dailywiki.exe

DailyWiki

The executable dailywiki.exe has been flagged as malware by 1 of 68 anti-virus scanners (a heuristic PUP detection, see below). It is set to execute automatically whenever any user logs into Windows, through the machine-wide Run registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the value name 'DailyWiki'. While running, it connects to the Internet address nginxi-ext-las-prd.cdk.com on port 443.
Publisher:
DailyWiki  (signed and verified; note that the certificate's Subject and Issuer are identical, i.e. it is self-signed, so the signature does not chain to a trusted CA and does not establish the publisher's identity)

MD5:
9bc11be2e7d4f8d51057e0cb1612989e

SHA-1:
109c3b61b260a7c225414d410c74f49e8582f270

SHA-256:
46a7b5dc31b9e0ebab732db7affa77927b7455255ad16ed44f28749afad8cfaa

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
4/25/2024 3:43:23 AM UTC

Scan engine          Detection    Engine version
Reason Heuristics    PUP (M)      16.11.12.15

File size:
47.9 MB (50,243,664 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\dailywiki\dailywiki.exe

Digital Signature
Signed by:

Authority:
DailyWiki

Valid from:
9/19/2015 11:16:51 AM

Valid to:
9/16/2025 11:16:51 AM

Subject:
CN=DailyWiki, O=DailyWiki, S=Some-State, C=US

Issuer:
CN=DailyWiki, O=DailyWiki, S=Some-State, C=US

Serial number:
00DE81C7E6A224F568

File PE Metadata
Compilation timestamp:
2/20/2016 3:43:51 PM

OS version (minimum required, from the PE optional header):
5.1 (Windows XP)

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0 (Visual Studio 2013 linker)

CTPH (ssdeep):
786432:0uK9C64r1c7VQZgnUrurLpbH05yL5dsuUQq6+4UYOkdOXQpYnGmC:pwC64r1c6ZgnUSrLpbUAdBUQq6/BLFYG

Entry address:
0x1C9A031

Entry point:
E8, 5A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, D9, 20, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...

Entropy:
6.9681 (of a maximum of 8; packed or encrypted sections typically score close to 8, so this value is consistent with a large, unpacked native code section)

Code size:
34.9 MB (36,634,112 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
DailyWiki

Command:
C:\users\{user}\appdata\roaming\dailywiki\dailywiki.exe su


The executing file has been seen to make the following network communications in live environments. The resolved names show that nearly all of these endpoints are shared infrastructure (CloudFront, EC2, Akamai, Google Cloud and SoftLayer hosts) or ad-tech services (OpenX, AOL/oneads, Yahoo), so blocking them by IP address would also affect unrelated traffic; the nginxi-ext-las-prd.cdk.com host named in the summary above does not appear among the addresses recorded here.

TCP (HTTP SSL):
Connects to server-54-230-196-161.lhr50.r.cloudfront.net  (54.230.196.161:443)

TCP (HTTP SSL):
Connects to server-54-192-145-185.sfo4.r.cloudfront.net  (54.192.145.185:443)

TCP (HTTP SSL):
Connects to server-52-84-239-21.sfo5.r.cloudfront.net  (52.84.239.21:443)

TCP (HTTP SSL):
Connects to mpr2.ngd.vip.gq1.yahoo.com  (216.39.55.13:443)

TCP (HTTP SSL):
Connects to ec2-54-69-215-78.us-west-2.compute.amazonaws.com  (54.69.215.78:443)

TCP (HTTP SSL):
Connects to ec2-54-183-6-148.us-west-1.compute.amazonaws.com  (54.183.6.148:443)

TCP (HTTP SSL):
Connects to ec2-52-52-107-244.us-west-1.compute.amazonaws.com  (52.52.107.244:443)

TCP (HTTP SSL):
Connects to ec2-23-20-26-202.compute-1.amazonaws.com  (23.20.26.202:443)

TCP (HTTP SSL):
Connects to ox-173-241-242-143.xv.dc.openx.org  (173.241.242.143:443)

TCP (HTTP SSL):
Connects to oneads-sspums-adtech-scd-blue-b.evip.aol.com  (152.163.20.130:443)

TCP (HTTP SSL):
Connects to ec2-54-201-133-184.us-west-2.compute.amazonaws.com  (54.201.133.184:443)

TCP (HTTP SSL):
Connects to ec2-54-152-7-52.compute-1.amazonaws.com  (54.152.7.52:443)

TCP (HTTP SSL):
Connects to ec2-52-8-182-197.us-west-1.compute.amazonaws.com  (52.8.182.197:443)

TCP (HTTP SSL):
Connects to ec2-52-41-230-39.us-west-2.compute.amazonaws.com  (52.41.230.39:443)

TCP (HTTP SSL):
Connects to ec2-52-204-128-81.compute-1.amazonaws.com  (52.204.128.81:443)

TCP (HTTP SSL):
Connects to a104-86-99-105.deploy.static.akamaitechnologies.com  (104.86.99.105:443)

TCP (HTTP SSL):
Connects to a104-86-98-104.deploy.static.akamaitechnologies.com  (104.86.98.104:443)

TCP (HTTP SSL):
Connects to 40.1e.2fa9.ip4.static.sl-reverse.com  (169.47.30.64:443)

TCP (HTTP SSL):
Connects to 29.154.196.104.bc.googleusercontent.com  (104.196.154.29:443)

TCP (HTTP SSL):
Connects to server-54-192-145-64.sfo4.r.cloudfront.net  (54.192.145.64:443)
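The indicators on this page (the three file hashes, the HKLM Run entry pointing into a user profile, and the list of remote endpoints) can be turned into a small triage script. The following is an added example, not code from the original report or from the DailyWiki software. It assumes nothing about the real binary beyond the published hashes and endpoints; the `reg query` dump and the connection-log format it parses are constructed for the example, and "alice" stands in for the `{user}` placeholder in the path.

```python
"""Added triage helpers built from the indicators on this page (example code,
not part of the original report or the DailyWiki software). They hash a file
against the published MD5/SHA-1/SHA-256, flag a Run-key value that points into
a user profile, and match connection-log lines against the listed endpoints.
The registry-dump and log formats used below are constructed for the example."""
import hashlib
import re

# Hashes and remote endpoints copied from the report above.
KNOWN_HASHES = {
    "md5": "9bc11be2e7d4f8d51057e0cb1612989e",
    "sha1": "109c3b61b260a7c225414d410c74f49e8582f270",
    "sha256": "46a7b5dc31b9e0ebab732db7affa77927b7455255ad16ed44f28749afad8cfaa",
}
KNOWN_ENDPOINTS = {
    "54.230.196.161:443", "54.192.145.185:443", "52.84.239.21:443",
    "216.39.55.13:443", "54.69.215.78:443", "54.183.6.148:443",
    "52.52.107.244:443", "23.20.26.202:443", "173.241.242.143:443",
    "152.163.20.130:443", "54.201.133.184:443", "54.152.7.52:443",
    "52.8.182.197:443", "52.41.230.39:443", "52.204.128.81:443",
    "104.86.99.105:443", "104.86.98.104:443", "169.47.30.64:443",
    "104.196.154.29:443", "54.192.145.64:443",
}


def _digests(chunks):
    """Feed every chunk to MD5, SHA-1 and SHA-256 at once (one read of the file)."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for chunk in chunks:
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_bytes(data):
    return _digests([data])


def file_hashes(path):
    with open(path, "rb") as fh:
        return _digests(iter(lambda: fh.read(1 << 20), b""))


def matching_hash_algorithms(observed):
    """Names of the algorithms whose digest equals the published sample's."""
    return {name for name, value in KNOWN_HASHES.items() if observed.get(name) == value}


# One value line of `reg query` output: <name> <type> <data>.
_REG_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def suspicious_run_entries(reg_query_output):
    """Run-key values whose target lives under a user profile's AppData.

    The report shows a machine-wide (HKLM) autorun whose command points into a
    per-user, user-writable directory; machine-wide autoruns normally point into
    Program Files or the Windows directory, so this pairing deserves a look.
    """
    flagged = []
    for line in reg_query_output.splitlines():
        m = _REG_LINE.match(line)
        if not m:
            continue
        name, _, command = m.groups()
        if re.search(r"\\appdata\\(roaming|local)\\", command, re.IGNORECASE):
            flagged.append((name, command))
    return flagged


# Constructed connection-log line: "<timestamp> <process> <local> -> <remote>".
_CONN_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)$")


def flag_connections(log_text):
    """(timestamp, process, remote) for every line that hits a listed endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = _CONN_LINE.match(line.strip())
        if m and m.group(4) in KNOWN_ENDPOINTS:
            hits.append((m.group(1), m.group(2), m.group(4)))
    return hits


# Constructed samples: the Run-key dump mirrors the entry reported above
# ("alice" stands in for the {user} placeholder); the log mixes one unrelated
# process in with two connections to listed endpoints.
SAMPLE_REG_DUMP = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    SecurityHealth    REG_EXPAND_SZ    %windir%\\system32\\SecurityHealthSystray.exe\n"
    "    DailyWiki    REG_SZ    C:\\users\\alice\\appdata\\roaming\\dailywiki\\dailywiki.exe su\n"
)
SAMPLE_CONN_LOG = (
    "2024-04-25T03:43:23Z dailywiki.exe 10.0.0.5:51234 -> 54.230.196.161:443\n"
    "2024-04-25T03:43:24Z chrome.exe 10.0.0.5:51235 -> 142.250.72.14:443\n"
    "2024-04-25T03:43:25Z dailywiki.exe 10.0.0.5:51236 -> 216.39.55.13:443\n"
)

if __name__ == "__main__":
    print(matching_hash_algorithms(hash_bytes(b"not the real binary")))  # set()
    print(suspicious_run_entries(SAMPLE_REG_DUMP))
    print(flag_connections(SAMPLE_CONN_LOG))
```

On a real host, run `file_hashes` against the path under `%APPDATA%\dailywiki`, and feed `suspicious_run_entries` the output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`. Because the endpoint list is shared CDN and ad-tech infrastructure, treat a connection hit as corroborating evidence only when the originating process is the binary itself, as the example's process column is meant to show.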

Remove dailywiki.exe - Powered by Reason Core Security