pjr_webssearches.exe

1840_pjr_webssearches

Ma Lin

The application pjr_webssearches.exe by Ma Lin has been detected as adware by 16 anti-malware scanners. This is a setup program which is used to install the application. It bundles adware offers using Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offers presented are based on the PC's geo-location at the time of install. The file is typically executed from the user's temporary directory and has been seen being downloaded from www.girllumin.com.

Publisher:
One Syn  (signed by Ma Lin)

Product:
1840_pjr_webssearches

Description:
Syn worker

Version:
6.3.7601.1094

MD5:
b9b4bbe8345e96b25c43bb78cddacbdc

SHA-1:
fda82e4a8bd6932a0a4df89eab13cf867c582750

SHA-256:
9f209642422d323a8b8865f8d69a8a891406015eb85ae9d8db7a5bb750711e37

Scanner detections:
16 / 68

Status:
Adware

Analysis date:
11/23/2024 11:15:54 AM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Agnitum Outpost | Riskware.Agent | 7.1.1 |
| AhnLab V3 Security | PUP/Win32.Amonetize | 2014.11.12 |
| Avira AntiVirus | ADWARE/Adware.Gen | 7.11.184.98 |
| AVG | Malin | 2015.0.3294 |
| Baidu Antivirus | Adware.Win32.ELEX | 4.0.3.141111 |
| Dr.Web | Adware.Mutabaha.83 | 9.0.1.05190 |
| ESET NOD32 | Win32/ELEX.AZ (variant) | 8.10707 |
| Fortinet FortiGate | Riskware/Elex | 11/20/2014 |
| IKARUS anti.virus | PUA.SafeSurf | t3scan.1.8.3.0 |
| K7 AntiVirus | Trojan | 13.185.14007 |
| Malwarebytes | PUP.Optional.Bundle | v2014.11.11.10 |
| McAfee | Artemis!2D79E522A869 | 5600.6941 |
| NANO AntiVirus | Riskware.Win32.Mutabaha.diqyjk | 0.28.6.63362 |
| Qihoo 360 Security | Malware.QVM10.Gen | 1.0.0.1015 |
| Reason Heuristics | PUP.MaLin.Q | 14.11.11.10 |
| Sophos | Generic PUA IN | 4.98 |

File size:
563.1 KB (576,592 bytes)

Product version:
6.3.7601.1094

Copyright:
One Syn

Original file name:
Worker.exe

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\pjr_webssearches.exe

Digital Signature
Signed by:

Authority:
WoSign CA Limited

Valid from:
8/20/2014 12:22:46 PM

Valid to:
7/20/2015 12:22:46 PM

Subject:
CN=Ma Lin, E=chloezhangling@163.com, L=北京市, S=北京市, C=CN

Issuer:
CN=WoSign Class 2 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
760E23ABF26CF75AE5C944881CCA6DA7

File PE Metadata
Compilation timestamp:
10/21/2014 12:39:32 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:1g1gOyAI8OK+Df23syHi3HeHNu/SXATpPTOZZNVG03:u1HyUqet6SwNTiZNVGk

Entry address:
0x3FBA5

Entry point:
E8, 56, 04, 01, 00, E9, 7F, FE, FF, FF, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 98, 26, 48, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 18, 72, 47, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 98, 26, 48, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01, 00, 00, F7, C6, 03, 00, 00...
 

Code size:
380.5 KB (389,632 bytes)

The file pjr_webssearches.exe has been seen being distributed by the following URL.
