dailywiki.exe

DailyWiki

The executable dailywiki.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘DailyWiki’. While running, it connects to the Internet address bam-7.nr-data.net on port 443.
Publisher:
DailyWiki  (signed and verified)

MD5:
00e792e7ad25d21701c210cac81aff8f

SHA-1:
bcb728b257c9fee7707fc07b24129bf5b6b20d78

SHA-256:
8b3057143afd274c514fdf65e7c6ead8df4eee0f6e081d9b3871c20a58788052

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
1/23/2018 6:53:54 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP (M)

Engine version:
16.10.2.6

File size:
47.9 MB (50,242,592 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\dailywiki\dailywiki.exe

Digital Signature
Signed by:

Authority:
DailyWiki

Valid from:
9/19/2015 11:16:51 AM

Valid to:
9/16/2025 11:16:51 AM

Subject:
CN=DailyWiki, O=DailyWiki, S=Some-State, C=US

Issuer:
CN=DailyWiki, O=DailyWiki, S=Some-State, C=US

Serial number:
00DE81C7E6A224F568

File PE Metadata
Compilation timestamp:
2/20/2016 3:43:51 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
786432:IuK9C64r1c7VQZgnUrurLpbH05yL5dsuUQq6+4UYOkdOXQpk7twu:FwC64r1c6ZgnUSrLpbUAdBUQq6/BLFkl

Entry address:
0x1C9A031

Entry point:
E8, 5A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, D9, 20, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...

Entropy:
6.9679

Code size:
34.9 MB (36,634,112 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
DailyWiki

Command:
C:\users\{user}\appdata\roaming\dailywiki\dailywiki.exe su


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to 216.74.32.88.static.sfo.hosting.com  (216.74.32.88:443)

TCP (HTTP):
Connects to a92-123-180-200.deploy.akamaitechnologies.com  (92.123.180.200:80)

TCP (HTTP):
Connects to a104-121-1-229.deploy.static.akamaitechnologies.com  (104.121.1.229:80)

TCP (HTTP SSL):
Connects to a23-74-119-203.deploy.static.akamaitechnologies.com  (23.74.119.203:443)

TCP (HTTP):
Connects to a184-87-179-232.deploy.static.akamaitechnologies.com  (184.87.179.232:80)

TCP (HTTP SSL):
Connects to a104-82-191-115.deploy.static.akamaitechnologies.com  (104.82.191.115:443)

TCP (HTTP SSL):
Connects to a104-121-5-46.deploy.static.akamaitechnologies.com  (104.121.5.46:443)

TCP (HTTP):
Connects to x.ligatus.com  (81.26.166.11:80)

TCP (HTTP):
Connects to server-54-230-197-82.lhr50.r.cloudfront.net  (54.230.197.82:80)

TCP (HTTP):
Connects to server-54-230-197-197.lhr50.r.cloudfront.net  (54.230.197.197:80)

TCP (HTTP):
Connects to server-54-192-199-56.lhr50.r.cloudfront.net  (54.192.199.56:80)

TCP (HTTP):
Connects to server-54-192-196-97.lhr50.r.cloudfront.net  (54.192.196.97:80)

TCP (HTTP SSL):
Connects to m-prd-umpxl-adcom-mtc-b.evip.aol.com  (149.174.28.143:443)

TCP (HTTP SSL):
Connects to img.ccmbg.com  (195.248.251.143:443)

TCP (HTTP):
Connects to hotelamur.ru  (62.109.15.15:80)

TCP (HTTP):
Connects to h300.meetrics.de  (136.243.12.41:80)

TCP (HTTP SSL):
Connects to h297.meetrics.de  (78.46.71.232:443)

TCP (HTTP SSL):
Connects to h295.meetrics.de  (78.46.73.168:443)

TCP (HTTP):
Connects to ec2-54-247-117-232.eu-west-1.compute.amazonaws.com  (54.247.117.232:80)

Remove dailywiki.exe - Powered by Reason Core Security