jollywallet_01072013.exe

Radyoos Media Ltd.

The application jollywallet_01072013.exe, “JollyWallet Installer” by Radyoos Media has been detected as adware by 7 anti-malware scanners. The program is a setup application that uses the Nullsoft Install System installer. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from dl-2.kbm2.com.
Publisher:
JollyWallet  (signed by Radyoos Media Ltd.)

Product:
JollyWallet

Description:
JollyWallet Installer

Version:
1.26.151.151

MD5:
5bd84f61cb715edb713cff51ec4a9585

SHA-1:
75ff4ffb8a7cd0be9de17a3a93e88408b5b4da91

SHA-256:
dbe5c7bb451145e29e8205cc4ac7b1446ba5f2e4edee17dca84bb5506fc61adf

Scanner detections:
7 / 68

Status:
Adware

Analysis date:
12/25/2024 12:43:36 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Crossrider-B [PUP]
2014.9-141008

Comodo Security
Heur.Suspicious
16056

Dr.Web
Adware.Plugin.22
9.0.1.0281

Emsisoft Anti-Malware
Packed.Win32.ScrambleWrapper.AMN
8.14.10.08.02

ESET NOD32
Win32/Packed.ScrambleWrapper
8.8266

Reason Heuristics
PUP.Installer.RadyoosMedia.U
14.10.8.14

Trend Micro House Call
TROJ_GEN.F47V0114
7.2.281

File size:
2.5 MB (2,662,840 bytes)

Copyright:
Copyright JollyWallet

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\jollywallet_01072013.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
12/23/2012 7:00:00 PM

Valid to:
12/24/2013 6:59:59 PM

Subject:
CN=Radyoos Media Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Radyoos Media Ltd., L=Tel Aviv-Jaffa, S=Israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
49AC6CD3FC56DEFFDF28CC3D8009CFD8

File PE Metadata
Compilation timestamp:
1/5/2010 7:09:32 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.56

CTPH (ssdeep):
49152:CfBvWJcIJ37j8cMultuesKX9c2PiQ8QMRJiy71Dvlh/Nn/7X7TK59qLkcqVN:zJTJLbu/KX9c2PiDhnj3h/F/2599VN

Entry address:
0x4044

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, E8, 97, 52, 00, 00, C7, 04, 24, 01, 80, 00, 00, E8, 43, 4F, 00, 00, 56, C7, 04, 24, 00, 00, 00, 00, E8, A6, 52, 00, 00, A3, 88, 5C, 42, 00, 53, C7, 04, 24, 08, 00, 00, 00, E8, 26, 32, 00, 00, A3, 38, 5D, 42, 00, 8D, 85, 84, FE, FF, FF, 51, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, A4, B2, 40, 00, E8, D0, 51, 00, 00, 83, EC, 14, C7, 44, 24, 04, A5, B2, 40, 00, C7, 04, 24, 68, 5D...
 
[+]

Entropy:
7.9891  (probably packed)

Code size:
33 KB (33,792 bytes)

The file jollywallet_01072013.exe has been seen being distributed by the following URL.

Remove jollywallet_01072013.exe - Powered by Reason Core Security