yopyobx.exe

Crime Watch

Great Apps

This is part of an adware program designed to inject advertising into the web browser (banners, text links) and to modify the browser's normal behavior. It is part of the Injekt brand of unwanted programs. The application yopyobx.exe, “CrimeWatch Service” by Great Apps, has been detected as adware by 16 anti-malware scanners. It runs as a Windows service named “YopYobx” in its own process (service type Win32OwnProcess).
Publisher:
Great Apps  (signed and verified)

Product:
Crime Watch

Description:
CrimeWatch Service

Version:
1.0.0.0

MD5:
7156dfa101fff3c2bb491bd4cc35ad76

SHA-1:
ead47be30d928011bdfff3ff8c25948d7ccdd7ee

SHA-256:
3ac7904828434912be3fcf9db02c9dee2c04862899cacdcf70e84bb31f5be619

Scanner detections:
16 / 68

Status:
Adware

Explanation:
Injects display ads (banner ads), in-text ads, interstitial ads, or other types of ads into the web browser and alters the browser's settings (home page, search, DNS, and security protocols).

Analysis date:
4/19/2024 5:27:00 AM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Lavasoft Ad-Aware | Adware.PullUpdate.AW | 657 |
| Avira AntiVirus | ADWARE/Adware.Gen7 | 3.6.1.96 |
| AVG | Generic | 2016.0.3135 |
| Baidu Antivirus | Adware.MSIL.PullUpdate | 4.0.3.15419 |
| Bitdefender | Adware.PullUpdate.AW | 1.0.20.545 |
| Bkav FE | W32.HfsAdware | 1.3.0.6379 |
| Dr.Web | Adware.Yontoo.68 | 9.0.1.0109 |
| Emsisoft Anti-Malware | Adware.PullUpdate.AW | 8.15.04.19.04 |
| ESET NOD32 | MSIL/Adware.PullUpdate.N.gen (variant) | 9.11496 |
| F-Secure | Adware.PullUpdate.AW | 11.2015-19-04_1 |
| G Data | Adware.PullUpdate.AW | 15.4.25 |
| Kaspersky | not-a-virus:AdWare.MSIL.PullUpdate | 14.0.0.2169 |
| Malwarebytes | PUP.Optional.CrimeWatch.A | v2015.04.19.04 |
| MicroWorld eScan | Adware.PullUpdate.AW | 16.0.0.327 |
| nProtect | Adware.PullUpdate.AW | 15.04.17.01 |
| Reason Heuristics | Threat.Injekt.GreatApps | 15.4.19.0 |

File size:
2.6 MB (2,729,944 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © Great Apps 2015

Original file name:
CrimeWatchService.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\ProgramData\ynfctorwzwo\yopyobx.exe

Digital Signature
Signed by:

Authority:
Symantec Corporation

Valid from:
2/16/2015 4:00:00 PM

Valid to:
2/17/2016 3:59:59 PM

Subject:
CN=Great Apps, O=Great Apps, L=St. Michael, S=St. Michael, C=BB

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
18DA5D77283E42E4EA6279778229FFBA

File PE Metadata
Compilation timestamp:
4/17/2015 10:20:23 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
49152:mzbywOP+AULRXfwp8Gxv0SC1aIddwnX42LiQ/5C7pbUACu:EndPaxv7waTta6hu

Entry address:
0x29A4CE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 

Entropy:
7.9996

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
2.6 MB (2,721,280 bytes)

Service
Display name:
YopYobx

Type:
Win32OwnProcess

Depends on:
Winmgmt CryptSvc


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-171-43-206.eu-west-1.compute.amazonaws.com  (54.171.43.206:80)

TCP (HTTP):
Connects to ec2-54-76-91-10.eu-west-1.compute.amazonaws.com  (54.76.91.10:80)

TCP (HTTP):
Connects to ec2-54-246-181-97.eu-west-1.compute.amazonaws.com  (54.246.181.97:80)

TCP (HTTP):
Connects to ec2-52-16-174-255.eu-west-1.compute.amazonaws.com  (52.16.174.255:80)
