sp-downloader.exe

ClientConnect LTD

The file belongs to the ClientConnect (Conduit/Perion) platform, a utility that bundles and monetizes search toolbars and browser add-ons. The application sp-downloader.exe by ClientConnect has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from d1pg43ots40sgg.cloudfront.net and multiple other hosts.
Publisher:
ClientConnect  (signed by ClientConnect LTD)

Description:
Search Protect

Version:
1.1.2.4

MD5:
0b813086a3400aafa1639d08823fbd46

SHA-1:
119e149747a552877117a6d91efd3be4b26418ae

SHA-256:
c967920dc9349c9d963838391a29718b64ed2686a06d82c4afe0363e462fb509

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Bundles the Conduit Toolbar and/or Conduit Search Protect.

Analysis date:
12/24/2024 2:20:12 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Threat.Conduit.Installer
15.4.2.1

File size:
142.5 KB (145,928 bytes)

Copyright:
© 2014 ClientConnect Ltd.

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\sp-downloader.exe

Digital Signature
Authority:
Symantec Corporation

Valid from:
4/29/2014 2:00:00 AM

Valid to:
4/30/2016 1:59:59 AM

Subject:
CN=ClientConnect LTD, OU=SPStub, O=ClientConnect LTD, L=Ness Ziona, S=Israel, C=IL

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
36AC210D3412C8646EB3F4C8EE541402

File PE Metadata
Compilation timestamp:
7/6/2011 4:31:20 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
3072:9cmVWD5ltbmP3Q7yYCkKP5/wYh8qQbz+/pApSy1TwtMHl3jI:imJI8kKBjy2SCeHl0

Entry address:
0x354B

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 84, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, B0, 82, 40, 00, 6A, 08, A3, 98, 06, 47, 00, E8, 67, 27, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, 05, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 86, 40, 00, FF, 15, 80, 81, 40, 00, 68, 04, 86, 40, 00, 68, A0, 85, 46, 00, E8, 35, 26, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 10, 4C, 00, 57, E8, 23, 26, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
25 KB (25,600 bytes)

The file sp-downloader.exe has been seen being distributed by the following 12 URLs.

http://d1pg43ots40sgg.cloudfront.net/bundle/SearchProtect_Illyx/.../conduit.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to a23-214-155-116.deploy.static.akamaitechnologies.com  (23.214.155.116:443)

TCP (HTTP):
Connects to ec2-23-23-99-139.compute-1.amazonaws.com  (23.23.99.139:80)

TCP (HTTP):
Connects to ec2-54-225-182-66.compute-1.amazonaws.com  (54.225.182.66:80)

TCP (HTTP SSL):
Connects to a184-87-216-201.deploy.static.akamaitechnologies.com  (184.87.216.201:443)

TCP (HTTP):

TCP (HTTP SSL):
Connects to a104-94-7-44.deploy.static.akamaitechnologies.com  (104.94.7.44:443)

TCP (HTTP SSL):
Connects to a104-96-23-228.deploy.static.akamaitechnologies.com  (104.96.23.228:443)

TCP (HTTP SSL):
Connects to a96-7-59-102.deploy.akamaitechnologies.com  (96.7.59.102:443)

TCP (HTTP SSL):
Connects to a72-246-220-11.deploy.akamaitechnologies.com  (72.246.220.11:443)

TCP (HTTP):

TCP (HTTP SSL):
Connects to a23-4-252-124.deploy.static.akamaitechnologies.com  (23.4.252.124:443)

TCP (HTTP SSL):
Connects to a23-39-174-166.deploy.static.akamaitechnologies.com  (23.39.174.166:443)

Remove sp-downloader.exe - Powered by Reason Core Security