setup.exe

kozaka

This is the installer and setup program from the kozaka branded Yontoo adware web browser extension. This adware injects various forms of advertisements in the user's web browser based on the HTML content and URLs viewed. Ad include banners, in-line context text links, coupons, and search. The program will install an auto-updating background service that will update the software with additional features. The application setup.exe by kozaka has been detected as adware by 15 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
kozaka  (signed and verified)

MD5:
8a740d04a70689107275c1353f65bbf2

SHA-1:
1eb1a72c31237d1e6fd746c96742d8579aff884f

SHA-256:
d08e7e4e21b94c806d1d75f3557fb981d479b7bb8db55015d0829f7e716c22b7

Scanner detections:
15 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
12/25/2024 1:31:32 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Malware-gen
2014.9-131224

AVG
Skodna.Generic
2014.0.3616

Bkav FE
W32.Clod693.Trojan
1.3.0.4613

Comodo Security
Application.Win32.Altbrowse.AK
17409

Dr.Web
Adware.Plugin.124
9.0.1.0358

ESET NOD32
Win32/BrowseFox
7.9148

Fortinet FortiGate
Adware/Agent
12/24/2013

G Data
Win32.Trojan.Agent.RMKQVE
13.12.22

Malwarebytes
PUP.Optional.Kozaka.A
v2013.12.24.05

McAfee
Artemis!8A740D04A706
5600.7272

Reason Heuristics
PUP.Installer.kozaka.F
14.8.7.20

Rising Antivirus
NS:PUF.SilenceInstaller!1.9DDF
23.00.65.131222

Trend Micro House Call
ADW_AGENT
7.2.358

Trend Micro
ADW_AGENT
10.465.24

VIPRE Antivirus
Yontoo
24164

File size:
847.7 KB (868,024 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\setup.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
10/7/2013 1:00:00 AM

Valid to:
10/8/2014 12:59:59 AM

Subject:
CN=kozaka, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=kozaka, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
1B38C0B5B092B91BC43EB30DCF78B962

File PE Metadata
Compilation timestamp:
12/5/2009 10:52:01 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
24576:cg3Q6F84k9AhDRiYwR+Q+pKk+HEJQ6l8u:7pF84KAdRiOZF+krl8u

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 6F, 44, 00, E8, F1, 2B, 00, 00, A3, 84, 6E, 44, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, 9C, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 2E, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, F0, 46, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file setup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)

Remove setup.exe - Powered by Reason Core Security