CCProxy.EXE

CCProxy

Youngzsoft Co., Ltd.

The application CCProxy.EXE by Youngzsoft Co. has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a separate (within the context of its own process) windows Service named “CCProxy”. While running, it connects to the Internet address server18907.teamviewer.com on port 443.
Publisher:
Youngzsoft  (signed by Youngzsoft Co., Ltd.)

Product:
CCProxy

Version:
8, 0, 0, 0

MD5:
44073733bf48e97edd94dc0f1ebad052

SHA-1:
6c7dae76b9f5cfb6e2af2f332c13030386cc8f4b

SHA-256:
c6840b28239d1ad80c4b454d756b18471a6b8878795acd255e3a0b10eba90abc

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
6/20/2018 6:32:31 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Youngzso.Service
16.12.13.22

File size:
2.5 MB (2,639,216 bytes)

Product version:
8, 0, 0, 0

Copyright:
(c) Youngzsoft. All rights reserved.

Original file name:
CCProxy.EXE

File type:
Executable application (Win32 EXE)

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
3/26/2015 3:00:00 AM

Valid to:
5/15/2018 2:59:59 AM

Subject:
CN="Youngzsoft Co., Ltd.", OU=Software Development, O="Youngzsoft Co., Ltd.", L=Changsha, S=Hunan, C=CN

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
72D5CAF59A3CC644C573E13EA0892EAB

File PE Metadata
Compilation timestamp:
12/13/2016 12:58:32 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0x12A1F4

Entry point:
E8, 2F, DE, 00, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 51, 53, 8B, 45, 0C, 83, C0, 0C, 89, 45, FC, 64, 8B, 1D, 00, 00, 00, 00, 8B, 03, 64, A3, 00, 00, 00, 00, 8B, 45, 08, 8B, 5D, 0C, 8B, 6D, FC, 8B, 63, FC, FF, E0, 5B, C9, C2, 08, 00, 58, 59, 87, 04, 24, FF, E0, 58, 59, 87, 04, 24, FF, E0, 58, 59, 87, 04, 24, FF, E0, 8B, FF, 55, 8B, EC, 51, 51, 53, 56, 57, 64, 8B, 35, 00, 00, 00, 00, 89, 75, FC, C7, 45, F8, 70, A2, 52, 00, 6A, 00, FF, 75, 0C, FF, 75, F8, FF, 75, 08, E8, B4, 6B, 03, 00, 8B, 45, 0C, 8B...
 
[+]

Entropy:
6.4825

Code size:
1.5 MB (1,528,320 bytes)

Service
Display name:
CCProxy

Type:
Win32OwnProcess


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to li365-173.members.linode.com  (96.126.108.173:80)

TCP (HTTP):
Connects to ir1.fp.vip.sg3.yahoo.com  (106.10.139.246:80)

TCP (HTTP):
Connects to ir2.fp.vip.sg3.yahoo.com  (106.10.138.240:80)

TCP (HTTP SSL):
Connects to server50609.teamviewer.com  (195.81.195.57:443)

TCP (HTTP SSL):
Connects to server50607.teamviewer.com  (195.81.195.55:443)

TCP (HTTP SSL):
Connects to server19604.teamviewer.com  (169.54.83.56:443)

TCP (HTTP SSL):
Connects to server19407.teamviewer.com  (159.8.67.136:443)

TCP (HTTP SSL):
Connects to server18907.teamviewer.com  (159.122.90.122:443)

TCP (HTTP):
Connects to a23-219-134-67.deploy.static.akamaitechnologies.com  (23.219.134.67:80)

Remove CCProxy.EXE - Powered by Reason Core Security