jabs+buh.exe

Awimba LLC

This is the Tuguu DomaIQ download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The file jabs+buh.exe by Awimba has been detected as adware by 21 anti-malware scanners. The program is a setup application that uses the TUGUU DomaIQ Setup installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from cp.tuguu.com and multiple other hosts.
Publisher:
Awimba LLC  (signed and verified)

MD5:
8a9f19603e8b1c9ea130a8fe983c5601

SHA-1:
453b40c271cc09f68b576603adde237928805dd3

SHA-256:
851ffd45b32992dae9cb2a27df5bcf12a00f3607dd418ec98c652293c29a2691

Scanner detections:
21 / 68

Status:
Adware

Explanation:
Uses the InstallIQ download installer to bundle various adware offers.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature this is not set be defult and is usually overlooked.

Analysis date:
11/23/2024 11:01:06 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.DomaIQ
7.1.1

Avira AntiVirus
APPL/DomaIQ.Gen
7.11.105.64

avast!
Win32:DomaIQ-I [PUP]
2014.9-150325

AVG
DomaIQ
2016.0.3160

Comodo Security
UnclassifiedMalware
17028

Dr.Web
Adware.W3i.29
9.0.1.084

ESET NOD32
Win32/DomaIQ
9.9809

Fortinet FortiGate
W32/DomaIQ.D
3/25/2015

F-Prot
W32/DomaIQ.B
v6.4.7.1.166

G Data
Win32.Application.DomalQ
15.3.24

K7 AntiVirus
Riskware
13.172.9737

Malwarebytes
Adware.DomaIQ
v2015.03.25.10

McAfee
Artemis!8A9F19603E8B
5600.6816

NANO AntiVirus
Riskware.Win32.DomaIQ.cudtbt
0.28.0.59911

Reason Heuristics
PUP.Installer.Awimba
15.3.25.10

Rising Antivirus
PE:Trojan.Win32.Generic.14B366F9!347301625
23.00.65.15323

Sophos
DomainIQ pay-per install
4.93

Trend Micro House Call
TROJ_GEN.RCBH1E8
7.2.84

Trend Micro
ADW_IQDOMA
10.465.25

VIPRE Antivirus
DomaIQ
21974

File size:
427.3 KB (437,600 bytes)

Bundler/Installer:
TUGUU DomaIQ Setup (using Nullsoft Install System)

Common path:
C:\users\{user}\appdata\local\temp\jabs+buh.exe.part

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
12/18/2012 9:12:06 AM

Valid to:
12/18/2013 9:12:06 AM

Subject:
CN=Awimba LLC, O=Awimba LLC, L=wilmington, S=DE, C=US

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
0423F035F20DC9

File PE Metadata
Compilation timestamp:
12/5/2009 3:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:sFUPTHx7e8/tHXsDlMOxkuX+cCjVMurkKbCnfc8vy4h:sFUC8/tcJMDNcCjVM7eX86

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9407

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file jabs+buh.exe has been seen being distributed by the following 7 URLs.

http://cp.tuguu.com/pasarela/affp/.../SiteID=123&SiteID2=BcGJEYAwCACwXZgAsBZwmR7vEp67m5AdxvMCwQMkS1nhO1Q9U9qmF2fjhFexY7YyhizaiVGp5ia4Q3N3pM66B62CWfwH&__tc=1367721848.12

http://cp.tuguu.com/pasarela/affp/.../SiteID=123&SiteID2=BcGJEcAgCACwXZiAV6TLeCC6RK-7N6FYjOsFggdouuKEb9HQ3pYdrVp5dMg9R5p2VgZ6DKx2QWfuEK6rzNaEGtvkhlv9&__tc=1367641712.65

Remove jabs+buh.exe - Powered by Reason Core Security