install_flash_player-oc-jd.exe

Sevas-S LLC

The application install_flash_player-oc-jd.exe by Sevas-S has been detected as adware by 14 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars.
Publisher:
Sevas-S LLC  (signed and verified)

MD5:
dfed8aab4410f2f516012615b51d94fa

SHA-1:
501d16f924c7f560a0dc85d03709ac3ecb24c8b2

SHA-256:
0a6e07b5704aa45cc9a7bcb2fc7a3293471ecd7ff8c722f322f8695a530dcccd

Scanner detections:
14 / 68

Status:
Adware

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
12/24/2024 11:09:35 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
APPL/Downloader.Gen
8.3.1.6

AVG
OpenCandy
2016.0.3076

Bkav FE
W32.HfsAdware
1.3.0.6379

Dr.Web
Adware.Downware.1446
9.0.1.05190

ESET NOD32
Win32/JoyDownloader.D potentially unwanted application
7.0.302.0

F-Prot
W32/OpenCandy.A2.gen
v6.4.7.1.166

G Data
Win32.Adware.OpenCandy
15.6.25

K7 AntiVirus
Unwanted-Program
13.205.16270

Malwarebytes
PUP.Optional.OpenCandy
v2015.06.17.08

NANO AntiVirus
Riskware.Win32.OpenCandy.dqxwfk
0.30.24.2086

Reason Heuristics
PUP.Installer.SevasS
15.6.17.8

Rising Antivirus
PE:PUF.OpenCandy!1.9DE5
23.00.65.15615

Sophos
PUA 'OpenCandy'
5.15

VIPRE Antivirus
Threat.4847482
40786

File size:
588.8 KB (602,912 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\install_flash_player-oc-jd.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
1/23/2013 7:00:00 AM

Valid to:
2/23/2014 6:59:59 AM

Subject:
CN=Sevas-S LLC, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Sevas-S LLC, L=Kyiv, S=Kyivska oblast, C=UA

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
527471E53862E2F90AB45ED4ACB8F4C2

File PE Metadata
Compilation timestamp:
5/20/2013 6:52:54 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:8aC5MyhxZ5Sdt0Y+vS9OIfuXdVr/GHyO+ISNBQj9AT11Yno:6Oybyz5mOYGSbIM+9ATbYo

Entry address:
0x31B1

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 92, 40, 00, 89, 6C, 24, 14, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, 34, 71, 40, 00, 55, FF, 15, AC, 72, 40, 00, 6A, 08, A3, 58, 92, 42, 00, E8, 90, 2E, 00, 00, A3, A4, 91, 42, 00, 55, 8D, 44, 24, 34, 68, B4, 02, 00, 00, 50, 55, 68, 58, 06, 42, 00, FF, 15, 7C, 71, 40, 00, 68, C0, 92, 40, 00, 68, A0, 81, 42, 00, E8, FB, 2A, 00, 00, FF, 15, 38, 71, 40, 00, BB, 00, 40, 43, 00, 50, 53, E8, E9, 2A, 00, 00...
 
[+]

Entropy:
7.6088

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-23-21-66-175.compute-1.amazonaws.com  (23.21.66.175:80)

TCP (HTTP):
Connects to ec2-23-21-241-197.compute-1.amazonaws.com  (23.21.241.197:80)

Remove install_flash_player-oc-jd.exe - Powered by Reason Core Security