icreinstall_pdfreadersetup.exe

JumpyApps

The installer utilizes InstallCore which may bundle about 3-4 offers for various ad-supported toolbars, extensions and utilities. The application icreinstall_pdfreadersetup.exe by JumpyApps has been detected as adware by 16 anti-malware scanners. The program is a setup application that uses the installCore installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address os.solvefile.com on port 80 using the HTTP protocol.
Remove icreinstall_pdfreadersetup.exe - Powered by Reason Core Security
Publisher:
JumpyApps  (signed and verified)

MD5:
6636be119f46791c8c88c02f7f21e972

SHA-1:
54713991da676876086fe824551ada04493dd874

SHA-256:
7f31112099bae0489910549f372b2c768cb289b9ad2d2eea6215a623b029b6f4

Scanner detections:
16 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
12/5/2016 9:44:31 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.InstallCore
7.1.1

Avira AntiVirus
Adware/InstallCo.IU.55
7.11.154.46

Antiy Labs AVL
Trojan/Win32.SGeneric
1.0.0.1

AVG
Adware InstallCore.CG
2014.0.3955

Dr.Web
Trojan.Packed.24814
9.0.1.05190

ESET NOD32
Win32/InstallCore.IU potentially unwanted application
7.0.302.0

G Data
Win32.Application.InstallCore
14.6.24

K7 AntiVirus
Trojan
13.1712358

K7 Gateway Antivirus
Trojan
13.1712358

NANO AntiVirus
Trojan.Win32.DP.cydaah
0.28.0.60253

Qihoo 360 Security
Malware.QVM20.Gen
1.0.0.1015

Reason Heuristics
PUP.Installer.JumpyApps.AA
14.8.7.18

Rising Antivirus
PE:Malware.XPACK-LNR/Heur!1.5594
23.00.65.14608

The Hacker
Trojan/Kryptik.bwam
6.8.0.5.466

VIPRE Antivirus
Threat.4786018
30086

Remove icreinstall_pdfreadersetup.exe - Powered by Reason Core Security
File size:
1.3 MB (1,315,784 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore

Common path:
C:\users\{user}\appdata\local\temp\icreinstall_pdfreadersetup.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
2/18/2013 1:00:00 AM

Valid to:
2/19/2014 12:59:59 AM

Subject:
CN=JumpyApps, O=JumpyApps, STREET=63 Rothschild Blvd., L=Tel Aviv, S=NA, PostalCode=65785, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
6DB423F9C6473168CF486AAF112EDD5C

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:kyS/EevNAchU+JrpbCI6BW0+s/xSjAO/mQtwZcA1RQ62uSRNDcSy7/:3wN1pbv/AO/mQiZcA12lRDcT7/

Entry address:
0xBAB4

Entry point:
55, 8B, EC, 83, C4, F4, B8, 54, BA, 40, 00, E8, 70, 96, FF, FF, 68, E0, BA, 40, 00, E8, 72, 97, FF, FF, 68, E0, BA, 40, 00, 6A, 00, E8, 3E, 97, FF, FF, E8, 8D, 75, FF, FF, 00, 64, 73, 61, 64, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
43 KB (44,032 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to os.solvefile.com  (207.189.109.121:80)

TCP (HTTP):
Connects to cdnus.solvefile.com  (207.189.109.121:80)

Remove icreinstall_pdfreadersetup.exe - Powered by Reason Core Security