Malware analysis index.html Malicious activity | ANY.RUN

Add for printing

download:	index.html
Full analysis:	https://app.any.run/tasks/f36d9dde-63d9-4048-a9b4-7718dee3f53f
Verdict:	Malicious activity
Analysis date:	June 19, 2019, 11:05:06
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	opendir
Indicators:
MIME:	text/html
File info:	HTML document, Non-ISO extended-ASCII text, with very long lines, with CRLF, LF line terminators
MD5:	23BE16E5A9500A213B2B1C0F96670A8A
SHA1:	4683BD2476C877D185F3521ECDFE8E8D82D01026
SHA256:	06C713DCD6B576167F041CF422E9A76F578A9A7506705EDCED9DE4FA2A7B5859
SSDEEP:	768:fajoxiEsaOlKD24UJC3cy9hk2kiB7yQKsun:isxiEs7lNhC3cy9hk2kiB7yQHun

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
No suspicious indicators.
INFO
- Application launched itself
  - iexplore.exe (PID: 2328)
- Reads settings of System Certificates
  - iexplore.exe (PID: 3444)
- Changes internet zones settings
  - iexplore.exe (PID: 2328)
- Reads internet explorer settings
  - iexplore.exe (PID: 3444)
- Creates files in the user directory
  - iexplore.exe (PID: 3444)
- Changes settings of System certificates
  - iexplore.exe (PID: 3444)
- Adds / modifies Windows certificates
  - iexplore.exe (PID: 3444)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 3444)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.txt	\|	Text - UTF-8 encoded (100)

EXIF

HTML

HTTPEquivXUACompatible:	IE=edge
ContentType:	text/html; charset=UTF-8
Description:	youtube,youtube music,unblock youtube,youtube videos,youtube to mp3,youtube songs,youtube movies,youtube music videos,youtube proxy,youtube broadcast yourself,listen to youtube,youtube broadcast,utube,youtub
Keywords:	Unblock YouTube grants you access to any blocked web page. This site is compatible with YouTube Videos and has servers located in Europe.,youtube,youtube music,unblock youtube,youtube videos,youtube to mp3,youtube songs,youtube movies,youtube music videos,youtube proxy,youtube broadcast yourself,listen to youtube,youtube broadcast,utube,youtub
Title:	Unblock YouTube grants you access to any blocked web page. This site is compatible with YouTube Videos and has servers located in Europe.youtube,youtube music,unblock youtube,youtube videos,youtube to mp3,youtube songs,youtube movies,youtube music videos,youtube proxy,youtube broadcast yourself,listen to youtube,youtube broadcast,utube,youtub
alexaVerifyID:	fSWVak30jpQ63Nap7Sg7C4QUhc8
viewport:	width=device-width, initial-scale=1, maximum-scale=1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Parent process
2328	"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\index.html	C:\Program Files\Internet Explorer\iexplore.exe	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3444	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2328 CREDAT:79873	C:\Program Files\Internet Explorer\iexplore.exe	iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

401

Read events

317

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2328	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico		—
		MD5:—	SHA256:—
2328	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico		—
		MD5:—	SHA256:—
3444	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\application[1].js		text
		MD5:A4A4A8D805B868598E3AED208154677D	SHA256:90DE614EA109FD0EFD8A4A3C870686EC78DE0A50837731D992BDA445E5AB4D9C
3444	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\upload_video[1].css		text
		MD5:C17996DCF65C4A65DB22B3BF38E8AED5	SHA256:FDA610D8C0847A6D7CCCBA517667E5D3DB7F9F057FBC92B0809B7C72F29612C8
3444	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\vimotube[1].eot		html
		MD5:29DC4C365E375380ACB46356A212160A	SHA256:13AD212FF6145D05E79B681CE43EF5CA12EE98107BB3DDA7556F3A50E9EBB9F8
3444	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\style[1].css		text
		MD5:ACA43D99058C7D6B076EF61C91B22CDE	SHA256:7A8B2EC5A166171D60447CF81A8B4C0436A68AA4B06DD48974FBCEDAFB2E7AE3
3444	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\bootstrap[1].js		text
		MD5:D5A03D9CCA57637F008124916B86B585	SHA256:8E5884D1BE3041EAFBAB27D898B8E401E0263C5BEBABA17C97D82240064A362C
3444	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\jquery-ui[1].css		text
		MD5:69C5D597F54236958C504088FA1C4F9C	SHA256:5C1B0496A851F2D0FECD978C46949D2C4C8A1806F43C70097785458CD1DA9FF3
3444	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\bootstrap[1].css		text
		MD5:5CDDE728ED9268DD1266453A548B03A8	SHA256:7648BE07FF9FB3EF0CAF50027419BC8A0EDBF0E2EF1AF3A0B5DE520F14704442
3444	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\s[1].js		text
		MD5:0678130915A269ABACE9528D54499E7E	SHA256:992A590A3EA614A8B6CCD0433782753C3C13CE08727AE2FAED3A68A9DB2C9B57

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3444	iexplore.exe	GET	200	104.27.152.110:80	http://vidco.su/static/css/jquery-ui.css?v=1.2	US	text	6.03 Kb	suspicious
3444	iexplore.exe	GET	200	104.27.152.110:80	http://vidco.su/static/css/app.css	US	text	13.0 Kb	suspicious
3444	iexplore.exe	GET	200	104.27.152.110:80	http://vidco.su/static/application.js	US	text	1.53 Kb	suspicious
3444	iexplore.exe	GET	200	104.27.152.110:80	http://vidco.su/themes/ytspace/upload_video.css	US	text	203 b	suspicious
3444	iexplore.exe	GET	200	172.217.22.42:80	http://ajax.googleapis.com/ajax/libs/jqueryui/1/jquery-ui.min.js	US	text	60.0 Kb	whitelisted
3444	iexplore.exe	GET	200	104.27.152.110:80	http://vidco.su/static/css/style.css?v=1.2	US	text	3.87 Kb	suspicious
3444	iexplore.exe	GET	200	104.27.152.110:80	http://vidco.su/static/js/s.js	US	text	990 b	suspicious
3444	iexplore.exe	GET	200	104.27.152.110:80	http://vidco.su/static/fonts/vimotube.eot?	US	html	4.25 Kb	suspicious
3444	iexplore.exe	GET	200	104.27.152.110:80	http://vidco.su/static/fonts/glyphicons-halflings-regular.eot?	US	eot	19.7 Kb	suspicious
3444	iexplore.exe	GET	200	104.27.152.110:80	http://vidco.su/static/img/bg.jpg	US	html	4.42 Kb	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2328	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
4	System	104.19.196.151:445	cdnjs.cloudflare.com	Cloudflare Inc	US	shared
3444	iexplore.exe	172.217.22.42:80	ajax.googleapis.com	Google Inc.	US	whitelisted
3444	iexplore.exe	104.27.152.110:80	vidco.su	Cloudflare Inc	US	shared
4	System	209.197.3.15:445	maxcdn.bootstrapcdn.com	Highwinds Network Group, Inc.	US	whitelisted
4	System	209.197.3.15:139	maxcdn.bootstrapcdn.com	Highwinds Network Group, Inc.	US	whitelisted
3444	iexplore.exe	172.217.16.136:443	www.googletagmanager.com	Google Inc.	US	suspicious
4	System	104.19.198.151:445	cdnjs.cloudflare.com	Cloudflare Inc	US	shared
4	System	104.19.199.151:445	cdnjs.cloudflare.com	Cloudflare Inc	US	shared
3444	iexplore.exe	23.111.8.154:443	oss.maxcdn.com	netDNA	US	unknown

DNS requests

Domain	IP	Reputation
maxcdn.bootstrapcdn.com	209.197.3.15	whitelisted
vidco.su	104.27.152.110 104.27.153.110	suspicious
ajax.googleapis.com	172.217.22.42 216.58.210.10 172.217.16.202 172.217.18.106 172.217.23.170 172.217.21.202 172.217.21.234 172.217.18.10 172.217.18.170 172.217.23.138 216.58.206.10 216.58.207.42 216.58.207.74 172.217.16.170 216.58.208.42 172.217.16.138	whitelisted
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
cdnjs.cloudflare.com	104.19.196.151 104.19.197.151 104.19.198.151 104.19.195.151 104.19.199.151	whitelisted
www.googletagmanager.com	172.217.16.136	whitelisted
oss.maxcdn.com	23.111.8.154	whitelisted
pariwiki.com.ph	51.159.22.40	unknown
ytimg.googleusercontent.com	216.58.206.1	whitelisted

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET DNS Query for .su TLD (Soviet Union) Often Malware Related
—	—	Potentially Bad Traffic	ET DNS Query for .su TLD (Soviet Union) Often Malware Related
3444	iexplore.exe	Potentially Bad Traffic	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
3444	iexplore.exe	Potentially Bad Traffic	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
3444	iexplore.exe	Potentially Bad Traffic	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
3444	iexplore.exe	Potentially Bad Traffic	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
3444	iexplore.exe	Potentially Bad Traffic	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
3444	iexplore.exe	Potentially Bad Traffic	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
3444	iexplore.exe	Potentially Bad Traffic	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
3444	iexplore.exe	Potentially Bad Traffic	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related

Add for printing

No debug info

General Info

index.html

23BE16E5A9500A213B2B1C0F96670A8A

4683BD2476C877D185F3521ECDFE8E8D82D01026

06C713DCD6B576167F041CF422E9A76F578A9A7506705EDCED9DE4FA2A7B5859

768:fajoxiEsaOlKD24UJC3cy9hk2kiB7yQKsun:isxiEs7lNhC3cy9hk2kiB7yQHun

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

INFO

Application launched itself

Reads settings of System Certificates

Changes internet zones settings

Reads internet explorer settings

Creates files in the user directory

Changes settings of System certificates

Adds / modifies Windows certificates

Reads Internet Cache Settings

Malware configuration

Static information

TRiD

EXIF

HTML

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings