setup.exe

Candle Jar

This is the installer and setup program from the Candle Jar branded Yontoo adware web browser extension. The adware injects various forms of advertisements into the user's web browser based on the HTML content and URLs viewed. Ads include banners, in-line context text links, coupons, and search results. The program also installs an auto-updating background service that updates the software with additional features. The application setup.exe by Candle Jar has been detected as adware by 6 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. Once installed, it plugs into the web browser and displays context-based advertisements by overwriting existing ads or inserting new ones on various web pages.
Publisher:
Candle Jar  (signed and verified)

Version:
2.0.5624.10228

MD5:
33bd88c24249b3f86b8c465306c74264

SHA-1:
e1d4c1fa8eed9728092be868e2396817e47804cf

SHA-256:
e97bdb6b737072f585f656f4ba27606830d1109c2b70f2d143d71731e626e226

Scanner detections:
6 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
12/24/2024 1:13:14 PM UTC

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.BrowseFox
2015.06.10

Baidu Antivirus
Adware.Win32.BrowseFox
4.0.3.15610

Clam AntiVirus
Win.Adware.Browsefox-725
0.98/20559

ESET NOD32
Win32/BrowseFox.BC potentially unwanted application
7.0.302.0

Malwarebytes
PUP.Optional.CandleJar.A
v2015.06.10.10

Vba32 AntiVirus
suspected of Trojan.Downloader.gen.h
3.12.26.4

File size:
292.1 KB (299,080 bytes)

Product version:
2015.05.26

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\qt9tbr21hc\setup.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
3/24/2015 7:00:00 PM

Valid to:
3/24/2016 6:59:59 PM

Subject:
CN=Candle Jar, O=Candle Jar, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
0E8E936F9E02A9051DC291967D4FCECA

File PE Metadata
Compilation timestamp:
6/4/2014 6:58:31 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:9Q3W5KnM3DoFFjuvf/toNQ8dqLuJoU0U7Hd8CntQOHHM+HFFTjXdpNnT29l:v5KnM3D0Fw/tN8dkmLtpHHHrh7ql

Entry address:
0x31E4

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, E0, 73, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, B8, 6C, 44, 00, E8, 1B, 25, 00, 00, 53, 68, 60, 01, 00, 00, A3, C0, 6B, 44, 00, 8D, 44, 24, 38, 50, 53, 68, DB, 73, 40, 00, FF, 15, 58, 71, 40, 00, 68, D0, 73, 40, 00, 68, C0, 2B, 44, 00, E8, 0D, 24, 00, 00, FF, 15, AC, 70, 40, 00, 50, BF, 00, F0, 46, 00, 57, E8, FB, 23, 00, 00...

Entropy:
7.9396

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file setup.exe has been seen being distributed by the following 5 URLs.

http://113.171.224.171/.../setup.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wac.edgecastcdn.net  (72.21.81.13:80)

TCP (HTTP):
Connects to service.yontoo.com  (8.25.35.148:80)

TCP (HTTP):
Connects to api.yontoo.com  (8.25.35.15:80)
