» mp.exe
Overview
Analysis
File Details
Downloads (1)

mp.exe

Golden Dock

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application mp.exe by Golden Dock has been detected as adware by 5 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from cdn.results-hub.com.

File name:

mp.exe

Publisher:

Golden Dock (signed and verified)

Version:

1.0.5701.30181

MD5:

d664f734aec2730f490b70ee4f6d1b3a

SHA-1:

b765404a83ba7c5e063e7f3684cc7441412ad543

SHA-256:

3757726f69a6dbd42ca83ec48e0cf942613d4483904c6223460c76650f72e623

Scanner detections:

5 / 68

Status:

Adware

Explanation:

Injects advertising in the web browser in various formats.

Analysis date:

11/24/2024 6:03:11 AM UTC (today)

Scan engine

Detection

Engine version

AhnLab V3 Security

PUP/Win32.BrowseFox

2015.08.12

Avira AntiVirus

ADWARE/BrowseFox.Gen

8.3.1.6

Baidu Antivirus

Adware.Win32.BrowseFox

4.0.3.15812

Clam AntiVirus

Win.Adware.Browsefox-725

0.98/20780

Malwarebytes

PUP.Optional.GoldenDock.A

v2015.08.12.07

File size:

60 KB (61,392 bytes)

Product version:

2015.08.11

File type:

Executable application (Win32 EXE)

Installer:

NSIS (Nullsoft Scriptable Install System)

Language:

Language Neutral

Common path:

C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\mp.exe

Digital Signature

Signed by:

Golden Dock

Authority:

VeriSign, Inc.

Valid from:

7/9/2015 2:00:00 AM

Valid to:

7/9/2016 1:59:59 AM

Subject:

CN=Golden Dock, O=Golden Dock, L=San Diego, S=California, C=US

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

0B58D134BC7841B7C3E6D5FE14474DDC

File PE Metadata

Compilation timestamp:

6/5/2014 1:58:31 AM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

9.0

CTPH (ssdeep):

768:rcA6fnsOkMIc9uTXg8jyWPeXUAPkkFB65LZ7PBS0CVm75nLtVW1kafeMXnbzc8bM:KfnsOk/cIDnj8F/oBS0CV6J/zkzcD6M7

Entry address:

0x31E4

Entry point:

81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, E0, 73, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, B8, 6C, 44, 00, E8, 1B, 25, 00, 00, 53, 68, 60, 01, 00, 00, A3, C0, 6B, 44, 00, 8D, 44, 24, 38, 50, 53, 68, DB, 73, 40, 00, FF, 15, 58, 71, 40, 00, 68, D0, 73, 40, 00, 68, C0, 2B, 44, 00, E8, 0D, 24, 00, 00, FF, 15, AC, 70, 40, 00, 50, BF, 00, F0, 46, 00, 57, E8, FB, 23, 00, 00... 
[+]

Packer / compiler:

Nullsoft install system v2.x

Code size:

22.5 KB (23,040 bytes)

The file mp.exe has been seen being distributed by the following URL.

http://cdn.results-hub.com/.../mp?mpt=64&v=1.0.5701.30181

Remove mp.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.