java.exe

Payments Interactive SL

This is the Tuguu DomaIQ download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application java.exe by Payments Interactive SL has been detected as adware by 29 anti-malware scanners. The program is a setup application that uses the TUGUU DomaIQ Setup installer. With this installer, users are expecting to download the free Oracle Java Runtime but before that occurs they may be presented with additional offers, mostly potentially unwanted software or adware.
Publisher:
Payments Interactive SL  (signed and verified)

MD5:
b24af637cec3015eeecc0d7e0002c09e

SHA-1:
d86863ef39dcc8ebcbd07042b8b4274ceeead433

SHA-256:
1b6960f752686a3558b780badde4d508c973781640347bb4d47fdc5be5f9eb16

Scanner detections:
29 / 68

Status:
Adware

Explanation:
Uses the DomainIQ download manager to bundle additional potentially unwanted software without adequate consent.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/26/2024 12:44:30 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Dropped:Adware.Bundler.Offer.A
924

Agnitum Outpost
PUA.DomaIQ
7.1.1

AhnLab V3 Security
PUP/Win32.DomaIQ
2014.07.27

Avira AntiVirus
APPL/DomaIQ.Gen
7.11.164.8

avast!
PUP-gen [PUP]
140617-1

AVG
Adware DomaIQ.BW
2014.0.3986

Bitdefender
Dropped:Adware.Bundler.Offer.A
1.0.20.1035

Clam AntiVirus
Win.Adware.Domaiq-31
0.98/19185

Dr.Web
Trojan.DownLoader9.51748
9.0.1.05190

Emsisoft Anti-Malware
Dropped:Adware.Bundler.Offer
8.14.07.26.11

ESET NOD32
Win32/DomaIQ.BB potentially unwanted application
7.0.302.0

F-Prot
W32/DomaIQ.C.gen
v6.4.7.1.166

F-Secure
Adware:W32/DomaIQ
11.2014-26-07_7

G Data
Dropped:Adware.Bundler.Offer
14.7.24

IKARUS anti.virus
AdWare.DomaIQ
t3scan.1.6.1.0

K7 AntiVirus
Unwanted-Program
13.181.12846

Kaspersky
not-a-virus:AdWare.Win32.Lollipop
15.0.0.494

Malwarebytes
PUP.Optional.DomalQ
v2014.07.26.11

McAfee
CryptDomaIQ
5600.7058

Microsoft Security Essentials
Threat.Undefined
1.179.1033.0

MicroWorld eScan
Dropped:Adware.Bundler.Offer.A
15.0.0.621

NANO AntiVirus
Riskware.Win32.Lolipop.cvxwnv
0.28.2.60990

nProtect
Trojan-Clicker/W32.Lollipop.517512
14.07.25.01

Panda Antivirus
PUP/MultiToolbar.A
14.07.26.11

Quick Heal
Adware.DomaIQ.BT5
7.14.14.00

Reason Heuristics
PUP.PaymentsInteractiveSL.E
14.8.7.23

Sophos
DomainIQ pay-per install
4.98

Vba32 AntiVirus
AdWare.Lollipop
3.12.26.3

VIPRE Antivirus
Threat.4780044
31208

File size:
505.4 KB (517,512 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
TUGUU DomaIQ Setup

Common path:
C:\users\{user}\downloads\java.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
2/7/2014 2:58:55 PM

Valid to:
2/7/2015 2:58:55 PM

Subject:
CN=Payments Interactive SL, O=Payments Interactive SL, L=Adeje, S=Santa cruz de Tenerife, C=ES

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
2B974AA267457F

File PE Metadata
Compilation timestamp:
3/22/2014 12:13:37 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:x6QTlw7u7eAefuwA8dzQD1NYYueR10lFp:x66OS7lwAf/zG

Entry address:
0x26C1

Entry point:
E8, 06, 33, 00, 00, E9, 79, FE, FF, FF, CC, CC, CC, CC, CC, 8B, 4C, 24, 04, F7, C1, 03, 00, 00, 00, 74, 24, 8A, 01, 83, C1, 01, 84, C0, 74, 4E, F7, C1, 03, 00, 00, 00, 75, EF, 05, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8D, A4, 24, 00, 00, 00, 00, 8B, 01, BA, FF, FE, FE, 7E, 03, D0, 83, F0, FF, 33, C2, 83, C1, 04, A9, 00, 01, 01, 81, 74, E8, 8B, 41, FC, 84, C0, 74, 32, 84, E4, 74, 24, A9, 00, 00, FF, 00, 74, 13, A9, 00, 00, 00, FF, 74, 02, EB, CD, 8D, 41, FF, 8B, 4C, 24, 04, 2B, C1, C3, 8D, 41, FE, 8B...
 
[+]

Code size:
40.5 KB (41,472 bytes)

The file java.exe has been seen being distributed by the following URL.

Remove java.exe - Powered by Reason Core Security