iWill.exe

4842_cmi_mystartsearch

Yuxin WANG

The file iWill.exe by Yuxin WANG has been detected as adware by 11 anti-malware scanners. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d2drfrdurj6mvo.cloudfront.net.
Publisher:
IWill.com  (signed by Yuxin WANG)

Product:
4842_cmi_mystartsearch

Description:
iWill

Version:
6.6.86.1679

MD5:
893d2948e73d83df095d6a756a6e8ca0

SHA-1:
78a5c5b8e3cb64b4cde1e82653d25f46b085e981

SHA-256:
c15009487c0a02c5db42f8a02c22b717928e5b3b4451a2d76007679c764cef42

Scanner detections:
11 / 68

Status:
Adware

Analysis date:
12/25/2024 7:01:24 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Application.Jatif.390
446

Bitdefender
Gen:Variant.Application.Jatif.390
1.0.20.1600

Bkav FE
W32.HfsAdware
1.3.0.7237

Dr.Web
Adware.Mutabaha.706
9.0.1.0320

ESET NOD32
Win32/ELEX.FC potentially unwanted (variant)
9.12260

F-Secure
Gen:Variant.Application.Jatif
11.2015-16-11_2

G Data
Gen:Variant.Application.Jatif.390
15.11.25

herdProtect (fuzzy)
2015.11.16.11

Malwarebytes
PUP.Optional.IStartSurf.ShrtCln
v2015.11.16.11

MicroWorld eScan
Gen:Variant.Application.Jatif.390
16.0.0.960

Reason Heuristics
PUP.ELEX.YuxinWANG (M)
15.9.16.7

File size:
531.7 KB (544,504 bytes)

Product version:
6.6.86.1679

Copyright:
Copyright (C) iWill System Link 2008

Original file name:
iWill.exe

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\nsqe594.tmp

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
9/13/2015 5:00:00 PM

Valid to:
8/12/2017 4:59:59 PM

Subject:
CN=Yuxin WANG, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
418FB18FF89BBDCE65418ACA100A77C1

File PE Metadata
Compilation timestamp:
9/14/2015 7:37:40 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:O9JtMjn0OI+X2e4n0LBmy2d6QAS7MvGjBYRJ:KtGBI+X2eVLBmJ0lSiGw

Entry address:
0x16423

Entry point:
E8, 2E, CE, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 85, C0, 74, 12, 83, E8, 08, 81, 38, DD, DD, 00, 00, 75, 07, 50, E8, 40, E0, FF, FF, 59, 5D, C3, 8B, FF, 55, 8B, EC, 83, EC, 10, A1, C0, F8, 46, 00, 33, C5, 89, 45, FC, 8B, 55, 18, 53, 33, DB, 56, 57, 3B, D3, 7E, 1F, 8B, 45, 14, 8B, CA, 49, 38, 18, 74, 08, 40, 3B, CB, 75, F6, 83, C9, FF, 8B, C2, 2B, C1, 48, 3B, C2, 7D, 01, 40, 89, 45, 18, 89, 5D, F8, 39, 5D, 24, 75, 0B, 8B, 45, 08, 8B, 00, 8B, 40, 04, 89, 45, 24, 8B, 35, D0, 90, 45, 00...
 
[+]

Entropy:
6.3378

Code size:
350.5 KB (358,912 bytes)

The file iWill.exe has been seen being distributed by the following URL.

Remove iWill.exe - Powered by Reason Core Security