pokkiInstaller.exe

Pokki Installer

Pokki

The application pokkiInstaller.exe by Pokki has been detected as a potentially unwanted program by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The file has been observed being downloaded from download2179.mediafire.com and multiple other hosts. While running, it connects to the Internet address cdn-87-248-217-253.frf.llnw.net on port 80 using the HTTP protocol.
Publisher:
Pokki (signed and verified)

Product:
Pokki Installer

Version:
0.266.1.169

MD5:
c693853729168e427e88e464a67dc5e0

SHA-1:
49f77be68f14047fbbbca457e1b0a12324544083

SHA-256:
e394b024b32a5d768dd2efb06feee42cc3bc5b542c1b711ed02ee1b7b7908093

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/15/2024 3:26:51 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Optional.Installer.Pokki.O

Engine version:
14.3.3.12

File size:
2.6 MB (2,690,376 bytes)

Product version:
0.266.1.169

Copyright:
Copyright (C) 2010-2012 - SweetLabs, Inc

Original file name:
pokkiInstaller.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\pokkiinstaller.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
2/28/2012 3:00:00 AM

Valid to:
4/26/2015 2:59:59 AM

Subject:
CN=Pokki, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Pokki, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
7F0C02A0B2F2B0727327296C8736183B

File PE Metadata
Compilation timestamp:
10/31/2013 9:18:45 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
49152:529eGdYyVL/hAV5xZQKgdMRmGdGdj11HozPQ48BA755TBV6p/inbuVodkZv26S+n:5Q3D+Hg2mBdEzPpeA6ibWD

Entry address:
0x90513

Entry point:
E8, E7, C2, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 51, 83, 65, FC, 00, 56, 8D, 45, FC, 50, FF, 75, 0C, FF, 75, 08, E8, 63, C3, 00, 00, 8B, F0, 83, C4, 0C, 85, F6, 75, 18, 39, 45, FC, 74, 13, E8, 96, 01, 00, 00, 85, C0, 74, 0A, E8, 8D, 01, 00, 00, 8B, 4D, FC, 89, 08, 8B, C6, 5E, C9, C3, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 75, 0B, FF, 75, 0C, E8, 9A, 00, 00, 00, 59, 5D, C3, 56, 8B, 75, 0C, 85, F6, 75, 0D, FF, 75, 08, E8, EA, D1, FF, FF, 59, 33, C0, EB, 4D, 57, EB, 30, 85, F6, 75, 01, 46, 56, FF, 75...

Entropy:
7.0704

Code size:
1.4 MB (1,446,400 bytes)

The file pokkiInstaller.exe has been seen being distributed by the following 9 URLs.

http://download2179.mediafire.com/9m3ncn7779hg/.../PokkiInstaller.exe

http://download2179.mediafire.com/sukb6d9r1mjg/.../PokkiInstaller.exe

http://download2179.mediafire.com/l5ufg7ann96g/.../PokkiInstaller.exe

http://download2179.mediafire.com/40r4d10fyk3g/.../PokkiInstaller.exe

http://download2179.mediafire.com/07v5fs60wgqg/.../PokkiInstaller.exe

http://202.65.242.8/.../PokkiInstaller.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to s3-1-w.amazonaws.com (205.251.243.169:80)

TCP (HTTP):
Connects to cdn-87-248-217-253.frf.llnw.net (87.248.217.253:80)

TCP (HTTP):
Connects to cdn-87-248-210-254.lon.llnw.net (87.248.210.254:80)

Remove pokkiInstaller.exe - Powered by Reason Core Security