setup{1a95b1d1-834c-436d-80bb-39ffa9879b7b}.exe

WebAppTech Coding LLC

This file is part of an adware program designed to inject advertising (banners, text links) into the web browser, modify the browser's normal behavior, and modify the system settings that control which applications run at startup. It belongs to the Injekt family of unwanted programs. The application setup{1a95b1d1-834c-436d-80bb-39ffa9879b7b}.exe by WebAppTech Coding has been detected as adware by 5 anti-malware scanners. It is typically executed from the user's temporary directory. The file has been seen being downloaded from d.searchdonkeyapp.com.
Publisher:
UpdaterResponse (signed by WebAppTech Coding LLC)

Product:
UpdaterResponse

Version:
3, 0, 0, 1

MD5:
c83e046f1e30e62d277373f0714bd183

SHA-1:
26d7fb2f90c24f4c5742f8b7002f3dbe86d0f02d

SHA-256:
124953468b0a6ecbb333852f81d653e8254577107fad427c24cf54fa17050d1e

Scanner detections:
5 / 68

Status:
Adware

Explanation:
Injects display ads (banner ads), in-text ads, interstitial ads, or other types of ads into the web browser and alters the browser's settings (home page, search, DNS, and security protocols).

Analysis date:
11/27/2024 7:38:09 AM UTC

Scan engine               Detection                          Engine version
Dr.Web                    Adware.Searcher.2647               9.0.1.0146
Reason Heuristics         PUP.Installer.WebAppTechCoding.l   14.8.7.17
Trend Micro House Call    TROJ_GEN.F47V0412                  7.2.146
VIPRE Antivirus           Injekt                             29484

File size:
1 MB (1,085,304 bytes)

Product version:
3, 0, 0, 1

Original file name:
response.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\setup{1a95b1d1-834c-436d-80bb-39ffa9879b7b}.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
12/23/2013 7:00:00 PM

Valid to:
12/24/2014 6:59:59 PM

Subject:
CN=WebAppTech Coding LLC, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=WebAppTech Coding LLC, L=Grandville, S=Michigan, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
1A6411A4888DF6223DF9C572F9BE2E96

File PE Metadata
Compilation timestamp:
4/11/2014 1:44:37 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:duADi58EwHhVzMIDO/eSd2ebgurhjT4Hnn9R9Z:nSihVzMbeRSgurhX4Hnn9R9Z

Entry address:
0x9BC81

Entry point:
E8, 0A, 18, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, A8, 94, 4F, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, B0, 00, 4F, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, A8, 94, 4F, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01, 00, 00, F7...

Entropy:
6.5785

Code size:
784.5 KB (803,328 bytes)

The file setup{1a95b1d1-834c-436d-80bb-39ffa9879b7b}.exe has been seen being distributed by the following URL.

When executed, the file has been observed making the following network connection in live environments.

TCP (HTTP):
Connects to ec2-50-112-218-190.us-west-2.compute.amazonaws.com (50.112.218.190:80)