home

californiafontssetup.exe

SqueakyChocolate

The installer utilizes the installCore download manager which may bundle additional offers for various ad-supported toolbars, extensions and utilities. The application californiafontssetup.exe by SqueakyChocolate has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the installCore installer. The file has been seen being downloaded from cdn.californiafonts.com. While running, it connects to the Internet address cdn.squeakychocolate.com on port 80 using the HTTP protocol.
Publisher:
SqueakyChocolate  (signed and verified)

MD5:
485af008cf96541e996573ce2bf47b1b

SHA-1:
1d31a7177f64dfd3a23249882af3d79e2455e6d8

SHA-256:
d1264bffa5b0e602bda82208268d2e0fc6bbc65ed71c89ae1dfec26dcb82aae3

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature this is not set be defult and is usually overlooked.

Analysis date:
4/19/2024 9:33:39 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.installCore (M)
16.11.4.1

File size:
1.5 MB (1,621,536 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Nullsoft Install System)

Common path:
C:\users\{user}\downloads\californiafontssetup.exe

Digital Signature
Signed by:
SqueakyChocolate

Authority:
COMODO CA Limited

Valid from:
2/19/2012 6:00:00 PM

Valid to:
2/19/2015 5:59:59 PM

Subject:
CN=SqueakyChocolate, O=SqueakyChocolate, STREET=12902 Dorathea Terrace, L=Poway, S=CA, PostalCode=92064, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00B696A8829DC1E0486236AF86C6DC0B70

File PE Metadata
Compilation timestamp:
7/26/2014 4:58:31 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:zX6jIR7ip1DhfUf4arnj5PjYzB+TtStCW64RNbPAnc+5Va3ZJGoWzsXZHTvC4:D6jIRQ1dy469j+BECu4D0Vq2Fzsp1

Entry address:
0x35B7

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, E0, 84, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, B4, 82, 40, 00, 6A, 08, A3, F8, 05, 47, 00, E8, 62, 27, 00, 00, 55, 68, B4, 02, 00, 00, A3, 00, 05, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 24, 86, 40, 00, FF, 15, 84, 81, 40, 00, 68, 0C, 86, 40, 00, 68, 00, 85, 46, 00, E8, 32, 26, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, 00, 10, 4C, 00, 57, E8, 20, 26, 00, 00...
 
[+]

Entropy:
7.9120

Packer / compiler:
Nullsoft install system v2.x

Code size:
26 KB (26,624 bytes)

The file californiafontssetup.exe has been seen being distributed by the following URL.

http://cdn.californiafonts.com/.../CaliforniaFontsSetup.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to squeakychocolate.com  (74.208.110.68:80)

TCP (HTTP):
Connects to post-install-verification.conduit-data.com  (184.72.217.85:80)

TCP (HTTP):
Connects to cdn.squeakychocolate.com  (62.253.3.84:80)

Remove californiafontssetup.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.