do_application_start.exe

Sonny Sun Interactive

The application do_application_start.exe by Sonny Sun Interactive has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup and installation application and has been known to bundle potentially unwanted software. The file has been seen being downloaded from intva18.componentsurf.info and multiple other hosts.
Publisher:
Quick Authenticated Installer Setup  (signed by Sonny Sun Interactive)

Product:
Quick Authenticated Installer Setup

Version:
10.1.1.7732

MD5:
aaca78a61782a4578036c1ae211ba034

SHA-1:
4887cf6287c9464a3bc99c2090211f486851e77d

SHA-256:
240bfc2aa9796e5f11e777a7afc26f2c16a17a9c471751cfb1eba3baac5431f5

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/27/2024 5:21:26 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.DownloadAdmin.SonnySun.Installer (M)
16.5.29.22

File size:
915 KB (937,000 bytes)

Product version:
10.1.1.7732

Copyright:
Copyright (C) 2015

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\do_application_start.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
3/8/2016 5:13:39 PM

Valid to:
3/8/2017 5:13:39 PM

Subject:
CN=Sonny Sun Interactive, O=Sonny Sun Interactive, L=SAN FRANCISCO, S=California, C=US

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
0093AC568FBE0B686A

File PE Metadata
Compilation timestamp:
6/13/2015 3:07:40 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
24576:47TqGYjNS0Ts+8OpwOZVqTTRlDUpxMQYh:JjNS0FWTTRlgpxMQY

Entry address:
0x39A6

Entry point:
E8, 45, AB, 00, 00, E9, 47, A4, 00, 00, 57, 8B, 7C, 24, 08, B8, 8C, A7, 48, 00, E8, 31, 75, 00, 00, A1, 54, A7, 48, 00, 50, 57, E8, 45, F8, FF, FF, B8, BC, A7, 48, 00, E8, 1B, 75, 00, 00, 8B, 0D, 6C, A7, 48, 00, 51, 6A, FE, 57, E8, CC, 17, 00, 00, 8B, 15, 64, A7, 48, 00, 52, 57, E8, 1F, F8, FF, FF, B8, CC, A7, 48, 00, E8, F5, 74, 00, 00, A1, 6C, A7, 48, 00, 50, 6A, FE, 57, E8, A7, 17, 00, 00, 6A, FD, 57, E8, 9F, 0D, 00, 00, 83, C4, 30, B8, 01, 00, 00, 00, 5F, C3, CC, CC, CC, CC, CC, A1, E8, C7, 49, 00, 23...
 
[+]

Entropy:
7.9607  (probably packed)

Code size:
56.5 KB (57,856 bytes)

The file do_application_start.exe has been seen being distributed by the following 3 URLs.

http://intva18.componentsurf.info/dl-pure?&usefilename=true&hashstring=jbaril41216&signature_id=399&_action_=getbin&filename=battleshipfleetcommand-setup-119884523 (1).exe&checksum=118429

Remove do_application_start.exe - Powered by Reason Core Security