home

{09c3ffd6-f1a3-4fde-86e1-d448e8559c21}w64.sys

Girafarri

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The file {09c3ffd6-f1a3-4fde-86e1-d448e8559c21}w64.sys by Girafarri has been detected as adware by 29 anti-malware scanners. It runs as a Windows 64-bit kernel mode device driver named “{09c3ffd6-f1a3-4fde-86e1-d448e8559c21}w64”. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
StdLib  (signed by Girafarri)

Product:
StdLib

Version:
1.4.4.6 built by: WinDDK

MD5:
800d039de934824e73077fbfe4d5bfd1

SHA-1:
da4f3453b16afdec507b1d3c93c5ee2ccf5e928a

SHA-256:
f016f206394220d7aee481867fd06e04a6196b474542eddbdc3646902ffa8fe3

Scanner detections:
29 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/26/2024 12:58:10 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.SwiftBrowse.CH
655

Agnitum Outpost
Riskware.Agent
7.1.1

avast!
Win32:BrowseFox-EN [PUP]
2014.9-150421

AVG
Girafarri
2016.0.3133

Bitdefender
Adware.SwiftBrowse.CH
1.0.20.555

Bkav FE
W64.HfsAdware
1.3.0.6379

Clam AntiVirus
Win.Adware.Swiftbrowse-497
0.98/19765

Dr.Web
hacktool program Tool.NetFilter.313
9.0.1.0111

Emsisoft Anti-Malware
Adware.SwiftBrowse.CH
8.15.04.21.09

ESET NOD32
Win64/BrowseFox.CG potentially unwanted application
9.7.0.302.0

Fortinet FortiGate
Adware/NetFilter
4/21/2015

F-Prot
W64/A-59c9c70a
v6.4.7.1.166

F-Secure
Adware.SwiftBrowse.CH
11.2015-21-04_3

G Data
Adware.SwiftBrowse.CH
15.4.25

herdProtect (fuzzy)
variant of {da0b130f-7ef7-4a5c-97ff-4239bbc3502d}gw64.sys (Adware)
2015.7.22.14

K7 AntiVirus
Adware
13.202.15452

Malwarebytes
PUP.Optional.Girafarri
v2015.04.21.09

McAfee
Artemis!800D039DE934
5600.6789

MicroWorld eScan
Adware.SwiftBrowse.CH
16.0.0.333

NANO AntiVirus
Trojan.Win64.Yontoo.dqckrn
0.30.10.952

Norman
Adware.SwiftBrowse.CH
11.20150421

nProtect
Adware.SwiftBrowse.CH
14.12.11.01

Panda Antivirus
PUP/BrowseFox
15.04.21.09

Reason Heuristics
Threat.Yontoo.Girafarri
15.4.21.5

SUPERAntiSpyware
Adware.BrowseFox/Variant
9922

Trend Micro House Call
HS_BROWSEFOX.SM
7.2.111

Trend Micro
HS_BROWSEFOX.SM
10.465.21

VIPRE Antivirus
Threat.4150696
35418

Zillya! Antivirus
Adware.Yotoon.Win64.14
2.0.0.2123

File size:
47.7 KB (48,832 bytes)

Product version:
1.4.4.6

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win64 SYS)

Common path:
C:\Windows\System32\drivers\{09c3ffd6-f1a3-4fde-86e1-d448e8559c21}w64.sys

Digital Signature
Signed by:
Girafarri

Authority:
VeriSign, Inc.

Valid from:
4/22/2014 3:00:00 AM

Valid to:
4/23/2015 2:59:59 AM

Subject:
CN=Girafarri, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Girafarri, L=Santa Monica, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
2FB197284297D52000599AA2F7D0668F

File PE Metadata
Compilation timestamp:
3/24/2015 12:19:17 PM

OS version:
6.1

OS bitness:
Win64

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:lx7G2EjsnyXeOUEGG0LA8tWFZuL470h6aqxcCT2kvsVRwlZD3om:LFID6EGnLA8AFJTNEVmDl

Entry address:
0xC064

Entry point:
48, 83, EC, 28, 4C, 8B, C2, 4C, 8B, C9, E8, 95, FF, FF, FF, 49, 8B, D0, 49, 8B, C9, 48, 83, C4, 28, E9, E2, 50, FF, FF, CC, CC, 78, C2, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 54, C6, 00, 00, A0, 91, 00, 00, 28, C1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, DA, CA, 00, 00, 50, 90, 00, 00, D8, C0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, D2, CB, 00, 00, 00, 90, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B6, CB, 00, 00, 00, 00, 00, 00, A2, CB, 00, 00...
 
[+]

Code size:
34.5 KB (35,328 bytes)

Driver
Display name:
{09c3ffd6-f1a3-4fde-86e1-d448e8559c21}w64

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI


herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.