3.8.0.122_20140403070800.exe

The KMPlayer

PandoraTV

The application 3.8.0.122_20140403070800.exe, “The KMPlayer Setup/Install” by PandoraTV has been detected as a potentially unwanted program by 3 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars. The file has been seen being downloaded from biblprog.org.ua and multiple other hosts. While running, it connects to the Internet address i0-h0-s2053.p9-jfk.cdngp.net on port 80 using the HTTP protocol.
Publisher:
PandoraTV  (signed and verified)

Product:
The KMPlayer

Description:
The KMPlayer Setup/Install

Version:
3.8.0.122

MD5:
3b892324a1ede092397abeb14f1e0cec

SHA-1:
ac1ce2ef11d4dca8eca186cc9cc5c0ec6ebae48a

SHA-256:
8b6875087b57640ac5a635728b41dd9da5240e34aff5c199617c6fc7b90c6150

Scanner detections:
3 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
12/26/2024 9:29:16 PM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
8.9639

Reason Heuristics
PUP.OpenCandy.Installer (L)
16.11.29.15

Rising Antivirus
PE:PUF.OpenCandy!1.9DE5
23.00.65.14405

File size:
31.5 MB (33,044,640 bytes)

Product version:
3.8

Copyright:
Copyright PandoraTV 2013.

Trademarks:
Freeware

Original file name:
KMPlayer_3.8.0.122.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\3.8.0.122_20140403070800.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
5/15/2012 3:00:00 AM

Valid to:
6/15/2014 2:59:59 AM

Subject:
CN=PandoraTV, O=PandoraTV, L=Gangnam-gu, S=Seoul, C=KR

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
2BF6AC6C0932526A56D17EB4F2C776C5

File PE Metadata
Compilation timestamp:
2/24/2012 9:19:59 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
786432:o3m+//mduKt+cmZZmqDK/ddJawRVs0Tk76ljb+gR2s8N0qGK:o3bQnIv8YKvUsVxTZljigRINxGK

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...
 
[+]

Entropy:
7.9999

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)

The file 3.8.0.122_20140403070800.exe has been seen being distributed by the following 14 URLs.

http://biblprog.org.ua/go.php?site=http://cdn.kmplayer.com/KMP/player/download/.../3.8.0.122_20140403070800.exe

http://www.jsoftj.com/files/.../jsoftj.com_3.8.0.122_20140403070800_jsoftj.com.exe

http://f.sync.hamicloud.net/.../@download?416eb4c6e3fdb7dac58b05c262fce1b4&4fc2c326e5b584bcaa2c982d4bcb3ea6

http://f.sync.hamicloud.net/.../@download?ada567a378fae308d89d0f4eafafaa85&66cd866376fd9891992b035faa09ee04

temp:3.8.0.122_20140403070800.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-229-95-87.eu-west-1.compute.amazonaws.com  (54.229.95.87:80)

TCP (HTTP):
Connects to ec2-52-214-2-242.eu-west-1.compute.amazonaws.com  (52.214.2.242:80)

TCP (HTTP):
Connects to i0-h0-s2132.p9-jfk.cdngp.net  (174.35.76.28:80)

TCP (HTTP):
Connects to i0-h0-s2079.p9-jfk.cdngp.net  (174.35.73.165:80)

TCP (HTTP):
Connects to i0-h0-s2053.p9-jfk.cdngp.net  (174.35.73.139:80)

TCP (HTTP):
Connects to i0-h0-s2036.p9-jfk.cdngp.net  (174.35.73.105:80)

TCP (HTTP):
Connects to i0-h0-s2029.p9-jfk.cdngp.net  (174.35.73.98:80)

TCP (HTTP):
Connects to i0-h0-s2002.p9-jfk.cdngp.net  (174.35.73.71:80)

TCP (HTTP):
Connects to i0-h0-s1133.p6-ord.cdngp.net  (174.35.56.235:80)

TCP (HTTP):
Connects to i0-h0-s1103.p6-ord.cdngp.net  (174.35.56.151:80)

TCP (HTTP):
Connects to i0-h0-s1039.p0-mia.cdngp.net  (174.35.36.72:80)

Remove 3.8.0.122_20140403070800.exe - Powered by Reason Core Security