do_application_start.exe

Sonny Sun Interactive

The application do_application_start.exe by Sonny Sun Interactive has been detected as a potentially unwanted program by 3 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. The file has been seen being downloaded from intva18.componentsurf.info and multiple other hosts.
Publisher:
Free Light Installation  (signed by Sonny Sun Interactive)

Product:
Free Light Installation

Version:
54.7.1.3804

MD5:
da5aca15b7031ac92734255b4eda795a

SHA-1:
35eeabd82cae2799fa5c8d0e1442bea917282603

SHA-256:
aa97bd0a0ba7703bb5b5f8a55a4021bd76bbd7fa725f44d8cd5f6a11a317dbb3

Scanner detections:
3 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional software, mostly toolbars and other potentially unwanted applications using the Vittalia monitization installer.

Analysis date:
12/27/2024 5:48:30 PM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
Trojan.Vittalia.10519
9.0.1.05190

ESET NOD32
Win32/DownloadAdmin.Q potentially unwanted application
8.0.319.0

Reason Heuristics
PUP.DownloadAdmin.SonnySun.Installer (M)
16.5.18.19

File size:
918.7 KB (940,712 bytes)

Product version:
54.7.1.3804

Copyright:
Copyright (C) 2015

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\do_application_start.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
3/8/2016 4:13:39 PM

Valid to:
3/8/2017 4:13:39 PM

Subject:
CN=Sonny Sun Interactive, O=Sonny Sun Interactive, L=SAN FRANCISCO, S=California, C=US

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
0093AC568FBE0B686A

File PE Metadata
Compilation timestamp:
4/22/2015 1:07:32 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
24576:YG5XIJamgPQFOcQJPgY2uuqyvagngrlsJGW+RCWeHe/HtUb:vId8Qclb2Lnau0WS8He/H

Entry address:
0x4ABA

Entry point:
E8, 71, 9A, 00, 00, E9, 7D, 93, 00, 00, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, FF, 25, C8, 4A, 45, 00, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 81, EC, 28, 01, 00, 00, 53, 55, 56, 57, B9, 05, 01, 00, 00, 8D, 44, 24, 30, 33, DB, 88, 18, 40, 83, E9, 01, 75, F8, 8D, 44, 24, 30, 50, 68, 04, 01, 00, 00, FF, 15, 04, 01, 41, 00, 8B, 2D, BC, 01, 41, 00, 8B, F8, 89, 7C, 24, 14, C7, 44, 24, 10, 07, 00, 00, 00, 81, FF, 04, 01, 00, 00, 73, 04, 88, 5C, 3C, 30, 33, F6, 83, FE, 14, 7D, 1D, FF, D5, 33, D2, F7, 35...
 
[+]

Entropy:
7.9609  (probably packed)

Code size:
57 KB (58,368 bytes)

The file do_application_start.exe has been seen being distributed by the following 4 URLs.

Remove do_application_start.exe - Powered by Reason Core Security