zwinkycrxsetup.9808ec26-beae-4466-9cc9-f7f076100229.exe

Mindspark Interactive Network

The application zwinkycrxsetup.9808ec26-beae-4466-9cc9-f7f076100229.exe by Mindspark Interactive Network has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The file has been seen being downloaded from ak.imgfarm.com and multiple other hosts. While running, it connects to the Internet address anx.mindspark.com on port 80 using the HTTP protocol.
Publisher:
Zwinky (signed by Mindspark Interactive Network)

Product:
Zwinky

Version:
2.2.1.2

MD5:
f0b4784ec91b0117ef21248577ddad2b

SHA-1:
9d6f76b7429ad172e60245add1810aa31c33be2d

SHA-256:
9a411bad1a50f8533fdce5e78ccb003d76273e90376a4e697809a29b5c540868

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines has not yet detected this file; however, based on our own detection heuristics, we consider this file unwanted.

Analysis date:
11/27/2024 9:31:54 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Mindspark (M)

Engine version:
16.8.10.10

File size:
3 MB (3,116,920 bytes)

Product version:
2.2.1.2

Copyright:
Copyright © 2012, 2013

Original file name:
5qSetup.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\zwinkycrxsetup.9808ec26-beae-4466-9cc9-f7f076100229.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
4/10/2012 3:00:00 AM

Valid to:
5/7/2015 2:59:59 AM

Subject:
CN=Mindspark Interactive Network, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Mindspark Interactive Network, L=White Plains, S=NewYork, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
098417F7EA6406EC7B320590E17A65B7

File PE Metadata
Compilation timestamp:
10/25/2013 6:50:33 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
49152:hC/l6pcWQtrWofBEaCp01a9Ac7V+o/+20ZujUHP8SFEy++EzFB2/i5dP:4d6KrW0tC19N7ViwjYP8SFp+Dv

Entry address:
0x235A1

Entry point:
E8, A5, 6E, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, C1, 8B, 4D, 08, C7, 00, F8, 9A, 43, 00, 8B, 09, 89, 48, 04, C6, 40, 08, 00, 5D, C2, 08, 00, 8B, 41, 04, 85, C0, 75, 05, B8, 00, 9B, 43, 00, C3, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 57, 8B, F9, 74, 2D, 56, FF, 75, 08, E8, 34, FD, FF, FF, 8D, 70, 01, 56, E8, 0C, D7, FF, FF, 59, 59, 89, 47, 04, 85, C0, 74, 11, FF, 75, 08, 56, 50, E8, DE, 6E, 00, 00, 83, C4, 0C, C6, 47, 08, 01, 5E, 5F, 5D, C2, 04, 00, 8B, FF, 56, 8B, F1, 80, 7E, 08, 00, 74, 09, FF...

Entropy:
6.2815

Packer / compiler:
PEQuake V0.06

Code size:
218.5 KB (223,744 bytes)

The file zwinkycrxsetup.9808ec26-beae-4466-9cc9-f7f076100229.exe has been seen being distributed by the following 2 URLs.

http://ak.imgfarm.com/images/nocache/vicinio/installers/207521081.YYA.2/177392-131107144507-YYA.2/.../ZwinkyCrxSetup.8664CDE0-5DEB-49EE-98EA-D177E68DFA38.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www187.mindspark.com (74.113.233.187:80)

TCP (HTTP):
Connects to anx.mindspark.com (74.113.233.187:80)