y2go.exe

24 Grad Media GmbH

The application y2go.exe by 24 Grad Media GmbH has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This executable runs as a local area network (LAN) Internet proxy server listening on port 8808 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. While running, it connects to the Internet address tlb.hwcdn.net on port 443.
Publisher:
24 Grad Media GmbH  (signed and verified)

MD5:
ac285a6e766d317b935f0652e26b8e39

SHA-1:
eb5facb670ef345e95f5c5ba8756deba8b21f53b

SHA-256:
367ec1ab6643a95f61e1c011d4676b565ef79f4e22ab178cdf3912ddfe9cb819

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
4/25/2024 2:48:13 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.24Grad (M)

Engine version:
16.10.7.12

File size:
2.2 MB (2,329,584 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\y2go\bin\y2go.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
5/22/2015 2:00:00 AM

Valid to:
5/22/2017 1:59:59 AM

Subject:
CN=24 Grad Media GmbH, O=24 Grad Media GmbH, STREET=Dirmingerstraße 37, L=Marpingen, S=Saarland, PostalCode=66646, C=DE

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00AA4A10DC8AFB785DA6DA3EACAA190749

File PE Metadata
Compilation timestamp:
10/7/2016 8:18:52 AM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

CTPH (ssdeep):
49152:5R42Oa92559VWyE2H2QuudOHgRqlun8cBpr9eZnGAVb5FaP8BGsc+WuGe2OZXZgQ:5iVak5zVW8br9EnGAVXjc+WuGe2Ot

Entry address:
0x130618

Entry point:
E8, 8E, 07, 00, 00, E9, 8E, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 51, 8D, 4C, 24, 04, 2B, C8, 1B, C0, F7, D0, 23, C8, 8B, C4, 25, 00, F0, FF, FF, 3B, C8, F2, 72, 0B, 8B, C1, 59, 94, 8B, 00, 89, 04, 24, F2, C3, 2D, 00, 10, 00, 00, 85, 00, EB, E7, 55, 8B, EC, 83, 25, 4C, EA, 60, 00, 00, 83, EC, 28, 53, 33, DB, 43, 09, 1D, EC, 5B, 60, 00, 6A, 0A, E8, EF, A9, 05, 00, 85, C0, 0F, 84, 6D, 01, 00, 00, 83, 65, F0, 00, 33, C0, 83, 0D, EC, 5B, 60, 00, 02, 33, C9, 56, 57, 89, 1D, 4C, EA...
 
[+]

Code size:
1.6 MB (1,669,120 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:8808/

Local host port:
8808

Default credentials:
No

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to dev.ucoz.net  (193.109.246.216:80)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-cdg2.fbcdn.net  (179.60.192.7:443)

TCP (HTTP SSL):
Connects to col402-m.hotmail.com  (157.56.17.247:443)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-frt3.fbcdn.net  (31.13.92.14:443)

TCP (HTTP SSL):
Connects to waw02s05-in-f14.1e100.net  (216.58.209.46:443)

TCP (HTTP):
Connects to srv1007.htdedicated.pl  (178.217.187.205:80)

TCP (HTTP):
Connects to nl.redir.opera.com  (82.145.215.91:80)

TCP (HTTP SSL):
Connects to edge-star-shv-01-waw1.facebook.com  (31.13.81.9:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-fra3.facebook.com  (31.13.93.36:443)

TCP (HTTP SSL):
Connects to dub407-m.hotmail.com  (157.56.194.24:443)

TCP (HTTP SSL):
Connects to waw02s08-in-f195.1e100.net  (172.217.20.195:443)

TCP (HTTP SSL):
Connects to waw02s08-in-f14.1e100.net  (172.217.20.206:443)

TCP (HTTP SSL):
Connects to upload-lb.esams.wikimedia.org  (91.198.174.208:443)

TCP (HTTP SSL):
Connects to tlb.hwcdn.net  (69.16.175.42:443)

TCP (HTTP SSL):
Connects to server-54-230-230-26.waw50.r.cloudfront.net  (54.230.230.26:443)

TCP (HTTP SSL):
Connects to server-54-192-228-66.waw50.r.cloudfront.net  (54.192.228.66:443)

TCP (HTTP SSL):
Connects to server-54-192-198-49.lhr50.r.cloudfront.net  (54.192.198.49:443)

TCP (HTTP SSL):
Connects to server-52-84-13-11.ord54.r.cloudfront.net  (52.84.13.11:443)
