| File name: | EeveeSpotify-5.8.2-8.9.96.ipa |
| Full analysis: | https://app.any.run/tasks/3f93ae55-1510-4ad9-9604-46a61260ac3f |
| Verdict: | Malicious activity |
| Analysis date: | December 08, 2024, 06:30:11 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| MIME: | application/x-ios-app |
| File info: | iOS App Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 8CB27435E51EA7CC49EC21C69E28CB17 |
| SHA1: | 866D325AFEAEBCF7E9B3403BB04EC1D7E1C38B19 |
| SHA256: | 09DFDCA4B6B4AA438AAE25760A3B0A272556CD175FB0165E68BB908B2433EBC0 |
| SSDEEP: | 786432:8Rl/hyDIBinKMSRcRmznJcXD/oLjgv5+NweHUVCHdkbORA+r:QhfBinKU5XD/o/gx+NXHUYdYaA+r |
MALICIOUS
No malicious indicators.SUSPICIOUS
No suspicious indicators.INFO
Manual execution by a user
- notepad.exe (PID: 1864)
- notepad.exe (PID: 5036)
- notepad.exe (PID: 648)
- notepad.exe (PID: 5156)
- notepad.exe (PID: 4300)
- notepad.exe (PID: 4824)
- notepad.exe (PID: 2548)
- notepad.exe (PID: 2744)
- notepad.exe (PID: 3912)
- notepad.exe (PID: 4132)
- notepad.exe (PID: 1348)
- notepad.exe (PID: 2292)
- notepad.exe (PID: 2736)
- notepad.exe (PID: 2828)
- notepad.exe (PID: 5604)
- notepad.exe (PID: 5712)
- notepad.exe (PID: 5252)
- notepad.exe (PID: 3760)
- notepad.exe (PID: 4020)
- notepad.exe (PID: 3820)
- notepad.exe (PID: 1576)
- notepad.exe (PID: 1140)
- notepad.exe (PID: 3364)
- notepad.exe (PID: 3888)
- notepad.exe (PID: 2392)
- notepad.exe (PID: 5576)
- notepad.exe (PID: 440)
- notepad.exe (PID: 2512)
- notepad.exe (PID: 4612)
- notepad.exe (PID: 2972)
- notepad.exe (PID: 6176)
- notepad.exe (PID: 5732)
- notepad.exe (PID: 6256)
- notepad.exe (PID: 6304)
- notepad.exe (PID: 6216)
- notepad.exe (PID: 6344)
- notepad.exe (PID: 3900)
- notepad.exe (PID: 6388)
- notepad.exe (PID: 6432)
- notepad.exe (PID: 6476)
- notepad.exe (PID: 6520)
- notepad.exe (PID: 6560)
- notepad.exe (PID: 6604)
- notepad.exe (PID: 6692)
- notepad.exe (PID: 6736)
- notepad.exe (PID: 6776)
- notepad.exe (PID: 6644)
- notepad.exe (PID: 6820)
- notepad.exe (PID: 6860)
- notepad.exe (PID: 6908)
- notepad.exe (PID: 6172)
- notepad.exe (PID: 6424)
- notepad.exe (PID: 7120)
- notepad.exe (PID: 7080)
- notepad.exe (PID: 7040)
- notepad.exe (PID: 6952)
- notepad.exe (PID: 6996)
- notepad.exe (PID: 524)
- notepad.exe (PID: 5200)
- notepad.exe (PID: 6772)
- notepad.exe (PID: 2436)
- notepad.exe (PID: 1356)
- notepad.exe (PID: 6732)
- notepad.exe (PID: 3032)
- notepad.exe (PID: 6076)
- notepad.exe (PID: 3732)
- notepad.exe (PID: 7188)
- notepad.exe (PID: 7228)
- notepad.exe (PID: 7276)
- notepad.exe (PID: 7320)
- notepad.exe (PID: 7448)
- notepad.exe (PID: 7360)
- notepad.exe (PID: 7404)
- notepad.exe (PID: 7496)
- notepad.exe (PID: 7588)
- notepad.exe (PID: 7628)
- notepad.exe (PID: 7712)
- notepad.exe (PID: 7668)
- notepad.exe (PID: 7756)
- notepad.exe (PID: 7860)
- notepad.exe (PID: 7808)
- notepad.exe (PID: 7904)
- notepad.exe (PID: 7944)
- notepad.exe (PID: 8076)
- notepad.exe (PID: 8028)
- notepad.exe (PID: 8120)
- notepad.exe (PID: 8164)
- notepad.exe (PID: 4640)
- notepad.exe (PID: 1380)
- notepad.exe (PID: 7984)
- notepad.exe (PID: 7544)
Reads security settings of Internet Explorer
- notepad.exe (PID: 1864)
- notepad.exe (PID: 5036)
- notepad.exe (PID: 648)
- notepad.exe (PID: 5156)
- notepad.exe (PID: 4300)
- notepad.exe (PID: 4824)
- notepad.exe (PID: 2744)
- notepad.exe (PID: 4132)
- notepad.exe (PID: 3912)
- notepad.exe (PID: 1348)
- notepad.exe (PID: 2548)
- notepad.exe (PID: 2736)
- notepad.exe (PID: 2828)
- notepad.exe (PID: 5604)
- notepad.exe (PID: 3364)
- notepad.exe (PID: 5252)
- notepad.exe (PID: 3760)
- notepad.exe (PID: 4020)
- notepad.exe (PID: 2292)
- notepad.exe (PID: 1576)
- notepad.exe (PID: 1140)
- notepad.exe (PID: 5712)
- notepad.exe (PID: 2512)
- notepad.exe (PID: 3900)
- notepad.exe (PID: 2392)
- notepad.exe (PID: 3820)
- notepad.exe (PID: 440)
- notepad.exe (PID: 4612)
- notepad.exe (PID: 5732)
- notepad.exe (PID: 2972)
- notepad.exe (PID: 6176)
- notepad.exe (PID: 6216)
- notepad.exe (PID: 6256)
- notepad.exe (PID: 6304)
- notepad.exe (PID: 5576)
- notepad.exe (PID: 3888)
- notepad.exe (PID: 6344)
- notepad.exe (PID: 6432)
- notepad.exe (PID: 6388)
- notepad.exe (PID: 6520)
- notepad.exe (PID: 6476)
- notepad.exe (PID: 6560)
- notepad.exe (PID: 6604)
- notepad.exe (PID: 6644)
- notepad.exe (PID: 6736)
- notepad.exe (PID: 6776)
- notepad.exe (PID: 6692)
- notepad.exe (PID: 6820)
- notepad.exe (PID: 6860)
- notepad.exe (PID: 6908)
- notepad.exe (PID: 6172)
- notepad.exe (PID: 7120)
- notepad.exe (PID: 7040)
- notepad.exe (PID: 7080)
- notepad.exe (PID: 6952)
- notepad.exe (PID: 6996)
- notepad.exe (PID: 524)
- notepad.exe (PID: 5200)
- notepad.exe (PID: 6424)
- notepad.exe (PID: 6772)
- notepad.exe (PID: 2436)
- notepad.exe (PID: 1356)
- notepad.exe (PID: 3032)
- notepad.exe (PID: 6732)
- notepad.exe (PID: 6076)
- notepad.exe (PID: 3732)
- notepad.exe (PID: 7228)
- notepad.exe (PID: 7188)
- notepad.exe (PID: 7320)
- notepad.exe (PID: 7276)
- notepad.exe (PID: 7448)
- notepad.exe (PID: 7360)
- notepad.exe (PID: 7496)
- notepad.exe (PID: 7404)
- notepad.exe (PID: 7588)
- notepad.exe (PID: 7628)
- notepad.exe (PID: 7756)
- notepad.exe (PID: 7668)
- notepad.exe (PID: 7712)
- notepad.exe (PID: 7860)
- notepad.exe (PID: 7904)
- notepad.exe (PID: 7808)
- notepad.exe (PID: 7944)
- notepad.exe (PID: 7984)
- notepad.exe (PID: 8028)
- notepad.exe (PID: 8120)
- notepad.exe (PID: 8076)
- notepad.exe (PID: 8164)
- notepad.exe (PID: 1380)
- notepad.exe (PID: 4640)
- notepad.exe (PID: 7544)
The process uses the downloaded file
- WinRAR.exe (PID: 5000)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2024:11:26 21:02:58 |
| ZipCRC: | 0x5257638f |
| ZipCompressedSize: | 164 |
| ZipUncompressedSize: | 287 |
| ZipFileName: | Payload/Spotify.app/iOS-to-web-language-mappings.json |
Total processes
201
Monitored processes
92
Malicious processes
0
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 440 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\pt-BR.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 524 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\no.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 648 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\pt-BR.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1140 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\es-ES.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1348 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\ar.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1356 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\el.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1380 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\pl.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1576 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\sk.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1864 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\en-UK.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2292 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\zh-TW.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
14 716
Read events
14 703
Write events
13
Delete events
0
Modification events
| (PID) Process: | (5000) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (5000) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (5000) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (5000) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\EeveeSpotify-5.8.2-8.9.96.ipa.zip | |||
| (PID) Process: | (5000) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (5000) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (5000) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (5000) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (5000) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan |
| Operation: | write | Name: | DefScanner |
Value: Windows Defender | |||
| (PID) Process: | (5000) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList |
| Operation: | write | Name: | ArcSort |
Value: 32 | |||
Executable files
0
Suspicious files
616
Text files
370
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5000 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5000.26257\EeveeSpotify-5.8.2-8.9.96.ipa.zip\Payload\Spotify.app\Spotify | — | |
MD5:— | SHA256:— | |||
| 5000 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5000.26257\EeveeSpotify-5.8.2-8.9.96.ipa.zip\Payload\Spotify.app\social-on-demand-clients.plist | binary | |
MD5:DB84285DE674F00EA360DA0069515B3E | SHA256:1B0957CDEB016256BA6FE16F845F8B33E44BD8027690C33C882CCE778DADC435 | |||
| 5000 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5000.26257\EeveeSpotify-5.8.2-8.9.96.ipa.zip\Payload\Spotify.app\Info.plist | xml | |
MD5:52C7A89F3CC54772CAA94C82287DC26C | SHA256:1FDDA718C5D477ACBD29814D72165F32DA4518440BF8D89B0C9CD33DF8E905FB | |||
| 5000 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5000.26257\EeveeSpotify-5.8.2-8.9.96.ipa.zip\Payload\Spotify.app\googlemaps-bundle-ids.plist | binary | |
MD5:6CC38E1ECD6535D0CB6D3D38E5E53F4F | SHA256:4632FF07342A2943C2C3709E99AE066FC1D91123E68ED8110E057B3812A25DF3 | |||
| 5000 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5000.26257\EeveeSpotify-5.8.2-8.9.96.ipa.zip\Payload\Spotify.app\fallback.urimap | binary | |
MD5:EB8CD87A8E870E81746E49475721761C | SHA256:0289F8A0A7195EF7DC89E5D3D81ACAE5D6819DCE3D7A6E28394EE98DE64C096C | |||
| 5000 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5000.26257\EeveeSpotify-5.8.2-8.9.96.ipa.zip\Payload\Spotify.app\de.lproj\AppIntentVocabulary.plist | binary | |
MD5:A99DAA92DB4E46E2A28B13A6A807088B | SHA256:6AB9F07E8A97194CF6D0D0F7A59E87C1D6DD2F47434510CCD25EA2EF11B60488 | |||
| 5000 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5000.26257\EeveeSpotify-5.8.2-8.9.96.ipa.zip\Payload\Spotify.app\PkgInfo | text | |
MD5:23B7D7D024ABB0F558420E098800BF27 | SHA256:82502191C9484B04D685374F9879A0066069C49B8ACAE7A04B01D38D07E8ECA0 | |||
| 5000 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5000.26257\EeveeSpotify-5.8.2-8.9.96.ipa.zip\Payload\Spotify.app\de.lproj\InfoPlist.strings | text | |
MD5:8EDED00ABAC4B3869EF91FB62DD1FA15 | SHA256:BCC3480E45C67042EB5144D63B24A9A09649DE7610F266979FDC9BB1C40C83BE | |||
| 5000 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5000.26257\EeveeSpotify-5.8.2-8.9.96.ipa.zip\Payload\Spotify.app\Intents.intentdefinition | xml | |
MD5:52756D063BE8C58C48C827D7A3FEB5B1 | SHA256:56E36BD6B76E3D2D04F93D6B6DAFB5FB46AC20B7B00AA9A4B361E3E6C4BD5CA8 | |||
| 5000 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5000.26257\EeveeSpotify-5.8.2-8.9.96.ipa.zip\Payload\Spotify.app\iOS-to-web-language-mappings.json | binary | |
MD5:E798436EF5C3B501984D81AD0D7D2EF4 | SHA256:3630D4D6BF7EB5BB6E20307057D1F49D4AF1B90CAE1ED42E8E770088C083F7E9 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
17
DNS requests
6
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3220 | svchost.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
3220 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3220 | svchost.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3220 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
3976 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |