» CmdShell.exe
Overview
Analysis
File Details
Network (6)

CmdShell.exe

Taiwan Shui Mu Chih Ching Technology Limited

The application CmdShell.exe by Taiwan Shui Mu Chih Ching Technology Limited has been detected as adware by 16 anti-malware scanners. This particular feature is designed to hijack the browser in an attempt to prevent other resources from modify the browser's search and home pages. While running, it connects to the Internet address 7d.a0.a86c.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.

File name:

CmdShell.exe

Publisher:

SearchProtect (signed by Taiwan Shui Mu Chih Ching Technology Limited)

Product:

SearchProtect

Description:

CmdShell.exe

Version:

4,0,1,1716

MD5:

77590ce0cdeb6bbee8dc056fea0b107c

SHA-1:

599f4eb498d7c05a680386c1d3e1fc3dd68a8fa9

SHA-256:

17370d4e684f479e9f15116148dae7490d9ba88461228a76b47245f246693921

Scanner detections:

16 / 68

Status:

Adware

Analysis date:

4/20/2024 2:56:01 AM UTC (today)

Scan engine

Detection

Engine version

Agnitum Outpost

PUA.SearchProtect

7.1.1

AVG

Generic

2016.0.3174

Baidu Antivirus

Adware.Win32.Elex

4.0.3.15116

Bkav FE

W32.HfsAdware

1.3.0.6379

Dr.Web

Adware.Mutabaha.117

9.0.1.070

ESET NOD32

Win32/ELEX.BM potentially unwanted

9.11285

Fortinet FortiGate

Adware/SearchProtect

3/11/2015

G Data

Win32.Application.SearchProtect.AA@gen

15.3.25

K7 AntiVirus

Unwanted-Program

13.200.15187

Kaspersky

not-a-virus:AdWare.Win32.SearchProtect

15.0.0.543

Panda Antivirus

Generic Suspicious

15.03.11.01

Qihoo 360 Security

HEUR/QVM10.1.Malware.Gen

1.0.0.1015

Reason Heuristics

PUP.TaiwanShuiMuChihChingTechnologyLimited.I

15.1.16.6

Sophos

Generic PUA BP

4.98

Vba32 AntiVirus

AdWare.SearchProtect

3.12.26.3

Zillya! Antivirus

Adware.SearchProtect.Win32.14

2.0.0.2090

File size:

47.2 KB (48,304 bytes)

Product version:

4,0,1,1716

Original file name:

CmdShell.exe

File type:

Executable application (Win32 EXE)

Language:

Chinese (Simplified, China)

Common path:

C:\Program Files\xtab\cmdshell.exe

Digital Signature

Signed by:

Taiwan Shui Mu Chih Ching Technology Limited

Authority:

GlobalSign nv-sa

Valid from:

1/15/2015 6:36:14 AM

Valid to:

2/25/2015 9:15:36 AM

Subject:

CN=Taiwan Shui Mu Chih Ching Technology Limited, O=Taiwan Shui Mu Chih Ching Technology Limited, L=New Taipei City, S=Taiwan, C=TW

Issuer:

CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:

11214791C542722D5C418927DCC4A64E75B7

File PE Metadata

Compilation timestamp:

1/15/2015 6:19:07 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

11.0

CTPH (ssdeep):

768:6S3vNM7DQzergf+hYabD4VBKRNItvnxbhnwAnS42hJQ:IDQlf+h1bDK8ItPxVnta

Entry address:

0x5DD4

Entry point:

E8, 88, 03, 00, 00, E9, 4C, FE, FF, FF, 55, 8B, EC, FF, 15, A4, 70, 40, 00, 6A, 01, A3, 9C, 94, 40, 00, E8, 7B, 04, 00, 00, FF, 75, 08, E8, 79, 04, 00, 00, 83, 3D, 9C, 94, 40, 00, 00, 59, 59, 75, 08, 6A, 01, E8, 61, 04, 00, 00, 59, 68, 09, 04, 00, C0, E8, 62, 04, 00, 00, 59, 5D, C3, 55, 8B, EC, 81, EC, 24, 03, 00, 00, 6A, 17, E8, 6D, 04, 00, 00, 85, C0, 74, 05, 6A, 02, 59, CD, 29, A3, 80, 92, 40, 00, 89, 0D, 7C, 92, 40, 00, 89, 15, 78, 92, 40, 00, 89, 1D, 74, 92, 40, 00, 89, 35, 70, 92, 40, 00, 89, 3D, 6C... 
[+]

Entropy:

6.0626

Code size:

22.5 KB (23,040 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to 7d.a0.a86c.ip4.static.sl-reverse.com (108.168.160.125:80)

TCP (HTTP):

Connects to 43.f7.24ae.ip4.static.sl-reverse.com (174.36.247.67:80)

TCP (HTTP):

Connects to 208.43.232.116-static.reverse.softlayer.com (208.43.232.116:80)

TCP (HTTP):

Connects to 174.36.200.164-static.reverse.softlayer.com (174.36.200.164:80)

TCP (HTTP):

Connects to 174.36.200.173-static.reverse.softlayer.com (174.36.200.173:80)

TCP (HTTP):

Connects to 173.193.180.131-static.reverse.softlayer.com (173.193.180.131:80)

Remove CmdShell.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.