ship_simulator_extremes.exe

Inffinity Internet, S.L.

The application ship_simulator_extremes.exe by Inffinity Internet, S.L has been detected as adware by 9 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. This will display context specific advertisements in the browser as well as attempt to modify the browser's search provider. While running, it connects to the Internet address pf.phpnuke.org on port 80 using the HTTP protocol.
Publisher:
Inffinity Internet, S.L.  (signed and verified)

MD5:
5530b1a4f2f486530287dfdbdbef74b8

SHA-1:
a4ec7faaa0602c524b0b37fceb42690a437b5aaf

SHA-256:
051ccf955fe2434b148a084e9c27e5c602679de50e0ea57b4953c3a54a6ecdfd

Scanner detections:
9 / 68

Status:
Adware

Explanation:
The installer may include an offer for the Babylon Toolbar (a homepage/search hijacker), which is potentially installed with minimal user consent.

Analysis date:
12/26/2024 12:47:25 AM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
ADWARE/Adware.Gen4
8.3.1.6

avast!
Installer-Z [PUP]
150602-1

AVG
Potentially harmful program Toolbar.Babylon
2014.0.4311

Dr.Web
Adware.Downware.1036
9.0.1.05190

ESET NOD32
Win32/Toggle.H potentially unwanted application
7.0.302.0

K7 AntiVirus
Unwanted-Program
13.204.16122

NANO AntiVirus
Riskware.Nsis.Adware.dpyzfo
0.30.24.1636

Reason Heuristics
PUP.Installer.InffinityInternet
15.6.3.4

VIPRE Antivirus
Threat.4150696
40786

File size:
115.9 KB (118,672 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\ship_simulator_extremes.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
1/6/2013 1:00:00 AM

Valid to:
1/7/2014 12:59:59 AM

Subject:
CN="Inffinity Internet, S.L.", O="Inffinity Internet, S.L.", L=Villaviciosa de Odon, S=Madrid, C=ES

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
015B6BA30C3A5ECC19D4151834ADE49D

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
3072:pgXdZt9P6D3XJA45exQnn3UQwIAwP5kTkO0nc6++ENVmF6:pe34eFqn/bRkKc6Um8

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to pf.phpnuke.org  (198.50.173.143:80)

TCP (HTTP):
Connects to downloads.phpnuke.org  (37.59.191.12:80)

Remove ship_simulator_extremes.exe - Powered by Reason Core Security