Sample: index.html

Full analysis: https://app.any.run/tasks/7a20a4e1-241a-4b2e-aaf8-d253e0a73e09
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware; the main functionality of each trojan family can therefore differ significantly. The most common trojan infection chain starts with a phishing email.

Analysis date: May 15, 2019, 03:33:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan
Indicators:
MIME: text/html
File info: HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
MD5: ABFD7089C79CA276454C7EF0EC0786D8
SHA1: 6458A988B40BB8670094EE8A6523F58118D60CEE
SHA256: 1B49D013CB6488CBED216E008C9D530E323530A582A6952C0DF81243323154B6
SSDEEP: 6144:wh71haKiOmxxb7qIxoydj6PU59emYikbVMIKy1NFoM72rdA7yJUpT+Qz9KmlTUtU:wSSI+a3a+BazyrOwzluJgQhbkT1cUgP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 3332)
    • Creates files in the user directory

      • iexplore.exe (PID: 3232)
      • iexplore.exe (PID: 2312)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3232)
      • iexplore.exe (PID: 3332)
      • iexplore.exe (PID: 2312)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3332)
      • iexplore.exe (PID: 3232)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3232)
      • iexplore.exe (PID: 2312)
    • Application launched itself

      • iexplore.exe (PID: 3332)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3232)
      • iexplore.exe (PID: 3332)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3232)
      • iexplore.exe (PID: 3332)
No Malware configuration.

TRiD

.aiml | Artificial Intelligence Markup Language (48.3)
.htm/html | HyperText Markup Language with DOCTYPE (41.6)
.html | HyperText Markup Language (9.9)

EXIF

HTML

oathGuceConsentHost: guce.yahoo.com
referrer: unsafe-url
themeColor: #400090
formatDetection: telephone=no
Keywords: yahoo, yahoo home page, yahoo homepage, yahoo search, yahoo mail, yahoo messenger, yahoo games, news, finance, sport, entertainment
Description: News, email and search are just the beginning. Discover more every day. Find your yodel.
imagemode: force
layoutmode: fitscreen
nightmode: disable
browsermode: application
fullScreen: yes
msapplicationTapHighlight: no
applicationName: Yahoo
msapplicationTileImage: https://s.yimg.com/os/mit/media/p/presentation/images/icons/win8-tile-1484740.png
msapplicationTileColor: #ffffff
msapplicationNavbuttonColor: red
ContentType: text/html; charset=utf-8
HTTPEquivXDnsPrefetchControl: on
Title: Yahoo
HTTPEquivXUACompatible: IE=edge
No data.
Screenshots: available in the full report.
Total processes: 35
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph (interactive graph available in the full report)

Nodes: start, iexplore.exe, iexplore.exe, iexplore.exe

Process information

PID: 3332
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\index.html
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3232
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3332 CREDAT:79873
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2312
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3332 CREDAT:203009
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 771
Read events: 569
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 2
Text files: 76
Unknown types: 15

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3332 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | | |
3332 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | | |
3232 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\Advance_rc4-rollup[1].eot | eot | 0F70FD96D2A27B5C46F7C4DB002C05D3 | 7AA89D635FCDF4E98F4FD1FDD11F2CEAF6F6CA78866FE0FD28B90C91AB2D55AB
3232 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\advance_base_rc4_0.0.91[1].css | text | FED5969E59CCE3D2D712A3A4C229D08C | C3A38D789DC540C78CC300EE7280FD8DD981BA55FB567F42FD2CC16E824BD012
3232 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\yglyphs[1].eot | eot | 430F2CB7F3B2B01E8A0FF27FD883F5A1 | 8C83E68BEA7A6FC8B2E696DD5F0107837375B8BF6B536645C03E05D95A28571F
3232 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\fp_sda_0.0.30[1].css | text | 54CA7D8202A70AA8BB421ACD5569363A | D4255CCDD8CD45F9450E989F6459502DD11349B776B765A7ABAD4FAC0FB96DBD
3232 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\yglyphs-legacy_0.0.29[1].css | text | FEA1B3F449C8DE4E6AD28FC439976648 | 8986CE1C5001F7AEEC6203851EC850874A158268F11CDC59E04DC56E86D9DBD1
3232 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\custom.desktop.c5483352[1].css | text | C54833527C77F998CD45B57A5D2749EB | 4FB4DC82052CE4E6A5BB5DFEDF5E61208FF884008F00378E30D2848CA38FCA8B
3232 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\atomic-css.ebf87f46[1].css | text | CCA0B205DEDC7744D3BD1683948DAFC9 | B808E87C489E2FC3AAA36CECCE3858AB6309CEBADF38A54E72C139B8928C5315
3232 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\yglyphs[1].eot | eot | 430F2CB7F3B2B01E8A0FF27FD883F5A1 | 8C83E68BEA7A6FC8B2E696DD5F0107837375B8BF6B536645C03E05D95A28571F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 30
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2312 | iexplore.exe | GET | 200 | 203.76.216.1:80 | http://203.76.216.1/mapi/searchclientga.bin | CN | | | malicious
2312 | iexplore.exe | GET | 404 | 203.76.216.1:80 | http://203.76.216.1/mapi/searchclientga.aiml | CN | html | 979 b | malicious
2312 | iexplore.exe | GET | 200 | 203.76.216.1:80 | http://203.76.216.1/ | CN | html | 311 b | malicious
2312 | iexplore.exe | GET | 404 | 203.76.216.1:80 | http://203.76.216.1/mapi/searchclientga | CN | html | 969 b | malicious
3332 | iexplore.exe | GET | 404 | 203.76.216.1:80 | http://203.76.216.1/favicon.ico | CN | html | 564 b | malicious
3332 | iexplore.exe | GET | 404 | 203.76.216.1:80 | http://203.76.216.1/favicon.ico | CN | html | 564 b | malicious
3332 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3332 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3232 | iexplore.exe | 87.248.114.12:443 | s.yimg.com | Yahoo! UK Services Limited | GB | shared
3232 | iexplore.exe | 104.109.56.111:443 | sb.scorecardresearch.com | Akamai International B.V. | NL | whitelisted
3232 | iexplore.exe | 152.195.39.122:443 | us.y.atwola.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3332 | iexplore.exe | 203.76.216.1:80 | | China Telecom (Group) | CN | malicious
2312 | iexplore.exe | 203.76.216.1:80 | | China Telecom (Group) | CN | malicious
3332 | iexplore.exe | 212.82.100.137:443 | search.yahoo.com | Yahoo! UK Services Limited | CH | shared

DNS requests

Domain | IP | Reputation
s.yimg.com | 87.248.114.12, 87.248.114.11 | shared
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
us.y.atwola.com | 152.195.39.122 | whitelisted
sb.scorecardresearch.com | 104.109.56.111 | shared
search.yahoo.com | 212.82.100.137 | whitelisted

Threats

PID | Process | Class | Message
2312 | iexplore.exe | A Network Trojan was detected | ET TROJAN Generic .bin download from Dotted Quad

Debug output: no debug info