yam64-ivy.exe

JProof LLC

The application yam64-ivy.exe by JProof has been detected as adware by 19 anti-malware scanners. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address static.152.235.201.138.clients.your-server.de on port 80 using the HTTP protocol.
Publisher:
JProof LLC  (signed and verified)

MD5:
b7ae031f32d69907a8d829180c36eddb

SHA-1:
ea105159e1882906f2cbaee7764f76167486e642

SHA-256:
ec2f8138d0927a2494be41a91895620c224ab67a8a759b79388934e07642b8e0

Scanner detections:
19 / 68

Status:
Adware

Explanation:
The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
11/27/2024 4:44:32 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.Generic.15031612
480

Avira AntiVirus
PUA/BitcoinMiner.Gen
8.3.2.2

Arcabit
Trojan.Generic.DE55D3C
1.0.0.568

AVG
Generic
2016.0.2958

Bitdefender
Trojan.Generic.15031612
1.0.20.1425

Bkav FE
W64.HfsAdware
1.3.0.7237

Emsisoft Anti-Malware
Trojan.Generic.15031612
8.15.10.12.04

Fortinet FortiGate
Riskware/BitCoinMiner
10/12/2015

F-Secure
Trojan.Generic.15031612
11.2015-12-10_2

G Data
Trojan.Generic.15031612
15.10.25

IKARUS anti.virus
not-a-virus:RiskTool.BitCoinMiner
t3scan.1.9.5.0

K7 AntiVirus
Riskware
13.210.17412

Kaspersky
not-a-virus:RiskTool.Win64.BitCoinMiner
14.0.0.1287

McAfee
Artemis!B7AE031F32D6
5600.6614

MicroWorld eScan
Trojan.Generic.15031612
16.0.0.855

nProtect
Trojan.Generic.15031612
15.10.02.01

Panda Antivirus
Generic Suspicious
15.10.12.04

Reason Heuristics
PUP.EpicScale.JProof (M)
15.10.12.16

Trend Micro
TROJ_GEN.R047C0OIJ15
10.465.12

File size:
3.5 MB (3,620,456 bytes)

File type:
Executable application (Win64 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\yam64-ivy.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
10/5/2014 4:00:00 AM

Valid to:
10/11/2017 3:00:00 PM

Subject:
CN=JProof LLC, O=JProof LLC, L=Washington, S=New Jersey, C=US

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
010A6723CC9454568F41F9221A61B586

File PE Metadata
OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
2.24

CTPH (ssdeep):
49152:6OKXUwkYohqOE7P+IPY5BetywPqemxlcapg4LDxV130LYmwAT7p6dswB7GvIS:GUw5XnEdD0/w3BSJ

Entry address:
0x14D0

Entry point:
48, 83, EC, 28, C7, 05, 72, 42, 37, 00, 00, 00, 00, 00, E8, BD, D8, 20, 00, E8, 98, FC, FF, FF, 90, 90, 48, 83, C4, 28, C3, 90, 55, 48, 89, E5, 48, 83, E4, E0, 48, 81, EC, 80, 03, 00, 00, 48, 03, 17, C4, E1, F9, 6E, C2, C4, E2, 7D, 19, C0, C5, FD, D4, 15, EC, DA, 2D, 00, C4, E2, 7D, 59, 5F, 08, C5, FD, 7F, 9C, 24, E0, 00, 00, 00, C4, E2, 7D, 59, 47, 10, C5, FD, 7F, 84, 24, 00, 01, 00, 00, C4, E2, 7D, 59, 47, 18, C5, FD, 7F, 84, 24, 20, 01, 00, 00, C4, E2, 7D, 59, 47, 20, C5, FD, 7F, 84, 24, 40, 01, 00, 00...
 
[+]

Code size:
2.8 MB (2,900,480 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to static.88-198-114-156.clients.your-server.de  (88.198.114.156:80)

TCP (HTTP):
Connects to static.152.235.201.138.clients.your-server.de  (138.201.235.152:80)

TCP:
Connects to ip106.ip-79-137-57.eu  (79.137.57.106:8005)

TCP:
Connects to ip241.ip-144-217-61.net  (144.217.61.241:8005)

TCP (HTTP):
Connects to ec2-52-0-217-44.compute-1.amazonaws.com  (52.0.217.44:80)

TCP:
Connects to static.14.31.201.138.clients.your-server.de  (138.201.31.14:3334)

TCP:
Connects to ip217.ip-178-32-196.eu  (178.32.196.217:8005)

TCP (HTTP):
Connects to static.12.31.201.138.clients.your-server.de  (138.201.31.12:8080)

TCP:
Connects to ip20.ip-144-217-101.net  (144.217.101.20:8050)

Remove yam64-ivy.exe - Powered by Reason Core Security