nsjf6fb.tmp

4931_cmi_mystartsearch

Minidigital Technology Co., Limited

The file nsjf6fb.tmp by Minidigital Technology Co., Limited has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from 113.171.224.178 and multiple other hosts. While running, it connects to the Internet address server-205-251-209-61.mxp4.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
7th (signed by Minidigital Technology Co., Limited)

Product:
4931_cmi_mystartsearch

Description:
7th

Version:
7,0,0,2843

MD5:
bdef0be351c842b138504fd13de05532

SHA-1:
881fad21998bf603826379e2b52bad3a2349f1be

SHA-256:
b3b40459f76b5e76a641decd602948d8933195a834b4e0b789488332d83c73ea

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics we consider this file unwanted.

Analysis date:
12/24/2024 7:38:24 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.ELEX.MinidigitalTechnologyCo (M)

Engine version:
15.10.4.13

File size:
264.7 KB (271,024 bytes)

Product version:
7,0,0,2843

Copyright:
7th

Original file name:
7th

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\nsjf6fb.tmp

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
9/29/2015 12:15:51 PM

Valid to:
6/21/2016 4:55:40 PM

Subject:
CN="Minidigital Technology Co., Limited", O="Minidigital Technology Co., Limited", L=Hong Kong, S=Hong Kong, C=HK

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11214CE115AF28506C44B4B11D01099FEBCE

File PE Metadata
Compilation timestamp:
10/4/2015 5:47:05 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
3072:EVM5oc9xB9Q+85DuajBqMHhxj8jtwpOg4FPejf5m2xTV+rjIyqxB5kWK:Egoc9xSSA13IJnfPum2xTVjk7

Entry address:
0x17E04

Entry point:
E8, 5B, CF, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 18, D0, 43, 00, E8, 56, 67, 00, 00, E8, 82, 2D, 00, 00, 0F, B7, F0, 6A, 02, E8, EE, CE, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, B2, 63, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

Code size:
188.5 KB (193,024 bytes)

The file nsjf6fb.tmp has been seen being distributed by the following 2 URLs.

http://113.171.224.178/.../cmi_mystartsearch.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-205-251-209-61.mxp4.r.cloudfront.net (205.251.209.61:80)

TCP (HTTP):
Connects to server-205-251-209-201.mxp4.r.cloudfront.net (205.251.209.201:80)

Powered by Reason Core Security