home

yawtix.exe

Yawtix

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application yawtix.exe by Yawtix has been detected as adware by 4 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from secure.fordcdnsecure.com and multiple other hosts.
Publisher:
Yawtix  (signed and verified)

MD5:
8fab6fdb4b65375d6890ed097c49e46b

SHA-1:
56b315735848ed4e3f6486bafff5215e478ac71f

SHA-256:
2da9440b70c22f8722d537ab431bcd52a8916fc425dbad933f7b2f79117cba7d

Scanner detections:
4 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
4/23/2024 9:02:34 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Yawtix.G
14.6.17.16

Rising Antivirus
NS:PUF.SilenceInstaller!1.9DDF
23.00.65.14610

Trend Micro House Call
Suspicious_GEN.F47V0610
7.2.163

VIPRE Antivirus
Trojan.Win32.Generic
30206

File size:
462.6 KB (473,664 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\yawtix.exe

Digital Signature
Signed by:
Yawtix

Authority:
VeriSign, Inc.

Valid from:
4/22/2014 2:00:00 AM

Valid to:
4/23/2015 1:59:59 AM

Subject:
CN=Yawtix, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Yawtix, L=Santa Monica, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
2E42C67BCB3B665946270E2F15BC3A2B

File PE Metadata
Compilation timestamp:
12/5/2009 11:52:01 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:KwhUYmUn1s15AB/G/8/3D0Fw/tN8dkmLtpHHHrh79:Kwh/mK6F8/z0FmcLbH19

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 6F, 44, 00, E8, F1, 2B, 00, 00, A3, 84, 6E, 44, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, 9C, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 2E, 44, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, F0, 46, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file yawtix.exe has been seen being distributed by the following 8 URLs.

http://secure.fordcdnsecure.com/.../Yawtix.exe

http://secure.fiestacdnsecure.com/.../Yawtix.exe

http://secure.letigerfastcdn.com/.../Yawtix.exe

http://secure.goeastcdncache.com/.../Yawtix.exe

http://secure.fastcdngoeast.com/.../Yawtix.exe

http://secure.fordzxicdn.com/.../Yawtix.exe

http://secure.cacheanglegoeast.com/.../Yawtix.exe

http://secure.ilandcachecdn.com/.../Yawtix.exe

Remove yawtix.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.