zombiesetup.exe

Creative Island Media, LLC

The software will display additional offers (such as adware) during installation including a browser toolbar/extension as well as advertising injection software (part of the Injekt brand). The application zombiesetup.exe by Creative Island Media has been detected as adware by 16 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from secure.ilandcachecdn.com. While running, it connects to the Internet address update.betterxperience.com on port 80 using the HTTP protocol.
Publisher:
Creative Island Media, LLC  (signed and verified)

MD5:
dfda46b0e22c72e3a45fe9347fe09bcd

SHA-1:
be0dbe36ead4458f1b092d5f7707bd6279805ec0

SHA-256:
8dc6409a6fd8b497b8001e442f2dcf1bcb927e4d4571efac53498efc4aad8464

Scanner detections:
16 / 68

Status:
Adware

Explanation:
Injects display ads (banner ads), in-text ads, interstitial ads, or other types of ads in the web browser as well as alters the browsers settings (home page, search, DNS, and security protocols).

Analysis date:
11/30/2024 8:21:59 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.PullUpdate
7.1.1

Comodo Security
ApplicUnwnt
18115

Dr.Web
Adware.Plugin.128
9.0.1.0108

ESET NOD32
MSIL/Adware.PullUpdate
8.9687

Fortinet FortiGate
Adware/SaMon
4/18/2014

herdProtect (fuzzy)
2014.7.7.3

IKARUS anti.virus
not-a-virus:AdWare.Win32.SaMon
t3scan.1.6.1.0

Kaspersky
not-a-virus:AdWare.Win32.SaMon
14.0.0.3998

Malwarebytes
PUP.Optional.ZombieAlert.A
v2014.04.18.07

McAfee
Artemis!DFDA46B0E22C
5600.7157

Qihoo 360 Security
Win32/Trojan.Adware.988
1.0.0.1015

Reason Heuristics
PUP.Installer.CreativeIslandMedia.L
14.8.7.20

Sophos
Generic PUA DH
4.98

Trend Micro House Call
TROJ_GEN.F47V0402
7.2.108

Vba32 AntiVirus
TScope.Trojan.MSIL
3.12.26.0

VIPRE Antivirus
Injekt
28312

File size:
3 MB (3,136,456 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\zombiesetup.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
3/24/2014 1:00:00 AM

Valid to:
6/24/2015 1:59:59 AM

Subject:
CN="Creative Island Media, LLC", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Creative Island Media, LLC", L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
0ED42A15C608C5CB28B1EF56CE392E5E

File PE Metadata
Compilation timestamp:
6/6/2009 11:41:59 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:QLwI25JsUZRNiRR67t3U9ZZOBS48zAmC1Yc4OwpnlrEiiCcVilp4DRT5xs+jTor:QLwzFnNiGREVOIzApYfdllrEiNcoMDls

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file zombiesetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to update.betterxperience.com  (54.218.62.24:80)

TCP (HTTP):
Connects to d.pullupdate.com  (54.230.15.37:80)

Remove zombiesetup.exe - Powered by Reason Core Security