lly_webssearches.exe

1251_tugs_webssearches

Liyan Liu

The application lly_webssearches.exe by Liyan Liu has been detected as adware by 10 anti-malware scanners. It is a setup program used to install the application. It is an adware bundler (also known as ElexNetDownload) that includes additional unwanted offers in the download and install process. During installation it connects to twonext.com and xingcloud.com to determine which offers to show the user, based on what is already installed and where the user is located. It is typically executed from the user's temporary directory. The file has been seen being downloaded from www.girlzhangling.com.
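The behaviour above gives three observables that can be correlated in endpoint telemetry: the installer file name, execution from a Temp\{random}.tmp staging directory, and network connections to the offer-selection servers. The following is an added example, not code from this page or from Reason Core Security. The event records use a constructed, simplified shape (process-creation and network-connection records keyed by PID), not the real Sysmon or EDR schema, and the sample telemetry is made up; map your own telemetry into that shape before use.

```python
"""Behavioural detection for the install-time activity described above.

Added example, not part of the page. The event records are a constructed,
simplified shape (process creation and network connection keyed by PID), not
the real Sysmon or EDR schema; map your telemetry into it before use.
"""
import re

# Indicators from the page; everything else here is an assumption.
INSTALLER_NAME = "lly_webssearches.exe"
OFFER_DOMAINS = ("twonext.com", "xingcloud.com")
# C:\Users\{user}\AppData\Local\Temp\{random}.tmp\...  (the page's common path)
TEMP_STAGING_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.tmp\\", re.IGNORECASE)


def is_temp_staged(image_path):
    """True when the image lives in a Temp\\*.tmp staging directory."""
    return bool(TEMP_STAGING_RE.match(image_path))


def is_offer_server(host):
    """Exact or subdomain match against the offer-selection domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFER_DOMAINS)


def correlate(events):
    """Flag a process when at least two independent indicators line up, so a
    browser that merely visits one of the domains is not reported."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    findings = []
    for pid, image in images.items():
        reasons = []
        if image.lower().rsplit("\\", 1)[-1] == INSTALLER_NAME:
            reasons.append("known installer file name")
        if is_temp_staged(image):
            reasons.append("executed from a Temp\\*.tmp staging directory")
        hosts = sorted({e["dest_host"].lower() for e in events
                        if e["type"] == "network" and e["pid"] == pid
                        and is_offer_server(e["dest_host"])})
        if hosts:
            reasons.append("contacted offer server(s): " + ", ".join(hosts))
        if len(reasons) >= 2:
            findings.append({"pid": pid, "image": image, "reasons": reasons})
    return findings


# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Temp\is-K3J2.tmp\lly_webssearches.exe"},
    {"type": "network", "pid": 4120, "dest_host": "twonext.com"},
    {"type": "network", "pid": 4120, "dest_host": "api.xingcloud.com"},
    {"type": "process", "pid": 880,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "network", "pid": 880, "dest_host": "twonext.com"},
    {"type": "process", "pid": 5012, "image": r"C:\Users\alice\Downloads\setup.exe"},
    {"type": "network", "pid": 5012, "dest_host": "example.net"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["pid"], f["image"])
        for r in f["reasons"]:
            print("   -", r)
```

Requiring two indicators is deliberate: a bundler that has been renamed still trips the staging-directory and network checks, while a browser that happens to resolve twonext.com trips only one and stays quiet.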
Publisher:
File Syn (signed by Liyan Liu)

Product:
1251_tugs_webssearches

Description:
FileWork

Version:
6.1.7602.750

MD5:
3678d34e431d27997df6f473d09044fa

SHA-1:
66bd88c1b91ee183e2263da9d2377e54e0aae237

SHA-256:
b0ce28662e0bf4be8118a05a4812084b3831b8a0cc339dd88dec3f752f65ccdd

Scanner detections:
10 / 68

Status:
Adware

Explanation:
Software bundler and update mechanism that will attempt to install adware offers.

Analysis date:
11/30/2024 11:10:24 AM UTC

Scan engine           Detection                        Engine version
Agnitum Outpost       PUA.Mutabaha                     7.1.1
AhnLab V3 Security    PUP/Win32.Downloader             2014.09.04
AVG                   Generic                          2015.0.3379
Baidu Antivirus       Adware.Win32.ELEX                4.0.3.14817
Dr.Web                Adware.Mutabaha.70               9.0.1.0254
Malwarebytes          PUP.Optional.SearchHijacker.A    v2014.08.17.02
McAfee                Artemis!2BE3144251E9             5600.7010
Qihoo 360 Security    HEUR/Malware.QVM06.Gen           1.0.0.1015
Reason Heuristics     PUP.LiyanLiu.Q                   14.8.17.14
VIPRE Antivirus       Elex Installer                   32236

File size:
749.9 KB (767,872 bytes)

Product version:
6.1.7602.750

Copyright:
SynWork

Original file name:
SynWork.exe

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\lly_webssearches.exe

Digital Signature
Signed by:
Liyan Liu
Authority:
DigiCert Inc

Valid from:
7/22/2014 2:00:00 AM

Valid to:
7/27/2015 2:00:00 PM

Subject:
CN=Liyan Liu, O=Liyan Liu, L=Wenzhou, S=Zhejiang, C=CN

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
06A374858107D7F624D3CC328C92248A

File PE Metadata
Compilation timestamp:
8/15/2014 4:01:10 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:G1HCq6pjUJjz1MlY7W16W1koLtBN+tXCJZjiqevn6USKAX:GdCjUJjzIY7Wt1koNZjiJ6USKAX

Entry address:
0x39207

Entry point:
E8, A5, E6, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 74, AA, 4A, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 48, 18, 4A, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 74, AA, 4A, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03...

Packer / compiler:
PEQuake V0.06

Code size:
539 KB (551,936 bytes)

The file lly_webssearches.exe has been seen being distributed by the following URL: www.girlzhangling.com.

Remove lly_webssearches.exe - Powered by Reason Core Security