andy_v29.exe

ANDY OS

Search Safer Inc

The application andy_v29.exe by Search Safer Inc has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from store.jt.iq and multiple other hosts. While running, it connects to the Internet address server-52-84-174-198.gru50.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
andyroid.net  (signed by Search Safer Inc)

Product:
ANDY OS

Description:
ANDY setup

Version:
1.1

MD5:
f7f6b2f12a89a75b55efa69d61535590

SHA-1:
8f308660783a2e969abab0762be6479310bcddb5

SHA-256:
7fac3c17b3f2f87a8173882323d14d625b037252f0438981b94f818589557c9b

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics, we consider this file unwanted.

Analysis date:
11/15/2024 5:20:56 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Installer.SearchSafer.L

Engine version:
14.7.27.14

File size:
328.7 KB (336,584 bytes)

Copyright:
© andyroid.net (ANDY_BL_Standard_ANDY)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Digital Signature
Authority:
COMODO CA Limited

Valid from:
6/6/2014 1:00:00 AM

Valid to:
6/7/2015 12:59:59 AM

Subject:
CN=Search Safer Inc, OU=Search Safer Inc, O=Search Safer Inc, STREET=665 3rd street Suite 150, L=San Francisco, S=California, PostalCode=94107, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00E26E98DAA7AAA5703565127BF095EFBE

File PE Metadata
Compilation timestamp:
12/5/2009 10:52:06 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:ZSuksYWQvuJw9PizstRQobDX3FNXDst7veKllmyqvR+2OddqkBznZgKKmvO:5ksYWQmJ0ApiDFNnKylv1a99Km2

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 6F, 44, 00, E8, 09, 2C, 00, 00, A3, A4, 6E, 44, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, 9C, 42, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 2E, 44, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, F0, 46, 00, 50, 57, E8, AA, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file andy_v29.exe has been seen being distributed from 23 URLs.


While executing, the file has been observed making network communications in live environments.


Remove andy_v29.exe - Powered by Reason Core Security