Reason Labs

updater.exe

Wander Burst

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads into the browser. The application updater.exe by Wander Burst has been detected as Adware.Yontoo. It runs as a separate Windows service (within the context of its own process) named “Update Mgr WanderBurst”. It plugs into the web browser and displays context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
Wander Burst  (signed and verified)

Version:
1.0.5672.41168

MD5:
05f733f5bf01ddbbd335b0cab9f6289c

SHA-1:
a9d1a6e8d6ccc51ddbe55f7f2b444643e1ccd5fe

SHA-256:
804da873bd28607b09719c7025d0cf3ee0f5b7320c860a7107db3cad4f60e4ec

Detection:
Adware.Yontoo

Risk:
Medium

Explanation:
Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser.

What does it do?
  • Starts a Windows service
  • Creates or opens a system mutex object
  • Connects to the Internet

Analysis date:
12/12/2018 10:29:55 AM UTC

File size:
562.7 KB (576,224 bytes)

Product version:
1.0.5672.41168

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\common files\fccb0821-00ee-466c-acb5-2a5cec258511\updater.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
6/18/2015 5:00:00 PM

Valid to:
6/18/2016 4:59:59 PM

Subject:
CN=Wander Burst, O=Wander Burst, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
4A9C9001F9FFB60F7F507CDFCDC1B744

File PE Metadata
Compilation timestamp:
7/13/2015 10:52:23 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
12288:ha5Kh0uYcuecjaonBg+b0pSLvSN+VZXYue8dpROnLlCckppx9x39o:ha85uxjaibwMSoZMlCp333C

Entry address:
0x253E7

Entry point:
E8, 19, D9, 00, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 83, 3C, F5, 20, 45, 48, 00, 00, 75, 13, 56, E8, 71, 00, 00, 00, 59, 85, C0, 75, 08, 6A, 11, E8, 43, 49, 00, 00, 59, FF, 34, F5, 20, 45, 48, 00, FF, 15, 48, 51, 45, 00, 5E, 5D, C3, 56, 57, BE, 20, 45, 48, 00, 8B, FE, 53, 8B, 1F, 85, DB, 74, 17, 83, 7F, 04, 01, 74, 11, 53, FF, 15, 80, 51, 45, 00, 53, E8, EF, 9F, FF, FF, 83, 27, 00, 59, 83, C7, 08, 81, FF, 40, 46, 48, 00, 7C, D8, 5B, 83, 3E, 00, 74, 0E, 83, 7E, 04, 01, 75, 08, FF, 36, FF, 15...

Entropy:
6.4651

Characteristics:
0x258

Code size:
335.5 KB (343,552 bytes)

Properties
Services:
Update Mgr WanderBurst

Integrity level:
16384

Command line:
"C:\Program Files (x86)\Common Files\fccb0821-00ee-466c-acb5-2a5cec258511\updater.exe"

Service
Display name:
Update Mgr WanderBurst

Type:
Win32OwnProcess

Depends on:
RPCSS

The following strings were extracted from updater.exe and are of interest.

RegDeleteKeyTransactedW
FRegDeleteKeyExW
operation not permitted
operation canceled
operation_in_progress
operation_not_supported
operation_would_block
inappropriate io control operation
network unreachable
operation in progress
operation not supported
operation would block
CreateMutexW
MoveFileExW
DeleteService
OpenSCManagerW
OpenServiceW
StartServiceW
PathRemoveExtensionW
PathRenameExtensionW
WinHttpCrackUrl
WinHttpOpenRequest
WinHttpSendRequest
"UpdaterClientLib

There are numerous known code variations that share the same compilation structure.

Adware.Yontoo
updater.exe  1.0.5679.17878  (e59994e5b7ceee715ba43f16a2e50729483d177f)

Adware.Yontoo
updater.exe  1.0.5678.43078  (af04b1c2d77cf3db38ad43fb519292cc67aca0df)

Adware.Yontoo
updater.exe  1.0.5678.16077  (53f8376b55978c31c874b44ffcd2e02c7e21445c)

Adware.Yontoo
updater.exe  1.0.5678.7081  (70ad832af6abaef558fce6eb15c66ae72faaaba3)

Adware.Yontoo
updater.exe  1.0.5677.23279  (f81f82dc8a6e6b4aaa7598727210a07924f1b72d)

Adware.Yontoo
updater.exe  1.0.5676.30473  (f8df0e751228bad93e4288ea852988427dcfcdbe)

Adware.Yontoo
updater.bak  1.0.5676.3473  (377fddf63f7c28c7cfdb45510e0cb732aa679b69)

Adware.Yontoo
updater.exe  1.0.5675.37663  (e6c06e7fc747dfaa8edb5601c81e21e19eb7293c)

Adware.Yontoo
updater.bak  1.0.5675.28644  (209a9a19a96655d3e146a8c27cf3e79429faf396)

Adware.Yontoo
updater.exe  1.0.5674.8841  (38b9f85dc7341b16397c6d40530cdca4fcf5e0ec)

Adware.Yontoo
updater.exe  1.0.5673.15980  (b9e6489e9990addb9e2acb64f4833c4d7e709ac6)

Adware.Yontoo
updater.exe  1.0.5673.15980  (48ac49b29272a551eac2758d08ab8b0d316f05dd)

Adware.Yontoo
updater.bak  1.0.5672.32231  (b7f4279c3e0f34e4a4cab623c614ad63c880f747)

Adware.Yontoo
updater.exe  1.0.5672.32231  (f375cdb1f5d7e02b9f055248b40102f95856524e)

Adware.Yontoo
updater.exe  1.0.5672.23270  (319ac2621d8248be18ceeb2c92c17dd8086ce936)

Adware.Yontoo.WanderBurst.Installer
setup.exe  (5d1e74a8de10817e6d0d1ae9dde9549a7529eb8b)

Adware.Yontoo
plugincontainer.exe  (790d2ee8d295f51d021a5a8ea65a275faaee7c05)

Adware.Yontoo.WanderBurst
plugin.exe  (d3b5d012118cae0c9970dec2a74a611c6e325141)

Adware.Yontoo
0f4e02f8-f10e-493d-a1a7-3aed7ba7b110.dll  (484cb43a45a7c733d77899603361cb5d025eae92)

Adware.Yontoo
34.0.5.dll  (1d293258c9061b45738b2ffc31d9461774062cae)

Adware.Yontoo
38.0.5.dll  (0ac2d83c767862719884b611aa98b6901ffce95a)

Adware.Yontoo
39.0.0.dll  (ef6333176bd4936b46111fe7f6d3e2a416fae1d2)

Adware.Yontoo.Installer
uninstaller.exe  (125fbecc8a0d732071beb7e1147949fa193621d9)
