nsj8324.tmp

The file nsj8324.tmp has been detected as a potentially unwanted program by 4 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. The file has been seen being downloaded from s3.amazonaws.com. While running, it connects to the Internet address server-54-230-38-29.jfk1.r.cloudfront.net on port 80 using the HTTP protocol.
MD5:
36faf51a99718c7a30e2a5009b1fa97d

SHA-1:
ab2a1c65f3d81330653a9d6cb5b5f6f9a9a2ea5f

SHA-256:
a87dac56540e26479ad2da735ff75a9178f941fca25773a694201b22124afa0f

Scanner detections:
4 / 68

Status:
Potentially unwanted

Analysis date:
11/16/2024 9:46:37 AM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.VOPackage
2015.09.27

Arcabit
PUP.Adware.ConvertAd
1.0.0.582

Kaspersky
not-a-virus:AdWare.Win32.Vopak
14.0.0.1200

Reason Heuristics
Adware.Generic.ABT (M)
16.2.29.17

File size:
219.6 KB (224,844 bytes)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\nsj8324.tmp

File PE Metadata
Compilation timestamp:
12/6/2009 12:50:52 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:0e34yJ0zjq7ZSmz0LH4ley7xOFip5WzPW7:uc8mz06xOFi3Wzu7

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file nsj8324.tmp has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-38-29.jfk1.r.cloudfront.net  (54.230.38.29:80)

TCP (HTTP):
Connects to ec2-52-1-45-42.compute-1.amazonaws.com  (52.1.45.42:80)

Remove nsj8324.tmp - Powered by Reason Core Security