pacfunction_setup.exe

PacFunction

This is the installer for a Yontoo adware component, a web browser plugin that injects unwanted ads into the browser. The application pacfunction_setup.exe by PacFunction has been detected as adware by 15 anti-malware scanners. It is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. Once installed, the plugin displays context-based advertisements on various web pages, either by overwriting existing ads or by inserting new ones. The installer is typically executed from the user's temporary directory. The file has been seen being downloaded from install-cdn.pacfunction.info. While running, it connects to the Internet address api.yontoo.com on port 80 using the HTTP protocol.
Publisher:
PacFunction  (signed and verified)

MD5:
310ad0915a18b1e9a22a96ba0a7e5689

SHA-1:
7d2c0a6c3ed67c3bb232ecb3e4c461ca350e2309

SHA-256:
b9e4e8d874e894ae702981855f42d0458d081e6d68fcb17c241b49c4cf835a90

Scanner detections:
15 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
12/25/2024 1:33:34 AM UTC

Scan engine | Detection | Engine version
Comodo Security | Application.Win32.Altbrowse.AK | 17982
Dr.Web | Trojan.BPlug.37 | 9.0.1.083
ESET NOD32 | Win32/BrowseFox (variant) | 8.9581
Fortinet FortiGate | Adware/Agent | 3/24/2014
Kaspersky | not-a-virus:AdWare.Win32.Agent | 14.0.0.4122
Malwarebytes | PUP.Optional.PacFunction.A | v2014.03.24.03
McAfee | Artemis!310AD0915A18 | 5600.7181
NANO AntiVirus | Riskware.Win32.Agent.cqvnby | 0.28.0.58491
Reason Heuristics | PUP.Installer.PacFunction.R | 14.3.24.15
Rising Antivirus | NS:PUF.SilenceInstaller!1.9DDF | 23.00.65.14322
Sophos | Generic PUA EB | 4.98
SUPERAntiSpyware | Adware.BrowseFox/Variant | 10708
Trend Micro House Call | TROJ_GEN.F47V0316 | 7.2.83
Vba32 AntiVirus | AdWare.Agent | 3.12.24.3
VIPRE Antivirus | Yontoo | 27690

File size:
2.8 MB (2,920,680 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\pacfunction_setup.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
1/9/2014 1:00:00 AM

Valid to:
1/10/2015 12:59:59 AM

Subject:
CN=PacFunction, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=PacFunction, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
4DF47FADF68D2EB9B8A7923DCCC176FF

File PE Metadata
Compilation timestamp:
12/5/2009 11:52:01 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:gmWF88FAdRiOxzWr2CJUxz0g8QSgtwjAmyP6XV9D7BGw/UhCTmuoCaeauljrdWlL:gmWuGWR/ROPUxz0SyXVN7BGqTpccjxWd

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 6F, 44, 00, E8, F1, 2B, 00, 00, A3, 84, 6E, 44, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, 9C, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 2E, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, F0, 46, 00, 50, 57, E8, 92, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file pacfunction_setup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)

Powered by Reason Core Security