analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

YuQu-0.1.4.exe

Full analysis: https://app.any.run/tasks/88e109da-70e4-4d2c-82e3-873438e79a21
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 18, 2020, 12:33:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5:

D34A0A86CD4B653B324CECF7411D7677

SHA1:

F229D77F57F699C3123C0C4BD420048DA9C960FF

SHA256:

0EC380E7C4539A878640A5C75610BF34667BA4D0CD590511831D7DF24350E2E4

SSDEEP:

196608:Rwyv8T74kzuumvOqaZVpoQTVHJack+bWNnTbS:SC8T7BXmvBaZVTacJGPS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Downloads executable files from the Internet

      • javaw.exe (PID: 4004)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • javaw.exe (PID: 4004)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 1048)

    • Creates files in the user directory

      • javaw.exe (PID: 4004)

    • Starts application with an unusual extension

      • cmd.exe (PID: 1048)

    • Executes JAVA applets

      • YuQu-0.1.4.exe (PID: 2332)

    • Executable content was dropped or overwritten

      • javaw.exe (PID: 4004)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:01:14 16:26:55+01:00
PEType: PE32
LinkerVersion: 2.22
CodeSize: 25088
InitializedDataSize: 160256
UninitializedDataSize: 36864
EntryPoint: 0x1290
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 14-Jan-2020 15:26:55
Detected languages:
  • Process Default Language

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 14-Jan-2020 15:26:55
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_DEBUG_STRIPPED
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00006080
0x00006200
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.98243
.data
0x00008000
0x00000040
0x00000200
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.163808
.rdata
0x00009000
0x00000510
0x00000600
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.01355
.bss
0x0000A000
0x00008E30
0x00000000
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.idata
0x00013000
0x00000AA8
0x00000C00
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.65264
.rsrc
0x00014000
0x00025D0C
0x00025E00
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
6.43667

Resources

Title
Entropy
Size
Codepage
Language
Type
1
2.79908
90
UNKNOWN
Process Default Language
RT_GROUP_ICON
2
2.25163
6
UNKNOWN
Process Default Language
RT_RCDATA
3
5.17516
16936
UNKNOWN
Process Default Language
RT_ICON
4
5.31596
9640
UNKNOWN
Process Default Language
RT_ICON
5
5.50014
4264
UNKNOWN
Process Default Language
RT_ICON
6
5.75242
1128
UNKNOWN
Process Default Language
RT_ICON
8
1
2
UNKNOWN
Process Default Language
RT_RCDATA
12
4.0958
22
UNKNOWN
Process Default Language
RT_RCDATA
15
4.21782
41
UNKNOWN
Process Default Language
RT_RCDATA
16
2.58496
6
UNKNOWN
Process Default Language
RT_RCDATA

Imports

ADVAPI32.DLL
KERNEL32.dll
SHELL32.DLL
USER32.dll
msvcrt.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
5
Malicious processes
0
Suspicious processes
2

Behavior graph

Click at the process to see the details
start yuqu-0.1.4.exe no specs javaw.exe cmd.exe no specs chcp.com no specs reg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2332"C:\Users\admin\AppData\Local\Temp\YuQu-0.1.4.exe" C:\Users\admin\AppData\Local\Temp\YuQu-0.1.4.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\yuqu-0.1.4.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
4004"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\admin\AppData\Local\Temp\YuQu-0.1.4.exe" org.develnext.jphp.ext.javafx.FXLauncherC:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
YuQu-0.1.4.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
8.0.920.14
Modules
Images
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1048C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\System32\reg.exe query "HKU\S-1-5-19""C:\Windows\System32\cmd.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3012C:\Windows\System32\chcp.com 65001 C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\chcp.com
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3920C:\Windows\System32\reg.exe query "HKU\S-1-5-19"C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
20
Read events
19
Write events
1
Delete events
0

Modification events

(PID) Process:(4004) javaw.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
javaw.exe
Executable files
1
Suspicious files
0
Text files
1
Unknown types
1

Dropped files

PID
Process
Filename
Type
4004javaw.exeC:\Users\admin\AppData\Local\Temp\YuQu-0.1.4.exe.$##
MD5:
SHA256:
4004javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:9E8CF341114CFB938FA3D2E7D5A3561B
SHA256:87B55BC4E7EF0EDCBE3F7E76AF8B7F671A6E2FE5126C180955ABCC892643847D
4004javaw.exeC:\Users\admin\AppData\Local\Temp\YuQu-0.1.4.exeexecutable
MD5:D34A0A86CD4B653B324CECF7411D7677
SHA256:0EC380E7C4539A878640A5C75610BF34667BA4D0CD590511831D7DF24350E2E4
4004javaw.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2fdbf
MD5:C8366AE350E7019AEFC9D1E6E6A498C6
SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
25
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4004
javaw.exe
GET
200
91.224.22.111:80
http://yuqu.site/stats/c.php
RU
suspicious
4004
javaw.exe
GET
200
91.224.22.111:80
http://YuQu.Site/line.php
RU
text
4 b
suspicious
4004
javaw.exe
GET
200
91.224.22.111:80
http://yuqu.site/YuQuR/YuQu-0.1.4.exe
RU
executable
7.03 Mb
suspicious
4004
javaw.exe
GET
200
91.224.22.111:80
http://YuQu.Site/line.php
RU
text
4 b
suspicious
4004
javaw.exe
GET
200
91.224.22.111:80
http://YuQu.Site/line.php
RU
text
4 b
suspicious
4004
javaw.exe
GET
200
91.224.22.111:80
http://YuQu.Site/line.php
RU
text
4 b
suspicious
4004
javaw.exe
GET
200
91.224.22.111:80
http://yuqu.site/YuQuR/vers.txt
RU
text
5 b
suspicious
4004
javaw.exe
GET
200
91.224.22.111:80
http://yuqu.site/YuQuR/update.txt
RU
text
37 b
suspicious
4004
javaw.exe
GET
200
91.224.22.111:80
http://yuqu.site/
RU
html
1.52 Kb
suspicious
4004
javaw.exe
GET
200
91.224.22.111:80
http://YuQu.Site/line.php
RU
text
4 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4004
javaw.exe
91.224.22.111:80
ticket.yuqu.site
Domain names registrar REG.RU, Ltd
RU
suspicious
91.224.22.111:80
ticket.yuqu.site
Domain names registrar REG.RU, Ltd
RU
suspicious

DNS requests

Domain
IP
Reputation
ticket.yuqu.site
  • 91.224.22.111
suspicious
yuqu.site
  • 91.224.22.111
suspicious

Threats

PID
Process
Class
Message
4004
javaw.exe
A Network Trojan was detected
ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
4004
javaw.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
YuQu-0.1.4.exe