilation timestamp:

9/24/2014 11:15:38 AM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

9.0

CTPH (ssdeep):

786432:n6CF2BErqYdr8u4aM7ziDgx+LlHXukXa6uaIdTa7k7ceoov6dt74:H2OrhMaM7zDx+LlzFg07XHov

Entry address:

0x1AA54

Entry point:

E8, BB, AB, 00, 00, E9, 78, FE, FF, FF, CC, CC, 55, 8B, EC, 57, 56, 8B, 75, 0C, 8B, 4D, 10, 8B, 7D, 08, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, A4, 01, 00, 00, 81, F9, 00, 01, 00, 00, 72, 1F, 83, 3D, 94, E3, 44, 00, 00, 74, 16, 57, 56, 83, E7, 0F, 83, E6, 0F, 3B, FE, 5E, 5F, 75, 08, 5E, 5F, 5D, E9, 18, 49, 00, 00, F7, C7, 03, 00, 00, 00, 75, 15, C1, E9, 02, 83, E2, 03, 83, F9, 08, 72, 2A, F3, A5, FF, 24, 95, D4, AB, 41, 00, 90, 8B, C7, BA, 03, 00, 00, 00, 83, E9, 04, 72, 0C, 83, E0, 03, 03... 
[+]

Entropy:

7.9934 (probably packed)

Code size:

179 KB (183,296 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to static.18.68.251.148.clients.your-server.de (148.251.68.18:80)

TCP (HTTP):

Connects to mail.appwork.org (176.9.43.113:80)

TCP (HTTP):

Connects to cdn4.appwork.org (176.9.34.43:80)

Remove 20150320170947_jd2u_win86.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.