csrcc.exe

Sapodilla Ltd

The application csrcc.exe by Sapodilla has been detected as adware by 11 anti-malware scanners. It runs as a separate (within the context of its own process) windows Service named “csrcc”. While running, it connects to the Internet address server-54-192-55-163.jfk6.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Sapodilla Ltd  (signed and verified)

Version:
1.0.0.1

MD5:
0c1b6af0abe56ad3138b3157375f5427

SHA-1:
91fbfeb55d2ccfaf1319f255a554b2735fc8df55

SHA-256:
c26271e30dcacb0e317e4a5144a78754dcb9f4a9fe3ea04aa4142ce59ada0b1d

Scanner detections:
11 / 68

Status:
Adware

Analysis date:
11/25/2024 5:25:16 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.Shopperz.A
644

Bitdefender
Adware.Shopperz.A
1.0.20.610

Bkav FE
W32.HfsAdware
1.3.0.6379

Dr.Web
Adware.Shopper.863
9.0.1.0122

Emsisoft Anti-Malware
Adware.Shopperz
8.15.05.02.05

F-Secure
Adware.Shopperz.A
11.2015-02-05_7

G Data
Adware.Shopperz
15.5.25

MicroWorld eScan
Adware.Shopperz.A
16.0.0.366

nProtect
Adware.Shopperz.A
15.04.10.01

Qihoo 360 Security
HEUR/QVM10.1.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.Service.Bitcocktail
15.3.12.7

File size:
1.4 MB (1,446,264 bytes)

Product version:
1.0.0.1

Original file name:
csrcc.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\shopperz\csrcc.exe

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
1/28/2015 5:37:16 AM

Valid to:
1/29/2016 5:37:16 AM

Subject:
CN=Sapodilla Ltd, O=Sapodilla Ltd, L=Hod Hasharon, C=IL

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
1121449121483F5C10A1D21935F061A75AD5

File PE Metadata
Compilation timestamp:
3/11/2015 5:26:35 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:yJ0KkHjnor9zj5kg6ojrT0kn8qxUTSof5ax3osl0a99vJg+DTn4pqYGV4oSnT1:zxHzor9zFkx1kn8eUTRf5aJOaBTn4pqI

Entry address:
0x39B04

Entry point:
E8, 83, 8B, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 18, F7, 52, 00, E8, 46, 20, 00, 00, E8, 0E, 26, 00, 00, 0F, B7, F0, 6A, 02, E8, 16, 8B, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, D8, 29, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 
[+]

Entropy:
6.3879

Code size:
930 KB (952,320 bytes)

Service
Display name:
csrcc

Type:
Win32OwnProcess

Depends on:
RPCSS


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-192-55-163.jfk6.r.cloudfront.net  (54.192.55.163:80)

TCP (HTTP):
Connects to server-54-192-55-121.jfk6.r.cloudfront.net  (54.192.55.121:80)

TCP (HTTP):
Connects to server-54-192-55-245.jfk6.r.cloudfront.net  (54.192.55.245:80)

TCP (HTTP):
Connects to server-54-192-55-247.jfk6.r.cloudfront.net  (54.192.55.247:80)

TCP (HTTP):
Connects to server-54-192-55-16.jfk6.r.cloudfront.net  (54.192.55.16:80)

TCP (HTTP):
Connects to server-54-192-55-117.jfk6.r.cloudfront.net  (54.192.55.117:80)

TCP (HTTP):
Connects to server-54-192-55-210.jfk6.r.cloudfront.net  (54.192.55.210:80)

TCP (HTTP):
Connects to server-54-192-55-209.jfk6.r.cloudfront.net  (54.192.55.209:80)

TCP (HTTP):
Connects to server-54-192-55-150.jfk6.r.cloudfront.net  (54.192.55.150:80)

TCP (HTTP):
Connects to server-54-192-55-110.jfk6.r.cloudfront.net  (54.192.55.110:80)

TCP (HTTP):
Connects to server-52-85-221-221.cdg50.r.cloudfront.net  (52.85.221.221:80)

TCP (HTTP):
Connects to server-52-85-221-132.cdg50.r.cloudfront.net  (52.85.221.132:80)

TCP (HTTP):
Connects to server-52-85-221-123.cdg50.r.cloudfront.net  (52.85.221.123:80)

TCP (HTTP):
Connects to server-52-84-22-247.sea32.r.cloudfront.net  (52.84.22.247:80)

TCP (HTTP):
Connects to server-52-84-174-48.gru50.r.cloudfront.net  (52.84.174.48:80)

TCP (HTTP):
Connects to server-52-84-174-232.gru50.r.cloudfront.net  (52.84.174.232:80)

TCP (HTTP):
Connects to server-52-84-174-135.gru50.r.cloudfront.net  (52.84.174.135:80)

Remove csrcc.exe - Powered by Reason Core Security