wajam_download.exe

Iphone-Install.com

The application wajam_download.exe by Iphone-Install.com has been detected as a potentially unwanted program by 10 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from 113.171.224.214 and multiple other hosts.
Publisher:
Iphone-Install.com  (signed and verified)

MD5:
e31d6137e33c9e71e4b9a3c22d72ee2d

SHA-1:
58a5e2f13bd14864b2911c844940fd193505ed77

SHA-256:
3c16f90c19231d2167a17ed921ee92ec3260e8a192da628b87ca73c4c9a229e2

Scanner detections:
10 / 68

Status:
Potentially unwanted

Analysis date:
12/24/2024 5:24:14 PM UTC  (today)

Scan engine | Detection | Engine version
avast! | Win32:Dropper-gen [Drp] | 2014.9-150118
Baidu Antivirus | PUA.MSIL.Wajam | 4.0.3.15118
Dr.Web | Adware.Searcher.2746 | 9.0.1.05190
ESET NOD32 | MSIL/Wajam.A potentially unwanted application | 7.0.302.0
G Data | Win32.Trojan.Agent.TT1KHK | 15.1.24
McAfee | Artemis!775B43022C26 | 5600.6881
Qihoo 360 Security | HEUR/QVM42.0.Malware.Gen | 1.0.0.1015
Reason Heuristics | PUP.IphoneInstall | 15.2.14.11
Trend Micro House Call | Suspici.41822584 | 7.2.18
Zillya! Antivirus | Trojan.Win32.1DB12147 | 2.0.0.2038

File size:
2.3 MB (2,406,368 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\exe\wajam-internet-technologies-wajam-1.0-de-de\wajam_download.exe

Digital Signature
Authority:
thawte, Inc.

Valid from:
12/10/2014 1:00:00 AM

Valid to:
12/11/2015 12:59:59 AM

Subject:
CN=Iphone-Install.com, O=Iphone-Install.com, L=montreal, S=quebec, C=CA

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
3A9486DD32A165F8BAA825EFBA581212

File PE Metadata
Compilation timestamp:
12/5/2009 11:53:18 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:8XLlP3EfzZqBhyNesOAUVdnoR99qCccr8oplxHC7plPEBGibkB81R49UvIreRx4G:yPMFqyhlUjwfXccr3l87+Gibki10UQrc

Entry address:
0x36A0

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 88, A7, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 80, 40, 00, 53, FF, 15, 88, 82, 40, 00, 6A, 08, A3, B8, 63, 42, 00, E8, EE, 2E, 00, 00, A3, 04, 63, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, B0, 0C, 42, 00, FF, 15, 58, 81, 40, 00, 68, 10, A8, 40, 00, 68, 00, 5B, 42, 00, E8, F4, 29, 00, 00, FF, 15, B0, 80, 40, 00, BF, 00, C0, 42, 00, 50, 57, E8, E2, 29, 00, 00...
 

Packer / compiler:
Nullsoft install system v2.x

Code size:
24.5 KB (25,088 bytes)

The file wajam_download.exe has been seen being distributed by the following 4 URLs.

http://113.171.224.214/.../WIE_2.22.2.15.exe

http://113.171.224.168/.../WIE_2.22.2.15.exe
