yam.exe

JProof LLC

The application yam.exe by JProof has been detected as adware by 7 anti-malware scanners. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. While running, it connects to the Internet address static.152.235.201.138.clients.your-server.de on port 80 using the HTTP protocol.
Publisher:
JProof LLC  (signed and verified)

MD5:
5d7cf8bb1db4282575f973facb567a31

SHA-1:
76cd499e136a624a9134fbb9f77b27712750fab7

SHA-256:
3df440a98636c201aec24efbb445d5fd6ad1c279fa191c9f22b7aa07e712cec1

Scanner detections:
7 / 68

Status:
Adware

Explanation:
The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
11/23/2024 12:35:02 PM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
PUA/BitcoinMiner.Gen
8.3.1.6

AVG
Generic
2016.0.2983

Bkav FE
W64.HfsAdware
1.3.0.7062

IKARUS anti.virus
not-a-virus:RiskTool.BitCoinMiner
t3scan.1.9.5.0

Kaspersky
not-a-virus:RiskTool.Win64.BitCoinMiner
14.0.0.1411

Panda Antivirus
Generic Suspicious
15.09.17.08

Reason Heuristics
PUP.EpicScale.JProof (M)
15.9.17.20

File size:
3.5 MB (3,625,064 bytes)

File type:
Executable application (Win64 EXE)

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
10/5/2014 2:00:00 AM

Valid to:
10/11/2017 2:00:00 PM

Subject:
CN=JProof LLC, O=JProof LLC, L=Washington, S=New Jersey, C=US

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
010A6723CC9454568F41F9221A61B586

File PE Metadata
OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
2.24

CTPH (ssdeep):
49152:4OKQTCX8eS1K+2dEuORK4k1ghkIC+rcgzLv+DP0DnQX+H32Gm:jTC1I154mcQ3G

Entry address:
0x14D0

Entry point:
48, 83, EC, 28, C7, 05, 72, 42, 37, 00, 00, 00, 00, 00, E8, 1D, E5, 20, 00, E8, 98, FC, FF, FF, 90, 90, 48, 83, C4, 28, C3, 90, 55, 48, 89, E5, 48, 83, E4, E0, 48, 81, EC, 80, 03, 00, 00, 48, 03, 17, C4, E1, F9, 6E, C2, C4, E2, 7D, 19, C0, C5, FD, D4, 15, EC, DA, 2D, 00, C4, E2, 7D, 59, 5F, 08, C5, FD, 7F, 9C, 24, E0, 00, 00, 00, C4, E2, 7D, 59, 47, 10, C5, FD, 7F, 84, 24, 00, 01, 00, 00, C4, E2, 7D, 59, 47, 18, C5, FD, 7F, 84, 24, 20, 01, 00, 00, C4, E2, 7D, 59, 47, 20, C5, FD, 7F, 84, 24, 40, 01, 00, 00...
 
[+]

Code size:
2.8 MB (2,903,552 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to static.152.235.201.138.clients.your-server.de  (138.201.235.152:80)

TCP (HTTP):
Connects to static.88-198-114-156.clients.your-server.de  (88.198.114.156:80)

TCP:
Connects to static.13.31.201.138.clients.your-server.de  (138.201.31.13:3336)

TCP (HTTP):
Connects to ec2-52-0-217-44.compute-1.amazonaws.com  (52.0.217.44:80)

TCP:
Connects to static.12.31.201.138.clients.your-server.de  (138.201.31.12:3336)

TCP:
Connects to static.94.62.63.178.clients.your-server.de  (178.63.62.94:2555)

TCP:
Connects to static.78.147.9.176.clients.your-server.de  (176.9.147.78:45560)

TCP:
Connects to static.243.47.9.176.clients.your-server.de  (176.9.47.243:45590)

TCP:
Connects to static.14.31.201.138.clients.your-server.de  (138.201.31.14:3335)

TCP:
Connects to ns3064121.ip-94-23-8.eu  (94.23.8.105:7777)

TCP:
Connects to ns3001361.ip-37-59-49.eu  (37.59.49.7:7777)

TCP:
Connects to lb-182-223.above.com  (103.224.182.223:7778)

TCP:
Connects to ip217.ip-178-32-196.eu  (178.32.196.217:8050)

TCP:
Connects to ip20.ip-144-217-101.net  (144.217.101.20:8050)

TCP:
Connects to ip-149-202-169.eu  (149.202.169.14:7777)

TCP:
Connects to 195-154-181-121.rev.poneytelecom.eu  (195.154.181.121:45590)

Remove yam.exe - Powered by Reason Core Security