Updater.exe

Updater

LADY'S WOOD 2013 LIMITED

This adware is a web browser extension that injects advertising into the browser in the form of unwanted banners and text links, which may lead to malware sites and install unwanted software. The application Updater.exe by LADY'S WOOD 2013 LIMITED has been detected as adware by 13 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered daily at a specified time. This file is typically installed with the program Oxy updater by SOFTWARE AGILITY LIMITED, which is a potentially unwanted software program. It is part of the Brightcircle group of web extensions that inject advertisements into the browser.
Publisher:
LADY'S WOOD 2013 LIMITED  (signed and verified)

Product:
Updater

Version:
1.0.0.0

MD5:
45785480ccd105c206b4838ec2039a6f

SHA-1:
8c16c4bb963abedff13717a74cf31104244ed2d7

SHA-256:
e27ad599784e1438384700f7602393522f46944565a814a80abcbe83c1d9f055

Scanner detections:
13 / 68

Status:
Adware

Analysis date:
12/17/2018 9:22:43 AM UTC

Scan engine             Detection                          Engine version
Lavasoft Ad-Aware       Adware.Downloader.AA               1030
avast!                  Win32:Adware-BLB [PUP]             2014.9-140411
AVG                     MalSign.Generic                    2015.0.3547
Bitdefender             Adware.Downloader.AA               1.0.20.505
Emsisoft Anti-Malware   Adware.Downloader.AA               8.14.04.11.02
F-Secure                Adware.Downloader.AA               11.2014-11-04_6
G Data                  Adware.Downloader.AA               14.4.24
McAfee                  Artemis!45785480CCD1               5600.7164
MicroWorld eScan        Adware.Downloader.AA               15.0.0.303
nProtect                Adware.Downloader.AA               14.04.08.01
Reason Heuristics       PUP.Task.LADYSWOOD2013LIMITED.H    14.4.11.0
Trend Micro House Call  TROJ_GEN.F47V0301                  7.2.101
VIPRE Antivirus         PileFile Downloader                26960

File size:
15.3 KB (15,688 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2013

Original file name:
Updater.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\roaming\oxy\updater.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
1/28/2014 1:00:00 AM

Valid to:
1/29/2015 12:59:59 AM

Subject:
CN=LADY'S WOOD 2013 LIMITED, O=LADY'S WOOD 2013 LIMITED, STREET=COMMUNICATIONS HOUSE, STREET=DEAN ROAD YATE, L=BRISTOL, S=SOUTH GLOUCESTERSHIRE, PostalCode=BS37 5NR, C=GB

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00F93831D83C5CE9CF3BB3658BA83359DB

File PE Metadata
Compilation timestamp:
2/18/2014 7:00:02 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
384:qvZCPHi7FC+Pza6y5C7SmReYFBS8vG5xiu3l:qvZCP4lm6+C7rReY/9O5D1

Entry address:
0x45CE


Entropy:
5.6648

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
9.5 KB (9,728 bytes)

Scheduled Task
Task name:
Oxy

Trigger:
Daily (Runs daily at 10:48 AM)

Action:
updater.exe oxy www.shar-m.com 600000 3


The file Updater.exe has been discovered within the following program.

Oxy updater  by SOFTWARE AGILITY LIMITED
The Oxy updater adware injects advertising into the user's Internet browser by running as an extension and/or add-on. Ads are delivered as search-related ads, banner and video ads, text links, and some popup/popunder ads.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to unknown.prolexic.com  (72.52.4.90:80)

TCP (HTTP):
Connects to ocsp.comodoca.com  (178.255.83.1:80)

TCP (HTTP):
Connects to ns1.ibspark.com  (54.72.130.67:80)

TCP (HTTP):
Connects to dmpro-ca-01.fooservers.com  (167.114.156.214:80)

TCP (HTTP):
Connects to 2a.6a.acb8.ip4.static.sl-reverse.com  (184.172.106.42:80)

TCP (HTTP):
Connects to no.rdns.ukservers.com  (94.229.72.116:80)

TCP (HTTP):
Connects to ec2-54-188-199-4.us-west-2.compute.amazonaws.com  (54.188.199.4:80)

TCP (HTTP):
Connects to custip-2080.sedoparking.com  (91.195.241.80:80)
