dropdowndealssetup.exe

Yontoo Layers

Yontoo Technology, Inc.

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application dropdowndealssetup.exe by Yontoo Technology has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup and installation application and has been known to bundle potentially unwanted software. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address api.yontoo.com on port 80 using the HTTP protocol.
Publisher:
Yontoo Technology, Inc.  (signed and verified)

Product:
Yontoo Layers

Description:
Installer

Version:
2011.4.13.1648

MD5:
4a8be7cfc5ede2d64f30af6ac511499c

SHA-1:
942d22f24d3cba8847ebd69ee5e8e195fdd812dc

SHA-256:
82b3275e17e43d5077cabd904327b14eef21ae611b86e8be692e784fe923b551

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
12/25/2024 12:12:44 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Yontoo.YontooTechnology.Installer (M)
16.1.28.7

File size:
931.5 KB (953,832 bytes)

Product version:
1.10.01

Copyright:
Copyright © 2011 . All rights reserved.

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\dropdowndealssetup.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
9/2/2009 1:41:20 PM

Valid to:
9/2/2012 1:41:20 PM

Subject:
CN="Yontoo Technology, Inc.", OU=Product Development, O="Yontoo Technology, Inc.", L=Carlsbad, S=CA, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
6A08909DDA7B

File PE Metadata
Compilation timestamp:
8/19/2010 7:08:13 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
24576:Cv3CT9HJ8BrH5vZRdEgaXBkdYvi15Ay+onn77A:CQHJ8lZv98Ouvi15Abonn7U

Entry address:
0x1627

Entry point:
55, 8B, EC, 81, EC, 58, 0B, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, A8, F4, FF, FF, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 00, 40, 40, 00, FF, 15, 70, 30, 40, 00, 89, 45, F8, 8D, 85, B8, FC, FF, FF, 50, C7, 85, B8, FC, FF, FF, 14, 01, 00, 00, FF, 15, 6C, 30, 40, 00, 85, C0, 75, 21, FF, 15, 14, 30, 40, 00, 50, 68, 30, 34, 40, 00, E8, 40, FA, FF, FF, 59, C7, 05, 04, 40, 40, 00, FF, 00, 00, 00, E9, C5, 01, 00, 00, 68, 1C, 34, 40, 00, 68, 0C, 34, 40, 00, FF, 15, 68, 30, 40, 00, 50, FF, 15, 64, 30, 40, 00, 3B...
 
[+]

Entropy:
7.9944

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)

Remove dropdowndealssetup.exe - Powered by Reason Core Security