widgetlocker lockscreen apk v2.4.3 paid__4415_il24368.exe

Installer

The application widgetlocker lockscreen apk v2.4.3 paid__4415_il24368.exe has been detected as a potentially unwanted program by 13 anti-malware scanners. This is a self-extracting archive and installer, however the file is not signed with an authenticode signature from a trusted source. It bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install. The file has been seen being downloaded from www.specificdownload.com and multiple other hosts. While running, it connects to the Internet address server-52-84-25-137.sea32.r.cloudfront.net on port 80 using the HTTP protocol.
Product:
Installer

Version:
1.1.6.20

MD5:
24372ae249e4a85a8444d0e0886c040d

SHA-1:
7e5f18550c47505187c277c34d34d3a6b7cc98ae

SHA-256:
12818858ff39730d40b8b1ccf8eb17a362719c5fc994088abe9fa23c8a21d032

Scanner detections:
13 / 68

Status:
Potentially unwanted

Analysis date:
12/24/2024 11:16:07 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.Amonetize
7.1.1

AhnLab V3 Security
PUP/Win32.Amonetiz
2014.02.24

Avira AntiVirus
ADWARE/Adware.Gen2
7.11.133.86

avast!
Win32:Amonetize-F [PUP]
2014.9-140223

Baidu Antivirus
Adware.Win32.Amonetize
4.0.3.14223

Dr.Web
Adware.Downware.2160
9.0.1.054

ESET NOD32
Win32/Amonetize.AG (variant)
8.9460

Fortinet FortiGate
Riskware/Amonetize
2/23/2014

G Data
Win32.Application.Amonetize
14.2.24

Malwarebytes
PUP.Optional.Amonetize
v2014.02.23.06

McAfee
Artemis!24372AE249E4
5600.7210

Reason Heuristics
Threat.Win.Reputation.IMP
14.3.31.13

Trend Micro House Call
TROJ_GEN.F47V0220
7.2.54

File size:
322.5 KB (330,240 bytes)

Product version:
2.1.12

Copyright:
Copyright(c), All Rights Reserved.

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\widgetlocker lockscreen apk v2.4.3 paid__4415_il24368.exe

File PE Metadata
Compilation timestamp:
2/20/2014 4:13:42 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:dTYLOZQD3y7+TX8OocJICwB97Ks1Lqe+VN97+QGUZu0cTV+Y3QXzCNwTXHSpe:dTiOZQDi7+TsOocJN497wYQZu7TV+0Qa

Entry address:
0x26EC4

Entry point:
E8, BC, 95, 00, 00, E9, 89, FE, FF, FF, 57, 8B, C6, 83, E0, 0F, 85, C0, 0F, 85, C1, 00, 00, 00, 8B, D1, 83, E1, 7F, C1, EA, 07, 74, 65, EB, 06, 8D, 9B, 00, 00, 00, 00, 66, 0F, 6F, 06, 66, 0F, 6F, 4E, 10, 66, 0F, 6F, 56, 20, 66, 0F, 6F, 5E, 30, 66, 0F, 7F, 07, 66, 0F, 7F, 4F, 10, 66, 0F, 7F, 57, 20, 66, 0F, 7F, 5F, 30, 66, 0F, 6F, 66, 40, 66, 0F, 6F, 6E, 50, 66, 0F, 6F, 76, 60, 66, 0F, 6F, 7E, 70, 66, 0F, 7F, 67, 40, 66, 0F, 7F, 6F, 50, 66, 0F, 7F, 77, 60, 66, 0F, 7F, 7F, 70, 8D, B6, 80, 00, 00, 00, 8D, BF...
 
[+]

Code size:
228.5 KB (233,984 bytes)

The file widgetlocker lockscreen apk v2.4.3 paid__4415_il24368.exe has been seen being distributed by the following 14 URLs.

http://www.specificdownload.com/download.php?version=1.1.6.20&prefix=Deep Freeze Enterprise 7.72.220.4535 Full version 2014, Crack,Patch&campid=3207&instid[appname]=Deep Freeze Enterprise 7.72.220.4535 Full version 2014, Crack,Patch&instid[thankyoupage]=&instid[appsetupurl]=&instid[interrupted]=&instid[appimageurl]=http://s3.amazonaws.com/.../downloadall.png

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-52-84-25-234.sea32.r.cloudfront.net  (52.84.25.234:80)

TCP (HTTP):
Connects to server-52-84-25-137.sea32.r.cloudfront.net  (52.84.25.137:80)

TCP (HTTP):
Connects to ec2-54-243-162-153.compute-1.amazonaws.com  (54.243.162.153:80)