icreinstall_firefox downloader - jalantikus.exe

Application Internet Lite

PT MP Games

The application icreinstall_firefox downloader - jalantikus.exe, "Application Internet Lite Setup" by PT MP Games, has been detected as a potentially unwanted program by 2 anti-malware scanners. It is a setup program built on the InstallCore installer engine, which may bundle about 3-4 additional software offers such as ad-supported toolbars, browser extensions and utilities. The installer is marketed through download portals and search ads as the free Mozilla Firefox web browser, but it also installs additional software offers that include adware, PUPs and browser toolbars.
Publisher:
Lite Program (signed by PT MP Games)

Product:
Application Internet Lite

Description:
Application Internet Lite Setup

MD5:
f0be94837b14cf1629b3e38f67ba2fd1

SHA-1:
ec282b74f87c761ac661cdf7f6fbe7d786b5ad5f

SHA-256:
906d97e9cec67a57084057f27d311743cbd681d538705ad6b37c4553e2da3cb7

Scanner detections:
2 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
11/15/2024 12:27:41 PM UTC

Scan engine        Detection                                                   Engine version
ESET NOD32         Win32/InstallCore.AFF.gen potentially unwanted application  7.0.302.0
Reason Heuristics  PUP.installCore.PTMPGames.Installer (M)                     16.2.6.0

File size:
1.1 MB (1,141,224 bytes)

Product version:
2.4

Copyright:
program

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_firefox downloader - jalantikus.exe

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
1/20/2016 5:49:25 PM

Valid to:
1/20/2017 5:49:25 PM

Subject:
CN=PT MP Games, O=PT MP Games, S=Jakarta, C=ID

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
112196D38C2D01B48C24B0EE5080C33055F9

File PE Metadata
Compilation timestamp:
6/20/1992 5:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:sSiP7OBJnBxNCgm4eXf5unZtUMypKEM2CnHohxy7yW:snP7AVDrPdZhyFCnHYtW

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...

Entropy:
7.6879

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file icreinstall_firefox downloader - jalantikus.exe has been seen being distributed by the following 2 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)