home

{0ca29851-3273-497e-b859-b648c9a6fe3a}w64.sys

Jump Flip

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The file {0ca29851-3273-497e-b859-b648c9a6fe3a}w64.sys by Jump Flip has been detected as adware by 28 anti-malware scanners. It runs as a Windows 64-bit kernel mode device driver named “{0ca29851-3273-497e-b859-b648c9a6fe3a}w64”. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
StdLib  (signed by Jump Flip)

Product:
StdLib

Version:
1.4.4.6 built by: WinDDK

MD5:
841337a5de120540bfd25d077a51b3f5

SHA-1:
8bd0ffd2d9006d670f02d42c33c40970fd17403c

SHA-256:
f29e8871726eaeaa430b1d965144fa2679166ce18e727e1a48aefcbc6c844c7e

Scanner detections:
28 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/24/2024 6:33:47 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.SwiftBrowse.CH
371

Agnitum Outpost
Riskware.Agent
7.1.1

avast!
Win32:BrowseFox-DZ [PUP]
2014.9-160130

AVG
Adware AdPlugin
2017.0.2849

Baidu Antivirus
Adware.Win32.BrowseFox
4.0.3.16130

Bitdefender
Adware.SwiftBrowse.CH
1.0.20.150

Bkav FE
W64.HfsAdware
1.3.0.6379

Clam AntiVirus
Win.Adware.Swiftbrowse-497
0.98/21411

Dr.Web
Trojan.Yontoo.1734
9.0.1.030

Emsisoft Anti-Malware
Adware.SwiftBrowse.CH
8.16.01.30.09

ESET NOD32
Win64/BrowseFox.CG potentially unwanted application
10.7.0.302.0

Fortinet FortiGate
Adware/BrowseFox
1/30/2016

F-Prot
W64/A-59c9c70a
v6.4.7.1.166

F-Secure
Adware.SwiftBrowse.CH
11.2016-30-01_7

G Data
Adware.SwiftBrowse.CH
16.1.24

K7 AntiVirus
Adware
13.191.14689

McAfee
Artemis!C515D124E11C
5600.6505

MicroWorld eScan
Adware.SwiftBrowse.CH
17.0.0.90

NANO AntiVirus
Riskware.Win64.NetFilter.dmjofz
0.30.0.64448

Norman
Adware.SwiftBrowse.CH
11.20160130

nProtect
Adware.SwiftBrowse.CH
14.10.17.01

Reason Heuristics
PUP.Yontoo.JumpFlip (M)
16.1.30.9

Sophos
BrowseSmart
4.98

SUPERAntiSpyware
Adware.BrowseFox/Variant
9354

Trend Micro House Call
Suspicious_GEN.F47V0702
7.2.30

Trend Micro
HS_BROWSEFOX.SM
10.465.30

VIPRE Antivirus
Trojan.Win32.Generic
31318

Zillya! Antivirus
Adware.Yotoon.Win64.14
2.0.0.2000

File size:
47.7 KB (48,832 bytes)

Product version:
1.4.4.6

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win64 SYS)

Language:
English (United States)

Common path:
C:\Windows\System32\drivers\{0ca29851-3273-497e-b859-b648c9a6fe3a}w64.sys

Digital Signature
Signed by:
Jump Flip

Authority:
VeriSign, Inc.

Valid from:
8/22/2013 7:00:00 AM

Valid to:
8/23/2015 6:59:59 AM

Subject:
CN=Jump Flip, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Jump Flip, L=Santa Monica, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
144CF0B61216826C7F439B5C91A6ABD6

File PE Metadata
Compilation timestamp:
1/14/2015 6:28:31 AM

OS version:
6.1

OS bitness:
Win64

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:lb7G2EjsnyXeOUEGG0LA8tWFZuL470h6aqxcCT2kvsVRwlZD3nu:hFID6EGnLA8AFJTNEVmDu

Entry address:
0xC064

Entry point:
48, 83, EC, 28, 4C, 8B, C2, 4C, 8B, C9, E8, 95, FF, FF, FF, 49, 8B, D0, 49, 8B, C9, 48, 83, C4, 28, E9, E2, 50, FF, FF, CC, CC, 78, C2, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 54, C6, 00, 00, A0, 91, 00, 00, 28, C1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, DA, CA, 00, 00, 50, 90, 00, 00, D8, C0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, D2, CB, 00, 00, 00, 90, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B6, CB, 00, 00, 00, 00, 00, 00, A2, CB, 00, 00...
 
[+]

Entropy:
6.3918

Code size:
34.5 KB (35,328 bytes)

Driver
Display name:
{0ca29851-3273-497e-b859-b648c9a6fe3a}w64

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI


herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.