CCProxy.EXE

CCProxy

Youngzsoft Co., Ltd.

The application CCProxy.EXE by Youngzsoft Co. has been detected as adware by 3 anti-malware scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘CCProxy’. While running, it connects to the Internet address li365-173.members.linode.com on port 80 using the HTTP protocol.
Publisher:
Youngzsoft (signed by Youngzsoft Co., Ltd.)

Product:
CCProxy

Version:
8, 0, 0, 0

MD5:
fa8f43192d20fea1ee403c6e97165efd

SHA-1:
d207a16ed4eb524ed7377efbdd5be6397dd78479

SHA-256:
b5658fc3a08d492c173501097ac330b3fa5e4066562fab810212234f1012d821

Scanner detections:
3 / 68

Status:
Adware

Analysis date:
12/15/2018 10:21:22 PM UTC

Scan engine            | Detection                | Engine version
avast!                 | Win32:CCProxy-D [PUP]    | 2014.9-150216
Reason Heuristics      | PUP.Startup.YoungzsoftCo | 15.2.16.8
Trend Micro House Call | TROJ_GEN.F47V0608        | 7.2.47

File size:
3.2 MB (3,336,600 bytes)

Product version:
8, 0, 0, 0

Copyright:
(c) Youngzsoft. All rights reserved.

Original file name:
CCProxy.EXE

File type:
Executable application (Win64 EXE)

Language:
English (United States)

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
4/16/2014 5:00:00 PM

Valid to:
4/17/2015 4:59:59 PM

Subject:
CN="Youngzsoft Co., Ltd.", OU=Software Development, OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Youngzsoft Co., Ltd.", L=Changsha, S=Hunan, C=CN

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
3100D378FD898D4DA76C9FCBA2E349F7

File PE Metadata
Compilation timestamp:
1/27/2015 12:57:20 AM

OS version:
5.2

OS bitness:
Win64

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
49152:mpm60DYFIMh9FoPbgTiHn/fyeXYS6G25BOUnALULscThdjMeyyA0N0:0AyIs8fyUr0DdxA0N0

Entry address:
0x167608

Entry point:
48, 83, EC, 28, E8, 9F, D2, 00, 00, 48, 83, C4, 28, E9, 16, FE, FF, FF, CC, CC, 48, 89, 5C, 24, 10, 48, 89, 6C, 24, 18, 48, 89, 74, 24, 20, 57, 41, 54, 41, 55, 41, 56, 41, 57, 48, 83, EC, 20, 49, 63, 78, 0C, 4C, 8B, F9, 49, 8B, C8, 49, 8B, E9, 4D, 8B, E8, 4C, 8B, F2, E8, A0, D3, 00, 00, 4D, 8B, 17, 4C, 89, 55, 00, 44, 8B, E0, 85, FF, 0F, 84, 85, 00, 00, 00, 48, 8D, 0C, BF, 48, 8D, 34, 8D, EC, FF, FF, FF, 49, 63, 5D, 10, 49, 03, 5E, 08, 48, 03, DE, 44, 3B, 63, 04, 7E, 49, 44, 3B, 63, 08, 7F, 43, 49, 8B, 0E...

Entropy:
6.2864

Code size:
1.8 MB (1,851,904 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
CCProxy

Command:
C:\ccproxy\ccproxy.exe
The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to li365-173.members.linode.com  (96.126.108.173:80)

TCP:
Connects to ip-172-16-1-111.ec2.internal  (172.16.1.111:55411)

TCP (HTTP SSL):
Connects to ec2-52-66-88-241.ap-south-1.compute.amazonaws.com  (52.66.88.241:443)

TCP (HTTP SSL):
Connects to mc.yandex.ru  (93.158.134.119:443)

TCP (HTTP SSL):
Connects to bam-3.nr-data.net  (50.31.164.173:443)

TCP (HTTP SSL):
Connects to 2.40.155.104.bc.googleusercontent.com  (104.155.40.2:443)

TCP:
Connects to ip-172-16-1-11.ec2.internal  (172.16.1.11:62610)

TCP:
Connects to ip-172-16-0-33.ec2.internal  (172.16.0.33:1235)

TCP:
Connects to ip-172-16-0-245.ec2.internal  (172.16.0.245:49338)

TCP:
Connects to ip-172-16-0-218.ec2.internal  (172.16.0.218:65328)

TCP:
Connects to ip-172-16-0-185.ec2.internal  (172.16.0.185:56859)

TCP:
Connects to ip-172-16-0-167.ec2.internal  (172.16.0.167:56607)

TCP:
Connects to ip-172-16-0-119.ec2.internal  (172.16.0.119:63553)

TCP:
Connects to ip-172-16-0-118.ec2.internal  (172.16.0.118:59911)

TCP (HTTP SSL):
Connects to db5sch101101529.wns.windows.com  (40.77.229.30:443)

TCP (HTTP SSL):
Connects to db5sch101100938.wns.windows.com  (40.77.229.8:443)

Remove CCProxy.EXE - Powered by Reason Core Security