daemonupd.exe

The executable daemonupd.exe has been detected as malware by 7 anti-virus scanners. It is set to start automatically when a user logs into Windows via the current-user Run registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the display name ‘NvUpdService’.
MD5:
4dfba34cb266322c7018fa17755883d0

SHA-1:
c52a810dc4cd50447366b44edebbe16a3741e49c

SHA-256:
52ca33763b09e69bb55b69ea63c531a87b302588f3f0b2fd4bd3067c5825f391

Scanner detections:
7 / 68

Status:
Malware

Analysis date:
12/28/2024 4:17:00 PM UTC

Scan engine                    Detection                    Engine version
avast!                         Win32:Evo-gen [Susp]         160326-0
Dr.Web                         Trojan.Siggen6.57572         9.0.1.05190
Emsisoft Anti-Malware          Gen:Variant.Zusy.84513       11.5.0.6191
ESET NOD32                     Win32/Glupteba.AF trojan     7.0.302.0
F-Secure                       Variant.Zusy.84513           5.15.96
Microsoft Security Essentials  Threat.Undefined             1.217.399.0
Norman                         Gen:Variant.Zusy.84513       29.03.2016 06:29:16

File size:
45 KB (46,080 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Documents and Settings\{user}\Application data\nvidia corporation\update\daemonupd.exe

File PE Metadata
Compilation timestamp:
4/2/2016 4:02:03 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.23

CTPH (ssdeep):
192:xqjUycEWI6VY8ASbknxLeb5YzHeEk8BF9ylVUXpHvPctpdJ3kh/DNc5Ef77r:nycEWmwknqkeEsYvU/dA/DNc5273

Entry address:
0x12A0

Entry point:
83, EC, 1C, C7, 04, 24, 02, 00, 00, 00, FF, 15, 8C, F1, 40, 00, E8, 4B, FD, FF, FF, 8D, 74, 26, 00, 8D, BC, 27, 00, 00, 00, 00, A1, C8, F1, 40, 00, FF, E0, 89, F6, 8D, BC, 27, 00, 00, 00, 00, A1, A8, F1, 40, 00, FF, E0, 90, 90, 90, 90, 90, 90, 90, 90, 90, A1, 4C, B7, 40, 00, 85, C0, 74, 41, 55, 89, E5, 83, EC, 18, C7, 04, 24, 00, C0, 40, 00, E8, 85, 09, 00, 00, BA, 00, 00, 00, 00, 83, EC, 04, 85, C0, 74, 15, C7, 44, 24, 04, 0E, C0, 40, 00, 89, 04, 24, E8, 71, 09, 00, 00, 83, EC, 08, 89, C2, 85, D2, 74, 09...

Entropy:
2.9141

Code size:
12.5 KB (12,800 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
NvUpdService

Command:
C:\Documents and Settings\{user}\Application data\nvidia corporation\update\daemonupd.exe \app 1e52067fd323bbc57c5f894594285433
The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to ip-static-94-242-252-42.server.lu  (94.242.252.42:444)

TCP:
Connects to ns342617.ip-176-31-106.eu  (176.31.106.23:444)

TCP:
Connects to malta1752.dedicatedpanel.com  (85.25.210.136:444)

TCP (HTTP):
Connects to sunfire.netground.nl  (87.250.129.151:80)

TCP (HTTP):
Connects to static.213.80.243.136.clients.your-server.de  (136.243.80.213:80)

TCP (HTTP):
Connects to sonnjoch.ispgateway.de  (134.119.253.42:80)

TCP (HTTP):
Connects to s15913167.onlinehome-server.com  (216.250.115.140:80)

TCP (HTTP):
Connects to ns.elekon.ru  (195.208.156.250:80)

TCP (HTTP):
Connects to l2top.ru  (91.121.37.31:80)

TCP:
Connects to k016.khaki.myloc.de  (93.186.196.16:444)

TCP (HTTP SSL):
Connects to instagram-p3-shv-01-fra3.fbcdn.net  (31.13.93.52:443)

TCP (HTTP SSL):
Connects to ec2-54-152-188-51.compute-1.amazonaws.com  (54.152.188.51:443)

TCP:
Connects to awm.com  (185.31.161.100:444)

TCP (HTTP SSL):
Connects to auth.my.com  (185.30.179.7:443)

TCP (HTTP SSL):
Connects to a23-38-3-235.deploy.static.akamaitechnologies.com  (23.38.3.235:443)

TCP:
Connects to 240.24.155.213.hosting.ua  (213.155.24.240:444)

TCP (SMTP):
Connects to www1686.sakura.ne.jp  (219.94.192.96:25)

TCP (HTTP):
Connects to video-edge-c55c38.fra02.hls.ttvnw.net  (52.223.196.58:80)

TCP (HTTP SSL):
Connects to server-54-230-15-242.ams1.r.cloudfront.net  (54.230.15.242:443)

TCP (HTTP):
Connects to radaris.com  (69.90.124.140:80)

Powered by Reason Core Security