coccoccrashhandler.exe

CocCoc Update

ITIM TECHNOLOGIES COMPANY LIMITED

The executable coccoccrashhandler.exe has been detected as malware by 6 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘CocCoc Update’. While running, it connects to the Internet address coccoc.com on port 80 using the HTTP protocol.
Publisher:
Itim Technologies Co., Ltd.  (signed by ITIM TECHNOLOGIES COMPANY LIMITED)

Product:
CocCoc Update

Version:
1.3.37.0

MD5:
bc62d521226d95cd6641220c9180d29f

SHA-1:
f9750debc6b5fade44090ab1c1865b6417fb0aa9

Scanner detections:
6 / 68

Status:
Malware

Analysis date:
12/24/2024 4:13:10 PM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Patched-JI
160917-0

AVG
Win32/Slugin.A
2013.0.4477

Clam AntiVirus
Win.Spyware.59563-2
0.98/23201

Dr.Web
Win32.Wplugin.2
9.0.1.05190

ESET NOD32
Win32/Slugin.A virus
6.3.12010.0

F-Prot
W32/Slugin.B
4.6.5.141

File size:
234.3 KB (239,907 bytes)

Product version:
1.3.37.0

Copyright:
Copyright 2007-2010 Google Inc.

Original file name:
CocCocUpdate.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Documents and Settings\{user}\Application data\coccoc\update\1.3.37.0\coccoccrashhandler.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
8/15/2013 7:00:00 AM

Valid to:
10/15/2014 6:59:59 AM

Subject:
CN=ITIM TECHNOLOGIES COMPANY LIMITED, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=ITIM TECHNOLOGIES COMPANY LIMITED, L=Hanoi, S=Hanoi, C=VN

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
73CF60FA0F3669494BA00458C7509E3C

File PE Metadata
Compilation timestamp:
9/23/2013 4:15:10 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0x4DF6

Entry point:
60, E8, 00, 00, 00, 00, 5B, 81, EB, D0, 48, AC, 01, 83, EC, 74, 8B, EC, 8B, 83, AB, 4B, AC, 01, 89, 45, 00, 8B, 83, B3, 4B, AC, 01, 03, 45, 00, 89, 45, 2C, 8B, 83, B7, 4B, AC, 01, 03, 45, 00, 89, 45, 30, C7, 45, 14, 00, 00, 00, 00, C7, 45, 18, 00, 00, 00, 00, C7, 45, 1C, 00, 00, 00, 00, 8B, 45, 14, FF, 45, 14, 66, 33, C9, 8A, 8C, 03, FF, 4B, AC, 01, 84, C9, 74, 7A, 8B, 45, 1C, 66, 01, 4D, 1C, 03, C3, 05, 13, 4C, AC, 01, 50, 8B, 45, 2C, FF, 10, 85, C0, 0F, 84, 5E, 02, 00, 00, 89, 45, 10, 8B, 45, 1C, 03, C3...
 
[+]

Entropy:
6.1021

Packer / compiler:
ASPack v1.08.04

Code size:
51.5 KB (52,736 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
CocCoc Update

Command:
"C:\Documents and Settings\{user}\Application data\coccoc\update\coccocupdate.exe" \c


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to coccoc.com  (123.30.175.11:80)

Remove coccoccrashhandler.exe - Powered by Reason Core Security