JDownloaderSetup.exe

JDownloader

AppWork GmbH

The installer utilizes the installCore download manager which may bundle additional offers for various ad-supported toolbars, extensions and utilities. The application JDownloaderSetup.exe by AppWork GmbH has been detected as a potentially unwanted program by 2 anti-malware scanners. The program is a setup application that uses the installCore installer. The file has been seen being downloaded from www.filecluster.com and multiple other hosts. While running, it connects to the Internet address update1.jdownloader.org on port 80 using the HTTP protocol.
Publisher:
AppWork GmbH  (signed and verified)

Product:
JDownloader

Version:
0.9

MD5:
4f506c5bca19b177e9995a7ee1a70435

SHA-1:
fd23046bb47d2626012db8a018535680ca3cb374

SHA-256:
fb6003680400d54096bb110cae09998cf92fd5834bd76c44466ebe3936d4f5a9

Scanner detections:
2 / 68

Status:
Potentially unwanted

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature this is not set be defult and is usually overlooked.

Analysis date:
12/25/2024 3:55:16 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Installer.AppWorkGmbH.Q
14.7.28.0

Trend Micro House Call
TROJ_GEN.F47V1213
7.2.133

File size:
25.3 MB (26,539,720 bytes)

Product version:
0.9

Copyright:
AppWork GmbH

Original file name:
JDownloaderSetup.exe

File type:
Executable application (Win64 EXE)

Bundler/Installer:
installCore

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\jdownloadersetup.exe

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
3/1/2011 3:00:48 PM

Valid to:
3/1/2014 3:00:41 PM

Subject:
E=e-mail@appwork.org, CN=AppWork GmbH, O=AppWork GmbH, L=Fürth, S=Bavaria, C=DE

Issuer:
CN=GlobalSign ObjectSign CA, OU=ObjectSign CA, O=GlobalSign nv-sa, C=BE

Serial number:
0100000000012E71E7355C

File PE Metadata
Compilation timestamp:
5/28/2012 1:51:07 PM

OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows GUI

Linker version:
2.56

CTPH (ssdeep):
393216:Pt88m+FK+Oa6+ZLv1rIoeuerdq8S/Eucs8s2ow7Eho0r3tpypfuJN0uUv:FM+FKB9+ZLvheuepq8ScuSs2oDZ3C

Entry address:
0x11F8

Entry point:
4D, 5A, 90, 00, 03, 00, 00, 00, 04, 00, 00, 00, FF, FF, 00, 00, B8, 00, 00, 00, 00, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 80, 00, 00, 00, 0E, 1F, BA, 0E, 00, B4, 09, CD, 21, B8, 01, 4C, CD, 21, 54, 68, 69, 73, 20, 70, 72, 6F, 67, 72, 61, 6D, 20, 63, 61, 6E, 6E, 6F, 74, 20, 62, 65, 20, 72, 75, 6E, 20, 69, 6E, 20, 44, 4F, 53, 20, 6D, 6F, 64, 65, 2E, 0D, 0D, 0A, 24, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Code size:
181.5 KB (185,856 bytes)

The file JDownloaderSetup.exe has been seen being distributed by the following 3 URLs.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to update1.jdownloader.org  (178.63.91.110:80)

Remove JDownloaderSetup.exe - Powered by Reason Core Security