download: | Adobe%20Photoshop_24_242.exe |
Full analysis: | https://app.any.run/tasks/6137e2d6-eff1-4c29-a3c2-a6e4b7c2c1db |
Verdict: | Malicious activity |
Analysis date: | June 12, 2019, 08:50:21 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | D8F704B2F289171737A56C50357CFB52 |
SHA1: | CC5627C8A1223E58A04363A5D14E5DF2A1364F7E |
SHA256: | 0B0F2C452ED06229E6F9DDB58D5F72230D140F3DB348CBB83CE85A8DDB292C23 |
SSDEEP: | 98304:sODn6E6vnzaUbRnW4aeQ7bWWkhdVbmt4QI5zEKKJA7/fYMnkOBPde:sQn6EGzaGW7eQ7Mbbm2zEKp7dkOBQ |
.exe | | | InstallShield setup (54.3) |
---|---|---|
.exe | | | Win64 Executable (generic) (34.8) |
.exe | | | Win32 Executable (generic) (5.6) |
.exe | | | Generic Win/DOS Executable (2.5) |
.exe | | | DOS Executable Generic (2.5) |
ProductVersion: | 1 |
---|---|
ProductName: | downer for windows |
OriginalFileName: | downloader.exe |
LegalCopyright: | Copyright ? 2018 - 2019 xiao T |
InternalName: | downloader.exe |
FileVersion: | 1 |
FileDescription: | downer for windows |
Comments: | downer for windows |
CharacterSet: | Windows, Chinese (Simplified) |
LanguageCode: | Chinese (Simplified) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.0.0.2 |
FileVersionNumber: | 1.0.0.2 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5 |
ImageVersion: | - |
OSVersion: | 5 |
EntryPoint: | 0x153174 |
UninitializedDataSize: | - |
InitializedDataSize: | 4364800 |
CodeSize: | 1655808 |
LinkerVersion: | 9 |
PEType: | PE32 |
TimeStamp: | 2019:05:30 03:46:35+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 30-May-2019 01:46:35 |
Detected languages: |
|
Debug artifacts: |
|
Comments: | downer for windows |
FileDescription: | downer for windows |
FileVersion: | 1.0 |
InternalName: | downloader.exe |
LegalCopyright: | Copyright ? 2018 - 2019 xiao T |
OriginalFilename: | downloader.exe |
ProductName: | downer for windows |
ProductVersion: | 1.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 30-May-2019 01:46:35 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0019421F | 0x00194400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.38163 |
.rdata | 0x00196000 | 0x00044FA6 | 0x00045000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.8927 |
.data | 0x001DB000 | 0x00012080 | 0x0000B000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.14927 |
.rsrc | 0x001EE000 | 0x003C217C | 0x003C2200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.8767 |
.reloc | 0x005B1000 | 0x0001761C | 0x00017800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 4.69443 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.01229 | 633 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 3.24731 | 296 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
3 | 3.27183 | 3752 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
4 | 3.91452 | 2216 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
5 | 3.47417 | 1384 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
6 | 3.02843 | 9640 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
7 | 2.22721 | 72 | Latin 1 / Western European | Chinese - PRC | RT_STRING |
8 | 2.44525 | 1128 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
9 | 3.02695 | 308 | Latin 1 / Western European | Chinese - PRC | RT_CURSOR |
10 | 2.74274 | 180 | Latin 1 / Western European | Chinese - PRC | RT_CURSOR |
ADVAPI32.dll |
COMCTL32.dll |
COMDLG32.dll |
GDI32.dll |
IPHLPAPI.DLL |
KERNEL32.dll |
NETAPI32.dll |
OLEACC.dll (delay-loaded) |
OLEAUT32.dll |
PSAPI.DLL |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3204 | "C:\Users\admin\AppData\Local\Temp\beb44565-3a80-4eee-b396-e6985e7e4287.exe" | C:\Users\admin\AppData\Local\Temp\beb44565-3a80-4eee-b396-e6985e7e4287.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: downer for windows Exit code: 3221226540 Version: 1.0 Modules
| |||||||||||||||
3604 | "C:\Users\admin\AppData\Local\Temp\beb44565-3a80-4eee-b396-e6985e7e4287.exe" | C:\Users\admin\AppData\Local\Temp\beb44565-3a80-4eee-b396-e6985e7e4287.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: downer for windows Version: 1.0 Modules
|
(PID) Process: | (3604) beb44565-3a80-4eee-b396-e6985e7e4287.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\beb44565-3a80-4eee-b396-e6985e7e4287_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (3604) beb44565-3a80-4eee-b396-e6985e7e4287.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\beb44565-3a80-4eee-b396-e6985e7e4287_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (3604) beb44565-3a80-4eee-b396-e6985e7e4287.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\beb44565-3a80-4eee-b396-e6985e7e4287_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (3604) beb44565-3a80-4eee-b396-e6985e7e4287.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\beb44565-3a80-4eee-b396-e6985e7e4287_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 | |||
(PID) Process: | (3604) beb44565-3a80-4eee-b396-e6985e7e4287.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\beb44565-3a80-4eee-b396-e6985e7e4287_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
(PID) Process: | (3604) beb44565-3a80-4eee-b396-e6985e7e4287.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\beb44565-3a80-4eee-b396-e6985e7e4287_RASAPI32 |
Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
(PID) Process: | (3604) beb44565-3a80-4eee-b396-e6985e7e4287.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\beb44565-3a80-4eee-b396-e6985e7e4287_RASMANCS |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (3604) beb44565-3a80-4eee-b396-e6985e7e4287.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\beb44565-3a80-4eee-b396-e6985e7e4287_RASMANCS |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (3604) beb44565-3a80-4eee-b396-e6985e7e4287.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\beb44565-3a80-4eee-b396-e6985e7e4287_RASMANCS |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (3604) beb44565-3a80-4eee-b396-e6985e7e4287.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\beb44565-3a80-4eee-b396-e6985e7e4287_RASMANCS |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | C:\Users\admin\AppData\Roaming\youxunbox\main.7z | — | |
MD5:— | SHA256:— | |||
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | C:\Users\admin\AppData\Roaming\youxunbox\baidu.ico | image | |
MD5:861F227D99793BAF229A5ADF29A2E7DD | SHA256:1441505511BFFF6EF63584A3D3B6CE7086E427A16503818F1CA536617C856D9A | |||
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | C:\Users\admin\AppData\Roaming\youxunbox\aitb.ico | image | |
MD5:0B495875ABCF45ABF90385AD888CFC5C | SHA256:7C92CD859E4DEB5880418767277302F2AD9012D66008BF7A764A4CA5D1874BEB | |||
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | C:\Users\admin\AppData\Roaming\youxunbox\lsqy_tb.ico | image | |
MD5:2A03E678288929731A710D4A19D3FD1B | SHA256:8973F18F0D4678F96049FA3E4C3D31BCEDC4736DCA127E471F97ADB578CDFC5C | |||
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | C:\Users\admin\AppData\Roaming\youxunbox\cqsf.ico | image | |
MD5:436FCDAC987DD49BD5E664C5C283A209 | SHA256:2A85783774E2F7CFA6F480D4C3F437D934876D20FB46B42482297E000296E46D | |||
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | C:\Users\admin\AppData\Roaming\youxunbox\新建文件夹\2.7z | compressed | |
MD5:0D5DD5003E01C58CC9B46B9CEE7998FB | SHA256:FCC0A8543C3EA878110FC71E97C627CFFA2DC217603C56D464C385579693627D | |||
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | C:\Users\admin\AppData\Roaming\youxunbox\tmmarket.ico | image | |
MD5:5F8B47DC7A085E0A0D379A505310E23B | SHA256:B0D150D2C69A8F09B060CE9EAF19EC8C94D2FD5703A5F11CDE6E48EA11CB9E27 | |||
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | C:\Users\admin\AppData\Roaming\youxunbox\shipin.ico | image | |
MD5:56DB8FC68B28DCDC5E37FDE17957AC13 | SHA256:CE1725220A36DD26D78B7CD582A31AA65F0273D741A46E3D4D88C00196463769 | |||
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | C:\Users\admin\AppData\Roaming\youxunbox\新建文件夹\down.zip | compressed | |
MD5:B107AE30ECBAF944DDAB4540667D90E9 | SHA256:A2AF856323F94AD48B5308CC3A46D0C4DD87BB1299EFA8E82D7D0817A2266A28 | |||
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | C:\Users\admin\AppData\Roaming\youxunbox\jhs.ico | image | |
MD5:4234A87AA111281F8AF2C28F9DFBD468 | SHA256:499603368C57CBB188A3510B1E92344D02B54992B86A4906AE7E7CF061362684 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | GET | 200 | 182.118.46.58:80 | http://poik.dgygpx.com/yxh/navico/hhts3.png | CN | image | 952 b | malicious |
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | GET | 200 | 182.118.46.58:80 | http://poik.dgygpx.com/yxh/navico/baidu.png | CN | image | 3.04 Kb | malicious |
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | GET | 200 | 163.171.128.148:80 | http://api.pcsoft.jshhdian.com/cgi/PCSoftInfo.ashx/pcsoft/getentity?id= | US | text | 61 b | malicious |
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | GET | 200 | 163.171.128.148:80 | http://ggstats.yb.jshhdian.com/pinforesults.do?sc=%3DFUQmS3ck6XanBUNgSXZwync4AHaA13cza3ZnRXZwync4AHaA13czanKxFUQ16XewOnKnGXM1BUMiSUMxBUM1VUMzVUQkGXcnFUQlm3d | US | text | 35.9 Kb | whitelisted |
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | GET | 200 | 182.118.46.58:80 | http://poik.dgygpx.com/yxh/navico/jd.ico | CN | image | 1.12 Kb | malicious |
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | GET | 200 | 182.118.46.58:80 | http://poik.dgygpx.com/yxh/navico/hhts3.ico | CN | image | 1.12 Kb | malicious |
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | GET | 200 | 182.118.46.58:80 | http://poik.dgygpx.com/yxh/navico/cqfd3.png | CN | image | 645 b | malicious |
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | GET | 200 | 182.118.46.58:80 | http://poik.dgygpx.com/yxh/navico/cqfd3.ico | CN | image | 1.12 Kb | malicious |
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | GET | 200 | 163.171.128.148:80 | http://api.yb.jshhdian.com/open/rili/ip.json?ip=10.116.0.1 | US | text | 38 b | malicious |
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | GET | 200 | 182.118.46.58:80 | http://poik.dgygpx.com/yxh/navico/wangzdh.png | CN | image | 1.49 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | 182.118.46.58:80 | poik.dgygpx.com | CHINA UNICOM China169 Backbone | CN | malicious |
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | 222.85.26.209:443 | s13.cnzz.com | No.31,Jin-rong Street | CN | unknown |
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | 119.28.47.147:80 | api.pcsoft.70gj.cn | Tencent Cloud Computing (Beijing) Co., Ltd | CN | unknown |
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | 163.171.132.119:80 | dw.jshhdian.com | — | US | malicious |
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | 163.171.128.148:80 | api.pcsoft.jshhdian.com | — | US | malicious |
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | 171.11.231.37:80 | poik.dgygpx.com | No.31,Jin-rong Street | CN | malicious |
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | 171.11.231.39:80 | poik.dgygpx.com | No.31,Jin-rong Street | CN | malicious |
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | 203.119.206.93:443 | z7.cnzz.com | — | CN | malicious |
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | 222.85.26.208:443 | s13.cnzz.com | No.31,Jin-rong Street | CN | unknown |
3604 | beb44565-3a80-4eee-b396-e6985e7e4287.exe | 198.11.136.24:443 | cnzz.mmstat.com | Alibaba (China) Technology Co., Ltd. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
api.pcsoft.jshhdian.com |
| malicious |
ggstats.yb.jshhdian.com |
| whitelisted |
www.baidu.com |
| whitelisted |
api.yb.jshhdian.com |
| malicious |
poik.dgygpx.com |
| malicious |
ymte.sgdebao.com |
| malicious |
eoud.dgygpx.com |
| malicious |
dw.jshhdian.com |
| malicious |
api.pcsoft.70gj.cn |
| malicious |
s13.cnzz.com |
| suspicious |