dailywiki.exe

DailyWiki

The executable dailywiki.exe is classified as malware on this page on the strength of a single heuristic PUP detection (1 of 68 scanners; see the scanner details below). It is set to run automatically whenever any user logs into Windows, through the machine-wide Run key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the value name 'DailyWiki', with the argument 'su'. While running, it makes HTTPS and HTTP connections to analytics, advertising and CDN hosts, among them bam-4.nr-data.net on port 443 (full list below).
Publisher:
DailyWiki  (signed with a self-signed certificate; see Digital Signature below)

MD5:
2e60bcfff0a9573238ed95f11aace98e

SHA-1:
b52348fe324cb67d29217a37528850263b045a35

SHA-256:
f667de78ae5742988da2d9c9f0698d27839bba26505fab39fc6d8b244019a372

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
1/3/2017 12:23:42 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP (M)

Engine version:
17.1.2.19

File size:
45.6 MB (47,826,568 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\dailywiki\dailywiki.exe

Digital Signature
Signed by:
DailyWiki

Authority:
DailyWiki (self-signed: the issuer is the subject itself, so the certificate chains to no trusted root and the signature only proves the file was not altered since signing)

Valid from:
9/19/2015 11:16:51 AM

Valid to:
9/16/2025 11:16:51 AM

Subject:
CN=DailyWiki, O=DailyWiki, S=Some-State, C=US

Issuer:
CN=DailyWiki, O=DailyWiki, S=Some-State, C=US

Serial number:
00DE81C7E6A224F568

File PE Metadata
Compilation timestamp:
2/20/2016 3:43:51 PM

OS version:
5.1 (Windows XP; the minimum OS version declared in the PE optional header)

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0 (Visual Studio 2013)

Entry address:
0x1C9A031

Entry point:
E8, 5A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, D9, 20, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...
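
The first ten bytes above are two 5-byte relative branches, a CALL (E8) followed by a JMP (E9), which is the shape the MSVC linker emits for its CRT entry stub: a call to the stack-cookie initialiser and a jump to the real start-up routine. The following Python, added here as an example and not code from this page or from DailyWiki, decodes those two rel32 displacements against the entry address listed above. The target addresses it prints follow purely from the bytes and are otherwise not on this page; the MSVC routine names in the comments are the conventional ones and are an assumption, not something read from the binary.

```python
"""Decode the two relative branches at the start of the dailywiki.exe entry
point listed on this page.

Added example, not code from this page or from DailyWiki. The entry address
and bytes are the page's; the start-up routine names in comments are the
conventional MSVC ones and are an assumption, not read from the binary."""
import struct

ENTRY_ADDRESS = 0x1C9A031                                               # "Entry address" above
ENTRY_BYTES = bytes.fromhex("E8 5A 3A 01 00 E9 7F FE FF FF 55 8B EC")   # first 13 "Entry point" bytes above


def decode_rel32_branches(code, base):
    """Decode consecutive x86 CALL rel32 (E8) / JMP rel32 (E9) instructions
    starting at virtual address `base`; stop at the first other opcode.
    Returns a list of (mnemonic, instruction_address, target_address)."""
    branches = []
    offset = 0
    while offset + 5 <= len(code) and code[offset] in (0xE8, 0xE9):
        (rel,) = struct.unpack_from("<i", code, offset + 1)   # signed 32-bit displacement
        insn_addr = base + offset
        target = (insn_addr + 5 + rel) & 0xFFFFFFFF           # relative to the next instruction
        branches.append(("call" if code[offset] == 0xE8 else "jmp", insn_addr, target))
        offset += 5
    return branches


def describe_entry_stub(code=ENTRY_BYTES, base=ENTRY_ADDRESS):
    """Decode the stub and report whether it has the MSVC CRT shape:
    CALL __security_init_cookie ; JMP __tmainCRTStartup  (names assumed)."""
    branches = decode_rel32_branches(code, base)
    is_msvc_stub = [b[0] for b in branches] == ["call", "jmp"]
    return branches, is_msvc_stub


if __name__ == "__main__":
    branches, is_msvc_stub = describe_entry_stub()
    for mnemonic, addr, target in branches:
        print(f"{addr:08X}  {mnemonic} 0x{target:08X}")
    print("MSVC CRT entry-stub shape:", is_msvc_stub)
```

Decoding stops at the third instruction (55, `push ebp`), which is the start of the next function rather than part of the stub; a disassembler pointed at the two targets would show the cookie initialiser and the CRT start-up code if the MSVC reading is right.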

Entropy:
6.8809 (bits per byte, out of 8; below the roughly 7.9 and up typical of packed or encrypted payloads)

Code size:
34.9 MB (36,634,112 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
DailyWiki

Command:
C:\users\{user}\appdata\roaming\dailywiki\dailywiki.exe su
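
A machine-wide Run value that launches an executable from one user's AppData\Roaming directory is the combination worth hunting for: it persists for every account on the machine while pointing at a location any user can write to. The following Python, added here as an example and not code from this page or from DailyWiki, parses a .reg-style export and flags exactly that combination. The export text and the user name alice are constructed for the example.

```python
"""Flag machine-wide (HKLM) Run values that start a binary from a user-profile
directory, the combination this page reports for dailywiki.exe.

Added example, not code from the page or from DailyWiki. The .reg text and
the user name "alice" are constructed for the example."""
import re

# Constructed sample in the format "reg export" writes (backslashes escaped).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"DailyWiki"="C:\\users\\alice\\appdata\\roaming\\dailywiki\\dailywiki.exe su"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

# Run keys considered, upper-cased for case-insensitive comparison.
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
}

# An image living under a user profile (C:\Users\<name>\AppData\...).
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# "name"="value" with .reg escaping (\\ and \") inside either string.
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_run_entries(reg_text):
    """Yield (key, value_name, command) for every string value in the export."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line) if key else None
        if not m:
            continue
        name, raw = m.groups()
        command = re.sub(r"\\(.)", r"\1", raw)   # undo .reg escaping of \ and "
        yield key, name, command


def image_path(command):
    """Return the executable path from a Run command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def suspicious_run_entries(reg_text):
    """Return (value_name, image, command) for HKLM Run values whose image sits
    under a user profile: all-users persistence pointing at a user-writable dir."""
    hits = []
    for key, name, command in parse_run_entries(reg_text):
        upper = key.upper()
        if upper not in RUN_KEYS or not upper.startswith("HKEY_LOCAL_MACHINE"):
            continue
        image = image_path(command)
        if USER_PROFILE_RE.match(image):
            hits.append((name, image, command))
    return hits


if __name__ == "__main__":
    for name, image, command in suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f"[!] HKLM Run value {name!r} starts {image} (full command: {command})")
```

The HKCU OneDrive entry is deliberately left alone: a per-user key pointing into that user's own profile is normal. Only the HKLM value pointing into AppData\Roaming is reported, together with its full command line so the trailing `su` argument is visible to whoever triages the hit.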


The executing file has been seen to make the following network communications in live environments. Apart from the Akamai CDN edge nodes, the endpoints are third-party analytics and advertising services (New Relic's nr-data.net, Adobe's omtrdc.net, an AOL-hosted advertising endpoint and BrightRoll's btrll.com), which fits the PUP classification above rather than a dedicated command-and-control server. The same hosts are contacted by plenty of legitimate software, so on their own they are weak indicators.

TCP (HTTP SSL):
Connects to s-prd-req-adcom-scd-blue-b.evip.aol.com  (149.174.66.133:443)

TCP (HTTP SSL):
Connects to sky.com.ssl.d1.sc.omtrdc.net  (63.140.40.169:443)

TCP (HTTP SSL):
Connects to bam-4.nr-data.net  (50.31.164.174:443)

TCP (HTTP SSL):
Connects to l3dsr-cserv-um-21.iad3.btrll.com  (162.208.22.39:443)

TCP (HTTP):
Connects to a95-101-129-51.deploy.akamaitechnologies.com  (95.101.129.51:80)

TCP (HTTP):
Connects to a92-123-180-200.deploy.akamaitechnologies.com  (92.123.180.200:80)

TCP (HTTP):
Connects to a92-123-180-195.deploy.akamaitechnologies.com  (92.123.180.195:80)

TCP (HTTP):
Connects to a92-123-180-194.deploy.akamaitechnologies.com  (92.123.180.194:80)

TCP (HTTP):
Connects to a92-123-180-192.deploy.akamaitechnologies.com  (92.123.180.192:80)

TCP (HTTP):
Connects to a92-123-180-184.deploy.akamaitechnologies.com  (92.123.180.184:80)

TCP (HTTP):
Connects to a184-51-148-105.deploy.static.akamaitechnologies.com  (184.51.148.105:80)

TCP (HTTP SSL):
Connects to a184-30-212-95.deploy.static.akamaitechnologies.com  (184.30.212.95:443)

TCP (HTTP):
Connects to a172-227-97-135.deploy.static.akamaitechnologies.com  (172.227.97.135:80)

TCP (HTTP SSL):
Connects to a172-227-109-215.deploy.static.akamaitechnologies.com  (172.227.109.215:443)

TCP (HTTP):
Connects to a104-86-110-24.deploy.static.akamaitechnologies.com  (104.86.110.24:80)

TCP (HTTP):
Connects to a104-121-28-159.deploy.static.akamaitechnologies.com  (104.121.28.159:80)

TCP (HTTP SSL):
Connects to a104-121-18-103.deploy.static.akamaitechnologies.com  (104.121.18.103:443)

TCP (HTTP):
Connects to a104-121-1-229.deploy.static.akamaitechnologies.com  (104.121.1.229:80)
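
Because the hosts above are shared third-party infrastructure, a single connection proves little; what is worth automating is counting how many of the page-listed analytics and advertising endpoints one client touches, with the Akamai edges weighted down since the same nodes serve unrelated sites. The following Python, added here as an example and not code from this page or from DailyWiki, does that over proxy-style log lines. The log lines, the client addresses and the Squid-like column layout are constructed for the example; the indicators themselves are copied from the list above.

```python
"""Match this page's network indicators against proxy-style log lines and
rank clients by how many of the listed endpoints they contacted.

Added example, not code from the page or from DailyWiki. The log lines and
client addresses are constructed; the indicators come from the page."""
import re
from collections import Counter

# Non-CDN endpoints from the page's network section: hostname -> IP as observed.
CONTACTED_HOSTS = {
    "s-prd-req-adcom-scd-blue-b.evip.aol.com": "149.174.66.133",
    "sky.com.ssl.d1.sc.omtrdc.net": "63.140.40.169",
    "bam-4.nr-data.net": "50.31.164.174",
    "l3dsr-cserv-um-21.iad3.btrll.com": "162.208.22.39",
}
IP_TO_HOST = {ip: host for host, ip in CONTACTED_HOSTS.items()}

# Akamai edge nodes: matched by name pattern, not by the individual IPs on the
# page, because any edge serves many unrelated customers.
AKAMAI_RE = re.compile(r"\.deploy(\.static)?\.akamaitechnologies\.com$", re.IGNORECASE)

# Constructed sample: "client method host:port bytes" per line.
SAMPLE_LOG = """\
10.0.0.12 CONNECT bam-4.nr-data.net:443 1024
10.0.0.12 GET a92-123-180-200.deploy.akamaitechnologies.com:80 48213
10.0.0.7 CONNECT outlook.office365.com:443 9120
10.0.0.12 CONNECT 63.140.40.169:443 2210
10.0.0.3 GET a104-86-110-24.deploy.static.akamaitechnologies.com:80 71100
10.0.0.12 CONNECT l3dsr-cserv-um-21.iad3.btrll.com:443 880
"""


def classify(host):
    """'strong' for a page-listed analytics/ad endpoint (by name or IP),
    'weak' for an Akamai edge node, None for anything else."""
    if host in CONTACTED_HOSTS or host in IP_TO_HOST:
        return "strong"
    if AKAMAI_RE.search(host):
        return "weak"
    return None


def scan_log(log_text):
    """Return {client: Counter({'strong': n, 'weak': m})} for clients with hits."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, hostport = parts[0], parts[2]
        host = hostport.rsplit(":", 1)[0]      # drop the :port suffix
        strength = classify(host)
        if strength:
            hits.setdefault(client, Counter())[strength] += 1
    return hits


def clients_to_triage(log_text, min_strong=2):
    """Clients that reached at least `min_strong` distinct-or-repeated strong
    endpoints; Akamai-only traffic never qualifies on its own."""
    return sorted(c for c, cnt in scan_log(log_text).items() if cnt["strong"] >= min_strong)


if __name__ == "__main__":
    for client, counts in sorted(scan_log(SAMPLE_LOG).items()):
        print(f"{client}: strong={counts['strong']} weak={counts['weak']}")
    print("triage:", clients_to_triage(SAMPLE_LOG))
```

The threshold of two strong hits is a starting point, not a verdict: a browser session on an ad-supported site can reach the same analytics and advertising hosts, so a flagged client still needs the Run-key and file-hash checks before anything is concluded.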

Remove dailywiki.exe - Powered by Reason Core Security