URL: | http://mewkid.net/buy-xalanta/ |
Full analysis: | https://app.any.run/tasks/38d12f9f-31a9-48ae-9910-d6f88e526fc6 |
Verdict: | Malicious activity |
Analysis date: | October 14, 2019, 09:19:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 9B07A5CB1DFCC6B23B386D75F2F907ED |
SHA1: | E0470D7526D890629F052C8853A6D30AAFFCC5CB |
SHA256: | 0F96D987D2ABCCFDF56A7C371C3ABC0CF4E0156AAC89956B58460C37F954A8EA |
SSDEEP: | 3:N1KT+u0sHJIdEJiREKn:CNqgiiK |
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
1608 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://mewkid.net/buy-xalanta/" | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | | | |
2148 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1608 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | | | |
3532 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0 Version: 26,0,0,131 | | | |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2148 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WSS38W2D\buy-xalanta[1].txt | — | — | —
1608 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | — | —
1608 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | —
2148 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WSS38W2D\mewkid_net[1].txt | — | — | —
2148 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FCN4OFFV\css[1].txt | text | A061058C6C4AF78E8EFBA6F420ED8489 | 778C24E891D5F018DD98A104843A842DD1ED510149CFCAD2468FC30DF488412A
2148 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019101420191015\index.dat | dat | C3EDD3423DC80AEC3E191D50E6711688 | 27EFBEE3AD7AF1D1A2C49C6339D589FB44EDDF3643D5DC1FAA2628C2A5F81967
2148 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | 26B2B0C54768B58B0E066A782C49267E | 1487AABC5D126CB9C2C066028B193632AD68088678B353FDBC66086762DBC81F
2148 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QYNYDV39\buy-xalanta[1].htm | html | 5787D0A3AB62123545D1E1D3D3DC22DE | E628CC3CF4E7A0CD778756D03DA3572A6C38466514CCDEBF98E2D29465CEA25F
2148 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FCN4OFFV\st_insights[1].js | text | BD82D78C4AF8412E52C10D0CB4D0A879 | 53AE914563CA9A506ECDE6B72EFBC109BE28B72BE94AAF341D3D216556D38EF6
2148 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FCN4OFFV\gglcptch[1].css | text | 95D63D64E34C2A2C3377EAE57B9508FF | 94781286B2A56B8ADFDBC4F6BA3A7AD93E2653FEE8B357D0714BE7BDA9318A1B
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2148 | iexplore.exe | GET | 404 | 173.254.204.79:80 | http://mewkid.net/static/css/banner-styles.css?v=1518460053.0 | US | html | 696 b | unknown |
2148 | iexplore.exe | GET | 200 | 173.254.204.79:80 | http://mewkid.net/buy-xalanta/ | US | html | 722 b | unknown |
2148 | iexplore.exe | GET | 200 | 173.254.204.79:80 | http://mewkid.net/ | US | html | 19.3 Kb | unknown |
2148 | iexplore.exe | GET | 404 | 173.254.204.79:80 | http://mewkid.net/wp/wp-content/plugins/add-link-to-facebook/add-link-to-facebook.css?ver=4.5.10 | US | html | 696 b | unknown |
1608 | iexplore.exe | GET | 404 | 173.254.204.79:80 | http://mewkid.net/favicon.ico | US | html | 696 b | unknown |
2148 | iexplore.exe | GET | — | 173.254.204.79:80 | http://mewkid.net/static/js/analytics.js?v=1518460053.0 | US | — | — | unknown |
2148 | iexplore.exe | GET | 404 | 173.254.204.79:80 | http://mewkid.net/static/js/wbhack.js?v=1518460053.0 | US | html | 696 b | unknown |
2148 | iexplore.exe | GET | 200 | 216.58.208.42:80 | http://fonts.googleapis.com/css?family=Indie+Flower&ver=4.5.10 | US | text | 173 b | whitelisted |
2148 | iexplore.exe | GET | 200 | 143.204.101.38:80 | http://w.sharethis.com/button/st_insights.js?publisher=4d48b7c5-0ae3-43d4-bfbe-3ff8c17a8ae6&product=simpleshare | US | text | 6.60 Kb | shared |
2148 | iexplore.exe | GET | 200 | 173.254.204.79:80 | http://mewkid.net/wp/wp-content/themes/base-wp-premium-child/style.css?ver=4.5.10 | US | text | 905 b | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2148 | iexplore.exe | 172.217.21.194:80 | pagead2.googlesyndication.com | Google Inc. | US | whitelisted |
1608 | iexplore.exe | 173.254.204.79:80 | mewkid.net | QuadraNet, Inc | US | unknown |
2148 | iexplore.exe | 143.204.101.38:80 | w.sharethis.com | — | US | malicious |
2148 | iexplore.exe | 216.58.208.42:80 | fonts.googleapis.com | Google Inc. | US | whitelisted |
2148 | iexplore.exe | 173.254.204.79:80 | mewkid.net | QuadraNet, Inc | US | unknown |
1608 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2148 | iexplore.exe | 207.241.233.214:80 | web.archive.org | Internet Archive | US | suspicious |
2148 | iexplore.exe | 157.240.20.19:80 | connect.facebook.net | Facebook, Inc. | US | whitelisted |
2148 | iexplore.exe | 209.197.3.15:80 | maxcdn.bootstrapcdn.com | Highwinds Network Group, Inc. | US | whitelisted |
2148 | iexplore.exe | 172.217.18.110:80 | www.google-analytics.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation
---|---|---
mewkid.net | — | unknown
www.bing.com | — | whitelisted
pagead2.googlesyndication.com | — | whitelisted
fonts.googleapis.com | — | whitelisted
maxcdn.bootstrapcdn.com | — | whitelisted
w.sharethis.com | — | shared
connect.facebook.net | — | whitelisted
web.archive.org | — | whitelisted
fonts.gstatic.com | — | whitelisted
www.google-analytics.com | — | whitelisted
PID | Process | Class | Message |
---|---|---|---|
— | — | A Network Trojan was detected | ET WEB_CLIENT Observed DNS Query to Malicious Cookie Monster Roulette JS Cookie Stealer Exfil Domain |
2148 | iexplore.exe | Misc activity | ADWARE [PTsecurity] Redirecting.Zemot (RBN ZeroPark 0-Click) |
— | — | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |