NUEVA DETECCION DE PENNY BEE CON EL ELISTARA 30.31 DE HOY, ADEMAS DEL ELIPUPS 1.25 DE AYER

NUEVA DETECCION DE PENNY BEE CON EL ELISTARA 30.31 DE HOY, ADEMAS DEL ELIPUPS 1.25 DE AYER
Si bien con el ELIPUPS de ayer ya ofreciamos deteccion y posible desinstalacion de este PUP, viendo que tiene efectos sobre las utilidades antimalwares (por ejemplo, el listado del SPROCES queda cortado), pasamos a controlarlo especificamente a partir del ELISTARA 30.31 de hoy, aunque no lo detecte actualmente ningun AV de virustotal:

 

SHA256: 4074369b1e39653ad0b0ff59edd601b68a806a082d992d60e38617c81e55a64c
Nombre: PennyBee.exe
Detecciones:  0 / 54
Fecha de análisis:  2014-07-02 12:57:40 UTC
MD5 ebb2cb19fbd58922265bf504bdb34143
SHA1 7a75e02558327c24550df3cfc4344bb162853db5
Tamaño del fichero 479.6 KB ( 491064 bytes )
La información obtenida al respecto por otros medios es:

 

File name:PennyBee.exe

Publisher:Penny Bee Agent (signed by Jambo Digital Ltd)

Product:Penny Bee

Version:1.1.0.13

MD5:3e01a07597677e78805a1947e0b52a8e

SHA-1:3ed7ee1d09e076f44d9e2a6da2f6998728deae5c

SHA-256:5fd311e80fdba709d80c11d8032ec7dd14de17245d2585c17257bd4f6c2e377e

Analysis
Scanner detections:1 / 68

Status:Adware

Note:Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:6/24/2014 3:09:46 PM UTC (14 days ago)

Scan engineDetectionEngine version

Reason HeuristicsPUP.Task.JamboDigital.I14.6.24.11

File Details
File size:454.1 KB (464,952 bytes)

Product version:1.1.0.13

Copyright:Copyright Penny Bee© 2014, All rights Reserved

Original file name:PennyBee.exe

File type:Executable application (Win32 EXE)

Language:English (United States)

Common path:C:\ProgramData\pennybee\pennybee.exe

Digital Signature
Signed by:Jambo Digital Ltd

Authority:COMODO CA Limited

Valid from:5/28/2014 7:00:00 AM

Valid to:5/28/2017 6:59:59 AM

Subject:CN=Jambo Digital Ltd, OU=Jambo Digital Ltd, O=Jambo Digital Ltd, STREET=2 Kaufman Yehezkel, STREET=tel aviv, L=tel aviv, S=TEL AVIV-JAFFA, PostalCode=6801294, C=IL

Issuer:CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:00C458EED8E9EAA77E97499968CD5DD6B9

File PE Metadata
Compilation timestamp:6/18/2014 7:30:37 PM

OS version:5.1

OS bitness:Win32

Subsystem:Windows GUI

Linker version:10.0

CTPH (ssdeep):12288:D5odcgNkNRUwrIpQ7jFZ9jkh21MWglBcxi++ElnIK:9odcxN2oIWZlkcBCcxi+9N

Entry address:0x32F96

Entry point:E8, 2A, BF, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 10, A1, 10, 07, 46, 00, 33, C5, 89, 45, FC, 8B, 55, 18, 53, 33, DB, 56, 57, 3B, D3, 7E, 1F, 8B, 45, 14, 8B, CA, 49, 38, 18, 74, 08, 40, 3B, CB, 75, F6, 83, C9, FF, 8B, C2, 2B, C1, 48, 3B, C2, 7D, 01, 40, 89, 45, 18, 89, 5D, F8, 39, 5D, 24, 75, 0B, 8B, 45, 08, 8B, 00, 8B, 40, 04, 89, 45, 24, 8B, 35, 8C, B2, 44, 00, 33, C0, 39, 5D, 28, 53, 53, FF, 75, 18, 0F, 95, C0, FF, 75, 14, 8D, 04, C5, 01, 00, 00, 00, 50, FF, 75, 24, FF, D6, 8B, F8, 89…
[+]
Entropy:6.4080

Code size:296 KB (303,104 bytes)

Behaviors
Scheduled TaskTask name:pennybee Runner

Trigger:Logon (Runs on logon)

Action:pennybee.exe \task=4 \installon=0 \closebr=0 \active=24 \update
Programs
The file PennyBee.exe has been discovered within the following program.

Penny Bee by pennybee
About 1% of users remove it
Powered by Should I Remove It?

Network Communications
The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):Connects to server-54-230-207-132.atl50.r.cloudfront.net (54.230.207.132:80)

TCP (HTTP):Connects to ec2-107-21-244-247.compute-1.amazonaws.com (107.21.244.247:80)

Related
1 / 68 (Adware)tmut21270.dll (7a75e02558327c24550df3cfc4344bb162853db5)

Fuente: http://www.herdprotect.com/pennybee.exe-3ed7ee1d09e076f44d9e2a6da2f6998728deae5c.aspx

Al parecer el pais de mas propagacion actual es Italia.

Dicha version del ELISTARA 30.31 que lo detecta y elimina, estará disponible en nuestra web a partir de las 15 h CEST de hoy.
saludos

ms, 8-7-2014