yam64-ivy.exe

JProof LLC

The application yam64-ivy.exe by JProof has been detected as adware by 19 anti-malware scanners. It is a malicious Bitcoin miner: Bitcoin-mining malware hijacks the victim's computing power to generate Bitcoin for the cybercriminals who deploy it. It is typically executed from the user's temporary directory. While running, it connects to the Internet address static.152.235.201.138.clients.your-server.de on port 80 using the HTTP protocol. Note that the file carries a valid code-signing signature from JProof LLC issued by DigiCert, so a passing signature check on its own is not evidence that the file is safe.
Publisher:
JProof LLC  (signed and verified)

MD5:
b7ae031f32d69907a8d829180c36eddb

SHA-1:
ea105159e1882906f2cbaee7764f76167486e642

SHA-256:
ec2f8138d0927a2494be41a91895620c224ab67a8a759b79388934e07642b8e0

Scanner detections:
19 / 68

Status:
Adware

Explanation:
The program mines Bitcoin using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
5/21/2024 1:00:47 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Trojan.Generic.15031612 | 480
Avira AntiVirus | PUA/BitcoinMiner.Gen | 8.3.2.2
Arcabit | Trojan.Generic.DE55D3C | 1.0.0.568
AVG | Generic | 2016.0.2958
Bitdefender | Trojan.Generic.15031612 | 1.0.20.1425
Bkav FE | W64.HfsAdware | 1.3.0.7237
Emsisoft Anti-Malware | Trojan.Generic.15031612 | 8.15.10.12.04
Fortinet FortiGate | Riskware/BitCoinMiner | 10/12/2015
F-Secure | Trojan.Generic.15031612 | 11.2015-12-10_2
G Data | Trojan.Generic.15031612 | 15.10.25
IKARUS anti.virus | not-a-virus:RiskTool.BitCoinMiner | t3scan.1.9.5.0
K7 AntiVirus | Riskware | 13.210.17412
Kaspersky | not-a-virus:RiskTool.Win64.BitCoinMiner | 14.0.0.1287
McAfee | Artemis!B7AE031F32D6 | 5600.6614
MicroWorld eScan | Trojan.Generic.15031612 | 16.0.0.855
nProtect | Trojan.Generic.15031612 | 15.10.02.01
Panda Antivirus | Generic Suspicious | 15.10.12.04
Reason Heuristics | PUP.EpicScale.JProof (M) | 15.10.12.16
Trend Micro | TROJ_GEN.R047C0OIJ15 | 10.465.12

File size:
3.5 MB (3,620,456 bytes)

File type:
Executable application (Win64 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\yam64-ivy.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
10/5/2014 4:00:00 AM

Valid to:
10/11/2017 3:00:00 PM

Subject:
CN=JProof LLC, O=JProof LLC, L=Washington, S=New Jersey, C=US

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
010A6723CC9454568F41F9221A61B586

File PE Metadata
OS version:
4.0

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
2.24

CTPH (ssdeep):
49152:6OKXUwkYohqOE7P+IPY5BetywPqemxlcapg4LDxV130LYmwAT7p6dswB7GvIS:GUw5XnEdD0/w3BSJ

Entry address:
0x14D0

Entry point:
48, 83, EC, 28, C7, 05, 72, 42, 37, 00, 00, 00, 00, 00, E8, BD, D8, 20, 00, E8, 98, FC, FF, FF, 90, 90, 48, 83, C4, 28, C3, 90, 55, 48, 89, E5, 48, 83, E4, E0, 48, 81, EC, 80, 03, 00, 00, 48, 03, 17, C4, E1, F9, 6E, C2, C4, E2, 7D, 19, C0, C5, FD, D4, 15, EC, DA, 2D, 00, C4, E2, 7D, 59, 5F, 08, C5, FD, 7F, 9C, 24, E0, 00, 00, 00, C4, E2, 7D, 59, 47, 10, C5, FD, 7F, 84, 24, 00, 01, 00, 00, C4, E2, 7D, 59, 47, 18, C5, FD, 7F, 84, 24, 20, 01, 00, 00, C4, E2, 7D, 59, 47, 20, C5, FD, 7F, 84, 24, 40, 01, 00, 00...

Code size:
2.8 MB (2,900,480 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to static.88-198-114-156.clients.your-server.de  (88.198.114.156:80)

TCP (HTTP):
Connects to static.152.235.201.138.clients.your-server.de  (138.201.235.152:80)

TCP:
Connects to ip106.ip-79-137-57.eu  (79.137.57.106:8005)

TCP:
Connects to ip241.ip-144-217-61.net  (144.217.61.241:8005)

TCP (HTTP):
Connects to ec2-52-0-217-44.compute-1.amazonaws.com  (52.0.217.44:80)

TCP:
Connects to static.14.31.201.138.clients.your-server.de  (138.201.31.14:3334)

TCP:
Connects to ip217.ip-178-32-196.eu  (178.32.196.217:8005)

TCP (HTTP):
Connects to static.12.31.201.138.clients.your-server.de  (138.201.31.12:8080)

TCP:
Connects to ip20.ip-144-217-101.net  (144.217.101.20:8050)

Remove yam64-ivy.exe - Powered by Reason Core Security