updatetask.exe

DealPly Technologies Ltd

This file is part of various InstallCore adware bundles. It is designed to run daily and maintain the current state of the installed product offers (mostly unwanted adware) by connecting to a remote server for configuration instructions. The application updatetask.exe by DealPly Technologies has been detected as adware by 15 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler named Dealply, triggered daily at a specified time.
Publisher:
DealPly Technologies Ltd  (signed and verified)

MD5:
591f7c7bde59e71e362699683e91b471

SHA-1:
548957f540e363553dec20afbc4b2ea814d5e17e

SHA-256:
1eaa5e385788f2ce3399fffa3d2ad9df89b063ea5867532d504e00e1148955aa

Scanner detections:
15 / 68

Status:
Adware

Explanation:
The update task for the InstallCore download manager.

Analysis date:
12/11/2017 12:57:53 AM UTC

Scan engine             Detection                       Engine version
Lavasoft Ad-Aware       Adware.Downware.L               1144
AhnLab V3 Security      Adware/Win32.Agent              2013.12.03
Bitdefender             Adware.Downware.L               1.0.20.1690
Bkav FE                 W32.Cloda21.Trojan              1.3.0.4562
Boost by Reason         Optional.Task.DealPly.K         188838
Comodo Security         Application.Win32.Dealply.~l    17372
Emsisoft Anti-Malware   Adware.Downware.L               8.13.12.04.08
ESET NOD32              Win32/DealPly                   7.9120
Fortinet FortiGate      Adware/Fam.NB                   12/4/2013
G Data                  Adware.Downware                 13.12.22
Malwarebytes            PUP.Optional.DealPly.A          v2013.12.04.08
MicroWorld eScan        Adware.Downware.L               14.0.0.1014
Reason Heuristics       PUP.UpdateProc.Task.K           14.8.7.17
Vba32 AntiVirus         SScope.Trojan.Kriptik.8607      3.12.24.3
VIPRE Antivirus         Trojan.Win32.Generic            23936

File size:
106.1 KB (108,600 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\dealply\updateproc\updatetask.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
6/14/2012 2:00:00 AM

Valid to:
6/15/2015 1:59:59 AM

Subject:
CN=DealPly Technologies Ltd, O=DealPly Technologies Ltd, STREET=13 Barth St., L=Tel Aviv, S=Israel, PostalCode=69104, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
016DFA78310264827B57EAD4F620C264

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
3072:BTPD9DL7lYBMNywPu70ikC5Nq8P/tnSGuBRRI4OeB:Bh9Yn7eCLpHtnmT0eB

Entry address:
0x14E80

Entry point:
55, 8B, EC, 83, C4, F0, 53, B8, 28, 4E, 41, 00, E8, 43, FD, FE, FF, BB, 4C, 51, 41, 00, 8B, C3, BA, 04, 4F, 41, 00, E8, 8A, EC, FE, FF, 83, 3B, 00, 75, 0C, 8B, C3, BA, 14, 4F, 41, 00, E8, 85, EE, FE, FF, 83, 3B, 00, 74, 0C, 8B, C3, BA, 24, 4F, 41, 00, E8, 74, EE, FE, FF, B8, 50, 51, 41, 00, 8B, 13, E8, 5C, EC, FE, FF, 6A, 00, 68, A8, 4A, 41, 00, 68, D0, 4B, 41, 00, 68, 04, 4C, 41, 00, B9, 30, 4F, 41, 00, 8B, 15, 50, 51, 41, 00, 8B, 03, E8, BD, 72, FF, FF, 5B, E8, EF, EA, FE, FF, 00, 00, 00, FF, FF, FF, FF...

Developed / compiled with:
Microsoft Visual C++

Code size:
80 KB (81,920 bytes)

5 Scheduled Tasks
Task name:
Hoolapp Init

Trigger:
Boot (Runs on boot)

Task name:
Dealply

Trigger:
Daily (Runs daily at 14:56)

Action:
updatetask.exe \check

Task name:
DSite

Trigger:
Daily (Runs daily at 20:20)

Task name:
Hoolapp For Android

Trigger:
Daily (Runs daily at 2:27)

Task name:
At1

Path:
D:\WINDOWS\Tasks\At1.job

Trigger:
Daily (Runs daily at 8:27 AM)


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to bits-lb.esams.wikimedia.org  (91.198.174.202:80)

TCP (HTTP):
Connects to ec2-54-243-240-124.compute-1.amazonaws.com  (54.243.240.124:80)

TCP (HTTP):
Connects to ec2-54-243-205-164.compute-1.amazonaws.com  (54.243.205.164:80)

TCP (HTTP):
Connects to ec2-23-23-137-245.compute-1.amazonaws.com  (23.23.137.245:80)

TCP (HTTP):
Connects to ec2-54-197-227-159.compute-1.amazonaws.com  (54.197.227.159:80)

TCP (HTTP):
Connects to bits-lb.eqiad.wikimedia.org  (208.80.154.234:80)

TCP (HTTP):
Connects to s3-1-w.amazonaws.com  (176.32.100.195:80)

TCP (HTTP SSL):
Connects to geoip-zlb.vips.scl3.mozilla.com  (63.245.215.82:443)

TCP (HTTP):
Connects to ec2-54-235-144-60.compute-1.amazonaws.com  (54.235.144.60:80)

TCP (HTTP):
Connects to ec2-23-23-169-51.compute-1.amazonaws.com  (23.23.169.51:80)

TCP (HTTP):
Connects to ec2-23-23-120-217.compute-1.amazonaws.com  (23.23.120.217:80)

TCP (HTTP):
Connects to ec2-23-21-92-35.compute-1.amazonaws.com  (23.21.92.35:80)

TCP (HTTP):
Connects to ec2-107-21-203-130.compute-1.amazonaws.com  (107.21.203.130:80)
