analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://jarv.is/y2k/downloads/bejewled.exe

Full analysis: https://app.any.run/tasks/88bddd03-9c76-47c5-a5f9-3072009442e5
Verdict: Malicious activity
Analysis date: May 24, 2019, 15:43:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

744203822118E4FB81C90DC0A95FA39F

SHA1:

617A776A1EC30ECD7E8244438BBAA4AB4AD3027E

SHA256:

0C53AA79AEF5078D5299F318B93B3B70CF572DCE0C7538D75757974DE4973400

SSDEEP:

3:N8k3eS94KKAL:28eSV3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • bejewled[1].exe (PID: 3864)
      • GLB3254.tmp (PID: 3284)
      • bejewled[1].exe (PID: 2980)
      • Bejeweled2Deluxe.exe (PID: 3880)
      • WinBej2.exe (PID: 2424)

    • Loads dropped or rewritten executable

      • GLB3254.tmp (PID: 3284)
      • explorer.exe (PID: 252)
      • svchost.exe (PID: 816)
      • svchost.exe (PID: 848)
      • Bejeweled2Deluxe.exe (PID: 3880)
      • WinBej2.exe (PID: 2424)

    • Changes settings of System certificates

      • WinBej2.exe (PID: 2424)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3336)
      • iexplore.exe (PID: 4000)
      • GLB3254.tmp (PID: 3284)
      • bejewled[1].exe (PID: 3864)

    • Starts Internet Explorer

      • explorer.exe (PID: 252)

    • Creates files in the Windows directory

      • GLB3254.tmp (PID: 3284)

    • Starts application with an unusual extension

      • bejewled[1].exe (PID: 3864)

    • Reads Internet Cache Settings

      • explorer.exe (PID: 252)

    • Removes files from Windows directory

      • GLB3254.tmp (PID: 3284)

    • Creates COM task schedule object

      • Bejeweled2Deluxe.exe (PID: 3880)

    • Reads internet explorer settings

      • Bejeweled2Deluxe.exe (PID: 3880)

    • Executed via COM

      • explorer.exe (PID: 2816)

    • Creates a software uninstall entry

      • GLB3254.tmp (PID: 3284)

    • Searches for installed software

      • svchost.exe (PID: 816)

    • Adds / modifies Windows certificates

      • WinBej2.exe (PID: 2424)

    • Creates files in the program directory

      • WinBej2.exe (PID: 2424)
      • GLB3254.tmp (PID: 3284)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 3336)

    • Creates files in the user directory

      • iexplore.exe (PID: 3336)
      • iexplore.exe (PID: 4000)

    • Application launched itself

      • iexplore.exe (PID: 3336)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 4000)
      • iexplore.exe (PID: 3336)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
12
Malicious processes
8
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start iexplore.exe iexplore.exe bejewled[1].exe no specs bejewled[1].exe glb3254.tmp explorer.exe no specs svchost.exe explorer.exe no specs explorer.exe no specs bejeweled2deluxe.exe no specs svchost.exe no specs winbej2.exe

Process information

PID
CMD
Path
Indicators
Parent process
3336"C:\Program Files\Internet Explorer\iexplore.exe" https://jarv.is/y2k/downloads/bejewled.exeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
4000"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3336 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2980"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\bejewled[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\bejewled[1].exeiexplore.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
3864"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\bejewled[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\bejewled[1].exe
iexplore.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3284C:\Users\admin\AppData\Local\Temp\GLB3254.tmp 4736 C:\Users\admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\I0488CJO\BEJEWL~1.EXEC:\Users\admin\AppData\Local\Temp\GLB3254.tmp
bejewled[1].exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
252C:\Windows\Explorer.EXEC:\Windows\explorer.exectfmon.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
848C:\Windows\system32\svchost.exe -k netsvcsC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3656"C:\Windows\explorer.exe" C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Shockwave.com\Bejeweled 2 DeluxeC:\Windows\explorer.exeGLB3254.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2816C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -EmbeddingC:\Windows\explorer.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3880"C:\Program Files\Shockwave.com\Bejeweled 2 Deluxe\Bejeweled2Deluxe.exe" C:\Program Files\Shockwave.com\Bejeweled 2 Deluxe\Bejeweled2Deluxe.exeexplorer.exe
User:
admin
Company:
shockwave.com
Integrity Level:
MEDIUM
Description:
shockwave.com Keyhole DRM Application
Version:
1, 0, 0, 1
Total events
2 903
Read events
2 669
Write events
0
Delete events
0

Modification events

No data
Executable files
11
Suspicious files
171
Text files
705
Unknown types
181

Dropped files

PID
Process
Filename
Type
3336iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
3336iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3336iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF7789350BE20A851A.TMP
MD5:
SHA256:
4000iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.datdat
MD5:BE087DDC05A4106F6F64684352BA0D21
SHA256:0088122973F1FDE63D0844D5CA31F3016F107BDA292F9DF33C4D7CE95DE74BA6
3336iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{B5009CF4-7E3A-11E9-B3B3-5254004A04AF}.datbinary
MD5:95BBCFF7108D779272583AC79557F195
SHA256:7B25343FA3F988DEAB85622699E6E9BF69A496FB55D9ED548FBD311AC940E0CF
4000iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@jarv[1].txttext
MD5:4FE776E38EAEAEB06DF11F7E6BE1EC96
SHA256:FA8F62A0F2C3B579586AA9ADA5D55925DBCE18212FF511B5A954A7146B110C23
3336iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\bejewled[1].exeexecutable
MD5:30583A08F50B6D7B4ED9ADA0050B05EB
SHA256:DAD28E5E444268E601F8682BEB16D89E7EFF59C62D7FAA047BF09515578F1C37
4000iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:F2EAFDF9C9320B4C19FE37871E07ADB2
SHA256:85B968A7160B5D30800AC53BDE9B8E5A0DD737E3015837997568B25C09BC818D
4000iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SIZQF3NT\bejewled[1].exeexecutable
MD5:30583A08F50B6D7B4ED9ADA0050B05EB
SHA256:DAD28E5E444268E601F8682BEB16D89E7EFF59C62D7FAA047BF09515578F1C37
848svchost.exeC:\Windows\appcompat\programs\RecentFileCache.bcftxt
MD5:71CA7046B0B8C29B86E377E31888B3D7
SHA256:1EF7983D907EA8D5C152B0A6352827CA3F4133C26E42A77E66AF092D86073AD0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3336
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3336
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
4000
iexplore.exe
104.31.67.47:443
jarv.is
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
jarv.is
  • 104.31.67.47
  • 104.31.66.47
unknown
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

No threats detected
Process
Message
WinBej2.exe
BuildNum: 1948
WinBej2.exe
BuildNum: 1948
WinBej2.exe
BuildDate: Wed Oct 27 16:01:07 2004
WinBej2.exe
Loading completed: 218 out of 218
WinBej2.exe
Resource Loading Time: 9
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://jarv.is/y2k/downloads/bejewled.exe