gupdate.exe

Java Platform SE 7 U40

The executable gupdate.exe, whose version information describes it as “Java Control Panel” (original file name javacpl.exe) and names Oracle Corporation as publisher without a valid match, has been detected as malware by 27 of 68 anti-virus scanners. It is set to execute automatically when any user logs into Windows, through a value named ‘gupdate’ in the machine-wide HKLM Run key (all users), not a per-user Run key. While running, it connects to srv118-131-240-87.vk.com on port 443 and makes the further HTTP and SMTP connections listed below.
Publisher:
Oracle Corporation*  (Invalid match: the claimed publisher is not verified)

Product:
Java(TM) Platform SE 7 U40

Description:
Java Control Panel

Version:
10.40.2.43

MD5:
7de41ea87846dd14274c2c5ad1dc0642

SHA-1:
97b991e8516b1810e7b5575c4575bc323d33aebe

Scanner detections:
27 / 68

Status:
Malware

Analysis date:
4/24/2024 11:13:33 PM UTC

Scan engine                    Detection                         Engine version
Lavasoft Ad-Aware              Gen:Variant.Symmi.48325           776
AhnLab V3 Security             Trojan/Win32.MDA                  2014.11.26
Avira AntiVirus                TR/ATRAPS.Gen4                    7.11.188.174
avast!                         Win32:Injector-CFX [Trj]          2014.9-141221
AVG                            Win32/Cryptor                     2015.0.3254
Baidu Antivirus                Backdoor.Win32.Androm             4.0.3.141221
Bitdefender                    Gen:Variant.Symmi.48325           1.0.20.1775
Dr.Web                         Trojan.DownLoader11.44205         9.0.1.0355
Emsisoft Anti-Malware          Gen:Variant.Symmi.48325           8.14.12.21.08
ESET NOD32                     Win32/Injector.BPJM (variant)     8.10778
Fortinet FortiGate             W32/Injector.BPEQ!tr              12/21/2014
F-Prot                         W32/Trojan3.MDA                   v6.4.7.1.166
F-Secure                       Gen:Variant.Symmi.48325           11.2014-21-12_1
G Data                         Gen:Variant.Symmi.48325           14.12.24
Kaspersky                      Backdoor.Win32.Androm             14.0.0.2763
Malwarebytes                   Trojan.Rupest                     v2014.12.21.08
McAfee                         Artemis!7DE41EA87846              5600.6910
Microsoft Security Essentials  VirTool:Win32/Injector.EY         1.11202
MicroWorld eScan               Gen:Variant.Symmi.48325           15.0.0.1065
NANO AntiVirus                 Trojan.Win32.Staser.dixznj        0.28.6.63726
Panda Antivirus                Trj/CI.A                          14.12.21.08
Qihoo 360 Security             HEUR/QVM10.1.Malware.Gen          1.0.0.1015
Sophos                         Troj/Agent-AKAQ                   4.98
Trend Micro House Call         TROJ_GEN.R08NB01KK14              7.2.355
Vba32 AntiVirus                Backdoor.Androm                   3.12.26.3
VIPRE Antivirus                Trojan.Win32.Ropest.ab            35118
Zillya! Antivirus              Backdoor.Ruskill.Win32.3175       2.0.0.1992

Most detections are generic injector, downloader or heuristic names; only Baidu, Kaspersky and Vba32 assign a family (Androm), and the McAfee and Qihoo entries are cloud/heuristic verdicts rather than signatures.

File size:
135 KB (138,240 bytes)

Product version:
7.0.400.43

Copyright:
Copyright © 2013

Original file name:
javacpl.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\company\gupdate\gupdate.exe

File PE Metadata
Compilation timestamp:
11/13/2014 11:03:22 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
1536:I+1RJKp46vkNREw4n3yylsWOjeN7ZlAQN0hBrg7qjh3rmKPNRsbAg:JzfREw4n3yylsfckhRfjZqMNRsEg

Entry address:
0x9C40

Entry point:
E8, 07, 22, 00, 00, E9, 78, FE, FF, FF, 2D, A4, 03, 00, 00, 74, 22, 83, E8, 04, 74, 17, 83, E8, 0D, 74, 0C, 48, 74, 03, 33, C0, C3, B8, 04, 04, 00, 00, C3, B8, 12, 04, 00, 00, C3, B8, 04, 08, 00, 00, C3, B8, 11, 04, 00, 00, C3, 8B, FF, 56, 57, 8B, F0, 68, 01, 01, 00, 00, 33, FF, 8D, 46, 1C, 57, 50, E8, 60, 22, 00, 00, 33, C0, 0F, B7, C8, 8B, C1, 89, 7E, 04, 89, 7E, 08, 89, 7E, 0C, C1, E1, 10, 0B, C1, 8D, 7E, 10, AB, AB, AB, B9, 78, 49, 41, 00, 83, C4, 0C, 8D, 46, 1C, 2B, CE, BF, 01, 01, 00, 00, 8A, 14, 01...

Code size:
60.5 KB (61,952 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
gupdate

Command:
C:\Program Files\company\gupdate\gupdate.exe
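The Run-key entry above is the artifact an incident responder would look for on other hosts. The following is an added example for this page, not Reason Core Security's code: it parses an offline `reg export` dump of the Run keys and reports entries whose command path matches the reported location. Assumptions not taken from the report: that the keys were collected with `reg export` (reg.exe writes UTF-16LE, so open such a file with encoding="utf-16"), and the constructed SAMPLE_REG text. Note that 'gupdate' is also the name of the legitimate Google Update service, so the value name alone is weak evidence; the command path is what ties an entry to this sample.

```python
r"""Triage an offline `reg export` dump for the Run-key persistence described above.

Added example; not Reason Core Security's code. Assumed collection command (not
from the report):
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg /y
"""
import re
from typing import Dict, List, Tuple

# Indicators taken from the report.
IOC_RUN_NAME = "gupdate"
IOC_RUN_PATH = r"C:\Program Files\company\gupdate\gupdate.exe"

# Constructed sample dump: a benign machine-wide entry, the reported entry, and a
# per-user entry with a quoted command line. reg.exe doubles backslashes and
# escapes embedded quotes inside REG_SZ values.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"gupdate"="C:\\Program Files\\company\\gupdate\\gupdate.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="string"  or  "name"=hex:... (only REG_SZ strings are unescaped here)
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(?:"((?:[^"\\]|\\.)*)"|(.+))$')
_RUN_KEYS = (r"\CURRENTVERSION\RUN", r"\CURRENTVERSION\RUNONCE")


def _unescape(s: str) -> str:
    # .reg escaping: a backslash escapes the following character.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: value}} for every key in a .reg dump."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = _VALUE_RE.match(line)
        if val and current is not None:
            name = _unescape(val.group(1))
            data = _unescape(val.group(2)) if val.group(2) is not None else val.group(3)
            keys[current][name] = data
    return keys


def exe_path(command: str) -> str:
    """Executable part of a Run command: the quoted token, or text up to '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def find_gupdate_persistence(reg_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (key, value_name, exe_path, reason) for Run entries matching the report."""
    hits: List[Tuple[str, str, str, str]] = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.upper().endswith(_RUN_KEYS):
            continue
        for name, command in values.items():
            exe = exe_path(command)
            if exe.lower() == IOC_RUN_PATH.lower():
                hits.append((key, name, exe, "command path matches the reported IOC"))
            elif name.lower() == IOC_RUN_NAME:
                # Same value name, different path: could be Google Update; verify manually.
                hits.append((key, name, exe, "value name 'gupdate' with a different path; verify manually"))
    return hits


if __name__ == "__main__":
    for key, name, exe, reason in find_gupdate_persistence(SAMPLE_REG):
        print(f"{key}\n  {name} -> {exe}\n  {reason}")
```

Run it against a real export by reading the file with `open(path, encoding="utf-16")` and passing the text to `find_gupdate_persistence`. The parser deliberately skips `hex(2):` (REG_EXPAND_SZ) values, which appear when an installer wrote the Run entry with environment variables; extend `_VALUE_RE` if your dump has them.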


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to srv118-131-240-87.vk.com  (87.240.131.118:443)

TCP (SMTP):
Connects to smtp.rambler.ru  (81.19.77.167:25)

TCP (SMTP):
Connects to smtp.pt.lu  (195.46.255.244:25)

TCP (HTTP):
Connects to rev-213-81-185-188.zoznam.sk  (213.81.185.188:80)

TCP (SMTP):
Connects to mx2.exponential-e.net  (62.244.176.192:25)

TCP (HTTP):
Connects to host-37-247-108-21.routergate.com  (37.247.108.21:80)

TCP (HTTP):
Connects to ec2-54-201-175-242.us-west-2.compute.amazonaws.com  (54.201.175.242:80)
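The destinations listed above are usable as network indicators, with two caveats a practitioner should keep in mind: the vk.com and EC2 names are shared infrastructure, so a match there is a lead rather than a verdict, and the three SMTP destinations will change, so the durable signal is a workstation opening outbound TCP/25 at all. The following added example (not Reason Core Security's code) applies both rules to connection logs. Assumptions not taken from the report: the log format (one whitespace-separated connection per line: timestamp, source IP, source port, destination IP, destination port, protocol, destination host), the INTERNAL_NET range, the MAIL_RELAYS allow-list, and the constructed SAMPLE_LOG lines.

```python
"""Match the report's network indicators against connection logs.

Added example; not Reason Core Security's code. Log format, INTERNAL_NET,
MAIL_RELAYS and SAMPLE_LOG are assumptions made for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# (host, ip, port) as observed in the report.
NETWORK_IOCS = [
    ("srv118-131-240-87.vk.com", "87.240.131.118", 443),
    ("smtp.rambler.ru", "81.19.77.167", 25),
    ("smtp.pt.lu", "195.46.255.244", 25),
    ("rev-213-81-185-188.zoznam.sk", "213.81.185.188", 80),
    ("mx2.exponential-e.net", "62.244.176.192", 25),
    ("host-37-247-108-21.routergate.com", "37.247.108.21", 80),
    ("ec2-54-201-175-242.us-west-2.compute.amazonaws.com", "54.201.175.242", 80),
]
IOC_HOSTS = {host.lower() for host, _, _ in NETWORK_IOCS}
IOC_IPS = {ip for _, ip, _ in NETWORK_IOCS}

# Site-specific assumptions (not from the report).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
MAIL_RELAYS = {"10.0.0.5"}  # the only internal hosts allowed to speak SMTP outbound

# Constructed sample: 10.0.0.15 behaves like the infected host, 10.0.0.5 is the relay.
SAMPLE_LOG = """\
# ts src_ip src_port dst_ip dst_port proto dst_host
2014-12-21T10:01:02Z 10.0.0.15 49211 87.240.131.118 443 tcp srv118-131-240-87.vk.com
2014-12-21T10:01:05Z 10.0.0.15 49212 81.19.77.167 25 tcp smtp.rambler.ru
2014-12-21T10:01:09Z 10.0.0.15 49213 198.51.100.7 25 tcp mx.example.net
2014-12-21T10:02:00Z 10.0.0.20 49300 203.0.113.10 443 tcp www.example.com
2014-12-21T10:02:30Z 10.0.0.5 50100 198.51.100.7 25 tcp mx.example.net
"""


@dataclass(frozen=True)
class Hit:
    line_no: int
    rule: str      # "ioc-match" or "workstation-smtp"
    src_ip: str
    dst: str       # "host (ip:port)"


def match_connections(log_text: str) -> List[Hit]:
    """Apply both rules to every connection line; return hits in log order."""
    hits: List[Hit] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 7:
            continue
        _ts, src_ip, _sport, dst_ip, dst_port, proto, dst_host = fields[:7]
        port = int(dst_port)
        dst = f"{dst_host} ({dst_ip}:{port})"

        # Rule 1: exact match on a reported destination host or IP. Shared
        # infrastructure (vk.com, EC2) makes this a lead, not a verdict.
        if dst_ip in IOC_IPS or dst_host.lower().rstrip(".") in IOC_HOSTS:
            hits.append(Hit(line_no, "ioc-match", src_ip, dst))

        # Rule 2: outbound SMTP from an internal host that is not a mail relay.
        # This still fires when the malware moves on to other MX hosts.
        if (proto.lower() == "tcp" and port == 25
                and ipaddress.ip_address(src_ip) in INTERNAL_NET
                and src_ip not in MAIL_RELAYS):
            hits.append(Hit(line_no, "workstation-smtp", src_ip, dst))
    return hits


def suspect_hosts(hits: List[Hit]) -> List[str]:
    """Internal sources with at least one hit, most hits first."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.src_ip] = counts.get(h.src_ip, 0) + 1
    return sorted(counts, key=lambda ip: (-counts[ip], ip))


if __name__ == "__main__":
    found = match_connections(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.rule:17} {h.src_ip} -> {h.dst}")
    print("suspect hosts:", suspect_hosts(found))
```

On the constructed sample the relay's own port-25 traffic is ignored while the workstation's SMTP attempt to an unlisted MX host is still caught, which is the point of keeping rule 2 separate from the indicator list.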

Powered by Reason Core Security