home

yngpen.exe

Jewel Quest

Western Web Applications, LLC

This is part of an adware program designed to inject advertising in the web browser (banners, text-links) as well as modify the normal behavior of the browser as well as modify the computer’s system settings that control applications to run on startup. Part of the Injekt brand of unwanted programs. The application yngpen.exe, “JewelQuest Service” by Western Web Applications has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a separate (within the context of its own process) windows Service named “YNGpEN”.
Publisher:
Western Web Applications, LLC  (signed and verified)

Product:
Jewel Quest

Description:
JewelQuest Service

Version:
1.0.0.0

MD5:
5e1830b76c5d984d62a5c09aa45c671f

SHA-1:
f59acbc6908f78668c48bd607da3c5a065c723cc

SHA-256:
95efe5bf942191a17e4d4cad06be8e983f7d18607e499b88c37d30d463632b91

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Injects display ads (banner ads), in-text ads, interstitial ads, or other types of ads in the web browser as well as alters the browsers settings (home page, search, DNS, and security protocols).

Analysis date:
9/16/2024 6:04:13 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Injekt (M)
16.11.2.1

File size:
2.2 MB (2,320,208 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © Western Web Applications, LLC 2014

Original file name:
JewelQuestService.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\ProgramData\kcqnyyf\yngpen.exe

Digital Signature
Signed by:
Western Web Applications, LLC

Authority:
VeriSign, Inc.

Valid from:
6/2/2014 5:00:00 PM

Valid to:
6/3/2015 4:59:59 PM

Subject:
CN="Western Web Applications, LLC", O="Western Web Applications, LLC", L=Del Mar, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
2846A7B6FF6C3C84D2AC5AD12B664347

File PE Metadata
Compilation timestamp:
8/4/2014 6:36:57 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
49152:ucfeq8iyQBDRXTgcpjrGscXfYjYv84xuydsAGMEj:DUpi/kkYvlxuydmMEj

Entry address:
0x2360EE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
7.9992

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
2.2 MB (2,310,656 bytes)

Service
Display name:
YNGpEN

Type:
Win32OwnProcess

Depends on:
Winmgmt CryptSvc


Remove yngpen.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.