DuuquUpdate.exe

Duuqu Update

Duuqu Group OU

The application DuuquUpdate.exe by Duuqu Group OU has been detected as adware by 2 anti-malware scanners. It runs as a Windows service named “Duuqu Update Service (dqupdate)” in its own separate process. It also runs as a scheduled task under the Windows Task Scheduler named DuuquUpdateTaskMachineCore, triggered each time a user logs in. While running, it connects to the Internet address ip-static-94-242-251-63.server.lu on port 80 using the HTTP protocol.
Publisher:
Duuqu Group (signed by Duuqu Group OU)

Product:
Duuqu Update

Description:
Duuqu Installer

Version:
1.3.37.0

MD5:
136e913b1d3771b3535c3622c36b5e38

SHA-1:
d24c52c0c29fb30a2e842b08292a8de1fd4a3f25

SHA-256:
1da8a0e8d4d3701020958bbf89fa781e47a19a55524c2f9b8dca358b58321422

Scanner detections:
2 / 68

Status:
Adware

Analysis date:
4/24/2024 11:02:55 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Service.DuuquGroupOU.L

Engine version:
14.8.7.21

Scan engine:
Rising Antivirus

Detection:
PE:Trojan.GenericKDV!6.B5C

Engine version:
23.00.65.131227

File size:
96.1 KB (98,360 bytes)

Product version:
1.3.37.0

Copyright:
Copyright 2010-2012 Duuqu Group

Original file name:
DuuquUpdate.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\duuqu\update\duuquupdate.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
8/8/2012 5:00:00 PM

Valid to:
8/9/2014 4:59:59 PM

Subject:
CN=Duuqu Group OU, O=Duuqu Group OU, L=Tallinn, S=Harju, C=EE

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
162E253D4CB8942D57DC084A3456BA93

File PE Metadata
Compilation timestamp:
10/30/2012 1:04:04 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
1536:o+QVaIlvZoTd1LzpUlkBbB4sRrFwQphPd90+Sv9U8/YyY:oruLzpZHRrFwQnI+Sv9U8/YL

Entry address:
0x4D36

Entry point:
E8, 3B, 24, 00, 00, E9, 79, FE, FF, FF, 6A, 0C, 68, C8, 30, 41, 00, E8, 84, 00, 00, 00, 8B, 75, 08, 85, F6, 74, 75, 83, 3D, 9C, 0C, 41, 00, 03, 75, 43, 6A, 04, E8, 25, 26, 00, 00, 59, 83, 65, FC, 00, 56, E8, 4D, 26, 00, 00, 59, 89, 45, E4, 85, C0, 74, 09, 56, 50, E8, 6E, 26, 00, 00, 59, 59, C7, 45, FC, FE, FF, FF, FF, E8, 0B, 00, 00, 00, 83, 7D, E4, 00, 75, 37, FF, 75, 08, EB, 0A, 6A, 04, E8, 11, 25, 00, 00, 59, C3, 56, 6A, 00, FF, 35, 04, F7, 40, 00, FF, 15, 7C, 10, 41, 00, 85, C0, 75, 16, E8, F0, 06, 00...

Entropy:
6.3401

Code size:
51.5 KB (52,736 bytes)

2 Scheduled Tasks
Task name:
DuuquUpdateTaskMachineCore

Trigger:
Logon (Runs on logon)

Task name:
DuuquUpdateTaskMachineUA

Trigger:
Daily (Runs daily at 01:26)


2 Services
Display name:
Duuqu Update Service (dqupdate)

Service name:
dqupdate

Description:
Keeps your Duuqu software up to date. If this service is disabled or stopped, your Duuqu software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and featu

Type:
Win32OwnProcess

Display name:
Duuqu Update Service (dqupdatem)

Service name:
dqupdatem

Description:
Keeps your Duuqu software up to date. If this service is disabled or stopped, your Duuqu software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and featu

Type:
Win32OwnProcess


When executed, the file has been observed making the following network communication in live environments.

TCP (HTTP):
Connects to ip-static-94-242-251-63.server.lu  (94.242.251.63:80)

Remove DuuquUpdate.exe - Powered by Reason Core Security