Chedot Browser

The Chedot Browser is promoted on Chedot.com as an innovative Web browser based on the open-source project Chromium that would allow users to download any media on the Internet blazingly fast. In addition, users of the Chedot Browser will be directed to the Chedot.com search portal where they can find direct links to services like YouTube, Facebook and currency exchange rates. Users that may want to download the Chedot Browser should know that it is perceived as a Potentially Unwanted Program (PUP). Security investigators note that web surfers using Chedot only have access to commercials by sponsors of Chedot.com and will not see the native ads on trusted e-commerce sites like Amazon, Walmart, eBay and Best Buy. Moreover, users of the Chedot Browser will not have the option to change their default search engine to leading engines like Google and Bing. The Chedot Browser works similarly to the Mustang Browser and the Protectium and might present users with many pop-up windows to promote sponsored services and products. The Chedot Browser may arrive on your system bundled with a free program installer and edit your Windows Registry values to become your default Internet client. The Chedot Browser may be built upon Chromium, but it may not allow you to browse as fast as your Internet connection allows because it is constantly exchanging information with the servers of advertisers. The Chedot Browser may send information like your Internet browsing and download history logs to advertisers in order to show related commercials on the pages you visit. You may want to remove all files related to the Chedot Browser by using a reputable anti-malware solution.

Table of Contents

Toggle

SpyHunter Detects & Remove Chedot Browser

Analysis Report

General information

Family Name:	PUP.Chedot
Signature status:	Self Signed

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: 4a5023faf541dcd11e990d8dbf0bbdb2 SHA1: cf0ce48d086e38eb90ed2fa891401acc715ec252 SHA256: 31515A740EA7786343A2090570B4E8869351ADBAFE9FF44A18FE2B5B45BEA77B File Size: 3.39 MB, 3389824 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have debug information
• File doesn't have exports table
• File is 32-bit executable
• File is either console or GUI application
• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
• File is Native application (NOT .NET application)
• File is not packed
• IMAGE_FILE_DLL is not set inside PE header (Executable)
• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information

i

Windows PE Version Information

This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

Name	Value
Company Name	Chedot
File Description	Chedot Setup
File Version	5.1.1.0
Internal Name	sf_rt
Original Filename	suf_launch.exe
Product Name	Chedot
Product Version	5.1.1.0

Digital Signatures

i

Digital Signatures

This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.

Signer	Root	Status
Guerrilla Programming OÜ	Symantec Class 3 SHA256 Code Signing CA	Self Signed

Block Information

i

Block Information

During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

Total Blocks:	152
Potentially Malicious Blocks:	0
Whitelisted Blocks:	152
Unknown Blocks:	0

Visual Map

0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 2 2 0 1 1 0 1 0 0 1 0 0 1 1 0 0 1 0 0 0 0 0 0 0 0 0 1 1 1 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 0 2 2 2 3 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 0 0 0 1

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

i

Files Modified

This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

File	Attributes
c:\users\user\appdata\local\temp\_ir_sf_temp_0\chedot.ico	Generic Read,Write Attributes
c:\users\user\appdata\local\temp\_ir_sf_temp_0\chedot.ico	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_ir_sf_temp_0\ftp.lmd	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_ir_sf_temp_0\irimg1.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_ir_sf_temp_0\irimg1.jpg	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_ir_sf_temp_0\irimg2.jpg	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_ir_sf_temp_0\irsetup.dat	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_ir_sf_temp_0\irsetup.dat	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\_ir_sf_temp_0\irsetup.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\_ir_sf_temp_0\license.txt	Generic Write,Read Attributes

Show More

c:\users\user\appdata\local\temp\_ir_sf_temp_0\lua5.1.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\chedot setup log.txt	Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

i

Registry Modifications

This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

Key::Value	Data	API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKCU\software\microsoft\ctf\msutb::left	ঔ	RegNtPreCreateKey
HKCU\software\microsoft\ctf\msutb::top		RegNtPreCreateKey

Windows API Usage

i

Windows API Usage

This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

Category	API
Process Manipulation Evasion	NtUnmapViewOfSection ReadProcessMemory
Process Shell Execute	ShellExecuteEx
Anti Debug	IsDebuggerPresent
User Data Access	GetUserObjectInformation
Other Suspicious	SetWindowsHookEx

Shell Command Execution

i

Shell Command Execution

This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

open C:\Users\Uuetfptg\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe __IRAOFF:2156210 "__IRAFN:c:\users\user\downloads\cf0ce48d086e38eb90ed2fa891401acc715ec252_0003389824" "__IRCT:3" "__IRTSS:3383754" "__IRSID:S-1-5-21-3119368278-1123331430-659265220-1001"