URL: http://deadfake.com/

Full analysis: https://app.any.run/tasks/ca4ef7ef-e40d-4cde-967d-bcc544b40473
Verdict: Malicious activity
Analysis date: November 15, 2018, 21:33:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 89F8B1DB16AE707D486C3F7F3DB26C42
SHA1: DD38AD2A53B39BB03652B63E4B31C9E7B9199D6C
SHA256: 014598E664F173535B5DF4ECF10257A144F7B0E53966F49BF90A9D81A04C5ABE
SSDEEP: 3:N1KaAEBDc:Cahm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    No suspicious indicators.
  • INFO
    • Application launched itself
      • iexplore.exe (PID: 3280)
    • Changes internet zones settings
      • iexplore.exe (PID: 3280)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3668)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3668)
      • iexplore.exe (PID: 3280)
    • Creates files in the user directory
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3268)
      • iexplore.exe (PID: 3668)
      • iexplore.exe (PID: 3280)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Processes shown: start, iexplore.exe, iexplore.exe, flashutil32_26_0_0_131_activex.exe (no specs)

Process information

PID: 3280
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3668
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3280 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3268
CMD: C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding
Path: C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe
Parent process: svchost.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version: 26,0,0,131
Total events: 617
Read events: 527
Write events: 87
Delete events: 3

Modification events

(PID) Process | Key | Operation | Name | Value
(3280) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | write | CompatibilityFlags | 0
(3280) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
(3280) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1
(3280) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | write | SecuritySafe | 1
(3280) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | write | ProxyEnable | 0
(3280) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | write | SavedLegacySettings | 4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(3280) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active | write | {25604C21-E91E-11E8-A505-5254004AAD11} | 0
(3280) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | write | Type | 4
(3280) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | write | Count | 3
(3280) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | write | Time | E2070B0004000F001500210035002302
Executable files: 0
Suspicious files: 0
Text files: 258
Unknown types: 8

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3280 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | | |
3280 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | | |
3668 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@deadfake[2].txt | | |
3668 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\deadfake_com[1].txt | | |
3668 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\imp[1].gif | | |
3668 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\combine[1].css | | |
3668 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\dall4[1].js | text | 49B44BE40AA82F23BA5971C5DD833C73 | 3D8273A0DBB360B30831E5C0BB9509D1BC92022FEC72ECEF59904481E07FB2A9
3668 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\deadfake_com[1].htm | html | 8FAFDC257A23CBEAC9F524491375E3CB | 656D2B0F38E44680A0BD8B1FC6C3E55D4AACE9EE6979AECCC5AAFA88BD3441BA
3668 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\rochester[1].js | text | 9CEE11A1177FBFD3509CF70CD6573DB2 | 872691E0BB2ABB68E66674A5AABD2E3AA9F0FCF33F1E7EDE7EBBD679A3341900
3668 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@deadfake[1].txt | text | 92A2E2451D1CDAAEA2831AE048E30BE7 | 84917A0346924D08A775450A87BE5BE45BA5F9A00FDC6D516FD08A584B3FC8AE
HTTP(S) requests: 234
TCP/UDP connections: 51
DNS requests: 29
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3668 | iexplore.exe | GET | 200 | 104.18.40.223:80 | http://cdn.deadfake.com/utilcave_com/templates/combine.php?all=1&solCombine=1&dirname=deadfake_com&ezcb=182-1&d=deadfake.com&css=%2Futilcave_com%2Ffont%2Ff.php%3FsolCSS%3D1%26a%3D2%26dirname%3Ddeadfake_com%26ezcb%3D182-1%26d%3Ddeadfake.com%26u%3DFjalla%2BOne%7C%7C%257E::%2Futilcave_com%2Fmiddleton%2Fcss.php%3FsolCSS%3D1%26css%3D%2Fcss%2Fcommon.ezoic.scss%26dirname%3Ddeadfake_com%26ezcb%3D182-1::%2Futilcave_com%2Fmiddleton%2Fcss.php%3FsolCSS%3D1%26css%3D%2Farticle%2Fcss%2Fdropdown.css%26ezcb%3D182-1%26tdir%3D%2Farticle%2F%26scss%3D1%26dirname%3Ddeadfake_com%26did%3D4370%26eztmp%3D1%26ezcss%3D1::%2Futilcave_com%2Fmiddleton%2Fcss.php%3FsolCSS%3D1%26css%3D%2Farticle%2Fcss%2Ftwo_column.ezoic.scss%26ezcb%3D182-1%26tdir%3D%2Farticle%2F%26scss%3D1%26dirname%3Ddeadfake_com%26did%3D4370%26eztmp%3D1::%2Futilcave_com%2Fmiddleton%2Fcss.php%3FsolCSS%3D1%26css%3D%2Farticle%2Fcss%2Ftwo_column_emogrify.ezoic.scss%26ezcb%3D182-1%26tdir%3D%2Farticle%2F%26scss%3D1%26dirname%3Ddeadfake_com%26did%3D4370%26eztmp%3D1%26ezcss%3D1::%2Futilcave_com%2Fmiddleton%2Fcss.php%3FsolCSS%3D1%26css%3D%2Farticle%2Fcss%2Ftwo_column.menu.css.go%26ezcb%3D182-1%26tdir%3D%2Farticle%2F%26scss%3D1%26dirname%3Ddeadfake_com%26did%3D4370%26eztmp%3D1%26ezcss%3D1::%2Futilcave_com%2Fmiddleton%2Fcss.php%3FsolCSS%3D1%26css%3D%2Farticle%2Ffont%2Fcss%2Ffont-awesome.css%26ezcb%3D182-1%26tdir%3D%2Farticle%2F%26scss%3D1%26dirname%3Ddeadfake_com%26did%3D4370%26eztmp%3D1%26ezcss%3D1 | US | | 28.3 Kb | suspicious
3668 | iexplore.exe | GET | 200 | 35.158.91.78:80 | http://deadfake.com/detroitchicago/imp.gif?e=%7B%22ad_cache_level%22%3A0%2C%22ad_location_ids%22%3A%2221%2C5%2C1%2C0%2C99%2C95%22%2C%22ad_transform_level%22%3A0%2C%22adx_ad_count%22%3A4%2C%22bidder_version%22%3A3%2C%22city%22%3A%22Fulham%22%2C%22country%22%3A%22GB%22%2C%22days_since_last_visit%22%3A-1%2C%22display_ad_count%22%3A3%2C%22domain_id%22%3A4370%2C%22ds_adsize_opt_id%22%3A-1%2C%22engaged_time_visit%22%3A0%2C%22ezcache_level%22%3A0%2C%22forensiq_score%22%3A-1%2C%22form_factor_id%22%3A1%2C%22framework_id%22%3A1%2C%22has_bad_image%22%3A0%2C%22has_bad_words%22%3A0%2C%22iab_category%22%3A%22%22%2C%22is_from_recommended_pages%22%3Afalse%2C%22is_return_visitor%22%3Afalse%2C%22last_page_load%22%3A%22%22%2C%22last_pageview_id%22%3A%22%22%2C%22lt_cache_level%22%3A1%2C%22max_ads%22%3A3%2C%22metro_code%22%3A0%2C%22page_ad_positions%22%3A%221000%2C1001%2C1005%2C1021%2C1095%2C1099%22%2C%22page_view_count%22%3A0%2C%22page_view_id%22%3A%22cf63628f-4953-48cc-6c2b-f8ac5f293265%22%2C%22position_selection_id%22%3A16%2C%22postal_code%22%3A%22SW6%22%2C%22pv_event_count%22%3A0%2C%22response_time_orig%22%3A1847%2C%22serverid%22%3A%2235.158.253.70%3A4748%22%2C%22state%22%3A%22HMF%22%2C%22sub_page_ad_positions%22%3A%221200%2C1224%2C1301%2C1321%2C1420%2C1480%22%2C%22t_epoch%22%3A1542317634%2C%22template_id%22%3A25%2C%22time_on_site_visit%22%3A0%2C%22url%22%3A%22http%3A%2F%2Fdeadfake.com%2F%22%2C%22user_id%22%3A0%2C%22word_count%22%3A187%2C%22worst_bad_word_level%22%3A0%7D | DE | | 59 b | malicious
3668 | iexplore.exe | GET | 200 | 104.18.40.223:80 | http://cdn.deadfake.com/utilcave_com/templates/combine.php?all=1&solCombine=1&dirname=deadfake_com&ezcb=182-1&d=deadfake.com&css=%2Futilcave_com%2Ffont%2Ff.php%3FsolCSS%3D1%26a%3D2%26dirname%3Ddeadfake_com%26ezcb%3D182-1%26d%3Ddeadfake.com%26u%3DFjalla%2BOne%7C%7C%257E::%2Futilcave_com%2Fmiddleton%2Fcss.php%3FsolCSS%3D1%26css%3D%2Fcss%2Fcommon.ezoic.scss%26dirname%3Ddeadfake_com%26ezcb%3D182-1::%2Futilcave_com%2Fmiddleton%2Fcss.php%3FsolCSS%3D1%26css%3D%2Farticle%2Fcss%2Fdropdown.css%26ezcb%3D182-1%26tdir%3D%2Farticle%2F%26scss%3D1%26dirname%3Ddeadfake_com%26did%3D4370%26eztmp%3D1%26ezcss%3D1::%2Futilcave_com%2Fmiddleton%2Fcss.php%3FsolCSS%3D1%26css%3D%2Farticle%2Fcss%2Ftwo_column.ezoic.scss%26ezcb%3D182-1%26tdir%3D%2Farticle%2F%26scss%3D1%26dirname%3Ddeadfake_com%26did%3D4370%26eztmp%3D1::%2Futilcave_com%2Fmiddleton%2Fcss.php%3FsolCSS%3D1%26css%3D%2Farticle%2Fcss%2Ftwo_column_emogrify.ezoic.scss%26ezcb%3D182-1%26tdir%3D%2Farticle%2F%26scss%3D1%26dirname%3Ddeadfake_com%26did%3D4370%26eztmp%3D1%26ezcss%3D1::%2Futilcave_com%2Fmiddleton%2Fcss.php%3FsolCSS%3D1%26css%3D%2Farticle%2Fcss%2Ftwo_column.menu.css.go%26ezcb%3D182-1%26tdir%3D%2Farticle%2F%26scss%3D1%26dirname%3Ddeadfake_com%26did%3D4370%26eztmp%3D1%26ezcss%3D1::%2Futilcave_com%2Fmiddleton%2Fcss.php%3FsolCSS%3D1%26css%3D%2Farticle%2Ffont%2Fcss%2Ffont-awesome.css%26ezcb%3D182-1%26tdir%3D%2Farticle%2F%26scss%3D1%26dirname%3Ddeadfake_com%26did%3D4370%26eztmp%3D1%26ezcss%3D1 | US | | 28.3 Kb | suspicious
3668 | iexplore.exe | GET | 200 | 35.158.91.78:80 | http://deadfake.com/porpoiseant/banger.js?cb=182-1&bv=2&v=8&PageSpeed=off | DE | text | 11.4 Kb | malicious
3668 | iexplore.exe | GET | 200 | 54.230.129.115:80 | http://go.ezoic.net/porpoiseant/dall4.js | US | text | 76.0 Kb | shared
3668 | iexplore.exe | GET | 200 | 35.158.91.78:80 | http://deadfake.com/ezoic/cookieconsent.min.js | DE | html | 1.88 Kb | malicious
3668 | iexplore.exe | GET | 200 | 104.18.40.223:80 | http://cdn.deadfake.com/utilcave_com/middleton/img.webp?dirname=deadfake_com&img=%2Farticle%2Ffont%2Fcss%2F..%2Ffonts%2Ffontawesome-webfont.eot%3F%23iefix%26v%3D4.0.1)%20format("embedded-opentype"),%20url(//cdn.deadfake.com/utilcave_com/middleton/img.webp?dirname=deadfake_com&img=%2Farticle%2Ffont%2Fcss%2F..%2Ffonts%2Ffontawesome-webfont.woff%3Fv%3D4.0.1)%20format("woff"),%20url(//cdn.deadfake.com/utilcave_com/middleton/img.webp?dirname=deadfake_com&img=%2Farticle%2Ffont%2Fcss%2F..%2Ffonts%2Ffontawesome-webfont.ttf%3Fv%3D4.0.1)%20format("truetype"),%20url(//cdn.deadfake.com/utilcave_com/middleton/img.webp?dirname=deadfake_com&img=%2Farticle%2Ffont%2Fcss%2F..%2Ffonts%2Ffontawesome-webfont.svg%3Fv%3D4.0.1%23fontawesomeregular)%20format("svg" | US | image | 55.5 Kb | suspicious
3668 | iexplore.exe | GET | 200 | 216.58.210.2:80 | http://www.googletagservices.com/tag/js/gpt.js | US | text | 9.14 Kb | whitelisted
3668 | iexplore.exe | GET | 200 | 216.58.206.3:80 | http://fonts.gstatic.com/s/fjallaone/v5/Yq6R-LCAWCX3-6Ky7FAFrOF6lg.eot | US | eot | 17.6 Kb | whitelisted
3668 | iexplore.exe | GET | 200 | 35.158.91.78:80 | http://deadfake.com/detroitchicago/rochester.js?cb=182-1&v=8 | DE | text | 952 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3280 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3668 | iexplore.exe | 104.18.40.223:80 | cdn.deadfake.com | Cloudflare Inc | US | shared
3668 | iexplore.exe | 216.58.208.34:443 | adservice.google.com | Google Inc. | US | whitelisted
3668 | iexplore.exe | 216.58.206.10:80 | ajax.googleapis.com | Google Inc. | US | whitelisted
3668 | iexplore.exe | 216.58.207.34:443 | adservice.google.co.uk | Google Inc. | US | whitelisted
3668 | iexplore.exe | 35.158.91.78:80 | deadfake.com | Amazon.com, Inc. | DE | suspicious
3668 | iexplore.exe | 104.18.41.223:80 | cdn.deadfake.com | Cloudflare Inc | US | shared
3668 | iexplore.exe | 172.217.23.170:80 | ajax.googleapis.com | Google Inc. | US | whitelisted
3668 | iexplore.exe | 216.58.210.2:80 | www.googletagservices.com | Google Inc. | US | whitelisted
3668 | iexplore.exe | 216.58.206.2:443 | securepubads.g.doubleclick.net | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
deadfake.com | 35.158.91.78 | malicious
go.ezoic.net | 54.230.129.115, 54.230.129.143, 54.230.129.137, 54.230.129.119 | shared
www.googletagservices.com | 216.58.210.2 | whitelisted
cdn.deadfake.com | 104.18.40.223, 104.18.41.223 | suspicious
ajax.googleapis.com | 172.217.23.170, 172.217.22.74, 216.58.205.234, 172.217.21.234, 172.217.22.10, 172.217.18.10, 172.217.18.170, 216.58.206.10, 216.58.207.42, 216.58.207.74, 172.217.16.170, 216.58.208.42, 172.217.22.42, 172.217.22.106, 216.58.210.10 | whitelisted
cdn-2.deadfake.com | 104.18.41.223, 104.18.40.223 | suspicious
fonts.googleapis.com | 216.58.206.10 | whitelisted
securepubads.g.doubleclick.net | 216.58.206.2 | whitelisted
adservice.google.com | 216.58.208.34 | whitelisted

Threats

No threats detected
No debug info