jzipsetup-r3-n-bc.exe

jZip

Bandoo Media Inc

The application jzipsetup-r3-n-bc.exe by Bandoo Media Inc has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from download.cdn.jzip.com and multiple other hosts. While running, it connects to the Internet address cdn-117-121-249-254.sin.llnw.net on port 80 using the HTTP protocol.
Publisher:
Bandoo Media Inc  (signed and verified)

Product:
jZip

Description:
jZip Install

Version:
2.0.0.136510

MD5:
914713d358f46cb82396b471fb779c1e

SHA-1:
6ea628db250ef9536d627f5c6699aff826107171

SHA-256:
5d5add0161b7acbf1c645965397b798213153988d952147febfbccffde8b7387

Scanner detections:
1 / 68

Status:
Potentially unwanted

Explanation:
May bundle additional software offers in the setup installer, including a branded Ask.com Toolbar (Movies/Music Toolbar).

Analysis date:
4/30/2024 9:48:19 PM UTC

Scan engine:
Reason Heuristics

Detection:
Win32.Generic

Engine version:
16.7.4.9

File size:
1.2 MB (1,293,640 bytes)

Product version:
2.0.0.136510

Copyright:
Copyright (c) 2015 Bandoo Media Inc

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\jzipsetup-r3-n-bc.exe

Digital Signature
Authority:
thawte, Inc.

Valid from:
10/19/2015 2:00:00 AM

Valid to:
10/5/2016 1:59:59 AM

Subject:
CN=Bandoo Media Inc, O=Bandoo Media Inc, L=Panama City, S=Panama, C=PA

Issuer:
CN=thawte SHA256 Code Signing CA - G2, O="thawte, Inc.", C=US

Serial number:
6B956A6578BE9947ED82830D03DF2E2E

File PE Metadata
Compilation timestamp:
2/24/2012 9:20:04 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:CrK69yus8hqY0nUTuRRopfwbWaiuBov11iW6mfBGvVa4b:wyoqFU6RRopfwb3vBop6SBG9aG

Entry address:
0x38AF

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 68, A2, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 90, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 90, 40, 00, 55, FF, 15, C0, 92, 40, 00, 6A, 08, A3, 98, EB, 47, 00, E8, 36, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, EA, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 64, A2, 40, 00, FF, 15, 84, 91, 40, 00, 68, 4C, A2, 40, 00, 68, A0, 6A, 47, 00, E8, 18, 27, 00, 00, FF, 15, B0, 90, 40, 00, 50, BF, A0, F0, 4C, 00, 57, E8, 06, 27, 00, 00...

Entropy:
7.9587

Packer / compiler:
Nullsoft install system v2.x

Code size:
29 KB (29,696 bytes)

The file jzipsetup-r3-n-bc.exe has been seen being distributed by the following 8 URLs.

http://download.cdn.jzip.com/cdn/r/.../jZipSetup-r2-n-bi.exe

http://download18.cdn.jzip.com/cdn/r/.../jZipSetup-r9-n-bc.exe

http://download.cdn.jzip.com/cdn/r/.../jZipSetup-r20-n-bc.exe

http://download.cdn.jzip.com/cdn/r/.../jZipSetup-r0-n.exe

http://download.cdn.jzip.com/cdn/r/.../jZipSetup-r9-n-bi.exe

http://download.cdn.jzip.com/cdn/r/.../jZipSetup-r32-n-bi.exe

http://download.cdn.jzip.com/cdn/r/.../jZipSetup-r4-n-bi.exe

http://download.jzip.com/jZipSetup.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to cdn-87-248-195-253.lin.llnw.net  (87.248.195.253:80)

TCP (HTTP):
Connects to https-69-28-164-0.dal.llnw.net  (69.28.164.0:80)

TCP (HTTP):
Connects to https-103-53-14-0.maa.llnw.net  (103.53.14.0:80)

TCP (HTTP):
Connects to cdn-203-77-188-253.hkg.llnw.net  (203.77.188.253:80)

TCP (HTTP):
Connects to cdn-178-79-196-253.pmo.llnw.net  (178.79.196.253:80)

TCP (HTTP):
Connects to cdn-68-142-101-7.mia1.llnw.net  (68.142.101.7:80)

TCP (HTTP):
Connects to cdn-117-121-249-254.sin.llnw.net  (117.121.249.254:80)

TCP (HTTP):
Connects to https-178-79-251-128.lcy.llnw.net  (178.79.251.128:80)

TCP (HTTP):
Connects to https-178-79-238-128.mrs.llnw.net  (178.79.238.128:80)

TCP (HTTP):
Connects to cdn-87-248-203-254.ams.llnw.net  (87.248.203.254:80)

Remove jzipsetup-r3-n-bc.exe - Powered by Reason Core Security