» wg8v2.exe
Overview
Analysis
File Details
Behaviors (1)
Downloads (1)

wg8v2.exe

M/s Children Code

The application wg8v2.exe by M/s Children Code has been detected as adware by 21 anti-malware scanners. This is a setup program which is used to install the application. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘TasksWatch’. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from downloads.doubleoptmedia.com.

File name:

wg8v2.exe

Publisher:

M/s Children Code (signed and verified)

MD5:

2bd7eb2b1464c59d0628de3ab0279f11

SHA-1:

86965c6b8ef66bed8c82e06473d85582f3e2ac9f

SHA-256:

6bb64dc082dd091ee58d09c92aa20bba3a4313f3cdd86a0615b203550c5eedf6

Scanner detections:

21 / 68

Status:

Adware

Explanation:

Part of a backdoor IRC bot network.

Analysis date:

4/26/2024 7:04:12 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Symmi.39392

1032

Agnitum Outpost

Trojan.Themida

7.1.1

AhnLab V3 Security

Trojan/Win32.BitCoinMiner

14.04.09

Avira AntiVirus

TR/Symmi.39392.1

7.11.141.176

Bitdefender

Gen:Variant.Symmi.39392

1.0.20.495

Comodo Security

UnclassifiedMalware

18061

Dr.Web

Trojan.Packed.26351

9.0.1.099

Emsisoft Anti-Malware

Gen:Variant.Symmi.39392

8.14.04.09.01

ESET NOD32

Win32/Packed.Themida (variant)

8.9645

Fortinet FortiGate

PossibleThreat

4/9/2014

F-Secure

Gen:Variant.Symmi.39392

11.2014-09-04_4

G Data

Gen:Variant.Symmi.39392

14.4.24

IKARUS anti.virus

Win32.SuspectCrc

t3scan.2.2.29

K7 AntiVirus

Unwanted-Program

13.176.11663

McAfee

Artemis!2BD7EB2B1464

5600.7166

MicroWorld eScan

Gen:Variant.Symmi.39392

15.0.0.297

Qihoo 360 Security

Win32/Trojan.c2b

1.0.0.1015

Reason Heuristics

PUP.Startup.MsChildrenCode.F

14.4.7.1

Sophos

Bitcoin Miner

4.98

Trend Micro House Call

TROJ_GEN.F47V0320

7.2.99

VIPRE Antivirus

Backdoor.Win32.Ircbot.gen

28110

File size:

1.2 MB (1,289,872 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\wg8v2.exe

Digital Signature

Signed by:

M/s Children Code

Authority:

COMODO CA Limited

Valid from:

2/10/2014 3:00:00 AM

Valid to:

2/11/2015 2:59:59 AM

Subject:

CN=M/s Children Code, O=M/s Children Code, STREET="Plot No. F-125,", STREET="Sector 74,", STREET="Industrial Area, Phase 8B", L=Mohali, S=Punjab, PostalCode=160071, C=IN

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

355CDFD525F643928F3A5700D87F0799

File PE Metadata

Compilation timestamp:

3/20/2014 8:04:50 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

24576:AqRE57Qo9L5iyOxWuvn+uZumtqUGu9vXJvS5+bY2m8LoRm:VRETl5OF+uZTcFuZXYp2LX

Entry address:

0x342000

Entry point:

83, EC, 04, 50, 53, E8, 01, 00, 00, 00, CC, 58, 89, C3, 40, 2D, 00, 10, 13, 00, 2D, FF, 91, 0A, 10, 05, F4, 91, 0A, 10, 80, 3B, CC, 75, 19, C6, 03, 00, BB, 00, 10, 00, 00, 68, 81, 63, EF, 13, 68, 41, 39, 14, 5A, 53, 50, E8, 0A, 00, 00, 00, 83, C0, 00, 89, 44, 24, 08, 5B, 58, C3, 55, 89, E5, 50, 53, 51, 56, 8B, 75, 08, 8B, 4D, 0C, C1, E9, 02, 8B, 45, 10, 8B, 5D, 14, 85, C9, 74, 0A, 31, 06, 01, 1E, 83, C6, 04, 49, EB, F2, 5E, 59, 5B, 58, C9, C2, 10, 00, 51, 74, 3F, 3A, 50, 00, F3, 82, A0, 58, 37, DE, C1, E2... 
[+]

Entropy:

7.9079 (probably packed)

Code size:

33 KB (33,792 bytes)

Startup File (All Users Run)

Registry location:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

TasksWatch

Command:

"C:\users\{user}\appdata\local\temp\taskswatch.exe"

The file wg8v2.exe has been seen being distributed by the following URL.

http://downloads.doubleoptmedia.com/wg8v2.exe

Remove wg8v2.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.