java.exe

Payments Interactive SL

This is the Tuguu DomaIQ download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application java.exe by Payments Interactive SL has been detected as adware by 34 anti-malware scanners. The program is a setup application that uses the TUGUU DomaIQ Setup installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from www.dundown.com.
Publisher:
Payments Interactive SL  (signed and verified)

MD5:
9a80c26d8d50608fbfa6db44dc99d98f

SHA-1:
d8d03e261bd4f46ef401d5bdc21554a9964e6a59

SHA-256:
fbff8122f0c347e46102d71935abb5be76c5fc386c755c79c11ea4bca1a41d38

Scanner detections:
34 / 68

Status:
Adware

Explanation:
Uses the DomaIQ download manager to bundle additional potentially unwanted software without adequate consent.

Description:
This is also known as bundleware or downloadware: a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
4/26/2024 12:24:33 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Application.Bundler.DomaIQ.Q | 914
Agnitum Outpost | PUA.DomaIQ | 7.1.1
AhnLab V3 Security | PUP/Win32.DomaIQ | 2014.08.18
Avira AntiVirus | TR/Inject.owlpanom | 7.11.167.196
avast! | Win32:DomaIQ-BO [PUP] | 2014.9-140804
AVG | Trojan horse Downloader.Generic13.CIDW.dropper | 2015.0.3392
Bitdefender | Application.Bundler.DomaIQ.Q | 1.0.20.1080
Clam AntiVirus | Win.Adware.Agent-7150 | 0.98/19289
Comodo Security | Application.Win32.DomaIQ.XFR | 19227
Dr.Web | Trojan.BPlug.78 | 9.0.1.0216
Emsisoft Anti-Malware | Application.Bundler.DomaIQ.Q | 8.14.09.12.03
ESET NOD32 | Win32/DomaIQ.BI potentially unwanted application | 8.7.0.302.0
F-Prot | W32/DomaIQ.E | v6.4.6.5.141
F-Secure | Application.Bundler.DomaIQ | 11.2014-04-08_2
G Data | Application.Bundler.DomaIQ | 14.8.24
herdProtect (fuzzy) | | 2014.9.12.7
IKARUS anti.virus | PUA.PaymentsInter | t3scan.1.7.5.0
K7 AntiVirus | Unwanted-Program | 13.183.13054
Kaspersky | not-a-virus:AdWare.MSIL.DomaIQ | 14.0.0.3456
Malwarebytes | PUP.Optional.DomaIQ | v2014.08.04.05
McAfee | Adware-DomaIQ | 5600.7048
Microsoft Security Essentials | Threat.Undefined | 1.179.3249.0
MicroWorld eScan | Application.Bundler.DomaIQ.Q | 15.0.0.648
NANO AntiVirus | Riskware.Win32.Generic.dbebaf | 0.28.2.61519
Panda Antivirus | PUP/MultiToolbar.A | 14.08.04.05
Reason Heuristics | PUP.PaymentsInteractiveSL.E | 14.8.7.23
Rising Antivirus | PE:Trojan.Win32.Generic.16DCFBA2!383581090 | 23.00.65.14802
Sophos | DomainIQ pay-per install | 4.98
SUPERAntiSpyware | Trojan.Agent/Gen-Tugspay | 10442
Trend Micro House Call | TROJ_SPNR.15GA14 | 7.2.216
Trend Micro | TROJ_SPNR.15GA14 | 10.465.04
Vba32 AntiVirus | AdWare.Lollipop | 3.12.26.3
VIPRE Antivirus | Threat.4150696 | 32210
Zillya! Antivirus | Adware.Lollipop.Win32.190 | 2.0.0.1880

File size:
283.5 KB (290,328 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
TUGUU DomaIQ Setup

Common path:
C:\users\{user}\downloads\java.exe

Digital Signature
Authority:
GoDaddy.com, Inc.

Valid from:
12/5/2013 3:09:43 PM

Valid to:
12/5/2014 3:09:43 PM

Subject:
CN=Payments Interactive SL, O=Payments Interactive SL, L=Adeje, S=Santa cruz de Tenerife, C=ES

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
4EAD03AB9EAF7D

File PE Metadata
Compilation timestamp:
6/17/2014 12:17:30 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:mwR5za+HqlckLlSNb8uBaKxW6cG+GF6nTg9TYcg:dR5zaoMckLMNGKxW6L+GFwTg9ng

Entry address:
0x609F

Entry point:
B8, 6C, EE, 4C, 00, 50, 64, FF, 35, 00, 00, 00, 00, 64, 89, 25, 00, 00, 00, 00, 33, C0, 89, 08, 65, 73, 6F, 6E, 6F, 73, 65, 6C, 6F, 63, 00, C2, 57, 8B, F3, 00, DE, 5C, 15, 60, 5E, 16, BC, C1, D7, 51, 99, 02, DC, C9, FD, 80, B5, BB, A0, 31, 5E, 9C, B6, 03, 10, C2, A4, 38, D3, 1A, E9, 04, 36, 7D, 4F, A9, 99, B3, 7C, 7B, 2D, 2C, 1C, 69, 40, C9, AE, A7, 85, FD, 1A, FB, 0F, A2, E8, 59, 7E, C5, 23, 49, EB, 74, 3B, A3, C5, 20, 2C, E0, CD, 4C, E7, 5B, 7F, AD, A3, 13, B3, BB, FF, 3E, 54, CD, E5, AD, 20, 38, B8, 72...
Code size:
111 KB (113,664 bytes)

The file java.exe has been seen being distributed by the following URL.