updater.exe

Western Web Applications, LLC

Part of the branded Injekt adware package, the updater mechanism is an auto-starting program that is designed to update the web browser extensions and to protect the executables ChromeHelper, FirefoxHelper and IeHelper so that these programs can inject advertisements and generate popups in the user's web browser. The application updater.exe by Western Web Applications has been detected as adware by 1 anti-malware scanner, with very strong indications that the file is a potential threat. It is set to start automatically when a user logs into Windows via the current user Run registry key under the display name ‘Updater’.
Publisher:
Updater (signed by Western Web Applications, LLC)

Product:
Updater

Description:
Updater service

Version:
1, 0, 0, 1

MD5:
5ceaa5d764a5e35091b40ca848a0639b

SHA-1:
9b238df5a1edfc265114c4b4c3335b09f09c3c8b

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Injects display ads (banner ads), in-text ads, interstitial ads, or other types of ads into the web browser, and also alters the browser's settings (home page, search, DNS, and security protocols).

Analysis date:
4/23/2024 3:51:08 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Injekt.WesternWebApplications (M)

Engine version:
15.12.30.9

File size:
291.1 KB (298,136 bytes)

Product version:
1, 0, 0, 1

Original file name:
updater.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Documents and Settings\{user}\Application data\updater\updater.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
5/23/2013 7:00:00 PM

Valid to:
5/24/2014 6:59:59 PM

Subject:
CN="Western Web Applications, LLC", O="Western Web Applications, LLC", STREET=640 E Grand Ave, STREET=Suite 129, L=Carlsbad, S=CA, PostalCode=92008, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
2A1B337726D509D16C17362E2E625DE9

File PE Metadata
Compilation timestamp:
9/24/2013 6:32:40 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:V1RqZ9kQAamHgEDFx7RVkciTr6O1s/koJuv8QA/R/f4/koOkpz10qIBOMeZEA:V1oYta2hhR9qr6OgkXvm5/A/korh0WFl

Entry address:
0x1C477

Entry point:
E8, 46, 96, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 85, C0, 74, 12, 83, E8, 08, 81, 38, DD, DD, 00, 00, 75, 07, 50, E8, 3C, D4, FF, FF, 59, 5D, C3, 8B, FF, 55, 8B, EC, 83, EC, 10, A1, 30, AB, 43, 00, 33, C5, 89, 45, FC, 8B, 55, 18, 53, 33, DB, 56, 57, 3B, D3, 7E, 1F, 8B, 45, 14, 8B, CA, 49, 38, 18, 74, 08, 40, 3B, CB, 75, F6, 83, C9, FF, 8B, C2, 2B, C1, 48, 3B, C2, 7D, 01, 40, 89, 45, 18, 89, 5D, F8, 39, 5D, 24, 75, 0B, 8B, 45, 08, 8B, 00, 8B, 40, 04, 89, 45, 24, 8B, 35, 4C, 01, 43, 00...

Entropy:
6.4328

Code size:
187.5 KB (192,000 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Updater

Command:
C:\Documents and Settings\{user}\Application data\updater\updater.exe

Powered by Reason Core Security