CCBootClient.exe

CCBoot Client

Youngzsoft Co., Ltd.

The application CCBootClient.exe by Youngzsoft Co. has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a separate (within the context of its own process) windows Service named “CCBootClient”. While running, it connects to the Internet address SERVER2 on port 1000.
Publisher:
Youngzsoft  (signed by Youngzsoft Co., Ltd.)

Product:
CCBoot Client

Version:
3.0

MD5:
ccce77008f3310fa1bed9ead8a9883b6

SHA-1:
88dcfdc861afd107c3359979ac64a08ff4f76819

SHA-256:
39a9667d0b9a38c92db317b9863ef09ee527896e1c9221024d2de89b4255fc40

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/16/2018 12:43:11 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Youngzso.Service
17.1.22.11

File size:
1.5 MB (1,554,272 bytes)

Product version:
3.0

Copyright:
(c) Youngzsoft. All rights reserved.

Original file name:
CCBootClient.exe

File type:
Executable application (Win64 EXE)

Language:
English (United States)

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
3/26/2015 7:00:00 AM

Valid to:
5/15/2018 6:59:59 AM

Subject:
CN="Youngzsoft Co., Ltd.", OU=Software Development, O="Youngzsoft Co., Ltd.", L=Changsha, S=Hunan, C=CN

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
72D5CAF59A3CC644C573E13EA0892EAB

File PE Metadata
Compilation timestamp:
1/20/2017 1:58:05 PM

OS version:
5.2

OS bitness:
Win64

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0x6A580

Entry point:
48, 83, EC, 28, E8, 93, 90, 00, 00, 48, 83, C4, 28, E9, 16, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 66, 66, 0F, 1F, 84, 00, 00, 00, 00, 00, 48, 3B, 0D, E9, 1D, 0F, 00, 75, 11, 48, C1, C1, 10, 66, F7, C1, FF, FF, 75, 02, F3, C3, 48, C1, C9, 10, E9, 01, 91, 00, 00, CC, 48, 89, 5C, 24, 08, 57, 48, 83, EC, 20, 48, 8D, 05, A7, 41, 0A, 00, 8B, DA, 48, 8B, F9, 48, 89, 01, E8, 2E, 92, 00, 00, F6, C3, 01, 74, 08, 48, 8B, CF, E8, 65, B2, FC, FF, 48, 8B, C7, 48, 8B...
 
[+]

Entropy:
5.9377

Code size:
1 MB (1,050,112 bytes)

Service
Display name:
CCBootClient

Type:
Win32OwnProcess


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to li365-173.members.linode.com  (96.126.108.173:80)

TCP:
Connects to SERVER2  (210.98.239.152:1000)

TCP:
Connects to SERVER01  (210.98.239.151:1000)

Remove CCBootClient.exe - Powered by Reason Core Security