bouncing_balls.exe

Tibaco internet media B.V.

The application bouncing_balls.exe by Tibaco internet media B.V has been detected as a potentially unwanted program by 6 anti-malware scanners. Additionally, the file is typically installed by a number of programs including FunnyGames - Mahjong 1 by FunnyGames and FunnyGames - Shanghai Dynasty by FunnyGames. The file has been seen being downloaded from webgameplayer.tibaco.net and multiple other hosts. While running, it connects to the Internet address 63.01.acb8.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Publisher:
Tibaco internet media B.V.  (signed and verified)

MD5:
6c4fdc0f3961ae21af2485dbd4813827

SHA-1:
cda83671244b0d98f5153ff73b6f9789ce705059

SHA-256:
70e81bf2cb6b1650e7d2e39f78737d193576312b6840a71e71c913bfb83d1267

Scanner detections:
6 / 68

Status:
Potentially unwanted

Analysis date:
11/16/2024 1:35:52 AM UTC  (today)

Scan engine
Detection
Engine version

Bkav FE
W32.Clodfe6.Trojan
1.3.0.6185

Dr.Web
Adware.GameVance.130
9.0.1.078

herdProtect (fuzzy)
2015.6.24.21

Malwarebytes
PUP.Optional.Tibaco
v2015.04.09.11

Reason Heuristics
PUP.GameVance
15.4.11.23

Trend Micro House Call
HV_ZYX_CA0838A1.TOMC
7.2.78

File size:
213.1 KB (218,168 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\bouncing_balls.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
10/11/2011 5:00:00 PM

Valid to:
11/10/2012 3:59:59 PM

Subject:
CN=Tibaco internet media B.V., O=Tibaco internet media B.V., L=Eindhoven, S=Noord-Brabant, C=NL

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
4424B13DB47435EE567C0BD7B189D979

File PE Metadata
Compilation timestamp:
3/6/2012 12:49:51 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.21

CTPH (ssdeep):
6144:2LL+7nszWx1bRtYFCT2SGrsYITje+K/2O/q52F2fouEP3hNy46bi2:hnsSx1NtYFCT2SGrsYITje+K+O/q5029

Entry address:
0x12B0

Entry point:
55, 89, E5, 83, EC, 18, C7, 04, 24, 02, 00, 00, 00, FF, 15, 74, 95, 42, 00, E8, 38, FD, FF, FF, 90, 8D, B4, 26, 00, 00, 00, 00, 55, 89, E5, 83, EC, 08, A1, A4, 95, 42, 00, C9, FF, E0, 66, 90, 55, 89, E5, 83, EC, 08, A1, 8C, 95, 42, 00, C9, FF, E0, 90, 90, 55, 89, E5, 83, EC, 08, C6, 05, 5F, 40, 42, 00, 01, 83, 3D, 60, 40, 42, 00, 00, 74, 10, A1, 60, 40, 42, 00, 89, 04, 24, E8, 5D, 4D, 01, 00, 83, EC, 04, 83, 3D, 64, 40, 42, 00, 00, 74, 10, A1, 64, 40, 42, 00, 89, 04, 24, E8, 44, 4D, 01, 00, 83, EC, 04, 83...
 
[+]

Entropy:
7.0027

Code size:
115 KB (117,760 bytes)

The file bouncing_balls.exe has been discovered within the following programs.

This is a casual video game for the PC distributed through the FunnyGames portal at funnygames.us from Tibaco International.
www.funnygames.biz
About 5% of users remove it
About 3% of users remove it
www.funnygames.fr
About 9% of users remove it
Crescent Solitaire is a casual video game for the PC distributed through the FunnyGames portal at funnygames.us from Tibaco International.
About 8% of users remove it
FunnyGames - Doyu 8 Ball  by FunnyGames
About 4% of users remove it
FunnyGames - Flipflash  by FunnyGames
About 5% of users remove it
FunnyGames - Happy Wheels  by FunnyGames
Happy Wheels is a casual video game for the PC distributed through the FunnyGames portal at funnygames.us from Tibaco International.
www.funnygames.us
About 2% of users remove it
About 6% of users remove it
FunnyGames - Mahjong 1  by FunnyGames
Mahjong 1 is a casual video game for the PC distributed through the FunnyGames portal at funnygames.us from Tibaco International.
About 5% of users remove it
About 5% of users remove it
 
Latest 20 of 13 programs
Powered by Should I Remove It?

The file bouncing_balls.exe has been seen being distributed by the following 13 URLs.

http://webgameplayer.tibaco.net/110/.../bubble_buster.exe

http://webgameplayer.tibaco.net/110/.../hidden_objects_house.exe

http://webgameplayer.tibaco.net/110/.../strike_force_heroes_1.exe

http://webgameplayer.tibaco.net/110/.../epic_battle_fantasy_3.exe

http://webgameplayer.tibaco.net/110/.../world_cup_2010_penalty.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 63.01.acb8.ip4.static.sl-reverse.com  (184.172.1.99:80)

Remove bouncing_balls.exe - Powered by Reason Core Security