cmi_mystartsearch.exe

4934_cmi_mystartsearch

Thinknice Co., Limited

The application cmi_mystartsearch.exe by Thinknice Co., Limited has been detected as adware by 5 anti-malware scanners. It is a setup program used to install the application. It is an adware bundler (also known as ElexNetDownload) that includes additional unwanted offers in the download and install process. During installation it connects to twonext.com and xingcloud.com to determine which offers to show the user, based on what is already installed and where the user is located. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from 113.171.224.178 and multiple other hosts. While running, it connects to the Internet address server-54-192-218-254.mrs50.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
IWill.com (signed by Thinknice Co., Limited)

Product:
4934_cmi_mystartsearch

Description:
iWill

Version:
6.6.86.1684

MD5:
e7f3e2412fd91fe4cc8041e6b54ec21c

SHA-1:
40eb79fd0cd500dc37c35a8e0606a15c15ce257f

SHA-256:
7221a75e213aca2ad935018b76294226e0d0f14c91936f5f3a9aed3087d02a1b

Scanner detections:
5 / 68

Status:
Adware

Explanation:
Software bundler and update mechanism that will attempt to install adware offers.

Analysis date:
11/6/2024 2:30:39 AM UTC

Scan engine | Detection | Engine version
Agnitum Outpost | Riskware.Agent | 7.1.1
ESET NOD32 | Win32/ELEX.FC potentially unwanted (variant) | 9.12398
Malwarebytes | PUP.Optional.MyStartSearch.ShrtCln | v2015.10.13.10
Reason Heuristics | PUP.Thinknice.ThinkniceCo (M) | 15.10.13.10
VIPRE Antivirus | Elex Installer | 44514

File size:
745.6 KB (763,512 bytes)

Product version:
6.6.86.1684

Copyright:
Copyright (C) iWill System Link 2008

Original file name:
iWill.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\cmi_mystartsearch.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
10/13/2015 11:25:22 AM

Valid to:
10/21/2015 10:26:52 AM

Subject:
CN="Thinknice Co., Limited", O="Thinknice Co., Limited", L=香港, S=香港, C=HK

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121948AE7CDF399F225331BCCDB2A49702C

File PE Metadata
Compilation timestamp:
10/7/2015 8:04:29 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:l0fwB7mhU+xXcWQZfuUcFPpmzONIIrh92QAXn3OQTvkBWYGROie4AIH6qNSATTZB:K4HyPpm6NI092Qan3OQQBWYGQte60HTX

Entry address:
0x2EDC6

Entry point:
E8, 19, D6, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 85, C0, 74, 12, 83, E8, 08, 81, 38, DD, DD, 00, 00, 75, 07, 50, E8, 0D, DE, FF, FF, 59, 5D, C3, 8B, FF, 55, 8B, EC, 83, EC, 10, A1, 00, 40, 4A, 00, 33, C5, 89, 45, FC, 8B, 55, 18, 53, 33, DB, 56, 57, 3B, D3, 7E, 1F, 8B, 45, 14, 8B, CA, 49, 38, 18, 74, 08, 40, 3B, CB, 75, F6, 83, C9, FF, 8B, C2, 2B, C1, 48, 3B, C2, 7D, 01, 40, 89, 45, 18, 89, 5D, F8, 39, 5D, 24, 75, 0B, 8B, 45, 08, 8B, 00, 8B, 40, 04, 89, 45, 24, 8B, 35, D0, A0, 48, 00...

Code size:
546.5 KB (559,616 bytes)

The file cmi_mystartsearch.exe has been seen being distributed by the following 3 URLs.

http://113.171.224.178/.../cmi_mystartsearch.exe

http://113.171.224.206/.../cmi_mystartsearch.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-192-218-33.mrs50.r.cloudfront.net (54.192.218.33:80)

TCP (HTTP):
Connects to server-54-192-218-254.mrs50.r.cloudfront.net (54.192.218.254:80)

Remove cmi_mystartsearch.exe - Powered by Reason Core Security