cinpl2.3c-codedownloader.exe

CinPl2.3c

Berserk Group

cinpl2.3c-codedownloader.exe is part of the Crossrider framework, a web browser extension platform that delivers advertisements such as coupons, price comparisons, display media, affiliate links, banners, popups/popunders and other links. The application cinpl2.3c-codedownloader.exe by Berserk Group has been detected as adware by 6 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered to execute each time a user logs in. Built with the Crossrider web browser toolkit, the CodeDownloader component automatically connects to the remote API server and downloads additional code/components for the CinPl extension/toolbar. The component makes a number of requests to the host app-static.crossrider.com/plugins/.../monetization/monetizationLoader.js.
Publisher:
CinPl  (signed by Berserk Group)

Product:
CinPl2.3c

Description:
CinPl2.3c exe

Version:
1000.1000.1000.1000

MD5:
9ba47e6b8d76a52ba4999affcc085fb4

SHA-1:
d53fc540fe77d74e3d93ca2d874f86aca9bfc27f

SHA-256:
f40e3f92162a73e62394d7acdcec057f0b43eaafa0ccaa92f49e0ece53fdc70d

Scanner detections:
6 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Note:
Crossrider is the owner of a platform that enables the creation of cross-browser extensions by developers but is not the owner of this detected application. The owner/publisher of this file is Berserk Group.

Analysis date:
11/24/2017 9:40:00 PM UTC

Scan engine         Detection                       Engine version
Avira AntiVirus     ADWARE/CrossRider.Gen2          7.11.170.204
Kaspersky           Trojan.NSIS.GoogUpdate          14.0.0.3301
Malwarebytes        PUP.Optional.CinemaPlus.A       v2014.09.04.07
Panda Antivirus     Trj/Genetic.gen                 14.09.04.07
Reason Heuristics   PUP.Crossrider.BerserkGroup.X   14.9.4.19
VIPRE Antivirus     Crossrider                      32788

File size:
573.9 KB (587,672 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2011

Original file name:
CinPl2.3c.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\cinpl2.3c\cinpl2.3c-codedownloader.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
8/13/2014 9:00:00 PM

Valid to:
8/14/2015 8:59:59 PM

Subject:
CN=Berserk Group, O=Berserk Group, STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Nicosia, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
58761EBCDB730A1C637A95BCB768285A

File PE Metadata
Compilation timestamp:
9/2/2014 7:05:16 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:IQz74ZiL9BVa2TE7A3g9sUrwCN8uKnlI0gH7Sh1851nsQoYjSpTByO514RENs:yc7Vahcw9AuKl1gH7ShyehYjSpTMOO

Entry address:
0x4A13A

Entry point:
E8, 71, DE, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 53, 33, FF, 8B, 44, 24, 14, 0B, C0, 7D, 14, 47, 8B, 54, 24, 10, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 14, 89, 54, 24, 10, 8B, 44, 24, 1C, 0B, C0, 7D, 14, 47, 8B, 54, 24, 18, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 1C, 89, 54, 24, 18, 0B, C0, 75, 18, 8B, 4C, 24, 18, 8B, 44, 24, 14, 33, D2, F7, F1, 8B, D8, 8B, 44, 24, 10, F7, F1, 8B, D3, EB, 41, 8B, D8, 8B, 4C, 24, 18, 8B, 54, 24, 14, 8B, 44, 24, 10, D1, EB, D1...

Code size:
453.5 KB (464,384 bytes)

Scheduled Task
Task name:
1e4fc0d7-d5bd-404c-a6bf-96ac70b26f48-1

Trigger:
Logon (Runs on logon)

Action:
cinpl2.3c-codedownloader.exe \reinstallapp \runfrom=task \agentregpath='cinpl2.


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ip-184-168-221-43.ip.secureserver.net  (184.168.221.43:80)

Remove cinpl2.3c-codedownloader.exe - Powered by Reason Core Security