3.8.0.122_20140403070800.exe

The KMPlayer

PandoraTV

The application 3.8.0.122_20140403070800.exe, “The KMPlayer Setup/Install” by PandoraTV, has been detected as a potentially unwanted program by 3 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the OpenCandy monetization platform, which downloads and installs offers during setup for potentially unwanted software, including ad- and search-supported toolbars. The file has been seen being downloaded from biblprog.org.ua and multiple other hosts. While running, it connects to the Internet address i0-h0-s2053.p9-jfk.cdngp.net on port 80 using the HTTP protocol.
Publisher:
PandoraTV  (signed and verified)

Product:
The KMPlayer

Description:
The KMPlayer Setup/Install

Version:
3.8.0.122

MD5:
3b892324a1ede092397abeb14f1e0cec

SHA-1:
ac1ce2ef11d4dca8eca186cc9cc5c0ec6ebae48a

SHA-256:
8b6875087b57640ac5a635728b41dd9da5240e34aff5c199617c6fc7b90c6150

Scanner detections:
3 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
4/24/2024 4:58:39 PM UTC

Scan engine        | Detection                    | Engine version
ESET NOD32         |                              | 8.9639
Reason Heuristics  | PUP.OpenCandy.Installer (L)  | 16.11.29.15
Rising Antivirus   | PE:PUF.OpenCandy!1.9DE5      | 23.00.65.14405

File size:
31.5 MB (33,044,640 bytes)

Product version:
3.8

Copyright:
Copyright PandoraTV 2013.

Trademarks:
Freeware

Original file name:
KMPlayer_3.8.0.122.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\3.8.0.122_20140403070800.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
5/15/2012 3:00:00 AM

Valid to:
6/15/2014 2:59:59 AM

Subject:
CN=PandoraTV, O=PandoraTV, L=Gangnam-gu, S=Seoul, C=KR

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
2BF6AC6C0932526A56D17EB4F2C776C5

File PE Metadata
Compilation timestamp:
2/24/2012 9:19:59 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
786432:o3m+//mduKt+cmZZmqDK/ddJawRVs0Tk76ljb+gR2s8N0qGK:o3bQnIv8YKvUsVxTZljigRINxGK

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...

Entropy:
7.9999

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)

The file 3.8.0.122_20140403070800.exe has been seen being distributed by the following 14 URLs.

http://biblprog.org.ua/go.php?site=http://cdn.kmplayer.com/KMP/player/download/.../3.8.0.122_20140403070800.exe

http://www.jsoftj.com/files/.../jsoftj.com_3.8.0.122_20140403070800_jsoftj.com.exe

http://f.sync.hamicloud.net/.../@download?416eb4c6e3fdb7dac58b05c262fce1b4&4fc2c326e5b584bcaa2c982d4bcb3ea6

http://f.sync.hamicloud.net/.../@download?ada567a378fae308d89d0f4eafafaa85&66cd866376fd9891992b035faa09ee04

temp:3.8.0.122_20140403070800.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-229-95-87.eu-west-1.compute.amazonaws.com  (54.229.95.87:80)

TCP (HTTP):
Connects to ec2-52-214-2-242.eu-west-1.compute.amazonaws.com  (52.214.2.242:80)

TCP (HTTP):
Connects to i0-h0-s2132.p9-jfk.cdngp.net  (174.35.76.28:80)

TCP (HTTP):
Connects to i0-h0-s2079.p9-jfk.cdngp.net  (174.35.73.165:80)

TCP (HTTP):
Connects to i0-h0-s2053.p9-jfk.cdngp.net  (174.35.73.139:80)

TCP (HTTP):
Connects to i0-h0-s2036.p9-jfk.cdngp.net  (174.35.73.105:80)

TCP (HTTP):
Connects to i0-h0-s2029.p9-jfk.cdngp.net  (174.35.73.98:80)

TCP (HTTP):
Connects to i0-h0-s2002.p9-jfk.cdngp.net  (174.35.73.71:80)

TCP (HTTP):
Connects to i0-h0-s1133.p6-ord.cdngp.net  (174.35.56.235:80)

TCP (HTTP):
Connects to i0-h0-s1103.p6-ord.cdngp.net  (174.35.56.151:80)

TCP (HTTP):
Connects to i0-h0-s1039.p0-mia.cdngp.net  (174.35.36.72:80)

Remove 3.8.0.122_20140403070800.exe - Powered by Reason Core Security