jdownloader-0.9.exe

JDownloader

Sevas-S LLC

The application jdownloader-0.9.exe by Sevas-S has been detected as adware by 13 anti-malware scanners. This is a setup program which is used to install the application. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from pt.joydownload.com and multiple other hosts.
Publisher:
Sevas-S LLC  (signed and verified)

Product:
JDownloader

Version:
1.0.0.0

MD5:
da4d69460bbe2ef6add6af670926b951

SHA-1:
4d7b295705cba05baeed4a5d290203071e561a82

SHA-256:
0bcc41b6469f7bb4b16a51abcd8abc61bbbd49302b20e060b36c7057a5910a94

Scanner detections:
13 / 68

Status:
Adware

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
12/27/2024 2:02:15 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.OpenCandy
7.1.1

AVG
Downloader
2015.0.3508

Dr.Web
Adware.Downware.1446
9.0.1.045

ESET NOD32
Win32/JoyDownloader
8.9410

Kaspersky
not-a-virus:AdWare.Win32.OpenCandy
14.0.0.4037

Malwarebytes
PUP.Optional.OpenCandy
v2014.02.14.02

McAfee
Artemis!DA4D69460BBE
5600.7219

Reason Heuristics
PUP.SevasS.O
14.8.7.20

Rising Antivirus
PE:PUF.OpenCandy!1.9DE5
23.00.65.14212

Sophos
Generic PUA EN
4.98

Trend Micro House Call
ADW_OPENCANDY
7.2.45

Trend Micro
ADW_OPENCANDY
10.465.14

VIPRE Antivirus
Sevas-S Installer
28104

File size:
475.4 KB (486,840 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\jdownloader-0.9.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
1/22/2013 9:00:00 PM

Valid to:
2/22/2014 8:59:59 PM

Subject:
CN=Sevas-S LLC, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Sevas-S LLC, L=Kyiv, S=Kyivska oblast, C=UA

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
527471E53862E2F90AB45ED4ACB8F4C2

File PE Metadata
Compilation timestamp:
5/19/2013 8:52:54 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:gaCDdvFhjs17FEUDTTup+Ts9PJYz5jtNcB+/TRfYx:eDZFhm7FjDHuzJYz5jtXTBYx

Entry address:
0x31B1

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 92, 40, 00, 89, 6C, 24, 14, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, 34, 71, 40, 00, 55, FF, 15, AC, 72, 40, 00, 6A, 08, A3, 58, 92, 42, 00, E8, 90, 2E, 00, 00, A3, A4, 91, 42, 00, 55, 8D, 44, 24, 34, 68, B4, 02, 00, 00, 50, 55, 68, 58, 06, 42, 00, FF, 15, 7C, 71, 40, 00, 68, C0, 92, 40, 00, 68, A0, 81, 42, 00, E8, FB, 2A, 00, 00, FF, 15, 38, 71, 40, 00, BB, 00, 40, 43, 00, 50, 53, E8, E9, 2A, 00, 00...
 
[+]

Code size:
23.5 KB (24,064 bytes)

The file jdownloader-0.9.exe has been seen being distributed by the following 14 URLs.

http://pt.joydownload.com/wi/f89e2f72e85c0ef4a2989f03b000bc33/1/3/1/.../jdownloader-0.9.exe

http://es.joydownload.com/wi/a749db060efbf5a66da55ebc39c55958/1/3/1/.../jdownloader-0.9.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ec2-23-21-66-175.compute-1.amazonaws.com  (23.21.66.175:80)

Remove jdownloader-0.9.exe - Powered by Reason Core Security