Field | Value |
---|---|
File name: | Adobe Photoshop_24_242.exe |
Full analysis: | https://app.any.run/tasks/f24dab6d-5686-4623-9744-e65de677e533 |
Verdict: | Malicious activity |
Analysis date: | June 12, 2019, 08:53:58 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | — |
Indicators: | — |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | D8F704B2F289171737A56C50357CFB52 |
SHA1: | CC5627C8A1223E58A04363A5D14E5DF2A1364F7E |
SHA256: | 0B0F2C452ED06229E6F9DDB58D5F72230D140F3DB348CBB83CE85A8DDB292C23 |
SSDEEP: | 98304:sODn6E6vnzaUbRnW4aeQ7bWWkhdVbmt4QI5zEKKJA7/fYMnkOBPde:sQn6EGzaGW7eQ7Mbbm2zEKp7dkOBQ |
Extension | Detection (confidence) |
---|---|
.exe | InstallShield setup (54.3) |
.exe | Win64 Executable (generic) (34.8) |
.exe | Win32 Executable (generic) (5.6) |
.exe | Generic Win/DOS Executable (2.5) |
.exe | DOS Executable Generic (2.5) |
Field | Value |
---|---|
ProductVersion: | 1 |
ProductName: | downer for windows |
OriginalFileName: | downloader.exe |
LegalCopyright: | Copyright ? 2018 - 2019 xiao T |
InternalName: | downloader.exe |
FileVersion: | 1 |
FileDescription: | downer for windows |
Comments: | downer for windows |
CharacterSet: | Windows, Chinese (Simplified) |
LanguageCode: | Chinese (Simplified) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.0.0.2 |
FileVersionNumber: | 1.0.0.2 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5 |
ImageVersion: | - |
OSVersion: | 5 |
EntryPoint: | 0x153174 |
UninitializedDataSize: | - |
InitializedDataSize: | 4364800 |
CodeSize: | 1655808 |
LinkerVersion: | 9 |
PEType: | PE32 |
TimeStamp: | 2019:05:30 03:46:35+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 30-May-2019 01:46:35 |
Detected languages: | — |
Debug artifacts: | — |
Comments: | downer for windows |
FileDescription: | downer for windows |
FileVersion: | 1.0 |
InternalName: | downloader.exe |
LegalCopyright: | Copyright ? 2018 - 2019 xiao T |
OriginalFilename: | downloader.exe |
ProductName: | downer for windows |
ProductVersion: | 1.0 |
DOS header field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
PE header field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 30-May-2019 01:46:35 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | — |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0019421F | 0x00194400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.38163 |
.rdata | 0x00196000 | 0x00044FA6 | 0x00045000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.8927 |
.data | 0x001DB000 | 0x00012080 | 0x0000B000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.14927 |
.rsrc | 0x001EE000 | 0x003C217C | 0x003C2200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.8767 |
.reloc | 0x005B1000 | 0x0001761C | 0x00017800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 4.69443 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.01229 | 633 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 3.24731 | 296 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
3 | 3.27183 | 3752 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
4 | 3.91452 | 2216 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
5 | 3.47417 | 1384 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
6 | 3.02843 | 9640 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
7 | 2.22721 | 72 | Latin 1 / Western European | Chinese - PRC | RT_STRING |
8 | 2.44525 | 1128 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
9 | 3.02695 | 308 | Latin 1 / Western European | Chinese - PRC | RT_CURSOR |
10 | 2.74274 | 180 | Latin 1 / Western European | Chinese - PRC | RT_CURSOR |
Imported DLL |
---|
ADVAPI32.dll |
COMCTL32.dll |
COMDLG32.dll |
GDI32.dll |
IPHLPAPI.DLL |
KERNEL32.dll |
NETAPI32.dll |
OLEACC.dll (delay-loaded) |
OLEAUT32.dll |
PSAPI.DLL |
PID | CMD | Path | Indicators | Parent process | User | Integrity level | Company | Description | Exit code | Version |
---|---|---|---|---|---|---|---|---|---|---|
2856 | "C:\Users\admin\AppData\Local\Temp\Adobe Photoshop_24_242.exe" | C:\Users\admin\AppData\Local\Temp\Adobe Photoshop_24_242.exe | — | explorer.exe | admin | MEDIUM | — | downer for windows | 3221226540 | 1.0 |
3180 | "C:\Users\admin\AppData\Local\Temp\Adobe Photoshop_24_242.exe" | C:\Users\admin\AppData\Local\Temp\Adobe Photoshop_24_242.exe | — | explorer.exe | admin | HIGH | — | downer for windows | — | 1.0 |
1040 | "C:\Users\admin\AppData\Local\Temp\yxMiniTp\EyZ3w\download\MiniThunderPlatform.exe" -StartTP | C:\Users\admin\AppData\Local\Temp\yxMiniTp\EyZ3w\download\MiniThunderPlatform.exe | — | Adobe Photoshop_24_242.exe | admin | HIGH | 深圳市迅雷网络技术有限公司 | 迅雷云加速开放平台 (Xunlei cloud acceleration open platform) | 0 | 3.2.1.20 |
3572 | "C:\Windows\explorer.exe" /select, C:\Users\admin\AppData\Local\Temp\.txt | C:\Windows\explorer.exe | — | Adobe Photoshop_24_242.exe | admin | HIGH | Microsoft Corporation | Windows Explorer | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
3672 | C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | C:\Windows\explorer.exe | — | svchost.exe | admin | MEDIUM | Microsoft Corporation | Windows Explorer | — | 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3180 | Adobe Photoshop_24_242.exe | C:\Users\admin\AppData\Roaming\youxunbox\main.7z | — | — | — |
3180 | Adobe Photoshop_24_242.exe | C:\Users\admin\AppData\Roaming\youxunbox\aitb.ico | image | 0B495875ABCF45ABF90385AD888CFC5C | 7C92CD859E4DEB5880418767277302F2AD9012D66008BF7A764A4CA5D1874BEB |
3180 | Adobe Photoshop_24_242.exe | C:\Users\admin\AppData\Roaming\youxunbox\cqsf.ico | image | 436FCDAC987DD49BD5E664C5C283A209 | 2A85783774E2F7CFA6F480D4C3F437D934876D20FB46B42482297E000296E46D |
3180 | Adobe Photoshop_24_242.exe | C:\Users\admin\AppData\Roaming\youxunbox\lsqy_tb.ico | image | 2A03E678288929731A710D4A19D3FD1B | 8973F18F0D4678F96049FA3E4C3D31BCEDC4736DCA127E471F97ADB578CDFC5C |
3180 | Adobe Photoshop_24_242.exe | C:\Users\admin\AppData\Roaming\youxunbox\新建文件夹\down.zip | compressed | B107AE30ECBAF944DDAB4540667D90E9 | A2AF856323F94AD48B5308CC3A46D0C4DD87BB1299EFA8E82D7D0817A2266A28 |
3180 | Adobe Photoshop_24_242.exe | C:\Users\admin\AppData\Roaming\youxunbox\caipiao.ico | image | A3B545261150433E5673F571EB5319EB | 29A7E0BE47F90497C44624591AEA444EEA5411595899543C2659AC2C76F58DE0 |
3180 | Adobe Photoshop_24_242.exe | C:\Users\admin\AppData\Roaming\youxunbox\wangzdh.ico | image | D88C1D43FC223677A1E6019998A531B3 | CB843CA33DC0FC3F6503E0C270487DFC7F9CC61B91983A1D736F47EE81BA5B9A |
3180 | Adobe Photoshop_24_242.exe | C:\Users\admin\AppData\Roaming\youxunbox\tmmarket.ico | image | 5F8B47DC7A085E0A0D379A505310E23B | B0D150D2C69A8F09B060CE9EAF19EC8C94D2FD5703A5F11CDE6E48EA11CB9E27 |
3180 | Adobe Photoshop_24_242.exe | C:\Users\admin\AppData\Roaming\youxunbox\baidu.ico | image | 861F227D99793BAF229A5ADF29A2E7DD | 1441505511BFFF6EF63584A3D3B6CE7086E427A16503818F1CA536617C856D9A |
3180 | Adobe Photoshop_24_242.exe | C:\Users\admin\AppData\Roaming\youxunbox\temai.ico | image | 6ED6686C133BA3159D89AAD6B6A4EE10 | 63403102BA0C06B6CB9918D66DD8A888BF2716AC4DA49E1F84A4655B28A8E2F6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3180 | Adobe Photoshop_24_242.exe | GET | — | 163.171.128.148:80 | http://ggstats.yb.jshhdian.com/pinforesults.do?sc=%3DFUQmS3ck6XanRkNgSXZwync4AHaA13cza3ZnRXZwync4AHaA13czanKxFUQ16XewOnKnGXM1BUMiSUMxBUM1VUMzVUQkGXcnFUQlm3d | US | — | — | whitelisted |
3180 | Adobe Photoshop_24_242.exe | GET | 200 | 163.171.128.148:80 | http://api.pcsoft.jshhdian.com/cgi/PCSoftInfo.ashx/pcsoft/getentity?id=242 | US | text | 1.01 Kb | malicious |
3180 | Adobe Photoshop_24_242.exe | GET | 200 | 163.171.132.119:80 | http://dw.jshhdian.com/post/index_az_22.html | US | html | 566 b | malicious |
3180 | Adobe Photoshop_24_242.exe | GET | 200 | 163.171.132.119:80 | http://dw.jshhdian.com/xiazaiqi/box_520x240.html | US | html | 528 b | malicious |
3180 | Adobe Photoshop_24_242.exe | GET | 200 | 119.28.47.147:80 | http://api.pcsoft.70gj.cn/cgi/PCSoftInfo.ashx/pcsoft/countdo?sc=5lkO6J0NxZUOy1UaumHenRkNgSXZwync4AHaARXbuAndnajN1JUQlmnKAl2WaSYVF2FeGelU1GFSOSYVV6FeKSmUA53d | CN | text | 79 b | malicious |
1040 | MiniThunderPlatform.exe | GET | — | 122.143.23.180:80 | http://down10.zol.com.cn/it/Adobe0PhotoshopCS6.zip | CN | — | — | malicious |
3180 | Adobe Photoshop_24_242.exe | GET | 200 | 163.171.128.148:80 | http://ggstats.yb.jshhdian.com/pinforesults.do?sc=%3D%3DRNAVHawOncmajfiOnfg63ewSHf62UcwKoakaTauG3a5mYQuAndnaDNy1EevW4ckajai2DOx1TZ11DNx1DO21jN210Zi2nK1FUQlm3d | US | text | 24.5 Kb | whitelisted |
3180 | Adobe Photoshop_24_242.exe | GET | 200 | 182.118.46.58:80 | http://sdmv.wxyxch.cn/Install/0105-4.gif | CN | image | 139 Kb | malicious |
3180 | Adobe Photoshop_24_242.exe | GET | 200 | 163.171.128.148:80 | http://ggstats.yb.jshhdian.com/noencrypt_count.do?from=download&cfrom=download_24&type_show=&type_selected=&type_down_succ=&type_install_succ=&sn=52-54-00-4a-04-af&&time=1560329711 | US | text | 152 b | whitelisted |
1040 | MiniThunderPlatform.exe | POST | 200 | 121.9.209.165:80 | http://121.9.209.165:80/ | CN | binary | 28 b | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3180 | Adobe Photoshop_24_242.exe | 163.171.128.148:80 | api.pcsoft.jshhdian.com | — | US | malicious |
1040 | MiniThunderPlatform.exe | 119.188.108.12:8000 | hub5pnc.hz.sandai.net | CHINA UNICOM China169 Backbone | CN | malicious |
3180 | Adobe Photoshop_24_242.exe | 163.171.132.119:80 | dw.jshhdian.com | — | US | malicious |
— | — | 119.28.47.147:80 | api.pcsoft.70gj.cn | Tencent Cloud Computing (Beijing) Co., Ltd | CN | unknown |
1040 | MiniThunderPlatform.exe | 112.80.23.156:80 | pmap.hz.sandai.net | CHINA UNICOM China169 Backbone | CN | malicious |
3180 | Adobe Photoshop_24_242.exe | 182.118.46.58:80 | sdmv.wxyxch.cn | CHINA UNICOM China169 Backbone | CN | malicious |
1040 | MiniThunderPlatform.exe | 153.37.209.8:80 | hub5c.hz.sandai.net | CHINA UNICOM China169 Backbone | CN | malicious |
3180 | Adobe Photoshop_24_242.exe | 203.119.206.97:443 | z7.cnzz.com | — | CN | unknown |
1040 | MiniThunderPlatform.exe | 47.92.195.246:80 | hub5pr.hz.sandai.net | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious |
3180 | Adobe Photoshop_24_242.exe | 222.85.26.209:443 | s13.cnzz.com | No.31,Jin-rong Street | CN | unknown |
Domain | IP | Reputation |
---|---|---|
api.pcsoft.jshhdian.com | — | malicious |
ggstats.yb.jshhdian.com | — | whitelisted |
dw.jshhdian.com | — | malicious |
api.pcsoft.70gj.cn | — | malicious |
sdmv.wxyxch.cn | — | malicious |
hub5pn.hz.sandai.net | — | unknown |
hub5pnc.hz.sandai.net | — | malicious |
hub5u.hz.sandai.net | — | unknown |
relay.phub.hz.sandai.net | — | whitelisted |
s13.cnzz.com | — | suspicious |
PID | Process | Class | Message |
---|---|---|---|
1040 | MiniThunderPlatform.exe | Misc activity | ADWARE [PTsecurity] Win32.Downloader (Sogou/Chindo) |
1040 | MiniThunderPlatform.exe | Generic Protocol Command Decode | SURICATA STREAM CLOSEWAIT FIN out of window |
3180 | Adobe Photoshop_24_242.exe | Generic Protocol Command Decode | SURICATA STREAM CLOSEWAIT FIN out of window |
1040 | MiniThunderPlatform.exe | Misc activity | ADWARE [PTsecurity] Win32.Downloader (Sogou/Chindo) |
1040 | MiniThunderPlatform.exe | Misc activity | ADWARE [PTsecurity] Win32.Downloader (Sogou/Chindo) |
1040 | MiniThunderPlatform.exe | Misc activity | ADWARE [PTsecurity] Win32.Downloader (Sogou/Chindo) |
1040 | MiniThunderPlatform.exe | Generic Protocol Command Decode | SURICATA STREAM CLOSEWAIT FIN out of window |
1040 | MiniThunderPlatform.exe | Generic Protocol Command Decode | SURICATA STREAM CLOSEWAIT FIN out of window |
1040 | MiniThunderPlatform.exe | Generic Protocol Command Decode | SURICATA STREAM CLOSEWAIT FIN out of window |
1040 | MiniThunderPlatform.exe | Generic Protocol Command Decode | SURICATA STREAM CLOSEWAIT FIN out of window |