f_000234

AppWork GmbH

The installer uses the installCore download manager, which may bundle additional offers for various ad-supported toolbars, extensions and utilities. The file f_000234 by AppWork GmbH has been detected as a potentially unwanted program by 3 anti-malware scanners. The program is a setup application that uses the installCore installer. It is typically executed from the user's temporary directory. The file has been seen downloaded from dl.jdcdn.org and multiple other hosts.
Publisher:
AppWork GmbH  (signed and verified)

MD5:
71632f12b79c2237d6948d7184775e45

SHA-1:
953e59618097a8b551aa4af12135a7e321c9d380

SHA-256:
5a1c6336e8c292844a64767e79d03e48208371b4ad531d513e8d399b7f526ecc

Scanner detections:
3 / 68

Status:
Potentially unwanted

Description:
This is also known as bundleware or downloadware: a downloader designed simply to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
12/28/2024 2:03:57 AM UTC  (today)

Scan engine          Detection                               Engine version
AVG                  Generic                                 2015.0.3343
Reason Heuristics    PUP.AppWorkGmbH.I                       14.9.23.5
Vba32 AntiVirus      suspected of Trojan.Downloader.gen.h    3.12.26.3

File size:
161.1 KB (164,992 bytes)

Bundler/Installer:
installCore (using Nullsoft Install System)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\temp\webkit\cache\f_000234

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
1/31/2014 3:51:29 AM

Valid to:
4/1/2015 4:00:41 AM

Subject:
E=e-mail@appwork.org, CN=AppWork GmbH, O=AppWork GmbH, L=Fuerth, S=Bayern, C=DE

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11218C489DBD3BC8AF35CDB519BA450DC59A

File PE Metadata
Compilation timestamp:
5/11/2014 10:03:42 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:24URpNUUX6z/DBXJfg7BtNy9OF/mvvlz9pGJI6pXOp42JTLNRA92ajWHDuZE:24SUjhto7Ny9rGJI6YCMTU8ZjZ

Entry address:
0x30E2

Entry point:
81, EC, 84, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 90, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, 1C, 71, 40, 00, 53, FF, 15, 8C, 72, 40, 00, 6A, 08, A3, 58, E4, 42, 00, E8, 95, 2D, 00, 00, A3, A4, E3, 42, 00, 53, 8D, 44, 24, 38, 68, 60, 01, 00, 00, 50, 53, 68, E0, 87, 42, 00, FF, 15, 64, 71, 40, 00, 68, 80, 91, 40, 00, 68, A0, DB, 42, 00, E8, 3F, 2A, 00, 00, FF, 15, 20, 71, 40, 00, BD, 00, 40, 43, 00, 50, 55, E8, 2D, 2A...
 

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file f_000234 has been seen being distributed by the following 8 URLs.
