dam_ay.exe

Beijing Caiyunshidai Technology Co., Ltd.

The application dam_ay.exe by Beijing Caiyunshidai Technology Co. has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. The file has been seen being downloaded from d3g1g0k0wwnjag.cloudfront.net. While running, it connects to the Internet address server-54-192-19-38.iad12.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:

MD5:
86aa09be7ffc4a51a3fb0044135128e5

SHA-1:
b235c299ad4ae0e812500f9f78f5a549e9906cf2

SHA-256:
fde02ff306fe9cbdd0d2a1cb899a399b77f75e0456a773a8d37353978f5af27a

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 3:46:30 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Adware.ELEX.SpeedSearch (M)
17.2.11.11

File size:
400.2 KB (409,832 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\dam_ay.exe

Digital Signature
Authority:
thawte, Inc.

Valid from:
1/23/2017 7:00:00 AM

Valid to:
3/4/2017 6:59:59 AM

Subject:
CN="Beijing Caiyunshidai Technology Co., Ltd.", O="Beijing Caiyunshidai Technology Co., Ltd.", L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
011AE675B36A4BE7F940903CF54E8522

File PE Metadata
Compilation timestamp:
2/9/2017 5:53:37 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x8893

Entry point:
E8, 5F, FF, FF, FF, E9, C8, 32, 00, 00, 55, 8B, EC, 81, EC, FC, 01, 00, 00, A1, 00, 10, 46, 00, 33, C5, 89, 45, FC, 56, 8B, 75, 08, 57, 56, E8, 3F, 05, 00, 00, 8B, F8, 59, 85, FF, 0F, 84, 79, 01, 00, 00, 53, 6A, 03, E8, 18, FD, FF, FF, 59, 83, F8, 01, 0F, 84, 0F, 01, 00, 00, 6A, 03, E8, 07, FD, FF, FF, 59, 85, C0, 75, 0D, 83, 3D, 10, 26, 46, 00, 01, 0F, 84, F6, 00, 00, 00, 81, FE, FC, 00, 00, 00, 0F, 84, 41, 01, 00, 00, 68, 68, BC, 45, 00, 68, 14, 03, 00, 00, 68, 18, 26, 46, 00, E8, F5, C1, FF, FF, 83, C4...
 
[+]

Entropy:
7.8091  (probably packed)

Code size:
359.5 KB (368,128 bytes)

The file dam_ay.exe has been seen being distributed by the following URL.

http://d3g1g0k0wwnjag.cloudfront.net/.../dam_ay.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-192-55-93.jfk6.r.cloudfront.net  (54.192.55.93:80)

TCP (HTTP):
Connects to server-54-192-19-46.iad12.r.cloudfront.net  (54.192.19.46:80)

TCP (HTTP):
Connects to server-52-84-246-150.sfo20.r.cloudfront.net  (52.84.246.150:80)

TCP (HTTP):
Connects to server-54-192-19-56.iad12.r.cloudfront.net  (54.192.19.56:80)

TCP (HTTP):
Connects to server-54-192-19-38.iad12.r.cloudfront.net  (54.192.19.38:80)

TCP (HTTP):
Connects to server-52-85-63-75.lhr50.r.cloudfront.net  (52.85.63.75:80)

TCP (HTTP):
Connects to server-52-85-63-114.lhr50.r.cloudfront.net  (52.85.63.114:80)

TCP (HTTP):
Connects to server-52-84-246-26.sfo20.r.cloudfront.net  (52.84.246.26:80)

TCP (HTTP):
Connects to server-52-84-246-149.sfo20.r.cloudfront.net  (52.84.246.149:80)

TCP (HTTP):
Connects to server-54-240-186-51.mad50.r.cloudfront.net  (54.240.186.51:80)

TCP (HTTP):
Connects to server-54-240-186-96.mad50.r.cloudfront.net  (54.240.186.96:80)

TCP (HTTP):
Connects to server-54-240-186-66.mad50.r.cloudfront.net  (54.240.186.66:80)

Remove dam_ay.exe - Powered by Reason Core Security