analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ppc.cab

Full analysis: https://app.any.run/tasks/9f2a41f7-e9ba-4011-b8e6-949e1b42f76c
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: November 15, 2018, 07:23:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
gozi
ursnif
Indicators:
MIME: application/vnd.ms-cab-compressed
File info: Microsoft Cabinet archive data, 157113 bytes, 1 file
MD5:

E3B88F03A2E01F6DE21B1D81EB945E61

SHA1:

3769BAF00B8BA604ACB4AEAACD65022D14F969AF

SHA256:

18A433B73B9183BF1390ECB1483E041B6C5ED0F07CB62929B1FC30CA254ED0D2

SSDEEP:

3072:N3YoLvGECVD2Lc/Ccr22tYKktH7LHr4xSmEw2LXYtt6W+G0EJq4:N3Ynd2LKCcCSYKktH7PA9E7zYttt+Gy4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • puk.exe (PID: 3040)
      • puk.exe (PID: 3616)
    • Connects to CnC server

      • iexplore.exe (PID: 2956)
    • URSNIF was detected

      • iexplore.exe (PID: 2956)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3320)
    • Application launched itself

      • puk.exe (PID: 3040)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2476)
    • Creates files in the user directory

      • iexplore.exe (PID: 2476)
      • iexplore.exe (PID: 2956)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2956)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.cab | Microsoft Cabinet Archive (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
5
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe puk.exe no specs puk.exe no specs iexplore.exe #URSNIF iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3320"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\ppc.cab"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3040"C:\Users\admin\Desktop\ppc\puk.exe" C:\Users\admin\Desktop\ppc\puk.exeexplorer.exe
User:
admin
Company:
Duplex Secure Ltd.
Integrity Level:
MEDIUM
Description:
SCSI Pass Through Direct
Exit code:
0
Version:
1.86.0.0 built by: WinDDK
3616"C:\Users\admin\Desktop\ppc\puk.exe" C:\Users\admin\Desktop\ppc\puk.exepuk.exe
User:
admin
Company:
Duplex Secure Ltd.
Integrity Level:
MEDIUM
Description:
SCSI Pass Through Direct
Version:
1.86.0.0 built by: WinDDK
2476"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2956"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2476 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
640
Read events
593
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
2
Unknown types
2

Dropped files

PID
Process
Filename
Type
2476iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2476iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2476iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFD2171E8A63A56C31.TMP
MD5:
SHA256:
2476iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{8F05063A-E8A7-11E8-A505-5254004AAD11}.dat
MD5:
SHA256:
2476iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFF4E42DD2D1F4E527.TMP
MD5:
SHA256:
2476iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{8F050639-E8A7-11E8-A505-5254004AAD11}.dat
MD5:
SHA256:
2956iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
2476iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
2956iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.logtext
MD5:B752BDBBC181AD0914EA37E78C00CB02
SHA256:2A1F22EBDD2727B0900EE74AA9A0FDB53AF0912A21EC7ED025E1D6AF083F4764
3320WinRAR.exeC:\Users\admin\Desktop\ppc\puk.exeexecutable
MD5:87C4ECFBDA15463E3850AB1F0B7C9442
SHA256:DA13F5504957BA999221367972B20FBC5B506758C148D2DD8236EAEFE920092B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2956
iexplore.exe
GET
404
47.74.131.146:80
http://in.ledalco.at/wpapi/iEDqNET9WeaQQ7CY0SeWjqV/8vgPVvPDVc/dNt0z2TwyG749WjZZ/5Z5qW3iYNDJu/asA2_2BbYfA/Yju_2FTitRzP9s/VRUUK8tyhOGlzBVPeJRjx/bxlQMEB0Dz8BRTKl/3xywOpbtJBLFGk1/Msp0Px_2FkVUuT7VPd/ABKELRhhC/Qqaw_2FvNlraaGnoJwAy/dry3uj6MH_2FX5yi9jo/IWAgfxFt267QFtpbt3C5pQ/9rxbctam9we/Mrae4qi
US
html
180 b
malicious
2476
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2476
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2956
iexplore.exe
47.74.131.146:80
in.ledalco.at
Alibaba (China) Technology Co., Ltd.
US
suspicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
in.ledalco.at
  • 47.74.131.146
malicious

Threats

PID
Process
Class
Message
2956
iexplore.exe
A Network Trojan was detected
SC SPYWARE TrojanSpy:Win32/Ursnif variant
1 ETPRO signatures available at the full report
No debug info