238c0c13_stp.exe

JDownloader

Appwork GmbH

The installer uses the installCore download manager, which may bundle additional offers for various ad-supported toolbars, extensions and utilities. The application 238c0c13_stp.exe by Appwork GmbH has been detected as a potentially unwanted program by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from installer.jdownloader.org and multiple other hosts. While running, it connects to the Internet address static.18.68.251.148.clients.your-server.de on port 80 using the HTTP protocol.
Publisher:
Appwork GmbH  (signed and verified)

Product:
JDownloader

Version:
2.0

MD5:
d14e892fe0f82244f2eeeaf75d58a3ab

SHA-1:
233b634cd78f1868a7925ca3a0e0e30badfa2600

SHA-256:
d5ec2f7413f5494f829dc126a6076bb9e8765db4f5b0d64545649de67017df9b

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics we consider this file unwanted.

Description:
This is also known as bundleware or downloadware: a downloader designed simply to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
11/2/2024 1:42:42 PM UTC  (today)

Scan engine:
Reason Heuristics

Detection:
PUP.Bundler.installCore

Engine version:
15.3.23.11

File size:
34.7 MB (36,403,448 bytes)

Product version:
2.0

Copyright:
AppWork GmbH

Original file name:
JD2SilentSetup_x64.exe

File type:
Executable application (Win64 EXE)

Bundler/Installer:
installCore

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\238c0c13_stp.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
1/28/2015 12:00:00 AM

Valid to:
1/28/2016 11:59:59 PM

Subject:
CN=Appwork GmbH, O=Appwork GmbH, L=Fürth, S=Bayern, C=DE

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
5CA15B949EC0CBCECEB7C57981B033A8

File PE Metadata
Compilation timestamp:
9/24/2014 9:16:39 AM

OS version:
5.2

OS bitness:
Win64

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
786432:zCzdYAaamLZwKRPxAZAiJvTn8NSK4pvvtovaHuTaJdt74z:mAcZ9JvTvpvtovaHuT

Entry address:
0x1F290

Entry point:
48, 83, EC, 28, E8, E7, B2, 00, 00, 48, 83, C4, 28, E9, 12, FE, FF, FF, CC, CC, 40, 53, 48, 83, EC, 30, 48, 85, C9, 74, 0D, 48, 85, D2, 74, 08, 4D, 85, C0, 75, 2C, 44, 88, 01, E8, 6B, FD, FF, FF, BB, 16, 00, 00, 00, 48, 83, 64, 24, 20, 00, 45, 33, C9, 45, 33, C0, 33, D2, 33, C9, 89, 18, E8, E3, B3, FF, FF, 8B, C3, 48, 83, C4, 30, 5B, C3, 4C, 8B, C9, 41, 8A, 00, 49, FF, C0, 41, 88, 01, 49, FF, C1, 84, C0, 74, 06, 48, 83, EA, 01, 75, EA, 48, 85, D2, 75, 0E, 88, 11, E8, 22, FD, FF, FF, BB, 22, 00, 00, 00, EB...

Entropy:
7.9938  (probably packed)

Code size:
206 KB (210,944 bytes)

The file 238c0c13_stp.exe has been seen being distributed by the following 3 URLs.

http://installer.jdownloader.org/version_686/.../JD2SilentSetup_x64.exe

https://mega.nz/temporary/.../2sknXB4I

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to static.17.63.9.176.clients.your-server.de  (176.9.63.17:80)

TCP (HTTP):
Connects to cdn4.appwork.org  (176.9.34.43:80)

TCP (HTTP):
Connects to static.139.123.201.138.clients.your-server.de  (138.201.123.139:80)

TCP (HTTP):
Connects to cdn9.appwork.org  (88.99.115.62:80)

TCP (HTTP):
Connects to static.18.68.251.148.clients.your-server.de  (148.251.68.18:80)

TCP (HTTP):
Connects to mail.appwork.org  (176.9.43.113:80)

TCP (HTTP):
Connects to cdn5.appwork.org  (46.4.126.3:80)

TCP (HTTP):
Connects to cdn8.appwork.org  (85.131.130.147:80)

TCP (HTTP):
Connects to static.41.138.99.88.clients.your-server.de  (88.99.138.41:80)

TCP (HTTP):
Connects to 95.193.28.185.gransy.com  (185.28.193.95:8080)
