jumpflip.purbrowse64.exe

Jump Flip

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application jumpflip.purbrowse64.exe by Jump Flip has been detected as adware by 16 anti-malware scanners. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages. While running, it connects to the Internet address install.jumpflip.net on port 80 using the HTTP protocol.
Remove jumpflip.purbrowse64.exe - Powered by Reason Core Security
Publisher:
Jump Flip  (signed and verified)

MD5:
09be957b22cfb48654962280d54f124c

SHA-1:
dc18a204de2f8a36af6e83dd988f0996a5eebe45

SHA-256:
6e4dab324e097723a49cf9714b51cf02ead9d3a7163972b6977f591a645e1a6f

Scanner detections:
16 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
12/5/2016 11:49:55 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.SwiftBrowse.P
970

Agnitum Outpost
PUA.LinkSwift
7.1.1

Antiy Labs AVL
GrayWare[AdWare:not-a-virus]/Win32.LinkSwift
1.0.0.1

AVG
Adware BrowseFox.A
2014.0.3955

Baidu Antivirus
Adware.Win64.BrowseFox
4.0.3.14610

Bitdefender
Adware.SwiftBrowse.P
1.0.20.805

Emsisoft Anti-Malware
Adware.SwiftBrowse.P
8.14.06.10.10

ESET NOD32
Win64/BrowseFox.A potentially unwanted application
7.0.302.0

F-Secure
Adware.SwiftBrowse.P
11.2014-10-06_3

G Data
Adware.SwiftBrowse
14.6.24

IKARUS anti.virus
AdWare.BrowseFox
t3scan.1.6.1.0

Jiangmin
AdWare/LinkSwift.bl
KV140610

MicroWorld eScan
Adware.SwiftBrowse.P
15.0.0.483

nProtect
Adware.SwiftBrowse.P
14.06.10.01

Reason Heuristics
Adware.Yontoo.JumpFlip.T
14.8.8.0

VIPRE Antivirus
Threat.4150696
30086

Remove jumpflip.purbrowse64.exe - Powered by Reason Core Security
File size:
280.3 KB (287,008 bytes)

File type:
Executable application (Win64 EXE)

Common path:
C:\Program Files\jump flip\bin\jumpflip.purbrowse64.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
8/22/2013 2:00:00 AM

Valid to:
8/23/2015 1:59:59 AM

Subject:
CN=Jump Flip, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Jump Flip, L=Santa Monica, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
144CF0B61216826C7F439B5C91A6ABD6

File PE Metadata
Compilation timestamp:
4/8/2014 4:22:58 AM

OS version:
5.2

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
10.0

CTPH (ssdeep):
6144:hICH0pAvY1Q5vQhQc4BHi4zQqATmr7D647YGTB95k2asmNoNz:uCH0pQhQm7EWJ7YGTPW3sJ

Entry address:
0x20140

Entry point:
48, 83, EC, 28, E8, 53, 77, 00, 00, 48, 83, C4, 28, E9, 76, FE, FF, FF, CC, CC, 48, 89, 5C, 24, 10, 48, 89, 7C, 24, 18, 55, 48, 8B, EC, 48, 83, EC, 60, 48, 8B, FA, 48, 8B, D9, 48, 8D, 4D, C0, 48, 8D, 15, 49, 05, 01, 00, 41, B8, 40, 00, 00, 00, E8, 8E, E4, FF, FF, 48, 8D, 55, 10, 48, 8B, CF, 48, 89, 5D, E8, 48, 89, 7D, F0, E8, 0E, 99, 00, 00, 4C, 8B, D8, 48, 89, 45, 10, 48, 89, 45, F8, 48, 85, FF, 74, 1B, F6, 07, 08, B9, 00, 40, 99, 01, 74, 05, 89, 4D, E0, EB, 0C, 8B, 45, E0, 4D, 85, DB, 0F, 44, C1, 89, 45...
 
[+]

Code size:
185 KB (189,440 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to install.jumpflip.net  (70.186.131.184:80)

Remove jumpflip.purbrowse64.exe - Powered by Reason Core Security